Virus che invia mail

[Tarrion]

salve a tutti, volevo esporvi la seguente questione: mi sono accorto che poco dopo aver connesso internet avast mail scanner inizia a scansionare mail su mail in uscita come se ci fosse un virus chele crea e le invia tramite la mia connessione, ma non riesco a trovare il processo in task manager, posto un log di hijackthis fatto adesso mentre naturalmente le mail vengono inviate a raffica... Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2.41.40, on 25/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\PC Achille\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: 212.251.31.10 L2authd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\winsys.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{039C3068-A402-49B5-8A4B-D8E752617A91}: NameServer = 85.37.17.16 85.38.28.68
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - Unknown owner - C:\Programmi\M-Audio\MobilePre\Install\MPInst.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Programmi\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Programmi\TuneUp Utilities 2006\WinStylerThemeSvc.exe (file missing)

--
End of file - 4739 bytes

[oasis90]

FIXA:

O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\winsys.exe

Il resto è pulito

[lancetta]

Quote:

Originariamente inviato da Tarrion

O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\winsys.exe

molto sospetto,però se non sbaglio potrebbe essere associato ai diver nvidia
aspetta qualcuno più esperto.....

Editreceduto da oasis90...
una domanda se è malware non è associato a rustock (spero di sbagliare...)?

[Tall99]

Quote:

Originariamente inviato da oasis90

FIXA:

O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\winsys.exe

Il resto è pulito

straquoto!

[Tarrion]

siete sicuri allora la fixo? perché anche io avevo sentito parlare del fatto che può trattarsi della nvidia dato che la scheda video è di quella marca...

[Scarymiss]

Quote:

Description:
winsys.exe is a part of a surveillance software from bc-technologies. It is used to monitor and store a record of all user activities. This process should be removed to ensure your personal privacy.

Note: winsys.exe is a process which is also registered as the WORM_FALSU.A Trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Vai,cancella senza timore

[oasis90]

Quote:

Originariamente inviato da Scarymiss

Vai,cancella senza timore

quoto..

[Tarrion]

grazie a tutti problema risolto!

[Tall99]

Quote:

Originariamente inviato da Tarrion

grazie a tutti problema risolto!

straquoto!

[Tarrion]

Mi dispiace, ma nonostante l'estrema cautela con cui navigo, il problema è tornato, avast! mi avvisa ogni volta che mi connetto ad internet dicendo che ha trovato un trojan di nome "spoolsv32", io clicco sul pulsante "chiudi connessione" ma il computer continua a mandare mail a ruota... ecco il log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12.20.53, on 10/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\M-Audio\MobilePre\Install\MPInst.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Programmi\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Winamp\winamp.exe
C:\Programmi\MSN Messenger\livecall.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Mozilla Firefox\firefox.exe
F:\Achille\Programmi E Giochi\backups\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: 212.251.31.10 L2authd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{039C3068-A402-49B5-8A4B-D8E752617A91}: NameServer = 85.37.17.16 85.38.28.68
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Programmi\M-Audio\MobilePre\Install\MPInst.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Programmi\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Programmi\TuneUp Utilities 2006\WinStylerThemeSvc.exe (file missing)

--
End of file - 5435 bytes

[wizard1993]

cambia antivirus e metti active virus shield (clikka)

aggiornalo e fai una scansione (nella guida linkata c'è tutto) poi scaricati un firewall e installatelo; poi posta un log di hijackthis

[pcì]

sbaglio o sei senza firewall?
sostituisci avast con un antivirus migliore (avira, kasperky, avs), fai scansioni con asquared free, superantispyware, avgantispy, bitdefender-online...

insomma le solite cose

edit: preceduto da wizard

[Tarrion]

grazie del consiglio, ma ho bisogno di levare questo virus immediatamente, poi provvederò a cambiare antivirus, potete dirmi come fare?

[juninho85]

simpatico rustock
scarica avenger ed avvia il seguente script
Files to delete:
C:\WINDOWS\winsys.exe
C:\WINDOWS\omsnlog.dll
C:\WINDOWS\system32\lzx32.sys
C:\WINDOWS\service32.exe
C:\syseniy.exe
C:\WINDOWS\423523298.exe
C:\WINDOWS\csrs.exe
C:\WINDOWS\csrss.dll
C:\WINDOWS\system32\xpdx.sys

Registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|winsys.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|1

Registry values to delete:
HKLM\SYSTEM\CurrentControlSet\Services\PerfNetk
HKLM\SYSTEM\CurrentControlSet\Services\PerfOSt
HKLM\SYSTEM\CurrentControlSet\Services\Processorort
HKLM\SYSTEM\CurrentControlSet\Services\PSchedtedStorage
HKLM\SYSTEM\CurrentControlSet\Services\ql1080k
HKLM\SYSTEM\CurrentControlSet\Services\ql12400

dopo aver fatto questo modifica da regedit la chiave

Quote:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon"Userinit"="%System%\userinit.exe,,%Windir%\svchost.exe%"

in maniera da renderla come la seguente

Quote:

"%System%\userinit.exe",

ovviamente post il log restituito da avenger