Olimpo Informatico

[janarajs]

Il log del HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 15:01:03, on 29/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\service32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\_Install\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyServer = proxy1.emirates.net.ae:8080
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696}

- C:\Documents and Settings\Jana Rajsiglova\10267710.dll
O2 - BHO: Windows Live Sign-in Helper -

{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common

Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program

Files\Emirates Internet\Communicator\Program\AIM\aim.exe

-cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN

Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program

Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related -

{c95fe080-8f5d-11d2-a20b-00aa003c157a} -

C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links -

{c95fe080-8f5d-11d2-a20b-00aa003c157a} -

C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O17 -

HKLM\System\CCS\Services\Tcpip\..\{24FEC776-2B84-41C4-A7A2-EF51A92

56411}: NameServer = 213.42.20.20,195.229.241.222
O17 -

HKLM\System\CS1\Services\Tcpip\..\{24FEC776-2B84-41C4-A7A2-EF51A92

56411}: NameServer = 213.42.20.20,195.229.241.222
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F}

- C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown

owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program

Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program

Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program

Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio

Technologies - C:\Program Files\Kerio\Personal Firewall

4\kpf4ss.exe
O23 - Service: STI Simulator - Unknown owner -

C:\WINDOWS\System32\PAStiSvc.exe

[Smjert]

Ciao hai il Trojan Clicker

Scarica questo file .reg, una volta scaricato doppicliccalo e rispondi di sì.

Riavvia il pc in Modalità Provvisoria (F8 al boot).

[janarajs]

Ciao,
allora andando nel Safe Mode ho cercato i file che hai indicato.
Ho trovato soltanto service32.exe e l'ho cancellato, altri non li ho trovati. Andando nel C:\Windows non ho trovato nessun file numerato con extension .exe
Ho dovuto ritornare nel modo normale, non riuscivo acceddere Internet da SafeMode, non so se e giusto

Il log del HijackThis nuovo, spero che non si spezzi ancora:

Logfile of HijackThis v1.99.1
Scan saved at 16:52:32, on 29/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
D:\_Install\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\Documents and Settings\Jana Rajsiglova\10267710.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Emirates Internet\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{24FEC776-2B84-41C4-A7A2-EF51A9256411}: NameServer = 213.42.20.20,195.229.241.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{24FEC776-2B84-41C4-A7A2-EF51A9256411}: NameServer = 213.42.20.20,195.229.241.222
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

[Smjert]

Sì è giusto, da Modalità Provvisoria non puoi connetterti a internet (avrei dovuto avvertirti).
Cmq Sys32.dll che era infettato l'hai cancellato?
Hai utilizzato quel file .reg?

Fai per sicurezza una scansione con Panda, salva il report e posta il suo contenuto.

[janarajs]

Quel .reg file l'ho utilizato come da istruzzione, mi ha soltanto notificato che il file e stato inserito nel registro.
Poi ero andata nel SafeMode e fatto le azioni descritte prima. Il file sys32.dll non ho cancellato, non sapevo Devo andare ancora nel SafeMode per cancellarlo?

Ho iniziato scan col Panda ma a meta del processo il Avast mi segnala che e stato trovato il virus Win32:CTX nel file http://acs.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL ed unica azione proposta e di interrompere la connessione...

[Smjert]

Quel file, sys32.dll adesso lo puoi cancellare da modalità normale perchè non è + utilizzato dal trojan.

[janarajs]

Ho fatto search del file sys32.dll, cercando anche nei hidden e system files e non l'ho trovato.

Adesso allora disattivero Avast e faro di nuovo Panda scan. Pero ho una domanda, uso il KerioPersonalFirewall ed mi sta chiedendo che Windows Explorer si vuole connettere al sa.windows.com, ecco il log:

[29/10/2006 17:38:42]

Direction: outgoing
Local Point: 0.0.0.0, port 1360
Adapter: TI USB Remote NDIS Network Device #2 - Packet Scheduler Miniport
Remote Point: sa.windows.com [207.46.248.249], port http [80]
Protocol: TCP

Dovrei dare il permesso o no?

[Smjert]

No blocca.
Il file è syst32.dll
guarda inoltre se ha questo file proof.exe e/o questo extrk.exe

[janarajs]

Ok, ho bloccato quel uscita. Trovo veramente difficile capire quando dovrei permettere e quando bloccare certi processi. Mi capita che blocco qualcosa e poi mi trovo senza accesso al panello di controllo ad esempio, in somma, sbagliando si impara, vero? Mi sento parecchio ignorante oggi

Ho cercato sia syst32.dll, proof.exe e extrk.exe, non ne ho trovato neanche uno.

Ho fatto Panda scan, ecco il report:


Incident Status Location

Adware:Adware/GoodSearchNow Not disinfected C:\Documents and Settings\Jana Rajsiglova\10267710.dll
Adware:adware/gator Not disinfected Windows Registry
Adware:Adware/GoodSearchNow Not disinfected C:\Documents and Settings\Jana Rajsiglova\101672748.dll
Adware:Adware/GoodSearchNow Not disinfected C:\Documents and Settings\Jana Rajsiglova\106132018.dll
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@ad.yieldmanager[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@atwola[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@bluestreak[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@bravenet[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@burstnet[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@c.enhance[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@c.goclick[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@casalemedia[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@centrport[2].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@clickbank[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@fastclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@hitbox[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@maxserving[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@mediaplex[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@questionmarket[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@serving-sys[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@statcounter[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@toplist[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@tradedoubler[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jana Rajsiglova\Cookies\jana rajsiglova@tribalfusion[1].txt
Dialer:Dialer.ICB Not disinfected C:\Documents and Settings\Jana Rajsiglova\Local Settings\Temp\it_0118.exe
Possible Virus. Not disinfected C:\Documents and Settings\Jana Rajsiglova\Local Settings\Temp\winsyst32.exe
Adware:Adware/GoodSearchNow Not disinfected C:\RECYCLER\S-1-5-21-1409082233-1343024091-854245398-1003\Dc4.exe
Adware:Adware/GoodSearchNow Not disinfected C:\WINDOWS\2321614943.exe
Adware:Adware/GoodSearchNow Not disinfected C:\WINDOWS\Temp\_avast4_\unp73774697.tmp

[Smjert]

C:\WINDOWS\2321614943.exe
Ma allora ce l'avevi il file numerico in C:\Windows...

Com'è che non hai neanche trovato questo? C:\Documents and Settings\Jana Rajsiglova\Local Settings\Temp\winsyst32.exe te l'avevo scritto di cercarlo con la ricerca Windows.

Vabbeh..

[janarajs]

Si ho notato, che dovevano esserci, non li ho trovati prima.

Allora, ho fatto tutte le operazioni che hai indicato.

Sto facendo un altro Panda scan, passero il log appenna fatto.

Nelfrattempo vorrei ringraziarti di tutto cuore per il tuo aiuto fin'ora.

[janarajs]

Ecco nuovo log di Panda scan:


Incident Status Location

Adware:adware/gator Not disinfected Windows Registry
Adware:Adware/GoodSearchNow Not disinfected C:\WINDOWS\Temp\_avast4_\unp73774697.tmp

[Smjert]

Data la presenza di quegli AdAware, se non ce li hai già scaricati sia Spybot Search and Destroy che Lavasoft AdWare, aggiornali e fagli fare una scansione completa cancellando quello che trovano.
Per il resto dovresti essere a posto.

[janarajs]

Ok, li ho scaricati e fatto i scan. Mi hanno trovato un po di spyware, ho cancellato tutto.

Ti ringrazio ancora del tuo aiuto, mi rendo conto che ti ho portato via maggior parte del pomeriggio, ti sono molto grata.

Salutoni da Dubai,

Ciao

Jana

[Smjert]

Figurati! Dovere! 8)
Ciau.