Home News Guide Hardware Download Forum Glossario

Condividi:        

ms.exe - trojan.W32.agent.vp

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: m.paolo, kadosh, Luke57

Regole del forum
Rispondi al post

ms.exe - trojan.W32.agent.vp

Postdi chiaret » 06/10/06 16:20

Non riesco a liberarmi da questo worm.... potete aiutarmi?

Questo il log di Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 16.52.10, on 06/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\Programmi\Sophos\Remote Update\cachemgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Programmi\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Programmi\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
F:\Programmi\Stunnel\stunnel.exe
C:\WINNT\system32\internat.exe
F:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programmi\Sophos SWEEP for NT\ICMON.EXE
F:\Programmi\Sophos\Remote Update\imonitor.exe
C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\ms.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2ee25147-37d4-4640-832c-fccfac8b21d9} - C:\WINNT\system32\koaa.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe


il processo ms.exe è segnalato sospetto, facendo una scansione on-line ottengo:

Checked file ms.exe
Filesize: 13312 Bytes
MD5-Hashvalue: 8c21e7eab926ce40112c227021f8eef7
SHA1-Hashvalue: ac02b5b3f8e491af3bbf3ea01e9264918fabf265
=======================================

F-Prot Antivirus: No virus found.

Clam AV: No virus found.

VirusBlokAda: infected Trojan.Win32.Agent.vp



Se elimino il prcesso con HijackThis poi ricompare al riavvio del sistema!
Ho fatto girare stinger, cwshredder, SUPERAntiSpyware Free Edition, ma non mi eliminano il problema!

Qualche indicazione a riguardo?
grazie....
chiaret
Newbie
 
Post: 9
Iscritto il: 06/10/06 16:08
Località: Fe
Top
Sponsor
 

Postdi Luke57 » 06/10/06 17:20

Ciao, il log è incompleto.
Fai girare questo tool della symantec:
http://smallbiz.symantec.com/security_r ... 16-4153-99
L´esito viene salvato nel file FixLinkopt.log

Incolla il report in un post.
Luke57
Moderatore
 
Post: 6413
Iscritto il: 11/08/05 19:10
Top

Postdi chiaret » 07/10/06 11:10

ciao, grazie per la risposta.

ecco il log di Symantec Trojan.Linkoptimizer Removal Tool:

Symantec Trojan.Linkoptimizer Removal Tool 1.0.2
SeTakeOwnershipPrivilege acquired
SeDebugPrivilege acquired

C:\Documents and Settings\Administrator\Desktop\hijackthis\backups\backup-20061006-124050-103.dll: (deleted)
C:\Documents and Settings\Administrator\Desktop\hijackthis\backups\backup-20061006-130855-693-ms.exe: (deleted)
C:\Documents and Settings\Administrator\Desktop\hijackthis\backups\backup-20061006-135034-863-ms.exe: (deleted)
C:\Documents and Settings\Administrator\Desktop\hijackthis\backups\backup-20061006-153529-422.dll: (deleted)
C:\Documents and Settings\Administrator\Desktop\hijackthis\backups\backup-20061006-172432-428.dll: (deleted)
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\1.tmp: (deleted)
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\11.tmp: (deleted)
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\2.tmp: (deleted)
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\3.tmp: (deleted)
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\30.tmp: (deleted)
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\4.tmp: (deleted)
C:\WINNT\system32\koaa.dll: (deleted)

C:\Documents and Settings\Administrator\Impostazioni locali\Temp\5.tmp: (will be deleted on next reboot)
C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\ms.exe: (will be deleted on next reboot)
The Trojan.Linkoptimizer removal was successful.
The system will delete 2 Trojan.Linkoptimizer files from your PC on next reboot.

Here is the report:

2 file(s) could not be deleted.
They will be deleted on next reboot.

The total number of the scanned files: 80069
The number of deleted threat files: 12
The number of threat processes terminated: 0
The number of registry entries fixed: 0

The system requires a reboot but was not rebooted.
To clean up all remnants of the threat from the system it must be rebooted.


ora riavvio il sistema e ripeto l'operazione per verificare se ho risolto....poi vi dico....
chiaret
Newbie
 
Post: 9
Iscritto il: 06/10/06 16:08
Località: Fe
Top

Postdi chiaret » 07/10/06 11:41

rieccomi, il problema sembra risolto, questo il log di Hijackthis dopo il trattamento di FixLinkopt.exe

Logfile of HijackThis v1.99.1
Scan saved at 12.35.01, on 07/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\Programmi\Sophos\Remote Update\cachemgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Programmi\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Programmi\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
F:\Programmi\Stunnel\stunnel.exe
C:\WINNT\system32\internat.exe
F:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programmi\Sophos SWEEP for NT\ICMON.EXE
F:\Programmi\Sophos\Remote Update\imonitor.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [PPMemCheck] F:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] F:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] F:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [stunnel] F:\Programmi\Stunnel\stunnel.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Programmi\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Remote Update Monitor.lnk = F:\Programmi\Sophos\Remote Update\imonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedC ... vSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/ ... scan53.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedC ... /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97593B54-76BC-49DD-97F8-2512ACE773EE}: NameServer = 10.16.1.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{97593B54-76BC-49DD-97F8-2512ACE773EE}: NameServer = 10.16.1.0
O17 - HKLM\System\CS2\Services\Tcpip\..\{97593B54-76BC-49DD-97F8-2512ACE773EE}: NameServer = 10.16.1.0
O20 - Winlogon Notify: SASWinLogon - F:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Sophos Cache Manager (CacheMgr) - SOPHOS Plc - F:\Programmi\Sophos\Remote Update\cachemgr.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Programmi\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Programmi\Sophos SWEEP for NT\SWEEPSRV.SYS


ed il FixLinkopt.log non segnala altre schifezze!

grazie mille, scusate se ho inserito un nuovo argomento nel forum, avevo letto "LEGGI PRIMA DI CHIEDERE AIUTO SU VIRUS, SPYWARE, ecc" ma evidentemente non con sufficiente attenzione.
GRazie ancora per il prezioso aiuto!
chiaret
Newbie
 
Post: 9
Iscritto il: 06/10/06 16:08
Località: Fe
Top

Postdi Luke57 » 07/10/06 12:03

Ciao, disistalla la java sun vecchia e installa l'ultima da qui:
http://download.winhelpline.info/file/4 ... i586-p.exe
Luke57
Moderatore
 
Post: 6413
Iscritto il: 11/08/05 19:10
Top

Postdi chiaret » 09/10/06 09:36

rieccomi...un po' in ritardo...!
Ho installato la versione aggiornata di java sun,
grazie infinite per l'aiuto.

ciao
chiaret
Newbie
 
Post: 9
Iscritto il: 06/10/06 16:08
Località: Fe
Top
Rispondi al post

Torna a Sicurezza e Privacy


Topic correlati a "ms.exe - trojan.W32.agent.vp":

Pc infetto da trojan sicuranza
Autore: dayfreeman 		Forum: Sistemi Operativi Windows
Risposte: 26
trojan win32/sirefef
Autore: marzianu 		Forum: Sicurezza e Privacy
Risposte: 27
Trojan individuato ma con problemi di rimozione.
Autore: eddiguff 		Forum: Sicurezza e Privacy
Risposte: 8
Come eliminare un trojan da "services.exe"?
Autore: Clarock100 		Forum: Sicurezza e Privacy
Risposte: 2
Trojan in WinLogon.exe
Autore: karpo 		Forum: Sistemi Operativi Windows
Risposte: 0

Chi c’è in linea

Visitano il forum: Nessuno e 60 ospiti