Olimpo Informatico

[frax_bigos]

Salve a tutti, spero che mi possiate aiutare col mio problema.
Sono riuscito a difendere il mio PC dagli attacchi per molti mesi grazie a Zone Alarm ma alla fine qualcuno e' riuscito a spedirmi qualche malware.
Explorer non funziona bene, appena lo apro mi esce il messaggio "Internet explorer ha incontrato un problema e deve essere chiuso... ecc ecc." , per poter navigare devo lasciare questa finestrina aperta ignorandola....
L'ho disistallato e reinstallato ma niente... il problema e' sempre li
Mentre navigo poi si aprono pop-up a raffica con messaggi pubblicitari e siti porno.
Posto qui il log di hijack-this:

Logfile of HijackThis v1.99.1
Scan saved at 15.14.37, on 13/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\NCH Software\Fling\fling.exe
C:\Program Files\MySQL\MySQL Server 5.2\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\service32.exe
C:\WINDOWS\sysnet32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NCH Software\Fling\fling.exe
C:\WINDOWS\system32\gdwmem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\MUSTEK 1248UB\Driver\WATCH.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AAD8C98A-DCF7-4547-A84D-148FD816A229} - C:\WINDOWS\system32\dbmsrpcnm.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {CD2830DC-E1DE-4345-9D77-7A50384DB51B} - c:\windows\system32\dpcdllo.dll
O2 - BHO: (no name) - {CD88D16A-551E-42CE-8CE8-6C53C791D75C} - c:\windows\system32\bdwahacx.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Lies City.exe
O4 - HKLM\..\Run: [FlingRun] "C:\Program Files\NCH Software\Fling\fling.exe" -logon
O4 - HKLM\..\Run: [gdwmem] C:\WINDOWS\system32\gdwmem.exe
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BinTray] C:\DOCUME~1\TRUSSI~1\APPLIC~1\GRIMBO~1\4test.exe
O4 - HKCU\..\Run: [gdwmem] C:\WINDOWS\system32\gdwmem.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\MUSTEK 1248UB\Driver\WATCH.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.archiviosex.net
O15 - Trusted Zone: *.otherchance.com
O15 - Trusted Zone: *.whatsnew.name
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162799979484
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586-jc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jicalril - C:\WINDOWS\SYSTEM32\dpcdllo.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Fling Service (FlingService) - Unknown owner - C:\Program Files\NCH Software\Fling\fling.exe" -service (file missing)
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Grazie mille!!!
Francesco

[Sante62]

Ciao francesco
Il PC sembra parecchio infetto.
Direi di lasciare stare Hijackthis per ora.

Scarica Virit da quì: http://www.tgsoft.it/italy/download.htm

Aggiornalo e fagli fare la scansione completa del PC.
Fai in modo che rimuova automaticamente i file infetti trovati.
Non dimenticare di disattivare momentaneamente il tuo antivirus.
Incolla poi quì il risultatocon un log aggiornato di HJT

Poi, fai anche questi passaggi:
http://forum.zeusnews.com/viewtopic.php?p=194965#194965 passaggio 1 -

http://forum.zeusnews.com/viewtopic.php?p=194966#194966 passaggio 2 -

[tecnico24]

ciao frax,io penso invece che hijackthis ci serve,quindi
avvia hijackthis,spunta a sinistra su queste voci:


O20 - Winlogon Notify: jicalril - C:\WINDOWS\SYSTEM32\dpcdllo.dll
O15 - Trusted Zone: *.whatsnew.name
O15 - Trusted Zone: *.otherchance.com
O15 - Trusted Zone: *.archiviosex.net
O4 - HKCU\..\Run: [gdwmem] C:\WINDOWS\system32\gdwmem.exe
O4 - HKCU\..\Run: [BinTray] C:\DOCUME~1\TRUSSI~1\APPLIC~1\GRIMBO~1\4test.exe
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [gdwmem] C:\WINDOWS\system32\gdwmem.exe
O4 - HKLM\..\Run: [FlingRun] "C:\Program Files\NCH Software\Fling\fling.exe" -logon
O4 - HKLM\..\Run: [axis love poll lite] C:\Documents and Settings\All Users\Application Data\each new axis love\Lies City.exe
O2 - BHO: (no name) - {CD88D16A-551E-42CE-8CE8-6C53C791D75C} - c:\windows\system32\bdwahacx.dll
O2 - BHO: (no name) - {CD2830DC-E1DE-4345-9D77-7A50384DB51B} - c:\windows\system32\dpcdllo.dll
O2 - BHO: (no name) - {AAD8C98A-DCF7-4547-A84D-148FD816A229} - C:\WINDOWS\system32\dbmsrpcnm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


poi clicca sotto su FIX CHECKED.



poi Scarica The Avenger
http://swandog46.geekstogo.com/avenger.zip

estrai l?archivio nel desktop.

Poi avvia il file Avenger.exe.
Seleziona l'opzione Input Script Manually, clicca sulla lente di ingrandimento e all'interno dello spazio bianco copia ed incolla questo script in rosso:





files to delete:
C:\WINDOWS\system32\gdwmem.exe
C:\WINDOWS\sysnet32.exe
C:\WINDOWS\service32.exe




poi Clicca sul pulsante Done
Adesso clicca sul semaforo con la luce verde
Rispondi Yes 2 volte
Il pc si dovrebbe riavviare,se non si riavvia,riavvialo manualmente

Al riavvio collegati e posta il contenuto del file C:\Avenger.txt

[frax_bigos]

Ho fixato...
Ecco il log di avenger ed il log di hijackthis(se puo' servire)
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ghcjrupy

*******************

Script file located at: ptxsuakf

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!

----------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 20.11.03, on 13/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MySQL\MySQL Server 5.2\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\service32.exe
C:\WINDOWS\sysnet32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\MUSTEK 1248UB\Driver\WATCH.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AAD8C98A-DCF7-4547-A84D-148FD816A229} - C:\WINDOWS\system32\dbmsrpcnm.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {CD2830DC-E1DE-4345-9D77-7A50384DB51B} - c:\windows\system32\dpcdllo.dll
O2 - BHO: (no name) - {CD88D16A-551E-42CE-8CE8-6C53C791D75C} - c:\windows\system32\bdwahacx.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\MUSTEK 1248UB\Driver\WATCH.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162799979484
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586-jc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jicalril - C:\WINDOWS\SYSTEM32\dpcdllo.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Alcune voci che avevo fixato sono ancora presenti.
Ditemi voi.

PS
Ho fatto la scanzione con quell'antivirus e mi ha rilevato questi virus:ù
trojan.win32.swizzor.BF
trojan.win32.dialer.HH
trojan.win32.small.RI

li ha rimossi e al riavvio il PC e' diventato ancora più instabile con crash e iexplorer che non si connetteva più a internet. Così ho fatto il ripristino di windows dal CD (non la formattazione) ed ho seguito le indicazioni di tecnico24

[Sante62]

Probabilmente l'infezione è più estesa di quanto ci aspettassimo.
Vai su start->Esegui e digita regedit.
Si aprirà il registro di sistema.
Aiutandoti con i + naviga attarverso questa chiave:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image file execution options e controlla se c'è una chiave chiamata explorer.exe. Nel caso ci sia, fai un click su di essa e riporta qua nel forum ciò che si trova sulla destra.

Fai la stessa cosa con quest'altra chiave:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image file execution options e controlla se c'è una chiave chiamata iexplorer.exe. Nel caso ci sia, click col destro su di essa elimina. Se non si fa eliminare clic col destro->Autorizzazioni, spunta tutti gli utenti e clicca su consenti sempre .
Nuovamente clic col destro, elimina.

[tecnico24]

segui le indicazione date da sante62,poi oltre a quello che devi postare,
esegui uno scan con FindAwf http://noahdfear.geekstogo.com/FindAWF.exe
esegui il file e si apre una finestra nera(DOS)
premi invio e attendi un blocco note con delle scritte.
riportalo qui.

[Orange]

benvenuto anche da parte mia, frax_bigos

[frax_bigos]

Dunque:
ho cercato con regedit quelle voci ma non c'era niente.
Ho fatto partire FindAWF ed ecco il log:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 14/09/2007
The current time is: 18.40.20,56


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

In effetti ora il PC va un po meglio. Iexplorer non mi crasha più con quel messaggino ed il sistema operativo e' tornato stabile.

L'unica cosa che ancora non va e' che quando apro in internet explorer faccio per aprire un link in un nuovo tab ecco dove vengo reindirizzato:

http://www.search-daily.com/search.php?qq=ciccio (ciccio l'ho messo io)

Penso che ci sia ancora qualche infezione.
Seguo i consigli di sante e posto il postabile

PS
Non vorrei disattivare Zone Alarm durante la scansione perche' mi protegge da costanti tentativi di intrusione e vi giuro che sono MIGLIAIA!
E tranquillo?

[Sante62]

Per favore posta pure un log aggiornato di Hijackthis.

PS: Per alcune scansioni potrebbe essere necessario disattivare anche il firewall.

[frax_bigos]

Ho fatto partire FindAWF ed ecco il log:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 14/09/2007
The current time is: 18.40.20,56


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

Poi ho avviato VirIt explorer e mi ha trovato e rimosso alcuni trojan tra cui:
win32.Agent.BCZ sul file WINDOWS\SERVICE32.EXE (ma va!)
win32.Small.RI sul file WINDOWS\SVCHOST.dll
gli altri non li ricordo ma si trovavano nei file temporanei di internet.
poi mi ha bloccato anche un file: WINDOWS\SYSTEM32\RPCC.EXE

Ho avviato gmer ed ecco i link:
<a href="http://www.freefilehosting.net/files/MjE0Mzc=">mygmerlog1.txt</a>


<a href="http://www.freefilehosting.net/files/MjE0Mzg=">mygmerlog2.txt</a>

Poi ho avviato suspectfile, ecco il link:
<a href="http://www.freefilehosting.net/files/MjE0NDA=">report35.txt</a>

e dulcis in fundo ecco il log hjt:

Logfile of HijackThis v1.99.1
Scan saved at 19.56.50, on 14/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MySQL\MySQL Server 5.2\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\VEXPLITE\MONLITE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\MUSTEK 1248UB\Driver\WATCH.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org1.1.5\program\soffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AAD8C98A-DCF7-4547-A84D-148FD816A229} - C:\WINDOWS\system32\dbmsrpcnm.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {CD2830DC-E1DE-4345-9D77-7A50384DB51B} - c:\windows\system32\dpcdllo.dll
O2 - BHO: (no name) - {CD88D16A-551E-42CE-8CE8-6C53C791D75C} - c:\windows\system32\bdwahacx.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: OpenOffice.org 1.1.5.lnk = C:\Program Files\OpenOffice.org1.1.5\program\quickstart.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\MUSTEK 1248UB\Driver\WATCH.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162799979484
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586-jc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jicalril - C:\WINDOWS\SYSTEM32\dpcdllo.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Ecco qui tutte le scansioni, le ho fatte col firewall attivato se ci sono problemi posso rifarlo tutto...senza firewall!

Grazie per la pazienza

[tecnico24]

ciao,avvia hijackthis,clicca su Do a system scan only.
e spunta a sinistra su queste voci:

O20 - Winlogon Notify: jicalril - C:\WINDOWS\SYSTEM32\dpcdllo.dll

O2 - BHO: (no name) - {CD88D16A-551E-42CE-8CE8-6C53C791D75C} - c:\windows\system32\bdwahacx.dll

O2 - BHO: (no name) - {CD2830DC-E1DE-4345-9D77-7A50384DB51B} - c:\windows\system32\dpcdllo.dll

O2 - BHO: (no name) - {AAD8C98A-DCF7-4547-A84D-148FD816A229} - C:\WINDOWS\system32\dbmsrpcnm.dll


e clicca sotto su FIX CHECKED.

[Sante62]

Allora, dopo aver fixato le voci indicate da tecnico24, utilizza nuovamente avenger con questo script:

Files to delete:
C:\WINDOWS\system32\drivers\czzkojxr.sys
C:\U.exe
C:\WINDOWS\system32\rpcc.exe

drivers to unload:
czzkojxr

Adesso collegati a Kaspersky e fai una scansione online:
http://forum.zeusnews.com/viewtopic.php?t=21705
Quando sta scaricando i file necessari, disattiva momentaneamente l'antivirus ed eventualmente anche il firewall. Non appena inizia la scansione del PC disconnettiti da internet.
Alla fine carica il risultato su www.freefilehosting.net, riportando quì il link che ti viene assegnato.

[frax_bigos]

Allora, ho fixato le voci con hijackthis ma riappaiono sempre.

Ho fatto la scansione con l'antivirus e mi ha trovato un covo di infezioni!
ecco il link del report:

report2.html

ed ecco il log di avenger:


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nwtfwrex

*******************

Script file located at: \??\C:\Program Files\upechulj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\system32\drivers\czzkojxr.sys for deletion
Deletion of file C:\WINDOWS\system32\drivers\czzkojxr.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\czzkojxr.sys
Status: 0xc0000022

File C:\U.exe deleted successfully.
File C:\WINDOWS\system32\rpcc.exe deleted successfully.


Registry key \Registry\Machine\System\CurrentControlSet\Services\czzkojxr not found!
Unload of driver czzkojxr failed!

Could not process line:
czzkojxr
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

[bdoriano]

Direi che i files .DLL identificano una probabile infezione di VirtuMonde.

Prima, se puoi, disabilita il ripristino di sistema

Poi scarica VundoFix.exe sul desktop

- Esegui VundoFix.exe
- Clicca Scan for Vundo.
- al termine della scansione, clicca Remove Vundo.
- ti chiede se vuoi eliminare i files infetti, clicca YES
- il tuo video diventerà nero durante la rimozione di Vundo.
- al termine ti chiederà di riavviare il pc, clicca OK.
- Copia qui il contenuto del log C:\vundofix.txt e un nuovo log di hijackthis.

Nota: VundoFix potrebbe non riuscire ad eliminare qualche file. In questo caso, VundoFix si avvierà automaticamente al riavvio del pc, ripeti le operazioni indicate sopra partendo da "Clicca Scan for Vundo" quando VundoFix apparirà al riavvio.

Al termine, fai una scansione con questo avviandolo in modalità provvisoria.

Quando hai fatto quei passaggi, procedi con questi altri:
Avvia AVENGER
Clicca su input script manually
Clicca sulla lente d'ingrandimento
Inserisci queste righe:

[frax_bigos]

[Sante62]

[bdoriano]

Speriamo che il suggerimento di Sante62 sia arrivato in tempo!
Facci sapere.

[frax_bigos]

Ho gia' formattato
Ora il PC mi va una bellezza
Pero' vi ringrazio tutti per l'impegno e quando (sicuramente) mi becchero' un trojan sapro' a chi rivolgermi. Siete tosti! Ciao!

A proposito! Prima di formattare avevo provato di mia iniziativa a caricare explorer dalla task bar ma mi dava un messaggio di file inesistente
Quindi la pazienza e finita e sono passato alle maniere forti

Francesco

[bdoriano]