Problemi Con Nuovi Virus?

mad.73 · October 11, 2007

ciao a tutti è da qualche giorno che ho degli strani problemi con il mio pc:

1 il cursore del mouse si muove da solo

2 segnali di errori di internet explore

3 desktop che si aggiorna bloccandomi programmi

ho effettuato scanzioni con diversi antivirus niente,con tool antirotik,niente

vi posto il rapporto hijackthis sperando che qualcuno gli dia un'occhiata e mi dica se è tutto ok..

Logfile of HijackThis v1.99.1

Scan saved at 13.05.56, on 11/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Programmi\a-squared Free\a2service.exe

C:\WINDOWS\System32\GEARSec.exe

C:\Programmi\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Programmi\D-Tools\daemon.exe

C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe

C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE

C:\Programmi\Creative\Shared Files\CAMTRAY.EXE

C:\Programmi\iTunes\iTunesHelper.exe

C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programmi\Messenger\msmsgs.exe

C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

C:\Programmi\iPod\bin\iPodService.exe

C:\Programmi\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

C:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Programmi\Internet Explorer\IEXPLORE.EXE

C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Programmi\ESET\nod32kui.exe

C:\Documents and Settings\mariella\Desktop\collegamenti\RootkitRevealer.exe

C:\DOCUME~1\mariella\IMPOST~1\Temp\FCMQGCJZ.exe

C:\DOCUME~1\mariella\IMPOST~1\Temp\Rar$EX00.219\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti

O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1040

O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [EPSON Stylus D78 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\WINDOWS\TEMP\E_S95.tmp" /EF "HKLM"

O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programmi\Creative\Shared Files\CAMTRAY.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-cf4bbf775e038b6c.spaces.live.co...ad/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe

O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: DK - Unknown owner - C:\DOCUME~1\mariella\IMPOST~1\Temp\DK.exe (file missing)

O23 - Service: FCMQGCJZ - ??????????????????????????????????? - C:\DOCUME~1\mariella\IMPOST~1\Temp\FCMQGCJZ.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe

O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Start BT in service - Unknown owner - C:\Programmi\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

spero di avere presto aiuto...grazie a tutti

Kuma · October 11, 2007

[ben]mad[/ben]

Ciao...

Dove l'hai fatta la scansione online???

Nel log è chiaramente presente un file infetto... (anzi più di uno)

Scarica i programmi indicati e poi segui le istruzioni...

### PSERV.CPL

http://p-nand-q.com/download/pserv_cpl/pserv-2.6.exe

### Gromozon removal tool

### Fix LinkOpt (by symantec)

### Ccleaner (pulizia generale) +

Vise Registry Cleaner (per pulire il registro)

Quando installi Ccleaner ricordati che se lasci le spunte di default ,verrà installata anche la toolbar yahoo (togli le spunte se non la vuoi)

### VIRIT (non crea conflitti)

http://www.tgsoft.it/italy/download.htm

STAMPA queste istruzioni (oppure salvale in un file sul desktop)

___________

1. avvia in modalità normale il Gromozon Removal Tool

Al termine Salva il log c:\gromozon_removal.log che poi me lo devi postare

Posta il log che si trova in FixLinkopt.log

2. Avvia PSERV.CPL

Clicca con il tasto destro sul nome del servizio e seleziona "Delete"

I servizi che devi eliminare sono:

DK e FCMQGCJZ

Avvia il sistema in Modalità Provvisoria

3. Avvia FIX LinkOPT (by symantec)

(al termine servirà il log--> FixLinkopt.log)

4. Riavvia in modalità normale ed installa VIRIT

avvialo, aspetta il termine del controllo della memoria, ed AGGIORNALO (importante)

poi fai la scansione completa del sistema (salva il log e postalo)

----------------

Se dopo la pulizia, (dopo il riavvio) il sistema ti sembra che funzioni correttamente, Disabilita il Ripristino di configurazione su tutte le unità;

(nota che questo ELIMINERà TUTTI i punti di ripristino, ed eventuali virus in esso contenuti..)

Quindi riabilitalo almeno sull'unità dove hai installato il sistema operativo (solitamente il disco C:\) e crea un nuovo punto di ripristino pulito

--

Posta i log di:

VIRIT

c:\gromozon_removal.log

FixLinkopt.log

ed un nuovo log aggiornato di Hijack (e specifica quello che non sei riuscito a fare)

(poi facciamo un'alro scan online)

mad.73 · October 13, 2007

prima di tutto ti volevo ringraziare per l'aiuto..sono riuscito a seguire tutte le tue direttive e ti posto i vari log:

gromozon_removal

Removal tool loaded into memory

Gromozon rootkit component not detected - searching for other components

Scanning: C:\WINDOWS

Scanning: C:\Programmi\File comuni

Trojan.Gromozon does not exist - your system is clean.

FixLinkopt

Symantec Trojan.Linkoptimizer Removal Tool 1.0.8

Trojan.Linkoptimizer has not been found on your computer.

VirIT eXplorer Lite Log

13/10/2007 - 13:05:50

[sCANSIONE DEL REGISTRO]

OK

[A:]

BOOT SECTOR: OK

[C:]

MASTER BOOT RECORD: OK

BOOT SECTOR: OK

[D:]

MASTER BOOT RECORD: OK

BOOT SECTOR: OK

[E:]

[F:]

BOOT SECTOR: OK

[G:]

[H:]

[i:]

[J:]

Chiavi Registro infette: 0.

Files Infetti: 0.

Files Sospetti: 0.

Files Analizzati: 55187.

Files Totali: 55187.

Chiavi Registro rimosse: 0.

Virus Rimossi: 0.

Logfile of HijackThis

Logfile of HijackThis v1.99.1

Scan saved at 13.27.26, on 13/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Programmi\Eset\nod32kui.exe

C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe

C:\Programmi\D-Tools\daemon.exe

C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe

C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Programmi\Creative\Shared Files\CAMTRAY.EXE

C:\Programmi\iTunes\iTunesHelper.exe

C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe

C:\VEXPLITE\MONLITE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Programmi\Messenger\msmsgs.exe

C:\Programmi\a-squared Free\a2service.exe

C:\WINDOWS\System32\GEARSec.exe

C:\Programmi\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\VEXPLITE\viritsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

C:\Programmi\iPod\bin\iPodService.exe

C:\Programmi\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

C:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Programmi\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\mariella\Desktop\collegamenti\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =