Hello.
Slow connection, presence of the files lsass.exe, services.exe, winlog.exe, csrss.exe, smss.exe. The PC sometimes freezes, making every icon and menu unusable.
AVG detects but does not remove, and the same goes for VirIT.
In the last scan, 11 infected files were deleted.
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 1.10.15, on 10/07/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\om3ga\Impostazioni locali\Temp\Directory temporanea 1 per hijackthis_199.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\System32\qomlmkk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] $$
O4 - HKLM\..\Run: [DSLAGENTEXE] $$
O4 - HKLM\..\Run: [AVG7_CC] $$
O4 - HKLM\..\Run: [GSICON.EXE] $$
O4 - HKLM\..\Run: [dslagent.exe USB] $$
O4 - HKLM\..\Run: [$$] $$
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{128F6032-9F07-4B17-90E6-001116776E34}: NameServer = 193.12.150.2 212.247.152.2
O20 - Winlogon Notify: qomlmkk - C:\WINDOWS\SYSTEM32\qomlmkk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Security Restore Services - Unknown owner - C:\WINDOWS\system32\svshost.exe
VirIT log in safe mode
VirIT eXplorer Lite Log
[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
10/07/2007 - 01:15:25
[SCANSIONE DEL REGISTRO]
OK
[A:]
BOOT SECTOR: OK
[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
C:\Programmi\File comuni\System\MSASP32.exe Infetto da Backdoor.SdBot.QB
* * * RIMOSSO * * *
C:\WINDOWS\system32\scrcons32.exe Infetto da Backdoor.RBot.XY
* * * RIMOSSO * * *
[D:]
VirIT scan in normal mode
VirIT eXplorer Lite Log
[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
10/07/2007 - 01:15:25
[SCANSIONE DEL REGISTRO]
OK
[A:]
BOOT SECTOR: OK
[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
C:\Programmi\File comuni\System\MSASP32.exe Infetto da Backdoor.SdBot.QB
* * * RIMOSSO * * *
C:\WINDOWS\system32\scrcons32.exe Infetto da Backdoor.RBot.XY
* * * RIMOSSO * * *
[D:]
[E:]
Chiavi Registro infette: 0.
Files Infetti: 2.
Files Sospetti: 0.
Files Analizzati: 15649.
Files Totali: 15649.
Chiavi Registro rimosse: 0.
Virus Rimossi: 2.
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
10/07/2007 - 01:24:43
[SCANSIONE DEL REGISTRO]
OK
[A:]
BOOT SECTOR: OK
[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[D:]
[E:]
Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 10093.
Files Totali: 10093.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.
HijackThis scan after VirIT in normal mode
Logfile of HijackThis v1.99.1
Scan saved at 1.29.20, on 10/07/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svshost.exe
C:\VEXPLITE\viritsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Winamp\winampa.exe
C:\VEXPLITE\MONLITE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Windows NT\Accessori\WORDPAD.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\om3ga\Impostazioni locali\Temp\Directory temporanea 2 per hijackthis_199.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\System32\qomlmkk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] $$
O4 - HKLM\..\Run: [DSLAGENTEXE] $$
O4 - HKLM\..\Run: [AVG7_CC] $$
O4 - HKLM\..\Run: [GSICON.EXE] $$
O4 - HKLM\..\Run: [dslagent.exe USB] $$
O4 - HKLM\..\Run: [$$] $$
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: õÿÿÿ -
O17 - HKLM\System\CCS\Services\Tcpip\..\{128F6032-9F07-4B17-90E6-001116776E34}: NameServer = 193.12.150.2 212.247.152.2
O20 - Winlogon Notify: qomlmkk - C:\WINDOWS\SYSTEM32\qomlmkk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Security Restore Services - Unknown owner - C:\WINDOWS\system32\svshost.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
heLP pls
HelP!!!
Patrizio