
Thread: Pioc1.exe

  1. #1

    Pioc1.exe

    Guys, I have a file that places itself in
    c:\windows\temp\pioc1.exe

    The antivirus programs don't find it;
    I just cleaned the PC (post) but nothing came of it.

    Every so often it appears and knocks down my ADSL connection by trying to create another connection.
    I remove it from the RUN entries in the registry, but then it starts again.
    On top of that I can't kill the process, not even with the Sysinternals tools.

    Attaching the HijackThis log

    ===

    Logfile of HijackThis v1.99.1
    Scan saved at 0.54.02, on 03/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Utility\AvgFree\avgamsvr.exe
    C:\PROGRA~1\Utility\AvgFree\avgupsvc.exe
    C:\PROGRA~1\Utility\AvgFree\avgemc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
    C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\Utility\AvgFree\avgcc.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\driver\MediaKey\MediaKey.EXE
    C:\driver\A4Tech\Mouse\Amoumain.exe
    C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Internet\DynDNS\DynDNS.exe
    C:\Programmi\Internet\Free Download Manager\fdm.exe
    C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Programmi\Internet\eMule\emule.exe
    C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\VEXPLITE\viritsvc.exe
    C:\Programmi\UltraVNC\WinVNC.exe
    C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
    C:\Programmi\Macromedia\Dreamweaver 8\Dreamweaver.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\Programmi\Macromedia\Fireworks 8\Fireworks.exe
    C:\Programmi\Utility\ProcessExplorerNt\procexp.exe
    C:\Programmi\Utility\ProcessExplorerNt\procexp.exe
    C:\Programmi\Utility\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O1 - Hosts: 207.44.196.219 auto.search.msn.com #NETVISION
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Programmi\Internet\Free Download Manager\iefdmcks.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Utility\AvgFree\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MediaKey] C:\driver\MediaKey\MediaKey.EXE
    O4 - HKLM\..\Run: [WheelMouse] C:\driver\A4Tech\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Programmi\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
    O4 - HKLM\..\Run: [pioc1.exe] C:\WINDOWS\Temp\pioc1.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DynDNS Updater] "C:\Programmi\Internet\DynDNS\DynDNS.exe"
    O4 - HKCU\..\Run: [Free Download Manager] C:\Programmi\Internet\Free Download Manager\fdm.exe -autorun
    O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\Internet\eMule\emule.exe -AutoStart
    O4 - Startup: Gestione servizi.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Gestione servizi.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Programmi\Internet\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Programmi\Internet\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Programmi\Internet\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A425B20-80B0-41C2-BD69-A100BC020DC5}: NameServer = 212.247.156.66 212.247.156.70
    O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Utility\AvgFree\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Utility\AvgFree\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Utility\AvgFree\avgemc.exe
    O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
    O23 - Service: ColdFusion MX 7 ODBC Agent - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swagent.exe
    O23 - Service: ColdFusion MX 7 ODBC Server - Unknown owner - C:\CFusionMX7\db\slserver54\bin\swstrtr.exe
    O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NetGwy - Unknown owner - C:\Programmi\File comuni\System\OZj.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programmi\UltraVNC\WinVNC.exe" -service (file missing)

  2. #2
    holifay (HTML.it user, registered May 2005, 1,330 posts)
    follow these instructions carefully: http://forum.html.it/forum/showthrea...readid=1046884
    Think you have an infected file? Send it to SuspectFile

  3. #3
    I wrote precisely because, after following those instructions, on reboot it was still a mess of viruses.
    I need to re-read this more carefully:
    http://www.suspectfile.com/forum/viewtopic.php?p=1675
    anyway, these are things I have already done.

    Now I've cleaned up a few more little things with HijackThis and scanned with AVG, which found
    "trojan horse Generic2.GAI"
    it's the never-ending story...

    Reposting the new HijackThis log, thanks!
    p.s.: I can't remove the last two HijackThis entries
    ===
    Logfile of HijackThis v1.99.1
    Scan saved at 14.00.37, on 03/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Utility\AvgFree\avgamsvr.exe
    C:\PROGRA~1\Utility\AvgFree\avgupsvc.exe
    C:\PROGRA~1\Utility\AvgFree\avgemc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
    C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\Utility\AvgFree\avgcc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\driver\MediaKey\MediaKey.EXE
    C:\driver\A4Tech\Mouse\Amoumain.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Internet\DynDNS\DynDNS.exe
    C:\Programmi\Internet\Free Download Manager\fdm.exe
    C:\Programmi\Internet\eMule\emule.exe
    C:\PROGRA~1\Utility\AvgFree\avgwb.dat
    C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\Programmi\UltraVNC\winvnc.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Programmi\Utility\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O1 - Hosts: 207.44.196.219 auto.search.msn.com #NETVISION
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Utility\AvgFree\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MediaKey] C:\driver\MediaKey\MediaKey.EXE
    O4 - HKLM\..\Run: [WheelMouse] C:\driver\A4Tech\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Programmi\UltraVNC\winvnc.exe" -servicehelper
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DynDNS Updater] "C:\Programmi\Internet\DynDNS\DynDNS.exe"
    O4 - HKCU\..\Run: [Free Download Manager] C:\Programmi\Internet\Free Download Manager\fdm.exe -autorun
    O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\Internet\eMule\emule.exe -AutoStart
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Programmi\Internet\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Programmi\Internet\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Programmi\Internet\Free Download Manager\dllink.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A425B20-80B0-41C2-BD69-A100BC020DC5}: NameServer = 212.247.156.66 212.247.156.70
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Utility\AvgFree\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Utility\AvgFree\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Utility\AvgFree\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programmi\UltraVNC\winvnc.exe" -service (file missing)

  4. #4
    holifay (HTML.it user, registered May 2005, 1,330 posts)
    Look, you have practically solved it; you only have the leftover of the NetVision dialer to remove:

    O1 - Hosts: 207.44.196.219 auto.search.msn.com #NETVISION


    I'd still recommend an online antivirus scan, for example this one: http://security.symantec.com When you run it, temporarily disable AVG.

    For the O23 entries it is more effective to do it from DOS:
    sc stop viritsvclite
    sc disable viritsvclite (to disable it)
    sc delete viritsvclite (to delete it)
    sc stop winvnc
    sc disable winvnc (to disable it)
    sc delete winvnc (to delete it)

    if you disable winvnc, then also remove this from startup
    O4 - HKLM\..\Run: [WinVNC] "C:\Programmi\UltraVNC\winvnc.exe" -servicehelper
    Think you have an infected file? Send it to SuspectFile
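As an added illustration (not code from this thread, from HijackThis or from the forum), a small Python triage of the log entry types the thread turns on: the O4 Run entry pointing into C:\WINDOWS\Temp (post #1), the O1 hosts redirect and the O23 services with no recognisable owner (post #4); it also extracts the service short name that the `sc stop` / `sc delete` commands in post #4 take. The sample lines are constructed from the kinds of entries in the logs above, and the suspicious-directory and domain lists are assumptions chosen for the example.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, built from the kinds of
# entries posted in this thread (not the complete logs).
SAMPLE_LOG = """\
O1 - Hosts: 207.44.196.219 auto.search.msn.com #NETVISION
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Utility\\AvgFree\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [pioc1.exe] C:\\WINDOWS\\Temp\\pioc1.exe
O23 - Service: NetGwy - Unknown owner - C:\\Programmi\\File comuni\\System\\OZj.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Assumed lists: autostarts living here deserve a look (the pioc1.exe case),
# and a legitimate hosts file has no reason to pin these domains to an address.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\recycler\\")
HIJACK_TARGETS = ("msn.com", "google.com", "windowsupdate.com")

LINE_RE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")

def triage(log_text):
    """Return (section, reason, line) for every entry worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        lower = body.lower()
        if section == "O1" and any(h in lower for h in HIJACK_TARGETS):
            findings.append((section, "hosts-file redirect of a well-known domain", raw))
        elif section == "O4" and any(d in lower for d in SUSPICIOUS_DIRS):
            findings.append((section, "autostart runs from a temp directory", raw))
        elif section == "O23" and "unknown owner" in lower:
            findings.append((section, "service with unknown owner", raw))
    return findings

def parse_service(line):
    """Split an O23 line into (display name, short name, owner, path).
    The short name is what `sc stop` / `sc delete` expect; HijackThis prints
    it in parentheses and omits it when it equals the display name."""
    body = line.split("O23 - Service: ", 1)[1]
    name, owner, path = body.split(" - ", 2)
    m = re.match(r"^(.*) \(([^()]+)\)$", name)
    display, short = (m.group(1), m.group(2)) if m else (name, name)
    return display, short, owner, path

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```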

  5. #5
    Great, thanks. I didn't want to remove VNC Server; it's just that the HijackThis log showed it as missing and I don't understand why.

    Thanks again

  6. #6
    holifay (HTML.it user, registered May 2005, 1,330 posts)
    don't pay too much attention to the (file missing) notes from HijackThis, it sometimes gets things wrong
    Think you have an infected file? Send it to SuspectFile
