Svchost sospetto... aiuto !!!

[schumy2006]

Ciao a tutti !
Da qualche giorno ho notato che zone alarm mi avverte che svchost cerca di connettersi ad internet all'indirizzo 239.255.255.250 Port 1900.

Mi succede spesso di ricevere il virus/trojan linkoptimizer semplicemente collegandomi dopo aver dato il consenso a zone alarm di far passare svchost appunto...

Norton 2006 non rileva nulla, ho fatto una scansione con hijackthis rinominando l'eseguibile test23.exe su consiglio di un mio amico in quanto molti trojan lo indivuduano...

Cmq questo e' il log, ci sono dei problemi ?
Logfile of HijackThis v1.99.1
Scan saved at 12.39.54, on 30/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\TPPALDR.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\ZyXEL\ADSL USB Modem\CnxDslTb.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\PestPatrol\PPControl.exe
C:\Programmi\PestPatrol\PPMemCheck.exe
C:\Programmi\PestPatrol\CookiePatrol.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\FILECO~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Downloads\test23.exe
C:\Programmi\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Programmi\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Programmi\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Programmi\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\TEMP\symlcsv1.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {B96BEF41-A0C5-22F8-1B13-1F07E91FF16F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "G:\-ARCHIVIO-\ARCHIVIO PROGRAMMI\Quick Time\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\ZyXEL\ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programmi\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\Programmi\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\Programmi\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PC Booster] C:\Programmi\inKline Global\PC Booster\PCBooster.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1152448856417
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1152627447263
O17 - HKLM\System\CCS\Services\Tcpip\..\{47984880-6114-49BE-BEFB-8E7690FD322A}: NameServer = 213.205.36.70 213.205.32.70
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Ho fatto poi una scanzione con Sysinternal RootkitRevealer ed ecco il risultato:

HKLM\S-1-5-21-507921405-813497703-725345543-1003\RemoteAccess\InternetProfile 09/07/06 12.06 13 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 22/08/06 17.07 66 bytes Windows API length not consistent with raw hive data.

C:\Programmi\Norton AntiVirus\Savrt\0826NAV~.TMP 30/09/06 0.44 0 bytes Hidden from Windows API.

C:\WINDOWS\system32\drivers\etc\lmhosts 30/09/06 0.41 0 bytes Hidden from Windows API.

C:\WINDOWS\system32\lpt9.eua 30/09/06 0.26 126.84 KB Hidden from Windows API.

C:\WINDOWS\wwgwi1.dll 20/08/06 20.56 63.16 KB Hidden from Windows API.

C:\WINDOWS\wwgwi1.upd 22/08/06 10.54 61.37 KB Hidden from Windows API.

Cosa dovrei fare x essere sicuro che non ci siano problemi ? GRAZIE infinite x qualsiasi aiuto !
Vittorio

[Gianky....! :D :)]

Ciao anke io ho Zone Alarm e come dici tu la prima volta ke l'ho installato mi ha kiesto se volevo autorizzare "svshot" a connettersi ad intenet...
A quanto pare "svshot" è un processo del pc (quindi sicuro) e allora gli devi dare l'autorizzazione!!!
X quanto riguarda "link optimizer" ci deve essere 1 altro problema!!!
Ke versione di Zone Alarm usi ?
E ke antivirus ? ciao

[GmG]

@schumy2006 sei infetto da LinkOptimizer

http://www.hwupgrade.it/forum/showthread.php?t=1271721