log per ricerca spyware

[pikagi]

questo è il logo di hjackt
Logfile of HijackThis v1.99.1
Scan saved at 10.10.24, on 23/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\ewido\security suite\ewidoctrl.exe
C:\Programmi\ewido\security suite\ewidoguard.exe
C:\Osra\Cosmo\prg\bin\win32\srvany.exe
C:\Osra\Cosmo\prg\bin\win32\srvprot.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\KMaestro\KMaestro.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\BITWARE\NT\bwprnmon.exe
C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\ATnotes\ATnotes.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Postazione-02\Impostazioni locali\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer :: Powered by WinTricks
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSims - {4D64DAE1-DF1E-45E8-9372-84CA698335FA} - C:\WINDOWS\system32\kaboom.dll
O2 - BHO: m1a1 - {521693AA-7453-47ED-9959-3BD47DAA1B1A} - C:\WINDOWS\system32\msx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Dredge - {EB870508-E2B7-4169-8120-760F69703776} - C:\WINDOWS\system32\kaboom.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BtcMaestro] C:\Programmi\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATnotes.exe] C:\Programmi\ATnotes\ATnotes.exe
O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: WT » apri link in background « - C:\PROGRA~1\WINTRI~1\wt_openback.htm
O8 - Extra context menu item: WT » apri nuova finestra IE - C:\PROGRA~1\WINTRI~1\wt_ie.htm
O8 - Extra context menu item: WT » cerca con Google - C:\PROGRA~1\WINTRI~1\wt_google.htm
O8 - Extra context menu item: WT » cerca News - C:\PROGRA~1\WINTRI~1\wt_news.htm
O8 - Extra context menu item: WT » cerca Software - C:\PROGRA~1\WINTRI~1\wt_software.htm
O8 - Extra context menu item: WT » cerca su WinTricks - C:\PROGRA~1\WINTRI~1\wt_cercawt.htm
O8 - Extra context menu item: WT » cerca sul dizionario Garzanti - C:\PROGRA~1\WINTRI~1\wt_garzanti.htm
O8 - Extra context menu item: WT » cerca sul Forum di WinTricks - C:\PROGRA~1\WINTRI~1\wt_cercaforum.htm
O8 - Extra context menu item: WT » traduci Inglese -> Italiano - C:\PROGRA~1\WINTRI~1\wt_lycos.htm
O8 - Extra context menu item: WT » traduci tutta la pagina - C:\PROGRA~1\WINTRI~1\wt_lycos_url.htm
O8 - Extra context menu item: WT » vai su WinTricks - C:\PROGRA~1\WINTRI~1\wt_home.htm
O8 - Extra context menu item: WT » vai sul Forum di WinTricks - C:\PROGRA~1\WINTRI~1\wt_forum.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: WinTricks - {F6FE5D00-8F11-11d2-804F-00105A133818} - http://www.wintricks.it/ (file missing)
O9 - Extra 'Tools' menuitem: WinTricks Home - {F6FE5D00-8F11-11d2-804F-00105A133818} - http://www.wintricks.it/ (file missing)
O9 - Extra button: Forum - {F6FE5D01-8F11-11d2-804F-00105A133818} - http://www.wintricks.it/forum/index.php?s= (file missing)
O9 - Extra 'Tools' menuitem: WinTricker's Forum - {F6FE5D01-8F11-11d2-804F-00105A133818} - http://www.wintricks.it/forum/index.php?s= (file missing)
O9 - Extra button: News - {F6FE6E01-8F11-11d2-804F-00105A133818} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141384925015
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.c...ll/Xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {ED5D2306-0FF4-11D2-B37C-0000C000D50D} (HighWay Imaging Control) - http://www.3di.it/code/iw/iwfull.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{261EEC46-CB8C-4FFB-9669-E349F0D40386}: NameServer = 151.99.125.2,151.99.125.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{261EEC46-CB8C-4FFB-9669-E349F0D40386}: NameServer = 151.99.125.2,151.99.125.3
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmi\ewido\security suite\ewidoguard.exe
O23 - Service: ProtezOSRA - Unknown owner - C:\Osra\Cosmo\prg\bin\win32\srvany.exe

mi aiutate a cancellare le voci sporche ed infette
Ciao e grazie

[crazy.cat]

Queste due dll sono da eliminare.
Dalla modalità provvisoria, oppure usa Delete doctor per cancellarle.

O2 - BHO: MSims - {4D64DAE1-DF1E-45E8-9372-84CA698335FA} - C:\WINDOWS\system32\kaboom.dll
O2 - BHO: m1a1 - {521693AA-7453-47ED-9959-3BD47DAA1B1A} - C:\WINDOWS\system32\msx.dll
O2 - BHO: Dredge - {EB870508-E2B7-4169-8120-760F69703776} - C:\WINDOWS\system32\kaboom.dll

[Giorgius]

Doctor Alex AntiSpyware

Download: http://www.doctor-alex.com/files/SetupDrAlex.exe

Sito Web: http://www.doctor-alex.com/default.htm

Ewido consigliato per test finale.

[pikagi]

era sparito per due o tre giorni... ma stasera è ricomparso con messaggio di ewido.... come fare per cancellare definitivamente questo trojan ?

[Lionsquid]

svuota tutte le cache, dei browser e anche quella JAVA

con gli strumenti di cui disponi si può eliminare tranquillamente,.... come ulteriore sicurezza puoi fare una scansione con Mcafee


ah.. dimenticavo.. rimuovi i codec video che hai scaricato ed installato, quel virus usa diffondersi attraverso un'exe che millanta l'installazione del codec AC3

[pikagi]

scusami come faccio a verificare quali sono i codec video che ho installato ... questo è il pc con il quale lavoro e non ricordo di averne installato di particolari inoltre in aggiunta ai sistemi tradizionali come svuoto le cache anche di Java ?
ciao e grazie

[Lionsquid]

cache java > pannello di controllo > java > teb "generale" , zona "File temp. Internet > ELIMINA FILE, poi vai in IMPOSTAZIONI e limita lo spazio per la cache a 50-64Mb


per i codec è un'ipotesi dato che quel virus è principalmente veicolato con un file per il codec video+AC3