As soon as I connect to the internet with the firewall enabled, on every page I open, even a blank one, I am continuously prompted to install and run this:
http://www.unixshellz.info/antitrust/
What could it be? Norton doesn't find anything!!!
and at every reboot there is this error, and then, if connected to the internet, it opens the page described earlier.
code:
Tipo evento: Errore
Origine evento: Application Error
Categoria evento: Nessuno
ID evento: 1001
Data: 13/07/2004
Ora: 22.43.46
Utente: N/D
Computer: ACER1356LMI
Descrizione:
Bucket 84446200 errato.
Per ulteriori informazioni, consultare la Guida in linea e supporto tecnico all'indirizzo http://go.microsoft.com/fwlink/events.asp.
Dati:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 38 34 34 34 36 32 30 30 84446200
0010: 0d 0a ..
Have you already tried with up-to-date AdAware and SpyBot?
Yes, I already removed some s__t, but the problem continues; I tried downloading the Sasser virus removal tool, but nothing!
Download HijackThis, it's in the pinned threads; put it in a new folder. Open it, click Scan and save the log, then post it here.
Here is the log file produced by that program's scan; I hope it helps:
code:
Logfile of HijackThis v1.98.0
Scan saved at 10.56.41, on 15/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Downlo~1\btmv6\d8d6j.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\LAUNCH~1\QtZpAcer.EXE
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\video_32sD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wssvr.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\Fr@\Desktop\Nuova cartella\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZpAcer.EXE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Programmi\File comuni\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zwaxbox.exe
O4 - HKLM\..\Run: [Microsoft Update] wssvr.exe
O4 - HKLM\..\Run: [NVIDIA Video drivers] video_32sD.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wssvr.exe
O4 - HKLM\..\RunServices: [NVIDIA Video drivers] video_32sD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA Video drivers] video_32sD.exe
O4 - HKCU\..\Run: [Microsoft Update] wssvr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
you are definitely infected with the sdbot worm
C:\WINDOWS\System32\video_32sD.exe
and very probably with rbot
C:\WINDOWS\System32\wssvr.exe
run an online scan and, after removing the infected files, reboot and post a new HJT log
http://support.f-secure.com/enu/home/ols.shtml
Now everything seems to be OK, it no longer opens any windows!
Anyway, here is the new report:
code:
Logfile of HijackThis v1.98.0
Scan saved at 0.15.29, on 16/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Downlo~1\btmv6\d8d6j.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\LAUNCH~1\QtZpAcer.EXE
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wssvr.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\Fr@\Desktop\Nuova cartella\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Progra~1\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZpAcer.EXE
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Programmi\File comuni\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zwaxbox.exe
O4 - HKLM\..\Run: [Microsoft Update] wssvr.exe
O4 - HKLM\..\Run: [NVIDIA Video drivers] video_32sD.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wssvr.exe
O4 - HKLM\..\RunServices: [NVIDIA Video drivers] video_32sD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA Video drivers] video_32sD.exe
O4 - HKCU\..\Run: [Microsoft Update] wssvr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
Reboot in safe mode, run a scan with HijackThis, tick the entries I list below (all applications must be closed, browser included), then click Fix checked
O4 - HKLM\..\Run: [NVIDIA Video drivers] video_32sD.exe
O4 - HKLM\..\RunServices: [NVIDIA Video drivers] video_32sD.exe
O4 - HKCU\..\Run: [NVIDIA Video drivers] video_32sD.exe
Reboot and go to this site http://virusscan.jotti.dhs.org/ and have it scan this file: wssvr.exe, the path is C:\WINDOWS\System32\
copy the result here.
here it is:
code:
Service load: 0% 100%
File: wssvr.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

AntiVir No viruses found (1.14 seconds taken)
BitDefender Backdoor.SDBot.Gen (3.60 seconds taken)
ClamAV No viruses found (6.25 seconds taken)
F-Prot Antivirus No viruses found (0.98 seconds taken)
F-Secure Anti-Virus Backdoor.Rbot.gen (3.96 seconds taken)
Kaspersky Anti-Virus Backdoor.Rbot.gen (3.62 seconds taken)
McAfee VirusScan W32/Sdbot.worm.gen.g (3.37 seconds taken)
Norman Virus Control Sandbox: W32/Malware;
[ General information ]
* **Locates window "NULL [class mIRC]" on desktop.
* File length: 140853 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\wssvr.exe.
* Deletes file 1.
[ Changes to registry ]
* Creates value "Microsoft Update"="wssvr.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Microsoft Update"="wssvr.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates value "Microsoft Update"="wssvr.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
[ Network services ]
* Checks wheter computer is connected to Internet.
* Attempts to resolve name "no-ip.dnsalias.com".
* Connect port 6667 [TCP], IP 193.75.75.100.
* Connects to IRC Server.
* Connect port 113 [IP], IP 0.0.0.0.
[ Process/window information ]
* Creates a mutex bee2.
(26.53 seconds taken)
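
Added example, not part of the original thread: the sandbox report above shows the same value written to HKLM Run, HKLM RunServices and HKCU Run, and this Python sketch flags that pattern in the O4 lines of a HijackThis log. The function names and the three-key threshold are assumptions of the example; the sample lines are copied from the log posted in the thread.

```python
import re
from collections import defaultdict

# HijackThis prints registry autoruns as: O4 - HKLM\..\Run: [ValueName] command
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

# Subset of the O4 lines from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zwaxbox.exe
O4 - HKLM\..\Run: [Microsoft Update] wssvr.exe
O4 - HKLM\..\Run: [NVIDIA Video drivers] video_32sD.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wssvr.exe
O4 - HKLM\..\RunServices: [NVIDIA Video drivers] video_32sD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA Video drivers] video_32sD.exe
O4 - HKCU\..\Run: [Microsoft Update] wssvr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
"""

def parse_o4(log_text):
    """Return (location, value_name, command) for each O4 registry autorun line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:  # "Global Startup" lines have a different shape and are skipped
            hive, key, name, command = m.groups()
            entries.append((f"{hive}\\{key}", name, command))
    return entries

def multi_key_autoruns(log_text, min_locations=3):
    """Map (value_name, command) -> sorted autorun keys, for pairs registered in
    at least min_locations keys (the threshold is an assumption of this example)."""
    seen = defaultdict(set)
    for location, name, command in parse_o4(log_text):
        seen[(name, command.lower())].add(location)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_locations}

if __name__ == "__main__":
    for (name, command), locations in multi_key_autoruns(SAMPLE_LOG).items():
        print(f"{name!r} -> {command}: {', '.join(locations)}")
```

The heuristic only ranks entries for review; an entry registered under a single key is not cleared by it.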