*Aerith*
22-04-2008, 21:48
Sintomi: pc lento, connessione internet lenta, applicazioni java a volte non funzionano bene, a volte si blocca il browser senza motivi.
Il pc non va in modalità provvisoria, nè con f8 nè con msconfig
- fatta scansione con avast, niente
- scansione con a-squared, niente
- scansione con prevx ha trovato un rootkit, non sapevo come salvare il log, posto il link all'immagine con il risultato
http://i25.tinypic.com/imqcsh.jpg
- log di gmer:
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-22 19:40:47
Windows 5.1.2600 Service Pack 1
---- System - GMER 1.0.14 ----
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF79C5B30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5857D98]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5857CB8]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwCreatePagingFile [0xF781CC70]
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF79C56F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF585812A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF58578AA]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF781D4FE]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xF7828D50]
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF79C5470]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF5857D2E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF58577C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF585783C]
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xF79C5C50]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwQueryKey [0xF781D51E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF5857E42]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF5857E02]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwSetSystemPowerState [0xF78284F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF5857F84]
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xF79C5990]
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xF79C58D0]
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xF79C5D60]
---- Kernel code sections - GMER 1.0.14 ----
.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 150 805025CC 4 Bytes [ 30, 5B, 9C, F7 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 170 805025EC 4 Bytes [ 98, 7D, 85, F5 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [ B8, 7C, 85, F5 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C0 8050263C 4 Bytes [ 70, CC, 81, F7 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1E0 8050265C 4 Bytes [ F0, 56, 9C, F7 ]
.text ...
.text wanarp.sys F79F80C6 2 Bytes [ 90, 90 ]
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F76C8810] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F76C8810] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F76C8810] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F76C8810] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F76C8810] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F76C8810] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
---- User IAT/EAT - GMER 1.0.14 ----
IAT E:\WINDOWS\system32\services.exe[756] @ E:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00520002
IAT E:\WINDOWS\system32\services.exe[756] @ E:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00520000
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 867A8290
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\aswTdi \Device\AswUdpFilter wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
---- Modules - GMER 1.0.14 ----
Module _________ F77BA000-F77D0000 (90112 bytes)
---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior
---- EOF - GMER 1.0.14 ----
Niente di rosso, però le ultime cose non mi sembrano buone, sob sob. Inoltre quando ho lanciato gmer e ho fatto la scansione il pc si è riavviato dandomi errore grave di sistema, allora ho tolto la spunta a registry e ha funzionato.
- log di hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 21.30.04, on 22/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmi\Sygate\SPF\smc.exe
E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
E:\Programmi\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
E:\Programmi\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\Explorer.EXE
E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
E:\WINDOWS\System32\RUNDLL32.EXE
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Programmi\File comuni\Real\Update_OB\realsched.exe
E:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
E:\Programmi\ExPLabs.com\LinkScanner\LinkScannerMonitor.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe
E:\Programmi\ExPLabs.com\LinkScanner\LinkScannerConnect.exe
E:\Programmi\a-squared Free\a2service.exe
E:\Programmi\Real\RealPlayer\RealPlay.exe
E:\Programmi\PrevxCSI\PrevxCSI.exe
E:\Programmi\PrevxCSI\PrevxCSI.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmi\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\Barbara\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/webhp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Programmi\ExPLabs.com\LinkScanner\LinkScannerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] E:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "E:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LinkScanner Monitor] E:\Programmi\ExPLabs.com\LinkScanner\LinkScannerMonitor.exe /auto
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] E:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = E:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://E:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://E:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://E:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://E:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - E:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - E:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - E:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - E:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - E:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - E:\Programmi\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CSIScanner - Unknown owner - E:\Programmi\PrevxCSI\\PrevxCSI.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Programmi\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Per favore aiutatemi......:cry: :cry:
Il pc non va in modalità provvisoria, nè con f8 nè con msconfig
- fatta scansione con avast, niente
- scansione con a-squared, niente
- scansione con prevx ha trovato un rootkit, non sapevo come salvare il log, posto il link all'immagine con il risultato
http://i25.tinypic.com/imqcsh.jpg
- log di gmer:
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-22 19:40:47
Windows 5.1.2600 Service Pack 1
---- System - GMER 1.0.14 ----
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF79C5B30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5857D98]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5857CB8]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwCreatePagingFile [0xF781CC70]
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF79C56F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF585812A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF58578AA]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF781D4FE]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xF7828D50]
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF79C5470]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF5857D2E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF58577C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF585783C]
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xF79C5C50]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwQueryKey [0xF781D51E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF5857E42]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF5857E02]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwSetSystemPowerState [0xF78284F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF5857F84]
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xF79C5990]
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xF79C58D0]
SSDT \??\E:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xF79C5D60]
---- Kernel code sections - GMER 1.0.14 ----
.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 150 805025CC 4 Bytes [ 30, 5B, 9C, F7 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 170 805025EC 4 Bytes [ 98, 7D, 85, F5 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [ B8, 7C, 85, F5 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C0 8050263C 4 Bytes [ 70, CC, 81, F7 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1E0 8050265C 4 Bytes [ F0, 56, 9C, F7 ]
.text ...
.text wanarp.sys F79F80C6 2 Bytes [ 90, 90 ]
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F76C8810] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F76C8810] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F76C8810] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F76C8810] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F76C8810] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F76C8670] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F76C8810] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F76C8970] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F76C88D0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
---- User IAT/EAT - GMER 1.0.14 ----
IAT E:\WINDOWS\system32\services.exe[756] @ E:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00520002
IAT E:\WINDOWS\system32\services.exe[756] @ E:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00520000
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 867A8290
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\aswTdi \Device\AswUdpFilter wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
---- Modules - GMER 1.0.14 ----
Module _________ F77BA000-F77D0000 (90112 bytes)
---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior
---- EOF - GMER 1.0.14 ----
Niente di rosso, però le ultime cose non mi sembrano buone, sob sob. Inoltre quando ho lanciato gmer e ho fatto la scansione il pc si è riavviato dandomi errore grave di sistema, allora ho tolto la spunta a registry e ha funzionato.
- log di hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 21.30.04, on 22/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmi\Sygate\SPF\smc.exe
E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
E:\Programmi\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
E:\Programmi\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\Explorer.EXE
E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
E:\WINDOWS\System32\RUNDLL32.EXE
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Programmi\File comuni\Real\Update_OB\realsched.exe
E:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
E:\Programmi\ExPLabs.com\LinkScanner\LinkScannerMonitor.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe
E:\Programmi\ExPLabs.com\LinkScanner\LinkScannerConnect.exe
E:\Programmi\a-squared Free\a2service.exe
E:\Programmi\Real\RealPlayer\RealPlay.exe
E:\Programmi\PrevxCSI\PrevxCSI.exe
E:\Programmi\PrevxCSI\PrevxCSI.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmi\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\Barbara\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/webhp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Programmi\ExPLabs.com\LinkScanner\LinkScannerIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] E:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "E:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LinkScanner Monitor] E:\Programmi\ExPLabs.com\LinkScanner\LinkScannerMonitor.exe /auto
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] E:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = E:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://E:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://E:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://E:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://E:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - E:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - E:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - E:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - E:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - E:\Programmi\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - E:\Programmi\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CSIScanner - Unknown owner - E:\Programmi\PrevxCSI\\PrevxCSI.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Programmi\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Per favore aiutatemi......:cry: :cry: