www.MegaLab.it

da **evergreen** » sab feb 24, 2007 1:38 am

Ciao raga, ho appena comprato il pc nuovo un secondo dopo aver istallato il modem ed andando sul sito ufficiale di EMULE [...]

mi sono beccato un virus. Ma come cazzarola si fa?
Potreste aiutarmi?
Il pc dopo pochi minuti mi da un errore di win 32 e non mi si riconnette piu' ad internet devo riavviare e poi solita cosa.
Ecco l'hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 0.37.13, on 24/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Premium\sched.exe
C:\Programmi\AntiVir PersonalEdition Premium\avguard.exe
C:\Programmi\AntiVir PersonalEdition Premium\avesvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\AntiVir PersonalEdition Premium\avmailc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\AntiVir PersonalEdition Premium\avgnt.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Documents and Settings\utente\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Premium\avgnt.exe" /min
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'avsda.dll' missing
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C1EEFC7-6217-4967-84EE-FBA40F327247}: NameServer = 85.37.17.39 85.38.28.71
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C1EEFC7-6217-4967-84EE-FBA40F327247}: NameServer = 85.37.17.39 85.38.28.71
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir Mail Security Service (AntiVirMailService) - H+BEDV Datentechnik GmbH - C:\Programmi\AntiVir PersonalEdition Premium\avmailc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Programmi\AntiVir PersonalEdition Premium\sched.exe
O23 - Service: AntiVir PersonalEdition Premium Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programmi\AntiVir PersonalEdition Premium\avguard.exe
O23 - Service: AntiVir Engine Service (AVEService) - H+BEDV Datentechnik GmbH - C:\Programmi\AntiVir PersonalEdition Premium\avesvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

------------------------------

ho eliminato le porcate che ho trovato ma non e' cambiato nulla, il log e' cosi' corto perche' come ho gia' detto ho appena istallato i fondamentali :|

da **evergreen** » sab feb 24, 2007 1:39 am

ah ho anche fixxato questo:
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe

ma non cambia nulla, in piu' per esempio non mi si visualizza la cartella IMPOSTAZIONI LOCALI dove di solito sono collocati i virus .exe ci devo andare io dalla barra degli indirizzi

da **crazy.cat** » sab feb 24, 2007 9:22 am

Installare un firewall e tutte le patch prima d collegarsi?
O era più importante collegarsi subito ad emule.....

Hai solo cancellato la riga
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
oppure hai eliminato anche il file exe?

Prova a fare una scansione con stinger dalla modalità provvisoria
http://download.nai.com/products/mcafee ... tng260.exe

da **evergreen** » sab feb 24, 2007 1:15 pm

allora grazie per la risposta cosi' celere, che tipo di patch avrei dovuto scaricare? intanto riparto in modalita' provvisoria e faccio la scansione con quel progamma.

da **Monkey13** » sab feb 24, 2007 1:23 pm

Questa patch: [^]

http://monkeyscountry.altervista.org/Do ... dowsXP.rar

dal mio sito.. non dovresti avere più problemi! Ciao!

da **crazy.cat** » sab feb 24, 2007 1:24 pm

Le patch di sicurezza di windows per esempio....

da **Amantide** » sab feb 24, 2007 1:30 pm

evergreen ha scritto:ah ho anche fixxato questo:
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe

ma non cambia nulla, in piu' per esempio non mi si visualizza la cartella IMPOSTAZIONI LOCALI dove di solito sono collocati i virus .exe ci devo andare io dalla barra degli indirizzi

Per chiedere aiuto qui sul forum è importante!! postare i log iniziali con tutte le voci sospette presenti, purtroppo nessuno di noi è munito di una sfera magica.

Dopo aver visto questa voce ...
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
... ti posso dire con la sicurezza che si tratta di trojan Zonebac.

Fai la scansione con Kaspersky online e posta qui il report della scansione.

da **evergreen** » sab feb 24, 2007 1:34 pm

grazie a tutti veramente di cuore.
Allora fancendo la scansione con il progrmma precedente ecco il risultato:

McAfee AVERT Stinger Version 2.6.0. built on Apr 5 2006

Copyright (C) 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Feb 2 2006.

Ready to scan for 55 viruses, trojans and variants.

Scan initiated on Sat Feb 24 12:17:31 2007

Number of clean files: 74902

---------------------------

ora l'errore mi si e' subito verificato GENERIC HOST PROCESS Win32 service
andando nel dettaglio mi indica questi due errori:
C:\DOCUME~1\utente\IMPOST~1\Temp\WERc8b5.dir00\svchost.exe.mdmp
C:\DOCUME~1\utente\IMPOST~1\Temp\WERc8b5.dir00\appcompat.txt

istallo subito la patch consigliata e scansiono con kaspersky

--------------------------

virit non mi dava nessun virus ma meglio controllare con kaspersky

da **Amantide** » sab feb 24, 2007 1:39 pm

evergreen ha scritto:
virit non mi dava nessun virus ma meglio controllare con kaspersky

Se clicchi sul link sotto alla scritta trojan Zonebac capirai perché ti ho chiesto di postare il log della scansione con Kaspersky online. [;)]

P.S. Ah! Quella patch non c'entra niente con questo problema.

da **evergreen** » sab feb 24, 2007 2:06 pm

aaaaaaaaaallora:
1) Risolto il problema dell'errore di win32: ERA LA PATCH DI WINXP [acc2]

2) Ho fatto la scansione con Kaspersky mi ha dato 3 file infetti ma erano quelli che c'erano nel file di backup di avenger (il programma che avevo utilizzato per rimuovere i file che ritenevo sospetti) per sicurezza vi posto il log. Fatemi sapere se c'e' qualcosa, grazie mille:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 24, 2007 1:01:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/02/2007
Kaspersky Anti-Virus database records: 257768
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 23796
Number of viruses found: 2
Number of infected objects: 3 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:14:47

Infected Object Name / Virus Name / Last Action
C:\avenger\backup.zip/avenger/drf1172272047[1].htm.exe Infected: Trojan.Win32.Dialer.ri skipped
C:\avenger\backup.zip/avenger/lsasss.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\avenger\backup.zip ZIP: infected - 2 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\utente\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\utente\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\utente\Impostazioni locali\Cronologia\History.IE5\MSHist012007022420070225\index.dat Object is locked skipped
C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\utente\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\utente\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\utente\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\VEXPLITE\reg_ecc.dat Object is locked skipped
C:\VEXPLITE\REPORT.RPT Object is locked skipped
C:\VEXPLITE\utente\reg.dat Object is locked skipped
C:\VEXPLITE\VIRITEXP.LOG Object is locked skipped
C:\VEXPLITE\VIRITMON.LOG Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\netrzfqg.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Tasks\obdnpzpc.job Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.