#1
Senior Member
Joined: Sep 2001
City: Vicopisano (PI)
Posts: 11652
Computer infested with dialers and spyware
Well, lately I keep getting these infested computers where the viruses practically jump out of the hard drive.
So, there is a computer with various spyware/dialers that I have checked but cannot manage to clean up. I ran scans with ewido + Ad-Aware and they removed a bit of junk, but popups keep opening and at startup a dialer runs that tries to connect to a number (there's ADSL anyway). I removed a ton of suspicious executables from autostart in regedit, but evidently that isn't enough. Any ideas? In the meantime I'm posting the log taken at the end of my attempts, so you can see what is still there:
Code:
Logfile of HijackThis v1.99.1
Scan saved at 21.39.59, on 15/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ewido\security suite\ewidoctrl.exe
C:\Programmi\Apoint\Apoint.exe
C:\Programmi\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\msahe319.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\Programmi\Sony\vaio media music server\SSSvr.exe
C:\Programmi\Apoint\Apntex.exe
C:\Programmi\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\system32\wuauclt.exe
F:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.sfonditalia.biz?1746
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit32.exe
O2 - BHO: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [StatusClient] C:\Programmi\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Programmi\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [4ac63fd0267c] C:\WINDOWS\System32\comcat10.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [gcasServ] C:\WINDOWS\gcasServ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteabh32.exe
O4 - HKLM\..\Run: [Olympic] C:\Documents and Settings\claudio\Dati applicazioni\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKCU\..\Run: [Windows Media Player] 50cent.exe
O4 - HKCU\..\Run: [Los5RjH3R] msahe319.exe
O4 - HKCU\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKCU\..\Run: [System] mah.exe
O4 - HKCU\..\Run: [Messanger] phqghume.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O12 - Plugin for .mid: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.master70.biz
O15 - Trusted Zone: www.master71.biz
O15 - Trusted Zone: www.sfonditalia.biz
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O15 - Trusted Zone: www.xbeta69.com
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {EAA105FE-7BBD-4196-8B96-D46743894195} (MjpegControl Class) - http://213.203.169.142:50/plugin/mjpegcontrol.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5C4F95-AC34-4867-9699-2E4868D90096}: NameServer = 212.216.112.112,212.216.172.62
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FILECO~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Programmi\Sony\vaio media music server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Programmi\File comuni\Sony Shared\vaio media platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Programmi\sony\photo server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Programmi\File comuni\sony shared\vaio media platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Programmi\File comuni\sony shared\vaio media platform\UPnPFramework.exe
Bye, GHz
#2
Senior Member
Joined: May 2004
City: Sestri Levante
Posts: 617
The usual little question: did you run the scans in Safe Mode after disabling System Restore?
#3
Senior Member
Joined: Dec 2004
City: Magenta (MI)
Posts: 1513
Let's roll up our sleeves and start cutting

First of all I would run the EliteToolBar removal tool: http://www.softpedia.com/get/Interne...-Remover.shtml
Then disable System Restore and reboot into Safe Mode.
Fix these lines with HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.sfonditalia.biz?1746
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll (file missing)
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll (file missing)
O4 - HKLM\..\Run: [4ac63fd0267c] C:\WINDOWS\System32\comcat10.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteabh32.exe
O4 - HKLM\..\Run: [Olympic] C:\Documents and Settings\claudio\Dati applicazioni\sgrunt\IE4321.exe
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [Windows Media Player] 50cent.exe
O4 - HKCU\..\Run: [Los5RjH3R] msahe319.exe
O4 - HKCU\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKCU\..\Run: [System] mah.exe
O4 - HKCU\..\Run: [Messanger] phqghume.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.master70.biz
O15 - Trusted Zone: www.master71.biz
O15 - Trusted Zone: www.sfonditalia.biz
O15 - Trusted Zone: www.skymasters.biz
O15 - Trusted Zone: www.xbeta69.com
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {EAA105FE-7BBD-4196-8B96-D46743894195} (MjpegControl Class) - http://213.203.169.142:50/plugin/mjpegcontrol.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)

Besides these, the following are suspicious:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit32.exe

Files or directories to delete (if they exist):

C:\WINDOWS\AdRoar.dll
C:\WINDOWS\System32\comcat10.exe
C:\Program Files\Media Pass (directory)
C:\windows\system32\eliteabh32.exe
C:\Documents and Settings\claudio\Dati applicazioni\sgrunt (directory)
C:\WINDOWS\ARUpdate.exe
C:\Program Files\AutoUpdate (directory)
50cent.exe
msahe319.exe
mcafee32.exe
mah.exe
phqghume.exe
C:\WINDOWS\System32\maxspeed.exe
C:\WINDOWS\System32\vbsys2.dll

Reboot in normal mode and post the log again so we can check the result.
Bye bye
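As an added example that is not part of the thread, the Python script below applies the triage rules the reply above applies by hand to HijackThis entries: orphaned "(file missing)" components, Run entries with a bare file name and no path, unexpected Trusted Zone sites, ActiveX controls pulled from a local .cab, an extra program chained into UserInit, and a start page whose host was also added to the Trusted Zone. The sample lines are copied from the log in the first post; the EXPECTED_ZONES allow-list is an assumption for the demo.

```python
import re

# Constructed sample: eight lines copied from the HijackThis log quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.sfonditalia.biz?1746
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit32.exe
O2 - BHO: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Windows Media Player] 50cent.exe
O15 - Trusted Zone: www.sfonditalia.biz
O15 - Trusted Zone: *.sony-europe.com
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
"""

# Trusted Zone entries the machine's vendor (Sony VAIO) ships: an assumption for this demo.
EXPECTED_ZONES = {"*.sony-europe.com", "*.sonystyle-europe.com", "*.vaio-link.com"}
ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

def _host(url):  # 'www.x.biz?1746' or 'http://x.biz/path' -> bare host name
    return re.split(r"[/?]", url.split("://", 1)[-1], maxsplit=1)[0].lower()

def triage(log, expected_zones=EXPECTED_ZONES):
    # Maps each HijackThis line that deserves a look to the reason it was flagged.
    findings, trusted, start_page = {}, set(), None
    for line in (ln.strip() for ln in log.splitlines()):
        m = ENTRY.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if body.endswith(("(file missing)", "(no file)")):
            findings[line] = "orphaned reference: registered component has no file on disk"
        elif sec == "R0" and "Start Page" in body:
            start_page = (line, _host(body.split("= ", 1)[1]))
        elif sec == "F2" and "UserInit=" in body:
            extra = [p for p in body.split("UserInit=", 1)[1].split(",")[1:] if p.strip()]
            if extra:  # the default is userinit.exe alone (with a trailing comma)
                findings[line] = "extra program chained into UserInit: " + ", ".join(extra)
        elif sec == "O4" and "] " in body:
            cmd = body.split("] ", 1)[1].strip('"')
            if "\\" not in cmd:  # bare file name: resolved via the search path, no vendor directory
                findings[line] = "Run entry with no path: executable dropped on the search path"
        elif sec == "O15":
            zone = body.split(": ", 1)[1].lower()
            trusted.add(zone)
            if zone not in expected_zones:
                findings[line] = "unexpected site in IE Trusted Zone (relaxed security settings)"
        elif sec == "O16" and "file://" in body:
            findings[line] = "ActiveX control (DPF) sourced from a local .cab"
    if start_page and start_page[1] in trusted:  # the hijacker also whitelisted its own host
        findings[start_page[0]] = "start page points at a host that was also added to the Trusted Zone"
    return findings
```

Running `triage(SAMPLE_LOG)` flags six of the eight lines and leaves the Symantec Run entry and the vendor Trusted Zone alone.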
#4
Senior Member
Joined: Nov 2001
City: Varese
Posts: 1461
Quote: