PROBABLE VIRUS OR TROJAN


Post by SUMMERBOY » Tue Dec 02, 2008 1:11 pm

Hi everyone. I have a problem with my PC. Once it is switched on, if I open Task Manager it shows more than one IEXPLORER.exe open even though I am not using the internet, and another program called rs32net.exe also appears. I am posting my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.01.38, on 02/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\rs32net.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\rs32net.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe
C:\WINDOWS\twain_32\CIS600X\WATCH.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\Programmi\Windows NT\Accessori\wordpad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Programmi\myBabylon\tbmyBa.dll
O2 - BHO: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Programmi\myBabylon\tbmyBa.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Programmi\myBabylon\tbmyBa.dll
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [TomTomHOME.exe] "D:\Programmi\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Utilità adattatore wireless ZyXEL G-202.lnk = ?
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF78D79F-4AAF-4551-9C95-BDF9EAA4D278}: NameServer = 213.156.54.80,213.156.54.81
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: atyhibwx - atyhibwx.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5294 bytes

Re: PROBABLE VIRUS OR TROJAN

Post by Amantide » Tue Dec 02, 2008 1:22 pm

Besides rs32net.exe, there are traces of other trojans.

Download ComboFix and run the scan following these instructions (down at the bottom). When the scan finishes, the report file C:\combofix.txt will be created; paste its contents here.
...to fly high, you have to know how to fall...

Re: PROBABLE VIRUS OR TROJAN

Post by SUMMERBOY » Tue Dec 02, 2008 2:23 pm

Hi, I did as you said; here is the log:

ComboFix 08-12-01.01 - User 2008-12-02 13.48.48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.9 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\recover.reg
c:\windows\system32\rs32net.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_restore


((((((((((((((((((((((((( Files Created From 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))))))
.

2008-12-01 20:08 . 2008-12-01 20:16 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-12-01 12:30 . 2008-12-01 21:49 32,768 --a------ c:\windows\system32\drivers\ati8pvxx.sys
2008-11-29 17:11 . 2008-11-29 17:11 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\TomTom
2008-11-29 16:53 . 2008-11-29 16:53 <DIR> d-------- c:\documents and settings\User\Dati applicazioni\TomTom
2008-11-26 19:02 . 2008-11-26 19:19 <DIR> d-------- c:\windows\system32\Adobe
2008-11-22 13:56 . 1996-11-07 14:51 308,736 --a------ c:\windows\system32\Fpxlib.dll
2008-11-22 13:56 . 1996-11-07 14:51 91,136 --a------ c:\windows\system32\Jpeglib.dll
2008-11-22 13:56 . 1999-08-18 01:51 56,832 --a------ c:\windows\system32\VideoSin.ax
2008-11-17 19:18 . 2008-11-17 19:26 754 --a------ c:\windows\WORDPAD.INI
2008-11-16 20:09 . 2008-11-16 20:09 <DIR> d-------- c:\programmi\Sony Setup
2008-11-10 17:52 . 2008-11-10 17:52 <DIR> d-------- c:\programmi\ASIX Electronics Corporation
2008-11-10 17:52 . 2006-09-06 16:35 19,072 --a------ c:\windows\system32\drivers\ax88772.sys
2008-11-10 17:24 . 2008-04-14 03:13 579,584 --a------ c:\windows\system32\user32.dll
2008-11-06 11:40 . 2008-11-06 11:40 <DIR> d-------- c:\programmi\ZyXEL
2008-11-06 11:39 . 2008-11-06 11:39 <DIR> d-------- c:\documents and settings\User\Dati applicazioni\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 22:24 --------- d-----w c:\programmi\eMule
2008-11-22 12:56 --------- d-----w c:\programmi\Philips Vesta Camera
2008-11-10 16:52 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-11-10 16:51 --------- d-----w c:\programmi\File comuni\InstallShield
2008-11-02 16:27 --------- d-----w c:\documents and settings\User\Dati applicazioni\gtk-2.0
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-02 17:53 --------- d-----w c:\documents and settings\User\Dati applicazioni\LimeWire
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 15:38 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:44 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-02-01 17:05 32 ----a-w c:\documents and settings\All Users\Dati applicazioni\ezsid.dat
.

------- Sigcheck -------

2005-03-02 19:20 578048 488019bfe2b0f9f8cd8394276d5b664a c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 16:48 579072 bab4f995e526484a235a276e269aaf7f c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-19 13:00 578048 08447bdfce5d1b1956f962602381f5c1 c:\windows\$NtUninstallKB890859$\user32.dll
2005-03-02 19:10 578048 14b5d6b20467dba209853d65d1f6a124 c:\windows\$NtUninstallKB925902$\user32.dll
2008-04-14 03:13 579584 fa94696c0727bd59e517c674cd6e7c72 c:\windows\SoftwareDistribution\Download\fc12fb9dc078edc471023573f97c4e40\user32.dll
2008-04-14 03:13 579584 fa94696c0727bd59e517c674cd6e7c72 c:\windows\system32\user32.dll

2008-04-14 03:14 510464 9259170d29b5a256735fcb8b80280857 c:\windows\SoftwareDistribution\Download\fc12fb9dc078edc471023573f97c4e40\winlogon.exe
2000-01-01 17:31 504832 1dbd3966123ac2f6ade783f7f17f8c7f c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\programmi\myBabylon\tbmyBa.dll" [2008-02-14 1555480]

[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
2008-02-14 13:54 1555480 --a------ c:\programmi\myBabylon\tbmyBa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\programmi\myBabylon\tbmyBa.dll" [2008-02-14 1555480]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{34EA1C70-42CC-42C5-AA29-EC58B95A343E}"= "c:\programmi\myBabylon\tbmyBa.dll" [2008-02-14 1555480]

[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"Google Update"="c:\documents and settings\User\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2008-11-27 133104]
"TomTomHOME.exe"="d:\programmi\TomTom HOME 2\HOMERunner.exe" [2008-11-27 234856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2005-12-13 217088]
"PE2CKFNT SE"="c:\programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 25088]
"InstantAccess"="c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [1998-07-07 37376]
"RegisterDropHandler"="c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 c:\windows\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Bluetooth Manager.lnk - c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-05-22 2756608]
Utilità adattatore wireless ZyXEL G-202.lnk - c:\programmi\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe [2008-11-06 10907648]
Watch.lnk - c:\windows\twain_32\CIS600X\WATCH.exe [2008-02-02 356352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati4gjxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5qvxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7imxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8pvxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 c:\programmi\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\programmi\File comuni\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\programmi\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
-ra------ 2004-06-29 17:42 569344 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
"c:\\Programmi\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\DAP\\DAP.exe"=
"c:\\Programmi\\ZyXEL\\ZyXEL G-202 Wireless Adapter Utility\\ZyXEL G-202.exe"=

R0 ati8pvxx;ati8pvxx;c:\windows\system32\Drivers\ati8pvxx.sys [2008-12-01 32768]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-23 97928]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-05-23 76040]
R2 SFC4;SFC4;c:\windows\system32\drivers\SFC4.sys [2008-02-02 41472]
R3 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\ZDCNDIS5.SYS [2008-10-28 19072]
S0 ati4gjxx;ati4gjxx;c:\windows\system32\Drivers\ati4gjxx.sys []
S0 ati5qvxx;ati5qvxx;c:\windows\system32\Drivers\ati5qvxx.sys []
S0 ati7imxx;ati7imxx;c:\windows\system32\Drivers\ati7imxx.sys []
S3 AX88178;Sitecom USB Gigabit LAN LN-028;c:\windows\system32\DRIVERS\ax88178.sys [2000-01-01 22144]
S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;c:\windows\system32\DRIVERS\ax88772.sys [2008-11-10 19072]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2008-10-28 20608]
S3 phil2vid;Fotocamera VGA USB Philip;c:\windows\system32\DRIVERS\philcam2.sys [2008-01-05 173696]
S3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;c:\windows\system32\DRIVERS\WlanUZXP.sys [2008-10-28 437760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69184af5-c060-11d3-bacb-ca2a390875c2}]
\Shell\Auto\command - gsokjsuix.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL gsokjsuix.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{990be390-87f1-11dd-bc37-ae29209c9ae6}]
\Shell\auto\command - Knight.exe open
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - Knight.exe open
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\command - Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1049a80-bbaf-11dc-bad1-d41fe9357ad6}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e274a8b1-be2d-11dd-bca0-bc0882c7ebbd}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

*Newly Created Service* - ZDCNDIS5
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\User\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2008-11-27 13:29]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-rs32net - c:\windows\System32\rs32net.exe
Notify-atyhibwx - atyhibwx.dll
MSConfigStartUp-Disk Knight - c:\windows\Knight.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Download with &DAP - c:\progra~1\DAP\dapextie.htm
TCP: {AF78D79F-4AAF-4551-9C95-BDF9EAA4D278} = 213.156.54.80,213.156.54.81
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 14:01:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\windows\system32\wdfmgr.exe
c:\programmi\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgemc.exe
c:\windows\system32\rundll32.exe
c:\progra~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
.
**************************************************************************
.
Completion time: 2008-12-02 14:12:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 13:11:36

Pre-Run: 8.147.091.456 bytes free
Post-Run: 8,518,811,648 bytes free

217 --- E O F --- 2008-11-14 15:57:26



P.S. AVG found this: C:\WINDOWS\sistem32\atyhibwx.dll. Do I have to delete it???


Re: PROBABLE VIRUS OR TROJAN

Post by Amantide » Tue Dec 02, 2008 3:03 pm

Next time, attach the logs following these instructions.

Copy and paste the following text into Notepad and save the file on the desktop with the name CFScript.txt.
File::
c:\windows\gsokjsuix.exe
C:\WINDOWS\sistem32\atyhibwx.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69184af5-c060-11d3-bacb-ca2a390875c2}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{990be390-87f1-11dd-bc37-ae29209c9ae6}]


Now drag the CFScript.txt file onto the ComboFix.exe icon. Post the log that ComboFix produces at the end of the scan.

Afterwards, plug all the storage devices you have (pen drives, external hard disks, MP3 players) into the PC and run a scan with the Perlovga Removal Tool.
...to fly high, you have to know how to fall...
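The MountPoints2 blocks in the ComboFix log above, and the CFScript in this reply that deletes two of them, are the heart of the clean-up, so it is worth seeing what is being judged. Windows caches a removable drive's autorun.inf handlers under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{volume GUID}; each Shell\<verb>\command value is what Explorer runs when that verb (AutoRun, open, explore, find, ...) is invoked on the drive. A normal autorun.inf populates only AutoRun, as the TomTom entry does; USB worms also override open, explore and find so that any interaction with the drive launches the copy they dropped, which they often hide in the drive's Recycled folder. The Python script below is an added example written for this page (the editor's code, not ComboFix's, not Amantide's, not anything posted in the thread): it parses the MountPoints2 blocks, applies those two heuristics (verb hijack and Recycled\ payload, both the editor's assumptions about what counts as suspicious), and emits a Registry:: stanza in the [-KEY] syntax used in the reply above. The sample log embedded in it is reconstructed from the first ComboFix log in the thread.

```python
"""Triage of ComboFix MountPoints2 entries and generation of the matching CFScript stanza.

Added example: the heuristics are the editor's, not ComboFix's or the forum helper's.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the four MountPoints2 blocks from the first ComboFix log
# posted in the thread, copied here so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69184af5-c060-11d3-bacb-ca2a390875c2}]
\Shell\Auto\command - gsokjsuix.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL gsokjsuix.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{990be390-87f1-11dd-bc37-ae29209c9ae6}]
\Shell\auto\command - Knight.exe open
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Knight.exe open
\Shell\explore\command - Knight.exe open
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\command - Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1049a80-bbaf-11dc-bad1-d41fe9357ad6}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e274a8b1-be2d-11dd-bca0-bc0882c7ebbd}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*?\\mountpoints2\\(\{[0-9a-f-]{36}\}))\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.+)$", re.I)
RUNDLL_RE = re.compile(r"ShellExec_RunDLL\s+(.+)$", re.I)


@dataclass
class MountPoint:
    key: str                                      # full registry key as printed by ComboFix
    guid: str                                     # volume GUID, lower-cased
    commands: dict = field(default_factory=dict)  # shell verb (lower-cased) -> command line


def parse_mountpoints(log_text):
    """Collect every MountPoints2 block and its Shell\\<verb>\\command values."""
    entries, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = MountPoint(key=m.group(1), guid=m.group(2).lower())
            entries.append(current)
        elif current is not None and (m := CMD_RE.match(line)):
            current.commands[m.group(1).lower()] = m.group(2).strip()
    return entries


def payload_of(command):
    """Executable the command ultimately launches, unwrapping the RunDLL32 ShellExec_RunDLL wrapper."""
    m = RUNDLL_RE.search(command)
    target = m.group(1) if m else command
    return target.split()[0]


def triage(entry):
    """Reasons an entry looks like a USB-worm autorun hijack; an empty list means nothing fired."""
    reasons = []
    # Heuristic 1 (assumption): a clean autorun.inf only sets AutoRun. Extra verbs
    # mean double-clicking, exploring or searching the drive runs the payload.
    hijacked = sorted(v for v in entry.commands if v != "autorun")
    if hijacked:
        reasons.append("overrides shell verb(s) %s, so opening or exploring the drive runs the payload"
                       % ", ".join(hijacked))
    # Heuristic 2 (assumption): a program living in the drive's Recycled folder is hiding.
    hidden = sorted({payload_of(c) for c in entry.commands.values()
                     if payload_of(c).lower().startswith("recycled\\")})
    if hidden:
        reasons.append("payload hidden in the drive's Recycled folder: %s" % ", ".join(hidden))
    return reasons


def build_cfscript(entries):
    """CFScript Registry:: stanza deleting the flagged keys, in the [-KEY] form used in the thread."""
    flagged = [e for e in entries if triage(e)]
    return "\n".join(["Registry::"] + ["[-%s]" % e.key for e in flagged]) + "\n"


if __name__ == "__main__":
    found = parse_mountpoints(SAMPLE_LOG)
    for e in found:
        verdict = triage(e)
        print(e.guid, "SUSPICIOUS" if verdict else "clean")
        for r in verdict:
            print("   -", r)
    print()
    print(build_cfscript(found), end="")
```

Run it as-is to see the verdicts; on a real ComboFix.txt, replace SAMPLE_LOG with the file's contents. The heuristics flag the same two keys the CFScript above deletes, and also the Recycled\ctfmon.exe one that the script above leaves alone; the TomTom installer entry stays clean. No File:: lines are generated, because the log only shows the file name launched from the drive, not where a copy was dropped on C:, which is why the reply names c:\windows\gsokjsuix.exe by hand. Two caveats: deleting the MountPoints2 key clears only the cached handler, while the autorun.inf and payload on the removable media survive until the media itself is cleaned, which is what the Perlovga Removal Tool step is for; and a verdict of "clean" only means neither heuristic fired, not that the entry was verified.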

Re: PROBABLE VIRUS OR TROJAN

Post by SUMMERBOY » Tue Dec 02, 2008 4:47 pm

I did as you said; here is the log:

ComboFix 08-12-01.01 - User 2008-12-02 15.37.40.2 - NTFSx86
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\gsokjsuix.exe
c:\windows\sistem32\atyhibwx.dll
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_restore


((((((((((((((((((((((((( Files Created From 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))))))
.

2008-12-01 20:08 . 2008-12-01 20:16 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-12-01 12:30 . 2008-12-02 14:18 32,768 --a------ c:\windows\system32\drivers\ati8pvxx.sys
2008-11-29 17:11 . 2008-11-29 17:11 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\TomTom
2008-11-29 16:53 . 2008-11-29 16:53 <DIR> d-------- c:\documents and settings\User\Dati applicazioni\TomTom
2008-11-26 19:02 . 2008-11-26 19:19 <DIR> d-------- c:\windows\system32\Adobe
2008-11-22 13:56 . 1996-11-07 14:51 308,736 --a------ c:\windows\system32\Fpxlib.dll
2008-11-22 13:56 . 1996-11-07 14:51 91,136 --a------ c:\windows\system32\Jpeglib.dll
2008-11-22 13:56 . 1999-08-18 01:51 56,832 --a------ c:\windows\system32\VideoSin.ax
2008-11-17 19:18 . 2008-11-17 19:26 754 --a------ c:\windows\WORDPAD.INI
2008-11-16 20:09 . 2008-11-16 20:09 <DIR> d-------- c:\programmi\Sony Setup
2008-11-10 17:52 . 2008-11-10 17:52 <DIR> d-------- c:\programmi\ASIX Electronics Corporation
2008-11-10 17:52 . 2006-09-06 16:35 19,072 --a------ c:\windows\system32\drivers\ax88772.sys
2008-11-10 17:24 . 2008-04-14 03:13 579,584 --a------ c:\windows\system32\user32.dll
2008-11-06 11:40 . 2008-11-06 11:40 <DIR> d-------- c:\programmi\ZyXEL
2008-11-06 11:39 . 2008-11-06 11:39 <DIR> d-------- c:\documents and settings\User\Dati applicazioni\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 22:24 --------- d-----w c:\programmi\eMule
2008-11-22 12:56 --------- d-----w c:\programmi\Philips Vesta Camera
2008-11-10 16:52 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-11-10 16:51 --------- d-----w c:\programmi\File comuni\InstallShield
2008-11-02 16:27 --------- d-----w c:\documents and settings\User\Dati applicazioni\gtk-2.0
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-02 17:53 --------- d-----w c:\documents and settings\User\Dati applicazioni\LimeWire
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 15:38 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:44 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-02-01 17:05 32 ----a-w c:\documents and settings\All Users\Dati applicazioni\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-02_14.09.14.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-01 22:46:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-02 14:32:48 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-01 22:46:11 49,152 ----a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2008-12-02 14:32:48 65,536 ----a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2008-12-02 14:32:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012008120220081203\index.dat
+ 2008-12-02 14:32:48 163,840 ----a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\programmi\myBabylon\tbmyBa.dll" [2008-02-14 1555480]

[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
2008-02-14 13:54 1555480 --a------ c:\programmi\myBabylon\tbmyBa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\programmi\myBabylon\tbmyBa.dll" [2008-02-14 1555480]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{34EA1C70-42CC-42C5-AA29-EC58B95A343E}"= "c:\programmi\myBabylon\tbmyBa.dll" [2008-02-14 1555480]

[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"Google Update"="c:\documents and settings\User\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2008-11-27 133104]
"TomTomHOME.exe"="d:\programmi\TomTom HOME 2\HOMERunner.exe" [2008-11-27 234856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2005-12-13 217088]
"PE2CKFNT SE"="c:\programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 25088]
"InstantAccess"="c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [1998-07-07 37376]
"RegisterDropHandler"="c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 c:\windows\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Bluetooth Manager.lnk - c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-05-22 2756608]
Utilità adattatore wireless ZyXEL G-202.lnk - c:\programmi\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe [2008-11-06 10907648]
Watch.lnk - c:\windows\twain_32\CIS600X\WATCH.exe [2008-02-02 356352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati4gjxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5qvxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7imxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8pvxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 c:\programmi\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\programmi\File comuni\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\programmi\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
-ra------ 2004-06-29 17:42 569344 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
"c:\\Programmi\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\DAP\\DAP.exe"=
"c:\\Programmi\\ZyXEL\\ZyXEL G-202 Wireless Adapter Utility\\ZyXEL G-202.exe"=

R0 ati8pvxx;ati8pvxx;c:\windows\system32\Drivers\ati8pvxx.sys [2008-12-01 32768]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-23 97928]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-05-23 76040]
R2 SFC4;SFC4;c:\windows\system32\drivers\SFC4.sys [2008-02-02 41472]
R3 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;\??\c:\windows\system32\ZDCNDIS5.SYS [2008-10-28 19072]
R3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;c:\windows\system32\DRIVERS\WlanUZXP.sys [2008-10-28 437760]
S0 ati4gjxx;ati4gjxx;c:\windows\system32\Drivers\ati4gjxx.sys []
S0 ati5qvxx;ati5qvxx;c:\windows\system32\Drivers\ati5qvxx.sys []
S0 ati7imxx;ati7imxx;c:\windows\system32\Drivers\ati7imxx.sys []
S3 AX88178;Sitecom USB Gigabit LAN LN-028;c:\windows\system32\DRIVERS\ax88178.sys [2000-01-01 22144]
S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;c:\windows\system32\DRIVERS\ax88772.sys [2008-11-10 19072]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2008-10-28 20608]
S3 phil2vid;Fotocamera VGA USB Philip;c:\windows\system32\DRIVERS\philcam2.sys [2008-01-05 173696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1049a80-bbaf-11dc-bad1-d41fe9357ad6}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e274a8b1-be2d-11dd-bca0-bc0882c7ebbd}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe
.
Contenuto della cartella 'Scheduled Tasks'

2008-12-02 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\User\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2008-11-27 13:29]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 15:47:38
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgemc.exe
c:\windows\system32\rundll32.exe
c:\progra~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\programmi\AVG\AVG8\avgrsx.exe
c:\programmi\AVG\AVG8\avgrsx.exe
c:\programmi\AVG\AVG8\avgrsx.exe
c:\programmi\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Ora fine scansione: 2008-12-02 15:57:59 - macchina è stato riavviato
ComboFix-quarantined-files.txt 2008-12-02 14:57:33
ComboFix2.txt 2008-12-02 13:12:28

Pre-Run: 8.170.749.952 byte disponibili
Post-Run: 8,494,321,664 byte disponibili

193 --- E O F --- 2008-11-14 15:57:26

Do I also have to include things like the cameras??
I also ran the scan with Malwarebytes' Anti-Malware and found 3 dangerous objects, which I deleted. Now I've turned the PC on again but AVG found this:
C:\WINDOWS\SISTEM32\DRIVERS\ATI8PVXX.SYS
WHAT SHOULD I DO??

Re: PROBABLE VIRUS OR TROJAN

Post by Amantide » Tue Dec 02, 2008 5:06 pm

SUMMERBOY wrote: Do I also have to include things like the cameras??

If possible, yes.

SUMMERBOY wrote: I also ran the scan with Malwarebytes' Anti-Malware and found 3 dangerous objects, which I deleted. Now I've turned the PC on again but AVG found this:
C:\WINDOWS\SISTEM32\DRIVERS\ATI8PVXX.SYS
WHAT SHOULD I DO??

Oh right, I had missed that one, I had taken it for a video card file.
And besides this one there are other similar ones too.

Create another CFScript.txt file with this content and drag it onto ComboFix:

File::
C:\WINDOWS\SISTEM32\DRIVERS\ATI8PVXX.SYS
C:\WINDOWS\SISTEM32\DRIVERS\ati4gjxx.sys
C:\WINDOWS\SISTEM32\DRIVERS\ati5qvxx.sys
C:\WINDOWS\SISTEM32\DRIVERS\ati7imxx.sys

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati4gjxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5qvxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7imxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8pvxx.sys]

Driver::
ati4gjxx
ati5qvxx
ati7imxx
ATI8PVXX
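
As an added example (not ComboFix's code and not from either poster), a small Python triage script that applies the same heuristics Amantide used on the log above: driver/service entries registered with no file information, a mount-point AutoRun command launching from a Recycled folder, and the two Security Center notification-suppression values. The sample lines are constructed from entries in this thread; the line patterns, severities and the `build_cfscript` helper are my own assumptions, not ComboFix's.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the thread's log, not a full ComboFix report.
SAMPLE_LOG = r"""
R0 ati8pvxx;ati8pvxx;c:\windows\system32\Drivers\ati8pvxx.sys [2008-12-01 32768]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-23 97928]
S0 ati4gjxx;ati4gjxx;c:\windows\system32\Drivers\ati4gjxx.sys []
S0 ati5qvxx;ati5qvxx;c:\windows\system32\Drivers\ati5qvxx.sys []
S3 phil2vid;Fotocamera VGA USB Philip;c:\windows\system32\DRIVERS\philcam2.sys [2008-01-05 173696]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

# Line shapes as ComboFix prints them (inferred from the log above, not an official grammar).
DRIVER_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")
SECCENTER_RE = re.compile(r'^"(AntiVirusDisableNotify|UpdatesDisableNotify)"=dword:0*1$')

Finding = Tuple[str, str, str]  # (severity, reason, subject)

def triage(log_text: str) -> List[Finding]:
    """Flag the kinds of entries the helper in this thread picked out."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            _, name, display, _path, info = m.groups()
            if info == "":
                # Service still registered but no file date/size: the binary is
                # missing or hidden, typical of a dropped rootkit component.
                findings.append(("high", "driver entry with no file info", name))
            elif display == name:
                # Vendor drivers normally carry a description; a bare repeated
                # name deserves a second look (ati8pvxx was missed at first).
                findings.append(("low", "driver without display name", name))
            continue
        m = AUTORUN_RE.match(line)
        if m and "recycled\\" in m.group(1).lower():
            # AutoRun on a mount point launching from a Recycled folder: the
            # real ctfmon.exe lives in system32, not in a recycle bin.
            findings.append(("high", "autorun launches from Recycled", m.group(1)))
            continue
        m = SECCENTER_RE.match(line)
        if m:
            findings.append(("medium", "Security Center alert suppressed", m.group(1)))
    return findings

def build_cfscript(findings: List[Finding], severities=("high",)) -> str:
    """Assemble the Driver:: stanza in the CFScript.txt form used in the thread."""
    # Only driver findings at the chosen severities; review by hand before use.
    names = [s for sev, reason, s in findings
             if reason.startswith("driver") and sev in severities]
    return "Driver::\n" + "\n".join(names) + "\n" if names else ""
```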

Re: PROBABLE VIRUS OR TROJAN

Post by SUMMERBOY » Tue Dec 02, 2008 5:41 pm

After I've done these, is it fixed???

Re: PROBABLE VIRUS OR TROJAN

Post by Amantide » Tue Dec 02, 2008 5:52 pm

SUMMERBOY wrote: After I've done these, is it fixed???

I'd say so.
I went over the log once more and apart from these entries nothing else suspicious is visible.

Re: PROBABLE VIRUS OR TROJAN

Post by SUMMERBOY » Tue Dec 02, 2008 8:16 pm

Hi, I've removed the last ones too, now I'm posting the log:

ComboFix 08-12-01.01 - User 2008-12-02 19.48.56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.13 [GMT 1:00]
Eseguito da: c:\documents and settings\User\Desktop\ComboFix.exe
Interruttori di comando utilizzati :: c:\documents and settings\User\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::
c:\windows\SISTEM32\DRIVERS\ati4gjxx.sys
c:\windows\SISTEM32\DRIVERS\ati5qvxx.sys
c:\windows\SISTEM32\DRIVERS\ati7imxx.sys
c:\windows\SISTEM32\DRIVERS\ATI8PVXX.SYS
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI8PVXX
-------\Service_ati4gjxx
-------\Service_ati5qvxx
-------\Service_ati7imxx
-------\Service_ati8pvxx


((((((((((((((((((((((((( Files Creati Da 2008-11-02 al 2008-12-02 )))))))))))))))))))))))))))))))))))
.

2008-12-02 16:11 . 2008-12-02 16:11 <DIR> d-------- c:\documents and settings\User\Dati applicazioni\Malwarebytes
2008-12-02 16:11 . 2008-12-02 16:11 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2008-12-02 16:11 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-02 16:11 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 20:08 . 2008-12-01 20:16 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-11-29 17:11 . 2008-11-29 17:11 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\TomTom
2008-11-29 16:53 . 2008-11-29 16:53 <DIR> d-------- c:\documents and settings\User\Dati applicazioni\TomTom
2008-11-26 19:02 . 2008-11-26 19:19 <DIR> d-------- c:\windows\system32\Adobe
2008-11-22 13:56 . 1996-11-07 14:51 308,736 --a------ c:\windows\system32\Fpxlib.dll
2008-11-22 13:56 . 1996-11-07 14:51 91,136 --a------ c:\windows\system32\Jpeglib.dll
2008-11-22 13:56 . 1999-08-18 01:51 56,832 --a------ c:\windows\system32\VideoSin.ax
2008-11-17 19:18 . 2008-11-17 19:26 754 --a------ c:\windows\WORDPAD.INI
2008-11-16 20:09 . 2008-11-16 20:09 <DIR> d-------- c:\programmi\Sony Setup
2008-11-10 17:52 . 2008-11-10 17:52 <DIR> d-------- c:\programmi\ASIX Electronics Corporation
2008-11-10 17:52 . 2006-09-06 16:35 19,072 --a------ c:\windows\system32\drivers\ax88772.sys
2008-11-10 17:24 . 2008-04-14 03:13 579,584 --a------ c:\windows\system32\user32.dll
2008-11-06 11:40 . 2008-11-06 11:40 <DIR> d-------- c:\programmi\ZyXEL
2008-11-06 11:39 . 2008-11-06 11:39 <DIR> d-------- c:\documents and settings\User\Dati applicazioni\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-29 22:24 --------- d-----w c:\programmi\eMule
2008-11-22 12:56 --------- d-----w c:\programmi\Philips Vesta Camera
2008-11-10 16:52 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-11-10 16:51 --------- d-----w c:\programmi\File comuni\InstallShield
2008-11-02 16:27 --------- d-----w c:\documents and settings\User\Dati applicazioni\gtk-2.0
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-02 17:53 --------- d-----w c:\documents and settings\User\Dati applicazioni\LimeWire
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 15:38 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:44 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-02-01 17:05 32 ----a-w c:\documents and settings\All Users\Dati applicazioni\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-02_14.09.14.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-01 22:46:11 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-02 14:32:48 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-01 22:46:11 49,152 ----a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2008-12-02 14:32:48 65,536 ----a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2008-12-02 14:32:31 32,768 ----a-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012008120220081203\index.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\programmi\myBabylon\tbmyBa.dll" [2008-02-14 1555480]

[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
2008-02-14 13:54 1555480 --a------ c:\programmi\myBabylon\tbmyBa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\programmi\myBabylon\tbmyBa.dll" [2008-02-14 1555480]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{34EA1C70-42CC-42C5-AA29-EC58B95A343E}"= "c:\programmi\myBabylon\tbmyBa.dll" [2008-02-14 1555480]

[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"TomTomHOME.exe"="d:\programmi\TomTom HOME 2\HOMERunner.exe" [2008-11-27 234856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2005-12-13 217088]
"PE2CKFNT SE"="c:\programmi\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe" [1998-07-03 25088]
"InstantAccess"="c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [1998-07-07 37376]
"RegisterDropHandler"="c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 c:\windows\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Bluetooth Manager.lnk - c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-05-22 2756608]
Utilit… adattatore wireless ZyXEL G-202.lnk - c:\programmi\ZyXEL\ZyXEL G-202 Wireless Adapter Utility\ZyXEL G-202.exe [2008-11-06 10907648]
Watch.lnk - c:\windows\twain_32\CIS600X\WATCH.exe [2008-02-02 356352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 c:\programmi\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\programmi\File comuni\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\programmi\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
-ra------ 2004-06-29 17:42 569344 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
"c:\\Programmi\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVG8\\avgemc.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\DAP\\DAP.exe"=
"c:\\Programmi\\ZyXEL\\ZyXEL G-202 Wireless Adapter Utility\\ZyXEL G-202.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1049a80-bbaf-11dc-bad1-d41fe9357ad6}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e274a8b1-be2d-11dd-bca0-bc0882c7ebbd}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 20:01:41
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\AVG\AVG8\avgemc.exe
c:\programmi\AVG\AVG8\avgrsx.exe
c:\programmi\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
c:\progra~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
.
**************************************************************************
.
Ora fine scansione: 2008-12-02 20:12:02 - macchina è stato riavviato
ComboFix-quarantined-files.txt 2008-12-02 19:11:44
ComboFix2.txt 2008-12-02 14:58:12
ComboFix3.txt 2008-12-02 13:12:28

Pre-Run: 8.461.160.448 byte disponibili
Post-Run: 8,495,407,104 byte disponibili

176 --- E O F --- 2008-11-14 15:57:26

now the PC runs better, and you can tell.
THANK YOU THANK YOU THANK YOU SO MUCH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Re: PROBABLE VIRUS OR TROJAN

Post by Amantide » Tue Dec 02, 2008 9:59 pm

Now the log looks clean



megalab.it: daily online publication registered with the Court of Cosenza no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising