• Active User

    [Solved] help with trojan and malware and...

    helppp

    I'm attaching the HJT log

    I can't find where the problem is :arrabbiato:


  • Board Member

    Hi phpone,
    symptoms?? :mmm:

    Start HijackThis with "Do a System scan only"!

    select these:

    O4 - HKLM..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\dmvkewpt.dll",setvm

    O4 - HKLM..\Run: [PMHandler] C:\WINDOWS\SYSTEM32\PMHandler.exe    do you know this one??

    Click "Fix checked"! Once that's done, post a new log??


  • Active User

    PMHandler.exe shows up as a Windows Defender file

    now I'll take a look at this dmvkewpt.dll 😉

    edit --> fixed that dll, now the log is identical, only the entry for that dll is gone


  • Board Member

    phpone,
    what symptoms does the PC show?? :mmm:


  • Active User

    it was opening popups every 20 minutes
    now let's see how it goes tomorrow
    whether it still causes problems or whether that was the problem
    (I've deleted other files of that kind in the past few days.. with tools like VundoFix & others)

    thanks

    I'll let you know


  • Board Member

    Run a scan with A-Squared and SuperAntiSpyware, "updated"!!

    :ciauz:


  • Active User

    @Wolf Otakar said:

    Run a scan with A-Squared and SuperAntiSpyware, "updated"!!

    :ciauz:

    I did that a couple of days ago but with no results
    neither of the 2 even found anything
    the only results I got were with VundoFix


  • Active User

    help
    the popups are still going here
    do I need to see a doctor??? 😢

    here's the HJT log again, but now there doesn't seem to be anything unusual in it :arrabbiato:

    Logfile of HijackThis v1.99.1
    Scan saved at 8.40.55, on 21/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\AppServ\Apache2\bin\Apache.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Programmi\Lenovo\Bluetooth Software\bin\btwdins.exe
    C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\iPod Access for Windows\iPAHelper.exe
    C:\AppServ\MySQL\bin\mysqld-nt.exe
    C:\AppServ\Apache2\bin\Apache.exe
    C:\WINDOWS\system32\PMSveH.exe
    C:\Programmi\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    C:\Programmi\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    C:\Programmi\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\WINDOWS\system32\PMHandler.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Programmi\IBM ThinkVantage\Common\Logger\logmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\SPEEDB~1\VideoAccelerator.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\Programmi\Lenovo\HOTKEY\TPHKMGR.exe
    C:\Programmi\Lenovo\HOTKEY\TpWAudAp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
    C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
    C:\Programmi\IBM ThinkVantage\Client Security Solution\cssauthe.exe
    C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe
    C:\Programmi\Windows Defender\MSASCui.exe
    C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Programmi\QuickTime\qttask.exe
    C:\Programmi\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
    C:\Programmi\Windows Media Player\WMPNSCFG.exe
    C:\Programmi\iPod\bin\iPodService.exe
    C:\Programmi\Lenovo\Bluetooth Software\BTTray.exe
    C:\Programmi\IBM ThinkVantage\Client Security Solution\pwmgre.exe
    C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\Programmi\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lenovo.com/it/it
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
    O4 - HKLM..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM..\Run: [TPHOTKEY] C:\Programmi\Lenovo\HOTKEY\TPHKMGR.exe
    O4 - HKLM..\Run: [TPWAUDAP] C:\Programmi\Lenovo\HOTKEY\TpWAudAp.exe
    O4 - HKLM..\Run: [PMHandler] C:\WINDOWS\SYSTEM32\PMHandler.exe
    O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM..\Run: [suScheduler] C:\Programmi\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
    O4 - HKLM..\Run: [ISUSScheduler] "c:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
    O4 - HKLM..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
    O4 - HKLM..\Run: [cssauthe] "C:\Programmi\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent
    O4 - HKLM..\Run: [DiskeeperSystray] "C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM..\Run: [ACTray] C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
    O4 - HKLM..\Run: [ACWLIcon] C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
    O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM..\Run: [ISUSPM Startup] c:\progra~1\fileco~1\instal~1\update~1\isuspm.exe -startup
    O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
    O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
    O4 - HKCU..\Run: [WMPNSCFG] C:\Programmi\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
    O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/it/it
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172399396062
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
    O23 - Service: Apache2 - Unknown owner - C:\AppServ\Apache2\bin\Apache.exe" -k runservice (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\Lenovo\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPAHelper.exe - Unknown owner - C:\Programmi\iPod Access for Windows\iPAHelper.exe
    O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: mysql - Unknown owner - C:\AppServ\MySQL\bin\mysqld-nt.exe
    O23 - Service: PMSveH - Lenovo - C:\WINDOWS\system32\PMSveH.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: TVT Backup Service - Unknown owner - C:\Programmi\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    O23 - Service: TVT Scheduler - Unknown owner - C:\Programmi\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Programmi\ThinkVantage\SystemUpdate\UCLauncherService.exe
    O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


  • Super User

    No, I confirm it too, there's nothing unusual
    But do the popups open while you're browsing? or even with Firefox closed?


  • Active User

    IE popups open
    with FF occasionally a tab opens
    it's IE that launches on its own on sites like immigration support, YouTube clones, communities


  • Board Member

    @phpone said:

    IE popups open
    with FF occasionally a tab opens
    it's IE that launches on its own on sites like immigration support, YouTube clones, communities

    phpone,
    is the pop-up blocker in IE turned on?? Have you by any chance tried a scan with Spybot?


  • Active User

    yes, the popup blocker is on
    anyway those sites open even with IE closed 😞

    I've scanned with Ad-Aware, Spybot, A-Squared, AVG, CCleaner, RogueRemover, HJT, SuperAntiSpyware, Windows Defender and.... dunno, I can't remember any more

    I don't know what else to do


  • Board Member

    Hi phpone,
    attach here in the forum the list of processes active in Task Manager:

    Command Prompt ---> tasklist -v >processi-attivi.txt


  • Active User

    it says
    tasklist non e' riconosciuto come comando interno o esterno, un programma eseguibile o un file batch


  • Active User

    I'm redoing a scan with SuperAntiSpyware
    and it's finding something (I don't understand why it didn't find anything before :x)

    let's hope this fixes it


  • Board Member

    @phpone said:

    I'm redoing a scan with SuperAntiSpyware
    and it's finding something (I don't understand why it didn't find anything before :x)

    let's hope this fixes it

    Hi phpone,
    any news??

    p.s. which anti-virus do you use??

    :ciauz:


  • Active User

    seems all solved :?
    SuperAntiSpyware found a couple of dlls and some infected registry keys
    now everything's fine :)
    as antivirus I have AVG, BLESSED AVG, which blocked all the trojans those sites were pushing

    thanks for the help
    :ciauz:


  • Board Member

    @phpone said:

    seems all solved

    Good, phpone! 🙂

    :ciauz: