Thread: how to remove w.exe?

  1. #1

    how to remove w.exe?

    I have a small problem: for a few days I have been seeing w.exe in c:, identified on some sites as a trojan, and I can't remove it. So far I have tried Spybot, Ad-Aware and a-squared, but they don't recognize it. I also blocked it using WinTasks Pro 5; it stays where it was and, as before, if I try to delete it I'm told this isn't possible because another program is already using it. What could I do before reinstalling the system?

    My OS is Win XP; I'm attaching the HijackThis and StartupList logs in the hope that someone will come to my aid.

    Thanks in advance!

    Logfile of HijackThis v1.99.1
    Scan saved at 17.22.57, on 07/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Programmi\TOSHIBA\TME3\Tmesrv31.exe
    C:\WINDOWS\system32\00THotkey.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Programmi\Apoint2K\Apoint.exe
    C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Programmi\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Programmi\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Programmi\TOSHIBA\ConfigFree\NDSTray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Programmi\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    C:\Programmi\TOSHIBA\TME3\TMEEJME.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programmi\LIUtilities\WinTasks\wintasks.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Programmi\mozilla.org\Mozilla\mozilla.exe
    C:\Programmi di instalazione\HijackThis1991.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [TouchED] C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Programmi\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Programmi\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
    O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Programmi\TOSHIBA\TME3\Tmesrv31.exe




    StartupList report, 07/12/2005, 17.23.35
    StartupList version: 1.52
    Started from : C:\Programmi di instalazione\startuplist1521\StartupList.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Programmi\TOSHIBA\TME3\Tmesrv31.exe
    C:\WINDOWS\system32\00THotkey.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Programmi\Apoint2K\Apoint.exe
    C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Programmi\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Programmi\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Programmi\TOSHIBA\ConfigFree\NDSTray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\Programmi\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    C:\Programmi\TOSHIBA\TME3\TMEEJME.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programmi\LIUtilities\WinTasks\wintasks.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Programmi\mozilla.org\Mozilla\mozilla.exe
    C:\Programmi di instalazione\HijackThis1991.exe
    C:\Programmi di instalazione\startuplist1521\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:

    [C:\Documents and Settings\ermanno\Menu Avvio\Programmi\Esecuzione automatica]
    Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    000StTHK = 000StTHK.exe
    IgfxTray = C:\WINDOWS\system32\igfxtray.exe
    HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
    Apoint = C:\Programmi\Apoint2K\Apoint.exe
    TouchED = C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
    TFNF5 = TFNF5.exe
    SmoothView = C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    TPSMain = TPSMain.exe
    TMESRV.EXE = C:\Programmi\TOSHIBA\TME3\TMESRV31.EXE /Logon
    TMERzCtl.EXE = C:\Programmi\TOSHIBA\TME3\TMERzCtl.EXE /Service
    NDSTray.exe = NDSTray.exe
    avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
    TOSCDSPD = C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Promemoria registrazione 1.job
    Promemoria registrazione 2.job
    Promemoria registrazione 3.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Windows Genuine Advantage Validation Tool]
    InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
    CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\system32\stobject.dll

    --------------------------------------------------
    End of report, 5.599 bytes
    Report generated in 0,040 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

  2. #2
    Follow these instructions:

    http://securityresponse.symantec.com...ao.trojan.html

    Work from Safe Mode with System Restore disabled.

    Check that the entries listed by Symantec are present on your PC. Run a scan with HijackThis, but this time while disconnected.

  3. #3
    HTML.it user LUCASS (registered May 2005, 1,354 posts)
    Hi, first check whether it is infected, so go here: http://virusscan.jotti.org/
    Click "Browse" and paste this into the "file name" box:
    c:\w.exe
    Click "Open", then "Submit", and wait for the analysis; if it is infected, open HijackThis > open misc tools section > delete file on reboot > enter c:\w.exe in the box.
    Click Open and answer YES when asked whether you want to reboot.

  4. #4
    If it is infected it will have created registry keys, so I don't think that will work 100% as a solution. :master:
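
An added example, not part of the thread: one way to check a HijackThis log for autostart entries that name a given file, which is the practical side of the registry-key point above. The sample lines are copied from the log in post #1 except the last, which is a constructed entry; the function names are this example's own.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis log in post #1, plus one
# hypothetical entry (the last line) that is NOT in that log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O4 - HKLM\..\Run: [hypothetical] C:\w.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.+)$")
IMAGE = re.compile(r'"?(.+?\.(?:exe|dll|com|scr|bat|cmd|pif))\b', re.I)

def parse(log):
    """Yield one dict per autostart-related line (O2, O4, O20, O23)."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m.group(1) not in ("O2", "O4", "O20", "O23"):
            continue
        code, body = m.groups()
        if code == "O4" and "] " in body:          # Run key: "[name] command"
            target = body.split("] ", 1)[1]
        elif code == "O4":                          # Startup folder: "x.lnk = path"
            target = body.split(" = ", 1)[-1]
        else:                                       # last " - " field is the file
            target = body.rsplit(" - ", 1)[-1]
        img = IMAGE.match(target)
        path = img.group(1) if img else target
        yield {"code": code, "line": line.strip(), "path": path,
               "image": ntpath.basename(path).lower(),
               "no_dir": ntpath.dirname(path) == "",
               "missing": target.endswith("(file missing)")}

def references(log, filename):
    """Autostart entries whose executable name equals filename."""
    return [e for e in parse(log) if e["image"] == filename.lower()]

def needs_review(log):
    """Entries with no directory (resolved via the search path) or a missing file."""
    return [e for e in parse(log) if e["no_dir"] or e["missing"]]
```

An entry without a directory cannot be tied to one file on disk from the log alone, so it has to be checked on the machine itself.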

  5. #5
    HTML.it user LUCASS
    No, I said that because I hadn't seen that you had posted. Anyway, the Symantec write-up is from 2003, a bit old for it not to be recognized by various antivirus products; I think it is this one: http://www.sophos.com/virusinfo/anal...ojpsymeck.html

  6. #6

  7. #7
    HTML.it user LUCASS
    Yes, that's true, but all of them, and I haven't understood why, trace back to 2003; maybe a variant, I don't know.
