Ho preso un bel virus!!!!

manicomio · 27-07-2005, 18:57

Salve a tutti,
oggi ho lanciato un file .exe scaricato da internet all'interno del quale qulache simpaticone ha nascosto un bel virus.
Quando ho laciato il file lo spyware mi ha dato allarme sul file service.exe pero' non sono riuscito a bloccarlo perchè esiste veramente un processo service.exe all'interno di XP.
Risultato dopo il lancio del file il PC sembra andare bene unica cosa Norton Antivirus non esegue piu' la scasione e neanche il liveUpdate (la finestra si apre e si chiude istantaneamente).
All'avvio successivo mi è venuto un errore di block memory ) ma dando ok il PC è partito regolarmente.
Si nota all'avvio che norton parte con la X rossa sopra in quanto inibisce l'autoprotezione,entrando dentro si puo' riattivrla nìma non si aggiorna e non scansiona...
Ho fatto una scnsione on-line con PC-Cillin il quale ha trovato un virus prontamente eliminato,poi dalle succesive scansioni con Ad-Ware e Giant antispyware ho eliminato altre porcherie ma il prblema rimane eccome.
Ho fatto la scansione con Hijackthis e quaeto è il risultato:

Logfile of HijackThis v1.99.1
Scan saved at 18.44.05, on 27/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Trust\302KS\Mouse\mouse32a.exe
C:\Programmi\Trust\302KS\Keyboard\KbdAp32A.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\MMTray.exe
C:\WINDOWS\system32\MMTray2k.exe
C:\WINDOWS\system32\MMTrayLSI.exe
C:\WINDOWS\System32\qttask.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\Proprietario\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Programmi\Trust\302KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Programmi\Trust\302KS\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio Veloce di WinZip.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B34DB9D-9A67-4A18-A966-CA52F7C60F27}: NameServer = 212.216.112.112,212.216.172.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{963780D7-91D5-404E-BA50-B539D94AB7B2}: NameServer = 212.216.112.112,212.216.172.62
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

Ho cercato un po' rete ma non ho trovato delle soluzioni specifiche anche percè non so' di preciso come si chiama questo virus.
Se qaulcuno ha un'idea mi fa' un grosso favore perchè non so' verament che pesci prendere.
Un grazie enorme in anticipo a tutti!

CIAO!!!

halduemilauno · 27-07-2005, 19:05

C:\WINDOWS\services.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7B34DB9D-9A67-4A18-A966-CA52F7C60F27}: NameServer = 212.216.112.112,212.216.172.62

O17 - HKLM\System\CCS\Services\Tcpip\..\{963780D7-91D5-404E-BA50-B539D94AB7B2}: NameServer = 212.216.112.112,212.216.172.62

buttali. poi fa una bella pulizia del tuo avvio e soprattutto butta norton.

manicomio · 27-07-2005, 19:26

Grazie per la tempestiva risposta.
Ho seguito le operazioni indicate pero':
Il file C:\WINDOWS\services.exe non lo ho trovato, e la prima riga da eliminare F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe l'ho eliminata ma sembra che si ricrei immediatamente questo è il file attuale:

Logfile of HijackThis v1.99.1
Scan saved at 19.19.54, on 27/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Trust\302KS\Mouse\mouse32a.exe
C:\Programmi\Trust\302KS\Keyboard\KbdAp32A.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\MMTray.exe
C:\WINDOWS\system32\MMTray2k.exe
C:\WINDOWS\system32\MMTrayLSI.exe
C:\WINDOWS\System32\qttask.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\RXCLUS\RXCLUS82.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\Proprietario\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Programmi\Trust\302KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Programmi\Trust\302KS\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio Veloce di WinZip.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

Quando ho fatto il FIX degli oggetti mi è arrivato un messaggio da Norton che pero' non ho fatto in tempo a leggere,ho lanciato NAV successivamente ma non ne vuole sapere di aggiornarsi o fare scansioni.....
Sembra che siamo sulla strada buona ma ancora non vuole andare,un grazie enorme per ora.

CIAO!

halduemilauno · 27-07-2005, 19:50

Quote:

Originariamente inviato da manicomio

Grazie per la tempestiva risposta.
Ho seguito le operazioni indicate pero':
Il file C:\WINDOWS\services.exe non lo ho trovato, e la prima riga da eliminare F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe l'ho eliminata ma sembra che si ricrei immediatamente questo è il file attuale:

Quando ho fatto il FIX degli oggetti mi è arrivato un messaggio da Norton che pero' non ho fatto in tempo a leggere,ho lanciato NAV successivamente ma non ne vuole sapere di aggiornarsi o fare scansioni.....
Sembra che siamo sulla strada buona ma ancora non vuole andare,un grazie enorme per ora.

CIAO!

devi mettere un antivirus vero ed efficace. quindi devi buttare norton.

manicomio · 27-07-2005, 20:27

Ok nessun problema che Antivirus mi consigliate?
Cerco di reperirlo il prima possibile.

Grazie!

FOXYLADY · 27-07-2005, 21:12

Quote:

Originariamente inviato da manicomio

Grazie per la tempestiva risposta.
Ho seguito le operazioni indicate pero':
Il file C:\WINDOWS\services.exe non lo ho trovato, e la prima riga da eliminare F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe l'ho eliminata ma sembra che si ricrei immediatamente questo è il file attuale:

Logfile of HijackThis v1.99.1
Scan saved at 19.19.54, on 27/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Trust\302KS\Mouse\mouse32a.exe
C:\Programmi\Trust\302KS\Keyboard\KbdAp32A.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\MMTray.exe
C:\WINDOWS\system32\MMTray2k.exe
C:\WINDOWS\system32\MMTrayLSI.exe
C:\WINDOWS\System32\qttask.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\RXCLUS\RXCLUS82.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Documents and Settings\Proprietario\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Programmi\Trust\302KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Programmi\Trust\302KS\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio Veloce di WinZip.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

Quando ho fatto il FIX degli oggetti mi è arrivato un messaggio da Norton che pero' non ho fatto in tempo a leggere,ho lanciato NAV successivamente ma non ne vuole sapere di aggiornarsi o fare scansioni.....
Sembra che siamo sulla strada buona ma ancora non vuole andare,un grazie enorme per ora.

CIAO!

C'è ancora il services.exe in windows (quello normale dovrebbe stare in windows/sistem32)

E' importante che prima di fare la scansione con hijack disabiliti il ripristino configurazione di sistema.
Poi fixa

C:\WINDOWS\services.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe

Se non funziona avvia il pc in modalità provvisoria (tasto f8 all'avvio), lancia regedit (start-esegui-regedit), controlla se ci sono queste chiavi, se si eliminale.

Nella chiave
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
elimina "MSNMESENGER"="%System%\Main.exe"

Nella chiave
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Policies\Explorer\Run
elimina "DirectX for Microsoft Windows"="%System%\Fservice.exe"

Nella chiave
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
elimina "DirectX for Microsoft Windows"="%System%\Sservice.exe"

Nella chiave
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
elimina "StubPath"="C:\Windows\system\Sservice.exe"

Prima di modificare il registro è meglio se esegui un backup dello stesso nel caso qualcosa andasse storto, per farlo puoi utilizzare il programmino Erunt che trovi qui

Ciao

manicomio · 28-07-2005, 13:47

Salve a tutti,
ci ho riprovato ma senza alcun risultato.
Il file C:\WINDOWS\services.exe
non esiste,ne trovo uno sotto system32 ma non so' se è giusto eliminarlo,poi un'altro e sotto i386.
Facendo il fix quella riga non si camcella o almeno non definitivamente in quanto dopo un attimo è li' di nuovo.
Ho provato ad andare in provvisoria per eliminare le chiavi di registro ma addirittura non ho nessuna cartelle RUN sotto HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion quindi tutte le cancellazioni sono per me impossibili.
Ho installato PC Cillin 12 che rileva un cavallo di troia ,dice disinfettato ma dopo poco riappare il messaggio come se si ricreasse in continuazione.
Seguendo le istruzioni pr rimuovere il trojan purtroppo non arrivo a nulla in quanto dice di eliminare ffservice.exe che si trova sotto RUN e quindi introvabile per me.
Sono alla disperazione.......

GRAZIE A TUTTI!!

andorra24 · 28-07-2005, 13:58

Prova a fare una scansione antivirus online:
http://www.bitdefender.com/scan8/ie.html
Fai anche una scansione con ewido:
http://www.ewido.net/en/
ps: cambia antivirus al piu' presto e lascia stare il norton

manicomio · 28-07-2005, 15:15

Ho seguito la procedura descritta qui:http://www.mcse.ms/archive118-2005-6-1652157.html e sono arrivato a questo risultato :

Logfile of HijackThis v1.99.1
Scan saved at 15.10.54, on 28/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Trust\302KS\Mouse\mouse32a.exe
C:\WINDOWS\system32\MMTray.exe
C:\WINDOWS\system32\MMTray2k.exe
C:\Programmi\Trust\302KS\Keyboard\KbdAp32A.exe
C:\WINDOWS\system32\MMTrayLSI.exe
C:\WINDOWS\System32\qttask.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe
C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
C:\Programmi\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Documents and Settings\Proprietario\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Programmi\Trust\302KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Programmi\Trust\302KS\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programmi\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio Veloce di WinZip.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B34DB9D-9A67-4A18-A966-CA52F7C60F27}: NameServer = 212.216.112.112,212.216.172.62
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Ditemi un po' se la situazione sembra migliorata oppure no.
Ora ho rimosso Norton e ho messo Pc Cillin 12 gli fare una scansione anche a lui tanto per vedere se trova qualcosa.
Grazie a tutti per i consigli.

halduemilauno · 28-07-2005, 16:01

C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

F2 - REG:system.ini: Shell=Explorer.exe

O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Programmi\Trust\302KS\Mouse\mouse32a.exe

O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{7B34DB9D-9A67-4A18-A966-CA52F7C60F27}: NameServer = 212.216.112.112,212.216.172.62

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

buttali.

FOXYLADY · 28-07-2005, 16:27

Quote:

Originariamente inviato da halduemilauno

C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

F2 - REG:system.ini: Shell=Explorer.exe

O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Programmi\Trust\302KS\Mouse\mouse32a.exe

O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{7B34DB9D-9A67-4A18-A966-CA52F7C60F27}: NameServer = 212.216.112.112,212.216.172.62

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

buttali.

Quoto
Mi sembra che vadi molto meglio il tuo log.

27-07-2005, 18:57	#1
manicomio Member Iscritto dal: May 2004 Messaggi: 51	Ho preso un bel virus!!!! Salve a tutti, oggi ho lanciato un file .exe scaricato da internet all'interno del quale qulache simpaticone ha nascosto un bel virus. Quando ho laciato il file lo spyware mi ha dato allarme sul file service.exe pero' non sono riuscito a bloccarlo perchè esiste veramente un processo service.exe all'interno di XP. Risultato dopo il lancio del file il PC sembra andare bene unica cosa Norton Antivirus non esegue piu' la scasione e neanche il liveUpdate (la finestra si apre e si chiude istantaneamente). All'avvio successivo mi è venuto un errore di block memory ) ma dando ok il PC è partito regolarmente. Si nota all'avvio che norton parte con la X rossa sopra in quanto inibisce l'autoprotezione,entrando dentro si puo' riattivrla nìma non si aggiorna e non scansiona... Ho fatto una scnsione on-line con PC-Cillin il quale ha trovato un virus prontamente eliminato,poi dalle succesive scansioni con Ad-Ware e Giant antispyware ho eliminato altre porcherie ma il prblema rimane eccome. Ho fatto la scansione con Hijackthis e quaeto è il risultato: Logfile of HijackThis v1.99.1 Scan saved at 18.44.05, on 27/07/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.exe C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\services.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\SOUNDMAN.EXE C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programmi\Trust\302KS\Mouse\mouse32a.exe C:\Programmi\Trust\302KS\Keyboard\KbdAp32A.exe C:\Programmi\File comuni\Symantec Shared\ccApp.exe C:\WINDOWS\system32\MMTray.exe C:\WINDOWS\system32\MMTray2k.exe C:\WINDOWS\system32\MMTrayLSI.exe C:\WINDOWS\System32\qttask.exe C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Programmi\WinZip\WZQKPICK.EXE C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe C:\WINDOWS\system32\wuauclt.exe C:\Programmi\Alice ti aiuta\bin\mpbtn.exe C:\Programmi\Messenger\msmsgs.exe C:\Documents and Settings\Proprietario\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/ F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [FLMK08KB] C:\Programmi\Trust\302KS\Keyboard\MMKEYBD.EXE O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Programmi\Trust\302KS\Mouse\mouse32a.exe O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [MMTray] MMTray.exe O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [msnappau] "C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe" O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe O4 - Global Startup: Avvio Veloce di WinZip.lnk = C:\Programmi\WinZip\WZQKPICK.EXE O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{7B34DB9D-9A67-4A18-A966-CA52F7C60F27}: NameServer = 212.216.112.112,212.216.172.62 O17 - HKLM\System\CCS\Services\Tcpip\..\{963780D7-91D5-404E-BA50-B539D94AB7B2}: NameServer = 212.216.112.112,212.216.172.62 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe Ho cercato un po' rete ma non ho trovato delle soluzioni specifiche anche percè non so' di preciso come si chiama questo virus. Se qaulcuno ha un'idea mi fa' un grosso favore perchè non so' verament che pesci prendere. Un grazie enorme in anticipo a tutti! CIAO!!!

27-07-2005, 19:05	#2
halduemilauno Senior Member Iscritto dal: Feb 2002 Città: Discovery Messaggi: 34710	C:\WINDOWS\services.exe F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{7B34DB9D-9A67-4A18-A966-CA52F7C60F27}: NameServer = 212.216.112.112,212.216.172.62 O17 - HKLM\System\CCS\Services\Tcpip\..\{963780D7-91D5-404E-BA50-B539D94AB7B2}: NameServer = 212.216.112.112,212.216.172.62 buttali. poi fa una bella pulizia del tuo avvio e soprattutto butta norton. __________________ Good afternoon, gentlemen, I'm a H.A.L. computer.

28-07-2005, 13:58	#8
andorra24 Senior Member Iscritto dal: May 2005 Città: Palermo Messaggi: 6390	Prova a fare una scansione antivirus online: http://www.bitdefender.com/scan8/ie.html Fai anche una scansione con ewido: http://www.ewido.net/en/ ps: cambia antivirus al piu' presto e lascia stare il norton Ultima modifica di andorra24 : 28-07-2005 alle 14:02.

28-07-2005, 16:01	#10
halduemilauno Senior Member Iscritto dal: Feb 2002 Città: Discovery Messaggi: 34710	C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe F2 - REG:system.ini: Shell=Explorer.exe O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Programmi\Trust\302KS\Mouse\mouse32a.exe O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{7B34DB9D-9A67-4A18-A966-CA52F7C60F27}: NameServer = 212.216.112.112,212.216.172.62 O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe buttali. __________________ Good afternoon, gentlemen, I'm a H.A.L. computer.

27-07-2005, 19:26	#3
manicomio Member Iscritto dal: May 2004 Messaggi: 51	Grazie per la tempestiva risposta. Ho seguito le operazioni indicate pero': Il file C:\WINDOWS\services.exe non lo ho trovato, e la prima riga da eliminare F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe l'ho eliminata ma sembra che si ricrei immediatamente questo è il file attuale: Logfile of HijackThis v1.99.1 Scan saved at 19.19.54, on 27/07/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.exe C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\services.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\SOUNDMAN.EXE C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programmi\Trust\302KS\Mouse\mouse32a.exe C:\Programmi\Trust\302KS\Keyboard\KbdAp32A.exe C:\Programmi\File comuni\Symantec Shared\ccApp.exe C:\WINDOWS\system32\MMTray.exe C:\WINDOWS\system32\MMTray2k.exe C:\WINDOWS\system32\MMTrayLSI.exe C:\WINDOWS\System32\qttask.exe C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Programmi\WinZip\WZQKPICK.EXE C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe C:\Programmi\Alice ti aiuta\bin\mpbtn.exe C:\Programmi\Internet Explorer\iexplore.exe C:\Programmi\Norton AntiVirus\navapsvc.exe C:\Programmi\Norton AntiVirus\SAVScan.exe C:\Programmi\Messenger\msmsgs.exe C:\Programmi\RXCLUS\RXCLUS82.EXE C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE C:\Documents and Settings\Proprietario\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/ F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [FLMK08KB] C:\Programmi\Trust\302KS\Keyboard\MMKEYBD.EXE O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Programmi\Trust\302KS\Mouse\mouse32a.exe O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [MMTray] MMTray.exe O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [msnappau] "C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe" O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe O4 - Global Startup: Avvio Veloce di WinZip.lnk = C:\Programmi\WinZip\WZQKPICK.EXE O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe Quando ho fatto il FIX degli oggetti mi è arrivato un messaggio da Norton che pero' non ho fatto in tempo a leggere,ho lanciato NAV successivamente ma non ne vuole sapere di aggiornarsi o fare scansioni..... Sembra che siamo sulla strada buona ma ancora non vuole andare,un grazie enorme per ora. CIAO!

27-07-2005, 20:27	#5
manicomio Member Iscritto dal: May 2004 Messaggi: 51	Ok nessun problema che Antivirus mi consigliate? Cerco di reperirlo il prima possibile. Grazie!

28-07-2005, 13:47	#7
manicomio Member Iscritto dal: May 2004 Messaggi: 51	Salve a tutti, ci ho riprovato ma senza alcun risultato. Il file C:\WINDOWS\services.exe non esiste,ne trovo uno sotto system32 ma non so' se è giusto eliminarlo,poi un'altro e sotto i386. Facendo il fix quella riga non si camcella o almeno non definitivamente in quanto dopo un attimo è li' di nuovo. Ho provato ad andare in provvisoria per eliminare le chiavi di registro ma addirittura non ho nessuna cartelle RUN sotto HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion quindi tutte le cancellazioni sono per me impossibili. Ho installato PC Cillin 12 che rileva un cavallo di troia ,dice disinfettato ma dopo poco riappare il messaggio come se si ricreasse in continuazione. Seguendo le istruzioni pr rimuovere il trojan purtroppo non arrivo a nulla in quanto dice di eliminare ffservice.exe che si trova sotto RUN e quindi introvabile per me. Sono alla disperazione....... GRAZIE A TUTTI!!

28-07-2005, 15:15	#9
manicomio Member Iscritto dal: May 2004 Messaggi: 51	Ho seguito la procedura descritta qui:http://www.mcse.ms/archive118-2005-6-1652157.html e sono arrivato a questo risultato : Logfile of HijackThis v1.99.1 Scan saved at 15.10.54, on 28/07/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.exe C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programmi\Trust\302KS\Mouse\mouse32a.exe C:\WINDOWS\system32\MMTray.exe C:\WINDOWS\system32\MMTray2k.exe C:\Programmi\Trust\302KS\Keyboard\KbdAp32A.exe C:\WINDOWS\system32\MMTrayLSI.exe C:\WINDOWS\System32\qttask.exe C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe C:\Programmi\Trend Micro\Internet Security 12\pccguide.exe C:\WINDOWS\system32\ctfmon.exe C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Programmi\WinZip\WZQKPICK.EXE C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe C:\Programmi\Alice ti aiuta\bin\mpbtn.exe C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe C:\Documents and Settings\Proprietario\Desktop\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/ F2 - REG:system.ini: Shell=Explorer.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [FLMK08KB] C:\Programmi\Trust\302KS\Keyboard\MMKEYBD.EXE O4 - HKLM\..\Run: [FLMBROWSEMOUSE] C:\Programmi\Trust\302KS\Mouse\mouse32a.exe O4 - HKLM\..\Run: [MMTray] MMTray.exe O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [msnappau] "C:\Programmi\MSN Apps\Updater\01.03.0000.1005\it\msnappau.exe" O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [pccguide.exe] "C:\Programmi\Trend Micro\Internet Security 12\pccguide.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe O4 - Global Startup: Avvio Veloce di WinZip.lnk = C:\Programmi\WinZip\WZQKPICK.EXE O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{7B34DB9D-9A67-4A18-A966-CA52F7C60F27}: NameServer = 212.216.112.112,212.216.172.62 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe Ditemi un po' se la situazione sembra migliorata oppure no. Ora ho rimosso Norton e ho messo Pc Cillin 12 gli fare una scansione anche a lui tanto per vedere se trova qualcosa. Grazie a tutti per i consigli.

Strumenti
Mostra una versione stampabile Invia questa pagina per email