PC e navigazione lentissimi [era:Vi prego controllate questa Log!]

[gr245]

Ho un PC molto lento, su internet sono quasi fermo, (ho l'ADSL libero), ho il sospetto di avere il PC infettato.

Finalmente sono riuscito a fare uno scanning con Hijackthis, (non riuscivo ad aprirlo...) ma seguendo qualche post di questo forum ce lo fatta !

Vi invio la log di HijackThis, ditemi se c'è qualche intruso...!

Logfile of HijackThis v1.99.0
Scan saved at 21.11.57, on 26/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\TCAUDIAG.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\System32\cdplayer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Silicon Image\SiISATARaid\SATARaid.exe
C:\WINNT\regedit.exe
C:\Documents and Settings\gianka\Desktop\PROGRAMMI ANTIVIRUS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libero.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,"c:\winnt\ system32\maxtorhelper.exe",
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B93D9C5-79AF-459C-9295-A1C795099A0B} - (no file)
O2 - BHO: (no name) - {3AA07F7A-B949-459E-8FAA-027B2CEF83F3} - (no file)
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - (no file)
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {910EF9DA-5219-4BA5-B59A-A2DEA22F5AD2} - (no file)
O2 - BHO: (no name) - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - (no file)
O2 - BHO: (no name) - {A07BBF98-097D-474F-80CA-CACA9E2EF22D} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [Microsoft Windows Security] mvsecure.exe
O4 - HKLM\..\Run: [dxdll32] dxdll32.exe
O4 - HKLM\..\Run: [dnssvc32] dnssvc32.exe
O4 - HKLM\..\Run: [Java Configuration Loader.] spoolsvfix.exe
O4 - HKLM\..\Run: [MCI driver32] driver32.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer.exe -tray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Hamlet\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Hamlet\Adsl\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe "
O4 - HKLM\..\RunServices: [Norton Antivirus CCDebug] CCSEVRT.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Security] mvsecure.exe
O4 - HKLM\..\RunServices: [Java Configuration Loader.] spoolsvfix.exe
O4 - HKLM\..\RunServices: [IPC Spool Manager] winspec.exe
O4 - HKLM\..\RunServices: [TkNetDriver Monitor] lexbce.exe
O4 - HKLM\..\RunServices: [MCI driver32] driver32.exe
O4 - HKLM\..\RunServices: [wnplayer] wnplayer.exe
O4 - HKCU\..\Run: [Microsoft WorkStation ] wkssvc.exe
O4 - HKCU\..\Run: [Configuration Loading Service] wscel.exe
O4 - HKCU\..\Run: [IPC Spool Manager] winspec.exe
O4 - HKCU\..\Run: [MCI driver32] driver32.exe
O4 - HKCU\..\Run: [Ekeniyoha] ssekeniyoha.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128 .5462\GoogleToolbarNotifier.exe
O4 - Global Startup: SATARaid.lnk = C:\Programmi\Silicon Image\SiISATARaid\SATARaid.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1162069998765
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O20 - AppInit_DLLs:
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Servizio amministrativo di Gestione disco logico - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Estensione eventi dll - EPPSCAN WDM Driver - (no file)
O23 - Service: Google Updater Service - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HFP Service - Unknown - C:\WINNT\system32\hfp.exe
O23 - Service: msie7 - Unknown - C:\WINNT\system\msie701.exe (file missing)

Grazie, ciao

[OYS]

VVoVe: È un vero e propio assalto di questo famoso Worm/Backdoor chiamato SdBot

Assicurati di aver messo hijackthis in una cartella (in modo che crei il file di ripristino in essa), e poi procedi, selezionando le stringhe seguenti e premendo fix checked:


O4 - HKLM\..\Run: [Microsoft Windows Security] mvsecure.exe

O4 - HKLM\..\Run: [dxdll32] dxdll32.exe

O4 - HKLM\..\Run: [dnssvc32] dnssvc32.exe

O4 - HKLM\..\Run: [Java Configuration Loader.] spoolsvfix.exe

O4 - HKLM\..\Run: [MCI driver32] driver32.exe

O4 - HKLM\..\RunServices: [Norton Antivirus CCDebug] CCSEVRT.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Security] mvsecure.exe

O4 - HKLM\..\RunServices: [IPC Spool Manager] winspec.exe

O4 - HKLM\..\RunServices: [TkNetDriver Monitor] lexbce.exe

O4 - HKLM\..\RunServices: [MCI driver32] driver32.exe

O4 - HKLM\..\RunServices: [wnplayer] wnplayer.exe

O4 - HKCU\..\Run: [Microsoft WorkStation ] wkssvc.exe

O4 - HKCU\..\Run: [Configuration Loading Service] wscel.exe

O4 - HKCU\..\Run: [IPC Spool Manager] winspec.exe

O4 - HKCU\..\Run: [MCI driver32] driver32.exe

O4 - HKCU\..\Run: [Ekeniyoha] ssekeniyoha.exe

O20 - AppInit_DLLs:

[Habanero]

La prossima volta usa un titolo appropriato altrimenti la discussione verrà chiusa

[gr245]

ho fatto il fixed checked, poi ho rifatto hijackthis ecco il risultato:

Logfile of HijackThis v1.99.0
Scan saved at 19.47.59, on 28/03/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\TCAUDIAG.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\System32\cdplayer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Silicon Image\SiISATARaid\SATARaid.exe
D:\PROGRAMMI ISTALLATI\eMule\0.46c\emule.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\gianka\Desktop\PROGRAMMI ANTIVIRUS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libero.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,"c:\winnt\ system32\maxtorhelper.exe",
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B93D9C5-79AF-459C-9295-A1C795099A0B} - (no file)
O2 - BHO: (no name) - {3AA07F7A-B949-459E-8FAA-027B2CEF83F3} - (no file)
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - (no file)
O2 - BHO: (no name) - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {910EF9DA-5219-4BA5-B59A-A2DEA22F5AD2} - (no file)
O2 - BHO: (no name) - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - (no file)
O2 - BHO: (no name) - {A07BBF98-097D-474F-80CA-CACA9E2EF22D} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DeluxeCD] C:\WINNT\System32\cdplayer.exe -tray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Hamlet\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Hamlet\Adsl\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe "
O4 - HKLM\..\RunServices: [Java Configuration Loader.] spoolsvfix.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128 .5462\GoogleToolbarNotifier.exe
O4 - Global Startup: SATARaid.lnk = C:\Programmi\Silicon Image\SiISATARaid\SATARaid.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1162069998765
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77324FC6-1116-4786-B83E-FA5D54984271}: NameServer = 193.70.152.15 193.70.152.25
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINNT\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Servizio amministrativo di Gestione disco logico - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Estensione eventi dll - EPPSCAN WDM Driver - (no file)
O23 - Service: Google Updater Service - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HFP Service - Unknown - C:\WINNT\system32\hfp.exe
O23 - Service: msie7 - Unknown - C:\WINNT\system\msie701.exe (file missing)

C'è qualcos'altro che non và?
Grazie x il vs aiuto !

[OYS]

Sembrerebbe tutto ok.. Prima mi ero dimenticato questi due:


F2 - REG:system.ini: Shell=

O23 - Service: msie7 - Unknown - C:\WINNT\system\msie701.exe (file missing)



Dopo averli fixati, fai start-->esegui, e copia incolla questi comandi (uno alla volta)


sc stop msie7

sc delete msie7



Infine controlla su www.virustotal.com se questo è un virus:


C:\WINNT\system32\hfp.exe


In quel caso fixa questa:


O23 - Service: HFP Service - Unknown - C:\WINNT\system32\hfp.exe


e fai questo:

sc stop HFP Service

sc delete HFP Service

[gr245]

grazie per il tuo aiuto !

ho fatto il fix checked x gli ultlmi due, ma non sono riuscito ad eseguire i comandi

sc stop msie7

sc delete msie7

ecco cosa mi dice:
impossibile trovare i comandi SC o uno dei suoi componenti. verificare il percorso del file...


ti allego copia della risposta

fammi sapere
grazie ciao

[Habanero]

.

[Habanero]

prova con:

c:\WINNT\system32\sc stop msie7

c:\WINNT\system32\sc delete msie7

[gr245]

niente il solito errore!

[tognazzi]

qui

http://forums.techguy.org/windows-nt...ml#post2764505

consigliano di fixare anche

F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe