various trojans


Ringo64
11-11-2007, 11:25
The computer is slow, I always have around sixty processes running; you have already helped me, but I suspect the trojan has hidden itself somewhere.
I am now posting the trojans detected so far, TcpView and gmer/rootkit. Let me know, thanks.

Trojans detected so far:

rilevato: un programma trojan Trojan-Downloader.VBS.Agent.n URL: http://83.149.65.105/measure/l.php?pl=Win32&ce=true
rilevato: un programma trojan Trojan-Downloader.JS.gen (modifica) Script: http://aboutmeclizine.info/[2]
rilevato: un software nocivo Exploit.Win32.IMG-WMF (modifica) URL: http://ztktvuftcfs.com/48c3cd58661007e2b386/baidi/bbjgntb.tiff
rilevato: un programma trojan Trojan-Downloader.JS.Small.dx Script: http://www.solmelia.it/[2]
rilevato: un programma trojan Trojan-Downloader.VBS.Small.do Script: http://www.solmelia.it/[1]
rilevato: un programma trojan Trojan.Java.ClassLoader.ao URL: http://64.62.137.149/~edit/it/crtdcghcn.jar\BaaaaBaa.class
rilevato: un programma trojan Trojan.Win32.Diamin.gen URL: http://deposito.instantdoor.com/11770-23-exe.exe/UPX
rilevato: un programma trojan Trojan.Win32.Diamin.jm URL: http://flat.instantdoor.com/DialerJava.jar\DialerMiniComando.exe/PE_Patch.UPX/UPX
rilevato: un riskware Trojan.generic Il processo in corso: D:\Installa.exe
eliminato: un programma trojan Trojan.Win32.Diamin.jm Il file: C:\Documents and Settings\lore\Impostazioni locali\Temp\jar_cache50649.tmp\DialerMiniComando.exe/PE_Patch.UPX/UPX
pulito: un programma trojan Trojan.Win32.Diamin.jm Il file: C:\Documents and Settings\lore\Impostazioni locali\Temp\jar_cache9671.tmp
rilevato: un riskware RootShell Il processo in corso: C:\Documents and Settings\lore\Desktop\gmer.exe
rilevato: un programma trojan Trojan-Downloader.JS.Small.fs URL: http://81.29.241.70/new/counter.php?b=3
TcpView printout: (Tcpvcon won't open for me)

[System Process]:0 TCP caterino:2325 pagead.l.google.com:http TIME_WAIT
[System Process]:0 TCP caterino:2341 213.254.238.144:http TIME_WAIT
[System Process]:0 TCP caterino:2315 213.254.238.136:http TIME_WAIT
[System Process]:0 TCP caterino:1110 localhost:2306 TIME_WAIT
[System Process]:0 TCP caterino:1110 localhost:2308 TIME_WAIT
alg.exe:2024 TCP caterino:1026 caterino:0 LISTENING
avp.exe:1080 TCP caterino:1110 localhost:2358 ESTABLISHED
avp.exe:1080 TCP caterino:1110 localhost:2326 ESTABLISHED
avp.exe:1080 TCP caterino:1110 localhost:1548 ESTABLISHED
avp.exe:1080 TCP caterino:1110 localhost:2318 ESTABLISHED
avp.exe:1080 TCP caterino:2359 pagead.l.google.com:http ESTABLISHED
avp.exe:1080 TCP caterino:2327 pagead.l.google.com:http ESTABLISHED
avp.exe:1080 TCP caterino:1110 localhost:2348 FIN_WAIT2
avp.exe:1080 TCP caterino:2319 www-google-analytics.l.google.com:http ESTABLISHED
avp.exe:1080 TCP caterino:1549 216.178.44.83:http ESTABLISHED
avp.exe:1080 TCP caterino:1110 caterino:0 LISTENING
CLI.exe:208 TCP caterino:1038 caterino:0 LISTENING
CLI.exe:3888 TCP caterino:1033 caterino:0 LISTENING
IEXPLORE.EXE:872 TCP caterino:2358 localhost:1110 ESTABLISHED
IEXPLORE.EXE:872 TCP caterino:2326 localhost:1110 ESTABLISHED
IEXPLORE.EXE:872 TCP caterino:2348 localhost:1110 CLOSE_WAIT
IEXPLORE.EXE:872 TCP caterino:1548 localhost:1110 ESTABLISHED
IEXPLORE.EXE:872 TCP caterino:2318 localhost:1110 ESTABLISHED
IEXPLORE.EXE:872 UDP caterino:1060 *:*
lsass.exe:1076 UDP caterino:isakmp *:*
lsass.exe:1076 UDP caterino:4500 *:*
svchost.exe:1360 TCP caterino:epmap caterino:0 LISTENING
svchost.exe:1524 UDP caterino:ntp *:*
svchost.exe:1524 UDP caterino:ntp *:*
svchost.exe:1832 UDP caterino:1372 *:*
svchost.exe:1832 UDP caterino:1473 *:*
svchost.exe:1832 UDP caterino:1071 *:*
svchost.exe:1832 UDP caterino:1025 *:*
svchost.exe:1912 UDP caterino:1900 *:*
svchost.exe:1912 UDP caterino:1900 *:*
svchost.exe:968 TCP caterino:49100 caterino:0 LISTENING
System:4 TCP caterino:microsoft-ds caterino:0 LISTENING
System:4 TCP caterino:netbios-ssn caterino:0 LISTENING
System:4 UDP caterino:netbios-ns *:*
System:4 UDP caterino:microsoft-ds *:*
System:4 UDP caterino:netbios-dgm *:*

GMER 1.0.12.12010 - http://www.gmer.net
Rootkit scan 2007-11-11 11:20:33
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation

Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 867CF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 867CF1E8

---- Threads - GMER 1.0.12 ----

Thread 4:172 85D2BB40
Thread 4:176 85D2BB40
Thread 4:180 85D030A0
Thread 4:184 85D030A0
Thread 4:188 85D030A0
Thread 4:508 85D2BB40
Thread 4:636 85D2BB40
Thread 4:784 85D2BB40
Thread 4:2468 8450B620
Thread 872:2864 7C810665
Thread 872:2860 7C810659
Thread 872:3028 7C810659
Thread 872:2020 7C810659
Thread 872:3336 7C810659
Thread 872:3004 7C810659
Thread 872:1680 7C810659
Thread 872:3356 7C810659
Thread 872:276 7C810659
Thread 872:3524 7C810659
Thread 872:3688 7C810659
Thread 872:3256 7C810659
Thread 872:2396 7C810659
Thread 872:1896 7C810659
Thread 872:2188 7C810659
Thread 872:2632 7C810659
Thread 872:648 7C810659
Thread 872:2344 7C810659
Thread 872:2384 7C810659
Thread 872:2784 7C810659
Thread 872:724 7C810659
Thread 872:2356 7C810659
Thread 872:2220 7C810659
Thread 872:3280 7C810659
Thread 872:3716 7C810659
Thread 872:2408 7C810659
Thread 872:4100 7C810659
Thread 3556:3548 7C810665
Thread 3556:892 7C810659
Thread 3556:1760 7C810659
Thread 3556:588 7C810659
Thread 3556:1976 7C810659
Thread 3556:2192 7C810659
Thread 3556:2228 7C810659
Thread 3556:2528 7C810659
Thread 3556:2544 7C810659
Thread 3556:1712 7C810659
Thread 3556:3780 7C810659
Thread 3660:3668 7C810665
Thread 3660:828 7C810659
Thread 3660:1700 7C810659
Thread 3660:236 7C810659

---- EOF - GMER 1.0.12 ----
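
The TcpView dump above is easier to read once it is split by process into listeners, loopback sockets and genuinely external connections. The script below is an added example, not something from the post or from the forum helpers; the data rows are copied from the TcpView printout above (UDP rows trimmed down to one), the machine name `caterino` is taken from those rows, and the function names are this example's own. What it brings out is that every TCP socket of IEXPLORE.EXE terminates on localhost:1110, the port avp.exe is listening on, so the browser's web traffic is being relayed through the antivirus's local proxy and the external endpoints appear under avp.exe rather than under the browser.

```python
"""Triage a TcpView text dump (added example; data rows copied from the post above)."""
from collections import defaultdict, namedtuple

HOSTNAME = "caterino"  # local machine name as it appears in the dump

TCPVIEW_DUMP = """\
[System Process]:0 TCP caterino:2325 pagead.l.google.com:http TIME_WAIT
[System Process]:0 TCP caterino:2341 213.254.238.144:http TIME_WAIT
[System Process]:0 TCP caterino:2315 213.254.238.136:http TIME_WAIT
[System Process]:0 TCP caterino:1110 localhost:2306 TIME_WAIT
[System Process]:0 TCP caterino:1110 localhost:2308 TIME_WAIT
alg.exe:2024 TCP caterino:1026 caterino:0 LISTENING
avp.exe:1080 TCP caterino:1110 localhost:2358 ESTABLISHED
avp.exe:1080 TCP caterino:1110 localhost:2326 ESTABLISHED
avp.exe:1080 TCP caterino:1110 localhost:1548 ESTABLISHED
avp.exe:1080 TCP caterino:1110 localhost:2318 ESTABLISHED
avp.exe:1080 TCP caterino:2359 pagead.l.google.com:http ESTABLISHED
avp.exe:1080 TCP caterino:2327 pagead.l.google.com:http ESTABLISHED
avp.exe:1080 TCP caterino:1110 localhost:2348 FIN_WAIT2
avp.exe:1080 TCP caterino:2319 www-google-analytics.l.google.com:http ESTABLISHED
avp.exe:1080 TCP caterino:1549 216.178.44.83:http ESTABLISHED
avp.exe:1080 TCP caterino:1110 caterino:0 LISTENING
CLI.exe:208 TCP caterino:1038 caterino:0 LISTENING
IEXPLORE.EXE:872 TCP caterino:2358 localhost:1110 ESTABLISHED
IEXPLORE.EXE:872 TCP caterino:2326 localhost:1110 ESTABLISHED
IEXPLORE.EXE:872 TCP caterino:2348 localhost:1110 CLOSE_WAIT
IEXPLORE.EXE:872 TCP caterino:1548 localhost:1110 ESTABLISHED
IEXPLORE.EXE:872 TCP caterino:2318 localhost:1110 ESTABLISHED
IEXPLORE.EXE:872 UDP caterino:1060 *:*
svchost.exe:1360 TCP caterino:epmap caterino:0 LISTENING
System:4 TCP caterino:microsoft-ds caterino:0 LISTENING
System:4 TCP caterino:netbios-ssn caterino:0 LISTENING
"""

TCP_STATES = {"LISTENING", "ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT", "FIN_WAIT1",
              "FIN_WAIT2", "SYN_SENT", "SYN_RECEIVED", "CLOSING", "LAST_ACK"}
Conn = namedtuple("Conn", "process pid proto local remote state")


def parse_tcpview(text):
    """One Conn per row. A process name may itself contain spaces ("[System Process]"),
    so the fixed columns are peeled off the right-hand end and the rest is process:pid."""
    conns = []
    for parts in (row.split() for row in text.splitlines()):
        if len(parts) < 4:
            continue
        if parts[-1] in TCP_STATES:          # TCP row: last column is the state
            proto, local, remote, state = parts[-4], parts[-3], parts[-2], parts[-1]
            head = parts[:-4]
        else:                                # UDP row: no state, remote is *:*
            proto, local, remote, state = parts[-3], parts[-2], parts[-1], None
            head = parts[:-3]
        name, pid = " ".join(head).rsplit(":", 1)
        conns.append(Conn(name, int(pid), proto, local, remote, state))
    return conns


def port_of(endpoint):
    return endpoint.rsplit(":", 1)[1]


def host_of(endpoint):
    return endpoint.rsplit(":", 1)[0]


def summarize(conns, hostname=HOSTNAME):
    """Per process:pid, the TCP ports it listens on and the remote endpoints it talks
    to, split into loopback ones and genuinely external ones."""
    local_hosts = {"localhost", "127.0.0.1", hostname}
    summary = defaultdict(lambda: {"listening": set(), "loopback": set(), "external": set()})
    for c in conns:
        if c.proto != "TCP":
            continue
        entry = summary[f"{c.process}:{c.pid}"]
        if c.state == "LISTENING":
            entry["listening"].add(port_of(c.local))
        elif host_of(c.remote) in local_hosts:
            entry["loopback"].add(c.remote)
        else:
            entry["external"].add(c.remote)
    return dict(summary)


def external_talkers(summary):
    """Processes holding any TCP socket towards a non-loopback host."""
    return sorted(k for k, v in summary.items() if v["external"])


def local_proxy_users(conns, hostname=HOSTNAME):
    """Processes whose loopback connections land on a port that another local process
    is LISTENING on, mapped to that listener (the local-proxy relationship)."""
    local_hosts = {"localhost", "127.0.0.1", hostname}
    listeners = {port_of(c.local): f"{c.process}:{c.pid}"
                 for c in conns if c.proto == "TCP" and c.state == "LISTENING"}
    users = defaultdict(set)
    for c in conns:
        if c.proto != "TCP" or c.state == "LISTENING":
            continue
        me, owner = f"{c.process}:{c.pid}", listeners.get(port_of(c.remote))
        if host_of(c.remote) in local_hosts and owner and owner != me:
            users[me].add(owner)
    return dict(users)


if __name__ == "__main__":
    rows = parse_tcpview(TCPVIEW_DUMP)
    for proc, info in sorted(summarize(rows).items()):
        print(proc, "listens on", sorted(info["listening"]), "external:", sorted(info["external"]))
    print("relayed through a local listener:", local_proxy_users(rows))
```

Run as-is it prints one line per process plus the relay map; the TIME_WAIT rows owned by `[System Process]:0` are sockets whose owning process has already released them, which is why a closed-down browser session still shows external hosts under that pseudo-process.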

xcdegasp
11-11-2007, 11:38
I ask you to follow the Section Rules (http://www.hwupgrade.it/forum/showthread.php?t=1589984) right away, so that you bring the opening post into line and can already follow an initial disinfection...
obviously, as for the HiJackThis log, I ask you to hold off on posting it, so that I can first look at the results of the scans I recommended.

awaiting news ;)