Aiutamici Forum

trojan
lavelle
Posted: Tuesday, January 24, 2006 7:42:16 AM
Rank: AiutAmico

Member since: 1/18/2003
Posts: 89
Hi, sorry for posting my request again, but on a friend's suggestion I also produced a log with the HijackThis program, which I paste below.
When I turn on the PC, Norton AntiVirus tells me that the computer has: backdoor.trojan, in windows/systems32/icqchk.exe.
I followed your instructions:
I started Safe Mode and ran a full scan with Norton and with Ad-Aware, but it reported nothing.
Then I rebooted and it reported the trojan again.
Then I went back to normal mode.
I downloaded HijackThis and the log follows:


Logfile of HijackThis v1.99.1
Scan saved at 7.33.33, on 24/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Smtray.exe
C:\Programmi\Compaq\Easy Access Button Support\StartEAK.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Programmi\QuickTime\qttask.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Programmi\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmi\D-Tools\daemon.exe
C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\turini massimo\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=0410&s=search&ap=b204
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bw.myway.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\ycomp5_3_18_0.dll
O2 - BHO: MSX - {037CE595-57CB-4EB5-9775-97BC112F3BB3} - C:\WINDOWS\system32\msx.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\Odigo\Bin\OdigoBHO.dll (file missing)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Site Update Watcher - {A853979C-2A9A-4ACB-8975-5740A7E26CB4} - C:\WINDOWS\system32\kaboom.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\ycomp5_3_18_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WCOLOREAL] C:\Programmi\COMPAQ\Coloreal\coloreal.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Programmi\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programmi\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\arvququn.exe
O4 - HKLM\..\Run: [Microsoft Windows Updater] svchostz.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Programmi\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [VVSN] C:\Programmi\VVSN\VVSN.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programmi\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [runapp] C:\WINDOWS\system32\icqchk.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] svchostz.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Microsoft Windows Updater] svchostz.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: E_SPSU01.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SPSU01.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Promemoria del Calendario di Microsoft Works.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {150E326A-2709-467F-B384-3261EEA6CB5B} (P_e_S Control) - http://services.abbeynet.it/webclient/cab/PS-1.1.0.4_light.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c7.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0264c81d7166d1dadf05/netzip/RdxIE601_it.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {FF536F77-656B-4863-96F7-B7C8DBF342E3} (WebPhone Control) - http://www.abbeyphone.com/activex/WebPhone-1.2.5.2_light.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8036D2C1-E84C-4B7C-90C4-09F5F1E0E77D}: NameServer = 85.37.17.41 85.38.28.83
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe


My operating system is Windows XP and I use ADSL.
Can you help me?
Thanks, Massimo

alfonso
Posted: Tuesday, January 24, 2006 9:23:27 AM

Rank: AiutAmico

Member since: 10/5/2000
Posts: 19,132
Hi,
carry out the following steps

Disable System Restore; read here how to do it
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=257&SH=N

Reboot into Safe Mode; read here how to do it
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=344&SH=N

open HijackThis and delete, as shown in this article
http://www.aiutamici.com/software/descrizione.asp?CodSw=1175
the lines that follow.

==================================
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=0410&s=search&ap=b204
-
O2 - BHO: MSX - {037CE595-57CB-4EB5-9775-97BC112F3BB3} - C:\WINDOWS\system32\msx.dll
-
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\Odigo\Bin\OdigoBHO.dll (file missing)
-
O2 - BHO: Site Update Watcher - {A853979C-2A9A-4ACB-8975-5740A7E26CB4} - C:\WINDOWS\system32\kaboom.dll
-
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\arvququn.exe
O4 - HKLM\..\Run: [Microsoft Windows Updater] svchostz.exe
-
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
-
O4 - HKLM\..\Run: [VVSN] C:\Programmi\VVSN\VVSN.exe
-
O4 - HKLM\..\Run: [runapp] C:\WINDOWS\system32\icqchk.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] svchostz.exe
-
O4 - HKCU\..\Run: [Microsoft Windows Updater] svchostz.exe
-
O16 - DPF: {150E326A-2709-467F-B384-3261EEA6CB5B} (P_e_S Control) - http://services.abbeynet.it/webclient/cab/PS-1.1.0.4_light.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c7.cab
-
O16 - DPF: {FF536F77-656B-4863-96F7-B7C8DBF342E3} (WebPhone Control) - http://www.abbeyphone.com/activex/WebPhone-1.2.5.2_light.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8036D2C1-E84C-4B7C-90C4-09F5F1E0E77D}: NameServer = 85.37.17.41 85.38.28.83
==================================

Using the Windows SEARCH function, find and delete these files,
==================================
msx.dll
OdigoBHO.dll
kaboom.dll
arvququn.exe
svchostz.exe
MediaAccK.exe
VVSN.exe
icqchk.exe
==================================


Go to CONTROL PANEL and click INTERNET OPTIONS
in the window that opens click the three buttons
DELETE COOKIES - DELETE FILES - CLEAR HISTORY

when done, use the AD-AWARE and SPYBOT programs described in this article
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=388&SH=N

Run a scan with this program
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=1286

still in Safe Mode, run an antivirus scan

then reboot the computer and check whether the problem is solved; if everything is OK, re-enable the System Restore you disabled at the start of this procedure and create a new restore point; read here under item 8
http://www.aiutamici.com/software/view.asp?tipo=home&CodSw=170&SH=N

Aiutamici Contributor
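An added example, not part of the thread and not code from HijackThis or Aiutamici: a small Python triage script that parses the O2 (BHO), O4 (Run/RunServices), O16 (DPF) and O17 (NameServer) line formats seen in the log above, flags the kinds of entries the reply singles out (Run values posing as "Windows Update", a `svchostz.exe` lookalike of a core binary, a RunServices autostart, a BHO with its file missing, DLLs and EXEs dropped into the system directory, ActiveX downloads from unfamiliar hosts, hard-coded DNS servers), and derives from the flagged entries the list of file names to search for on disk, which is what the second list in the reply does by hand. The heuristics, the allowlists and the severity levels are this example's assumptions, and the sample lines are a constructed subset copied from the log in this thread; nothing here is a HijackThis or Norton verdict.

```python
"""Triage a HijackThis 1.99 log: parse O2/O4/O16/O17 lines and flag entries to review.
Added example for this thread; heuristics and allowlists are assumptions, not HijackThis logic."""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of lines in the shape of the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\Odigo\Bin\OdigoBHO.dll (file missing)
O2 - BHO: Site Update Watcher - {A853979C-2A9A-4ACB-8975-5740A7E26CB4} - C:\WINDOWS\system32\kaboom.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\arvququn.exe
O4 - HKLM\..\Run: [Microsoft Windows Updater] svchostz.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] svchostz.exe
O4 - HKLM\..\Run: [runapp] C:\WINDOWS\system32\icqchk.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8036D2C1-E84C-4B7C-90C4-09F5F1E0E77D}: NameServer = 85.37.17.41 85.38.28.83
"""

# Core Windows binaries that malware mimics by appending characters (assumption: short list).
CORE_BINARIES = {"svchost", "winlogon", "lsass", "services", "explorer", "csrss", "smss", "spoolsv"}
# Run-value names that pose as Windows Update; the real updater never registers itself this way.
IMPERSONATING_NAMES = {"windows update", "microsoft windows updater", "windows updater"}
# Files that legitimately autostart from the system directory on XP (assumption: tiny allowlist).
SYSTEM_DIR_ALLOW = {"ctfmon.exe", "rundll32.exe"}
# Hosts from which downloaded ActiveX controls (O16) are expected (assumption: tune per site).
DPF_ALLOW_HOSTS = {"security.symantec.com", "messenger.msn.com", "us.dl1.yimg.com"}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
O2_RE = re.compile(r"BHO:\s*(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.*)$")
O4_RE = re.compile(r"(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O16_RE = re.compile(r"DPF:\s*(?P<clsid>\{[^}]+\})\s*(?:\((?P<name>[^)]*)\)\s*)?-\s*(?P<url>\S+)")
O17_RE = re.compile(r"NameServer\s*=\s*(?P<servers>.+)$")

def _target_path(cmd):
    """Executable path from a Run command line: quoted path, else text up to the first extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)] if cmd.find('"', 1) > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.(?:exe|dll|com|scr|pif|bat|cmd))", cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip()

def _in_system_dir(path):
    low = path.lower().replace("/", "\\")
    return "\\windows\\system32\\" in low or "\\windows\\system\\" in low

def _looks_like_core_binary(basename):
    stem = basename.lower().rsplit(".", 1)[0]
    return any(stem != core and stem.startswith(core) for core in CORE_BINARIES)

def parse_entry(line):
    """Split one log line into its fields; unknown sections keep only code and raw text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = {"code": code, "raw": line.strip(), "target": "", "flags": []}
    if code == "O2" and (m2 := O2_RE.match(body)):
        path = m2.group("path")
        entry.update(name=m2.group("name"), clsid=m2.group("clsid"), missing=path.endswith("(file missing)"))
        entry["target"] = path.replace("(file missing)", "").strip()
    elif code == "O4" and (m4 := O4_RE.match(body)):
        entry.update(hive=m4.group("hive"), key=m4.group("key"), name=m4.group("name"))
        entry["target"] = _target_path(m4.group("cmd"))
    elif code == "O16" and (m16 := O16_RE.match(body)):
        entry.update(clsid=m16.group("clsid"), name=m16.group("name") or "", url=m16.group("url"))
    elif code == "O17" and (m17 := O17_RE.search(body)):
        entry["servers"] = m17.group("servers").split()
    return entry

def assess(entry):
    """Attach (severity, reason) pairs; 'high' marks the patterns in the thread's cleanup list."""
    code, target, flags = entry["code"], entry["target"], entry["flags"]
    base = _basename(target)
    if code == "O2" and "clsid" in entry:
        if entry["missing"]:
            flags.append(("review", "orphaned BHO: registered DLL is missing"))
        if _in_system_dir(target):
            flags.append(("review", "third-party BHO DLL placed in the Windows system directory"))
    elif code == "O4" and "key" in entry:
        if entry["name"].strip().lower() in IMPERSONATING_NAMES:
            flags.append(("high", "autostart name impersonates Windows Update"))
        if entry["key"].lower() == "runservices":
            flags.append(("high", "RunServices key: Win9x-era autostart, unusual on XP"))
        if _looks_like_core_binary(base):
            flags.append(("high", f"lookalike of a core Windows binary: {base}"))
        if "\\" not in target:
            flags.append(("review", "bare filename, resolved through the search path"))
        if _in_system_dir(target) and base.lower() not in SYSTEM_DIR_ALLOW:
            flags.append(("review", "autostart from the Windows system directory"))
    elif code == "O16" and "url" in entry:
        host = urlsplit(entry["url"]).hostname or ""
        if host not in DPF_ALLOW_HOSTS:
            flags.append(("review", f"ActiveX download from unlisted host {host}"))
    elif code == "O17" and "servers" in entry:
        flags.append(("review", "explicit DNS servers set: confirm they belong to the ISP"))
    return entry

def severity(entry):
    levels = {s for s, _ in entry["flags"]}
    return "high" if "high" in levels else ("review" if levels else "clean")

def triage(log_text):
    """Parse and assess every entry line in a log."""
    return [assess(e) for e in map(parse_entry, log_text.splitlines()) if e]

def files_to_search(entries):
    """Basenames of flagged O2/O4 targets: the list to hunt for on disk, as in the reply."""
    return sorted({_basename(e["target"]) for e in entries
                   if e["code"] in ("O2", "O4") and e["target"] and severity(e) != "clean"})

if __name__ == "__main__":
    entries = triage(SAMPLE_LOG)
    for e in entries:
        if severity(e) != "clean":
            print(f"[{severity(e):6}] {e['raw']}")
            for _, why in e["flags"]:
                print(f"          - {why}")
    print("files to look for:", ", ".join(files_to_search(entries)))
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. "review" entries are not verdicts: a DLL in System32 or a hard-coded NameServer may well be legitimate (HP and Nero both drop autostart EXEs there in the full log above), which is why the script separates the clear-cut patterns (impersonating names, lookalike binaries, RunServices) from items a human should confirm before deleting anything.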
lavelle
Posted: Tuesday, January 24, 2006 1:36:23 PM
Rank: AiutAmico

Member since: 1/18/2003
Posts: 89
Thanks Alfonso, I'll try tonight.
But do I have to delete all the lines you wrote me, which I copied below between the two dashed lines?
Sorry for the question, but I wouldn't want to make a mess of something.
Bye, I'll let you know

==================================
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=3C01&lc=0410&s=search&ap=b204
-
O2 - BHO: MSX - {037CE595-57CB-4EB5-9775-97BC112F3BB3} - C:\WINDOWS\system32\msx.dll
-
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\Odigo\Bin\OdigoBHO.dll (file missing)
-
O2 - BHO: Site Update Watcher - {A853979C-2A9A-4ACB-8975-5740A7E26CB4} - C:\WINDOWS\system32\kaboom.dll
-
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\arvququn.exe
O4 - HKLM\..\Run: [Microsoft Windows Updater] svchostz.exe
-
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
-
O4 - HKLM\..\Run: [VVSN] C:\Programmi\VVSN\VVSN.exe
-
O4 - HKLM\..\Run: [runapp] C:\WINDOWS\system32\icqchk.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] svchostz.exe
-
O4 - HKCU\..\Run: [Microsoft Windows Updater] svchostz.exe
-
O16 - DPF: {150E326A-2709-467F-B384-3261EEA6CB5B} (P_e_S Control) - http://services.abbeynet.it/webclient/cab/PS-1.1.0.4_light.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c7.cab
-
O16 - DPF: {FF536F77-656B-4863-96F7-B7C8DBF342E3} (WebPhone Control) - http://www.abbeyphone.com/activex/WebPhone-1.2.5.2_light.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8036D2C1-E84C-4B7C-90C4-09F5F1E0E77D}: NameServer = 85.37.17.41 85.38.28.83
==================================

alfonso
Posted: Tuesday, January 24, 2006 7:09:10 PM

Rank: AiutAmico

Member since: 10/5/2000
Posts: 19,132
Don't worry, it all has to be deleted; the system is infected.

Aiutamici Contributor