downloader.GK

[federikakordano]

Ciao a tutti,
Da qualche tempo ho su un mio pc (con windowsXP home edition) un virus chiamato appunto downloader.gk. Con norton non riesco ad eliminarlo, neanche in modalità provvisoria; ho provato con panda software on line (active scan) lo vede ma non riesce ad eliminarlo.
Come posso fare?
grazie..

[amvinfe]

posta un log di HijackThis, il programma lo trovi in rilievo -links utili-

[federikakordano]

Eccolo:

Logfile of HijackThis v1.98.2
Scan saved at 11.51.15, on 09/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\Apache Group\Apache\Apache.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmi\Apache Group\Apache\Apache.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programmi\Real\RealPlayer\RealPlay.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programmi\MSN Apps\Updater\01.02.0002.1001\it\msnappau.exe
C:\Documents and Settings\Home\Desktop\FreeRAM XP Pro 1.40.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\MailWasher Pro\MailWasher.exe
C:\Programmi\Macromedia\Dreamweaver MX\Dreamweaver.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WS_FTP\WS_FTP95.exe
C:\apps\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Messenger\msmsgs.exe
C:\roberto\download\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tele2.it/redirect/dial_up
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - TELE2Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.0002.1001\it\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.0002.1001\it\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Programmi\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [msnappau] "C:\Programmi\MSN Apps\Updater\01.02.0002.1001\it\msnappau.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Home\Desktop\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tele2.it/redirect/dial_up
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.sesso.be/i0267hn.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...bb9ab412ee222b
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{041C6437-AC58-4B1D-AD24-D2A80124B4AE}: NameServer = 212.121.64.2,195.31.190.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4AD10B4-31FC-4D0D-8079-B94EA186000A}: NameServer = 195.31.190.31,212.216.112.112
O17 - HKLM\System\CS1\Services\Tcpip\..\{041C6437-AC58-4B1D-AD24-D2A80124B4AE}: NameServer = 212.121.64.2,195.31.190.31

[amvinfe]

dalla provvisoria elimina le seguenti voci mettendo la spunata e cliccando su Fix checked

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.sesso.be/i0267hn.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...12e
e222b
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB


riavvia, disattiva il Ripristino di configurazione di sistema,
Click su Start, click con il tasto dx del mouse su Risorse del Computer poi su Proprietà. Click sulla scheda Ripristino configurazione di sistema mettere la spunta su Disattiva Ripristino configurazione di sistema o su Disattiva Ripristino configurazione di sistema su tutte le unità, click su Applica click su Sì e poi su OK, riavviare.
Fai una scansione con l'antivirus.

Riavvia il pc
Riattiva il Ripristino di conf. di sistema

[federikakordano]

Grazie mille !!! Ho risolto il problema.