VIRUS! RRRAR.EXE cosa fare?

[jane]

salve a tutti. ho scaricato adobe photoshop cs3 da emule e istallato. poi l'ho cancellato, ma è rimasto un processo denominato rrrar.exe.
questo parte quando sono connesso e per 5 minuti mi porta la cpu a 100% e in questo lasso di tempo è impossibile far partire hijackthis. quando finalmente riprendo il controllo del pc, rrrar.exe non c'è più.
ho fatto l'analisi del file su www.virusscan.com e l'unico antivirus che lo ricnosce è virusbuster che però è una demo per 30gg. ora l'ho installato e il problema non si verifica più, ma quando fra 20gg scadrà la prova sarò perduto!
ho installato kaspersky internet security, ma lui non conosce il processo...
come fare?
grazie

[ste_95]

magar provare a cancellare il file.....

posta anche un log di hijackthis appena te ne è concesso l'accesso....

[jane]

il file si crea da solo in c:\windows, anche dopo che lo cancello...
ti riporto il log di hijack
grazie ciao

Logfile of HijackThis v1.99.1
Scan saved at 18.34.21, on 10/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\acer\Acer eConsole\MediaServerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
C:\Programmi\Spyware Doctor\sdhelp.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\PROGRA~1\VIRUSB~1\Bin\vbcmserv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Acer\Acer eMode Management\AspireService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\PROGRA~1\VIRUSB~1\Bin\vbsystry.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\Creative\MediaSource\Detector\CTDetec t.exe
C:\Programmi\Spyware Doctor\swdoctor.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe
C:\Programmi\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\file scaricati\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar4.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Programmi\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AspireService] C:\Programmi\Acer\Acer eMode Management\AspireService.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb1 0.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Office SturtUp] osa9.exe
O4 - HKLM\..\Run: [gfxtray] rundll32 ctccw32.dll,findwnd
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VIRUSB~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VIRUSB~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [kis] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Programmi\Creative\MediaSource\Detector\CTDetec t.exe /R
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ZDWlan.lnk = ?
O8 - Extra context menu item: Aggiungi a Kaspersky Anti-Banner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1169737730937
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by131fd.bay131.hotmail.msn.co...x/HMAtchmt.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15021/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Programmi\acer\Acer eConsole\MediaServerService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VirusBuster Component Manager Service (VBCompManService) - VirusBuster Kft. - C:\PROGRA~1\VIRUSB~1\Bin\vbcmserv.exe

[ste_95]

per me il log è pulito...non c'è traccia di malware...

[jane]

lo so ti ho detto che scompare dopo un po...quando hijackpuò partire, rrrar.exe è già scomparso

[ste_95]

dacci il percorso del file....

[Habanero]

1) su questo forum non è permesso di parlare di software scaricato illegalmente.... e Photoshop CS3 non è propriamente distribuibile in modo libero. Leggi le regole del forum poste in rilievo per favore.

2) questa voce non mi piace molto:
O4 - HKLM\..\Run: [gfxtray] rundll32 ctccw32.dll,findwnd

prova ad individuare il file ctccw32.dll e fallo analizzare da
http://www.virustotal.com/

Io comunque sarei per eliminarla.


Facci sapere il responso di virustotal.

[jane]

scusate se ho infranto le regole del forum...
il file rrrar.exe si forma in c:\windows\
per quanto riguarda il file ctccw32.dll (che si trova in c:\window\system32, virustotal.com ha trovato questi risultati:

AntiVir 7.4.0.32 06.15.2007 TR/Drop.Agen.ru.2.A
DrWeb 4.33 06.15.2007 BackDoor.IRC.Mishko
Fortinet 2.85.0.0 06.15.2007 W32/Malicious.C5C4!tr
Panda 9.0.0.4 06.15.2007 Trj/Downloader.OMF
Webwasher-Gateway 6.0.1 06.15.2007 Trojan.Drop.Agen.ru.2.A
VBA32 3.12.0.2 06.14.2007 BackDoor.IRC.Mishko
Webwasher-Gateway 6.0.1 06.15.2007 Trojan.Drop.Agen.ru.2.A



grazie e scusate ancora per l'infrazione (posso togliere/modificare il testo originale?)

[RisingTrigger]

per quanto rigurda il tuo log ..... controllerei
C:\PROGRA~1\VIRUSB~1\Bin\vbsystry.exe mi sebra non tanto pulito

C:\Programmi\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe molto probabilmente .......... come dire .. sto programmino non mi ispira molto se non lo conosci controllalo per benino ...

O4 - HKLM\..\Run: [gfxtray] rundll32 ctccw32.dll,findwnd non mi ispira controlla
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VIRUSB~1\Bin\vbsystry.exe idem
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VIRUSB~1\Bin\avltd.exe" idem



tt il resto mi sembra ok ....

[jane]

Originariamente inviato da RisingTrigger
per quanto rigurda il tuo log ..... controllerei
C:\PROGRA~1\VIRUSB~1\Bin\vbsystry.exe mi sebra non tanto pulito

C:\Programmi\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe molto probabilmente .......... come dire .. sto programmino non mi ispira molto se non lo conosci controllalo per benino ...

O4 - HKLM\..\Run: [gfxtray] rundll32 ctccw32.dll,findwnd non mi ispira controlla
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VIRUSB~1\Bin\vbsystry.exe idem
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VIRUSB~1\Bin\avltd.exe" idem

grazie. virusbuster è l'unico antivirus che riesce a bloccare rrrar.exe e sono quindi tranquillo. per quanto riguarda ZyDAS...ZDWlan è il mio programma che controlla il ricevitore wireless del router... tutto tranquillo su questo fronte...