#1

Member
Joined: Jun 2008
Posts: 30
Hit by rootkit rotscxmdhndocy.sys [GMER log][VISTA]
Hi everyone,
GMER has detected a dangerous service but I don't know what I need to do to remove it. I tried "disable service" from GMER but after rebooting everything is as before. I ran the scan and the attempted removal in safe mode. As antivirus I have Avira and when I'm not in safe mode it shows me lots of warning windows about an infection found, but even though I tell it to block access and remember the choice, it keeps popping up once every 3-4 minutes. Please help me!!!! Thanks in advance. Here's the log: Code:
GMER 1.0.15.15086 - http://www.gmer.net
Rootkit scan 2009-09-15 15:56:34
Windows 6.0.6002 Service Pack 2
Running: 2mt526wb.exe; Driver: C:\Users\Antonio\AppData\Local\Temp\aujasnkj.sys

---- System - GMER 1.0.15 ----

Code 8CC70C18 ZwEnumerateKey
Code 8C7DB2D0 ZwFlushInstructionCache
Code 8C7D92BE ZwSaveKey
Code 8C7D02C6 ZwSaveKeyEx
Code 8558695D IofCallDriver
Code 8C7CC32E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 81C4D912 5 Bytes JMP 85586962
.text ntkrnlpa.exe!IofCompleteRequest 81C4D97F 5 Bytes JMP 8C7CC333
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81DB8EF5 5 Bytes JMP 8C7DB2D4
PAGE ntkrnlpa.exe!ZwEnumerateKey 81E060BA 5 Bytes JMP 8CC70C1C
PAGE ntkrnlpa.exe!ZwSaveKey 81E5B969 5 Bytes JMP 8C7D92C2
PAGE ntkrnlpa.exe!ZwSaveKeyEx 81E5BB07 5 Bytes JMP 8C7D02CA

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Gestione filtri file system Microsoft/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\rotscxmdhndocy.sys (*** hidden *** ) [SYSTEM] rotscxxpsbgnba <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bfb56facb
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e3d3a15ae
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba@imagepath \systemroot\system32\drivers\rotscxmdhndocy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main@aid 10072
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main\injector@* rotscxwsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\drivers\rotscxmdhndocy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxncxfosid.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxxdeeybem.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxqpwnqeqn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxebnuivwv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxtwxtvfpa.dll
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bfb56facb (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e3d3a15ae (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba@imagepath \systemroot\system32\drivers\rotscxmdhndocy.sys
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main@aid 10072
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main\injector@* rotscxwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\drivers\rotscxmdhndocy.sys
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxncxfosid.dat
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxxdeeybem.dat
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxqpwnqeqn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxebnuivwv.dll

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\rotscxmdhndocy.sys 69632 bytes <-- ROOTKIT !!!
File C:\Windows\System32\rotscxbojipcos.dll 20480 bytes
File C:\Windows\System32\rotscxebnuivwv.dll 20480 bytes
File C:\Windows\System32\rotscxjieuexdj.dat 43 bytes
File C:\Windows\System32\rotscxncxfosid.dat 43 bytes
File C:\Windows\System32\rotscxqpwnqeqn.dll 44544 bytes
File C:\Windows\System32\rotscxtqmiydck.dat 8848 bytes
File C:\Windows\System32\rotscxtwxtvfpa.dll 19456 bytes executable
File C:\Windows\System32\rotscxvewfqtup.dll 19456 bytes executable
File C:\Windows\System32\rotscxxdeeybem.dat 2368 bytes
File C:\Windows\System32\rotscxxsqweker.dll 44544 bytes

---- EOF - GMER 1.0.15 ----

Last edited by MeridianEX: 15-09-2009 at 16:09. Reason: so that if someone searches for the same rootkit they might find my post sooner
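A small triage script for a GMER log like the one above, added here as an example and not part of the original post or of GMER itself: it parses the inline-hook, hidden-service, registry and file lines and ties the hidden service to its start/type values, its image path and the other files sharing its name prefix, which is the reading a responder does before deciding whether a plain "disable service" can stick. The sample lines are copied from the log in this post, trimmed to the relevant sections.

```python
"""Triage helper for GMER rootkit-scan logs (added example for this thread; not part of
the forum post and not GMER's own code). It parses the line formats seen in the log
above and correlates the hidden service with its registry persistence and with the
dropped files that share its random-looking name prefix."""
import ntpath
import os
import re

# Inline hook: ".text ntkrnlpa.exe!IofCallDriver 81C4D912 5 Bytes JMP 85586962"
HOOK_RE = re.compile(
    r"^(?P<section>\.?\w+)\s+(?P<module>[\w.]+)!(?P<symbol>\w+)\s+(?P<addr>[0-9A-Fa-f]{8})"
    r"\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
)
# Hidden service: "Service C:\...\x.sys (*** hidden *** ) [SYSTEM] name <-- ROOTKIT !!!"
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\*\s*hidden\s*\*\*\*\s*\)\s+\[(?P<state>\w+)\]\s+(?P<name>\S+)"
)
# File entry: "File C:\Windows\System32\x.dll 20480 bytes executable"
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes(?P<rest>.*)$")
# Registry value: "Reg HKLM\...\Services\name@imagepath \systemroot\...\x.sys"
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<value>\S+)\s+(?P<data>.*))?$")
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)(.*)$", re.IGNORECASE)


def parse_gmer(log_text):
    """Split a GMER log into hooks, hidden services, files and per-service registry values."""
    hooks, hidden, files, services = [], [], [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            hooks.append({"symbol": f"{m['module']}!{m['symbol']}", "section": m["section"],
                          "addr": int(m["addr"], 16), "target": int(m["target"], 16)})
        elif m := SERVICE_RE.match(line):
            hidden.append({"name": m["name"], "image": m["image"], "state": m["state"]})
        elif m := FILE_RE.match(line):
            files.append({"path": m["path"], "size": int(m["size"]),
                          "flagged": "ROOTKIT" in m["rest"]})
        elif (m := REG_RE.match(line)) and m["value"] is not None:
            sk = SERVICE_KEY_RE.search(m["key"])
            if sk:  # stored as "<subkey>@<value>": "@start", "main\injector@*", ...
                rel = sk.group(2).lstrip("\\")
                services.setdefault(sk.group(1), {})[f"{rel}@{m['value']}"] = m["data"]
    return {"hooks": hooks, "hidden": hidden, "files": files, "services": services}


def triage(log_text):
    """Correlate the parsed entries the way an analyst reads the log by hand."""
    p = parse_gmer(log_text)
    report = {"inline_hooks": sorted(h["symbol"] for h in p["hooks"]), "hidden_services": []}
    for svc in p["hidden"]:
        vals = p["services"].get(svc["name"], {})
        driver = ntpath.basename(svc["image"])
        # Dropped components usually share the random-looking prefix of driver and service name.
        prefix = os.path.commonprefix([driver.rsplit(".", 1)[0].lower(), svc["name"].lower()])
        components = [f["path"] for f in p["files"]
                      if len(prefix) >= 4 and ntpath.basename(f["path"]).lower().startswith(prefix)]
        report["hidden_services"].append({
            "name": svc["name"],
            "driver": driver,
            # start=1 is SERVICE_SYSTEM_START and type=1 is SERVICE_KERNEL_DRIVER: a kernel
            # driver loaded early at boot, which is why "disable service" did not stick.
            "boot_loaded_driver": vals.get("@start") == "1" and vals.get("@type") == "1",
            "load_group": vals.get("@group"),
            "imagepath_matches": ntpath.basename(vals.get("@imagepath", "")).lower() == driver.lower(),
            "injected_dll": vals.get("main\\injector@*"),
            "name_prefix": prefix,
            "components": components,
        })
    return report


# Sample input: lines copied from the GMER log posted above, trimmed to the relevant sections.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 81C4D912 5 Bytes JMP 85586962
.text ntkrnlpa.exe!IofCompleteRequest 81C4D97F 5 Bytes JMP 8C7CC333
PAGE ntkrnlpa.exe!ZwEnumerateKey 81E060BA 5 Bytes JMP 8CC70C1C
PAGE ntkrnlpa.exe!ZwSaveKey 81E5B969 5 Bytes JMP 8C7D92C2
---- Services - GMER 1.0.15 ----
Service C:\Windows\system32\drivers\rotscxmdhndocy.sys (*** hidden *** ) [SYSTEM] rotscxxpsbgnba <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba@imagepath \systemroot\system32\drivers\rotscxmdhndocy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main\injector@* rotscxwsp8.dll
---- Files - GMER 1.0.15 ----
File C:\Windows\System32\drivers\rotscxmdhndocy.sys 69632 bytes <-- ROOTKIT !!!
File C:\Windows\System32\rotscxbojipcos.dll 20480 bytes
File C:\Windows\System32\rotscxncxfosid.dat 43 bytes
File C:\Windows\System32\rotscxtwxtvfpa.dll 19456 bytes executable
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```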
#2

Senior Member
Joined: Dec 2007
City: Brianza
Posts: 14704
#3

Member
Joined: Jun 2008
Posts: 30
Hi,
thanks for the quick reply. So I start ComboFix in safe mode, running it with administrator privileges (but I also tried several times without privileges), and I get the following results: every so often it shows: Access Denied. Administrator permissions are needed to use selected option. Use an administrator command prompt to complete these tasks. Then at some point the following service (or process? I don't know) crashes and is closed by Windows: pev.cfxxe. Then ComboFix says: unable to find the file temp04, and finally a window appears saying that rootkit activity has been detected and that the PC will need to be restarted, but that it is useful to note down the name of the rootkit: rotscxmdhndocy.sys. Finally, if on reboot I go into normal mode the screen goes dark and I only see the cursor, which moves on command, but the rest is black. If I go back into safe mode nothing happens at all. Finally, in C:\ I don't find the .txt report but I find a kind of folder called combofix with the Explorer icon (the computer), but if I click on it it goes back to showing the contents of the PC. Is it serious? XD Is it known what this rootkit does?
#4

Moderator
Joined: Jun 2007
City: 127.0.0.1
Posts: 25885
Why did you run it from safe mode?
#5

Member
Joined: Jun 2008
Posts: 30
Because I generally read that antivirus, antispyware etc. work better in safe mode; is that false? Anyway, now it won't let me into normal mode any more, what do I do?
PS: In the extreme case, if I formatted would I solve the problem? I have two partitions and I don't know whether this "virus" has also "installed" itself on the other partition, causing an infection that formatting can't resolve. Is something like that possible? EDIT: anyway, the guide doesn't say it can't be run in safe mode. Did I mess up? XD Last edited by MeridianEX: 15-09-2009 at 17:25. Reason: to avoid a double post
#6

Moderator
Joined: Jun 2007
City: 127.0.0.1
Posts: 25885
Bingo...... follow this guide to create the Avira Rescue disc and disinfect the PC with it
http://www.hwupgrade.it/forum/showthread.php?t=1689812
#7

Member
Joined: Jun 2008
Posts: 30
OK, I'll try and let you know.
Thank you. PS: saying you're prompt is an understatement!
#8

Member
Joined: Jun 2008
Posts: 30
OK, I first ran Avira's Linux utility and then, after getting back into the OS, I ran ComboFix, which rebooted the PC a couple of times and gave me the log I attached.
Can I consider myself safe? Should I run another ComboFix scan? PS: Is ComboFix something to run every now and then to check for rootkits, or only in emergencies? Are there real-time anti-rootkits, like AntiVir for viruses? Thanks!!!!!!!!! EDIT: GMER shows me the same rootkit still present.... when it finishes I'll post the GMER log. Code:
ComboFix 09-09-14.02 - Antonio 15/09/2009 20.50.09.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.39.1040.18.2046.963 [GMT 2:00]
Eseguito da: c:\users\Antonio\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
Overlay Annulata ... Per Piacere rieseguite ComboFix
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1291333904-1192038900-1479001769-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-577328821-3187579651-2876703716-500
c:\windows\system32\drivers\rotscxmdhndocy.sys
.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_rotscxxpsbgnba
((((((((((((((((((((((((( Files Creati Da 2009-08-15 al 2009-09-15 )))))))))))))))))))))))))))))))))))
.
2009-09-15 13:05 . 2009-09-15 13:05 -------- d-----w- c:\program files\CCleaner
2009-09-15 12:36 . 2009-09-15 15:19 43 ----a-w- c:\windows\system32\rotscxncxfosid.dat
2009-09-15 12:26 . 2009-09-15 12:26 20480 ----a-w- c:\windows\system32\rotscxebnuivwv.dll
2009-09-15 12:25 . 2009-09-15 12:25 44544 ----a-w- c:\windows\system32\rotscxqpwnqeqn.dll
2009-09-15 11:11 . 2009-09-15 18:54 6984 ----a-w- c:\windows\system32\rotscxxdeeybem.dat
2009-09-14 12:26 . 2009-09-14 12:26 -------- d-----w- c:\users\Antonio\AppData\Roaming\ArcSoft
2009-09-13 21:51 . 2009-09-13 21:51 -------- d-----w- c:\programdata\ArcSoft
2009-09-13 21:41 . 2009-09-13 21:41 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-09-13 21:41 . 2009-09-15 11:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-13 21:40 . 2009-09-13 21:40 -------- d-----w- c:\windows\Downloaded Installations
2009-09-13 14:30 . 2009-09-15 10:43 43 ----a-w- c:\windows\system32\rotscxjieuexdj.dat
2009-09-13 14:29 . 2009-09-13 14:29 -------- d-----w- c:\users\Public\CyberLink
2009-09-13 14:29 . 2009-09-13 14:35 -------- d-----w- c:\users\Antonio\AppData\Local\Cyberlink
2009-09-13 14:29 . 2009-09-13 14:29 -------- d-----w- c:\users\Antonio\AppData\Roaming\CyberLink
2009-09-13 14:28 . 2009-09-13 14:29 -------- d-----w- c:\programdata\CyberLink
2009-09-13 14:28 . 2009-09-13 14:28 -------- d-----w- c:\program files\Common Files\CyberLink
2009-09-13 14:27 . 2009-09-13 14:27 -------- d-----w- c:\users\Antonio\AppData\Roaming\dvdcss
2009-09-13 14:27 . 2009-09-13 14:28 -------- d-----w- c:\program files\CyberLink
2009-09-13 14:26 . 2009-09-13 14:26 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-09-13 14:25 . 2009-09-13 14:25 20480 ----a-w- c:\windows\system32\rotscxbojipcos.dll
2009-09-13 14:25 . 2009-09-13 14:34 -------- d-----w- c:\users\Antonio\AppData\Roaming\vlc
2009-09-13 14:24 . 2009-09-15 11:06 8848 ----a-w- c:\windows\system32\rotscxtqmiydck.dat
2009-09-13 14:24 . 2009-09-13 14:24 44544 ----a-w- c:\windows\system32\rotscxxsqweker.dll
2009-09-13 14:23 . 2009-09-13 14:23 -------- d-----w- c:\program files\VideoLAN
2009-09-13 12:50 . 2009-09-13 12:50 -------- d-----w- c:\windows\system32\AGEIA
2009-09-13 12:50 . 2009-09-13 12:51 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-13 12:50 . 2009-09-13 12:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-13 12:50 . 2009-09-13 12:50 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-09-13 12:50 . 2009-09-13 12:50 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-09-13 12:50 . 2009-09-13 12:50 -------- d-----w- c:\program files\OpenAL
2009-09-13 12:46 . 2009-09-15 18:44 -------- d-----w- c:\users\Antonio\Tracing
2009-09-13 12:45 . 2009-09-13 12:45 -------- d-----w- c:\program files\Microsoft
2009-09-13 12:45 . 2009-09-13 12:45 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-13 12:45 . 2009-09-13 12:45 -------- d-----w- c:\program files\Windows Live
2009-09-13 12:45 . 2009-09-13 12:45 -------- d-----w- c:\windows\PCHEALTH
2009-09-13 12:43 . 2009-09-13 12:43 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-13 07:26 . 2009-09-15 18:45 -------- d-----w- c:\program files\Common Files\Steam
2009-09-13 07:26 . 2009-09-15 18:57 -------- d-----w- c:\program files\Steam
2009-09-13 07:20 . 2009-09-13 07:20 -------- d-----w- c:\users\Antonio\AppData\Roaming\OpenOffice.org
2009-09-12 22:26 . 2009-09-15 18:57 -------- d-----w- c:\programdata\NVIDIA
2009-09-12 22:26 . 2009-09-12 22:26 -------- d-----w- c:\program files\NVIDIA Corporation
2009-09-12 22:20 . 2009-08-17 12:49 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-12 21:51 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-12 21:39 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-09-12 21:39 . 2009-06-10 11:41 2868224 ----a-w- c:\windows\system32\mf.dll
2009-09-12 21:39 . 2009-04-23 12:14 623616 ----a-w- c:\windows\system32\localspl.dll
2009-09-12 21:39 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-09-12 21:39 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-09-12 21:39 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-09-12 21:39 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-09-12 21:39 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-09-12 21:39 . 2009-04-21 11:39 2034688 ----a-w- c:\windows\system32\win32k.sys
2009-09-12 21:39 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-12 21:39 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-12 21:38 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-12 21:38 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-12 21:38 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-09-12 21:38 . 2009-07-15 12:39 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-09-12 21:38 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-09-12 21:38 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-09-12 21:36 . 2009-04-23 12:15 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-09-12 21:32 . 2008-10-16 21:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll
2009-09-12 21:32 . 2008-10-16 21:09 51224 ----a-w- c:\windows\system32\wuauclt.exe
2009-09-12 21:32 . 2008-10-16 21:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-09-12 21:32 . 2008-10-16 20:56 1524736 ----a-w- c:\windows\system32\wucltux.dll
2009-09-12 21:32 . 2008-10-16 21:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-09-12 21:32 . 2008-10-16 21:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-09-12 21:32 . 2008-10-16 20:55 83456 ----a-w- c:\windows\system32\wudriver.dll
2009-09-12 21:32 . 2008-10-16 12:08 162064 ----a-w- c:\windows\system32\wuwebv.dll
2009-09-12 21:32 . 2008-10-16 11:56 31232 ----a-w- c:\windows\system32\wuapp.exe
2009-09-12 21:30 . 2009-09-12 21:30 -------- d-----w- c:\program files\7-Zip
2009-09-12 21:27 . 2009-09-12 21:27 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-12 21:27 . 2009-09-12 21:27 -------- d-----w- c:\users\Administrator
2009-09-12 21:25 . 2009-09-12 21:25 -------- d-----w- c:\users\Antonio\AppData\Roaming\DivX
2009-09-12 21:24 . 2009-09-12 21:24 -------- d-----w- c:\users\Antonio\AppData\Roaming\InterVideo
2009-09-12 20:37 . 2009-07-28 14:34 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-12 20:37 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-09-12 20:37 . 2009-09-12 20:37 -------- d-----w- c:\programdata\Avira
2009-09-12 20:37 . 2009-09-12 20:37 -------- d-----w- c:\program files\Avira
2009-09-12 20:04 . 2009-09-12 20:04 -------- d-----w- c:\users\Antonio\AppData\Roaming\InstallShield
2009-09-12 19:55 . 2009-09-12 19:55 -------- d-----w- c:\program files\Turn off LCD
2009-09-12 19:53 . 2009-09-12 19:53 -------- d-----w- c:\program files\JRE
2009-09-12 19:52 . 2009-09-12 19:53 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-12 19:52 . 2009-09-12 19:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-12 19:49 . 2009-09-12 21:23 -------- d-----w- C:\Update
2009-09-12 19:46 . 2009-09-15 14:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-12 19:46 . 2009-09-15 14:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-12 19:40 . 2009-09-12 19:40 -------- d-----w- c:\users\Antonio\AppData\Local\Mozilla
2009-09-12 19:10 . 2009-09-12 19:11 -------- d-----w- c:\windows\system32\ca-ES
2009-09-12 19:10 . 2009-09-12 19:11 -------- d-----w- c:\windows\system32\eu-ES
2009-09-12 19:10 . 2009-09-12 19:11 -------- d-----w- c:\windows\system32\vi-VN
2009-09-12 19:02 . 2009-09-12 19:02 -------- d-----w- c:\windows\system32\SPReview
2009-09-12 18:51 . 2009-04-10 21:28 928768 ----a-w- c:\windows\system32\scavenge.dll
2009-09-12 18:51 . 2009-04-10 21:27 57856 ----a-w- c:\windows\system32\compcln.exe
2009-09-12 18:46 . 2009-04-10 21:32 3549672 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-09-12 18:45 . 2009-04-10 21:28 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2009-09-12 18:31 . 2009-09-12 18:31 -------- d-----w- C:\PerfLogs
2009-09-12 17:54 . 2008-01-18 21:36 6656 ----a-w- c:\windows\system32\sdspres.dll
2009-09-12 17:54 . 2008-01-18 21:33 193024 ----a-w- c:\windows\system32\recdisc.exe
2009-09-12 17:53 . 2008-01-18 21:36 28160 ----a-w- c:\windows\system32\sxproxy.dll
2009-09-12 17:47 . 2008-01-18 21:35 25088 ----a-w- c:\windows\system32\Nlsdl.dll
2009-09-12 17:46 . 2008-01-18 21:34 69120 ----a-w- c:\windows\system32\GuidedHelp.dll
2009-09-12 17:44 . 2007-12-06 04:04 6656 ----a-w- c:\windows\system32\kbd106n.dll
2009-09-12 17:42 . 2009-09-12 17:42 -------- d-----w- c:\windows\system32\EventProviders
2009-09-12 17:38 . 2009-09-12 17:38 -------- d-----w- c:\users\Antonio\AppData\Local\Sony_NSCE
2009-09-12 17:37 . 2009-09-12 22:28 -------- d-----w- c:\users\Antonio\AppData\Local\VirtualStore
2009-09-12 16:07 . 2009-09-12 16:07 -------- d-----w- c:\program files\Common Files\InterVideo
2009-09-12 16:06 . 2009-09-12 16:07 -------- d-----w- c:\program files\InterVideo
2009-09-12 16:04 . 2009-09-12 16:04 -------- d-----w- C:\Documentation
2009-09-12 15:59 . 2009-09-12 15:59 -------- d-----w- c:\program files\Sony Corporation
2009-09-12 15:50 . 2009-09-12 15:50 -------- d-----w- c:\programdata\Sonic
2009-09-12 15:50 . 2009-09-12 15:50 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-09-12 15:50 . 2009-09-12 15:50 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-09-12 15:50 . 2009-09-12 15:50 -------- d-----w- c:\program files\Roxio
2009-09-12 15:49 . 2008-01-14 22:15 129520 ------w- c:\windows\system32\pxafs.dll
2009-09-12 15:49 . 2007-02-13 17:06 128104 ----a-w- c:\windows\system32\drivers\WimFltr.sys
2009-09-12 15:49 . 2007-02-13 16:30 14072 ----a-w- c:\windows\system32\drivers\vproeventmonitor.sys
2009-09-12 15:49 . 2007-02-13 16:33 37864 ----a-w- c:\windows\system32\drivers\v2imount.sys
2009-09-12 15:49 . 2009-09-12 20:04 -------- dc----w- c:\windows\system32\DRVSTORE
2009-09-12 15:49 . 2007-02-13 16:33 131944 ----a-w- c:\windows\system32\drivers\symsnap.sys
2009-09-12 15:49 . 2009-09-12 20:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-12 15:49 . 2009-09-12 20:04 -------- d-----w- c:\programdata\Symantec
2009-09-12 15:48 . 2009-09-13 21:50 -------- d-----w- c:\program files\ArcSoft
2009-09-12 15:47 . 2009-09-12 15:47 -------- d-----w- C:\InstantON
2009-09-12 15:40 . 2009-09-12 15:40 -------- d-----w- c:\programdata\VAIO Media Platform
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-15 18:57 . 2009-09-12 22:28 58845 ----a-w- c:\programdata\nvModes.dat
2009-09-15 18:55 . 2006-11-06 01:52 648340 ----a-w- c:\windows\system32\perfh010.dat
2009-09-15 18:55 . 2006-11-06 01:52 115248 ----a-w- c:\windows\system32\perfc010.dat
2009-09-15 18:55 . 2007-11-05 09:48 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-15 18:44 . 2009-09-12 17:36 83984 ----a-w- c:\users\Antonio\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-13 22:05 . 2007-11-05 10:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-12 22:34 . 2007-11-05 12:55 -------- d-----w- c:\programdata\Sony Corporation
2009-09-12 22:18 . 2009-09-12 17:36 1356 ----a-w- c:\users\Antonio\AppData\Local\d3d9caps.dat
2009-09-12 21:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-12 21:28 . 2007-11-05 12:52 -------- d-----w- c:\program files\DivX
2009-09-12 21:21 . 2007-11-05 12:51 -------- d-----w- c:\program files\Sony
2009-09-12 20:35 . 2007-11-05 12:56 -------- d-----w- c:\programdata\Skype
2009-09-12 20:06 . 2007-11-05 12:42 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-09-12 20:00 . 2007-11-05 09:41 -------- d-----w- c:\program files\Google
2009-09-12 19:51 . 2007-11-05 12:56 -------- d-----w- c:\program files\Java
2009-09-12 19:49 . 2009-09-12 17:36 -------- d-----w- c:\users\Antonio\AppData\Roaming\Sony Corporation
2009-09-12 19:35 . 2007-11-05 12:46 -------- d-----w- c:\programdata\Microsoft Help
2009-09-12 19:29 . 2007-11-05 12:49 -------- d-----w- c:\program files\Activation Assistant for the 2007 Microsoft Office suites
2009-09-12 19:12 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-12 19:12 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-12 19:12 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-12 19:12 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-12 19:12 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-12 19:11 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-12 19:07 . 2009-09-12 19:07 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-09-12 18:14 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-09-12 18:14 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-09-12 17:36 . 2009-09-12 17:36 0 ---ha-r- c:\windows\system32\drivers\Sony_VGN-FZ31S.mrk
2009-09-12 15:50 . 2007-11-05 12:52 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-09-12 15:39 . 2007-11-05 09:51 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-12 15:15 . 2009-09-12 15:15 -------- d-----w- c:\program files\CONEXANT
2009-08-14 16:27 . 2009-09-12 21:40 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-12 21:40 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-12 21:40 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-12 21:40 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-12 21:40 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-12 21:40 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-12 21:40 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-12 21:40 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-12 21:40 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-12 21:40 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-12 21:40 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-07-26 14:44 . 2009-07-26 14:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-21 21:52 . 2009-09-12 21:47 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-09-12 21:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-09-12 21:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-09-12 21:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-11 19:01 . 2009-09-12 21:40 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-12 21:40 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-12 21:40 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-12 21:40 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-12 21:40 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2009-09-13 1217784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-18 1008184]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-06-10 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-09-19 311296]
"MarketingTools"="c:\program files\Sony\Marketing Tools\MarketingTools.exe" [2007-11-05 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-12 149280]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13904416]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2009-08-28 75048]
c:\users\Antonio\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-8-28 739880]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-14 19:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):64,5a,5f,bd,dd,33,ca,01
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{75B0B802-AE1A-4B82-8C35-D723A421839C}"= UDP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{44C8D8A3-6A48-4126-B39F-58F7B9575C3D}"= TCP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{6B2F052B-CB37-4953-BCEA-6C31D8B1C183}"= Disabled:UDP:c:\program files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{78EB8929-9ED3-46E5-971E-1D4BF9B407BB}"= Disabled:TCP:c:\program files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{CD0E059F-9B31-459F-B5B1-C2F04854CAA3}"= UDP:c:\program files\Steam\steamapps\common\unreal tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{4FAA92FE-B8FF-42E6-96C4-3A99355167C8}"= TCP:c:\program files\Steam\steamapps\common\unreal tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{37E710B1-41C4-480F-83B5-BC604F9A7DB8}"= c:\program files\CyberLink\PowerDVD9\PowerDVD Cinema\PowerDVDCinema.exe:CyberLink PowerDVD 9.0
"{4414FD1D-0B76-4C03-B71A-148F1707EAB1}"= c:\program files\CyberLink\PowerDVD9\PowerDVD9.EXE:CyberLink PowerDVD 9.0
R1 archlp;archlp;c:\windows\System32\drivers\ArcHlp.sys [19/02/2009 14.22.52 127744]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/09/13 16:28];c:\program files\CyberLink\PowerDVD9\000.fcl [28/08/2009 12.57.14 87536]
R2 regi;regi;c:\windows\System32\drivers\regi.sys [17/04/2007 20.09.28 11032]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [17/08/2009 1.32.00 239648]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\System32\drivers\R5U870FLx86.sys [05/11/2007 19.34.51 75008]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\System32\drivers\R5U870FUx86.sys [05/11/2007 19.34.51 43904]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [05/11/2007 19.34.57 9344]
R3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [05/11/2007 19.34.56 812544]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [05/11/2007 12.50.59 28464]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [12/09/2009 17.40.10 745472]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [12/09/2009 17.40.09 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [12/09/2009 17.40.09 1089536]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [12/09/2009 17.56.30 292128]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [12/09/2009 22.06.29 87328]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.club-vaio.com
IE: Invia immagine alla periferica &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Invia pagina alla periferica &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Antonio\AppData\Roaming\Mozilla\Firefox\Profiles\adsr9r8m.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 20:57
Windows 6.0.6002 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxxpsbgnba]
"imagepath"="\systemroot\system32\drivers\rotscxmdhndocy.sys"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000059
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rotscxxpsbgnba]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\rotscxmdhndocy.sys"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------
- - - - - - - > 'Explorer.exe'(548)
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\nvvsvc.exe
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\System32\stacsv.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Apoint\ApntEx.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Ora fine scansione: 2009-09-15 21.01.20 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-09-15 19:01
Pre-Run: 49.304.757.248 byte disponibili
Post-Run: 49.013.868.544 byte disponibili
341 --- E O F --- 2009-09-15 06:15
Last edited by MeridianEX: 15-09-2009 at 21:17.

#9
Member
Joined: Jun 2008
Posts: 30
Code:
GMER 1.0.15.15086 - http://www.gmer.net
Rootkit scan 2009-09-15 21:39:24
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Antonio\AppData\Local\Temp\aujasnkj.sys
---- System - GMER 1.0.15 ----
SSDT 9C708E2C ZwCreateThread
SSDT 9C708E18 ZwOpenProcess
SSDT 9C708E1D ZwOpenThread
SSDT 9C708E27 ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 221 81CB3964 4 Bytes [2C, 8E, 70, 9C] {SUB AL, 0x8e; JO 0xffffffffffffffa0}
.text ntkrnlpa.exe!KeSetEvent + 3F1 81CB3B34 4 Bytes [18, 8E, 70, 9C]
.text ntkrnlpa.exe!KeSetEvent + 40D 81CB3B50 4 Bytes [1D, 8E, 70, 9C]
.text ntkrnlpa.exe!KeSetEvent + 621 81CB3D64 4 Bytes [27, 8E, 70, 9C]
---- Devices - GMER 1.0.15 ----
Device \Driver\BTHUSB \Device\00000072 bthport.sys (Driver bus Bluetooth/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000074 bthport.sys (Driver bus Bluetooth/Microsoft Corporation)
---- Services - GMER 1.0.15 ----
Service system32\drivers\rotscxmdhndocy.sys (*** hidden *** ) [SYSTEM] rotscxxpsbgnba <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bfb56facb
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e3d3a15ae
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba@imagepath \systemroot\system32\drivers\rotscxmdhndocy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main@aid 10072
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main\injector@* rotscxwsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\drivers\rotscxmdhndocy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxncxfosid.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxxdeeybem.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxqpwnqeqn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxebnuivwv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxtwxtvfpa.dll
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bfb56facb (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001e3d3a15ae (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba@imagepath \systemroot\system32\drivers\rotscxmdhndocy.sys
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main@aid 10072
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main\injector@* rotscxwsp8.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\drivers\rotscxmdhndocy.sys
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxncxfosid.dat
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxxdeeybem.dat
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxqpwnqeqn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxebnuivwv.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxxpsbgnba\[email protected] \systemroot\system32\rotscxtwxtvfpa.dll
---- EOF - GMER 1.0.15 ----

#10
Senior Member
Joined: Dec 2007
City: Brianza
Posts: 14704
Quote:
__________________
fattoebloggato.com • Post-disinfection treatment • Data, RAID and partition recovery • UBCD4Win guide • RAM test • Disk check • TestDisk • Emergency operations • Linux live CD • UBCD • Backup • ISO & virtual image management • Partitioning a disk • Sardu • ScreenRecording •

#11
Moderator
Joined: Jun 2007
City: 127.0.0.1
Posts: 25885
How to post logs:
Each individual log, exclusively in .txt format, must be hosted on one of the remote servers listed in the section rules. I ask you to stick to this procedure, thanks.
__________________
Try again and you will be luckier.
Last edited by Chill-Out: 16-09-2009 at 10:34.

#12
Member
Joined: Jun 2008
Posts: 30
First of all, sorry for having broken the rules, but when I decided to write in this section I only skimmed them (because I was anxious to find a solution) and hadn't noticed the distinction between long and short logs, and I thought I had to post everything with the redial.
Back to my odyssey of a problem: when I have ComboFix run the script (whether or not I tick "run with administrator privileges") I get shown many (about twenty) of these windows where I can only click OK: C:\32788R22FWJFW\iexplorer.exe impossibile accedere al dispositivo, al percorso o al file specificato. E' probabile che non si disponga delle autorizzazioni necessarie. After that ComboFix's blue screen is not displayed and everything goes back to calm. I disabled Avira's protection (the program doesn't close, but the umbrella does). Another note: when I open a browser to surf, both processors increase their load, even up to 100% (not always, but often). Thanks again.

#13
Senior Member
Joined: Dec 2007
City: Brianza
Posts: 14704
did combo work in the end or not? if so, a new log was created that you can upload for us

#14
Member
Joined: Jun 2008
Posts: 30

#15
Moderator
Joined: Jun 2007
City: 127.0.0.1
Posts: 25885
You must be logged in as administrator; use the account created at the first start of Vista, so there is no need to run Combo as administrator using the right mouse button.
The script to enter is the following Quote:
with the procedure indicated earlier
* Save the file to the Desktop as CFScript.txt
* Drag the text file you just created (CFScript.txt) onto the ComboFix icon, which will recognise the deletion command
* at the end the PC should restart (otherwise do it manually yourself) → on restart, attach the log you find in C:\ComboFix.txt to one of the remote servers indicated in the section rules; placed between code tags it is hard to read, thanks

#16
Member
Joined: Jun 2008
Posts: 30
Sorry for my ignorance, but how do I log in as administrator? When I installed Windows Vista (Sony recovery CD) I didn't set a password on my user...

#17
Moderator
Joined: Jun 2007
City: 127.0.0.1
Posts: 25885
Then that is the administrator account

#18
Member
Joined: Jun 2008
Posts: 30
But I only use that user; so even before, when I ran the CFScript, was I in administrator mode? So I can't run this script? Isn't there a way to boot a self-starting Linux CD and have the script run under Linux? (I don't know, just throwing it out there...)

#19
Moderator
Joined: Jun 2007
City: 127.0.0.1
Posts: 25885
Quote:

#20
Member
Joined: Jun 2008
Posts: 30
Quote:
Anyway, in both cases it gives the same problem. EDIT: is it normal that in C: lots of folders are appearing with the name 32788R22FWJFW, then 32788R22FWJFW.0.tmp and so on, changing the 0 to 1, 2, 3???
Last edited by MeridianEX: 16-09-2009 at 12:43.