[Spyware] WUpd

**Desperado** · 21-02-2005, 19:26

È qualche giorno che il mio PC domestico è invaso da uno spyware di nome WUpd che il mio fido Panda Platinum Internet Security mi trova ed elimina... Il problema è che in realtà non lo debella affatto, tornando in auge ogni 2/3 minuti. Ho provato a far girare HiJackThis (rimuovendo le chiavi perigliose), AdAware e suddetto antivirus sia in modalità "normale", sia in modalità provvisioria, ma non sono serviti a nulla... Questo maledetto spyware continua a rompere...
Ho provato anche a seguire le istruzioni indicate qua, ma senza successo, poichè delle chiavi di regstro indicate sul sito non c'è traccia nel mio...
Qualcuno ha già avuto a che fare con questo maleficio e può darmi una mano??? Grazie mille!!!

**Desperado** · 22-02-2005, 08:48

Uppete...

**amvinfe** · 22-02-2005, 10:40

posta il log di HJT

**Desperado** · 22-02-2005, 17:53

Appena arrivo a casa provvedo...

**Desperado** · 23-02-2005, 01:17

Logfile of HijackThis v1.99.1
Scan saved at 0.30.43, on 23/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Panda Software\Panda Platinum Internet Security\PaSSrv.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Panda Software\Panda Platinum Internet Security\PavFnSvr.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\pavprot.exe
C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\Prevsrv.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
C:\Programmi\Panda Software\Panda Platinum Internet Security\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Programmi\Google\Gmail Notifier\gnotify.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\WebProxy.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\avciman.exe
C:\Documents and Settings\Driuk\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fbd0f0d6f03a53942eabd594578b9786\update\update. exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programmi\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Programmi\Panda Software\Panda Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Programmi\Panda Software\Panda Platinum Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [*windows update] wscxt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1108943171406
O20 - AppInit_DLLs: PAVWAIT.DLL
O23 - Service: *Microsoft Update - Unknown owner - C:\WINDOWS\System32\wstcl.exe (file missing)
O23 - Service: *windows update - Unknown owner - C:\WINDOWS\System32\wscxt.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - C:\Programmi\Panda Software\Panda Platinum Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Programmi\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
O23 - Service: Panda PAVFNSVR (PAVFNSVR) - Panda Software - C:\Programmi\Panda Software\Panda Platinum Internet Security\PavFnSvr.exe
O23 - Service: Panda PAVPROT (PAVPROT) - Panda Software - C:\Programmi\Panda Software\Panda Platinum Internet Security\pavprot.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programmi\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Programmi\Panda Software\Panda Platinum Internet Security\Prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Programmi\Panda Software\Panda Platinum Internet Security\PsImSvc.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe

**amvinfe** · 23-02-2005, 12:05

apri HJT fai lo scan, metti la spunta ai valori clicca su Fix checked:

O4 - HKCU\..\Run: [*windows update] wscxt.exe
O23 - Service: *Microsoft Update - Unknown owner - C:\WINDOWS\System32\wstcl.exe (file missing)
O23 - Service: *windows update - Unknown owner - C:\WINDOWS\System32\wscxt.exe (file missing)

riavvia in mod. provvisoria cerca ed elimina il file
wscxt.exe
se non lo trovi potrebbe avere l'attributo nascosto quindi apri una qualsiasi cartella
Clicca su "Visualizza"
Clicca su "Opzioni Cartella"
Clicca su "Visualizza"
Clicca su "Mostra Tutti i files"
Clicca su "Applica"
Clicca su "Ok"
una volta che hai verificato la presenza o meno del file rimetti la spunta su Nascondi files di sistema, Applica e OK.

Riavvia.

Fai una scansione online,
http://www.bitdefender.com/scan/license.php
riavvia, posta un nuovo log

**Desperado** · 23-02-2005, 12:25

Domandona: che è sto file wscxt.exe???

**amvinfe** · 23-02-2005, 15:29

backdoor Rbot

**Desperado** · 24-02-2005, 11:55

Cercando il file WSCXT.EXE ho trovato solo questo...

Che è???
è il file incriminato???

**Desperado** · 24-02-2005, 12:56

Logfile of HijackThis v1.99.1
Scan saved at 11.55.02, on 24/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Panda Software\Panda Platinum Internet Security\PaSSrv.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\PavFnSvr.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\pavprot.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\Prevsrv.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\PsImSvc.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Programmi\Google\Gmail Notifier\gnotify.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Programmi\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
C:\Programmi\Panda Software\Panda Platinum Internet Security\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Driuk\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programmi\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Programmi\Panda Software\Panda Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Programmi\Panda Software\Panda Platinum Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1108943171406
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O20 - AppInit_DLLs: PAVWAIT.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - C:\Programmi\Panda Software\Panda Platinum Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Programmi\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
O23 - Service: Panda PAVFNSVR (PAVFNSVR) - Panda Software - C:\Programmi\Panda Software\Panda Platinum Internet Security\PavFnSvr.exe
O23 - Service: Panda PAVPROT (PAVPROT) - Panda Software - C:\Programmi\Panda Software\Panda Platinum Internet Security\pavprot.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programmi\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Programmi\Panda Software\Panda Platinum Internet Security\Prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Programmi\Panda Software\Panda Platinum Internet Security\PsImSvc.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe

Discussione: [Spyware] WUpd

Strumenti discussione

Ricerca discussione

Visualizza

[Spyware] WUpd

Permessi di invio