gnpb
25-01-2008, 22:57
Sul mio pc che uso come muletto-server (xp sp1) mi sono preso questo "backdoor win32 rbot" che Kaspersky IS 6.0.261 ha scovato e eliminato in automatico.
Il problema è che ora nelle partizione C ed E non si riesce ad accedere direttamente da esplora risorse (stranamente nella D invece tutto normale):
http://img225.imageshack.us/img225/7832/senzatitolo1kp6.th.jpg (http://img225.imageshack.us/my.php?image=senzatitolo1kp6.jpg)
Per vedere il contenuto di tali dischi col menu' a pop up bisogna andare su esplora e si sono aggiunte le voci in alto Auto e Autoplay come fosse un dvd
http://img235.imageshack.us/img235/8594/senzatitolo2wn1.th.jpg (http://img235.imageshack.us/my.php?image=senzatitolo2wn1.jpg)
Il log di Hijack direi che è pulito
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.35.08, on 25/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmi\CPUCooL\CooLSrv.exe
C:\Programmi\NDAS\System\ndassvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmi\HDD Health\hddhealth.exe
C:\Programmi\ARESCOM\Modem Telindus Arescom ND220\dslmon.exe
C:\Programmi\Samurize\Client.exe
C:\Programmi\CPUCooL\CPUCooL.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 1:1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [HDDHealth] C:\Programmi\HDD Health\hddhealth.exe -wl
O4 - Startup: Client Default.lnk = C:\Programmi\Samurize\Client.exe
O4 - Startup: CPUCooL.lnk = C:\Programmi\CPUCooL\CPUCooL.exe
O4 - Startup: Modem ADSL ND220 USB.lnk = ?
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: Aggiungi ad Anti-Banner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O9 - Extra button: Anti-virus web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F33EAC1-56F9-4894-8994-B595CD7C4372}: NameServer = 213.205.32.70 213.205.36.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD92199-E8CC-4780-85EE-D5196DAEDB29}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F33EAC1-56F9-4894-8994-B595CD7C4372}: NameServer = 213.205.32.70 213.205.36.70
O17 - HKLM\System\CS3\Services\Tcpip\..\{0F33EAC1-56F9-4894-8994-B595CD7C4372}: NameServer = 213.205.32.70 213.205.36.70
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Programmi\CPUCooL\CooLSrv.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Programmi\NDAS\System\ndassvc.exe
O23 - Service: NetOp Helper ver. 8.00 (2005061) (NetOp Host for NT Service) - Danware Data A/S - C:\Programmi\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
Come fare per ritornare alla situazione precedente? (senza fare un ripristino ovviamente)
Il problema è che ora nelle partizione C ed E non si riesce ad accedere direttamente da esplora risorse (stranamente nella D invece tutto normale):
http://img225.imageshack.us/img225/7832/senzatitolo1kp6.th.jpg (http://img225.imageshack.us/my.php?image=senzatitolo1kp6.jpg)
Per vedere il contenuto di tali dischi col menu' a pop up bisogna andare su esplora e si sono aggiunte le voci in alto Auto e Autoplay come fosse un dvd
http://img235.imageshack.us/img235/8594/senzatitolo2wn1.th.jpg (http://img235.imageshack.us/my.php?image=senzatitolo2wn1.jpg)
Il log di Hijack direi che è pulito
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.35.08, on 25/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmi\CPUCooL\CooLSrv.exe
C:\Programmi\NDAS\System\ndassvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programmi\HDD Health\hddhealth.exe
C:\Programmi\ARESCOM\Modem Telindus Arescom ND220\dslmon.exe
C:\Programmi\Samurize\Client.exe
C:\Programmi\CPUCooL\CPUCooL.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 1:1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [HDDHealth] C:\Programmi\HDD Health\hddhealth.exe -wl
O4 - Startup: Client Default.lnk = C:\Programmi\Samurize\Client.exe
O4 - Startup: CPUCooL.lnk = C:\Programmi\CPUCooL\CPUCooL.exe
O4 - Startup: Modem ADSL ND220 USB.lnk = ?
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: Aggiungi ad Anti-Banner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O9 - Extra button: Anti-virus web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F33EAC1-56F9-4894-8994-B595CD7C4372}: NameServer = 213.205.32.70 213.205.36.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD92199-E8CC-4780-85EE-D5196DAEDB29}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F33EAC1-56F9-4894-8994-B595CD7C4372}: NameServer = 213.205.32.70 213.205.36.70
O17 - HKLM\System\CS3\Services\Tcpip\..\{0F33EAC1-56F9-4894-8994-B595CD7C4372}: NameServer = 213.205.32.70 213.205.36.70
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Programmi\CPUCooL\CooLSrv.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Programmi\NDAS\System\ndassvc.exe
O23 - Service: NetOp Helper ver. 8.00 (2005061) (NetOp Host for NT Service) - Danware Data A/S - C:\Programmi\Danware Data\NetOp Remote Control\HOST\NHOSTSVC.EXE
Come fare per ritornare alla situazione precedente? (senza fare un ripristino ovviamente)