|
Junior Member
Iscritto dal: Mar 2009
Messaggi: 11
|
Vundo / Virtumonde / Virtumondo / MS Juan
Ciao a tutti, spero di postare nel modo giusto...
Innanzitutto grazie per le guide, perchè dopo tre giorni a cancellare schifezze e illudermi con poca convinzione di aver finito, mi hanno fornito una pista.
Lunga e tediosa descrizione dei problemi/sintomi:
Circa una settimana fa ho installato il firewall Sunbelt. Ci ho preso un po' di confidenza e ho visto che più o meno tutto funzionava.
Mi si aggiorna firefox (anche se ricordavo si fosse aggiornato da poco) e inizialmente avevo attribuito a questo il problema n.ro 1
Quote:
1.Qualche giorno fa, durante la navigazione, sotto firewall, firefox si piantava ad un certo punto del caricamento di pagine che richiedono l'uso di componenti aggiuntivi, come ad esempio repubblica: da process explorer vedevo la cpu al 100% (quasi tutto firefox) e l'uso della ram che aumentava. Firefox non rispondeva, chiudevo la finestra e non bastava, così lo killavo da process explorer. Per navigare in quelle pagine dovevo disattivare il firewall (nonostante java e quant'altro mi fosse servito nelle navigazioni precedenti, avesse i permessi di regola). L'uso della cpu restava alto, ma a questo punto non più per firefox, bensì per il firewall nonostante fosse disattivato.
Ho disinstallato java e reinstallato con cura, dato che me ne risultavano 2 versioni installate (colpa mia, stress post reinstallazione), ma ancora il problema persisteva (e poi fino a pochi giorni prima era andato tutto liscio nonostante le due versioni presenti).
|
Quote:
2.Mi è anche capitato che mi bloccasse l'accesso alla rete:
nonostante l'icona di connessione segnasse il pc connesso, non andavano nè msn, nè firefox, nè azureus. Ho pensato si trattasse di qualche impostazione sbagliata del firewall, perchè riavviando, disattivando il FW andavano normalmente msn, firefox etc.
|
Quote:
3.In uno dei successivi riavvii, nel frattempo che pensavo a quale potesse essere il problema, hanno cominciato a comparire popup pubblicitari e continui avvisi di intrusione (da lsass e da un altro che non ricordo), bloccati dal firewall. Il loro numero aumentava e il mio Nod stava zitto zitto (quindi mi sa che finiti i 30 giorni lo faccio sparire). Installo Adaware e trovo quello che credo sia il colpevole: virtumonde.
Adaware lo cancella, sembra debellato, ma, dato che persistono il problema 1 e il problema 3, non mi convinco troppo: faccio una scansione con l'antivirus e trovo 2 files dovuti a "una variante di win32/kriptik.FI trojan horse".
Elimino e con Hijackthis analizzo online; accanto a una voce era consigliata questa pagina.
4.Faccio tutto, il problema 3 delle intrusioni bloccate è risolto, ma il problema 1 c'è ancora. In più firewall e antivirus segnalano dei programmi che cercano di eseguire files con nomi generati come a caso (ad esempio azureus). Mi scollego da internet, faccio una scansione con l'antivirus (non da modalità provvisoria, dato che si bloccava) e trovo 3 files dovuti ad "adware.SuperJuan"
|
Log di Malwarebytes
Quote:
Malwarebytes' Anti-Malware 1.34
Versione del database: 1825
Windows 5.1.2600 Service Pack 3
08/03/2009 22.42.03
mbam-log-2009-03-08 (22-42-03).txt
Tipo di scansione: Scansione rapida
Elementi scansionati: 61897
Tempo trascorso: 2 minute(s), 14 second(s)
Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 1
Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)
Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)
Chiavi di registro infette:
(Nessun elemento malevolo rilevato)
Valori di registro infetti:
(Nessun elemento malevolo rilevato)
Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)
Cartelle infette:
(Nessun elemento malevolo rilevato)
File infetti:
C:\Documents and Settings\Ross\Desktop\setupxv(2).exe (Rogue.Installer) -> Quarantined and deleted successfully.
|
L'avevo appena scaricato, nonostante puzzasse
La pagina è questa http://www.antispyware.com/glossary_details.php?ID=133826 e l'antivirus mi ha segnalato un eseguiile all'indirizzo setup.antispyware.com, ma nel dubbio che fosse un falso positivo l'ho preso. Poi è stato riconosciuto infetto dall'antivirus e già che c'ero, per curiosità l'ho lasciato per la scansione di malwarebytes.
Log di Combofix:
Quote:
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
FW: Sunbelt Personal Firewall *disabled*
* Creato nuovo punto di ripristino
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\dxabvtep.ini
c:\windows\system32\msssc.dll
c:\windows\system32\qaavcklm.ini
c:\windows\system32\xpkuugwf.ini
.
((((((((((((((((((((((((( Files Creati Da 2009-02-08 al 2009-03-08 )))))))))))))))))))))))))))))))))))
.
2009-03-07 19:06 . 2009-03-07 19:06 <DIR> d-------- c:\windows\Sun
2009-03-07 17:00 . 2009-03-07 17:00 <DIR> d-------- c:\programmi\Java
2009-03-07 17:00 . 2009-03-07 17:00 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-07 15:23 . 2009-03-07 15:23 <DIR> d-------- C:\VundoFix Backups
2009-03-07 15:09 . 2009-03-07 15:09 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2009-03-07 15:09 . 2009-03-07 15:09 <DIR> d-------- c:\documents and settings\Me\Dati applicazioni\Malwarebytes
2009-03-07 15:09 . 2009-03-07 15:09 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-03-07 15:09 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 15:09 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-07 12:32 . 2009-02-23 21:14 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di stampa
2009-03-07 12:32 . 2009-02-23 21:14 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di rete
2009-03-07 12:32 . 2009-02-23 21:14 <DIR> d-------- c:\documents and settings\Administrator\Preferiti
2009-03-07 12:32 . 2009-02-23 20:19 <DIR> d--h----- c:\documents and settings\Administrator\Modelli
2009-03-07 12:32 . 2009-02-23 21:14 <DIR> dr------- c:\documents and settings\Administrator\Menu Avvio
2009-03-07 12:32 . 2009-03-08 22:50 <DIR> d--h----- c:\documents and settings\Administrator\Impostazioni locali
2009-03-07 12:32 . 2009-02-23 21:14 <DIR> d-------- c:\documents and settings\Administrator\Documenti
2009-03-07 12:32 . 2009-03-07 14:22 <DIR> dr-h----- c:\documents and settings\Administrator\Dati applicazioni
2009-03-07 12:32 . 2009-03-07 12:32 <DIR> d-------- c:\documents and settings\Administrator
2009-03-06 20:52 . 2009-03-06 20:45 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-06 20:45 . 2009-03-06 20:45 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-06 20:45 . 2009-03-06 20:45 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-06 18:24 . 2009-03-06 18:24 <DIR> d--h-c--- c:\documents and settings\All Users\Dati applicazioni\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-06 18:23 . 2009-03-06 18:23 <DIR> d-------- c:\programmi\Lavasoft
2009-03-06 18:23 . 2009-03-06 20:45 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Lavasoft
2009-03-05 16:40 . 2009-03-05 16:40 <DIR> d-------- c:\documents and settings\Me\Dati applicazioni\OpenOffice.org
2009-03-05 16:17 . 2009-03-05 16:17 <DIR> d-------- c:\programmi\JRE
2009-03-05 16:16 . 2009-03-05 16:17 <DIR> d-------- c:\programmi\OpenOffice.org 3
2009-03-05 13:04 . 2009-03-05 13:04 45,984 --a------ c:\windows\system32\cardvr.exe
2009-03-05 13:04 . 2009-03-05 13:04 186 --a------ c:\windows\system32\c.bat
2009-03-05 12:45 . 2009-03-05 12:45 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\FLEXnet
2009-03-05 12:42 . 2009-03-05 12:42 <DIR> d-------- c:\programmi\File comuni\Macrovision Shared
2009-03-05 12:41 . 2008-04-07 05:38 45,392 -ra------ c:\windows\system32\AdobePDF.dll
2009-03-05 12:41 . 2008-04-07 05:38 22,872 -ra------ c:\windows\system32\AdobePDFUI.dll
2009-03-05 12:34 . 2009-03-05 12:42 <DIR> d-------- c:\programmi\File comuni\Adobe
2009-03-05 12:31 . 2009-02-22 17:02 1,679,360 --a------ c:\windows\system32\javac.exe
2009-03-03 18:02 . 2009-03-03 18:02 <DIR> dr------- c:\documents and settings\LocalService\Preferiti
2009-03-03 10:44 . 2009-03-08 17:23 <DIR> d-------- c:\documents and settings\Me\Dati applicazioni\skypePM
2009-03-03 10:44 . 2009-03-03 10:44 <DIR> d-------- c:\documents and settings\Me\Dati applicazioni\Locktime
2009-03-03 10:44 . 2009-03-03 10:44 56 --ah----- c:\windows\system32\ezsidmv.dat
2009-03-02 22:30 . 2009-03-08 19:59 <DIR> d-------- c:\documents and settings\Me\Dati applicazioni\Skype
2009-03-02 22:29 . 2009-03-02 22:29 <DIR> dr------- c:\programmi\Skype
2009-03-02 22:29 . 2009-03-02 22:29 <DIR> d-------- c:\programmi\File comuni\Skype
2009-03-02 22:29 . 2009-03-02 22:29 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Skype
2009-03-02 21:51 . 2009-03-02 21:54 <DIR> d-------- c:\programmi\RegCleaner
2009-03-02 21:48 . 2009-03-02 21:48 <DIR> d-------- c:\programmi\NetLimiter 2 Pro
2009-03-02 21:48 . 2009-03-02 21:48 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Locktime
2009-02-26 13:37 . 2009-03-07 11:52 <DIR> d-------- c:\documents and settings\Me\Dati applicazioni\.purple
2009-02-26 13:36 . 2009-02-26 13:36 <DIR> d-------- c:\programmi\Pidgin
2009-02-26 13:36 . 2009-02-26 13:36 <DIR> d-------- c:\programmi\File comuni\GTK
2009-02-25 21:12 . 2009-02-25 21:12 <DIR> d-------- c:\programmi\PicLensIE
2009-02-25 21:11 . 2008-05-09 11:53 512,000 --a------ c:\windows\system32\dllcache\jscript.dll
2009-02-25 21:11 . 2008-05-09 11:53 430,080 --a------ c:\windows\system32\dllcache\vbscript.dll
2009-02-25 21:11 . 2008-05-09 11:53 180,224 --a------ c:\windows\system32\dllcache\scrobj.dll
2009-02-25 21:11 . 2008-05-09 11:53 172,032 --a------ c:\windows\system32\dllcache\scrrun.dll
2009-02-25 21:11 . 2008-05-08 12:24 155,648 --a------ c:\windows\system32\dllcache\wscript.exe
2009-02-25 21:11 . 2008-05-09 09:45 135,168 --a------ c:\windows\system32\dllcache\cscript.exe
2009-02-25 21:11 . 2008-05-09 11:53 90,112 --a------ c:\windows\system32\dllcache\wshext.dll
2009-02-25 19:44 . 2009-02-25 19:44 <DIR> d-------- c:\windows\system32\xircom
2009-02-25 19:44 . 2009-02-25 19:44 <DIR> d-------- c:\programmi\microsoft frontpage
2009-02-25 19:44 . 2004-08-19 14:39 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-25 19:17 . 2009-02-25 19:17 <DIR> d-------- c:\windows\system32\bits
2009-02-25 19:17 . 2009-02-25 19:17 <DIR> d-------- c:\windows\l2schemas
2009-02-25 19:14 . 2009-02-25 19:14 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-25 18:54 . 2009-02-25 18:55 <DIR> d-------- c:\programmi\Disk Cleaner
2009-02-25 11:10 . 2009-02-25 11:10 <DIR> d-------- c:\programmi\Sunbelt Software
2009-02-25 11:10 . 2008-10-31 07:09 270,888 -ra------ c:\windows\system32\drivers\SbFw.sys
2009-02-25 11:10 . 2008-06-21 04:54 65,576 --a------ c:\windows\system32\drivers\SbFwIm.sys
2009-02-25 00:22 . 2009-03-08 19:59 <DIR> d-------- c:\documents and settings\Me\Dati applicazioni\Azureus
2009-02-25 00:22 . 2009-02-25 00:22 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Azureus
2009-02-25 00:21 . 2009-02-27 17:23 <DIR> d-------- c:\programmi\Vuze
2009-02-25 00:18 . 2009-03-07 17:00 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-24 23:16 . 2008-06-17 20:01 8,490,496 --a------ c:\windows\system32\dllcache\shell32.dll
2009-02-24 23:03 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-24 23:03 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-02-24 22:55 . 2009-02-24 22:55 <DIR> d-------- c:\programmi\MSXML 6.0
2009-02-24 22:54 . 2009-02-24 22:54 <DIR> d-------- c:\programmi\MSXML 4.0
2009-02-24 20:34 . 2009-02-25 21:14 <DIR> d--h----- c:\windows\$hf_mig$
2009-02-24 20:34 . 2007-08-10 08:20 26,488 --a------ c:\windows\system32\spupdsvc.exe
2009-02-24 20:25 . 2008-04-14 03:13 4,274,816 --a------ c:\windows\system32\nv4_disp.dll
2009-02-24 20:24 . 2004-08-03 22:41 1,041,536 --------- c:\windows\system32\drivers\hsfdpsp2.sys
2009-02-24 20:23 . 2008-04-13 19:36 44,928 --------- c:\windows\system32\drivers\agpcpq.sys
2009-02-24 20:23 . 2008-04-13 19:36 42,368 --------- c:\windows\system32\drivers\agp440.sys
2009-02-24 20:23 . 2008-04-14 03:13 4,255 --------- c:\windows\system32\drivers\adv01nt5.dll
2009-02-24 20:23 . 2008-04-14 03:13 3,967 --------- c:\windows\system32\drivers\adv02nt5.dll
2009-02-24 20:23 . 2008-04-14 03:13 3,775 --------- c:\windows\system32\drivers\adv11nt5.dll
2009-02-24 20:23 . 2008-04-14 03:13 3,711 --------- c:\windows\system32\drivers\adv09nt5.dll
2009-02-24 20:23 . 2008-04-14 03:13 3,647 --------- c:\windows\system32\drivers\adv07nt5.dll
2009-02-24 20:23 . 2008-04-14 03:13 3,615 --------- c:\windows\system32\drivers\adv05nt5.dll
2009-02-24 20:23 . 2008-04-14 03:13 3,135 --------- c:\windows\system32\drivers\adv08nt5.dll
2009-02-24 19:39 . 2008-05-07 06:10 1,293,312 --a------ c:\windows\system32\dllcache\quartz.dll
2009-02-24 19:39 . 2008-07-07 21:27 253,952 --a------ c:\windows\system32\dllcache\es.dll
2009-02-24 19:39 . 2008-06-24 17:42 74,240 --a------ c:\windows\system32\dllcache\mscms.dll
2009-02-24 19:38 . 2008-05-27 18:23 765,952 --a------ c:\windows\system32\dllcache\vgx.dll
2009-02-24 19:38 . 2008-06-20 12:51 361,600 --a------ c:\windows\system32\dllcache\tcpip.sys
2009-02-24 19:38 . 2008-10-23 13:36 286,720 --a------ c:\windows\system32\dllcache\gdi32.dll
2009-02-24 19:38 . 2008-06-14 18:32 272,768 --------- c:\windows\system32\drivers\bthport.sys
2009-02-24 19:38 . 2008-06-14 18:32 272,768 --a------ c:\windows\system32\dllcache\bthport.sys
2009-02-24 19:38 . 2008-06-20 18:46 247,296 --a------ c:\windows\system32\dllcache\mswsock.dll
2009-02-24 19:38 . 2008-06-20 12:08 225,856 --a------ c:\windows\system32\dllcache\tcpip6.sys
2009-02-24 19:38 . 2008-06-20 18:46 147,968 --a------ c:\windows\system32\dllcache\dnsapi.dll
2009-02-24 19:38 . 2008-08-14 11:04 138,496 --a------ c:\windows\system32\dllcache\afd.sys
2009-02-24 19:34 . 2008-09-15 16:24 1,846,400 --a------ c:\windows\system32\dllcache\win32k.sys
2009-02-24 19:33 . 2008-08-14 14:22 2,192,896 --a------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-24 19:33 . 2008-08-14 14:22 2,148,864 --a------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-24 19:33 . 2008-08-14 14:22 2,069,760 --a------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-24 19:33 . 2008-08-14 14:22 2,027,520 --a------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-24 19:29 . 2008-10-24 12:21 455,296 --a------ c:\windows\system32\dllcache\mrxsmb.sys
2009-02-24 19:29 . 2008-12-11 11:57 333,952 --a------ c:\windows\system32\dllcache\srv.sys
2009-02-24 19:29 . 2008-05-08 15:02 203,136 --a------ c:\windows\system32\dllcache\rmcast.sys
2009-02-24 19:28 . 2008-04-11 20:04 691,712 --a------ c:\windows\system32\dllcache\inetcomm.dll
2009-02-24 19:28 . 2008-05-01 15:34 331,776 --a------ c:\windows\system32\dllcache\msadce.dll
2009-02-24 19:26 . 2008-12-20 23:30 6,066,688 --a------ c:\windows\system32\dllcache\ieframe.dll
2009-02-24 19:26 . 2007-04-17 10:32 2,455,488 --a------ c:\windows\system32\dllcache\ieapfltr.dat
2009-02-24 19:26 . 2008-12-20 23:30 1,831,424 --a------ c:\windows\system32\dllcache\inetcpl.cpl
2009-02-24 19:26 . 2008-12-20 23:31 1,160,192 --a------ c:\windows\system32\dllcache\urlmon.dll
2009-02-24 19:26 . 2008-12-20 23:30 383,488 --a------ c:\windows\system32\dllcache\ieapfltr.dll
2009-02-24 19:26 . 2008-12-20 23:31 233,472 --a------ c:\windows\system32\dllcache\webcheck.dll
2009-02-24 19:26 . 2008-12-20 23:30 133,120 --a------ c:\windows\system32\dllcache\extmgr.dll
2009-02-24 19:26 . 2008-12-20 23:30 124,928 --a------ c:\windows\system32\dllcache\advpack.dll
2009-02-24 19:26 . 2008-12-20 23:31 105,984 --a------ c:\windows\system32\dllcache\url.dll
2009-02-24 19:26 . 2008-12-19 10:12 70,656 --a------ c:\windows\system32\dllcache\ie4uinit.exe
2009-02-24 19:26 . 2008-12-20 23:30 63,488 --a------ c:\windows\system32\dllcache\icardie.dll
2009-02-24 19:24 . 2008-10-15 17:36 337,408 --a------ c:\windows\system32\dllcache\netapi32.dll
2009-02-24 19:24 . 2008-10-03 11:02 247,326 --a------ c:\windows\system32\dllcache\strmdll.dll
2009-02-24 19:23 . 2008-09-04 18:15 1,106,944 --a------ c:\windows\system32\dllcache\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 16:03 --------- d-----w c:\programmi\BS.Player ControlBar
2009-02-23 20:54 --------- d-----w c:\documents and settings\Me\Dati applicazioni\BSplayer
2009-02-23 20:48 32 ----a-w c:\windows\system32\drivers\adidsl.cfg
2009-02-23 20:47 --------- d--h--w c:\programmi\InstallShield Installation Information
2009-02-23 20:47 --------- d-----w c:\programmi\SAGEM
2009-02-23 20:47 --------- d-----w c:\documents and settings\Me\Dati applicazioni\InstallShield
2009-02-23 20:45 --------- d-----w c:\programmi\Webteh
2009-02-23 20:45 --------- d-----w c:\documents and settings\Me\Dati applicazioni\BSplayer Pro
2009-02-23 20:44 --------- d-----w c:\programmi\Easy Duplicate Finder
2009-02-23 20:36 --------- d-----w c:\programmi\ESET
2009-02-23 20:36 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\ESET
2009-02-23 19:29 --------- d-----w c:\programmi\Analog Devices
2009-02-23 19:28 --------- d-----w c:\programmi\File comuni\InstallShield
2009-02-23 19:22 --------- d-----w c:\programmi\Servizi in linea
2009-02-23 19:19 --------- d-----w c:\programmi\Windows Media Connect 2
2009-02-06 17:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2009-01-16 20:15 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-20 22:31 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-20 22:31 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll
2008-12-20 22:31 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll
2008-12-20 22:31 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll
2008-12-20 22:31 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll
2008-12-20 22:31 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll
2008-12-20 22:31 102,912 ----a-w c:\windows\system32\dllcache\occache.dll
2008-12-20 22:30 52,224 ----a-w c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-20 22:30 459,264 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2008-12-20 22:30 44,544 ----a-w c:\windows\system32\dllcache\iernonce.dll
2008-12-20 22:30 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2008-12-20 22:30 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll
2008-12-20 22:30 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2008-12-20 22:30 267,776 ----a-w c:\windows\system32\dllcache\iertutil.dll
2008-12-20 22:30 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2008-12-20 22:30 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll
2008-12-20 22:30 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2008-12-19 09:10 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-08 1451264]
"Ad-Watch"="c:\programmi\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-06 515416]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-03-07 148888]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 172032]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-12-20 c:\windows\system32\advpack.dll]
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
DSLMON.lnk - c:\programmi\SAGEM\SAGEM F@st 800-840\dslmon.exe [2009-02-23 1205840]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^Me^Menu Avvio^Programmi^Componenti^Esecuzione automatica^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Me\Menu Avvio\Programmi\Componenti\Esecuzione automatica\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-06-11 22:43 640376 c:\programmi\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
--a------ 2008-06-12 02:25 37232 c:\programmi\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Free Download Manager\\fdm.exe"=
"c:\\Programmi\\Vuze\\Azureus.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-06 64160]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-08 34312]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-04-23 82200]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2009-02-25 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-06-21 66600]
R2 ekrn;Eset Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-08 468224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programmi\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
R2 SbPF.Launcher;SbPF.Launcher;c:\programmi\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-10-31 95528]
R2 SPF4;Sunbelt Personal Firewall 4;c:\programmi\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-10-31 1365288]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2009-02-25 65576]
S2 ELOADER;General Purpose USB Driver (adildr.sys);c:\windows\system32\drivers\adildr.sys [2009-02-23 56088]
--- Altri Servizi/Drivers In Memoria ---
*Deregistered* - PROCEXP113
.
Contenuto della cartella 'Scheduled Tasks'
2009-03-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programmi\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-06 20:44]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -
Notify-WgaLogon - (no file)
MSConfigStartUp-cc968a90 - c:\windows\system32\amdqfocj.dll
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: Append Link Target to Existing PDF - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Scarica con Free Download Manager - file://c:\programmi\Free Download Manager\dllink.htm
IE: Scarica i video con Free Download Manager - file://c:\programmi\Free Download Manager\dlfvideo.htm
IE: Scarica selezionati con Free Download Manager - file://c:\programmi\Free Download Manager\dlselected.htm
IE: Scarica tutto con Free Download Manager - file://c:\programmi\Free Download Manager\dlall.htm
FF - ProfilePath - c:\documents and settings\Me\Dati applicazioni\Mozilla\Firefox\Profiles\boo1icor.default\
FF - prefs.js: browser.startup.homepage - www.google.it
FF - component: c:\programmi\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 22:50:46
Windows 5.1.2600 Service Pack 3 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2009-03-08 22.53.40
ComboFix-quarantined-files.txt 2009-03-08 21:53:35
Pre-Run: 6.366.945.280 byte disponibili
Post-Run: 6,350,827,520 byte disponibili
272 --- E O F --- 2009-02-25 20:14:09
|
Log di Hijackthis
Quote:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\NetLimiter 2 Pro\nlsvc.exe
C:\Programmi\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\Programmi\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Programmi\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Documents and Settings\Ross\Desktop\procexp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ross\Desktop\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Programmi\PicLensIE\cooliris.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [egui] "C:\Programmi\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Ad-Watch] C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Programmi\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Scarica con Free Download Manager - file://C:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: Scarica i video con Free Download Manager - file://C:\Programmi\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Scarica selezionati con Free Download Manager - file://C:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Scarica tutto con Free Download Manager - file://C:\Programmi\Free Download Manager\dlall.htm
O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Programmi\PicLensIE\cooliris.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1235497799500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1235497747468
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF95B55F-7C13-482F-A88B-CDC7A7DDFCAB}: NameServer = 208.67.222.222 208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Programmi\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Programmi\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Programmi\Sunbelt Software\Personal Firewall\SbPFSvc.exe
--
End of file - 7705 bytes
|
Ultima modifica di Darshee : 08-03-2009 alle 23:36.
|
08-03-2009, 23:30
