www.MegaLab.it

da **adepoiu** » mer lug 12, 2006 10:55 am

un saluto festoso a tutto il forum!
ieri mi è entrato un cavallo di troia di cui sbadatamente non ho preso il nome.
avast me l'ha rilevato ed io l'ho spostato nel cestino come consigliava l'antivirus.
dopodichè ho fatto girare spybot e adware se personal.
autocad non mi gira correttamente mentre il resto parrebbe funzionare.
qualche anima pia mi può controllare questo hijack?grazie

Logfile of HijackThis v1.99.1
Scan saved at 11.34.45, on 12/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\Programmi\Ahead\InCD\InCD.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINNT\system32\internat.exe
C:\Programmi\Skype\Phone\Skype.exe
E:\macchina digitale\QuickDCF.exe
C:\Programmi\Sony Corporation\Image Transfer\SonyTray.exe
C:\lotus\organize\easyclip.exe
C:\Programmi\CASIO\Photo Loader\Plauto.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINNT\System32\cleanmgr.exe
C:\WINNT\System32\cleanmgr.exe
C:\Programmi\Mozilla Thunderbird\thunderbird.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator.GIUSEPPE\Desktop\Nuova cartella\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] :RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] :C:\Office51\SOINTGR.EXE
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Libero\Adsl\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ÿ_zskd_]sjynk_xc[sw`v50inkrwksz_] c:\winnt\system32\_zskwrkni05v`ws[cx_knyjs]_d.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\testtestt.exe
O4 - HKLM\..\RunServices: [ÿ_zskd_]sjynk_xc[sw`v50inkrwksz_] c:\winnt\system32\_zskwrkni05v`ws[cx_knyjs]_d.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ÿ_zskd_]sjynk_xc[sw`v50inkrwksz_] c:\winnt\system32\_zskwrkni05v`ws[cx_knyjs]_d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = E:\macchina digitale\QuickDCF.exe
O4 - Global Startup: Image Transfer.lnk = C:\Programmi\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Loader residente.lnk = C:\Programmi\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan ... ncipal.htm (file missing)
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.actalis.it
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: *.inlineanet.it
O15 - Trusted Zone: www.otherchance.com
O15 - Trusted Zone: www.playitalia.com
O15 - Trusted Zone: www.redfunny.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... st0401.cab
O16 - DPF: {42C559C0-2E84-11D5-A3C6-00010219529D} (siacapi-core-install) - https://portal.actalis.it/CA/Environmen ... nstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7591976456
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6101308-42CF-45C6-AD74-0779A2E41673}: NameServer = 62.94.0.1,62.94.0.2
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documenti\Settings\artm_new.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

da **andorra24** » mer lug 12, 2006 11:10 am

Fixa queste voci:

O4 - HKLM\..\Run: [ÿ_zskd_]sjynk_xc[sw`v50inkrwksz_] c:\winnt\system32\_zskwrkni05v`ws[cx_knyjs]_d.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\testtestt.exe
O4 - HKLM\..\RunServices: [ÿ_zskd_]sjynk_xc[sw`v50inkrwksz_] c:\winnt\system32\_zskwrkni05v`ws[cx_knyjs]_d.exe
O4 - HKCU\..\Run: [ÿ_zskd_]sjynk_xc[sw`v50inkrwksz_] c:\winnt\system32\_zskwrkni05v`ws[cx_knyjs]_d.exe
O15 - Trusted Zone: *.actalis.it (se questa voce l'hai messa volutamente non fixarla)
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: *.inlineanet.it (se questa voce l'hai messa volutamente non fixarla)
O15 - Trusted Zone: www.otherchance.com
O15 - Trusted Zone: www.playitalia.com
O15 - Trusted Zone: www.redfunny.com
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documenti\Settings\artm_new.dll

elimina i seguenti files exe e la dll:
c:\winnt\system32\_zskwrkni05v`ws[cx_knyjs]_d.exe
C:\WINNT\system32\testtestt.exe
C:\Documents and Settings\All Users\Documenti\Settings\artm_new.dll

Fai una scansione con ewido:
http://www.ewido.net/en/onlinescan/

da **adepoiu** » mer lug 12, 2006 5:39 pm

ciao andorra, intanto grazie per la sollecitudine.
ho fixato come mi hai detto ma poi i file da eliminare non li ho trovati nelle rispettive cartelle!!!!

andorra24 ha scritto:elimina i seguenti files exe e la dll:
c:\winnt\system32\_zskwrkni05v`ws[cx_knyjs]_d.exe
C:\WINNT\system32\testtestt.exe
C:\Documents and Settings\All Users\Documenti\Settings\artm_new.dll

se continuo a scannare hijack e fixare i sospetti, alla successiva scan i file sospetti sono ancora lì!!

Fai una scansione con ewido:
http://www.ewido.net/en/onlinescan/

la scansione non mi parte!!dopo che ho schiacciato scan, non succede nulla.

credo di essere messo peggio di quanto credessi

da **crazy.cat** » mer lug 12, 2006 5:44 pm

Hai abilitato la visione dei file nascosti?

Potresti avere qualche schifezzuola nascosta che ti blocca lo scan (con che browser lo fai?)

Prova ad usare uno di questi dalla modalità provvisoria
http://www.MegaLab.it/2349
http://www.MegaLab.it/2333

da **adepoiu** » mer lug 12, 2006 9:55 pm

grande crazy cat!!sempre presente quando ho un problema!

no, nessun file nascosto, non ci sono proprio o comunque non riesco a trovarli.

usa mozilla firefox.

comunque ora ho usato trend micro e mi ha fatto cancellare quattro virus;domani conto di usare anche scangui e poi reinstallo tutte le applicazioni che non funzionano: tu che dici?
grazie e buonanotte

www.MegaLab.it

cavallo di troia!!

cavallo di troia!!

Chi c’è in linea