DjDiabolik
11-04-2011, 00:22
OK guys... I have in front of me a PC with XP SP2 installed and never updated, and I think it's thoroughly infected.
I'd like to avoid formatting it, since it isn't mine, and try to clean it up instead...
So I tried searching for info on Google, and here too I thought I had found the solution, here:
http://www.hwupgrade.it/forum/showthread.php?t=1984665
I created the 3 .log files... using ATF-Cleaner was completely useless.
Then I ran ComboFix (downloaded from Bleeping Computer), which ran without problems, without even having to rename it (on other PCs I've had to rename the exe).
I ran it with the "/killall" option, and this, after the 2 reboots ComboFix itself did, is the combofix.log located in C:\:
ComboFix 11-04-10.01 - Utente Pc 11/04/2011 1.01.06.3.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.510.278 [GMT 2:00]
Eseguito da: C:\ComboFix.exe
Opzioni usate :: /killall
.
ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
.
((((((((((((((((((((((((( Files Creati Da 2011-03-10 al 2011-04-10 )))))))))))))))))))))))))))))))))))
.
.
2011-04-10 23:06 . 2011-04-10 23:06 4096 ----a-w- c:\windows\system32\01.tmp
2011-04-10 21:34 . 2011-04-10 21:34 -------- d-----w- c:\programmi\Spybot - Search & Destroy
2011-04-10 21:34 . 2011-04-10 21:34 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2011-04-10 21:00 . 2011-04-10 21:00 388096 ----a-r- c:\documents and settings\Utente Pc\Dati applicazioni\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-10 21:00 . 2011-04-10 21:00 -------- d-----w- c:\programmi\Trend Micro
2011-04-10 20:55 . 2011-04-10 20:55 -------- d-----w- c:\documents and settings\Utente Pc\Impostazioni locali\Dati applicazioni\Mozilla
2011-04-10 08:19 . 2011-04-10 08:19 -------- d-----w- c:\programmi\File comuni\Steam
2011-04-10 08:19 . 2011-04-10 08:19 -------- d-----w- c:\programmi\Steam
2011-04-09 13:51 . 2011-04-09 13:51 -------- d-----w- c:\programmi\CCleaner
2011-04-09 13:28 . 2011-04-09 13:28 -------- d-----w- c:\programmi\VS Revo Group
2011-04-09 12:46 . 2011-04-09 12:46 0 ----a-w- c:\windows\ativpsrm.bin
2011-04-09 12:44 . 2009-02-25 13:15 593920 ------w- c:\windows\system32\ati2sgag.exe
2011-04-09 12:43 . 2011-04-09 12:43 -------- d-----w- C:\ATI
2011-04-09 12:42 . 2011-04-09 12:42 -------- d-----w- c:\windows\system32\config\systemprofile\Dati applicazioni\Intel
2011-04-09 12:41 . 2011-04-09 12:41 -------- d-----w- c:\documents and settings\Utente Pc\Dati applicazioni\Intel
2011-04-09 12:41 . 2011-04-09 12:41 -------- d-----w- c:\documents and settings\NetworkService\Dati applicazioni\Intel
2011-04-09 12:41 . 2011-04-09 12:41 -------- d-----w- c:\documents and settings\LocalService\Dati applicazioni\Intel
2011-04-09 12:41 . 2011-04-09 12:41 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Intel
2011-04-09 12:41 . 2007-02-12 10:41 2732032 ----a-w- c:\windows\system32\Netw2r32.dll
2011-04-09 12:41 . 2007-02-12 10:40 557056 ----a-w- c:\windows\system32\Netw2c32.dll
2011-04-09 12:40 . 2011-04-09 12:40 -------- d-----w- c:\programmi\File comuni\Intel
2011-04-09 12:40 . 2011-04-09 12:40 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Intel
2011-04-09 12:36 . 2007-06-27 12:42 207488 ----a-r- c:\windows\system32\drivers\vinyl97.sys
2011-04-09 12:36 . 2011-04-09 12:36 -------- d-----w- c:\programmi\VIA
2011-04-09 12:36 . 2007-04-11 13:35 331184 ------w- c:\windows\system32\difxapi.dll
2011-04-09 12:35 . 2007-05-02 01:52 290816 ----a-w- c:\windows\system32\drivers\tifm21.sys
2011-04-09 12:34 . 2011-04-09 12:34 -------- d-----w- c:\windows\tiinst
2011-04-09 12:33 . 2011-02-28 06:09 53248 ----a-w- c:\windows\system32\CSVer.dll
2011-04-09 12:33 . 2011-04-09 12:33 -------- d-----w- C:\Intel
2011-04-09 12:30 . 2004-02-25 21:27 57344 ----a-w- c:\windows\system32\razer.cpl
2011-04-09 12:30 . 2004-02-25 21:27 38904 ----a-w- c:\windows\system32\drivers\razerusb.sys
2011-04-09 12:30 . 2011-04-09 12:30 -------- d-----w- c:\programmi\Razer
2011-04-09 11:46 . 2011-04-09 11:46 -------- d-----w- c:\programmi\Driver-Soft
2011-03-17 12:05 . 2011-03-17 12:05 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-14 14:53 . 2005-04-06 12:38 229928 ----a-w- c:\windows\system32\drivers\b57xp32.sys
2011-03-18 18:01 . 2011-04-10 20:55 142296 ----a-w- c:\programmi\mozilla firefox\components\browsercomps.dll
2007-02-02 18:48 401408 --sha-r- c:\windows\system32\ahr.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-09_13.46.44 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-04-06 12:37 . 2011-04-09 11:56 68900 c:\windows\system32\perfc010.dat
+ 2005-04-06 12:37 . 2011-04-10 11:59 68900 c:\windows\system32\perfc010.dat
- 2005-04-06 12:37 . 2011-04-09 11:56 58272 c:\windows\system32\perfc009.dat
+ 2005-04-06 12:37 . 2011-04-10 11:59 58272 c:\windows\system32\perfc009.dat
+ 2005-04-06 12:37 . 2011-04-10 11:59 435864 c:\windows\system32\perfh010.dat
- 2005-04-06 12:37 . 2011-04-09 11:56 435864 c:\windows\system32\perfh010.dat
- 2005-04-06 12:37 . 2011-04-09 11:56 391030 c:\windows\system32\perfh009.dat
+ 2005-04-06 12:37 . 2011-04-10 11:59 391030 c:\windows\system32\perfh009.dat
+ 2011-04-10 21:31 . 2011-04-10 21:31 235168 c:\windows\system32\Macromed\Flash\FlashUtil10o_Plugin.exe
+ 2011-04-10 21:31 . 2011-04-10 21:31 6053536 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2011-04-10 21:00 . 2011-04-10 21:00 1094656 c:\windows\Installer\fec5d.msi
+ 2011-04-10 08:19 . 2011-04-10 08:19 1065984 c:\windows\Installer\3f79f66.msi
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InstallIQUpdater"="c:\programmi\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2010-07-07 1008128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="c:\programmi\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 98394]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 688218]
"RemoteControl"="c:\programmi\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-14 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-19 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-19 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 455168]
"LManager"="c:\programmi\Launch Manager\QtZgAcer.EXE" [2005-03-28 319488]
"eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 110592]
"razertra"="c:\programmi\Razer\razertra.exe" [2004-02-25 208896]
"AudioDeck"="c:\programmi\VIA\VIAudioi\SBADeck\ADeck.exe" [2007-08-09 528384]
"IntelZeroConfig"="c:\programmi\Intel\WiFi\bin\ZCfgSvc.exe" [2009-02-27 1368064]
"IntelWireless"="c:\programmi\File comuni\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-27 1202448]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]
.
c:\documents and settings\Utente Pc\Menu Avvio\Programmi\Esecuzione automatica\
Utilit… controllo supporti di Picture Motion Browser.lnk - c:\programmi\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-5-18 344064]
.
c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
InterBase Server.lnk - c:\cimatrone\Pdm\IbServer\bin\ibserver.exe [2007-10-17 1369600]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Programmi\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Programmi\\Steam\\Steam.exe"=
"c:\\Programmi\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3453:TCP"= 3453:TCP:huxutzgk
.
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppMH\cdrom_mon.exe [13/08/2008 18.50.48 81920]
S2 erpilagu;Time Helper;c:\windows\system32\svchost.exe -k netsvcs [06/04/2005 14.37.26 14336]
S3 BTHprint;Microsoft Bluetooth Printer Class;c:\windows\system32\drivers\BTHPRINT.SYS [17/11/2005 10.50.55 35456]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
erpilagu
.
Contenuto della cartella 'Scheduled Tasks'
.
2011-03-09 c:\windows\Tasks\{1D9A1667-672A-4ABF-9A89-017A0790BFED}_ACER-0CE7F6DC47_Utente Pc.job
- c:\windows\system32\mobsync.exe [2005-04-06 03:00]
.
2011-04-05 c:\windows\Tasks\{0B59842E-C602-482F-86D7-1B4B9A85AFA0}_ACER-0CE7F6DC47_Utente Pc.job
- c:\windows\system32\mobsync.exe [2005-04-06 03:00]
.
2010-09-24 c:\windows\Tasks\{6B1F7AB7-35AA-4618-A647-B2FA96B98575}_ACER-0CE7F6DC47_Utente Pc.job
- c:\windows\system32\mobsync.exe [2005-04-06 03:00]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {E7A96AF4-2CE3-4208-9B2D-F84BBAE3DEBD} = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\documents and settings\Utente Pc\Dati applicazioni\Mozilla\Firefox\Profiles\o4gzs43z.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-11 01:07
Windows 5.1.2600 Service Pack 2 FAT NTAPI
.
scansione processi nascosti ...
.
scansione entrate autostart nascoste ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioDeck = c:\programmi\VIA\VIAudioi\SBADeck\ADeck.exe 1????????????????????????????????????????????
.
Scansione files nascosti ...
.
Scansione completata con successo
Files nascosti: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\erpilagu]
"ServiceDll"="c:\windows\system32\zlnvcon.dll"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
.
- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\programmi\Intel\WiFi\bin\S24EvMon.exe
c:\windows\system32\brss01a.exe
c:\programmi\Intel\WiFi\bin\EvtEng.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programmi\File comuni\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\programmi\Razer\razerofa.exe
c:\programmi\Microsoft ActiveSync\WCESCOMM.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\programmi\acer\eRecovery\Monitor.exe
.
**************************************************************************
.
Ora fine scansione: 2011-04-11 01:09:12 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2011-04-10 23:09
ComboFix2.txt 2011-04-10 21:23
ComboFix3.txt 2011-04-09 13:48
.
Pre-Run: 3.635.806.208 byte disponibili
Post-Run: 3.615.588.352 byte disponibili
.
- - End Of File - - 73F047625B33A1AA1434313C3CD8546F
Still following that thread, this is the log from DBTOOLS, which in any case says "system clean":
Ok Loading BitDefender Engines
State 0
Sleeping 3 seconds...
Found so far : 0x0 files/regs
Searching for Downadup file ....
- System folder
tkown -> C:\WINDOWS\system32\zlnvcon.dll
- Temporary folder
- Program Files
- Application Data
Found so far : 0x0 files/regs
No Traces of Downadup Worm were found
The only one that, shortly after I started it, advised me to run a full scan was GMER...... in the end I saved its log there too, and among the entries there was a line in red... here is the log:
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-11 00:58:20
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 IC25N080ATMR04-0 rev.MO4OAD4A
Running: gmer.exe; Driver: C:\DOCUME~1\UTENTE~1\IMPOST~1\Temp\awecrpog.sys
---- System - GMER 1.0.15 ----
INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) BA77B16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) BA77AFC2
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF8000000, 0x1C5D58, 0xE8000020]
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xB9E80F00, 0x24000, 0x48000000]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtQueryInformationProcess 7C91E01B 5 Bytes JMP 01599DD2
.text C:\WINDOWS\System32\svchost.exe[976] NETAPI32.dll!NetpwPathCanonicalize 5BC7A101 5 Bytes JMP 01599D72
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtQueryInformationProcess 7C91E01B 5 Bytes JMP 00889DD2
.text C:\Programmi\Mozilla Firefox\firefox.exe[1924] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00401410 C:\Programmi\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Programmi\Mozilla Firefox\plugin-container.exe[3976] USER32.dll!GetWindowInfo 77D1DE94 5 Bytes JMP 104C7C37 C:\Programmi\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Programmi\Mozilla Firefox\plugin-container.exe[3976] USER32.dll!TrackPopupMenu 77D64ED6 5 Bytes JMP 104C823A C:\Programmi\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] erpilagu <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b6b5f2e2f
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b6b5f2e2f@00092d584022 0x12 0x20 0x71 0xDA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\erpilagu@DisplayName Time Helper
Reg HKLM\SYSTEM\CurrentControlSet\Services\erpilagu@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\erpilagu@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\erpilagu@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\erpilagu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\erpilagu@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\erpilagu@Description Abilita i messaggi del registro eventi rilasciati dai programmi di Windows e rende possibile la visualizzazione dei componenti in Visualizzatore eventi. Impossibile interrompere questo servizio.
Reg HKLM\SYSTEM\CurrentControlSet\Services\erpilagu\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\erpilagu\Parameters@ServiceDll C:\WINDOWS\system32\zlnvcon.dll
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000b6b5f2e2f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000b6b5f2e2f@00092d584022 0x12 0x20 0x71 0xDA ...
Reg HKLM\SYSTEM\ControlSet003\Services\erpilagu@DisplayName Time Helper
Reg HKLM\SYSTEM\ControlSet003\Services\erpilagu@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\erpilagu@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\erpilagu@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\erpilagu@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\erpilagu@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\erpilagu@Description Abilita i messaggi del registro eventi rilasciati dai programmi di Windows e rende possibile la visualizzazione dei componenti in Visualizzatore eventi. Impossibile interrompere questo servizio.
Reg HKLM\SYSTEM\ControlSet003\Services\erpilagu\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\erpilagu\Parameters@ServiceDll C:\WINDOWS\system32\zlnvcon.dll
---- EOF - GMER 1.0.15 ----
Note precisely what it says: Rootkit... but what do I eradicate it with?
I was thinking of SUPER Antimalware... but I'm waiting for your tips...
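Added here as a defender-side example (not code from the thread, nor from ComboFix or GMER): a small Python triage script that parses the kinds of lines shown in the logs above and flags the indicators that matter in this post: the svchost-hosted service with an explicitly listed ServiceDll and NetSvcs membership, the service GMER reports as hidden, the globally open firewall port with an arbitrary rule name, and inline hooks inside svchost with no owning module. The sample log is constructed from lines taken from the post; the severities, and the reliance on ComboFix's own note that it omits legitimate/default values, are my assumptions.

```python
"""Triage helper for ComboFix / GMER text logs (added example, not from the thread)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: lines lifted from the ComboFix and GMER logs in the post.
SAMPLE_LOG = r"""
S2 erpilagu;Time Helper;c:\windows\system32\svchost.exe -k netsvcs [06/04/2005 14.37.26 14336]
S3 BTHprint;Microsoft Bluetooth Printer Class;c:\windows\system32\drivers\BTHPRINT.SYS [17/11/2005 10.50.55 35456]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
erpilagu
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\erpilagu]
"ServiceDll"="c:\windows\system32\zlnvcon.dll"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3453:TCP"= 3453:TCP:huxutzgk
.
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] erpilagu <-- ROOTKIT !!!
.text C:\WINDOWS\System32\svchost.exe[976] ntdll.dll!NtQueryInformationProcess 7C91E01B 5 Bytes JMP 01599DD2
.text C:\WINDOWS\System32\svchost.exe[976] NETAPI32.dll!NetpwPathCanonicalize 5BC7A101 5 Bytes JMP 01599D72
.text C:\Programmi\Mozilla Firefox\firefox.exe[1924] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00401410 C:\Programmi\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
"""

# ComboFix service line: "S2 name;display name;image path [date time size]"
SERVICE_RE = re.compile(r'^[RS]\d\s+([^;]+);([^;]*);(.+?)\s+\[', re.M)
# ComboFix prints a Services\<name> block with "ServiceDll" only for non-default values.
SERVICE_DLL_RE = re.compile(
    r'^\[(?:HKEY_LOCAL_MACHINE|HKLM)\\System\\ControlSet\d+\\Services\\([^\]\\]+)\]\s*\n'
    r'"ServiceDll"="([^"]+)"', re.M | re.I)
# Windows Firewall GloballyOpenPorts entry: "port:proto"= port:proto:rule name
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(\S+)', re.M)
# GMER service line for a service the SCM API does not show.
HIDDEN_SVC_RE = re.compile(
    r'^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\*\s*\)\s+\[(\w+)\]\s+(\S+)', re.M)
# GMER user-mode inline hook; trailing text names the owning module when GMER knows it.
HOOK_RE = re.compile(
    r'^\.text\s+(.+?)\[(\d+)\]\s+(\S+!\S+)\s+[0-9A-Fa-f]+\s+\d+ Bytes\s+JMP\s+'
    r'([0-9A-Fa-f]+)(.*)$', re.M)


def parse_services(text):
    """name -> (display name, image command line) from ComboFix service lines."""
    return {m.group(1).strip(): (m.group(2).strip(), m.group(3).strip())
            for m in SERVICE_RE.finditer(text)}


def parse_service_dlls(text):
    """name -> ServiceDll path for services ComboFix chose to print."""
    return {m.group(1): m.group(2) for m in SERVICE_DLL_RE.finditer(text)}


def parse_netsvcs(text):
    """Service names listed under the 'Svchost - NetSvcs' header (until the '.' separator)."""
    names, collecting = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Svchost - NetSvcs"):
            collecting = True
            continue
        if collecting:
            if not line or line == ".":
                break
            names.add(line)
    return names


def parse_hidden_services(text):
    return [m.group(3) for m in HIDDEN_SVC_RE.finditer(text)]


def parse_open_ports(text):
    return [(m.group(1), m.group(2), m.group(3)) for m in OPEN_PORT_RE.finditer(text)]


def parse_hooks(text):
    """(process, pid, module!symbol, jump target, owning module or None)."""
    return [(m.group(1), m.group(2), m.group(3), m.group(4), m.group(5).strip() or None)
            for m in HOOK_RE.finditer(text)]


@dataclass
class Finding:
    severity: str
    summary: str


def triage(text):
    """Cross-check the parsed sections and return the findings worth acting on."""
    findings = []
    dlls, netsvcs = parse_service_dlls(text), parse_netsvcs(text)
    for name in parse_hidden_services(text):
        findings.append(Finding("high", f"GMER: service '{name}' is hidden from the SCM"))
    for name, (display, image) in parse_services(text).items():
        if "svchost.exe" not in image.lower() or name not in dlls:
            continue
        where = " and is listed in the NetSvcs group" if name in netsvcs else ""
        findings.append(Finding("high",
            f"svchost-hosted service '{name}' ({display}) loads {dlls[name]}{where}"))
    for port, proto, rule in parse_open_ports(text):
        findings.append(Finding("medium",
            f"firewall exception opens {port}/{proto} globally under rule '{rule}'; confirm an owner"))
    for proc, pid, symbol, target, module in parse_hooks(text):
        if module is None and PureWindowsPath(proc).name.lower() == "svchost.exe":
            findings.append(Finding("high",
                f"inline JMP hook on {symbol} in {proc}[{pid}] to {target} with no owning module"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.summary}")
```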