(dalla sezione "software")-> che cos'è il file "slvchost32.exe"?

[vodafone]

ho aperto una discussione nella sezione software chiedendo cosa fosse questo file slvchost32.exe....mi hanno risposto che è un WORM...allora ho deciso di passare qui...sto cercando di rimuoverlo...
ieri infatti avevo la connessione lenta lenta...addirittura ho visto che erano di più i kb inviati che quelli scaritati....ma aprendo il task manager mi appaiono molti files del tipo...svchost.exe (come si può vedere da allegato)...che cosa sono?

[vodafone]

mi ero dimenticato l'allegato

[Habanero]

svchost è un file legittimo di windows che si occupa di lanciare vari servizi. E' normale che ve ne siano più istanze nel task manager (in genere sono 4).

slvchost invece è un trojan...

Vai nel thread link utili dei questo forum scaricati HijackThis e leggiti la guida presente nello stesso thread.

Posta qui il log del programma.

[vodafone]

ecco il log:

Logfile of HijackThis v1.98.2
Scan saved at 14.23.52, on 18/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\McAfee\McAfee VirusScan\VsStat.exe
C:\Programmi\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\McAfee\McAfee VirusScan\Webscanx.exe
C:\Programmi\McAfee\McAfee VirusScan\alogserv.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\slvchost32.exe
C:\Programmi\StopDialers\StopDialer.exe
C:\Programmi\mobile PhoneTools\mPhonetools.exe
C:\Programmi\McAfee\McAfee VirusScan\VsMain.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\oem\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.athena.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Programmi\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Programmi\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [74088686.exe] C:\WINDOWS\System32\74088686.exe
O4 - HKLM\..\Run: [Alogserv] C:\Programmi\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [slvchost] slvchost32.exe
O4 - HKLM\..\RunServices: [slvchost] slvchost32.exe
O4 - HKCU\..\Run: [lycosInside] C:\Programmi\lycos\Lyc_SysTray.exe
O4 - Startup: delcookiexp.cmd
O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mpeg: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.athena.it
O16 - DPF: Interface Chat Voila - http://chat4.x-echo.com/version5/Applet/vchatsign.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...88/mcfscan.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9D3F73B-B6F3-4009-BA04-5B34CD696BA9}: NameServer = 212.245.255.2 212.141.84.12

[amvinfe]

dalla mod provvisoria servendoti di HJT elimina

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Programmi\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Programmi\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [74088686.exe] C:\WINDOWS\System32\74088686.exe
O4 - HKLM\..\Run: [slvchost] slvchost32.exe
O4 - HKLM\..\RunServices: [slvchost] slvchost32.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE (file missing)

sempre dalla provvisoria elimina
C:\WINDOWS\System32\74088686.exe <==il file
slvchost32.exe

Riavvia e fai una scansione online, in Rilievo -links utili- trovi gli indirizzi dove poterla fare, quella della TrendMicro la consiglio.

Riavvia e posta un nuovo log di HJT