Network problems


Estval
05-08-2007, 22:09
Hello everyone!

I have a USRobotics 9111 Wi-Fi ADSL modem router and I can't quite tell from the log whether I have problems with the network... can anyone give me a hand?

Here is the log

08/05/2007 20:35:36 **TCP FIN Scan** 192.168.2.2, 2487->> 62.32.97.21, 80 (from ATM1 Outbound)
08/05/2007 20:31:21 **TCP FIN Scan** 192.168.2.2, 2015->> 151.1.244.2, 80 (from ATM1 Outbound)
08/05/2007 20:29:44 **TCP FIN Scan** 217.56.122.195, 80->> 192.168.2.2, 1515 (from ATM1 Inbound)
08/05/2007 20:29:10 **Smurf** 193.153.59.0, 4672->> 192.168.2.2, 35462 (from ATM1 Inbound)
08/05/2007 20:24:30 **TCP FIN Scan** 192.168.2.2, 4697->> 151.1.244.2, 80 (from ATM1 Outbound)
08/05/2007 20:21:17 192.168.2.2 login success
08/05/2007 20:10:00 **TCP FIN Scan** 89.186.95.82, 80->> 192.168.2.2, 2829 (from ATM1 Inbound)
08/05/2007 20:01:02 **TCP FIN Scan** 192.168.2.2, 1461->> 82.103.137.41, 80 (from ATM1 Outbound)
08/05/2007 20:01:02 **TCP FIN Scan** 192.168.2.2, 1499->> 64.15.155.212, 80 (from ATM1 Outbound)
08/05/2007 19:51:49 **TCP FIN Scan** 192.168.2.2, 4034->> 66.118.145.4, 80 (from ATM1 Outbound)
08/05/2007 19:51:49 **TCP FIN Scan** 192.168.2.2, 3920->> 82.103.137.41, 80 (from ATM1 Outbound)
08/05/2007 19:40:16 **TCP FIN Scan** 192.168.2.2, 2834->> 82.84.16.14, 43961 (from ATM1 Outbound)
08/05/2007 19:27:07 **TCP FIN Scan** 192.168.2.2, 1423->> 82.51.91.197, 4662 (from ATM1 Outbound)
08/05/2007 19:14:59 **TCP FIN Scan** 192.168.2.2, 5084->> 87.17.240.201, 1726 (from ATM1 Outbound)
08/05/2007 19:14:59 **TCP FIN Scan** 192.168.2.2, 5084->> 79.9.236.65, 1940 (from ATM1 Outbound)
08/05/2007 19:14:59 **TCP FIN Scan** 192.168.2.2, 3676->> 82.54.101.42, 41958 (from ATM1 Outbound)
08/05/2007 19:14:59 **TCP FIN Scan** 192.168.2.2, 3662->> 87.6.76.190, 13320 (from ATM1 Outbound)
08/05/2007 19:14:59 **TCP FIN Scan** 192.168.2.2, 3644->> 79.3.229.66, 55172 (from ATM1 Outbound)
08/05/2007 19:10:53 **TCP FIN Scan** 192.168.2.2, 3024->> 8.12.199.124, 80 (from ATM1 Outbound)
08/05/2007 19:10:53 **TCP FIN Scan** 192.168.2.2, 3046->> 4.23.54.124, 80 (from ATM1 Outbound)
08/05/2007 19:03:59 192.168.2.2 logout
08/05/2007 19:02:22 192.168.2.2 login success
08/05/2007 18:40:44 **TCP FIN Scan** 192.168.2.2, 1121->> 194.20.72.34, 80 (from ATM1 Outbound)
08/05/2007 18:40:44 **TCP FIN Scan** 192.168.2.2, 1085->> 194.20.72.33, 80 (from ATM1 Outbound)
08/05/2007 18:27:08 NTP Date/Time updated.
08/01/2003 00:00:21 I/F(ATM1) PPP connection ok !
08/01/2003 00:00:20 ATM1 get IP:84.223.150.79
08/01/2003 00:00:15 ATM1 start PPP
08/01/2003 00:00:15 ADSL Media Up !

192.168.2.2 is my PC's IP

What made me suspicious, and seems odd to me, is that while I was browsing the hwupgrade forum I couldn't display the pages. IE 7, after "thinking" for a while, said that it was impossible to display the page and to check the connection. However, while this was happening I could browse other web pages perfectly well without any problem.
When I finally managed to continue within the forum, on refreshing the router log the lines I have put in bold appeared!

I hope this isn't connected to the fact that a week ago Avast (ver 4.7) reported (in the event log under "Warning") this Trojan: Win32:Agent-ITQ (following a mistyped web address) and said it had blocked it.
I visited this site http://www.suspectfile.com/forum/viewtopic.php?t=156 to get an idea of the threat.
I ran a scan with Avast in safe mode, checked for the presence of the random service, etc., and found nothing.

In case it helps, here is the log made with HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 22.00.36, on 05/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Utility\Hijack This 1.99\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB8888AD-F0B2-4769-B637-E740785B6ADE}: NameServer = 213.205.32.70,213.205.36.70
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\programmi\a-squared free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Having said that (and sorry if I went on too long), thanks in advance to anyone who can reply!
Thanks
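
A small parser for the router log format shown in the post, as an added example that is not part of the original post: it tallies alerts by name, direction and whether the remote side is port 80, so alerts on the PC's own web connections can be told apart from traffic on other ports. The function names and the port grouping are choices made here; the sample lines are copied from the log above.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Lines copied from the router log in the post (a subset, newest first).
SAMPLE = """\
08/05/2007 20:35:36 **TCP FIN Scan** 192.168.2.2, 2487->> 62.32.97.21, 80 (from ATM1 Outbound)
08/05/2007 20:29:44 **TCP FIN Scan** 217.56.122.195, 80->> 192.168.2.2, 1515 (from ATM1 Inbound)
08/05/2007 20:29:10 **Smurf** 193.153.59.0, 4672->> 192.168.2.2, 35462 (from ATM1 Inbound)
08/05/2007 20:21:17 192.168.2.2 login success
08/05/2007 19:27:07 **TCP FIN Scan** 192.168.2.2, 1423->> 82.51.91.197, 4662 (from ATM1 Outbound)
08/05/2007 19:14:59 **TCP FIN Scan** 192.168.2.2, 5084->> 87.17.240.201, 1726 (from ATM1 Outbound)
08/05/2007 19:14:59 **TCP FIN Scan** 192.168.2.2, 5084->> 79.9.236.65, 1940 (from ATM1 Outbound)
"""

# Alert lines: timestamp, **name**, src ip/port, dst ip/port, interface and direction.
ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) \*\*(?P<name>[^*]+)\*\* "
    r"(?P<src>[\d.]+), (?P<sport>\d+)->> (?P<dst>[\d.]+), (?P<dport>\d+) "
    r"\(from (?P<iface>\S+) (?P<dir>Inbound|Outbound)\)$"
)

def parse_alerts(text):
    """Return one dict per firewall alert line; other lines (logins, PPP) are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        # The remote endpoint is whichever side is not a private (LAN) address.
        src_is_lan = ip_address(a["src"]).is_private
        a["remote_ip"] = a["dst"] if src_is_lan else a["src"]
        a["remote_port"] = int(a["dport"] if src_is_lan else a["sport"])
        alerts.append(a)
    return alerts

def summarize(alerts):
    """Count alerts by (name, direction, remote port class)."""
    def port_class(port):
        return "web(80)" if port == 80 else "other"
    return Counter((a["name"], a["dir"], port_class(a["remote_port"])) for a in alerts)

if __name__ == "__main__":
    for key, count in sorted(summarize(parse_alerts(SAMPLE)).items()):
        print(count, *key)
```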