Infested


Hidro
11-06-2005, 19:15
Can anyone tell me what all this junk is?


help plz :cry:

3dsst
11-06-2005, 20:02
Can anyone tell me what all this junk is?


help plz :cry:
Post the HijackThis log ;)

3dsst
11-06-2005, 20:08
Anyway, you have at least one trojan: the last entry in the attachment is W32/Rbot-AER

3dsst
11-06-2005, 20:08
What antivirus do you use?

Hidro
12-06-2005, 09:09
Which one would you recommend?

Hidro
12-06-2005, 09:25
Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 10.24.32, on 12/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\cfmon.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\wvsvc.exe
C:\WINDOWS\System32\MSASP32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\MSASP32.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\programmi\180searchassistant\salmhook.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [afsjaj] C:\WINDOWS\afsjaj.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B1D65B-86D1-48D0-832D-1793F749FDA7}: NameServer = 80.17.212.208 151.99.125.1
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\cfmon.exe

halduemilauno
12-06-2005, 09:39
Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 10.24.32, on 12/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\cfmon.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\wvsvc.exe
C:\WINDOWS\System32\MSASP32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\MSASP32.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\programmi\180searchassistant\salmhook.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [afsjaj] C:\WINDOWS\afsjaj.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c18.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B1D65B-86D1-48D0-832D-1793F749FDA7}: NameServer = 80.17.212.208 151.99.125.1
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\cfmon.exe

C:\WINDOWS\System32\wvsvc.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [Starting up] wvsvc.exe

O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe

O4 - HKCU\..\Run: [Starting up] wvsvc.exe

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M.../bridge-c18.cab

Throw them out. ;)

Hidro
12-06-2005, 09:54
Other things keep popping up... if I format, what should I do so I don't catch them again?

Hidro
12-06-2005, 09:58
:(

Hidro
12-06-2005, 11:16
Other things keep popping up... if I format, what should I do so I don't catch these trojans again?

:(

Jaguar64bit
12-06-2005, 12:00
Other things keep popping up... if I format, what should I do so I don't catch them again?


The only real cure is to install the Kaspersky 5 Personal antivirus. www.kaspersky.com

Then install Ad-Aware 1.06

SpywareBlaster

Spybot 1.4

Ewido 3.0.

Update them and start scanning.

3dsst
12-06-2005, 12:54
Kaspersky as antivirus: download the trial and run a scan, then Ad-Aware, Spybot, Microsoft AntiSpyware (ex Giant) and a good firewall, and you're safe ;)

bluepix
12-06-2005, 14:04
I don't know what state your PC is in now, but going by your initial log you would need to proceed as follows:

Stop the service: hwclock.exe

Remove the lines:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\programmi\180searchassistant\salmhook.dll
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [MS Auto-IPSec Protection] MSASP32.exe

O4 - HKLM\..\Run: [afsjaj] C:\WINDOWS\afsjaj.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M.../bridge-c18.cab
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe

Disable System Restore

Reboot into Safe Mode and delete the following files:
wvsvc.exe
MSASP32.exe
C:\WINDOWS\System32\hwclock.exe

and the following directory:
c:\programmi\180searchassistant

Run HijackThis again and check that all the entries listed above have been removed; otherwise remove them.

Reboot in normal mode.

YMen
13-06-2005, 07:42
I don't know what state your PC is in now, but going by your initial log you would need to proceed as follows:

Stop the service: hwclock.exe

Remove the lines:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\programmi\180searchassistant\salmhook.dll
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [MS Auto-IPSec Protection] MSASP32.exe

O4 - HKLM\..\Run: [afsjaj] C:\WINDOWS\afsjaj.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M.../bridge-c18.cab
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe

Disable System Restore

Reboot into Safe Mode and delete the following files:
wvsvc.exe
MSASP32.exe
C:\WINDOWS\System32\hwclock.exe

and the following directory:
c:\programmi\180searchassistant

Run HijackThis again and check that all the entries listed above have been removed; otherwise remove them.

Reboot in normal mode.
I'd add:
then post the log again :D

Hidro
13-06-2005, 12:42
I have another problem: when I open Task Manager, and HijackThis too, they close automatically


:eek:



edit: among the processes there's a windll32 :confused:

YMen
13-06-2005, 12:56
I have another problem: when I open Task Manager, and HijackThis too, they close automatically


:eek:



edit: among the processes there's a windll32 :confused:
Look for the file windll32.exe and delete it, then try reopening Task Manager; if the process is still there, end it, then reboot, try again to open Task Manager and HijackThis, and post the log.

Hidro
13-06-2005, 13:32
The problem is it won't let me delete it because it's in use :(

YMen
13-06-2005, 13:38
Damn!!!
Then download KillBox, reboot into Safe Mode, enter the full path of the file in KillBox and delete it, then redo what I told you.

Hidro
13-06-2005, 15:30
Would formatting and installing Service Pack 1 and 2 let me avoid catching all this crap again? :(

Hidro
13-06-2005, 15:31
And anyway, is it this windll32.exe that's causing me all these problems? :(

YMen
13-06-2005, 15:38
Would formatting and installing Service Pack 1 and 2 let me avoid catching all this crap again? :(
Maybe, but it's not certain anyway
And anyway, is it this windll32.exe that's causing me all these problems? :(
Probably. Anyway, did you manage to delete it? And if you managed to open it, post the HijackThis log
If not, give me the list of all the processes running in Task Manager, if you at least managed to open that.

Hidro
13-06-2005, 16:00
Here is the log of the scan I just did


Logfile of HijackThis v1.99.1
Scan saved at 16.59.40, on 13/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rpcclient.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B1D65B-86D1-48D0-832D-1793F749FDA7}: NameServer = 80.17.212.208 151.99.125.1
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe




Deleted windll32.exe in Safe Mode

YMen
13-06-2005, 16:10
You're not clean yet.
Fix this line:
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
And do you know this one?
rpcclient.exe

Hidro
13-06-2005, 16:15
rpcclient.exe: I tried deleting it in Safe Mode too... nothing

It reappears automatically

YMen
13-06-2005, 16:25
How did you try to delete it, manually? Did you end it from Task Manager? Before rebooting into Safe Mode, did you disable System Restore?
PS: so you don't know rpcclient.exe, then?

Hidro
13-06-2005, 16:37
No, unfortunately I don't know rpcclient.. anyway it's also in the Windows services under Administrative Tools...

By System Restore do you mean deleting the System Restore service?

YMen
13-06-2005, 16:41
By System Restore do you mean deleting the System Restore service?
Yes, but you don't have to delete it, just disable it from My Computer --> Properties

Hidro
13-06-2005, 17:15
I checked, I had already disabled it

bluepix
13-06-2005, 17:25
The hunt is getting interesting :)

For rpcclient.exe (there's no entry on Google and, by definition, it's malware): in the services manager stop the service, then disable it.

Then fix the line:
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe

You absolutely must install Service Pack 2

Hidro
13-06-2005, 18:45
I'm glad to see the situation is of interest :D

Anyway, the problem is that it can't be disabled from the services :(

Hidro
13-06-2005, 19:03
And now another one pops up


Logfile of HijackThis v1.99.1
Scan saved at 20.01.38, on 13/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rpcclient.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\KYSVCXD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\RunServices: [KYK Control Settings] KYSVCXD.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B1D65B-86D1-48D0-832D-1793F749FDA7}: NameServer = 80.17.212.208 151.99.125.1
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe



KYSVCXD.exe :confused: :confused: :confused: :confused:

bluepix
13-06-2005, 20:10
And now another one pops up


Logfile of HijackThis v1.99.1
Scan saved at 20.01.38, on 13/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rpcclient.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\KYSVCXD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\RunServices: [KYK Control Settings] KYSVCXD.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B1D65B-86D1-48D0-832D-1793F749FDA7}: NameServer = 80.17.212.208 151.99.125.1
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe



KYSVCXD.exe :confused: :confused: :confused: :confused:
This looks like an endless fight.
You absolutely must install SP2.
It looks like an attack from outside that creates an rpcclient.exe process, which then generates different files each time.

Try Start > Run > services.msc, look for the "Remote Procedure Call (RPC) Client" service (not RPC Remote Procedure Call) or something similar that launches the program in question. Right-click and Stop.
Then right-click > Properties and choose Disabled as the startup type.

Restart in Safe Mode and fix the lines:
O4 - HKLM\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\RunServices: [KYK Control Settings] KYSVCXD.EXE
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe
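Added example, not from the thread or from any of its posters: a scan-to-scan comparison in Python for the situation described in the post above, where a persistent service keeps producing new files between one HijackThis scan and the next. It parses two logs (excerpts of the 16:59 and 20:01 logs posted above, trimmed to the lines needed) and reports which processes and entries appeared or disappeared, ignoring the tools the user is running during the cleanup. The noise list and the section layout it relies on are this example's own assumptions.

```python
import re

# Constructed excerpts of two HijackThis logs posted in the thread (13/06/2005),
# trimmed to the lines needed to show the comparison.
SCAN_A = r"""
Logfile of HijackThis v1.99.1
Scan saved at 16.59.40, on 13/06/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\rpcclient.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe
"""

SCAN_B = r"""
Logfile of HijackThis v1.99.1
Scan saved at 20.01.38, on 13/06/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\rpcclient.exe
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\System32\KYSVCXD.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\RunServices: [KYK Control Settings] KYSVCXD.EXE
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe
"""

# Processes that come and go because the user is running tools, not because of
# the infection. Constructed ignore list for this example.
NOISE_PROCESSES = {"hijackthis.exe", "taskmgr.exe", "cmd.exe", "firefox.exe",
                   "iexplore.exe", "ad-aware.exe"}

ENTRY_RE = re.compile(r"^(?:R\d|F\d|N\d|O\d+) - ")


def parse_scan(log_text):
    """Split a HijackThis log into (running process paths, R/O entries)."""
    processes, entries = set(), set()
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())  # System32 vs system32 differ only by case
        elif ENTRY_RE.match(line):
            entries.add(line)
    return processes, entries


def diff_scans(old_log, new_log):
    """Report what changed between two scans, ignoring the analyst's own tools."""
    old_p, old_e = parse_scan(old_log)
    new_p, new_e = parse_scan(new_log)

    def is_noise(path):
        return path.rsplit("\\", 1)[-1] in NOISE_PROCESSES

    return {
        "processes_added": sorted(p for p in new_p - old_p if not is_noise(p)),
        "processes_gone": sorted(p for p in old_p - new_p if not is_noise(p)),
        "entries_added": sorted(new_e - old_e),
        "entries_gone": sorted(old_e - new_e),
    }


if __name__ == "__main__":
    for section, items in diff_scans(SCAN_A, SCAN_B).items():
        print(f"{section}:")
        for item in items:
            print("   ", item)
```

On these two excerpts the diff shows exactly what the posters spotted by eye: KYSVCXD.EXE is new both as a process and as two Run entries, the O15 line fixed in between is gone, and rpcclient.exe appears in neither list because it survived unchanged from one scan to the next.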

YMen
13-06-2005, 20:16
Fix these:
O4 - HKLM\..\Run: [KYK Control Settings] KYSVCXD.EXE

O4 - HKLM\..\RunServices: [KYK Control Settings] KYSVCXD.EXE

O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe

Then, still in Safe Mode, try again to delete the files for both rpcclient.exe and KYSVCXD.EXE with KillBox, reboot in normal mode, and end the processes from Task Manager

Hidro
13-06-2005, 22:51
Stopped and disabled the rpc service

Deleted KYSVCXD.EXE

But rpc won't go away from HijackThis :mc:

edit: Search for files and folders says rpcclient.exe doesn't exist :eek:

YMen
14-06-2005, 07:56
Stopped and disabled the rpc service ...
But rpc won't go away from HijackThis :mc:
edit: Search for files and folders says rpcclient.exe doesn't exist :eek:
So you ended it from Task Manager but can't remove the line I pointed out from HijackThis (not even in Safe Mode?)

Deleted KYSVCXD.EXE
And also ended it from Task Manager?

PS: skunworks knows a useful program for deleting files, I'll let him know now

Hidro
14-06-2005, 11:09
So, as for KYSVCXD.EXE: ended and deleted... and so far it doesn't seem to come back :D

EDIT: don't ask me why, but this morning the rpc service could be disabled :eek:

Hidro
14-06-2005, 11:13
Logfile of HijackThis v1.99.1
Scan saved at 12.12.31, on 14/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B1D65B-86D1-48D0-832D-1793F749FDA7}: NameServer = 80.17.212.208 151.99.125.1
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Client (RpcClient) - Unknown owner - C:\WINDOWS\System32\rpcclient.exe



In HijackThis it still won't go away :mbe:

YMen
14-06-2005, 11:24
In HijackThis it still won't go away :mbe:
But if you try to fix it, what happens? Does it do that in Safe Mode too?

Hidro
14-06-2005, 12:05
It fixes it, but on the next scan it finds it again...

Anyway

C:\WINDOWS\system32\logonui.exe ??

YMen
14-06-2005, 12:23
It fixes it, but on the next scan it finds it again...
Try fixing it in Safe Mode
C:\WINDOWS\system32\logonui.exe ??
I don't know what it is, but at least the analyzer reports it as safe

Hidro
14-06-2005, 12:46
Anyway, however it goes, thank you all for the time you've spent on me to solve these problems ;)

YMen
14-06-2005, 13:35
Anyway, however it goes, thank you all for the time you've spent on me to solve these problems ;)
You're welcome :D

Hidro
14-06-2005, 14:47
Anyway, I have the Windows firewall (without SP1 and SP2) enabled.... but is it any use, or is it the same if I disable it?

YMen
14-06-2005, 14:57
Anyway, I have the Windows firewall (without SP1 and SP2) enabled.... but is it any use, or is it the same if I disable it?
First of all install both SP1 and SP2, especially SP2; anyway the Windows firewall is an extra layer of protection, but without SP1 and 2 it's of little use

bluepix
14-06-2005, 14:57
Anyway, I have the Windows firewall (without SP1 and SP2) enabled.... but is it any use, or is it the same if I disable it?

From HijackThis it looks like you haven't installed an antivirus, a firewall or an antispyware tool :(

Am I wrong?

YMen
14-06-2005, 14:58
In any case, how is the cleanup going?

Hidro
14-06-2005, 15:03
I have Ad-Aware and the Windows firewall enabled, antivirus nada... I ran the scan and then removed it

YMen
14-06-2005, 15:06
From HijackThis it looks like you haven't installed an antivirus, a firewall or an antispyware tool :(

Am I wrong?
:doh: :doh: :doh: damn, it's true, I hadn't noticed. Install a firewall right away (I recommend Kerio) and an AV (paid: Kaspersky; free: Antivir); after installing them, update them, run a scan with the AV in Safe Mode, then download Ewido, a-squared, Ad-Aware and Spybot S&D and scan with those.
PS: why didn't you tell me right away that you had no protection? :doh: :doh: :doh:

tutmosi3
14-06-2005, 15:08
In the middle of all this mess, I still haven't understood which antivirus, firewall and antispyware you had.

Bye

YMen
14-06-2005, 15:13
In the middle of all this mess, I still haven't understood which antivirus, firewall and antispyware you had.

Bye
As far as I understand, as firewall he uses the XP one, the AV he installed, ran the scan and uninstalled, and as antispyware he had Ad-Aware :D

Hidro
14-06-2005, 15:13
Ad-Aware as antispyware, Windows firewall, just ran a scan with Kaspersky... :( it finds rpcclient.exe as a trojan.... the problem is it can't be deleted because access is denied :eek: :eek:

YMen
14-06-2005, 15:16
it finds rpcclient.exe as a trojan.... the problem is it can't be deleted because access is denied :eek: :eek:
Even in Safe Mode?

Hidro
14-06-2005, 15:30
This is the report of the Kaspersky scan



Statistics:
Start time: 14/06/2005 16.11.17
Completion time: 14/06/2005 16.18.33
Objects scanned: 37634
Dangerous objects detected: 27
Viruses disinfected: 0
Objects deleted: 12
Objects quarantined: 0

Settings:
Objects to scan:
My Computer
If a dangerous object is detected:
Prompt user for action once the scan is completed
Scan level:
Recommended
Exclusions from the scan scope:
Option not used

Report:
C:\WINDOWS\System32\rpcclient.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.11.22
rpcclient.exe\rpcclient.exe object could not be disinfected, disinfection postponed 14/06/2005 16.11.22
C:\WINDOWS\System32\rpcclient.exe object could not be disinfected, disinfection postponed 14/06/2005 16.11.27
C:\WINDOWS\SYSTEM32\RPCCLIENT.EXE is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.11.31
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcClient [ImagePath=C:\WINDOWS\System32\rpcclient.exe] is infected with a virus Service: startUp link to C:\WINDOWS\SYSTEM32\RPCCLIENT.EXE object with "Infected" verdict 14/06/2005 16.11.31
C:\WINDOWS\SYSTEM32\RPCCLIENT.EXE object could not be disinfected, disinfection postponed 14/06/2005 16.11.31
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcClient [ImagePath=C:\WINDOWS\System32\rpcclient.exe] object could not be disinfected 14/06/2005 16.11.31
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\Ad-Aware SE Default.skn password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\arrow1.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\arrow2.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bck1.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt11.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt12.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt13.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt21.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt22.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt23.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt31.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt32.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt33.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt41.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt42.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt43.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt51.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt52.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt53.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt61.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\bt62.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\checkbox1.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\checkbox2.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\checkbox3.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\checkbox4.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\defbtn1.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\defbtn2.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\defbtn3.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\glyph1.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\glyph2.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\glyph3.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\glyph4.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\glyph5.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\glyph6.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\glyph7.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\main.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\preview.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Documents and Settings\Iron\Documenti\Zip & programmi\aawsepersonal.exe/WISE0020.BIN\sprite1.bmp password protected, has not been processed 14/06/2005 16.12.20
C:\Program Files\Internet Optimizer\optimize.exe is a Trojan Trojan-Downloader.Win32.Dyfuca.ei 14/06/2005 16.12.55
C:\Program Files\Internet Optimizer\optimize.exe object could not be disinfected, disinfection postponed 14/06/2005 16.12.55
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow1.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow2.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bck1.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt11.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt12.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt13.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt21.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt22.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt23.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt31.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt32.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt33.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt41.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt42.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt43.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt51.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt52.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt53.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt61.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt62.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox1.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox2.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox3.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox4.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn1.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn2.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn3.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph1.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph2.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph3.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph4.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph5.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph6.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph7.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\main.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\preview.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\sprite1.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\WINDOWS\system32\aimsg.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.15.54
C:\WINDOWS\system32\aimsg.exe object could not be disinfected, disinfection postponed 14/06/2005 16.15.54
C:\WINDOWS\system32\cfmon.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.15.56
C:\WINDOWS\system32\cfmon.exe object could not be disinfected, disinfection postponed 14/06/2005 16.15.56
C:\WINDOWS\system32\i is a Trojan Trojan-Downloader.BAT.Ftp.ab 14/06/2005 16.16.02
C:\WINDOWS\system32\i object could not be disinfected, disinfection postponed 14/06/2005 16.16.02
C:\WINDOWS\system32\msdirectx.sys is a Trojan Trojan.Win32.Rootkit.h 14/06/2005 16.16.07
C:\WINDOWS\system32\msdirectx.sys object could not be disinfected, disinfection postponed 14/06/2005 16.16.07
C:\WINDOWS\system32\msnt32.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.16.08
C:\WINDOWS\system32\msnt32.exe object could not be disinfected, disinfection postponed 14/06/2005 16.16.08
C:\WINDOWS\system32\o is a Trojan Trojan-Downloader.BAT.Ftp.ab 14/06/2005 16.16.11
C:\WINDOWS\system32\o object could not be disinfected, disinfection postponed 14/06/2005 16.16.11
C:\WINDOWS\system32\rpcclient.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.16.13
C:\WINDOWS\system32\rpcclient.exe object could not be disinfected, disinfection postponed 14/06/2005 16.16.13
C:\WINDOWS\system32\Sygat.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.16.16
C:\WINDOWS\system32\Sygat.exe object could not be disinfected, disinfection postponed 14/06/2005 16.16.16
C:\WINDOWS\system32\uuu.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.16.17
C:\WINDOWS\system32\uuu.exe object could not be disinfected, disinfection postponed 14/06/2005 16.16.17
C:\WINDOWS\system32\windowsp.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.16.18
C:\WINDOWS\system32\windowsp.exe object could not be disinfected, disinfection postponed 14/06/2005 16.16.18
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\26MUI77V\loko3[1].m is a Trojan Trojan.Win32.LowZones.br 14/06/2005 16.16.21
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\26MUI77V\loko3[1].m object could not be disinfected, disinfection postponed 14/06/2005 16.16.21
C:\WINDOWS\System32\rpcclient.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.17.38
C:\WINDOWS\System32\rpcclient.exe moved to the backup storage 14/06/2005 16.17.42
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, object locked 14/06/2005 16.17.42
C:\WINDOWS\System32\rpcclient.exe will be deleted at system startup 14/06/2005 16.17.51
rpcclient.exe\rpcclient.exe deleted 14/06/2005 16.17.51
C:\WINDOWS\System32\rpcclient.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.17.51
C:\WINDOWS\System32\rpcclient.exe error moving to the backup storage 14/06/2005 16.17.55
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.17.55
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.17.59
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.18.01
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.18.03
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.18.05
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.18.08
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.18.09
C:\WINDOWS\System32\rpcclient.exe cannot be deleted, file not found 14/06/2005 16.18.10
C:\WINDOWS\SYSTEM32\RPCCLIENT.EXE processing error 14/06/2005 16.18.14
C:\Program Files\Internet Optimizer\optimize.exe is a Trojan Trojan-Downloader.Win32.Dyfuca.ei 14/06/2005 16.18.14
C:\Program Files\Internet Optimizer\optimize.exe moved to the backup storage 14/06/2005 16.18.15
C:\Program Files\Internet Optimizer\optimize.exe deleted 14/06/2005 16.18.16
C:\WINDOWS\system32\aimsg.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.18.16
C:\WINDOWS\system32\aimsg.exe moved to the backup storage 14/06/2005 16.18.17
C:\WINDOWS\system32\aimsg.exe deleted 14/06/2005 16.18.17
C:\WINDOWS\system32\cfmon.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.18.17
C:\WINDOWS\system32\cfmon.exe moved to the backup storage 14/06/2005 16.18.19
C:\WINDOWS\system32\cfmon.exe deleted 14/06/2005 16.18.19
C:\WINDOWS\system32\i is a Trojan Trojan-Downloader.BAT.Ftp.ab 14/06/2005 16.18.19
C:\WINDOWS\system32\i moved to the backup storage 14/06/2005 16.18.22
C:\WINDOWS\system32\i deleted 14/06/2005 16.18.22
C:\WINDOWS\system32\msdirectx.sys is a Trojan Trojan.Win32.Rootkit.h 14/06/2005 16.18.22
C:\WINDOWS\system32\msdirectx.sys moved to the backup storage 14/06/2005 16.18.24
C:\WINDOWS\system32\msdirectx.sys deleted 14/06/2005 16.18.24
C:\WINDOWS\system32\msnt32.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.18.24
C:\WINDOWS\system32\msnt32.exe moved to the backup storage 14/06/2005 16.18.25
C:\WINDOWS\system32\msnt32.exe deleted 14/06/2005 16.18.25
C:\WINDOWS\system32\o is a Trojan Trojan-Downloader.BAT.Ftp.ab 14/06/2005 16.18.25
C:\WINDOWS\system32\o moved to the backup storage 14/06/2005 16.18.26
C:\WINDOWS\system32\o deleted 14/06/2005 16.18.26
C:\WINDOWS\system32\rpcclient.exe processing error 14/06/2005 16.18.26
C:\WINDOWS\system32\Sygat.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.18.26
C:\WINDOWS\system32\Sygat.exe moved to the backup storage 14/06/2005 16.18.27
C:\WINDOWS\system32\Sygat.exe deleted 14/06/2005 16.18.27
C:\WINDOWS\system32\uuu.exe is a Trojan Backdoor.Win32.Codbot.ad 14/06/2005 16.18.27
C:\WINDOWS\system32\uuu.exe moved to the backup storage 14/06/2005 16.18.28
C:\WINDOWS\system32\uuu.exe deleted 14/06/2005 16.18.28
C:\WINDOWS\system32\windowsp.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.18.28
C:\WINDOWS\system32\windowsp.exe moved to the backup storage 14/06/2005 16.18.32
C:\WINDOWS\system32\windowsp.exe deleted 14/06/2005 16.18.32
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\26MUI77V\loko3[1].m is a Trojan Trojan.Win32.LowZones.br 14/06/2005 16.18.32
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\26MUI77V\loko3[1].m moved to the backup storage 14/06/2005 16.18.33
C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\26MUI77V\loko3[1].m deleted 14/06/2005 16.18.33

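A small triage script for a report like the one just posted, added here as an example (it is not from the thread or from Kaspersky): it pairs each "is a Trojan" line with the action lines that follow for the same file, merging the System32/SYSTEM32 spellings, and flags anything whose last action is not a deletion, as happens with rpcclient.exe above, which ends in "processing error". The message set in the regex is assumed from the posted report, not from a documented log format.

```python
"""Pair each detection in a Kaspersky-style scan report with the action lines
that follow it and derive a final disposition per object.  Added example for
this thread, not forum or Kaspersky code; the message set is assumed from the
report posted above, not from a documented log specification."""
import re

# Path (may contain spaces), one known message, then "dd/mm/yyyy hh.mm.ss".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<msg>is a Trojan (?P<name>\S+)"
    r"|object could not be disinfected, disinfection postponed"
    r"|moved to the backup storage|error moving to the backup storage"
    r"|deleted|cannot be deleted, (?:object locked|file not found)"
    r"|will be deleted at system startup|processing error"
    r"|password protected, has not been processed)"
    r" \d{2}/\d{2}/\d{4} \d{2}\.\d{2}\.\d{2}$")

def status_for(last_msg):
    """Map the last logged message for an object to a disposition."""
    for prefix, status in (("deleted", "deleted"),
                           ("moved to the backup storage", "quarantined"),
                           ("will be deleted at system startup", "pending reboot"),
                           ("object could not be disinfected", "postponed"),
                           ("is a Trojan", "detected")):
        if last_msg.startswith(prefix):
            return status
    # "processing error", "cannot be deleted ..." and "error moving ..." mean
    # the scanner gave up on the object: it needs manual verification.
    return "unresolved"

def triage(report_text):
    """Return ({casefolded path: record}, skipped). Windows paths are case-
    insensitive, so System32/SYSTEM32 spellings of one file are merged."""
    records, skipped = {}, 0
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        if m["msg"].startswith("password protected"):
            skipped += 1  # unscanned archive members, not detections
            continue
        rec = records.setdefault(m["path"].casefold(),
                                 {"path": m["path"], "names": set(), "events": []})
        if m["name"]:
            rec["names"].add(m["name"])
        rec["events"].append(m["msg"])
    for rec in records.values():
        rec["status"] = status_for(rec["events"][-1])
    return records, skipped

def needs_attention(records):
    """Objects whose last logged action is anything other than a deletion."""
    return [r["path"] for r in records.values() if r["status"] != "deleted"]

# A subset of the lines posted above, kept in the report's own format.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\aimsg.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.15.54
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\main.bmp password protected, has not been processed 14/06/2005 16.13.06
C:\WINDOWS\System32\rpcclient.exe is a Trojan Backdoor.Win32.Codbot.ae 14/06/2005 16.17.38
C:\WINDOWS\System32\rpcclient.exe moved to the backup storage 14/06/2005 16.17.42
C:\WINDOWS\SYSTEM32\RPCCLIENT.EXE processing error 14/06/2005 16.18.14
C:\WINDOWS\system32\aimsg.exe moved to the backup storage 14/06/2005 16.18.17
C:\WINDOWS\system32\aimsg.exe deleted 14/06/2005 16.18.17
"""
```

Calling `triage(SAMPLE_REPORT)` yields aimsg.exe as `deleted` and rpcclient.exe as `unresolved`, with the skin bitmap counted as skipped rather than reported as an infection.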
Hidro
14-06-2005, 15:31
conclusion... infested with trojans that no other antivirus was detecting :(

Hidro
14-06-2005, 15:35
as soon as I removed the firewall I was bombarded by lsass and other junk, but Kaspersky blocked them all :sofico:

YMen
14-06-2005, 15:45
so are you completely clean now? did you reboot the PC?

tutmosi3
14-06-2005, 15:53
as far as I understand, for a firewall he uses the XP one; he installed the AV, ran the scan and uninstalled it; and for antispyware he had Ad-Aware :D

Which makes me think that you had no antivirus before.

Bye

Hidro
14-06-2005, 17:59
let's say I'm clean :D


anyway, now I'm getting the Windows XP CD with SP1 and 2 already included, and I'll format


thx everyone

YMen
14-06-2005, 18:09
instead of formatting, why don't you just install SP1 and 2?
that way at least you don't make all our work useless :(

Hidro
14-06-2005, 19:57
could you give me a link for Service Pack 1?

bluepix
14-06-2005, 20:13
Maybe I'm saying something stupid, but usually Windows Service Packs contain all the updates included in the previous Service Packs.
Installing SP2 should therefore be enough.

Hidro
14-06-2005, 20:21
I have no idea... anyway, if Service Pack 2 doesn't require Service Pack 1 to be installed first, even better :D

tutmosi3
15-06-2005, 06:52
SP2 also contains SP1.
Bye

Hidro
15-06-2005, 19:16
installed SP2


Logfile of HijackThis v1.99.1
Scan saved at 20.15.08, on 15/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Iron\Documenti\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rossoalice.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B1D65B-86D1-48D0-832D-1793F749FDA7}: NameServer = 80.17.212.208 151.99.125.1
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

this is the log of the scan I just ran with HijackThis

is everything ok?

aren't 29 processes a bit too many?

SkunkWorks 68
17-06-2005, 08:04
...I was only able to read the thread just now. You did an excellent job... What a slog... The log looks clean... You could disable the Messenger service, if you want.. Bye :)