Hardware Upgrade Forum - View Single Post

Max The Carret · 08-09-2004, 15:10

allora, mi son beccato un trojan

, se non era per zone alarm che lo bloccava chissà se me ne accorgevo, avg lo ha trovato il giorno seguente dopo aver fatto l'aggiornamento. ma non lo toglie.
fatto scansioni in rete, individuato, non tolto.
fatto log con hijackthis, individuato

il fatto è che ho appena formattato e me ne sono accorto subito dopo, chissà dove si era intanato... impossibile averlo preso nei tre minuti in cui zone era disattivato mentre facevo l'up.
non mi costa nulla riformattare, ma se risiede ancora nei documenti? penso mi sia entrato attraverso un p2p, oppure con mirc. si chiama linux.exe, trojan/irc/backdoor.sdbot.47

mi aiutate a toglierlo? vi posto il log:
grazie per l'aiuto

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\soundman.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
D:\Service Disk\html2pop3117betawin32\html2pop3.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\iTunes\iTunes.exe
D:\Service Disk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xoomer.virgilio.it/pronius
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe
O4 - Startup: Collegamento a html2pop3.lnk = D:\Service Disk\html2pop3117betawin32\html2pop3.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{794D9CDA-DCD4-4A81-9BE4-D4F51C3A0A15}: NameServer = 80.18.114.155 151.99.125.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{794D9CDA-DCD4-4A81-9BE4-D4F51C3A0A15}: NameServer = 80.18.114.155 151.99.125.1

08-09-2004, 15:10	#19
Max The Carret Senior Member Iscritto dal: Mar 2002 Messaggi: 309	allora, mi son beccato un trojan , se non era per zone alarm che lo bloccava chissà se me ne accorgevo, avg lo ha trovato il giorno seguente dopo aver fatto l'aggiornamento. ma non lo toglie. fatto scansioni in rete, individuato, non tolto. fatto log con hijackthis, individuato il fatto è che ho appena formattato e me ne sono accorto subito dopo, chissà dove si era intanato... impossibile averlo preso nei tre minuti in cui zone era disattivato mentre facevo l'up. non mi costa nulla riformattare, ma se risiede ancora nei documenti? penso mi sia entrato attraverso un p2p, oppure con mirc. si chiama linux.exe, trojan/irc/backdoor.sdbot.47 mi aiutate a toglierlo? vi posto il log: grazie per l'aiuto C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\soundman.exe C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe C:\Programmi\iTunes\iTunesHelper.exe C:\Programmi\QuickTime\qttask.exe C:\WINDOWS\System32\ctfmon.exe C:\Programmi\MSN Messenger\MsnMsgr.Exe D:\Service Disk\html2pop3117betawin32\html2pop3.exe C:\Programmi\iPod\bin\iPodService.exe C:\Programmi\Outlook Express\msimn.exe C:\Programmi\Internet Explorer\IEXPLORE.EXE C:\Programmi\iTunes\iTunes.exe D:\Service Disk\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xoomer.virgilio.it/pronius R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar O4 - HKLM\..\Run: [SoundMan] soundman.exe O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [Microsoft Update Machine] Linux.exe O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\RunServices: [Microsoft Update Machine] Linux.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Microsoft Update Machine] Linux.exe O4 - Startup: Collegamento a html2pop3.lnk = D:\Service Disk\html2pop3117betawin32\html2pop3.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{794D9CDA-DCD4-4A81-9BE4-D4F51C3A0A15}: NameServer = 80.18.114.155 151.99.125.1 O17 - HKLM\System\CS1\Services\Tcpip\..\{794D9CDA-DCD4-4A81-9BE4-D4F51C3A0A15}: NameServer = 80.18.114.155 151.99.125.1 __________________ l'abito non fa il monaco, ma la scarpa si...