#1
Senior Member
Joined: Jul 2000
Location: Vicenza
Posts: 2056
Rootkit? Request on port 3460
Outpost keeps detecting continuous remote access attempts:
Remote address: knud.no-ip.org Remote Service: TCP:3460 knud.no-ip.org (87.158.159.99)
From what I could understand it should be a rootkit; the question is how to get rid of it. Thanks to jstef I was able to find this info http://forums.mozillazine.org/viewt...1603873f1b8857f, which unfortunately I didn't understand very well because of the English, but what is certain is that it's a danger to be eliminated as soon as possible. Luckily Outpost 4 keeps it in check, and I've blocked port 3460 completely. Can anyone confirm the possibility that my passwords have been compromised? Would it be better to replace them all, or can I relax? Obviously the forum ones etc. aren't a problem, but the PayPal one worries me.
#2
Senior Member
Joined: Jul 2000
Location: Vicenza
Posts: 2056
I tried a scan with F-Secure BlackLight rootkit eliminator, with no findings from the program.
RootkitRevealer 1.7, on the other hand, found something suspicious, but from what I understand it's not certain, and in any case this program can only find, not remove. I took a look around the registry to check two suspicious entries but didn't find them; strange, but apparently they don't exist... strange because I know my way around the registry well, so now the whole thing is even more suspicious. Suggestions?

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 19/11/2006 11.42 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 06/09/2006 23.54 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 06/09/2006 22.28 0 bytes Access is denied.
C:\Documents and Settings\Ale\Cookies\[email protected][1].txt 19/11/2006 11.42 254 bytes Visible in Windows API, directory index, but not in MFT.
C:\Documents and Settings\Ale\Cookies\[email protected][2].txt 19/11/2006 11.43 254 bytes Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\Ale\Impostazioni locali\Temporary Internet Files\Content.IE5\PHUWSY19\forumdisplay[1].htm 19/11/2006 11.43 96.43 KB Hidden from Windows API.
C:\Documents and Settings\Ale\Impostazioni locali\Temporary Internet Files\Content.IE5\PHUWSY19\thread_moved[1].gif 19/11/2006 11.43 740 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab\AVP6\PdmHist\d54.6231F6AC01C70BC7.history\00000000.bak 19/11/2006 11.43 4.19 MB Hidden from Windows API.
C:\WINDOWS\Temp\cch~83d663d1231.htp 19/11/2006 11.42 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83d664bf4e2.htp 19/11/2006 11.42 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83e801b47e1.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83e802aae05.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83eb7c9b383.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83eb7daa571.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83edafe2a4b.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83edb12bb66.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83edb32370a.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83edb4153c6.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83ee0a6a4e9.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83ee0b87249.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83ee0ddf1f2.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83ee0ef9d2f.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83ee17dfe45.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83ee1993496.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83ee1b75692.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83ee1c797c5.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83ee31d27c3.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~83ee33198e9.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~8589641611a.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, MFT, but not in directory index.
C:\WINDOWS\Temp\cch~85896524819.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, MFT, but not in directory index.
C:\WINDOWS\Temp\cch~85ac06e45cd.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85ac0814afa.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b2e03b467.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b2e149f68.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b2e3a29a6.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b2e4a310d.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b2e8755fc.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b2e985d9b.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b2eed8aa3.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b2efc4fcc.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b2ff97656.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b300ac7db.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b3053fda7.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b3063b231.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b30b88ad9.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b30c9de83.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b30f33197.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~85b31022be8.htp 19/11/2006 11.43 8.00 KB Visible in Windows API, but not in MFT or directory index.
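RootkitRevealer output is best sorted before chasing individual entries, because the tool reports every discrepancy between the Windows API view and its raw scan, and most of those discrepancies have mundane causes. The Python below is an added example, not part of the original thread and not RootkitRevealer's own code: it parses lines in the format pasted above and sorts them into buckets. Two rules follow Sysinternals' own guidance: the RNG\Seed value is reseeded continuously and always shows a data mismatch, and an "Access is denied" on a Cfg key under Services\sptd is the SPTD driver installed by Daemon Tools or Alcohol 120% protecting its configuration (whether that software is present on this machine is an assumption; the thread does not say). Entries in temp, cookie, browser-cache and AV-history folders whose timestamps fall inside the scan window are classed as likely transient, created or deleted while the scan ran, and should be re-checked with the browser closed rather than dismissed. Keys with embedded nulls cannot be opened in regedit, which matches the poster's experience of not finding them; Sysinternals' RegDelNull is the tool for those. The first six sample lines are copied from the post; the last is constructed (a hypothetical driver path) purely to exercise the "investigate" bucket.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Added example: triage RootkitRevealer 1.7 output lines (format as pasted in the post).
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}\.\d{2})\s+"
    r"(?P<size>[\d.]+\s+(?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+?)\s*$"
)

# Locations whose contents change while a scan runs (temp files, cookies, browser
# cache, the AV's own history folder). A discrepancy here is usually a race between
# RootkitRevealer's API pass and its raw NTFS pass, not an attempt to hide a file.
TRANSIENT_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\cookies\\", "\\pdmhist\\")


def _minutes(hhmm: str) -> int:
    """'11.42' -> minutes since midnight (RootkitRevealer's Italian-locale time format)."""
    h, m = hhmm.split(".")
    return int(h) * 60 + int(m)


@dataclass
class Finding:
    path: str
    date: str
    time: str
    size: str
    desc: str


def parse(text: str) -> list[Finding]:
    """Parse RootkitRevealer lines; lines that do not fit the format are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(**m.groupdict()))
    return findings


def triage(findings, scan_window=None):
    """Bucket findings. scan_window is (start, end) as 'HH.MM' strings, or None."""
    lo, hi = (_minutes(scan_window[0]), _minutes(scan_window[1])) if scan_window else (None, None)
    buckets = defaultdict(list)
    for f in findings:
        path = f.path.lower()
        in_flux_dir = any(d in path for d in TRANSIENT_DIRS)
        in_window = lo is None or lo <= _minutes(f.time) <= hi
        if path.endswith("\\cryptography\\rng\\seed") and f.desc.startswith("Data mismatch"):
            buckets["known_benign"].append(f)        # reseeded constantly; always mismatches
        elif "\\services\\sptd\\" in path and f.desc.startswith("Access is denied"):
            buckets["known_benign"].append(f)        # SPTD (Daemon Tools / Alcohol) locks its Cfg key
        elif f.desc.startswith("Key name contains embedded nulls"):
            buckets["investigate"].append(f)         # invisible to regedit; enumerate with RegDelNull
        elif in_flux_dir and in_window:
            buckets["likely_transient_rescan"].append(f)
        elif f.desc.startswith("Hidden from Windows API"):
            buckets["investigate"].append(f)         # raw NTFS sees it, the API does not: classic hiding
        else:
            buckets["review"].append(f)
    return dict(buckets)


# Sample input: first six lines copied from the post above; the last line is constructed
# (a hypothetical driver that does not exist on the poster's machine) for the test.
SAMPLE = r"""
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 19/11/2006 11.42 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 06/09/2006 23.54 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 06/09/2006 22.28 0 bytes Access is denied.
C:\Documents and Settings\Ale\Cookies\[email protected][1].txt 19/11/2006 11.42 254 bytes Visible in Windows API, directory index, but not in MFT.
C:\Documents and Settings\Ale\Impostazioni locali\Temporary Internet Files\Content.IE5\PHUWSY19\forumdisplay[1].htm 19/11/2006 11.43 96.43 KB Hidden from Windows API.
C:\WINDOWS\Temp\cch~83d663d1231.htp 19/11/2006 11.42 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\drivers\HYPOTHETICAL.sys 01/01/2006 10.00 12.00 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    for bucket, items in triage(parse(SAMPLE), scan_window=("11.42", "11.43")).items():
        print(bucket)
        for f in items:
            print("   ", f.path, "|", f.desc)
```

Run against the full list in the post, every C:\WINDOWS\Temp and Temporary Internet Files entry lands in the transient bucket because all of them carry the scan's own timestamps (11.42 and 11.43), which leaves only the embedded-null key as something to look at by hand.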
#3
Senior Member
Joined: Jul 2000
Location: Vicenza
Posts: 2056
Logfile of HijackThis v1.99.1
Scan saved at 11.58.42, on 19/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\svchost.exe
E:\Emule\emule.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programmi\GetRight\xx2gr.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [GBB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Programmi\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Programmi\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [kav] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download with GetRight Pro - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferito portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Programmi\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Programmi\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Pro Home 2007.SP1\RpcSandraSrv.exe
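A HijackThis log this long is mostly ordinary, and a reviewer does not read it top to bottom: the persistence entries (O4 Run keys, O20 Winlogon Notify DLLs, O23 services) are pulled out and only those with something odd about them get a closer look. The Python below is an added example, not part of the thread and not HijackThis code. It flags four things: entries whose target reports "(file missing)" (stale, or the binary was removed; for the AVP service here the process list shows avp.exe running, so that one is most likely HijackThis mis-parsing the quoted ImagePath rather than a missing file, which is exactly why a human checks it); O20 Winlogon Notify DLLs, which winlogon.exe loads as SYSTEM at every logon; any executable loaded from outside the trusted roots; and Run-key commands that name the executable without a directory, since those are resolved through the process search path rather than a fixed location. The trusted roots are an assumption for this particular log: an Italian XP install with programs under C:\Programmi (PROGRA~1 in 8.3 form) and C:\WINDOWS. The sample lines are copied from the posted log.

```python
import re

# Added example: pull the persistence entries out of a HijackThis 1.99 log and flag
# the ones a reviewer should verify before calling the log clean.
HJT_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<rest>.+)$")
# A Windows path to an executable image, with or without an environment-variable prefix.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|%\w+%\\)[^"\r\n]*?\.(?:exe|dll|cpl|sys)\b', re.IGNORECASE)

# Assumption for this log: Italian XP, programs under C:\Programmi (PROGRA~1 in 8.3 form).
# Anything loaded from outside these roots is worth a look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\programmi\\", "c:\\progra~1\\", "%windir%\\")


def review(text, trusted_roots=TRUSTED_ROOTS):
    """Return [(code, line, [reasons])] for every entry that needs a human check."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_RE.match(line)
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        reasons = []
        if "(file missing)" in rest:
            reasons.append("target file missing: stale entry, removed binary, or a parsing quirk")
        if code == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe (SYSTEM) at every logon.
            reasons.append("Winlogon Notify DLL: verify publisher and hash")
        for p in PATH_RE.findall(rest):
            if not p.lower().startswith(trusted_roots):
                reasons.append(f"path outside trusted roots: {p}")
        if code == "O4" and "] " in rest:
            # A Run-key command that names the executable without a directory is resolved
            # through the search path, so it is worth confirming which file actually runs.
            tokens = rest.split("] ", 1)[1].split()
            if tokens and "\\" not in tokens[0].strip('"'):
                reasons.append(f"unqualified executable name: {tokens[0]}")
        if reasons:
            flagged.append((code, line, reasons))
    return flagged


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for code, line, reasons in review(SAMPLE_LOG):
        print(code, line)
        for r in reasons:
            print("   ->", r)
```

The script deliberately does not decide whether an entry is malicious; it produces the short list of files whose publisher and hash should be checked, which on the full log above comes down to the bare-name Run entries (CTHELPER.EXE, nwiz.exe, the two rundll32 lines), the two Winlogon Notify DLLs and the two "(file missing)" entries.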
#4
Senior Member
Joined: Jun 2006
Location: Milano
Posts: 3943
Hi, first of all read this post (sorry for not suggesting it to you earlier):
http://www.hwupgrade.it/forum/showthread.php?t=1142673 You'll see there is a dedicated thread for the HijackThis log as well. Don't despair, have faith and give the volunteers time.
#5
Senior Member
Joined: Jul 2000
Location: Vicenza
Posts: 2056
I'm trying the most recommended software, following the various guides and posts... none of them detects anything, yet Internet Explorer keeps trying to access port 3460 of the site knud.no-ip.org 87.158.159.99.
Can IE7 be removed to go back to 6? PS: it's explorer that points at this port, not other processes. Pity that images can't be posted.
Last edited by Bimbosoft: 19-11-2006 at 13:32.
#6
Senior Member
Joined: Jun 2006
Location: Milano
Posts: 3943
Quote (from Psiche's post "Novembre 2006 - Desktops Thread"):
1. Click on http://www.imageshack.us/ (or on www.uploadimages.net)
2. Click the Browse... button and select the image you just saved (1 MB maximum!)
3. Click host it!
4. Right-click the second line of code that appears inside a box (in practice the "Thumbnail for forums (1)") and select Copy
5. Now just click reply in this thread and Paste into the reply post.

EDIT. I don't know Outpost, but at least for the time being, can't you set a permanent rule that stops IE from going out on that port? You said it tries every minute or so...
Last edited by jstef: 19-11-2006 at 13:48.
#7
Senior Member
Joined: Jul 2000
Location: Vicenza
Posts: 2056
I removed IE7, but the problem remains; at this point it's either something else, or something that was inside the rar I downloaded... I'm now re-downloading it to examine it.
Every 20 sec there's the request... I blocked the port on the router, but with Outpost I still haven't figured out how to block a program that wants to access a single port; for now, though, that's a secondary problem.
Last edited by Bimbosoft: 19-11-2006 at 14:25.
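What this post describes, the same process trying the same host and port every 20 seconds, is a beacon pattern, and regularity is something a firewall log can be tested for directly instead of eyeballed. The Python below is an added example, not the thread's code and not Outpost's: it groups connection attempts by (process, remote host, port), computes the inter-arrival times in each group, and reports groups whose timing is regular (relative jitter, standard deviation over median period, at or below a threshold). The log line format is an assumption made for the example, since Outpost's export format is not shown on the page; the sample lines are constructed to mirror the behaviour described (iexplore.exe to knud.no-ip.org:3460 roughly every 20 s, mixed with ordinary browsing and a couple of eMule peers, with private addresses standing in for the latter).

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Added example: detect beacon-like periodic connection attempts in a firewall log.
# Assumed line format (Outpost's real export is not shown in the thread):
#   "DD/MM/YYYY HH:MM:SS <process> <remote_host>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<proc>\S+)\s+(?P<host>\S+):(?P<port>\d+)$"
)


def parse_events(text):
    """Return [(datetime, process, host, port)] for every line that fits the format."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S")
            events.append((ts, m.group("proc"), m.group("host"), int(m.group("port"))))
    return events


def find_beacons(events, min_events=5, max_jitter=0.2):
    """Group by (process, host, port); report groups whose inter-arrival times are
    regular, i.e. pstdev(deltas) / median(deltas) <= max_jitter."""
    groups = defaultdict(list)
    for ts, proc, host, port in events:
        groups[(proc, host, port)].append(ts)
    beacons = {}
    for key, times in groups.items():
        if len(times) < min_events:          # too few samples to call anything periodic
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(deltas)
        if period <= 0:                       # duplicate timestamps; nothing to measure
            continue
        jitter = pstdev(deltas) / period
        if jitter <= max_jitter:
            beacons[key] = {"period_s": period, "jitter": round(jitter, 3), "count": len(times)}
    return beacons


# Constructed sample (not a real Outpost export): a 20 s beacon to knud.no-ip.org:3460
# interleaved with irregular browsing and two eMule peers on private addresses.
SAMPLE_LOG = """\
19/11/2006 14:00:00 IEXPLORE.EXE knud.no-ip.org:3460
19/11/2006 14:00:05 IEXPLORE.EXE www.hwupgrade.it:80
19/11/2006 14:00:07 IEXPLORE.EXE www.hwupgrade.it:80
19/11/2006 14:00:12 emule.exe 10.0.0.5:4662
19/11/2006 14:00:20 IEXPLORE.EXE knud.no-ip.org:3460
19/11/2006 14:00:30 IEXPLORE.EXE www.hwupgrade.it:80
19/11/2006 14:00:41 IEXPLORE.EXE knud.no-ip.org:3460
19/11/2006 14:00:55 emule.exe 10.0.0.6:4662
19/11/2006 14:01:00 IEXPLORE.EXE knud.no-ip.org:3460
19/11/2006 14:01:20 IEXPLORE.EXE knud.no-ip.org:3460
19/11/2006 14:01:40 IEXPLORE.EXE knud.no-ip.org:3460
19/11/2006 14:01:45 IEXPLORE.EXE www.hwupgrade.it:80
19/11/2006 14:02:01 IEXPLORE.EXE knud.no-ip.org:3460
19/11/2006 14:02:10 IEXPLORE.EXE www.hwupgrade.it:80
19/11/2006 14:02:20 IEXPLORE.EXE knud.no-ip.org:3460
"""

if __name__ == "__main__":
    for (proc, host, port), info in find_beacons(parse_events(SAMPLE_LOG)).items():
        print(f"{proc} -> {host}:{port}  period={info['period_s']}s  "
              f"jitter={info['jitter']}  n={info['count']}")
```

The browsing group to www.hwupgrade.it has five events but wildly varying gaps, so it is rejected, while the five-plus attempts to port 3460 come out with a 20 s median period and jitter under 0.04. Once a group is flagged, the useful next question is which code inside that process issues the connection: the browser itself has no reason to reconnect to a fixed non-HTTP port every 20 seconds, so the candidates are whatever is loaded into iexplore.exe (the O2 BHO entries in the HijackThis log above, toolbars, or an injected DLL) or a page left open that keeps retrying.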