Qualche trojan e qualche altro problema

[zell]

salve

ho il seguente problema...ogni volta che avvio windows avast mi dice che ci son dei trojan e io gli dico di fare delete
poi search and destroy mi dice che qualcuno vuole modificare il registro e gli dico di no

però comunque ogni tanto mi si apre ie dal nulla verso una pagina con un brutto link e lo chiudo subito...e ogni tanto avast si avvia e dice di nuovo che c'è un trojan

ho provato sia avast, search and destroy che ad aware ma il problema rimane

il log di hijackthis.log:

codice:

Logfile of HijackThis v1.99.1
Scan saved at 16.26.40, on 25/09/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\Programmi\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\winfp.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Programmi\HPQ\Shared\hpqwmi.exe
C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\WINDOWS\system32\CMMON32.EXE
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Daniele\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PTHOSTTR] C:\Programmi\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKLM\..\Run: [Windows Lsass Services] C:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [AAWTray] C:\Programmi\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Programmi\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177767488703
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B601C08-686D-4A17-8BBC-B467DB7710B8}: NameServer = 29.253.128.10,29.253.128.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{A344C058-E307-4A6D-926E-EB2845B993D8}: NameServer = 130.136.1.110 130.136.1.110
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Programmi\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\Shared\hpqwmi.exe
O23 - Service: MySQL - Unknown owner - C:\Programmi\MySQL\MySQL.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

cosa posso fare??

Daniele

[tecnico24]

Ciao daniele,avvia hijackthis,clicca sull opzione Do a system scan only
seleziona a sinistra queste voci:

O4 - HKLM\..\Run: [Windows Lsass Services] C:\WINDOWS\system\lsass.exe
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe


Poi scarica avenger http://swandog46.geekstogo.com/avenger.zip
clicca sull'opzione input script manually,poi sulla lente di ingrandimento ed inserisci nel box vuoto questo script in rosso:

files to delete:
C:\WINDOWS\winfp.exe
C:\WINDOWS\system\lsass.exe



clicca su Done,poi sul semaforo con luce verde,due volte si,riavvia il pc e posta qui il log di avenger(lo trovi in c:/avenger.txt)

[zell]

ci ho provato...ma mi ha dato un errore quando ho cliccato su riavvia
una volta riavviato, il fileche dici

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\vjaijmyp

*******************

Script file located at: \??\C:\Documents and Settings\jybndppk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\winfp.exe deleted successfully.


File C:\WINDOWS\system\lsass.exe not found!
Deletion of file C:\WINDOWS\system\lsass.exe failed!

Could not process line:
C:\WINDOWS\system\lsass.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

[ste_95]

riscontri ancora problemi?

se si scarica systemscan, il link è nella mia firma, e fai la scansione con tutte le voci spuntate, a questo punto carica il file log su questo sito e dacci il primo link che vedi per aprirlo...

[zell]

si ci sono ancora gli stessi problemia

ora provo come dici tu

[ste_95]

attendo...

[zell]

http://www.freefilehosting.net/download/MjQzNzE=

ecco fatto
cmq il sistema peggiore sempre di più..ogni tanto si blocca tutto e parte un istanza di ie...se la chiudo poi nei processi cmq rimane sempre un iexplorer.exe

e inoltre ogni tanto si avvia e non carica neinte...se apro task manager mancano tutti i processi sotto il mio nome (come se non caricasse l'utente) devo uscire e rientrare

ed infine ogni tanto non si spegne neanche...sta ore nella schermata finale di xp..

[zell]

proprio ora mi è comparso un popup di ie dal nulla che recita:
IMPORTANTE: la scansione non è stata completata...bla bla...dice di provare ErrorSafe

se faccio annulla si apre una pagina di ie vuota...

[ste_95]

con avenger inserisci questo script:

se conosci o in qualche modo pensi che quel file Eplorer.exe sia legittimo, toglilo dalòlo script, dalla riga in rosso...

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \winfp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \C:\WINDOWS\system\lsass.exe"

Files to delete:
C:\windows\winfp.exe
C:\WINDOWS\system\lsass.exe
D:\Explorer.exe
C:\54a1c3e5edc60dd949621bbe04\autorun.inf
C:\54a1c3e5edc60dd949621bbe04\Setup.exe

Folders to delete:
C:\DOCUME~1\Daniele\IMPOST~1\Temp
Error opening C:\WINDOWS\Temp

alla fine dacci il log e un nuovo log di hijackthis...

[zell]

ho provato ub the avenger e mi dice:

Error: Syntax error in line -- no registry value to be found. Line wiill be ignored

ora riavvio