www.MegaLab.it

[evergreen]

virus whataboutarabit (almeno credo)
Salve ho sicuramente preso un virus, che mi crea una nuova connessione chiamata SERVICE che mi crea un file exe nei file temporanei numerato (es. 121431.exe) e non riesco ad eliminarlo. Eliminio tutti i file temporanei, con hijackthis fixo il file che parte in automatico ed una sorta di collegamento ad un whatistherabbit.com, cancello il file exe, ma puntualmente rispunta che fare?
eccovi il log di hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 14.42.22, on 20/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\VEXPLITE\MONLITE.EXE
C:\Program Files\Conexant\Adsl\dslstat.exe
C:\Program Files\Conexant\Adsl\dslagent.exe
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\DOCUME~1\basta\IMPOST~1\Temp\1187613074.dat.exe
C:\Documents and Settings\basta\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freeforumzone.leonardo.it/viewforum.aspx?f=12780
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Conexant\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Conexant\Adsl\dslagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Programmi\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/pa...can_unicode.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Programmi\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe



e quello di kaspersky:

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target Folders
C:\WINDOWS\

Scan Statistics
Total number of scanned objects 11773
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:10:05

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Spero che qualcuno mi aiuti.grazie

[crazy.cat]

Con kaspersky hai sbagliato la scansione dovevi farlo di tutto il disco e non solo della cartella windows.
Mi serve il log di questo programma
http://noahdfear.geekstogo.com/FindAWF.exe

[evergreen]

Find AWF report by noahdfear ©2006
Version 1.40



bak folders found
~~~~~~~~~~~

Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: 180D-FD65

Directory di C:\BAK

0 File 0 byte
2 Directory 10.637.787.136 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: 180D-FD65

Directory di C:\VEXPLITE\BAK

09/08/2007 11.07 245.760 MONLITE.EXE
1 File 245.760 byte
2 Directory 10.637.787.136 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: 180D-FD65

Directory di C:\WINDOWS\SYSTEM32\BAK

30/08/2004 22.00 15.360 ctfmon.exe
1 File 15.360 byte
2 Directory 10.637.783.040 byte disponibili
Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: 180D-FD65

Directory di C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

11/05/2007 03.06 40.048 Reader_sl.exe
1 File 40.048 byte
2 Directory 10.637.783.040 byte disponibili


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

245760 16 Aug 2007 "C:\VEXPLITE\MONLITE.EXE"
245760 9 Aug 2007 "C:\VEXPLITE\bak\MONLITE.EXE"
15360 30 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 30 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
24080 16 Aug 2007 "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 11 May 2007 "C:\Programmi\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"


end of report
-----------------------

rifaccio il log di kaspersky? comunque quando elimino i file come descritto in precedenza mi dice che l'hd e' pulito.

[crazy.cat]

Dai questo script in pasto ad avenger e rimuovi il virus
http://www.MegaLab.it/2684/3

Files to move:
C:\VEXPLITE\bak\MONLITE.EXE | C:\VEXPLITE\MONLITE.EXE
C:\WINDOWS\system32\bak\ctfmon.exe | C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe | C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe

Fai una scansione con kaspersky ma di tutto il pc e non solo di un pezzo.

Ma usi solo virit come antivirus?
E' poco e non tanto affidabile.

[evergreen]

ecco il log di kaspersky che sembra esser pulito

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 107044
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 01:22:07

Infected Object Name Virus Name Last Action
C:\Documents and Settings\basta\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\basta\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\basta\Impostazioni locali\Cronologia\History.IE5\MSHist012007082020070821\index.dat Object is locked skipped

C:\Documents and Settings\basta\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\basta\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\basta\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\basta\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\basta\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{E3D4FB54-ADFA-40F6-BDDD-3194B179185D}\RP80\change.log Object is locked skipped

C:\VEXPLITE\basta\reg.dat Object is locked skipped

C:\VEXPLITE\reg_ecc.dat Object is locked skipped

C:\VEXPLITE\VIRITMON.LOG Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

[crazy.cat]

avevo dimenticato.
Cancella tutto in questa cartella
C:\DOCUME~1\basta\IMPOST~1\Temp\1187613074.dat.exe
e con hijackthis cancella questa riga.
O15 - Trusted Zone: *.whataboutarabit.com

[evergreen]

niente c'e' ancora.
ho seguito tutta la procedura, ma quando al riavvio vado a controllare nella cartella temp mi si forma il file: abc123.pid
e tra i processi che visualizzo con hijackthis c'e' sempre *trustedzone.
che faccio?

[crazy.cat]

Ma si riformano anche i file exe nella cartella temp?
Cambia antivirus, metti antivir pe al posto di virit.

[evergreen]

no al momento l'exe no, ma si crea comunque il TRUSTED ZONE, mettendo antivir risolvo il problema?

[crazy.cat]

Sicuramente antivir è molto meglio di virit, magari ti trova qualcosa che non si vede nei vari log.

Hai provato un scansione con qualche antispyware come a2 squared o superantispyware?