credo sia un trojan: 2E.tmp

[OYS]

Originariamente inviato da idioteque.it
già, il fatto purtroppo è proprio questo. sto cercando qualche tool per rimuoverlo ma non ne trovo

Se quando cerchi di eliminarlo ti esce fuori : "Impossibile eliminare rpcc.dll: accesso negato" allora vuol dire che un processo (visibile con task manager windows) sta operando con quella dll... Se vedi qualche processo strano allora interrompilo...altrimenti cerca i processi su google...

[idioteque.it]

sono ancora in lotta

ecco il nuovo log di hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 1.26.01, on 17/02/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\FBM Software\ZeroSpyware\FileDeleter.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wmsv.exe
C:\WINDOWS\System32\dslagent.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\QuickTime\bak\qttask.exe
C:\Programmi\Java\jre1.5.0_06\bin\bak\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\programmi\internet explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Programmi\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ZSScheduler] RunDll32.exe "C:\Programmi\FBM Software\ZeroSpyware\ZSScheduler.dll", runScheduler C:\Programmi\FBM Software\ZeroSpyware\
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Programmi\GetRight\getright.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135429397732
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9541C64-377F-4DFC-A01A-85DD433DE7B5}: NameServer = 85.255.116.87 85.255.112.174
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Disk Indexing Service (DiSVC) - Unknown owner - C:\WINDOWS\system32\disvc.exe (file missing)
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBMSoftware - C:\Programmi\FBM Software\ZeroSpyware\FileDeleter.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Microsoft Windows Software Update Service (mswsus) - Unknown owner - C:\WINDOWS\System32\mswsus.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Protocol Deployment Manager (PDM) - Unknown owner - C:\WINDOWS\system32\2E.tmp (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

[OYS]

Non riesci a eliminare manualmente questi?:

C:\WINDOWS\System32\mswsus.exe

C:\WINDOWS\system32\wmsv.exe

C:\WINDOWS\System32\rpcc.dll

[idioteque.it]

il secondo sì, però ogni volta si rigenera

gli altri due invece non mi appaiono

[OYS]

Originariamente inviato da idioteque.it
il secondo sì, però ogni volta si rigenera

gli altri due invece non mi appaiono

Prova in modalità provvisoria disabilitando il ripristino configurazione di sistema: start
->tasto destro su risorse computer->propietà-> ripristino configurazione sistema->disattiva

Se no prova a fare delle scansioni antivirus incentrate su quella cartella...

[idioteque.it]

alcuni file sono riuscito a debellarli. altri si rigenerano. ennesimo log hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 3.21.30, on 18/02/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\FBM Software\ZeroSpyware\FileDeleter.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wmsv.exe
C:\WINDOWS\System32\dslagent.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\QuickTime\bak\qttask.exe
C:\Programmi\Java\jre1.5.0_06\bin\bak\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Programmi\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ZSScheduler] RunDll32.exe "C:\Programmi\FBM Software\ZeroSpyware\ZSScheduler.dll", runScheduler C:\Programmi\FBM Software\ZeroSpyware\
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135429397732
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9541C64-377F-4DFC-A01A-85DD433DE7B5}: NameServer = 85.255.116.87 85.255.112.174
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Disk Indexing Service (DiSVC) - Unknown owner - C:\WINDOWS\system32\disvc.exe
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBMSoftware - C:\Programmi\FBM Software\ZeroSpyware\FileDeleter.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Microsoft Windows Software Update Service (mswsus) - Unknown owner - C:\WINDOWS\System32\mswsus.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Protocol Deployment Manager (PDM) - Unknown owner - C:\WINDOWS\system32\2E.tmp (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

[OYS]

Il problema forse sono questi ip (non fanno parte del tuo provider quindi se non li conosci eliminali):

O17 - HKLM\System\CCS\Services\Tcpip\..\{D9541C64-377F-4DFC-A01A-85DD433DE7B5}: NameServer = 85.255.116.87 85.255.112.174

O23 - Service: Disk Indexing Service (DiSVC) - Unknown owner - C:\WINDOWS\system32\disvc.exe



Per quelli in precedenza è rimasto solo questo attivo:

C:\WINDOWS\system32\wmsv.exe


Scaricati questo che forse riuscirà a rimuoverli:http://info.prevx.com/downloadremove.asp?mlw=DISVC.EXE

[idioteque.it]

ho scaricato prevx1 ma non riesco ad installarlo. arriva all'81% e si blocca.

poi quando riavvia il computer dice "unable to start Prevx service. your machine is not protected. impossibile avviare il servizio. il servizio è disabilitato oppure non è associato a nessuna periferica"

[OYS]

Originariamente inviato da idioteque.it
ho scaricato prevx1 ma non riesco ad installarlo. arriva all'81% e si blocca.

poi quando riavvia il computer dice "unable to start Prevx service. your machine is not protected. impossibile avviare il servizio. il servizio è disabilitato oppure non è associato a nessuna periferica"

Strano a me non fa così...
Cmq forse la soluzione potrebbe essere: quando sei in modalità provvisoria disattiva il ripristino configurazione di sistema (start--> tasto destro su risorse del computer-->propietà-->ripristino configurazione-->disattiva) e a quel punto cancelli i file che non riuscivi a eliminare...

[idioteque.it]

alla fine più o meno ce l'ho fatta.
il grosso dei problemi l'ho eliminato, grazie soprattutto al programma VirIT, davvero molto efficace.

OYS, grazie dei consigli e di tutta la pazienza che hai avuto a rispondermi ogni volta