Trojan Mediket

Post by isotta » Wed Feb 14, 2007 11:58 am

I'm posting here, since in the Windows forum nobody is paying me any attention...
I'm having problems with Windows updates and I'm trying to sort them out.

Running a scan with AVS, it found 8 Trojans (or rather a single one in 8 different files); here is one as an example:
detected: Trojan program Trojan-Downloader.Win32.Mediket.df File: C:\System Volume Information\_restore{96CF19D8-81C3-4A35-8411-E2299A2E4BBA}\RP292\A0072619.exe

Now the "Manual Scan Alert" screen tells me: <<File contains Trojan program and cannot be disinfected>> and leaves me only 2 options: Delete or Skip. Leaving aside Skip (which obviously doesn't solve the problem), the question is: if I choose Delete, do I delete the file? Aren't those essential files?

Help me, please

Post by Amantide » Wed Feb 14, 2007 1:41 pm

System Volume Information\_restore is the folder that holds the restore points. Disable System Restore (there's an article about it on the site) and reboot the PC. After the reboot you can turn this feature back on.
...to fly high, you have to know how to fall...

Post by isotta » Wed Feb 14, 2007 2:27 pm

I disabled System Restore and rebooted. Now AVS shows <<Not found>> in the report for the 8 entries in question. But it found another one:
detected: Trojan program Trojan-Downloader.Win32.Mediket.df File: C:\WINDOWS\system32\mshlpa.exe

What do I do... delete?

A bit more help please...

Post by Amantide » Wed Feb 14, 2007 3:26 pm

Post me the HijackThis scan log and the Kaspersky online scan log.
The file mshlpa.exe should be deleted.

Post by isotta » Wed Feb 14, 2007 3:36 pm

Here's the first one:

Logfile of HijackThis v1.99.0
Scan saved at 14.31.30, on 14/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\VIRITEXP\viritsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE
C:\Programmi\CyberLink\PowerDVD\DVDLauncher.exe
C:\Programmi\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\AntiMALWARE\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thecopperlink.com/services/m ... dex.php.it
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.euro.dell.com/content/defau ... l=it&s=gen
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Programmi\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [EPSON Stylus D88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P23 "EPSON Stylus D88 Series" /O6 "USB002" /M "Stylus D88"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programmi\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Programmi\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [aol] "C:\Programmi\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{894BE4F4-6AA6-4B3F-B938-7B32381700A9}: NameServer = 62.211.69.150 212.48.4.15
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Programmi\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Active Virus Shield - AOL - C:\Programmi\AOL\Active Virus Shield\avp.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Programmi\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Virit eXplorer Pro - TG Soft Sas www.tgsoft.it - C:\VIRITEXP\viritsvc.exe

Post by Amantide » Wed Feb 14, 2007 4:35 pm

The HijackThis log is clean, I'm waiting for the Kaspersky one
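One way to check the reply above programmatically, that is, that nothing in the HijackThis log is tied to the flagged file, is the added Python example below. It is not code from the thread. It parses the two AVS detection lines posted earlier, classifies where each file sits (a copy archived by System Restore under `_restore{...}\RP...`, which disappears when restore points are purged, versus a file in the live Windows directory), and then looks the file name up in the "Running processes" list and the O4/O23 autostart and service entries of a HijackThis log. The log embedded here is a shortened extract of the one posted above (constructed for the example); the matching is on the bare file name because HijackThis O4 entries may show a bare name or an 8.3 short path rather than a full path.

```python
"""Triage AV detections against a HijackThis log.

Added example, not code from the thread. The detection lines are the two
reported by AVS in the thread; the HijackThis extract is shortened to a
few of the entries posted above.
"""
import re

# Detection lines as printed by the AVS scanner (copied from the thread).
AVS_DETECTIONS = [
    r"detected: Trojan program Trojan-Downloader.Win32.Mediket.df File: C:\System Volume Information\_restore{96CF19D8-81C3-4A35-8411-E2299A2E4BBA}\RP292\A0072619.exe",
    r"detected: Trojan program Trojan-Downloader.Win32.Mediket.df File: C:\WINDOWS\system32\mshlpa.exe",
]

# Shortened HijackThis log (constructed extract of the one posted above).
HJT_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [aol] "C:\Programmi\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Active Virus Shield - AOL - C:\Programmi\AOL\Active Virus Shield\avp.exe
"""

DETECTION_RE = re.compile(r"^detected: (?P<kind>.+?) (?P<name>\S+) File: (?P<path>.+)$")
# System Restore keeps archived copies as <drive>\System Volume Information\_restore{GUID}\RPnnn\Annnnnnnn.ext
RESTORE_POINT_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\")


def parse_detection(line):
    """Split an AVS 'detected:' line into kind, signature name and file path."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised detection line: " + line)
    return {"kind": m.group("kind"), "name": m.group("name"), "path": m.group("path")}


def classify_location(path):
    """'restore_point': an archived copy, removed when restore points are purged.
    'system': a file under the live Windows directory. 'other': anything else."""
    if RESTORE_POINT_RE.search(path):
        return "restore_point"
    if path.lower().startswith("c:\\windows\\"):
        return "system"
    return "other"


def parse_hjt(text):
    """Return (running processes, O-entries) from a HijackThis log."""
    running, entries = [], []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            section = "procs"
            continue
        if not line:
            section = None          # a blank line ends the process list
            continue
        if section == "procs":
            running.append(line)
        elif re.match(r"^O\d+ - ", line):
            entries.append(line)
    return running, entries


def references(path, running, entries):
    """Every running process or O-entry that mentions the file name (case-insensitive)."""
    basename = path.rsplit("\\", 1)[-1].lower()
    hits = [p for p in running if p.lower().endswith("\\" + basename)]
    hits += [e for e in entries if basename in e.lower()]
    return hits


def triage(detections, hjt_text):
    """Annotate each detection with its location class and its HijackThis references."""
    running, entries = parse_hjt(hjt_text)
    results = []
    for line in detections:
        d = parse_detection(line)
        d["location"] = classify_location(d["path"])
        d["hjt_refs"] = references(d["path"], running, entries)
        results.append(d)
    return results


if __name__ == "__main__":
    for r in triage(AVS_DETECTIONS, HJT_LOG):
        print(f'{r["location"]:14} {r["name"]}  {r["path"]}')
        print("    HijackThis references:", r["hjt_refs"] or "none")
```

The restore-point hit comes back as `restore_point` with no references, which is what you expect of an archived copy; `mshlpa.exe` comes back as `system` with no running process and no O4/O23 entry, matching the "log is clean" reading. The caveat is that this only shows the file has no autostart entry HijackThis knows about: it says nothing about whether the file was ever executed or what it downloaded, so the file still has to go.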

Post by isotta » Wed Feb 14, 2007 5:10 pm

And here, finally, is the second one:

Wednesday, February 14, 2007 3:57:05 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/02/2007
Kaspersky Anti-Virus database records: 252879


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 36253
Number of viruses found 1
Number of infected objects 1 / 0
Number of suspicious objects 0
Duration of the scan process 00:29:41


Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Dati applicazioni\AOL\AVP6\Report\0030_File_Monitoring_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\AOL\AVP6\Report\0030_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\AOL\AVP6\Report\0031_Mail_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\AOL\AVP6\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\AOL\AVP6\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\AOL\AVP6\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\AOL\AVP6\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Amministratore2\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Amministratore2\Dati applicazioni\Microsoft\Modelli\Normal.dot Object is locked skipped
C:\Documents and Settings\Amministratore2\Dati applicazioni\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\Amministratore2\Documenti\Docuditta\Prezzi\QUARNA.XLS Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Dati applicazioni\Microsoft\Outlook\archive.pst Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Dati applicazioni\Microsoft\Outlook\Outlook.pst Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temp\Acr18A0.tmp Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temp\Acr18C0.tmp Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temp\Acr18C2.tmp Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temp\Acr18C4.tmp Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temp\Acr18C6.tmp Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temp\PXRB.tmp Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temp\PXRC.tmp Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temp\PXRD.tmp Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temp\~DF1D47.tmp Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temp\~DF39E9.tmp Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temp\~DF4059.tmp Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temp\~DF4CC1.tmp Object is locked skipped
C:\Documents and Settings\Amministratore2\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Amministratore2\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Amministratore2\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\logMSfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mshlpa.exe Infected: Trojan-Downloader.Win32.Mediket.df skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\~DFEE85.tmp Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_cleaned.tmp Object is locked skipped

Scan process completed.

Post by Amantide » Wed Feb 14, 2007 5:17 pm

Kaspersky flags the same file as well, C:\WINDOWS\system32\mshlpa.exe

Delete this file from Safe Mode or with the help of Unlocker, and clean up the temporary files with CCleaner.
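The Kaspersky report above is mostly "Object is locked" rows (registry hives, event logs, Outlook stores and the other AV's own report files, which an on-demand scanner cannot open while Windows or another process holds them), with the one real detection buried in the middle. The added Python example below is not code from the thread: it parses a shortened, constructed extract of that report, keeps only the "Infected:" rows, checks that their number agrees with the "Number of infected objects" line in the header (a mismatch would mean a truncated table or a row format the parser does not know), and confirms that the flagged path is the one AVS reported. The comparison is case-insensitive because Windows paths are case-insensitive and different tools print them with different casing (the HijackThis log above has both `System32` and `system32`).

```python
"""Separate real detections from 'Object is locked' noise in a Kaspersky Online
Scanner report and cross-check them against another scanner's detection.

Added example, not code from the thread. KAV_REPORT is a constructed,
shortened extract of the report posted above.
"""
import re

KAV_REPORT = r"""Wednesday, February 14, 2007 3:57:05 PM
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database records: 252879

Scan Statistics
Total number of scanned objects 36253
Number of viruses found 1
Number of infected objects 1 / 0
Number of suspicious objects 0

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Dati applicazioni\AOL\AVP6\Report\detected.rpt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\mshlpa.exe Infected: Trojan-Downloader.Win32.Mediket.df skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\_cleaned.tmp Object is locked skipped

Scan process completed.
"""

# The path the AVS scanner reported earlier in the thread.
AVS_PATH = r"C:\WINDOWS\system32\mshlpa.exe"

# One row of the object table: <path> <status> <last action>. Paths contain spaces,
# so the path group is lazy and the row is anchored on the status keyword and action.
OBJECT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?:(?P<locked>Object is locked)|Infected: (?P<name>\S+)|Suspicious: (?P<susp>\S+))"
    r"\s+(?P<action>\S+)$"
)
STAT_RE = re.compile(r"^Number of infected objects (\d+) / (\d+)$")


def parse_report(text):
    """Return {'infected': [...], 'locked': [...], 'stats': {...}} for a report."""
    infected, locked, stats = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        m = STAT_RE.match(line)
        if m:
            stats["infected"] = int(m.group(1))
            stats["disinfected"] = int(m.group(2))
            continue
        m = OBJECT_RE.match(line)
        if not m:
            continue                  # header, statistics and trailer lines
        if m.group("locked"):
            locked.append(m.group("path"))
        else:
            infected.append({
                "path": m.group("path"),
                "name": m.group("name") or m.group("susp"),
                "action": m.group("action"),
            })
    return {"infected": infected, "locked": locked, "stats": stats}


def consistent(report):
    """True when the header count matches the number of detection rows parsed."""
    return report["stats"].get("infected") == len(report["infected"])


def corroborated(report, other_paths):
    """Detections in this report whose path another scanner also flagged."""
    other = {p.lower() for p in other_paths}
    return [d for d in report["infected"] if d["path"].lower() in other]


if __name__ == "__main__":
    rep = parse_report(KAV_REPORT)
    print(f'{len(rep["locked"])} locked objects skipped (not detections)')
    print(f'{len(rep["infected"])} detection(s); header count consistent: {consistent(rep)}')
    for d in corroborated(rep, [AVS_PATH]):
        print("also flagged by AVS:", d["path"], d["name"], "last action:", d["action"])
```

The "Last Action" column matters as much as the detection itself: `skipped` means the online scanner only reported the file and did nothing to it, which is why the file still has to be removed by hand, from Safe Mode or with Unlocker as the reply above says.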


Powered by phpBB © 2002, 2005, 2007, 2008 phpBB Group
megalab.it: daily online publication registered with the Court of Cosenza, no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising