|
|||||||
|
|
|
 |
|
|
Strumenti |
11-01-2007, 12:25
|
#1 |
|
Senior Member
Iscritto dal: Dec 2000
Messaggi: 3294
|
File strani in MICROSOFT SHARED e incaccellabili !!!
Ciao, l'antivirus mi ha rilevato ed eliminato alcuni trojan installati sul pc nella cartella TEMP. Facendo un controllo su tutto il sistema mi sono imbattuto in una sfliza di file dai nomi piuttosto strani,tipo: HJY.exe...YKE.exe...LJT.exe e cosi via, sono una ventina e si trovano in c:\programmi\file comuni\microsoft shared, di cosa si tratta? Ho controllato altri pc e questi non ci sono. Ho provato ad eliminarli ma non c'è verso, nemmeno in modalita' provvisoria. Neanche utility come Unlocker riescono a farlo. Qualche consiglio? grazie
|
|
|
|
11-01-2007, 14:31
|
#2 |
|
Senior Member
Iscritto dal: Apr 2006
Messaggi: 22462
|
vhe antivirus hai?
__________________
amd a64x2 4400+ sk939;asus a8n-sli; 2x1gb ddr400; x850 crossfire; 2 x western digital abys 320gb|| asus g1
Se striscia fulmina, se svolazza l'ammazza |
|
|
|
|
11-01-2007, 16:17
|
#3 |
|
Senior Member
Iscritto dal: Nov 2006
Città: Monza (MI)
Messaggi: 3329
|
oltre a farci sapere l'antivirus, fai anche una scansione on line con bitdefender
http://www.bitdefender.com/scan8/ie.html
__________________
CM Haf 932 Advanced | EVGA Supernova 750 G5 | Asus ROG Maximus X Hero | i7 8700k @ 4.8 cooled by Noctua NH-D15 | G.Skill DDR4 Trident Z RGB 2x8GB @ 4133 MHz 1,45v | Asus ROG STRIX GTX 1080 Ti OC | Samsung 970 EvoPlus 500GB | Samsung 840 Pro 128 GB | WD Caviar Blue 1TB | AOC 24G2U/BK | Corsair K70 (CMX Red ) | Logitech G-Pro Wireless | Fnatic FOCUS V2 | HyperX Cloud II | Win 10 Pro X64 | Vodafone FTTH 1000/200 Toshiba L50-A-1EL + Samsung 830 128 GB |
|
|
|
|
11-01-2007, 16:53
|
#4 | ||
|
Senior Member
Iscritto dal: Dec 2000
Messaggi: 3294
|
Quote:
Quote:
grazie per i suggerimenti |
||
|
|
|
|
11-01-2007, 16:58
|
#5 |
|
Senior Member
Iscritto dal: Jun 2003
Città: ..By The Sea..
Messaggi: 564
|
Sono file legati ad agent/linkoptimizer
Per eliminarli puoi usare questo, e togliero uno ad uno: http://www.nod32.it/cgi-bin/mapdl.pl?tool=Agent.VP Semmai dovresti verificare di non avere anche il resto del malware, ad esempio il rootkit. Se vuoi verificare potresti scaricare gmer (www.gmer.net o http://www.majorgeeks.com/download.php?det=5198) e fare due scansioni: rootkit e autostart, copiare i risultati (gmer ha direttamente il pulsante copy) e incollarli in un messaggio qua sul forum (premendo ctrl+v nella finestra in cui scrivi il messaggio). Assicurati che in entrambe le scansioni NON sia selezionata l'opzione show all e lascia tutte le altre opzioni così come sono. Infine, durante la scansione rootkit non utilizzare il pc e cerca di chiudere tutte le applicazion aperte.
__________________
Without Contraries is no Progression... |
|
|
|
|
11-01-2007, 19:02
|
#6 |
|
Senior Member
Iscritto dal: Mar 2006
Messaggi: 22121
|
__________________
Questa opera è distribuita secondo le regole di licenza Creative Commons salvo diversa indicazione. Chiunque volesse citare il contenuto di questo post deve necessariamente riportare il link originario. |
|
|
|
|
11-01-2007, 19:16
|
#7 |
|
Senior Member
Iscritto dal: Dec 2000
Messaggi: 3294
|
Ok,grazie 1000 .Dunque ho eliminato i file incriminati col toot di NOD32 wowwww ma che faticaccia
 . Poi ho fatto le scansioni e questi i risultati:GMER 1.0.12.12011 - http://www.gmer.net Autostart scan 2007-01-11 19:12:17 Windows 5.1.2600 Service Pack 2 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe, HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>> AtiExtEvent@DLLName = Ati2evxx.dll igfxcui@DLLName = igfxdev.dll klogon@DLLName = C:\WINDOWS\system32\klogon.dll HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll HKLM\SYSTEM\CurrentControlSet\Services\ >>> Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe AVP /*Kaspersky Internet Security 6.0*/@ = "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r SLService /*SmartLinkService*/@ = slserv.exe Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>> @CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd @MMTrayMMTray.exe = MMTray.exe @MMTray2KMMTray2k.exe = MMTray2k.exe @MMTrayLSIMMTrayLSI.exe = MMTrayLSI.exe @QuickTime Task"C:\WINDOWS\system32\qttask.exe" -atboottime = "C:\WINDOWS\system32\qttask.exe" -atboottime @NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe @IgfxTrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe @HotKeysCmdsC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe @PersistenceC:\WINDOWS\system32\igfxpers.exe = C:\WINDOWS\system32\igfxpers.exe @Tweak UIRUNDLL32.EXE TWEAKUI.CPL,TweakMeUp = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp @SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0\bin\jusched.exe = C:\Programmi\Java\jre1.5.0\bin\jusched.exe @kis"C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" = "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" @ /*file not found*/ = /*file not found*/ @UnlockerAssistant"C:\Programmi\Unlocker\UnlockerAssistant.exe" = "C:\Programmi\Unlocker\UnlockerAssistant.exe" HKCU\Software\Microsoft\Windows\CurrentVersion\[email protected] = C:\WINDOWS\system32\ctfmon.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>> @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/ @{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll @{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll @{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) = @{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll @{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL @{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL @{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL @{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll @{68f32140-2ca3-11d0-acc1-444553540000} /*PicaView32*/C:\PROGRA~1\PICAVI~1\PicaView32.dll = C:\PROGRA~1\PICAVI~1\PicaView32.dll @{85E0B171-04FA-11D1-B7DA-00A0C90348D6} /*Web Anti-Virus*/C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll = C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll @{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/C:\Programmi\Unlocker\UnlockerCOM.dll = C:\Programmi\Unlocker\UnlockerCOM.dll HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>> Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll PicaView32@{68f32140-2ca3-11d0-acc1-444553540000} = C:\PROGRA~1\PICAVI~1\PicaView32.dll HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>> Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Programmi\Unlocker\UnlockerCOM.dll HKCU\Control Panel\[email protected] = C:\WINDOWS\system32\ssmypics.scr HKLM\Software\Microsoft\Internet Explorer\Main >>> @Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome @Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home @Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm HKCU\Software\Microsoft\Internet Explorer\Main >>> @Start Pagehttp://www.google.it/ = http://www.google.it/ @Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL HKLM\Software\Classes\PROTOCOLS\Handler\ >>> dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll its@CLSID = C:\WINDOWS\system32\itss.dll mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll ms-its@CLSID = C:\WINDOWS\system32\itss.dll ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\msitss.dll mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL tv@CLSID = C:\WINDOWS\system32\msvidctl.dll HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>> Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk Alice ti aiuta.lnk = Alice ti aiuta.lnk Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk ---- EOF - GMER 1.0.12 ---- GMER 1.0.12.12011 - http://www.gmer.net Rootkit scan 2007-01-11 19:15:57 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.12 ---- SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteValueKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2 SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey SSDT kl1.sys ZwOpenFile SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenProcess SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetValueKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwTerminateProcess SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwUnloadKey SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284] SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285] SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286] SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287] SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288] SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289] SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290] SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291] SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292] SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293] SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294] SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295] SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296] Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous ---- Kernel code sections - GMER 1.0.12 ---- .text ntoskrnl.exe!KiDispatchInterrupt + 106 804DCE97 7 Bytes JMP B2E04E10 \??\C:\WINDOWS\system32\drivers\klif.sys .text ntoskrnl.exe!IoIsOperationSynchronous 804EC0FE 5 Bytes JMP B2E02B50 \??\C:\WINDOWS\system32\drivers\klif.sys .text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804F4595 5 Bytes JMP B2E026C0 \??\C:\WINDOWS\system32\drivers\klif.sys ---- User code sections - GMER 1.0.12 ---- .text C:\WINDOWS\explorer.exe[1800] SHELL32.dll!SHFileOperationW 7CA7D1B9 5 Bytes JMP 10001102 C:\Programmi\Unlocker\UnlockerHook.dll ---- Threads - GMER 1.0.12 ---- Thread 4:116 82200A20 Thread 4:120 821E0C60 Thread 4:124 821E0C60 Thread 4:364 82200A20 Thread 4:432 82200A20 ---- EOF - GMER 1.0.12 ---- Resto in trepidante attesa
|
|
|
|
|
11-01-2007, 20:28
|
#8 |
|
Senior Member
Iscritto dal: Nov 2006
Città: Monza (MI)
Messaggi: 3329
|
e dire che ti è stato detto di postare il log nell'apposito 3d...
__________________
CM Haf 932 Advanced | EVGA Supernova 750 G5 | Asus ROG Maximus X Hero | i7 8700k @ 4.8 cooled by Noctua NH-D15 | G.Skill DDR4 Trident Z RGB 2x8GB @ 4133 MHz 1,45v | Asus ROG STRIX GTX 1080 Ti OC | Samsung 970 EvoPlus 500GB | Samsung 840 Pro 128 GB | WD Caviar Blue 1TB | AOC 24G2U/BK | Corsair K70 (CMX Red ) | Logitech G-Pro Wireless | Fnatic FOCUS V2 | HyperX Cloud II | Win 10 Pro X64 | Vodafone FTTH 1000/200 Toshiba L50-A-1EL + Samsung 830 128 GB |
|
|
|
|
11-01-2007, 21:21
|
#9 | |
|
Senior Member
Iscritto dal: Dec 2000
Messaggi: 3294
|
Quote:
|
|
|
|
|
|
11-01-2007, 21:23
|
#10 | |
|
Senior Member
Iscritto dal: Nov 2006
Città: Monza (MI)
Messaggi: 3329
|
Quote:
__________________
CM Haf 932 Advanced | EVGA Supernova 750 G5 | Asus ROG Maximus X Hero | i7 8700k @ 4.8 cooled by Noctua NH-D15 | G.Skill DDR4 Trident Z RGB 2x8GB @ 4133 MHz 1,45v | Asus ROG STRIX GTX 1080 Ti OC | Samsung 970 EvoPlus 500GB | Samsung 840 Pro 128 GB | WD Caviar Blue 1TB | AOC 24G2U/BK | Corsair K70 (CMX Red ) | Logitech G-Pro Wireless | Fnatic FOCUS V2 | HyperX Cloud II | Win 10 Pro X64 | Vodafone FTTH 1000/200 Toshiba L50-A-1EL + Samsung 830 128 GB |
|
|
|
|
|
11-01-2007, 21:26
|
#11 |
|
Senior Member
Iscritto dal: Jun 2003
Città: ..By The Sea..
Messaggi: 564
|
I log sono puliti.
Ciao!
__________________
Without Contraries is no Progression... |
|
|
|
|
11-01-2007, 22:53
|
#12 |
|
Senior Member
Iscritto dal: Dec 2000
Messaggi: 3294
|
Grazie,siete stati gentilissimi
|
|
|
|
|
|
| Strumenti | |
|
|
Tutti gli orari sono GMT +1. Ora sono le: 14:35.
