Hardware Upgrade Forum > Networking and Security > Antivirus and Security > Help, I'm infected! What do I do?


Thread closed
07-06-2009, 12:38   #1
Wallè
Member

Joined: Jun 2007
Posts: 88
Conficker infection

Hi everyone... I followed the Conficker removal guide up to the point where I have to post the logs... The tests I ran say I'm infected with:

Possibly Infected by Conficker A/B variant
Status: System is possibly infected with Conficker.B
clean Status: There are no signs for an infection.

That said, here are the logs:

BDTOOLS REMOVE Downadup

Code:
Ok Loading BitDefender Engines
State 0
Sleeping 3 seconds...
Found so far : 0x0 files/regs
Searching for Downadup file .... 
   - System folder 
tkown -> C:\WINDOWS\system32\zijbtq.dll
   - Temporary folder 
   - Program Files 
   - Application Data 
Found so far : 0x0 files/regs
No Traces of Downadup Worm were found
ComboFix

Code:
ComboFix 09-06-06.03 - utente1 07/06/2009 10.27.16.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.39.1040.18.3583.3114 [GMT 2:00]
Eseguito da: c:\documents and settings\utente1\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090606-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
 ADS - WINDOWS: deleted 72 bytes in 1 streams. 

(((((((((((((((((((((((((   Files Creati Da 2009-05-07 al 2009-06-07  )))))))))))))))))))))))))))))))))))
.

2009-06-06 17:44 . 2009-06-06 17:44	--------	d-sh--w-	c:\documents and settings\All Users\Dati applicazioni\SecuROM
2009-06-06 16:08 . 2009-06-06 16:09	--------	d-----w-	c:\programmi\Rockstar Games
2009-06-06 13:12 . 2009-06-06 13:12	--------	d-----w-	c:\programmi\Spybot - Search & Destroy
2009-06-06 13:09 . 2009-06-06 13:09	604416	----a-w-	c:\windows\system32\TUProgSt.exe
2009-06-06 13:09 . 2009-04-27 12:21	28928	----a-w-	c:\windows\system32\uxtuneup.dll
2009-06-06 13:09 . 2009-06-06 13:09	361216	----a-w-	c:\windows\system32\TuneUpDefragService.exe
2009-06-06 13:09 . 2009-06-06 13:09	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\TuneUp Software
2009-06-06 13:09 . 2009-06-06 13:09	--------	d-----w-	c:\programmi\TuneUp Utilities 2009
2009-06-06 13:09 . 2009-06-06 13:09	--------	d-----w-	c:\documents and settings\All Users\Dati applicazioni\TuneUp Software
2009-06-06 13:08 . 2009-06-06 13:08	--------	d-sh--w-	c:\documents and settings\All Users\Dati applicazioni\{55A29068-F2CE-456C-9148-C869879E2357}
2009-06-06 12:57 . 2009-06-06 13:15	--------	d-----w-	c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-06-05 20:39 . 2009-06-06 12:54	--------	d-----w-	c:\programmi\Microsoft Games for Windows - LIVE
2009-06-05 20:39 . 2009-06-05 20:39	--------	d-----w-	c:\windows\system32\xlive
2009-06-05 16:27 . 2009-06-05 16:27	107888	----a-w-	c:\windows\system32\CmdLineExt.dll
2009-06-05 15:07 . 2009-06-05 15:07	--------	d-----w-	c:\documents and settings\All Users\Dati applicazioni\nView_Profiles
2009-06-03 13:01 . 2009-06-03 13:01	--------	d--h--r-	c:\documents and settings\utente1\Dati applicazioni\SecuROM
2009-06-02 21:10 . 2009-06-06 15:59	--------	d-----w-	c:\documents and settings\utente1\Impostazioni locali\Dati applicazioni\Rockstar Games
2009-06-02 21:05 . 2009-06-02 21:05	--------	d-----w-	c:\windows\system32\drivers\umdf
2009-06-02 19:41 . 2009-06-06 20:59	2619544	----a-w-	c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\FontCache3.0.0.0.dat
2009-06-02 19:39 . 2009-06-02 19:42	--------	d-----w-	c:\windows\system32\XPSViewer
2009-06-02 19:39 . 2009-06-02 19:39	--------	d-----w-	c:\programmi\Reference Assemblies
2009-06-02 19:37 . 2006-09-15 23:05	23856	----a-w-	c:\windows\system32\spupdsvc.exe
2009-06-02 19:37 . 2006-06-29 11:07	14048	------w-	c:\windows\system32\spmsg2.dll
2009-05-21 22:51 . 2009-05-21 22:51	41808	----a-w-	c:\windows\system32\xfcodec.dll
2009-05-12 16:40 . 2009-05-12 16:40	88916	---ha-w-	c:\windows\system32\mlfcache.dat
2009-05-12 10:37 . 2009-05-12 10:37	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\EPSON
2009-05-09 15:02 . 2009-05-09 15:02	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\vlc
2009-05-08 17:00 . 2009-05-08 17:00	--------	d-----w-	c:\programmi\ElcomSoft

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-06 20:59 . 2009-03-27 18:04	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\uTorrent
2009-06-06 20:48 . 2009-03-27 17:42	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\Xfire
2009-06-06 16:29 . 2009-03-27 18:10	138920	----a-w-	c:\windows\system32\drivers\PnkBstrK.sys
2009-06-06 16:29 . 2009-03-27 18:10	189072	----a-w-	c:\windows\system32\PnkBstrB.exe
2009-06-06 16:09 . 2009-03-25 19:13	--------	d--h--w-	c:\programmi\InstallShield Installation Information
2009-06-06 14:35 . 2009-03-27 18:05 140240	----a-w-	c:\documents and settings\utente1\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-06-05 19:09 . 2009-03-25 22:39	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\Ahead
2009-06-05 15:53 . 2009-03-28 00:29	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\mIRC
2009-06-03 13:00 . 2009-03-27 17:42	--------	d-----w-	c:\programmi\Xfire
2009-06-02 19:41 . 2001-08-31 12:00	475968	----a-w-	c:\windows\system32\perfh010.dat
2009-06-02 19:41 . 2001-08-31 12:00	78324	----a-w-	c:\windows\system32\perfc010.dat
2009-06-02 19:41 . 2009-03-25 23:07	--------	d-----w-	c:\programmi\MSBuild
2009-05-28 13:27 . 2009-05-01 09:43	--------	d-----w-	c:\programmi\Mozilla Thunderbird
2009-05-28 13:16 . 2009-03-27 17:46	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\teamspeak2
2009-05-24 09:46 . 2009-04-08 14:43	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\FileZilla
2009-05-11 13:59 . 2009-04-22 11:37	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\Skype
2009-05-11 13:58 . 2009-04-22 11:39	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\skypePM
2009-05-03 22:35 . 2009-05-03 22:35	--------	d-----w-	c:\programmi\Xi
2009-05-02 23:13 . 2009-05-02 23:05	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\MySQL-Front
2009-05-02 05:47 . 2009-04-26 16:08	--------	d-----w-	c:\programmi\EA Sports
2009-05-01 11:42 . 2009-05-01 11:42	--------	d-----w-	c:\programmi\MySQL
2009-05-01 09:43 . 2009-05-01 09:43	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\Talkback
2009-05-01 09:43 . 2009-05-01 09:43	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\Thunderbird
2009-04-30 14:07 . 2009-04-30 14:04	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\WebStripper
2009-04-29 13:07 . 2009-04-29 13:07	--------	d-----w-	c:\programmi\Electronic Arts
2009-04-22 11:39 . 2009-04-22 11:39	56	---ha-w-	c:\windows\system32\ezsidmv.dat
2009-04-22 11:37 . 2009-04-22 11:37	--------	d-----w-	c:\programmi\File comuni\Skype
2009-04-22 11:37 . 2009-04-22 11:37	--------	d-----r-	c:\programmi\Skype
2009-04-22 11:37 . 2009-04-22 11:37	--------	d-----w-	c:\documents and settings\All Users\Dati applicazioni\Skype
2009-04-14 17:43 . 2009-04-14 17:43	--------	d-----w-	c:\programmi\Elaborate Bytes
2009-04-14 17:37 . 2009-04-14 17:37	--------	d-----w-	c:\documents and settings\All Users\Dati applicazioni\SlySoft
2009-04-14 17:35 . 2009-04-14 17:35	--------	d-----w-	c:\programmi\SlySoft
2009-04-14 17:23 . 2009-04-14 17:23	--------	d-----w-	c:\programmi\ClonyXXL
2009-04-14 10:29 . 2009-04-12 10:31	--------	d-----w-	c:\programmi\File comuni\Logishrd
2009-04-12 10:32 . 2009-04-12 10:32	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\Logitech
2009-04-12 10:32 . 2009-04-12 10:32	--------	d-----w-	c:\documents and settings\All Users\Dati applicazioni\LogiShrd
2009-04-10 10:37 . 2009-04-10 10:37	--------	d-----w-	c:\documents and settings\utente1\Dati applicazioni\dyyno-vlc
2009-04-10 10:36 . 2009-04-10 10:36	--------	d-----w-	c:\programmi\Dyyno
2009-04-10 00:40 . 2009-04-10 00:40	103744	----a-w-	c:\windows\system32\drivers\AnyDVD.sys
2009-04-03 13:15 . 2009-03-27 18:10	75064	----a-w-	c:\windows\system32\PnkBstrA.exe
2009-03-28 15:16 . 2009-03-28 15:16	410984	-c--a-w-	c:\windows\system32\deploytk.dll
2009-03-28 15:16 . 2009-03-28 15:16	152576	----a-w-	c:\documents and settings\utente1\Dati applicazioni\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-28 00:21 . 2009-03-28 00:21	0	-c--a-w-	c:\windows\nsreg.dat
2009-03-28 00:07 . 2009-03-28 00:07	2232	-c--a-w-	c:\windows\java\Packages\Data\RPRTRH73.DAT
2009-03-28 00:07 . 2009-03-28 00:07 155995	----a-w-	c:\windows\java\Packages\NF7HBD7J.ZIP
2009-03-28 00:07 . 2009-03-28 00:07	2678	-c--a-w-	c:\windows\java\Packages\Data\CDFZ79B9.DAT
2009-03-28 00:07 . 2009-03-28 00:07	2678	-c--a-w-	c:\windows\java\Packages\Data\MHVBR9ZT.DAT
2009-03-28 00:07 . 2009-03-28 00:07	2678	-c--a-w-	c:\windows\java\Packages\Data\E7VVN5ZP.DAT
2009-03-28 00:07 . 2009-03-28 00:07	2678	-c--a-w-	c:\windows\java\Packages\Data\9BDR9RRV.DAT
2009-03-28 00:07 . 2009-03-28 00:07	2678	-c--a-w-	c:\windows\java\Packages\Data\79RPJPNJ.DAT
2009-03-27 18:10 . 2009-03-27 18:10	22328	----a-w-	c:\documents and settings\utente1\Dati applicazioni\PnkBstrK.sys
2009-03-27 18:10 . 2009-03-27 18:10	22328	----a-w-	c:\documents and settings\utente1\Dati applicazioni\PnkBstrK.sys
2009-03-25 22:35 . 2009-03-25 22:35	69632	----a-r-	c:\documents and settings\utente1\Dati applicazioni\Microsoft\Installer\{B358DA4D-0918-436E-A0E6-4813B1E5965A}\NewShortcut2_B358DA4D0918436EA0E64813B1E5965A.exe
2009-03-25 22:35 . 2009-03-25 22:35	69632	----a-r-	c:\documents and settings\utente1\Dati applicazioni\Microsoft\Installer\{B358DA4D-0918-436E-A0E6-4813B1E5965A}\NewShortcut1_B358DA4D0918436EA0E64813B1E5965A.exe
2009-03-25 22:35 . 2009-03-25 22:35	10134	----a-r-	c:\documents and settings\utente1\Dati applicazioni\Microsoft\Installer\{B358DA4D-0918-436E-A0E6-4813B1E5965A}\ARPPRODUCTICON.exe
2009-03-25 19:12 . 2009-03-25 19:12	319488	-c--a-w-	c:\windows\HideWin.exe
2009-03-25 17:19 . 2009-03-25 16:51	86327	-c--a-w-	c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-25 16:49 . 2009-03-25 16:49	21840	-c--a-w-	c:\windows\system32\emptyregdb.dat
2009-03-19 08:42 . 2009-04-10 10:35	217088	----a-w-	c:\documents and settings\utente1\Dati applicazioni\Mozilla\Firefox\Profiles\562h523s.default\extensions\[email protected]\Plugins\npDyyno.dll
2008-04-13 17:13 . 2008-04-13 17:13	166162	--sha-r-	c:\windows\system32\zijbtq.dll
.

(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati. 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-25 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-25 86016]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Motive SmartBridge"="c:\progra~1\ALICET~1\SMARTB~1\MotiveSB.exe" [2006-04-21 438359]
"EPSON Stylus DX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE" [2005-02-08 98304]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-03-28 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-31 16806912]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-06-25 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\Xfire\\xfire.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Programmi\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Programmi\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\utente1\\Impostazioni locali\\Dati applicazioni\\Dyyno Receiver\\DPPM.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\utente1\\Desktop\\mIRC.exe"=
"c:\\Programmi\\Electronic Arts\\Burnout(TM) Paradise The Ultimate Box\\BurnoutLauncher.exe"=
"c:\\Programmi\\Electronic Arts\\Burnout(TM) Paradise The Ultimate Box\\BurnoutConfigTool.exe"=
"c:\\Programmi\\Electronic Arts\\Burnout(TM) Paradise The Ultimate Box\\BurnoutParadise.exe"=
"c:\\Programmi\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Neoact\\Carom3D\\carom.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Programmi\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"c:\\Programmi\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Documents and Settings\\utente1\\Desktop\\Halo_Custom_Edition_-_Upload_by_Doom32x\\Halo Custom Edition - Upload by Doom32x\\Halo Custom Edition\\Halo Custom Edition\\Halo Custom Edition\\haloce.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9761:TCP"= 9761:TCP:oraton

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [27/03/2009 19.50.11 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [27/03/2009 19.50.11 20560]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [06/06/2009 15.09.26 604416]
R3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [25/01/2008 11.12.34 25088]
S2 xwkwp;Installer System;c:\windows\system32\svchost.exe -k netsvcs [13/04/2008 19.14.22 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
xwkwp
.
Contenuto della cartella 'Scheduled Tasks'

2009-06-07 c:\windows\Tasks\Manutenzione in 1 clic.job
- c:\programmi\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:55]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

SafeBoot-procexp90.Sys


.
------- Scansione supplementare -------
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\utente1\Dati applicazioni\Mozilla\Firefox\Profiles\562h523s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - component: c:\documents and settings\utente1\Dati applicazioni\Mozilla\Firefox\Profiles\562h523s.default\extensions\{7378B8C2-FC38-41b8-A8C9-875D1F5B0A24}\components\NativeComponent.dll
FF - component: c:\programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\utente1\Dati applicazioni\Mozilla\Firefox\Profiles\562h523s.default\extensions\[email protected]\plugins\npDyyno.dll
FF - plugin: c:\programmi\Dyyno\Dyyno Player\npvlc.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-07 10:28
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ... 

scansione entrate autostart nascoste ... 

Scansione files nascosti ... 

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xwkwp]
"ServiceDll"="c:\windows\system32\zijbtq.dll"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-2000478354-1788223648-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:14,f8,55,b3,db,6a,7d,e7,4d,df,53,f5,d5,e1,ed,92,a6,8c,98,d0,8c,
   de,0a,74,37,34,57,a3,23,e7,78,65,3e,12,5a,cc,b3,46,e0,7b,f4,c5,57,a4,eb,e5,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(1328)
c:\progra~1\ALICET~1\SMARTB~1\SBHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Ora fine scansione: 2009-06-07 10.29.45
ComboFix-quarantined-files.txt  2009-06-07 08:29

Pre-Run: 189.944.283.136 byte disponibili
Post-Run: 189.991.710.720 byte disponibili

224
Gmer

Code:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-07 12:33:24
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwClose [0xB6F866B8]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwCreateKey [0xB6F86574]
SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                   ZwCreatePagingFile [0xBA780B00]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwDeleteValueKey [0xB6F86A52]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwDuplicateObject [0xB6F8614C]
SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                   ZwEnumerateKey [0xBA7815DC]
SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                   ZwEnumerateValueKey [0xBA78D120]
SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                   ZwOpenFile [0xBA780B40]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwOpenKey [0xB6F8664E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwOpenProcess [0xB6F8608C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwOpenThread [0xB6F860F0]
SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                   ZwQueryKey [0xBA7815FC]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwQueryValueKey [0xB6F8676E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwRestoreKey [0xB6F8672E]
SSDT            a347bus.sys (Plug and Play BIOS Extension/ )                                                                   ZwSetSystemPowerState [0xBA78C550]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                          ZwSetValueKey [0xB6F868AE]

Code            \??\C:\DOCUME~1\utente1\IMPOST~1\Temp\catchme.sys                                                              pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

?               C:\DOCUME~1\utente1\IMPOST~1\Temp\catchme.sys                                                                  Impossibile trovare il file specificato. !
?               C:\WINDOWS\system32\Drivers\PROCEXP90.SYS                                                                      Impossibile trovare il file specificato. !

---- User code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\System32\svchost.exe[1780] ntdll.dll!NtQueryInformationProcess                                      7C91D7E0 5 Bytes  JMP 02999DC2 
.text           C:\WINDOWS\System32\svchost.exe[1780] NETAPI32.dll!NetpwPathCanonicalize                                       5BC7A3A9 5 Bytes  JMP 02999D62 
.text           C:\WINDOWS\system32\svchost.exe[1964] ntdll.dll!NtQueryInformationProcess                                      7C91D7E0 5 Bytes  JMP 007D9DC2 
.text           C:\Programmi\Microsoft Office\Office12\WINWORD.EXE[2696] kernel32.dll!SetUnhandledExceptionFilter              7C8449FD 5 Bytes  JMP 32605629 C:\Programmi\File comuni\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS\system32\services.exe[1428] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  00380002
IAT             C:\WINDOWS\system32\services.exe[1428] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]        00380000

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                                         8A85AB60

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                         aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device          \FileSystem\Fastfat \FatCdrom                                                                                  8A2902E0
Device          \FileSystem\Udfs \UdfsCdRom                                                                                    8A49DB00
Device          \FileSystem\Udfs \UdfsDisk                                                                                     8A49DB00

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                       aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                      aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device          \Driver\Cdrom \Device\CdRom0                                                                                   8A3A8450
Device          \FileSystem\Rdbss \Device\FsWrap                                                                               8A3001F0
Device          \Driver\Cdrom \Device\CdRom1                                                                                   8A3A8450
Device          \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-12                                                                   8A51DA58
Device          \Driver\atapi \Device\Ide\IdePort0                                                                             8A51DA58
Device          \Driver\atapi \Device\Ide\IdePort1                                                                             8A51DA58
Device          \Driver\atapi \Device\Ide\IdePort2                                                                             8A51DA58
Device          \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-7                                                                    8A51DA58
Device          \Driver\atapi \Device\Ide\IdePort3                                                                             8A51DA58
Device          \Driver\atapi \Device\Ide\IdePort4                                                                             8A51DA58
Device          \Driver\atapi \Device\Ide\IdePort5                                                                             8A51DA58
Device          \Driver\Cdrom \Device\CdRom2                                                                                   8A3A8450
Device          \FileSystem\Srv \Device\LanmanServer                                                                           8A2BB2C0

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                      aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                    aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                              8A668D58
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                    8A668D58
Device          \FileSystem\Npfs \Device\NamedPipe                                                                             8A7ED880
Device          \FileSystem\Msfs \Device\Mailslot                                                                              8A663C38
Device          \Driver\a347scsi \Device\Scsi\a347scsi1Port6Path0Target1Lun0                                                   8A221008
Device          \Driver\a347scsi \Device\Scsi\a347scsi1                                                                        8A221008
Device          \Driver\a347scsi \Device\Scsi\a347scsi1Port6Path0Target0Lun0                                                   8A221008
Device          \FileSystem\Fastfat \Fat                                                                                       8A2902E0

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                       fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                       aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device          \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer                                                             8A64FB40
Device          \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer                                                              8A64FB40
Device          \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer                                                                  8A64FB40
Device          \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer                                                               8A64FB40
Device          \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer                                                              8A64FB40
Device          \FileSystem\Cdfs \Cdfs                                                                                         8A3D5880

---- Modules - GMER 1.0.15 ----

Module          _________                                                                                                      BA6E3000-BA6FB000 (98304 bytes)

---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\svchost.exe (*** hidden *** )                                                              [AUTO] xwkwp                                                                                                                                                                                                        <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40                                                  
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ujdew                                            0x20 0x02 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej40                                           0xA3 0xD5 0x5A 0x7A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej41                                           0x3D 0xD5 0x5A 0x7A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej42                                           0x3D 0xD5 0x5A 0x7A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej43                                           0x3D 0xD5 0x5A 0x7A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40@ljej44                                           0x3D 0xD5 0x5A 0x7A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg41                                                  
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg41@ujdew                                            0x20 0x02 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg41@ljej40                                           0xA3 0xD5 0x5A 0x7A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg41@ljej41                                           0x3D 0xD5 0x5A 0x7A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg41@ljej42                                           0x3D 0xD5 0x5A 0x7A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg41@ljej43                                           0x3D 0xD5 0x5A 0x7A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg41@ljej44                                           0x3D 0xD5 0x5A 0x7A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\xwkwp@DisplayName                                                       Installer System
Reg             HKLM\SYSTEM\CurrentControlSet\Services\xwkwp@Type                                                              32
Reg             HKLM\SYSTEM\CurrentControlSet\Services\xwkwp@Start                                                             2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\xwkwp@ErrorControl                                                      0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\xwkwp@ImagePath                                                         %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\CurrentControlSet\Services\xwkwp@ObjectName                                                        LocalSystem
Reg             HKLM\SYSTEM\CurrentControlSet\Services\xwkwp@Description                                                       Esegue le funzioni di ripristino del sistema. Per interrompere il servizio, disattivare Ripristino configurazione di sistema nella scheda Ripristino configurazione di sistema in Risorse del computer->Proprietà
Reg             HKLM\SYSTEM\CurrentControlSet\Services\xwkwp\Parameters                                                        
Reg             HKLM\SYSTEM\CurrentControlSet\Services\xwkwp\Parameters@ServiceDll                                             C:\WINDOWS\system32\zijbtq.dll
Reg             HKLM\SYSTEM\ControlSet002\Services\xwkwp@DisplayName                                                           Installer System
Reg             HKLM\SYSTEM\ControlSet002\Services\xwkwp@Type                                                                  32
Reg             HKLM\SYSTEM\ControlSet002\Services\xwkwp@Start                                                                 2
Reg             HKLM\SYSTEM\ControlSet002\Services\xwkwp@ErrorControl                                                          0
Reg             HKLM\SYSTEM\ControlSet002\Services\xwkwp@ImagePath                                                             %SystemRoot%\system32\svchost.exe -k netsvcs
Reg             HKLM\SYSTEM\ControlSet002\Services\xwkwp@ObjectName                                                            LocalSystem
Reg             HKLM\SYSTEM\ControlSet002\Services\xwkwp@Description                                                           Esegue le funzioni di ripristino del sistema. Per interrompere il servizio, disattivare Ripristino configurazione di sistema nella scheda Ripristino configurazione di sistema in Risorse del computer->Proprietà
Reg             HKLM\SYSTEM\ControlSet002\Services\xwkwp\Parameters                                                            
Reg             HKLM\SYSTEM\ControlSet002\Services\xwkwp\Parameters@ServiceDll                                                 C:\WINDOWS\system32\zijbtq.dll
Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}@DisplayName    Alcohol 120%
Reg             HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6@ProductName                          Alcohol 120%

---- EOF - GMER 1.0.15 ----
Wallè is offline
Old 07-06-2009, 13:51   #2
bozzato
Senior Member
 
Joined: Feb 2009
Posts: 481
Follow this guide and post the tools' logs in that thread.

http://www.hwupgrade.it/forum/showthread.php?t=1984665

Logs must be posted according to the section rules, i.e. on the listed remote servers (e.g. www.wikisend.com).
bozzato is offline
Old 07-06-2009, 20:28   #3
Chill-Out
Moderator
 
Joined: Jun 2007
City: 127.0.0.1
Posts: 25885
Closing.
__________________
Try again and you will be luckier.
Chill-Out is offline
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2025, Jelsoft Enterprises Ltd.