www.MegaLab.it

[little-star91]

Salve , ho un piccolo problema . Ho notato un rallentamento del pc ultimamente . Ho fatto una scansione con nod32 , l'antivirus attuale che posseggo , e non mi ha trovato nulla . Ho fatto una scansione con malwarebytes' Anti-Malware e mi ha trovato 3 Adware nel registro di sistema , scansione con avg anti-rootkit free e mi ha trovato un rootkit . Dopo aver eliminato le varie minacce scansiono con gmer ed hijackthis e mi ritrovo tante voci ... Vi posto i log . Spero che qualcuno riuscirà ad aiutarmi !! Grazie in anticipo a tutti !

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-11-01 10:25:20
Windows 6.0.6000


---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\tdx \Device\Tcp epfwtdir.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF dinamico/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-11-01 10:40:11
Windows 6.0.6000


---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1944] kernel32.dll!SetUnhandledExceptionFilter 7692D187 4 Bytes [ C2, 04, 00, 00 ]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF dinamico/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp epfwtdir.sys

Device \FileSystem\cdfs \Cdfs A346C067

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\Temp\HTTE514.tmp 12657 bytes
File C:\WINDOWS\Temp\HTTF608.tmp 0 bytes

---- EOF - GMER 1.0.14 ----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10.34.53, on 01/11/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\SMINST\scheduler.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Opera\opera.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Mariangela.PC-Mariangela\Desktop\sicurezza\tool anti bagle\Nuova cartella\MegaLab.it_G_m_E_r.exe
C:\Users\Mariangela.PC-Mariangela\Desktop\sicurezza\tool anti bagle\Nuova cartella\MegaLab.it_H_i_J_a_C_k_T_h_I_s.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - Global Startup: E_SPSU01.lnk = C:\WINDOWS\System32\spool\drivers\w32x86\3\E_SPSU01.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{66048E96-7A85-4E67-AF1F-0C97F4E393C1}: NameServer = 83.224.65.134 83.224.66.134
O17 - HKLM\System\CCS\Services\Tcpip\..\{798E50C8-8A23-4109-A100-F8A59570FE33}: NameServer = 213.205.36.70 213.205.32.70
O20 - Winlogon Notify: DeviceNP - C:\Windows\SYSTEM32\DeviceNP.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: @comres.dll,-947 (COMSysApp) - Unknown owner - C:\Windows\system32\dllhost.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Controllo/blocco dispositivi HP ProtectTools (FLCDLOCK) - Hewlett-Packard Ltd - C:\Windows\system32\flcdlock.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 7515 bytes

[crazy.cat]

scansione con avg anti-rootkit free e mi ha trovato un rootkit

Dove ti troverebbe questo rootkit?
Dai log che mostri sembra tutto a posto...

[little-star91]

Ti spiego ...
Praticamente ho scansionato con rootalyzer e mi ha trovato una lista infinita di file con accanto un pallino rosso ed una scritta " No ACL " o qualcosa del genere ... e mi chiedeva di rimuoverli ... Inoltrei mi chiedeva di rimuovere anche una cartella di sistema ... Così ho iniziato a girare per i siti prima di commettere guai e ho notato che tutti dicevano che il miglior a scovare rootkit era gmer ... Scansiono e posto il log ... Ma se mi dici che è tutto ok rootalyzer ha fatto cilecca !! =) grazie comunque della celere risposta ! Saluti .

[crazy.cat]

Gmer se trova un rootkit lo mostra in rosso e ti avvisa chiaramente.
Se l'altro programma ti permette di salvare un log posta anche quello che vediamo cosa ha trovato di strano.

[little-star91]

Se l'altro programma ti permette di salvare un log posta anche quello che vediamo cosa ha trovato di strano.

RootAlyzer non mi fa salvare un log ... Ma ad esempio mi riporta " C:\WINDOWS No admin in ACL " e altri file con accanto " Unknow ADS " , dove ACL sta per Acces Control List e ADS Alternate Data Stream ... Mi consiglia di cancellare tutto ...

[little-star91]

Se l'altro programma ti permette di salvare un log posta anche quello che vediamo cosa ha trovato di strano.

RootAliyzer finita la scansione mi ha dato questo log sottoforma di script di avenger

Comment:
File created using RootAlyzer to help your get rid of a rootkit.

Files to delete:
C:\WINDOWS\Internet Logs\dumpIndex
C:\WINDOWS\Internet Logs\GLB427B_2nd_2008_10_24_10_31_33_small.dmp.zip.old
C:\WINDOWS\Internet Logs\installer_102308220020.log
C:\WINDOWS\Internet Logs\installer_102308220305.log
C:\WINDOWS\Internet Logs\installer_102308221651.log
C:\WINDOWS\Internet Logs\installer_102308221725.log
C:\WINDOWS\Internet Logs\installer_102308225436.log
C:\WINDOWS\Internet Logs\installer_102308230945.log
C:\WINDOWS\Internet Logs\installer_102308231012.log
C:\WINDOWS\Internet Logs\installer_102308231046.log
C:\WINDOWS\Internet Logs\installer_102308232433.log
C:\WINDOWS\Internet Logs\installer_102308232443.log
C:\WINDOWS\Internet Logs\installer_102408100955.log
C:\WINDOWS\Internet Logs\vsmon_2nd_2008_10_23_22_30_23_small.dmp.zip.old
C:\WINDOWS\Internet Logs\vsmon_2nd_2008_10_23_22_31_13_small.dmp.zip.old
C:\WINDOWS\Internet Logs\vsmon_2nd_2008_10_23_23_23_36_small.dmp.zip.old
C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_10_24_11_23_15_full.dmp.zip.old
C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_10_24_14_03_26_full.dmp.zip
C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_10_24_14_27_14_full.dmp.zip
C:\WINDOWS\Internet Logs\zlclient_2nd_2008_10_23_23_18_52_small.dmp.zip.old
C:\WINDOWS\Internet Logs\zlclient_2nd_2008_10_23_23_20_41_small.dmp.zip.old
C:\Users\Mariangela.PC-Mariangela\Music\Music\Desaparecidos vs Walter Master J - Ibiza (Marchesini And Farina Remix).mp3:TOC.WMV:$DATA
C:\Users\Mariangela.PC-Mariangela\Music\Music\Musica\Celine Dion - I'm Alive.mp3:TOC.WMV:$DATA
C:\Users\Mariangela.PC-Mariangela\Documents\film\L'Esorcismo di Emily Rose.[ITA].DVDperfetto(valerossi).avi:TOC.WMV:$DATA
C:\Users\Mariangela.PC-Mariangela\AppData\Local\Temp\~DF9E95.tmp
C:\Users\Mariangela.PC-Mariangela\AppData\Local\Temp\~DF9E9A.tmp
C:\Users\Mariangela.PC-Mariangela\AppData\Local\Temp\~DFE0D9.tmp
C:\Users\Mariangela.PC-Mariangela\AppData\Local\Temp\~DFE0DE.tmp
C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat
C:\Users\All Users\avg8\Log\history.xml
C:\System Volume Information\SystemRestore\FRStaging\Program Files\Hp\HP Software Update\HpuFunction.dll
C:\System Volume Information\SystemRestore\FRStaging\Program Files\Hp\HP Software Update\HPWUCli.exe
C:\System Volume Information\SystemRestore\FRStaging\Program Files\Hp\HP Software Update\SelfUpdate.exe
C:\System Volume Information\SystemRestore\FRStaging\Program Files\Hp\HP Software Update\SoftwareUpdate.dll
C:\System Volume Information\SystemRestore\FRStaging\Program Files\Hp\HP Software Update\unicows.dll
C:\ProgramData\avg8\Log\history.xml
C:\Program Files\Hp\HP Software Update\Contents.dat
C:\Program Files\Hp\HP Software Update\global.js
C:\Program Files\Hp\HP Software Update\HpuFunction.dll
C:\Program Files\Hp\HP Software Update\HPWUCli.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hp\HP Software Update\main.hta
C:\Program Files\Hp\HP Software Update\SelfUpdate.exe
C:\Program Files\Hp\HP Software Update\SoftwareUpdate.dll
C:\Program Files\Hp\HP Software Update\unicows.dll
C:\perflogs\System\Diagnostics\20081019-0001\report.xml:Qgrg2rf1Znaluncm1kfl1xla5h:$DATA

Folders to delete:
C:\System Recovery
C:\WINDOWS\Internet Logs
C:\Users\All Users\Microsoft\OFFICE\DATA
C:\System Volume Information\SystemRestore\FRStaging\Program Files\Hp\HP Software Update
C:\ProgramData\Microsoft\OFFICE\DATA
C:\Program Files\Hp\HP Software Update

Registry keys to delete:

Registry values to delete:

[little-star91]

Qualcuno mi risponde pleeeeeeeeaseeeeeeeee ?? :(

[little-star91]

Qualcuno mi risponde ?? Uffi T_T

[crazy.cat]

1) E sabato pomeriggio ed è pure festa.
2) questo non è un helpdesk dove vi sia l'obbligo di risposta veloce.

Non ci sono problemi di rootkit nel tuo pc, fidati solo di gmer e butta via l'altro programma.

[little-star91]

Infatti io non ho messo la pistola in testa a nessuno ... Solo che ho visto che gli altri avevano risposte ed io no ... Poi hai iniziato a rispondere ... Se non ti andava potevi anche evitare ... Qualcun altro sempre mi rispondeva E poi mi sembra di aver detto le cose sempre con gentilezza ...
Ecco perché l'Italia sta andando a rotoli ... Meglio che vada ... Saluti comunque ...
VISTO CHE ALMENO IO HO UN PO' DI EDUCAZIONE