Credo di avere il pc zeppo di virus!

[Dave-Z]

Scusatemi, non voglio fare cross posting...ma forse dovevo postare quì dall'inizio....date un'occhiata quì: http://forum.html.it/forum/showthrea...hreadid=746766

leggete soprattutto il mio ultimo messaggio...la situazione è grave!

[amvinfe]

posta un log di HijackThis, trovi tutto in Rilievo -links utili-

[mardux]

una volta installato UN SOLO WINDOWS, configuralo, e prima di metterti in rete, installa un firewall tipo Sygate Personal Firewall, un antivirus e il SP2 (valutandone i lati positivi e negativi) oppure il SP1.

poi
attiva il FW

connettiti alla rete (crea una connessione ma nn aprire il browser)

aggiorna l'antivirus e fai una scansione sul sistema

vai su windows update, fai una scansione, e scarica le pacth che ti propone riguardo alla sicurezza.

fatto questo sei apposto.


seguendo questa procedura è quasi impossibile infettarsi da virus

[Dave-Z]

Originariamente inviato da amvinfe
posta un log di HijackThis, trovi tutto in Rilievo -links utili-

Questo è il log (tieni conto però che avevo disabilitato alcuni processi come beird.exe che è quello che a mio avviso rompeva + le palle!)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\dllmanager.exe
C:\WINDOWS\System32\spoolscv.exe
C:\WINDOWS\System32\winguard.exe
C:\WINDOWS\System32\klsuicbn.exe
C:\WINDOWS\System32\iexplore.exe
C:\WINDOWS\System32\mpsvc.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\svdll32.exe
C:\WINDOWS\System32\winmplyer32.exe
C:\WINDOWS\System32\sres32.exe
C:\WINDOWS\System32\msnmsgrr.exe
C:\WINDOWS\Mixer.exe
c:\windows\system32\ccdew\wshield.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Fuck xp!\Documenti\emule\emule.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
c:\windows\system32\ccdew\wshield.exe
c:\windows\system32\ccdew\ymnz.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wvsvc.exe
C:\Documents and Settings\Fuck xp!\Desktop\HijackThis1982.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Go And Start] svdll32.exe
O4 - HKLM\..\Run: [Quicktime Mediaplayer] winmplyer32.exe
O4 - HKLM\..\Run: [OEM32 Tools] sres32.exe
O4 - HKLM\..\Run: [Yahoo Update] Yahoo.exe
O4 - HKLM\..\Run: [dlite] dllmanager.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zofae.exe
O4 - HKLM\..\Run: [Win32 USB32 Driver] spoolscv.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\juzmx.exe
O4 - HKLM\..\Run: [ALTER DATA] c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
O4 - HKLM\..\Run: [blah service] msnmsgrr.exe
O4 - HKLM\..\Run: [winusb.dll] winguard.exe
O4 - HKLM\..\Run: [WinAC v4] klsuicbn.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RealPlayer] RealPlayer.exe
O4 - HKLM\..\Run: [Microsoft Update] msgn.exe
O4 - HKLM\..\Run: [nternet Explorer] iexplore.exe
O4 - HKLM\..\Run: [winlogin.exe] C:\WINDOWS\log.exe
O4 - HKLM\..\Run: [taskmgr.exe] C:\WINDOWS\paintms.exe
O4 - HKLM\..\Run: [MP Services] mpsvc.exe
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [Windows Media Player] msass43.exe
O4 - HKLM\..\RunServices: [Go And Start] svdll32.exe
O4 - HKLM\..\RunServices: [Quicktime Mediaplayer] winmplyer32.exe
O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe
O4 - HKLM\..\RunServices: [Yahoo Update] Yahoo.exe
O4 - HKLM\..\RunServices: [dlite] dllmanager.exe
O4 - HKLM\..\RunServices: [Win32 USB32 Driver] spoolscv.exe
O4 - HKLM\..\RunServices: [ALTER DATA] c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
O4 - HKLM\..\RunServices: [blah service] msnmsgrr.exe
O4 - HKLM\..\RunServices: [winusb.dll] winguard.exe
O4 - HKLM\..\RunServices: [WinAC v4] klsuicbn.exe
O4 - HKLM\..\RunServices: [RealPlayer] RealPlayer.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msgn.exe
O4 - HKLM\..\RunServices: [nternet Explorer] iexplore.exe
O4 - HKLM\..\RunServices: [MP Services] mpsvc.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msass43.exe
O4 - HKLM\..\RunOnce: [dlite] dllmanager.exe
O4 - HKLM\..\RunOnce: [Win32 USB32 Driver] spoolscv.exe
O4 - HKLM\..\RunOnce: [winusb.dll] winguard.exe
O4 - HKLM\..\RunOnce: [WinAC v4] klsuicbn.exe
O4 - HKLM\..\RunOnce: [nternet Explorer] iexplore.exe
O4 - HKLM\..\RunOnce: [MP Services] mpsvc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Go And Start] svdll32.exe
O4 - HKCU\..\Run: [OEM32 Tools] sres32.exe
O4 - HKCU\..\Run: [dlite] dllmanager.exe
O4 - HKCU\..\Run: [Yahoo Update] Yahoo.exe
O4 - HKCU\..\Run: [Win32 USB32 Driver] spoolscv.exe
O4 - HKCU\..\Run: [ALTER DATA] c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
O4 - HKCU\..\Run: [winusb.dll] winguard.exe
O4 - HKCU\..\Run: [WinAC v4] klsuicbn.exe
O4 - HKCU\..\Run: [RealPlayer] RealPlayer.exe
O4 - HKCU\..\Run: [Microsoft Update] msgn.exe
O4 - HKCU\..\Run: [nternet Explorer] iexplore.exe
O4 - HKCU\..\Run: [MP Services] mpsvc.exe
O4 - HKCU\..\RunServices: [ALTER DATA] c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
O4 - HKCU\..\RunOnce: [winusb.dll] winguard.exe
O4 - HKCU\..\RunOnce: [WinAC v4] klsuicbn.exe
O4 - HKCU\..\RunOnce: [Win32 USB32 Driver] spoolscv.exe
O4 - HKCU\..\RunOnce: [MP Services] mpsvc.exe
O4 - HKCU\..\RunOnce: [nternet Explorer] iexplore.exe
O4 - HKCU\..\RunOnce: [dlite] dllmanager.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101134429777
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF4E45F4-947F-4A3F-B106-D330474A49E7}: NameServer = 81.74.228.227 151.99.125.1

[amvinfe]

ti è mai balenata l'idea d'installare un antivirus?

Sei pieno di worms (Rbot soprattutto), fai una scansione online (quello della TrendMicro o quello della Panda) gli URLs li trovi nella stessa sezione dove hai scaricato HijackThis.
Finita la scansione riavvia


Dimenticavo:
posta poi un nuovo log

[Dave-Z]

Originariamente inviato da amvinfe
fai una scansione online (quello della TrendMicro o quello della Panda) gli URLs li trovi nella stessa sezione dove hai scaricato HijackThis.
Finita la scansione riavvia

è da mezzora che sto provando ma non riesco a far partire la scansione

[amvinfe]

Per quanto riguarda il file beird.exe, lo stesso è collegato al worm Randon.
Sia Rbot che lo stesso Randon modificano il file Hosts, avendo tu XP verifica che nel file Hosts (aprilo con il Notepad ed assicurati che NON vi sia spuntata la casella "Utilizza sempre questa applicazione per aprire questo tipo di file")

C:\windows\system32\drivers\etc\

vi sia solo

127.0.0.1 localhost


elimina tutto il resto al suo interno clicca su File in alto a sx e poi su salva. Prova a collegarti ora ed a fare la scansione online.

[amvinfe]

nel caso la scansione non ti riuscisse, puoi provare a risolvere in questo modo:

Crea una nuova cartella sul desktop e chiamala ad es. fix, al suo interno inserisci
SYSCLEAN.COM

e

lpt261.zip

dezippa il file lpt261.zip sempre all'interno della cartella fix.
Riavvia in mod. provvisoria apri la cartella fix che avevi creato clicca su sysclean verifica che sia selezionata l'opzione per la rimozione in automatico dei file, lancia la scansione.
Riavvia in mod. normale fai un nuovo scan con HJT e posta il log.

[Dave-Z]

Ok, sono riuscito a fare una scansione online con il panda:

Incident Status Location

Virus:W32/Gaobot.BMT.worm Disinfected Operating system
Virus:W32/Parite.B Disinfected C:\Documents and Settings\Fuck xp!\Impostazioni locali\Temp\era1.tmp
Virus:W32/Randon.CL.worm Disinfected C:\WINDOWS\system32\ccdew\beird.exe
Virus:W32/Randon.CL.worm Disinfected C:\WINDOWS\system32\ccdew\c.bat
Virus:W32/Randon.CL.worm Disinfected C:\WINDOWS\system32\ccdew\dual.exp
Virus:Trj/Passer.AD Disinfected C:\WINDOWS\system32\ccdew\emoti.bat
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\ccdew\hosts
Virus:Trj/Small.AK Disinfected C:\WINDOWS\system32\ccdew\ymnz.exe
Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\system32\cmd.ftp
Virus:W32/Korgo.BC.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Impostazi oni locali\Temporary Internet Files\Content.IE5\W8MYYRI6\x[1].exe
Virus:W32/Korgo.AR.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Impostazi oni locali\Temporary Internet Files\Content.IE5\W8MYYRI6\x[2].exe
Virus:W32/Korgo.AH.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Impostazi oni locali\Temporary Internet Files\Content.IE5\W8MYYRI6\x[3].exe
Virus:W32/Korgo.U.worm No disinfected C:\WINDOWS\system32\config\systemprofile\Impostazi oni locali\Temporary Internet Files\Content.IE5\W8MYYRI6\x[4].exe
Virus:W32/Gaobot.AHY.worm Disinfected C:\WINDOWS\system32\msnmsgr.exe
Virus:W32/Sdbot.BAE.worm Disinfected C:\WINDOWS\system32\pksvc.exe
Virus:W32/Parite.B Disinfected C:\WINDOWS\Temp\qsa1.tmp
Virus:W32/Parite.B Disinfected C:\WINDOWS\Temp\qsa2.tmp

come faccio ad eliminare il file ancora infetto?

[Dave-Z]

questo è il nuovo log con il sw che mi hai consigliato:

Logfile of HijackThis v1.98.2
Scan saved at 15.38.15, on 24/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dllmanager.exe
C:\WINDOWS\System32\spoolscv.exe
C:\WINDOWS\System32\klsuicbn.exe
C:\WINDOWS\System32\iexplore.exe
C:\WINDOWS\System32\mpsvc.exe
C:\WINDOWS\System32\wurguar.exe
C:\WINDOWS\System32\spoolcsv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\winfw.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\winmplyer32.exe
C:\WINDOWS\System32\Yahoo.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\RealPlayer.exe
C:\WINDOWS\paint.exe
C:\WINDOWS\taskmsg.exe
C:\WINDOWS\System32\wvsvc.exe
C:\WINDOWS\System32\msass43.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\System32\wuamgrder.exe
C:\WINDOWS\System32\crsss.exe
C:\WINDOWS\System32\msnmsgrr.exe
C:\WINDOWS\System32\SystemStat.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\Fuck xp!\Desktop\HijackThis1982.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Quicktime Mediaplayer] winmplyer32.exe
O4 - HKLM\..\Run: [Yahoo Update] Yahoo.exe
O4 - HKLM\..\Run: [dlite] dllmanager.exe
O4 - HKLM\..\Run: [ALTER DATA] c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
O4 - HKLM\..\Run: [WinAC v4] klsuicbn.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RealPlayer] RealPlayer.exe
O4 - HKLM\..\Run: [nternet Explorer] iexplore.exe
O4 - HKLM\..\Run: [winlogin.exe] C:\WINDOWS\paint.exe
O4 - HKLM\..\Run: [taskmgr.exe] C:\WINDOWS\taskmsg.exe
O4 - HKLM\..\Run: [MP Services] mpsvc.exe
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [Windows Media Player] msass43.exe
O4 - HKLM\..\Run: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\Run: [notepad.exe] C:\WINDOWS\iexplorer.exe
O4 - HKLM\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\Run: [Windows Automatic Update] wuamgrder.exe
O4 - HKLM\..\Run: [Windows media service] crsss.exe
O4 - HKLM\..\Run: [PK Services] pksvc.exe
O4 - HKLM\..\Run: [blah service] msnmsgrr.exe
O4 - HKLM\..\Run: [Win32 Firewall Driver] winfw.exe
O4 - HKLM\..\Run: [System Stats] SystemStat.exe
O4 - HKLM\..\Run: [Win32 USB32 Driver] spoolscv.exe
O4 - HKLM\..\RunServices: [Quicktime Mediaplayer] winmplyer32.exe
O4 - HKLM\..\RunServices: [Yahoo Update] Yahoo.exe
O4 - HKLM\..\RunServices: [dlite] dllmanager.exe
O4 - HKLM\..\RunServices: [ALTER DATA] c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
O4 - HKLM\..\RunServices: [WinAC v4] klsuicbn.exe
O4 - HKLM\..\RunServices: [RealPlayer] RealPlayer.exe
O4 - HKLM\..\RunServices: [nternet Explorer] iexplore.exe
O4 - HKLM\..\RunServices: [MP Services] mpsvc.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msass43.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\RunServices: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\RunServices: [Windows Automatic Update] wuamgrder.exe
O4 - HKLM\..\RunServices: [Windows media service] crsss.exe
O4 - HKLM\..\RunServices: [PK Services] pksvc.exe
O4 - HKLM\..\RunServices: [blah service] msnmsgrr.exe
O4 - HKLM\..\RunServices: [Win32 Firewall Driver] winfw.exe
O4 - HKLM\..\RunServices: [System Stats] SystemStat.exe
O4 - HKLM\..\RunServices: [Win32 USB32 Driver] spoolscv.exe
O4 - HKLM\..\RunOnce: [dlite] dllmanager.exe
O4 - HKLM\..\RunOnce: [Win32 USB32 Driver] spoolscv.exe
O4 - HKLM\..\RunOnce: [WinAC v4] klsuicbn.exe
O4 - HKLM\..\RunOnce: [nternet Explorer] iexplore.exe
O4 - HKLM\..\RunOnce: [MP Services] mpsvc.exe
O4 - HKLM\..\RunOnce: [Microsoft Windows Securety] wurguar.exe
O4 - HKLM\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\RunOnce: [Win32 Firewall Driver] winfw.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [dlite] dllmanager.exe
O4 - HKCU\..\Run: [Yahoo Update] Yahoo.exe
O4 - HKCU\..\Run: [Win32 USB32 Driver] spoolscv.exe
O4 - HKCU\..\Run: [ALTER DATA] c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
O4 - HKCU\..\Run: [WinAC v4] klsuicbn.exe
O4 - HKCU\..\Run: [RealPlayer] RealPlayer.exe
O4 - HKCU\..\Run: [nternet Explorer] iexplore.exe
O4 - HKCU\..\Run: [MP Services] mpsvc.exe
O4 - HKCU\..\Run: [Microsoft Windows Securety] wurguar.exe
O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Win32 Firewall Driver] winfw.exe
O4 - HKCU\..\Run: [Windows Media Player] msass43.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [System Stats] SystemStat.exe
O4 - HKCU\..\RunServices: [ALTER DATA] c:\windows\system32\ccdew\repcale.exe c:\windows\system32\ccdew\beird.exe
O4 - HKCU\..\RunOnce: [WinAC v4] klsuicbn.exe
O4 - HKCU\..\RunOnce: [nternet Explorer] iexplore.exe
O4 - HKCU\..\RunOnce: [MP Services] mpsvc.exe
O4 - HKCU\..\RunOnce: [Microsoft Windows Securety] wurguar.exe
O4 - HKCU\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\RunOnce: [Win32 Firewall Driver] winfw.exe
O4 - HKCU\..\RunOnce: [Win32 USB32 Driver] spoolscv.exe
O4 - HKCU\..\RunOnce: [dlite] dllmanager.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101134429777
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

ps. le cosse sono un attimino migliorate dopo lo scan di panda, ma non molto