W32/Webdor.L

ReverendoMr.Manson · 16-06-2005, 03:08

Perchè da un paio di giorni mi becco ogni mezz' ora circa questo virus W32/Webdor.L (mi attacca il file svcost2.exe). L'antivirus (F-Prot aggiornato a 5 minuti fa) lo blocca poi facendo una scansione dell'intero sistema lo elimina ma dopo 30 minuti circa ricompare il messaggio di F-Prot

Che devo fare???

3dsst · 16-06-2005, 03:12

Quote:

Originariamente inviato da ReverendoMr.Manson

Perchè da un paio di giorni mi becco ogni mezz' ora circa questo virus W32/Webdor.L (mi attacca il file svcost2.exe). L'antivirus (F-Prot aggiornato a 5 minuti fa) lo blocca poi facendo una scansione dell'intero sistema lo elimina ma dopo 30 minuti circa ricompare il messaggio di F-Prot

Che devo fare???

Magari lo blocca ma non lo elimina prova n modalita provvisoria e disabilita il ripristino del sistema poi se n riesci neanche cosi posta il log di hijackthis

ReverendoMr.Manson · 16-06-2005, 03:14

Quando avvio la scansione manuale lo elimina poi dopo ricompare. Provero sto hijackthis.

ReverendoMr.Manson · 16-06-2005, 03:27

Ecco il log

Logfile of HijackThis v1.99.1
Scan saved at 3:24:48, on 16/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\rundll32.exe
C:\programmi\powerstrip\pstrip.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programmi\Lexmark X1100 Series\lxbkbmon.exe
C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Programmi\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\FILECO~1\TerraTec\SCHEDU~1\TTTimer.exe
C:\Programmi\File comuni\TerraTec\Remote\TTTVRC.exe
C:\Programmi\ABIT\ABIT uGuru\uGuru.exe
C:\Programmi\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programmi\Netropa\Onscreen Display\OSD.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\mnyfy.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programmi\StarOffice7\program\soffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Fabrizio\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programmi\GetRight\xx2gr.dll
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\svchost.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PowerStrip] c:\programmi\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Programmi\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [TerraTec Scheduler] C:\PROGRA~1\FILECO~1\TerraTec\SCHEDU~1\TTTimer.exe
O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programmi\File comuni\TerraTec\Remote\TTTVRC.exe"
O4 - HKLM\..\Run: [ABIT uGuru] C:\Programmi\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [JVM0.14] C:\WINDOWS\system32\creqyqx.exe
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\svchst.exe /i
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HDAudio Driver] C:\WINDOWS\system32\mnyfy.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: StarOffice 7.lnk = C:\Programmi\StarOffice7\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098134923296
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDSched.exe

un po lungo forse

bluepix · 17-06-2005, 09:19

Disabilita il ripristino di sistema.
Reboot in modalità provvisoria.
Fixa le seguenti rigjhe:
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\svchost.dll
O4 - HKLM\..\Run: [JVM0.14] C:\WINDOWS\system32\creqyqx.exe
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\svchst.exe /i

anche questa riga non mi piace e non ho trovato nulla riguardo al programma.
Propenderei per la cancellazione:
O4 - HKLM\..\Run: [HDAudio Driver] C:\WINDOWS\system32\mnyfy.exe

Poi cancella i file:
C:\WINDOWS\svchost.dll
C:\WINDOWS\system32\creqyqx.exe
C:\WINDOWS\svchst.exe
C:\WINDOWS\system32\mnyfy.exe

reboot in modalità normale

ciao

16-06-2005, 03:08	#1
ReverendoMr.Manson Senior Member Iscritto dal: Oct 2002 Città: Salento Messaggi: 870	W32/Webdor.L Perchè da un paio di giorni mi becco ogni mezz' ora circa questo virus W32/Webdor.L (mi attacca il file svcost2.exe). L'antivirus (F-Prot aggiornato a 5 minuti fa) lo blocca poi facendo una scansione dell'intero sistema lo elimina ma dopo 30 minuti circa ricompare il messaggio di F-Prot Che devo fare??? __________________ Trattato positivamente con: hornet75, dlenoc, Fable, Corona-Extra

16-06-2005, 03:14	#3
ReverendoMr.Manson Senior Member Iscritto dal: Oct 2002 Città: Salento Messaggi: 870	Quando avvio la scansione manuale lo elimina poi dopo ricompare. Provero sto hijackthis. __________________ Trattato positivamente con: hornet75, dlenoc, Fable, Corona-Extra

16-06-2005, 03:27	#4
ReverendoMr.Manson Senior Member Iscritto dal: Oct 2002 Città: Salento Messaggi: 870	Ecco il log Logfile of HijackThis v1.99.1 Scan saved at 3:24:48, on 16/06/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Programmi\FSI\F-Prot\F-StopW.EXE C:\WINDOWS\system32\rundll32.exe C:\programmi\powerstrip\pstrip.exe C:\WINDOWS\system32\devldr32.exe C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe C:\Programmi\Lexmark X1100 Series\lxbkbmon.exe C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe C:\Programmi\Logitech\MouseWare\system\em_exec.exe C:\PROGRA~1\FILECO~1\TerraTec\SCHEDU~1\TTTimer.exe C:\Programmi\File comuni\TerraTec\Remote\TTTVRC.exe C:\Programmi\ABIT\ABIT uGuru\uGuru.exe C:\Programmi\Netropa\Multimedia Keyboard\TrayMon.exe C:\Programmi\Netropa\Onscreen Display\OSD.exe C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\mnyfy.exe C:\Programmi\MSN Messenger\MsnMsgr.Exe C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Programmi\StarOffice7\program\soffice.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Fabrizio\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programmi\GetRight\xx2gr.dll O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\svchost.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [F-StopW] C:\Programmi\FSI\F-Prot\F-StopW.EXE O4 - HKLM\..\Run: [NVMixerTray] "C:\Programmi\NVIDIA Corporation\NvMixer\NVMixerTray.exe" O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [PowerStrip] c:\programmi\powerstrip\pstrip.exe O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Programmi\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe" O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [TerraTec Scheduler] C:\PROGRA~1\FILECO~1\TerraTec\SCHEDU~1\TTTimer.exe O4 - HKLM\..\Run: [TerraTec Remote Control] "C:\Programmi\File comuni\TerraTec\Remote\TTTVRC.exe" O4 - HKLM\..\Run: [ABIT uGuru] C:\Programmi\ABIT\ABIT uGuru\uGuru.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [JVM0.14] C:\WINDOWS\system32\creqyqx.exe O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\svchst.exe /i O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [HDAudio Driver] C:\WINDOWS\system32\mnyfy.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe" O4 - Startup: StarOffice 7.lnk = C:\Programmi\StarOffice7\program\quickstart.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1098134923296 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDSched.exe un po lungo forse __________________ Trattato positivamente con: hornet75, dlenoc, Fable, Corona-Extra

17-06-2005, 09:19	#5
bluepix Senior Member Iscritto dal: Dec 2004 Città: Magenta(MI) Messaggi: 1513	Disabilita il ripristino di sistema. Reboot in modalità provvisoria. Fixa le seguenti rigjhe: O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\svchost.dll O4 - HKLM\..\Run: [JVM0.14] C:\WINDOWS\system32\creqyqx.exe O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\svchst.exe /i anche questa riga non mi piace e non ho trovato nulla riguardo al programma. Propenderei per la cancellazione: O4 - HKLM\..\Run: [HDAudio Driver] C:\WINDOWS\system32\mnyfy.exe Poi cancella i file: C:\WINDOWS\svchost.dll C:\WINDOWS\system32\creqyqx.exe C:\WINDOWS\svchst.exe C:\WINDOWS\system32\mnyfy.exe reboot in modalità normale ciao

Strumenti
Mostra una versione stampabile Invia questa pagina per email