  1. #1

    Infested with Trojan.small Trojan.agent

    Hello,
    as the title says, I can't get the above-mentioned trojans off my PC; can you help me? The HijackThis file follows.

    Logfile of HijackThis v1.99.1
    Scan saved at 17.21.05, on 04/12/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Programmi\Logitech\MouseWare\system\em_exec.exe
    C:\Programmi\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Lomba\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {163A402E-6A82-436D-9B57-6D5E866EC2AB} - (no file)
    O2 - BHO: (no name) - {18725C05-011D-4D18-90CE-F62B03D1A3CA} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {194D6466-7707-466A-A345-1F7C9D2DB25D} - (no file)
    O2 - BHO: (no name) - {1E941FB2-A761-4744-A75F-31367767D7FA} - (no file)
    O2 - BHO: (no name) - {20F3BBD2-CB98-4C6B-A895-7EA60FA56FF6} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {22D13381-6894-4215-921F-014472D607A4} - (no file)
    O2 - BHO: (no name) - {248E19D4-E819-4F82-B996-1A55E7280D64} - (no file)
    O2 - BHO: (no name) - {27CAFEC0-9B6D-4C28-B213-CD6EFA1CB36D} - (no file)
    O2 - BHO: (no name) - {28F7C6A4-62A3-47A9-93E4-DC973085DB4F} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {37BDF91C-331A-4BA4-8375-92F27D8F4FC1} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {38D0BF98-910F-4E38-890B-96815B82FFBB} - (no file)
    O2 - BHO: (no name) - {3AAC3CB9-FCC1-484A-AC00-DBF1698A1F72} - (no file)
    O2 - BHO: (no name) - {3C39C496-2D80-4F42-AB1D-CF05B55994C9} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {407B22C9-C725-48C7-A16D-FA46E1CA41F9} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {460466C3-CC83-478F-AA3C-EECD49D3BF3A} - (no file)
    O2 - BHO: (no name) - {50F9AD6D-9EF1-457D-B5B7-99B724E46DBE} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {52A1F6E6-C129-4492-83A4-9EAA12D65F44} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5F401C5F-0A31-4D7C-9CA1-AF7089272D61} - (no file)
    O2 - BHO: (no name) - {66B69622-7E64-480D-994B-3A431C0C7DE6} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {6887FBC7-5BB6-4A02-970A-B8A2249F760D} - (no file)
    O2 - BHO: (no name) - {7096F78E-863A-4399-99B0-DB65FAED1FF4} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {748D1204-DCE0-4933-8D91-3824F410BAAC} - (no file)
    O2 - BHO: (no name) - {7D3DBB69-8D6A-4310-AF91-A4892E20CD53} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {7E4D8F52-746E-48EF-A986-3C9D00F9FF3D} - (no file)
    O2 - BHO: (no name) - {82643A4E-70B9-4B48-9E8A-ACA77339D719} - (no file)
    O2 - BHO: (no name) - {8461125C-8C06-4ED3-9DDA-F1F2E80146E4} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {8D606FE5-5798-4FCA-A4C3-EBA57B0D4F2D} - (no file)
    O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\System32\wvusstu.dll
    O2 - BHO: (no name) - {8EF29372-DEDD-4735-B7D0-DD3F95F44312} - (no file)
    O2 - BHO: (no name) - {9124800C-1D1B-438F-A55B-DDE3D4FCB641} - (no file)
    O2 - BHO: (no name) - {AD67EECE-7405-41B5-BFFD-64233BC0D9D5} - (no file)
    O2 - BHO: (no name) - {B21066D7-3EB1-4AF2-A0E1-2F1777E860CB} - (no file)
    O2 - BHO: (no name) - {B447F8D9-B72E-4EBC-8FA4-08855A854528} - (no file)
    O2 - BHO: (no name) - {B4B67244-76CC-4520-BDB8-B7E1C116A36E} - (no file)
    O2 - BHO: (no name) - {C47CD3CD-004D-4494-8F56-B5D99D3B227C} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {C920DAA8-3853-4488-AE9C-2FFB14F13511} - (no file)
    O2 - BHO: (no name) - {CA6299F1-E25A-44FF-92A6-DF5BF3EC9639} - (no file)
    O2 - BHO: (no name) - {CB2E63C8-8CDD-4374-8277-770101711FA5} - (no file)
    O2 - BHO: (no name) - {D50E35EE-F4ED-4ED2-87AA-D9D4A16ACA77} - (no file)
    O2 - BHO: (no name) - {D5F20E87-F5D8-49CE-AEDB-1CBF2C5EB06E} - (no file)
    O2 - BHO: (no name) - {DB73557F-E726-4069-9682-C504DBCFF20D} - (no file)
    O2 - BHO: (no name) - {E8089A1D-114F-4342-B79A-63FBD56701FF} - (no file)
    O2 - BHO: (no name) - {E950ACD0-937E-449E-B0FE-F382E1999158} - (no file)
    O2 - BHO: (no name) - {E9E62A31-218D-4EEF-A69E-A62C30A3D114} - (no file)
    O2 - BHO: (no name) - {F37FA342-7EF0-4EC0-B85F-57C24ABD51C9} - (no file)
    O2 - BHO: (no name) - {F54230D4-AA6D-45F4-A1D0-D5F87D416C99} - (no file)
    O2 - BHO: (no name) - {F55CCEE3-16E0-4897-8141-B4E343239CF3} - (no file)
    O2 - BHO: (no name) - {F58C6547-B459-4AED-8F44-EE3BC60F5D0B} - (no file)
    O2 - BHO: (no name) - {FDAC7499-1FA9-4786-AB89-8894AF0F0620} - (no file)
    O2 - BHO: (no name) - {FDC484A1-5931-4BEE-A491-7930B4D4720F} - [SASInprocServer32] (file missing)
    O2 - BHO: (no name) - {FF94D466-F59C-40DA-B13F-2134A5C17C42} - (no file)
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [AntiSpywareBot] C:\Programmi\AntiSpywareBot\AntiSpywareBot.exe -boot
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Programmi\PokerStars.NET\PokerStarsUpdate.exe
    O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: opnklij - C:\WINDOWS\
    O20 - Winlogon Notify: pyvkizux - pyvkizux.dll (file missing)
    O20 - Winlogon Notify: wvusstu - C:\WINDOWS\SYSTEM32\wvusstu.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe

  2. #2
    I ran an online analysis of the HijackThis log and removed the useless entries.
    This is the new file.

    Logfile of HijackThis v1.99.1
    Scan saved at 17.38.51, on 04/12/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Programmi\Logitech\MouseWare\system\em_exec.exe
    C:\Programmi\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Lomba\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [AntiSpywareBot] C:\Programmi\AntiSpywareBot\AntiSpywareBot.exe -boot
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Programmi\PokerStars.NET\PokerStarsUpdate.exe
    O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe

  3. #3
    So far the only tool that detects the trojans is Ad-Aware, but if I try to fix them, the PC goes to a very worrying blue screen, after which all I can do is reboot.

  4. #4
    HTML.it user OYS (registered Apr 2006, 3,142 posts)
    There are many variants of this trojan... Do you know which file (or registry key) is affected by the virus (which one does Ad-Aware report)?

    Fix this one:

    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

  5. #5
    The file Ad-Aware refers to is c:\windows\system32\wvusstu.dll

    I fixed the entry you told me about with HijackThis.

    Spybot S&D TeaTimer windows keep popping up, saying: Category: Browser helper object - Change: value added - Entry: a registry key that changes every time I deny the changes.

  6. #6
    This is the HijackThis log after a reboot, in safe mode.
    The svchost.exe in Fonts always reappears, and the same goes for
    O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\SYSTEM32\wvusstu.dll
    O20 - Winlogon Notify: wvusstu - C:\WINDOWS\SYSTEM32\wvusstu.dll

    Logfile of HijackThis v1.99.1
    Scan saved at 19.38.35, on 04/12/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Lomba\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\SYSTEM32\wvusstu.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: wvusstu - C:\WINDOWS\SYSTEM32\wvusstu.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
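
A triage sketch for the two observations in post #6, added here as an example and not written by anyone in the thread: it flags a Run entry that uses a Windows system process name from an unexpected folder, and a DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20). The function names, the `SYSTEM_DIRS` table and the two heuristics are assumptions for illustration, not HijackThis's own logic.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the logs in this thread
# (safe-mode log of post #6, plus Run/Notify lines from the first log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\SYSTEM32\wvusstu.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: wvusstu - C:\WINDOWS\SYSTEM32\wvusstu.dll
"""

# "O4 - ...", "R0 - ...": section code, separator, free-form remainder.
ENTRY = re.compile(r"^(O\d+|[RFN]\d) - (.*)$")
# First absolute path ending in .exe/.dll (quotes and trailing arguments excluded).
PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))\b', re.I)

# Assumed table: where these Windows XP process names normally live.
SYSTEM_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def parse(log):
    """Return (section, text) pairs for every HijackThis entry line."""
    entries = []
    for line in log.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(log):
    """Return (finding, lower-cased path) tuples worth a closer look."""
    findings = []
    loaders = defaultdict(set)  # DLL path -> sections that load it
    for section, text in parse(log):
        match = PATH.search(text)
        if not match:
            continue
        path = match.group(1).lower()
        folder, _, name = path.rpartition("\\")
        # Autostart entry borrowing a system process name from the wrong folder.
        if section == "O4" and name in SYSTEM_DIRS and folder != SYSTEM_DIRS[name]:
            findings.append(("system-name-wrong-dir", path))
        if section in ("O2", "O20") and name.endswith(".dll"):
            loaders[path].add(section)
    # Same DLL loaded by Internet Explorer (BHO) and by winlogon.exe (Notify).
    for path, sections in sorted(loaders.items()):
        if sections == {"O2", "O20"}:
            findings.append(("bho-and-winlogon-notify", path))
    return findings


if __name__ == "__main__":
    for finding, path in triage(SAMPLE_LOG):
        print(finding, path)
```

A finding is a prompt to verify the file (signature, hash, vendor), not a verdict; legitimate software can also register the same DLL in more than one place.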

  7. #7
    HTML.it user OYS (registered Apr 2006, 3,142 posts)
    That file makes me think of the Vundo trojan...

    1) Download http://swandog46.geekstogo.com/avenger.zip

    Click on "input script manually" and then on the magnifying glass.
    In the white area, copy and paste these three blue lines:

    files to delete:
    C:\WINDOWS\SYSTEM32\wvusstu.dll
    C:\WINDOWS\Fonts\svchost.exe

    Click on Done.
    Then click on the traffic light with the green light.
    Answer yes twice; the PC will reboot, and when it comes back up post the Avenger log (C:/avenger.txt).

    2) Run a scan with FixVundo & VundoFix

  8. #8
    Thanks for the help so far, OYS.
    Here is the log.

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\csddhoab

    *******************

    Script file located at: \??\C:\WINDOWS\rknubunr.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\SYSTEM32\wvusstu.dll deleted successfully.
    File C:\WINDOWS\Fonts\svchost.exe deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

  9. #9
    FixVundo did not find any virus.
    VundoFix found 3 .dll files, which it removed.

    This is the new HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 0.22.11, on 05/12/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    C:\VEXPLITE\MONLITE.EXE
    C:\Programmi\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Programmi\MSN Messenger\msnmsgr.exe
    C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Programmi\MSN Messenger\livecall.exe
    C:\Programmi\MSN Messenger\usnsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\VEXPLITE\VIRITEXP.EXE
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Lomba\Desktop\VundoFix.exe
    C:\Documents and Settings\Lomba\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe

  10. #10
    At Windows startup, VirIT reports this program as set to run automatically,

    c:\windows\system32\DDCYV.dll
