
I need a script expert

Posted: Sun Sep 11, 2011 6:05 pm
by Grey wolf
Good evening to the whole Community.
After discovering a linkoptimizer on my PC, I got to work and, after a lot of wandering around, I ended up on the article on your site.
I spent the whole afternoon scanning [B)] here and there, and in the end I now find myself at the "Using Avenger" stage.
Not being a computer expert, I would need your help to find the right script.
Could you help me?
I also hope I am in the correct section of the forum.
Here are the logs generated with Gmer:
"Autorun"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = c:\windows\system32\userinit.exe,"c:\windows\cisco-service.exe",

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Apple Mobile Device@ = "C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
AVGIDSAgent@ = "C:\Programmi\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe"
avgwd@ = C:\Programmi\AVG\AVG10\avgwdsvc.exe
FsUsbExService@ = C:\WINDOWS\system32\FsUsbExService.Exe
Matrox Centering Service@ = "c:\Programmi\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe"
Matrox.Pdesk.ServicesHost@ = "c:\Programmi\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe"
MDM@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
MGABGEXE@ = %SystemRoot%\system32\mgabg.exe
NetGqk@ = "C:\Programmi\File comuni\Services\Mhl.exe" /*file not found*/
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default)@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
STI Simulator@ = C:\WINDOWS\System32\PAStiSvc.exe
viritsvclite@ = C:\VEXPLite\viritsvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@C-Media MixerMixer.exe /startup = Mixer.exe /startup
@Matrox PowerDesk SE"c:\Programmi\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" = "c:\Programmi\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe"
@iTunesHelper"C:\Programmi\iTunes\iTunesHelper.exe" = "C:\Programmi\iTunes\iTunesHelper.exe"
@AVG_TRAYC:\Programmi\AVG\AVG10\avgtray.exe = C:\Programmi\AVG\AVG10\avgtray.exe
@VIRIT LITE MONITORC:\VEXPLite\MONLITE.EXE = C:\VEXPLite\MONLITE.EXE
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{FED7043D-346A-414D-ACD7-550D052499A7} /*dBpowerAMP Music Converter 1*/C:\Programmi\Illustrate\dBpowerAMP\dBShell.dll = C:\Programmi\Illustrate\dBpowerAMP\dBShell.dll
@{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} /*dBpowerAMP Music Converter*/C:\Programmi\Illustrate\dBpowerAMP\dMCShell.dll = C:\Programmi\Illustrate\dBpowerAMP\dMCShell.dll
@{A4DF5659-0801-4A60-9607-1C48695EFDA9} /*Cartella di caricamento Share-to-Web*/C:\Programmi\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL = C:\Programmi\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Programmi\iTunes\iTunesMiniPlayer.dll = C:\Programmi\iTunes\iTunesMiniPlayer.dll
@{06A2568A-CED6-4187-BB20-400B8C02BE5A} /**/(null) =
@{00F33137-EE26-412F-8D71-F84E4C2C6625} /**/C:\Programmi\Windows Live\Photo Gallery\PhotoViewerShim.dll = C:\Programmi\Windows Live\Photo Gallery\PhotoViewerShim.dll
@{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} /*Windows Live Photo Gallery Autoplay Drop Target*/(null) =
@{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} /*Windows Live Photo Gallery Viewer Drop Target*/(null) =
@{00F374B7-B390-4884-B372-2FC349F2172B} /*Windows Live Photo Gallery Editor Drop Target*/(null) =
@{00F346CB-35A4-465B-8B8F-65A29DBAB1F6} /*Windows Live Photo Gallery Viewer Drop Target Shim*/C:\Programmi\Windows Live\Photo Gallery\PhotoViewerShim.dll = C:\Programmi\Windows Live\Photo Gallery\PhotoViewerShim.dll
@{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} /*Windows Live Photo Gallery Editor Drop Target Shim*/C:\Programmi\Windows Live\Photo Gallery\PhotoViewerShim.dll = C:\Programmi\Windows Live\Photo Gallery\PhotoViewerShim.dll
@{00F30F90-3E96-453B-AFCD-D71989ECC2C7} /*Windows Live Photo Gallery Autoplay Drop Target Shim*/C:\Programmi\Windows Live\Photo Gallery\PhotoViewerShim.dll = C:\Programmi\Windows Live\Photo Gallery\PhotoViewerShim.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG Find Extension*/(null) =
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG Shell Extension*/C:\Programmi\AVG\AVG10\avgse.dll = C:\Programmi\AVG\AVG10\avgse.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG9 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\AVG\AVG10\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG9 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\AVG\AVG10\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{2874ED8A-0FA2-97CA-D66F-CCF6B32780B6}C:\WINDOWS\rkkcd1.dll /*file not found*/ = C:\WINDOWS\rkkcd1.dll /*file not found*/
@{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}C:\Programmi\AVG\AVG10\avgssie.dll = C:\Programmi\AVG\AVG10\avgssie.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{A3BC75A2-1F87-4686-AA43-5347D756017C}C:\Programmi\AVG\AVG10\Toolbar\IEToolbar.dll = C:\Programmi\AVG\AVG10\Toolbar\IEToolbar.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.provincia.tn.it/ = http://www.provincia.tn.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
avgsecuritytoolbar@CLSID = C:\Programmi\AVG\AVG10\Toolbar\IEToolbar.dll
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
linkscanner@CLSID = C:\Programmi\AVG\AVG10\avgpp.dll
livecall@CLSID = C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
skype4com@CLSID = C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = NETGEAR WG111v3 Smart Wizard.lnk


Rootkit

Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Maxtor_6K040L0 rev.NAR61HA0
Running: vnuhdlsk.exe; Driver: C:\DOCUME~1\Lion\IMPOST~1\Temp\fxtdapog.sys


---- System - GMER 1.0.15 ----

SSDT VIRAGTLT.SYS (VirIT Agent System/TG Soft S.a.s.) ZwTerminateProcess [0xF7778B72]

---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet002\Services\NetGqk@Type 16
Reg HKLM\SYSTEM\ControlSet002\Services\NetGqk@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\NetGqk@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\NetGqk@ImagePath "C:\Programmi\File comuni\Services\Mhl.exe"
Reg HKLM\SYSTEM\ControlSet002\Services\NetGqk@DisplayName NetGqk
Reg HKLM\SYSTEM\ControlSet002\Services\NetGqk@ObjectName .\zed
Reg HKLM\SYSTEM\ControlSet002\Services\NetGqk@Description Fornisce tre servizi di gestione: il servizio Database catalogo, che serve per confermare le firme dei file di Windows; il servizio Archivio principale protetto, per aggiungere e rimuovere dal computer i certificati dell'autorità di certificazione delle fonti attendibili; e il servizio Chiave, che aiuta a registrare i certificati nel computer. Se questo servizio è interrotto, i servizi di gestione non funzioneranno in modo corretto. Se il servizio è disabilitato, tutti i servizi che dipendono direttamente da questo non potranno essere avviati.
Reg HKLM\SYSTEM\ControlSet002\Services\NetGqk\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\NetGqk\Security@Security 0x01 0x00 0x14 0x80 ...

---- EOF - GMER 1.0.15 ----


Thanks a lot!! [grazie]

Re: I need a script expert

Posted: Sun Sep 11, 2011 6:44 pm
by crazy.cat
Try this script:

Code:
Files to delete:
c:\windows\cisco-service.exe
C:\DOCUME~1\Lion\IMPOST~1\Temp\fxtdapog.sys
C:\Programmi\File comuni\Services\Mhl.exe

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetGqk


AVG is not exactly the best anyway, but at least it should be updated to the 2012 version; it looks to me like you still have an older version.

If it still does not fix it, run a scan with combofix and post its log.

Re: I need a script expert

Posted: Sun Sep 11, 2011 8:33 pm
by Grey wolf
This is what Avenger told me at the end:

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\windows\cisco-service.exe" not found!
Deletion of file "C:\windows\cisco-service.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\DOCUME~1\Lion\IMPOST~1\Temp\fxtdapog.sys" not found!
Deletion of file "C:\DOCUME~1\Lion\IMPOST~1\Temp\fxtdapog.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Programmi\File comuni\Services\Mhl.exe" not found!
Deletion of file "C:\Programmi\File comuni\Services\Mhl.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetGqk" deleted successfully.

Completed script processing.


Since it had not found the 3 files, I also ran HijackThis and deleted them from there ("Fix checked"), then rebooted the system.

I have not tried combofix yet. I will do it tomorrow.
But a doubt arises: Avenger's txt says "No rootkits found!", so does that mean I did a useless job? That is, there was nothing there? Or is the verdict it gives not that certain?
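Reading an Avenger result log means matching each item of the posted script against the lines Avenger wrote back, and keeping the rootkit-scan verdict separate from the outcome of the deletions. The Python snippet below is an added example and is not code from the forum or from either poster: it parses the script format used above ("Files to delete:" / "Registry keys to delete:" followed by one item per line) and the result lines Avenger printed, then reports, per item, whether it was deleted, was already absent (STATUS_OBJECT_NAME_NOT_FOUND) or was never mentioned. The two sample texts are the script and log lines from this thread; the regular expression for a successful file deletion assumes the same "... deleted successfully." wording Avenger used for the registry key.

```python
import re

# Constructed sample: the script crazy.cat posted above.
SCRIPT = r"""
Files to delete:
c:\windows\cisco-service.exe
C:\DOCUME~1\Lion\IMPOST~1\Temp\fxtdapog.sys
C:\Programmi\File comuni\Services\Mhl.exe

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetGqk
"""

# Constructed sample: the relevant lines of the Avenger output posted above.
LOG = r"""
Rootkit scan active.
No rootkits found!

Error: file "C:\windows\cisco-service.exe" not found!
Deletion of file "C:\windows\cisco-service.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error: file "C:\DOCUME~1\Lion\IMPOST~1\Temp\fxtdapog.sys" not found!
Deletion of file "C:\DOCUME~1\Lion\IMPOST~1\Temp\fxtdapog.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Error: file "C:\Programmi\File comuni\Services\Mhl.exe" not found!
Deletion of file "C:\Programmi\File comuni\Services\Mhl.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NetGqk" deleted successfully.

Completed script processing.
"""

# Script section headers look like "Files to delete:" / "Registry keys to delete:".
SECTION_RE = re.compile(r"^[A-Za-z ]+ to [a-z]+:$")
NOT_FOUND_RE = re.compile(r'^Error: file "(.+)" not found!$')
# Success line as printed for the registry key above; the "File" variant is
# assumed to follow the same wording.
DELETED_RE = re.compile(r'^(?:File|Registry key) "(.+)" deleted successfully\.$')


def parse_avenger_script(text):
    """Return {section header: [items]} for an Avenger script."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_avenger_log(text):
    """Return {lower-cased target: status} from Avenger's result lines."""
    status = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NOT_FOUND_RE.match(line)
        if m:
            status[m.group(1).lower()] = "not_found"
            continue
        m = DELETED_RE.match(line)
        if m:
            status[m.group(1).lower()] = "deleted"
    return status


def summarize(script_text, log_text):
    """Match every script item to its outcome; paths compare case-insensitively,
    since the script wrote c:\\windows and the log echoed C:\\windows."""
    seen = parse_avenger_log(log_text)
    outcomes = {}
    for items in parse_avenger_script(script_text).values():
        for item in items:
            outcomes[item] = seen.get(item.lower(), "unreported")
    return {
        "outcomes": outcomes,
        "rootkit_scan": "clean" if "No rootkits found!" in log_text else "unknown",
        "completed": "Completed script processing." in log_text,
    }


if __name__ == "__main__":
    result = summarize(SCRIPT, LOG)
    for item, outcome in result["outcomes"].items():
        print(f"{outcome:<11} {item}")
    print("rootkit scan:", result["rootkit_scan"], "| completed:", result["completed"])
```

On the sample, the three files come back as not_found and the NetGqk key as deleted, while the rootkit-scan verdict is reported on its own line: the "No rootkits found!" message is the result of Avenger's own scan, not a statement about whether the script's targets existed.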

Re: I need a script expert

Posted: Mon Sep 12, 2011 4:47 am
by crazy.cat
The fake service has been removed, so the script worked in some way.
The third file was not supposed to be there, but I had included it to be safe:
NetGqk@ = "C:\Programmi\File comuni\Services\Mhl.exe" /*file not found*/

Let's see combofix and then we'll talk again.