Aiuto! Cos'è "QxNet"?

[El Matador 79]

Utilizzando PeerGuardian mi capita spesso di vedere che vengono bloccati in sequenza circa 1000/2000 accessi provenienti da un unico soggetto.
Il messaggio che mi appare è:

Connection Rejected: 64.191.130.90 - QXNET[SPYWARE]

Controllo il pc con Ad-aware abbastanza spesso e non ho trovato nessuno spyware.
Non ho virus. (o almeno non ne ho mai rilevati... )
I blocchi avvengono anche se non sto utilizzando programmi P2P e anche se Explorer è chiuso e non ho file temporanei, cookies ecc... in memoria.
Ho controllato nel registro di sistema, ma non ho chiavi con quel nome.

Sapete di cosa si tratta?

Grazie

[El Matador 79]

up

[MrOZ]

qxnet è un trasponder, che fa parte delle infezioni da VX2.BetternetInternet.

dovresti controllare il log di hijackthis.




Questa è una procedura manuale con un tool x rimuoverlo:

=== Look2me VX2.BetternetInternet Fix for Win 2K and XP only ===


=== Download Need Programs ===
Download the latest version of Ad-Aware at
http://www.lavasoft.de/software/adaware/

Download the following tool and install it in its own folder:
http://tools.zerosrealm.com/VX2Finder.exe


=== Get Name of Hidden dll ===
Run vx2finder.exe
Press 'Click to Find VX2.BetterInternet'
Press 'Make Log' and post it in this thread for review


=== Delete Hidden dl, Guardian key, User Agent; Restore Security Policies ===
Sign off and stay off the internet until the entire procedure is complete
Run vx2finder.exe
Press 'Click to Find VX2.BetterInternet'
Select all the files found
Press 'Delete These Files'

The program will delete all files but one that will be deleted on reboot
Allow program to reboot

Once Restarted:
a. Press 'Guardian.reg'
b. Press 'User Agent'
c. Press 'Restore Policy'

=== Remove Remaining Infection ===
After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html

Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"

Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.


=== Verify Removal ===
Run vx2finder.exe
Press 'Click to Find VX2.BetterInternet'
Press 'Make Log' and post it in this thread for review

Run HiJackThis and post a new log in this thread

=== End of Look2me, VX2.BetterInternet Fix ===

[El Matador 79]

Grazie mille.
Quando ho un po' di tempo provo a fare quello che hai scritto...

Ma, in sintesi, è un pericolo x la privacy? Crea danni?
Oppure non da fastidio?

Ciao

[MrOZ]

Un trasponder può monitorare la tua attività internet, mandando info all'esterno ed aprire popup pubblicitari

http://www.pestpatrol.com/pestinfo/v/vx2.asp

http://www.spysweeper.com/betterinternet-uninstall.html

[El Matador 79]

Ho scaricato e usato VX2Finder ma non mi ha trovato niente, così come Ad-aware...

Mi puoi dire cosa fare con HiJackthis?

[MrOZ]

fai uno scan, salva il log che è in formato txt e copia-incollalo qui.

[El Matador 79]

Logfile of HijackThis v1.98.0
Scan saved at 17.16.36, on 10/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVirPersonal\AVGUARD.EXE
C:\Programmi\AntiVirPersonal\AVWUPSRV.EXE
C:\Programmi\CPUCooL\CooLSrv.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\AntiVirPersonal\AVGNT.EXE
C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
C:\Programmi\IE Privacy Keeper\IEPrivacyKeeper.exe
C:\WINDOWS\system32\mapiicon.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\PeerGuardian\PeerGuardian_1.99b_pr14.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.99.209.54:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADSL_A2] A2Installed
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programmi\AntiVirPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\Programmi\IE Privacy Keeper\IEPrivacyKeeper.exe" -stcleanup
O4 - Startup: ITeX PPP Connection.lnk = ?
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {11111111-1111-1111-1111-111111111123} -
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E52381566} - http://toolbar.isearch.com/uninstall/uninstall.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B544FC4-2318-4E81-9841-8D278D41F1A2}: NameServer = 195.130.224.18 195.130.225.129

[El Matador 79]

up

[El Matador 79]

up

[Bilancino]

Meglio Protowall che peerguardian.........più leggero come risorse.

Ciao

[netquik]

hai provato adaware con plugin VX2?

leggi qui per info

http://forum.hwupgrade.it/showthread...hreadid=728094

[El Matador 79]

Quote:

Originariamente inviato da netquik
hai provato adaware con plugin VX2?

leggi qui per info

http://forum.hwupgrade.it/showthread...hreadid=728094

Provato.
"System clean"

Allora sono a posto?

[netquik]

bhè vedi se il problema lo hai ancora...

nel log hijack

eliminerei solo
O16 - DPF: {11111111-1111-1111-1111-111111111123} -

(mi pare avanzo di infezione)

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E52381566} - http://toolbar.isearch.com/uninstall/uninstall.exe

e ovviamente i vari R* relativi alla pagina iniziale