problema con virus, trojan, dialer

[mario1982]

ciao a tutti, ho un problema: da diversi giorni sia l'AVG antispyware, sia l'AVG free mi segnalano la presenza di un virus e di un trojan sul mio pc. dopo alcune scansioni sia con spybot, sia con ad-aware con cui mi sembra di eliminare qualcosa, dopo aver fatto girare ccleaner e panda antirootkit, il pc continua a rallentare e a non aprire alcune pagine web. Inoltre panda ActiveScan online mi dà risultati poco confortanti. Ancora, ho notato una cosa strana nel log Hijackthis: tra i HKLM c'è un processo che chiama Office Sturtup(invece di Startup, come dovrebbe essere), con il file osa9.exe... ma mi sembra che questo file non debba essere nella directory dov'è? ho cercato il file, ma non l'ho trovato... devo fixare il processo? Posto log panda AS e hiackthis... chi può mi aiuti per favore, grazie!

Log panda:
Dialer:dialer.min Non Disinfettato HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Ext\Stats\{DB893839-10F0-4AF9-92FA-B23528F530AF}

Virus:Trj/Spammer.ACJ Disinfettato C:\WINDOWS\SYSTEM32\XPDX.SYS
Adware:Adware/Gmter Non Disinfettato C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Temporary Internet Files\Content.IE5\LSH1VL57\popup[1].htm
Spyware:Cookie/888 Non Disinfettato C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@888[2].txt
Spyware:Cookie/Adverserve Non Disinfettato C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@adverserve[1].txt
Spyware:Cookie/ErrorSafe Non Disinfettato C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@www.errorsafe[1].txt
Spyware:Cookie/ErrorSafe Non Disinfettato C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@errorsafe[2].txt
Spyware:Cookie/DriveCleaner Non Disinfettato C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@www.drivecleaner[2].txt
Spyware:Cookie/DriveCleaner Non Disinfettato C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@drivecleaner[2].txt
Spyware:Cookie/DriveCleaner Non Disinfettato C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@stats.drivecleaner[2].txt
Spyware:Cookie/Belnk Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@belnk[1].txt
Spyware:Cookie/Belnk Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@dist.belnk[2].txt
Spyware:Cookie/Hbmediapro Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@adopt.hbmediapro[3].txt
Spyware:Cookie/Atwola Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@atwola[2].txt
Spyware:Cookie/Maxserving Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@maxserving[2].txt
Spyware:Cookie/Research-int Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@research-int[1].txt
Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@cgi-bin[7].txt
Spyware:Cookie/bravenetA Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@bravenet[3].txt
Spyware:Cookie/888 Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@888
[1].txt

Spyware:Cookie/Cassava Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@cassava
[1].txt

Spyware:Cookie/Hbmediapro Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@adopt.hbmediapro
[2].txt

Spyware:Cookie/Xmts Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@xmts
[3].txt

Spyware:Cookie/Xiti Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@xiti
[1].txt

Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@cgi-bin
[14].txt

Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@cgi-bin
[12].txt

Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@cgi-bin
[22].txt

Spyware:Cookie/Adrevolver Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@adrevolver
[2].txt

Spyware:Cookie/Go Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@go
[1].txt

Spyware:Cookie/Adverserve Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@adverserve[1].txt

Spyware:Cookie/Cd Freaks Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@club.cdfreaks[1].txt

Spyware:Cookie/Cd Freaks Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@cdfreaks[2].txt

Spyware:Cookie/bravenetA Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@bravenet
[2].txt

Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@cgi-bin[20].txt

Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@cgi-bin
[16].txt

Spyware:Cookie/Serving-sys Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@serving-sys[1].txt

Spyware:Cookie/Atwola Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@atwola
[1].txt

Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@cgi-bin[25].txt

Spyware:Cookie/Com.com Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@com[1].txt

Spyware:Cookie/Tribalfusion Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@tribalfusion[1].txt

Spyware:Cookie/Humanclick Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@hc2.humanclick[2].txt

Spyware:Cookie/bravenetA Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@bravenet[1].txt

Spyware:Cookie/Serving-sys Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@bs.serving-sys[1].txt
Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Win-Xp\Cookies\win-xp@cgi-bin[5].txt

[mario1982]

Logfile of HijackThis v1.99.1
Scan saved at 16.27.32, on 16/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Acer\eManager\anbmServ.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Arcade\PCMService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.e xe
C:\acer\epm\epm-dm.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\Programmi\Acer\eRecovery\Monitor.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Power Translator 11\LogoMedia TranslateDotNet Server.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Programmi\DAP\DAP.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Win-Xp\Documenti\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Coolstreaming_Tool-Bar_v1.0 toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Coolstreaming_Tool-Bar_v1.0 toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo0.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Coolstreaming_Tool-Bar_v1.0 toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo0.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Programmi\Power Translator 11\Applications\LEC IE Translation Extension.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programmi\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Programmi\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Office SturtUp] C:\WINDOWS\osa9.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe "
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIB EE.EXE /FU "C:\WINDOWS\TEMP\E_SC8.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Programmi\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HELPExpress.lnk = C:\Programmi\HELPExpress\bin\matcli.exe
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{830A095F-2541-434A-9B80-32F772035FEB}: NameServer = 85.37.17.11 85.38.28.69
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.e xe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Programmi\Power Translator 11\LogoMedia TranslateDotNet Server.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

[tecnico24]

no,osa9.exe e leggittimo,e un servizio in esecuzione automatica di microsoft office!!!!non fixarlo per nessun motivo.poi scaricati superantispyware da qui---> www.superantispyware.com aggiornalo alle ultime definizioni e fai uno scan.se non bastasse:
scaricati vundofix. da www.atribune.org/ccount/click.php?id=4
avvialo clicca su scan for vundo
finito lo scan clicca su remove vundo
quando dice di rimuovere i file(infetti,si capisce)digli di si
il desktop diventera bianco(nientepaura) e una volta eliminato i file infetti,riavvia il pc e posta lo scan di vundofix che lo trovi in C:/vundofix.txt ciao e buona foruna.

[mario1982]

Originariamente inviato da tecnico24
no,osa9.exe e leggittimo,e un servizio in esecuzione automatica di microsoft office!!!!non fixarlo per nessun motivo.poi scaricati superantispyware da qui---> www.superantispyware.com aggiornalo alle ultime definizioni e fai uno scan.se non bastasse:
scaricati vundofix. da www.atribune.org/ccount/click.php?id=4
avvialo clicca su scan for vundo
finito lo scan clicca su remove vundo
quando dice di rimuovere i file(infetti,si capisce)digli di si
il desktop diventera bianco(nientepaura) e una volta eliminato i file infetti,riavvia il pc e posta lo scan di vundofix che lo trovi in C:/vundofix.txt ciao e buona foruna.

ho fatto tutto, superantispyware ha trovato solo alcuni tracking cookie e vundofix non ha trovato niente. sarò pulito? farò un'altra scansione con panda...

riguardo osa9.exe, in effetti anch'io sapevo che è un file leggittimo, ma ho letto una cosa qui che mi ha insospettito:

http://www.techspot.com/startup/12845/

in effetti anche nel mio log di HJT il file compare nella directory WINDOWS, e non in Program Files/Microsoft Office...

p.s. assolutamente OT: forza Napoli in A!

[tognazzi]

Originariamente inviato da mario1982
ho fatto tutto, superantispyware ha trovato solo alcuni tracking cookie e vundofix non ha trovato niente. sarò pulito? farò un'altra scansione con panda...
riguardo osa9.exe, in effetti anch'io sapevo che è un file leggittimo, ma ho letto una cosa qui che mi ha insospettito:
http://www.techspot.com/startup/12845/
in effetti anche nel mio log di HJT il file compare nella directory WINDOWS, e non in Program Files/Microsoft Office...
p.s. assolutamente OT: forza Napoli in A!

infatti è un viruz. apri hijackthis, seleziona la voce e clicca su fix checked. non ti preoccupare, perché sono sicuro al 100% che la voce non è legittima.

@tecnico24
osa9.exe non è legittimo perché non si trova nella directory giusta. esistono viruz che hanno esattamente lo stesso nome di file di sistema legittimi ma non si trovano nel percorso legittimo. inoltre
O4 - HKLM\..\Run: [Office SturtUp] C:\WINDOWS\osa9.exe
con l'errore di spelling della "u" al posto di "startup" è un altro chiaro indizio del fatto che si tratta di un file nocivo che cerca di "mimetizzarsi"

[mario1982]

Lo scan on-line kaspersky mi ha trovato diversi file infetti, ma non capisco da quale virus o spyware...

Saturday, June 16, 2007 9:01:52 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 16/06/2007
Kaspersky Anti-Virus database records: 347527


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 63850
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 01:34:59


C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Symantec\LiveUpdate\Log.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Symantec\LiveUpdate\2007-06-16_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Win-Xp\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\~DFE73A.tmp Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\~DF8FF3.tmp Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\~DF192F.tmp Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\~DF6DEB.tmp Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\~WRF2211.tmp Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\~DFFEB6.tmp Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\~WRS2765.tmp Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\~DF2BF.tmp Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\~DFE793.tmp Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\~DFE7A3.tmp Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\~DFB9A8.tmp Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Win-Xp\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Win-Xp\Documenti\biografia adamo.doc Object is locked skipped

C:\Documents and Settings\Win-Xp\Documenti\~WRL3875.tmp Object is locked skipped

C:\Documents and Settings\Win-Xp\Documenti\autenticità sequenze adamo.doc Object is locked skipped

C:\Documents and Settings\Win-Xp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Win-Xp\Dati applicazioni\Microsoft\Modelli\Normal.dot Object is locked skipped

C:\Documents and Settings\Win-Xp\Dati applicazioni\Microsoft\Word\STARTUP\FineReader7.20 03.dot Object is locked skipped

C:\Documents and Settings\Win-Xp\Dati applicazioni\Microsoft\Word\Salvataggio automatico di autenticità sequenze adamo.asd Object is locked skipped

C:\Documents and Settings\Win-Xp\ntuser.dat Object is locked skipped

C:\Programmi\Microsoft Office\OFFICE11\STARTUP\Power Translator.dot Object is locked skipped

C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-06-16.18-28-55.log Object is locked skipped

C:\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

[ste_95]

ma voi li leggete i log delle scansioni?????

panda non ha rimosso nulla....!

@mario:
scarica avenger
aprilo
input script manually
copia e incolla tutto questo:

Files to delete:
C:\mIRC\mirc.exe
C:\WINDOWS\SYSTEM32\XPDX.SYS
C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Temporary Internet Files\Content.IE5\LSH1VL57\popup[1].htm
C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@888[2].txt
C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@adverserve[1].txt
C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@www.errorsafe[1].txt
C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@errorsafe[2].txt
C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@www.drivecleaner[2].txt
C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@drivecleaner[2].txt
C:\Documents and Settings\Win-Xp\Impostazioni locali\Temp\Cookies\win-xp@stats.drivecleaner[2].txt
C:\Documents and Settings\Win-Xp\Cookies\win-xp@belnk[1].txt
C:\Documents and Settings\Win-Xp\Cookies\win-xp@dist.belnk[2].txt
C:\Documents and Settings\Win-Xp\Cookies\win-xp@adopt.hbmediapro[3].txt
C:\Documents and Settings\Win-Xp\Cookies\win-xp@atwola[2].txt
C:\Documents and Settings\Win-Xp\Cookies\win-xp@maxserving[2].txt

poi clicca su done
e poi sul semaforino...
è giusto sto script???

[tognazzi]

C:\mIRC\mirc.exe è legittimo. la dicitura not-a-virus:Client-IRC.Win32.mIRC.616 skipped
mi fa pensare che l'euristica di kaspersky scanner lo consideri una minaccia, ma non deve essere un vero e proprio virus.

C:\WINDOWS\SYSTEM32\XPDX.SYS è un trojan, questo è il problema da eliminare.

[ste_95]

c'è qualcos'altro in quella cartella...?

prova a far scansionare quel file su www.systemscan.it

[amvinfe]

Originariamente inviato da ste_95
c'è qualcos'altro in quella cartella...?

prova a far scansionare quel file su www.systemscan.it

e questo URL da che parte salta fuori???

il driver è sintomo d'infezione dovuta ad una variante di rustock, vengono generati molti servizi.
Scarica http://www.uploads.ejvindh.net/rustbfix.exe e NON connesso e con l'antivirus DISABILITATO, esegui il tool.
Il pc in presenza di infezione si dovrebbe riavviare da solo, può anche succedere che i riavvii possano essere due.