Cavallo di troia "Bastardo dentro"

**caztello** · 16-11-2006, 16:07

Dopo aver letto ed eseguito, per quel che mi è possibile, i punti 1-2-3 della "Gui.da rimozione......"in rilievo, purtroppo il mio problema rimane irrisolto.

In particolare:
1)Ad ogni connessione internet, il computer si riavvia (visto scrivendo da un'altro terminale)
2)Ad ogni riavvio si ripropone il file iexplorre32.dll (segnalato da avg come cavallo di troia clicker.dhv)

Operazioni effettuate:
Pulizia con Atf Cleaner
Pulizia con Ccleaner
Scansione con avg antivirus aggiornato al 13\11 in modalità normale rileva ed elimina file,
in modalità provvisoria non rileva nulla.
Scansione con avg antispyware aggiornato al 15\11 in modalità normale rileva ed elimina oggetto infetto (hijacker.small.kj) in modalità provvisoria non rileva nulla.
Scansione con SpyBot aggiornato al (3\11) non rileva nulla

Operazioni che non posso fare:
Non avendo la connessione, non posso installare nuovi programmi(aggornati o aggiornare i vecchi), effettuare eventuali scansioni online.

Ed ecco il Log di Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 15.03.02, on 16/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Executive Software\DiskeeperServer\DKService.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\Programmi\R-Undelete20\rloginsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\service32.exe
C:\WINNT\system32\ELAN.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\rundll32.exe
C:\Programmi\File comuni\Ulead Systems\AutoDetector\monitor.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\internat.exe
C:\Programmi\WinRamTurbo Pro 4.9\WinRamTurboPro.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
C:\PROGRA~1\GoGoData.com\GOGODA~1\ADBUST~1.EXE
C:\WINNT\System32\svchost.exe
C:\Nuova cartella\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: 195.210.91.83 www.libero.it
O1 - Hosts: 195.210.91.187 arianna.libero.it
O1 - Hosts: 193.108.88.9 download.zonelabs.com
O1 - Hosts: 208.185.174.44 www.zonelabs.com
O1 - Hosts: 216.49.88.123 it.mcafee.com
O1 - Hosts: 216.49.88.130 ads.mcafee.com
O1 - Hosts: 216.49.88.118 us.mcafee.com
O1 - Hosts: 216.49.88.31 download.mcafee.com
O1 - Hosts: 207.46.134.90 windowsupdate.microsoft.com
O1 - Hosts: 207.46.156.121 v4.windowsupdate.microsoft.com
O1 - Hosts: 207.46.248.122 go.microsoft.com
O1 - Hosts: 65.54.206.30 office.microsoft.com
O1 - Hosts: 216.39.69.76 view.atdmt.com
O1 - Hosts: 216.239.115.131 download.com.com
O1 - Hosts: 206.16.0.179 download-pdl.search.com
O1 - Hosts: 213.199.154.47 www.msn.it
O1 - Hosts: 66.94.229.254 home.edonkey.com
O2 - BHO: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - C:\Programmi\DIALux\DLXShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINNT\system32\ELAN.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2. EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Programmi\File comuni\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WinRamTurbo] C:\Programmi\WinRamTurbo Pro 4.9\WinRamTurboPro.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [GoGoTray.exe] C:\Programmi\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra 'Tools' menuitem: GoGoData AdBuster - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O12 - Plugin for .UVR: C:\Programmi\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O18 - Protocol: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - C:\Programmi\DIALux\DLXToolBox.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: R-Studio Login Server - Unknown owner - C:\Programmi\R-Undelete20\rloginsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Aspettando vostre notizie vi chiedo scusa per il mio precedente intervento(fuori regola)
e vi porgo i miei cordiali saluti.

**tiratardi12** · 16-11-2006, 19:12

se non risolvi formatta no?

**Topdrake** · 16-11-2006, 20:59

worm backdoor w32.zotob.f
strumento di rimozione:
http://www.symantec.com/region/it/te...2.zotob.f.html
manualme te devi eliminare il file :
C:\WINNT\service32.exe
e fixare tutte le voci con codice 01.
Ciao.

**aris73** · 16-11-2006, 21:00

fixa
tutte le 01 tranne
O1 - Hosts: 195.210.91.83 www.libero.it
O1 - Hosts: 195.210.91.187 arianna.libero.it
O1 - Hosts: 213.199.154.47 www.msn.it

elimina C:\WINNT\service32.exe -> Trojan.Clicker

**b3nty** · 16-11-2006, 21:08

Scusa ma hai provato a vedere qui:

http://www.hijackthis.de/it

cosa ti dice?

Vedi file per file, e poi entri nel regedit ed elimini le parti che ti dice!

Prova, alcuni problemi me li ha risolti, il virus con le labbra di donna accanto all'ora l'ho tolto così!
Ciao

**caztello** · 17-11-2006, 10:53

1 news
Purtroppo, Zobot non'è colpevole.......

**caztello** · 17-11-2006, 17:20

fixato tutti gli 01 e i consigliati da hijackthis tramite l'analisi del log sul sito.
cancellato il service32.exe e iexplorre32.dll, al riavvio non compaiono.
sacansione con avg e avg antispyware negative.
pulizia con atf cleaner e cclaner registro e file temporanei
tentata connessione e............il compiuter si riavvia.
Ho provato a cambiare porte usb con altre installate su bus pci....ma il risultato non cambia.
Il modem adsl funziona, lo uso su altro compiuter per postare qui.
SONO ESAUSTO!

Vi posto il nuovo log........AIUTO! SENZA IL MULO MUOIO!

Logfile of HijackThis v1.99.1
Scan saved at 16.19.11, on 17/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Executive Software\DiskeeperServer\DKService.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ELAN.exe
C:\WINNT\system32\rundll32.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\explorer.exe
C:\Nuova cartella\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - C:\Programmi\DIALux\DLXShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoveElanIcon] C:\WINNT\system32\ELAN.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O12 - Plugin for .UVR: C:\Programmi\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O18 - Protocol: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - C:\Programmi\DIALux\DLXToolBox.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Programmi\Executive Software\DiskeeperServer\DKService.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

**Topdrake** · 17-11-2006, 21:06

dal log non si rileva nulla, controlla nelle chiavi di registro se è presente, in tal caso elimina.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \
service32 = service32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\
service32 = service32.exe
stai molto attento a come operi nel registro.
ciao.

**caztello** · 18-11-2006, 12:58

Scusa ma......non ho mai editato il registro, e non ho assulutamente idea di dove\come metterci le mani.
Pensavo pure di reinstallare i driver del modem....che ne dite? (tentativo disperato!)

**BilloKenobi** · 18-11-2006, 13:45

EDIT... non avevo letto bene i post... le istruzioni che ho dato erano già state eseguite. pardon

Discussione: Cavallo di troia "Bastardo dentro"

Strumenti discussione

Ricerca discussione

Visualizza

Cavallo di troia "Bastardo dentro"

1 tentativo

2 tetativo

maggiori info

Permessi di invio