|
|||||||
|
|
|
 |
|
|
Strumenti |
08-07-2004, 12:01
|
#1 |
|
Senior Member
Iscritto dal: Jun 2001
Città: Verona
Messaggi: 8699
|
SdBot-545
Avast mi trova questo trojan "SdBot-545" collocato in msconfig.....non posso ne riparare,ne spostare e neppure cancellare (ci mancherebbe!
 ).Come risolvo? Inoltre che trojan è il SdBot-545....che fa? Grazie
__________________
You have to be trusted by the people that you lie to / So that when they turn their backs on you / You'll get the chance to put the knife in |
|
|
|
08-07-2004, 14:15
|
#2 | |
|
Member
Iscritto dal: Sep 2003
Città: Imperia
Messaggi: 211
|
Re: SdBot-545
Quote:
|
|
|
|
|
|
08-07-2004, 14:58
|
#3 |
|
Senior Member
Iscritto dal: Jun 2001
Città: Verona
Messaggi: 8699
|
niente da fare.
cmq ho trovato un altro trojan: SdBot-194-B........locato in C:\Windows\System32\Wuadsff.exe che fa sto trojan?
__________________
You have to be trusted by the people that you lie to / So that when they turn their backs on you / You'll get the chance to put the knife in |
|
|
|
|
09-07-2004, 14:09
|
#4 | |
|
Member
Iscritto dal: Sep 2003
Città: Imperia
Messaggi: 211
|
Quote:
|
|
|
|
|
|
09-07-2004, 20:48
|
#5 |
|
Senior Member
Iscritto dal: Jun 2001
Città: Verona
Messaggi: 8699
|
Logfile of HijackThis v1.98.0
Scan saved at 20.47.47, on 09/07/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS.0\System32\smss.exe C:\WINDOWS.0\system32\winlogon.exe C:\WINDOWS.0\system32\services.exe C:\WINDOWS.0\system32\lsass.exe C:\WINDOWS.0\System32\Ati2evxx.exe C:\WINDOWS.0\system32\svchost.exe C:\WINDOWS.0\System32\svchost.exe C:\WINDOWS.0\system32\Ati2evxx.exe C:\WINDOWS.0\Explorer.EXE C:\PROGRA~1\Avast4\ashDisp.exe C:\Programmi\Motherboard Monitor 5\MBM5.EXE C:\WINDOWS.0\System32\syswr.exe C:\WINDOWS.0\System32\ctfmon.exe C:\Programmi\Logitech\MouseWare\system\em_exec.exe C:\Programmi\Avast4\aswUpdSv.exe C:\Programmi\Avast4\ashServ.exe C:\WINDOWS.0\system32\drivers\etc\wcmgr.exe C:\Programmi\foobar2000\foobar2000.exe C:\Documents and Settings\Administrator\Desktop\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti F0 - system.ini: Shell= F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe, O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file) O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [MBM 5] "C:\Programmi\Motherboard Monitor 5\MBM5.EXE" O4 - HKLM\..\Run: [Microsoft Updating] syswr.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe O4 - HKLM\..\RunServices: [Microsoft Updating] syswr.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\ctfmon.exe O4 - HKCU\..\Run: [Microsoft Updating] syswr.exe O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O10 - Broken Internet access because of LSP provider 'c:\windows.0\system32\rsvpsp.dll' missing O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix: O17 - HKLM\System\CCS\Services\Tcpip\..\{F416A63C-717B-4771-8C90-C32E95EF9954}: NameServer = 62.211.69.150 212.48.4.15
__________________
You have to be trusted by the people that you lie to / So that when they turn their backs on you / You'll get the chance to put the knife in |
|
|
|
|
10-07-2004, 13:29
|
#6 | |
|
Senior Member
Iscritto dal: Jun 2001
Città: Verona
Messaggi: 8699
|
Quote:
up 
__________________
You have to be trusted by the people that you lie to / So that when they turn their backs on you / You'll get the chance to put the knife in |
|
|
|
|
|
10-07-2004, 13:38
|
#7 |
|
Senior Member
Iscritto dal: Jun 2003
Città: "Mantua me genuit" Trattative concluse: 1 fracco!!! Devianze: MacTard iMac 27" i5 2,8Ghz 4GB IPHONE 5 32GB Black Iscritto dal: Nov 2002
Messaggi: 4426
|
hai già provato ad usare stinger di mcafee (anche in mod provvisoria) o la ver trial di trojanhunter (www.misec.net)????
|
|
|
|
|
10-07-2004, 13:54
|
#8 |
|
Senior Member
Iscritto dal: Mar 2004
Città: Rimini
Messaggi: 10296
|
Ciao,
vedi un po' questi, tutta porcheria DOC: C:\WINDOWS.0\System32\syswr.exe C:\WINDOWS.0\system32\drivers\etc\wcmgr.exe F0 - system.ini: Shell= O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file) O4 - HKLM\..\Run: [Microsoft Updating] syswr.exe O10 - Broken Internet access because of LSP provider 'c:\windows.0\system32\rsvpsp.dll' missing O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix: Via i temporanei e quelli di internet, via system restore, da provvisoria localizza e uccidi: syswr.exe wcmgr.exe Fissa con hijackthis tutte le voci segnate qua sopra. 
__________________
sometimes they come back *** Life Happens! - (Professionista I.T. - Tecnico Telecomunicazioni) Latitude E6420 I7 2760QM SSD Crucial M4-512GB --- Tecra R840 I5 2520M SSD Samsung 830-256GB --- Macbook Pro 13,3" I5 2435M SSD Samsung 830-256GB |
|
|
|
|
10-07-2004, 14:11
|
#9 |
|
Senior Member
Iscritto dal: Jun 2001
Città: Verona
Messaggi: 8699
|
stinger già provato.
ho avviato in modalità provvisoria e ho fatto quello che dite..... (però è strano....premendo "fix selected" non fixa un caz.......) ecco il nuovo log: Logfile of HijackThis v1.98.0 Scan saved at 14.09.28, on 10/07/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS.0\System32\smss.exe C:\WINDOWS.0\system32\winlogon.exe C:\WINDOWS.0\system32\services.exe C:\WINDOWS.0\system32\lsass.exe C:\WINDOWS.0\System32\Ati2evxx.exe C:\WINDOWS.0\system32\svchost.exe C:\WINDOWS.0\System32\svchost.exe C:\WINDOWS.0\system32\Ati2evxx.exe C:\WINDOWS.0\Explorer.EXE C:\PROGRA~1\Avast4\ashDisp.exe C:\Programmi\Motherboard Monitor 5\MBM5.EXE C:\WINDOWS.0\System32\ctfmon.exe C:\Programmi\Logitech\MouseWare\system\em_exec.exe C:\Programmi\Avast4\aswUpdSv.exe C:\Programmi\Avast4\ashServ.exe C:\WINDOWS.0\system32\drivers\etc\wcmgr.exe C:\Documents and Settings\Administrator\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti F0 - system.ini: Shell= F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe, O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [MBM 5] "C:\Programmi\Motherboard Monitor 5\MBM5.EXE" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\ctfmon.exe O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O10 - Broken Internet access because of LSP provider 'c:\windows.0\system32\rsvpsp.dll' missing O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix:
__________________
You have to be trusted by the people that you lie to / So that when they turn their backs on you / You'll get the chance to put the knife in |
|
|
|
|
10-07-2004, 14:33
|
#10 |
|
Senior Member
Iscritto dal: Mar 2004
Città: Rimini
Messaggi: 10296
|
Ciao,
un po' meglio ma.... c'è ancora questa schifezza: C:\WINDOWS.0\system32\drivers\etc\wcmgr.exe L'altro, syswr.exe sembra sparito... Non si riesce proprio a toglierlo quel file? Nemmeno da mod. provvisoria? mi riferisco a wcmgr.exe Boh, strano che non si riescano a fissare quelle voci con hijackthis, non mi è mai successo...
__________________
sometimes they come back *** Life Happens! - (Professionista I.T. - Tecnico Telecomunicazioni) Latitude E6420 I7 2760QM SSD Crucial M4-512GB --- Tecra R840 I5 2520M SSD Samsung 830-256GB --- Macbook Pro 13,3" I5 2435M SSD Samsung 830-256GB |
|
|
|
|
10-07-2004, 14:35
|
#11 |
|
Senior Member
Iscritto dal: Jun 2001
Città: Verona
Messaggi: 8699
|
wcmgr non me lo trova neppure col cerca.....anche avendo messo "mostra i files nascosti" e visualizza bla bla bla....
__________________
You have to be trusted by the people that you lie to / So that when they turn their backs on you / You'll get the chance to put the knife in |
|
|
|
|
10-07-2004, 14:49
|
#12 | |
|
Senior Member
Iscritto dal: Mar 2004
Città: Rimini
Messaggi: 10296
|
Quote:
dove sembra ci sia il file wcmgr.exe è quello che normalmente contiene i file hosts. Controlla cosa c'è in quel percorso, dovrebbe esserci pochissima roba, nulla con estensione exe, solo file tipo hosts, lmhosts.sam e pochi altri, ripeto: nulla con estensioni exe, dll, com, pif ecc. Dai un'occhiata ed eventualmente apri col notepad il file HOSTS per vedere dentro se c'è qualche ridirezionamento anomalo. Eventualmente "taglialo" e "backuppalo" in un'altra cartella tanto per vedere cosa succede
__________________
sometimes they come back *** Life Happens! - (Professionista I.T. - Tecnico Telecomunicazioni) Latitude E6420 I7 2760QM SSD Crucial M4-512GB --- Tecra R840 I5 2520M SSD Samsung 830-256GB --- Macbook Pro 13,3" I5 2435M SSD Samsung 830-256GB |
|
|
|
|
|
10-07-2004, 15:16
|
#13 |
|
Senior Member
Iscritto dal: Jun 2001
Città: Verona
Messaggi: 8699
|
ecco nuovo log
Logfile of HijackThis v1.98.0 Scan saved at 15.16.06, on 10/07/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINDOWS.0\System32\smss.exe C:\WINDOWS.0\system32\winlogon.exe C:\WINDOWS.0\system32\services.exe C:\WINDOWS.0\system32\lsass.exe C:\WINDOWS.0\System32\Ati2evxx.exe C:\WINDOWS.0\system32\svchost.exe C:\WINDOWS.0\System32\svchost.exe C:\WINDOWS.0\system32\Ati2evxx.exe C:\WINDOWS.0\Explorer.EXE C:\PROGRA~1\Avast4\ashDisp.exe C:\Programmi\Motherboard Monitor 5\MBM5.EXE C:\WINDOWS.0\System32\ctfmon.exe C:\Programmi\Logitech\MouseWare\system\em_exec.exe C:\Programmi\Avast4\aswUpdSv.exe C:\Programmi\Avast4\ashServ.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Programmi\Avast4\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti F0 - system.ini: Shell= F2 - REG:system.ini: UserInit=C:\WINDOWS.0\system32\userinit.exe, O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [MBM 5] "C:\Programmi\Motherboard Monitor 5\MBM5.EXE" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\System32\ctfmon.exe O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe O10 - Broken Internet access because of LSP provider 'c:\windows.0\system32\rsvpsp.dll' missing O13 - DefaultPrefix: O13 - WWW Prefix: O13 - Home Prefix: O13 - Mosaic Prefix: O13 - FTP Prefix: O13 - Gopher Prefix: O17 - HKLM\System\CCS\Services\Tcpip\..\{F416A63C-717B-4771-8C90-C32E95EF9954}: NameServer = 62.211.69.150 212.48.4.15
__________________
You have to be trusted by the people that you lie to / So that when they turn their backs on you / You'll get the chance to put the knife in |
|
|
|
|
10-07-2004, 15:34
|
#14 |
|
Senior Member
Iscritto dal: Mar 2004
Città: Rimini
Messaggi: 10296
|
Adesso sembra pulito!
Restano quelle incoerenze segnalate prima, che non si eliminano con hijackthis. Però sono solo piccole incoerenze nel registro, non dovrebbero dare conseguenze. Ci sono infatti dei riferimenti ma mancano i file... Secondo me potresti essere a posto
__________________
sometimes they come back *** Life Happens! - (Professionista I.T. - Tecnico Telecomunicazioni) Latitude E6420 I7 2760QM SSD Crucial M4-512GB --- Tecra R840 I5 2520M SSD Samsung 830-256GB --- Macbook Pro 13,3" I5 2435M SSD Samsung 830-256GB |
|
|
|
|
10-07-2004, 15:38
|
#15 |
|
Senior Member
Iscritto dal: Jun 2001
Città: Verona
Messaggi: 8699
|
peccato che non abbia risolto il problema che da il titolo alla discussione!
__________________
You have to be trusted by the people that you lie to / So that when they turn their backs on you / You'll get the chance to put the knife in |
|
|
|
|
11-07-2004, 00:26
|
#16 | |
|
Member
Iscritto dal: Aug 2001
Messaggi: 158
|
Quote:
__________________
Alim 300W,MB Asus A7M266,CPU amd 1200 fsb266,Ram samsung 256DDR,HD Maxtor 80Gb,Skaudio SBlaster5.1+casseDTT2200,Sk video Asus V8200Deluxe,DVD panasonic 16x48x,Plex W2410TA. |
|
|
|
|
|
|
| Strumenti | |
|
|
Tutti gli orari sono GMT +1. Ora sono le: 14:40.
