Il mio antivirus(Avast) ha rintracciato il virus Win32:NcaseSpy ma non è in grado di rimuoverlo. Qualcuno ha info in merito? Thanks
Il mio antivirus(Avast) ha rintracciato il virus Win32:NcaseSpy ma non è in grado di rimuoverlo. Qualcuno ha info in merito? Thanks
prova a dare un'okkiata qui http://forums.techguy.org/archive/in.../t-250719.html
e magari posta un log di hijackthis
Logfile of HijackThis v1.98.2
Scan saved at 14.32.23, on 06/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
D:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
D:\Programmi\Alwil Software\Avast4\ashserv.exe
D:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
D:\Programmi\QuickTime\qttask.exe
D:\Programmi\Alwil Software\Avast4\ashDisp.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE
D:\Program Files\Winad Client\Winad.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Winad Client\WinClt.exe
D:\Programmi\Internet Explorer\iexplore.exe
D:\Programmi\Web_Rebates\WebRebates1.exe
D:\Programmi\Web_Rebates\WebRebates0.exe
D:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
D:\Documents and Settings\Antonella Maselli\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - D:\WINDOWS\System32\nvms.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - D:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - D:\WINDOWS\System32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\Programmi\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Winad Client] D:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [WebRebates0] "D:\Programmi\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Shareaza] "D:\Programmi\Shareaza\Shareaza.exe" -tray
O4 - Global Startup: Microsoft Office.lnk = D:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Rebates - file://D:\Programmi\Web_Rebates\Sy1150\Tp1150\scri1150a.h tm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...1a0351cafa03db
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (AxisCamControl) - http://caldarulocam.webstudioitalia....CamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605157.exe
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A5B34C0-FA8D-4A35-8564-3A241A690AB9}: NameServer = 130.244.127.161 130.244.127.169
Come prima cosa, metti HijackThis all'interno di una nuova cartella.
Scaricati AdAware da -links utili- è in Rilievo.
Apri la task manager (CTRL+ALT+CANC) e termina questi processi
D:\Program Files\Winad Client\Winad.exe
D:\Program Files\Winad Client\WinClt.exe
D:\Programmi\Web_Rebates\WebRebates1.exe
D:\Programmi\Web_Rebates\WebRebates0.exe
Chiudi tutte le eventuali finestre di altre applicazioni. Apri HJT lancia la scansione e metti la spunta al fianco dei seguenti valori, clicca su Fix checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - D:\WINDOWS\System32\nvms.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - D:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - D:\WINDOWS\System32\msbe.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [Winad Client] D:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [WebRebates0] "D:\Programmi\Web_Rebates\WebRebates0.exe"
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...cafa03db
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (AxisCamControl) - http://caldarulocam.webstudioitalia...sCamControl.ocx
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605157.exe
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/content...er/imloader.cab
Elimina il contenuto della cartella Temporary Internet Files
Elimina il contenuto della cartella TEMP
Riavvia in modalità provvisoria
Elimina
D:\Program Files\Winad Client \Winad.exe <==la cartella
D:\Program Files\Winad Client \WinClt.exe <==la cartella
D:\Programmi\Web_Rebates \WebRebates1.exe <==la cartella
D:\Programmi\Web_Rebates \WebRebates0.exe <==la cartella
Sempre dalla provvisoria Apri Adaware e lancia una scansione, elimina tutti i valori infetti.
Riavvia e posta un nuovo log di HJT
fatto ecco il nuovo log
Logfile of HijackThis v1.98.2
Scan saved at 15.11.58, on 07/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
D:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
D:\Programmi\Alwil Software\Avast4\ashserv.exe
D:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\svchost.exe
D:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
D:\Programmi\QuickTime\qttask.exe
D:\Programmi\Alwil Software\Avast4\ashDisp.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Antonella Maselli\Desktop\Nuova cartella\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - D:\WINDOWS\System32\mscb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\Programmi\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Winad Client] D:\Program Files\Winad Client\Winad.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Shareaza] "D:\Programmi\Shareaza\Shareaza.exe" -tray
O4 - Global Startup: Microsoft Office.lnk = D:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (AxisCamControl) - http://caldarulocam.webstudioitalia....CamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
tutto a posto?
dalla modalità provvisoria elimina cliccando su Fix checked
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - D:\WINDOWS\System32\mscb.dll
O4 - HKLM\..\Run: [Winad Client] D:\Program Files\Winad Client\Winad.exe
sempre dalla provvisoria, se presenti
D:\WINDOWS\System32\mscb.dll <== il file
D:\Program Files\Winad Client\Winad.exe <== la cartella
Riavvia, posta un log
fatto! Ecco l'ultimo log
ogfile of HijackThis v1.98.2
Scan saved at 21.38.14, on 09/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
D:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
D:\Programmi\Alwil Software\Avast4\ashserv.exe
D:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\svchost.exe
D:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
D:\Programmi\QuickTime\qttask.exe
D:\Programmi\Alwil Software\Avast4\ashDisp.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Documents and Settings\Antonella Maselli\Desktop\Nuova cartella\HijackThis.exe
D:\WINDOWS\System32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tele2.it/redirect/startpage/adsl/ita
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMMI\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\Programmi\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3200] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Shareaza] "D:\Programmi\Shareaza\Shareaza.exe" -tray
O4 - Global Startup: Microsoft Office.lnk = D:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (AxisCamControl) - http://caldarulocam.webstudioitalia....CamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
il log è ok
grazie mille!
Permessi di invio
Rispondi quotando