W32/Agobot

Post by tyger » Thu Apr 02, 2009 8:50 pm

I'm here again asking for your precious help.
On my laptop I have unfortunately run into the AGOBOT.RT worm.
Win XP Home is enormously slowed down;
I searched here on MegaLab but found no help. Maybe I didn't know how to search???
I'm posting the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.27.36, on 02/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system\svhost.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\NETGEAR\WPN511\Utility\WPN511.exe
C:\Programmi\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\sysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\TEMP\53.exe
C:\WINDOWS\system32\msr.exe
C:\WINDOWS\System32\svchost.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AS00_WPN511] C:\Programmi\NETGEAR\WPN511\Utility\WPN511.exe -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WebCam Go Sti Service Application] wbcgosvc
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [\\Pc-giuseppe\EPSON Stylus Office B40W(Rete)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIELE.EXE /FU "C:\DOCUME~1\Alexia\IMPOST~1\Temp\E_S3.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\it.htm
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Network Monitor service (MSNETDED) - Unknown owner - C:\WINDOWS\system\svhost.exe
O23 - Service: Microsoft Reverse Proxy Service (msrpxy) - Unknown owner - C:\WINDOWS\system32\msr.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7138 bytes

I'm also posting the ScanSpyware log, I hope it can be useful

ScanSpyware 3.9 (Build 1.5)
===========================

Scan Log created at: April 02, 2009 [05:35:58 PM] (GMT+02:00)

Platform: Microsoft Windows XP Home Edition Service Pack 2 (5.1.2600)
MSIE: Internet Explorer 6.0.2900

Unique App Id: 56779D95-DD78ADAF-5EA304E7-E49D5C4B
Last Updated: April 02, 2009 (05:29:24 PM)


Preferences
~~~~~~~~~~~

[ ] Quick Scan
(Fast yet Powerfull)
[X] Deep Scan
(Recommended)
[ ] Custom Scan
(Be Selective)

[ ] Remove threats automatically after every scan.
[X] Create a 'Restore Point' before removing threats.
[X] Always send found threats to quarantine.
[X] Create a log-file automatically after every scan.
[ ] Launch app at Windows startup
[ ] Start scan when app starts
[ ] Scan in silent mode
[ ] Close app after completing scan


Scan Summary
~~~~~~~~~~~~

Processes scanned: 47
Processes detected: 0
Cookies scanned: 46
Cookies detected: 0
Directories scanned: 9128
Directories detected: 0
Files scanned: 219822
Files detected: 5
Registry entries scanned: 155800
Registry entries detected: 10
Total objects scanned: 384843
Total objects detected: 15
Total objects removed: 0
Elapsed Time: 00:05:28


Scan Report
~~~~~~~~~~~


[Object Type : File]
--------------------
C:\WINDOWS\system32\msr.exe - (bcb07d5ec848a53ea16153ff38bc8cd8) - (Action to be taken : Quarantine) - belongs to "Agobot.RT"
C:\WINDOWS\system32\msvcrt2.dll - (c12b6317a2ef23300beaad9043e6ba85) - (Action to be taken : Quarantine) - belongs to "Rbot.CIG"
C:\WINDOWS\system32\perfh010.dat - (f823e4cff5ecf84fe217d82721971397) - (Action to be taken : Quarantine) - belongs to "Keylog-AG"
C:\WINDOWS\system32\SysMgr.exe - (916db2e2c2d1ed7af89dd8ebb9c7d84c) - (Action to be taken : Quarantine) - belongs to "Rbot.CIG"
C:\WINDOWS\system32\drivers\sysdrv32.sys - (0e219b74e2c68a34ca09d8fe114f6d11) - (Action to be taken : Quarantine) - belongs to "IRCbot.K"

[Object Type : Registry Key]
----------------------------
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32 - (Action to be taken : Quarantine) - belongs to "IRCbot.K"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysdrv32 - (Action to be taken : Quarantine) - belongs to "IRCbot.K"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32 - (Action to be taken : Quarantine) - belongs to "IRCbot.K"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SYSDRV32 - (Action to be taken : Quarantine) - belongs to "IRCbot.K"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SYSDRV32 - (Action to be taken : Quarantine) - belongs to "IRCbot.K"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32 - (Action to be taken : Quarantine) - belongs to "IRCbot.K"
HKEY_CURRENT_USER\SOFTWARE\FreeWare - (Action to be taken : Quarantine) - belongs to "MainPean"
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} - (Action to be taken : Quarantine) - belongs to "Virus Melt"
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} - (Action to be taken : Quarantine) - belongs to "Virus Melt"

[Object Type : Registry Value]
------------------------------
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, Microsoft(R) System Manager - (Action to be taken : Quarantine) - belongs to "Rbot.CIG"

Thanks to everyone in advance!!
[thanks]
tyger
Aficionado

Posts: 74
Joined: Tue Aug 05, 2008 5:09 pm
Location: Andora

Re: W32/Agobot

Post by ste_95 » Thu Apr 02, 2009 9:04 pm

ScanSpyware has already quarantined everything; anyway, download ComboFix, saving it to the desktop under a made-up name, and run the scan following these instructions (at the bottom). When the scan finishes the report file C:\combofix.txt will be created; copy its contents here, placing them between LOG tags, like this:
Code:
[LOG]the log goes here[/LOG]
«Sometimes it is better to stay silent and seem stupid than to open your mouth and remove all doubt.» Oscar Wilde
ste_95
Official Member (Gold)

Posts: 17271
Joined: Mon Aug 06, 2007 11:19 am

Re: W32/Agobot

Post by tyger » Thu Apr 02, 2009 10:10 pm

ste_95 wrote:ScanSpyware has already quarantined...

I used ScanSpyware in the trial version, so after the scan it did not fix the problem.
I attach the ComboFix log

ComboFix 09-04-01.01 - Alexia 2009-04-02 22.16.01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.511.240 [GMT 2:00]
Running from: G:\Pincopallino.exe
AV: avast! antivirus 4.8.1169 [VPS 080329-0] *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system\services.exe
c:\windows\system\svhost.exe
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system32\sysmgr.exe
c:\windows\Temp\14.exe
c:\windows\Temp\26.exe
c:\windows\Temp\34.exe
c:\windows\Temp\36.exe
c:\windows\Temp\53.exe
c:\windows\Temp\55.exe
c:\windows\Temp\68.exe
c:\windows\Temp\75.exe
c:\windows\Temp\76.exe
c:\windows\Temp\78.exe
c:\windows\Temp\84.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32
-------\Service_sysdrv32


((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))))))
.

2009-04-02 22:03 . 2009-04-02 22:05 <DIR> d-------- C:\ComboFix
2009-04-02 18:39 . 2009-04-02 18:39 102,425 --a------ c:\windows\system32\msvcrt2.dll
2009-04-02 18:31 . 2008-05-04 23:41 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-04-02 18:31 . 2008-05-04 23:41 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di stampa
2009-04-02 18:31 . 2008-05-04 23:41 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di rete
2009-04-02 18:31 . 2008-05-04 23:42 <DIR> dr------- c:\documents and settings\Administrator\Preferiti
2009-04-02 18:31 . 2008-05-04 23:42 <DIR> d--h----- c:\documents and settings\Administrator\Modelli
2009-04-02 18:31 . 2008-05-04 23:42 <DIR> dr------- c:\documents and settings\Administrator\Menu Avvio
2009-04-02 18:31 . 2009-04-02 22:17 <DIR> d--h----- c:\documents and settings\Administrator\Impostazioni locali
2009-04-02 18:31 . 2008-05-04 23:42 <DIR> dr------- c:\documents and settings\Administrator\Documenti
2009-04-02 18:31 . 2008-05-04 23:42 <DIR> dr-h----- c:\documents and settings\Administrator\Dati applicazioni
2009-04-02 18:31 . 2009-04-02 18:31 <DIR> d-------- c:\documents and settings\Administrator
2009-04-02 17:24 . 2009-04-02 17:24 <DIR> d-------- c:\programmi\ScanSpyware
2009-04-02 17:24 . 2008-09-07 17:22 8,704 --a------ c:\windows\system32\ssbtsr.exe
2009-04-02 17:08 . 2009-04-02 17:11 <DIR> d-------- C:\scanspyware
2009-03-29 15:20 . 2009-03-29 15:20 59,904 --a------ c:\windows\system32\75.scr
2009-03-29 13:25 . 2009-03-29 13:25 59,904 --a------ c:\windows\system32\51.scr
2009-03-28 13:36 . 2009-03-28 13:36 59,904 --a------ c:\windows\system32\86.scr
2009-03-20 08:41 . 2009-03-20 08:41 966,656 ---h----- c:\windows\system32\msr.exe
2009-03-19 10:28 . 2009-04-02 22:20 <DIR> d-a------ c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-03-08 10:34 . 2009-03-08 22:16 <DIR> d-------- c:\programmi\WinUAE
2009-03-05 18:18 . 2009-03-05 18:18 <DIR> d-------- c:\documents and settings\Alexia\Dati applicazioni\fltk.org

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 16:53 --------- d-----w c:\documents and settings\Alexia\Dati applicazioni\Spyware Terminator
2009-04-02 13:17 --------- d-----w c:\programmi\Spyware Terminator
2009-04-02 13:14 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spyware Terminator
2009-04-02 06:53 --------- d-----w c:\programmi\AdunanzA
2009-03-31 16:57 --------- d-----w c:\documents and settings\Alexia\Dati applicazioni\Corel
2009-03-31 16:53 2,568 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-05-05 17:14 88 --sh--r c:\windows\system32\ECE7800293.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate/default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 1688872]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-20 68856]
"\\Pc-giuseppe\EPSON Stylus Office B40W(Rete)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIELE.EXE" [2008-03-12 188928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCam Go Sti Service Application"="wbcgosvc" [X]
"SynTPLpr"="c:\programmi\Synaptics\SynTP\SynTPLpr.exe" [2003-11-19 98304]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2003-11-19 499712]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-12-17 3059712]
"AS00_WPN511"="c:\programmi\NETGEAR\WPN511\Utility\WPN511.exe" [2006-01-20 1421419]
"NeroFilterCheck"="c:\programmi\File comuni\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2004-07-16 77824]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 79224]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-19 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= divxa32.acm
"VIDC.CJPG"= ctwbjpg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0oodbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSNETDED]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\microsoft office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\RealVNC\\VNC4\\vncviewer.exe"=
"c:\\Programmi\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Programmi\\AdunanzA\\eMule_AdnzA.exe"=
"c:\\WINDOWS\\System32\\86.scr"=
"c:\\WINDOWS\\System32\\51.scr"=
"c:\\WINDOWS\\System32\\75.scr"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [2004-07-16 11264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-04-02 75856]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-01-21 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-04-02 20560]
R2 msrpxy;Microsoft Reverse Proxy Service;c:\windows\system32\msr.exe [2009-03-20 966656]
R3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2008-05-04 16194]
S2 MSNETDED;Network Monitor service;"c:\windows\system\svhost.exe" --> c:\windows\system\svhost.exe [?]
S3 NETGEAR_WPN511_SERVICE;NETGEAR WPN511 Wireless Adapter Service;c:\windows\system32\drivers\wpn511.sys [2008-05-04 449888]
S3 WBCGOHAL;WBCGOHAL;c:\windows\system32\drivers\wbcgohal.sys [2008-11-07 6592]
S3 WBCGOVID;Video Blaster WebCam Go (WDM);c:\windows\system32\drivers\wbcgovid.sys [2008-11-07 86656]
S3 WCGOHAL;WCGOHAL;c:\windows\system32\drivers\wbcgohal.sys [2008-11-07 6592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0781dd96-404d-11dd-904b-806d6172696f}]
\Shell\AutoRun\command - G:\load.exe /CDROM
.
Contents of the 'Scheduled Tasks' folder

2008-05-18 c:\windows\Tasks\HDReg.job
- c:\apps\HDReg\HDRegRem.exe [2003-07-15 10:14]

2008-05-11 c:\windows\Tasks\Promemoria registrazione 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-19 15:39]

2008-05-18 c:\windows\Tasks\Promemoria registrazione 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-08-19 15:39]

2009-04-02 c:\windows\Tasks\Verifica aggiornamenti per Windows Live Toolbar.job
- c:\programmi\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANED KEYS REMOVED - - - -

HKLM-Run-Microsoft(R) System Manager - c:\windows\system32\sysmgr.exe
SafeBoot-SVCWINSPOOL


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: &Windows Live Search - c:\programmi\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 22:20:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="[value omitted]"
.
------------------------ Other Running Processes ------------------------
.
c:\programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\programmi\Alwil Software\Avast4\aswUpdSv.exe
c:\programmi\Alwil Software\Avast4\ashServ.exe
c:\programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
c:\programmi\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\programmi\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wdfmgr.exe
c:\programmi\RealVNC\VNC4\winvnc4.exe
c:\programmi\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wscntfy.exe
c:\programmi\Alwil Software\Avast4\ashWebSv.exe
c:\programmi\File comuni\Nero\Lib\NMIndexingService.exe
.
**************************************************************************
.
Scan completion time: 2009-04-02 22:22:16 - The PC was rebooted
ComboFix-quarantined-files.txt 2009-04-02 20:22:13

Pre-Run: 993.218.560 bytes free
Post-Run: 1,078,611,968 bytes free

tyger
Aficionado

Posts: 74
Joined: Tue Aug 05, 2008 5:09 pm
Location: Andora


Re: W32/Agobot

Post by ste_95 » Fri Apr 03, 2009 7:55 am

These smell fishy to me:

"c:\\WINDOWS\\System32\\86.scr"=
"c:\\WINDOWS\\System32\\51.scr"=
"c:\\WINDOWS\\System32\\75.scr"=


Have them scanned at http://www.virustotal.com.

Then download Avenger
Extract it to a folder of your choice
Run the avenger.exe file, the one with the sword icon
Now paste these lines into the white box that has opened:

Code:
Files to delete:
C:\WINDOWS\system32\msr.exe
C:\WINDOWS\system32\msvcrt2.dll
C:\WINDOWS\system32\perfh010.dat
C:\WINDOWS\system32\SysMgr.exe
C:\WINDOWS\system32\drivers\sysdrv32.sys


Untick the Scan for Rootkits option
Press the Execute button
Answer Yes to Avenger's two prompts
Your computer should now reboot; if it doesn't, reboot it yourself manually
After the computer restarts, copy and paste here the contents of the Notepad window that will appear.

If Avenger reports an error, try retyping the first line (Files to delete:) by hand, remembering the colon.
ste_95
Official Member (Gold)

Posts: 17271
Joined: Mon Aug 06, 2007 11:19 am
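The triage ste_95 does by eye in the posts above (the numeric .scr names in the firewall exception list, and before that the svhost.exe under C:\WINDOWS\system, the owner-less services and the numbered .exe files in TEMP) can be written down as a small set of rules and run over the log text. The following Python is an added example, not part of the thread and not code from HijackThis, ComboFix or Avenger. SAMPLE_LOG is copied line for line from the logs posted above; the LOOKALIKES table, the directory rules and the numeric-name rule are this example's own assumptions about what a responder checks first, not any product's signatures, and a hit means "look at this", not "this is malware".

```python
"""Heuristic triage of HijackThis-style log lines.

Added example, not part of the forum thread and not code from HijackThis,
ComboFix or Avenger. The sample lines are copied from the logs posted in the
thread; the look-alike table and the path rules are this example's own
assumptions about what a responder checks first, not any product's signatures.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied verbatim from the HijackThis and ComboFix logs posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system\svhost.exe
C:\WINDOWS\TEMP\53.exe
C:\WINDOWS\system32\msr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: Network Monitor service (MSNETDED) - Unknown owner - C:\WINDOWS\system\svhost.exe
O23 - Service: Microsoft Reverse Proxy Service (msrpxy) - Unknown owner - C:\WINDOWS\system32\msr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe
"c:\\WINDOWS\\System32\\86.scr"=
"c:\\Programmi\\RealVNC\\VNC4\\winvnc4.exe"=
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

EXEC_EXT = {"exe", "scr", "dll", "sys", "com", "pif", "bat", "cmd"}
# Assumed look-alike table: file names one letter away from core Windows binaries.
LOOKALIKES = {"svhost.exe": "svchost.exe", "scvhost.exe": "svchost.exe",
              "lsas.exe": "lsass.exe", "explore.exe": "explorer.exe"}

O4_RE = re.compile(r"^O4 - .*?: \[[^\]]*\]\s*(.+)$")           # Run-key entries
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.*?) - (.+)$")  # name - owner - path
FW_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')                 # GloballyOpenPorts
FW_APP_RE = re.compile(r'^"(.+?)"=\s*$')                        # AuthorizedApplications
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # "Running processes" lines
EXE_RE = re.compile(r'([^"\s][^"]*?\.(?:exe|scr|dll|sys|com|pif|bat|cmd))(?=["\s,]|$)', re.I)


@dataclass
class Finding:
    line: str
    path: str
    reasons: List[str]


def normalise(path: str) -> str:
    """Collapse the doubled backslashes of firewall-policy values and lower-case."""
    return path.replace("\\\\", "\\").lower()


def first_executable(command: str) -> Optional[str]:
    """Pull the first executable out of a command line, ignoring quotes and arguments."""
    m = EXE_RE.search(command)
    return m.group(1) if m else None


def classify(line: str) -> Tuple[str, Optional[str], str]:
    """Return (kind, path-or-port, owner) for one log line."""
    if m := O23_RE.match(line):
        return "service", first_executable(m.group(3)), m.group(2)
    if m := O4_RE.match(line):
        return "run-key", first_executable(m.group(1)), ""
    if m := FW_PORT_RE.match(line):
        return "port", f"{m.group(1)}/{m.group(2)}", ""
    if m := FW_APP_RE.match(line):
        return "firewall-app", m.group(1), ""
    if BARE_PATH_RE.match(line):
        return "process", line, ""
    return "other", None, ""


def reasons_for(path: str, kind: str, owner: str) -> List[str]:
    """Apply the review rules (this example's assumptions) to one path."""
    p = normalise(path)
    name = p.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    out: List[str] = []
    if name in LOOKALIKES:
        out.append(f"name imitates {LOOKALIKES[name]}")
    if "\\windows\\system\\" in p:
        out.append("runs from \\WINDOWS\\system, not system32")
    if "\\temp\\" in p and ext in EXEC_EXT:
        out.append("executable launched from a TEMP directory")
    if stem.isdigit() and ext in EXEC_EXT:
        out.append("purely numeric file name")
    if kind == "firewall-app" and ext == "scr":
        out.append("screensaver authorised through the firewall")
    if kind == "service" and owner.strip().lower() in ("", "unknown owner"):
        out.append("service with no vendor/owner")
    return out


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that trips at least one rule."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, target, owner = classify(line)
        if target is None:
            continue
        if kind == "port":
            findings.append(Finding(line, target, [f"inbound port opened to all sources: {target}"]))
            continue
        reasons = reasons_for(target, kind, owner)
        if reasons:
            findings.append(Finding(line, normalise(target), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.path}\n    {'; '.join(f.reasons)}\n    <- {f.line}")
```

Run against the sample, it flags svhost.exe twice (as a running process and as the MSNETDED service), the numbered TEMP executable, the owner-less msrpxy service, the 86.scr firewall exception and the globally open 3389/TCP port, while svchost.exe in system32, the avast entries and the RealVNC entries pass. The RealVNC and 3389 items are the kind a responder still asks about (was remote access meant to be there?), which is why the port rule reports rather than decides.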

Re: W32/Agobot

Post by tyger » Fri Apr 03, 2009 6:41 pm

The files you suggested testing I checked on the site you pointed me to, and they turn out to be leftovers of "svhost.exe". ComboFix didn't see it, probably because I had managed to delete it manually last night. The Avenger script worked; some files it didn't find, but anyway after the next reboot "msr.exe", which I believe is the culprit file, no longer appeared in the Task Manager process list or in the System32 system folder. So we should have wiped it all out. I attach The Avenger log [^]
[thanks]

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File "C:\WINDOWS\system32\msr.exe" deleted successfully.
File "C:\WINDOWS\system32\msvcrt2.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\perfh010.dat" not found!
Deletion of file "C:\WINDOWS\system32\perfh010.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\SysMgr.exe" not found!
Deletion of file "C:\WINDOWS\system32\SysMgr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\sysdrv32.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\sysdrv32.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
tyger
Aficionado

Posts: 74
Joined: Tue Aug 05, 2008 5:09 pm
Location: Andora

Re: W32/Agobot

Post by ste_95 » Fri Apr 03, 2009 7:25 pm

So you also deleted the 3 .scr files?
ste_95
Official Member (Gold)

Posts: 17271
Joined: Mon Aug 06, 2007 11:19 am

Re: W32/Agobot

Post by tyger » Fri Apr 03, 2009 8:22 pm

ste_95 wrote:So you also deleted the 3 .scr files?

Yes! Sorry for not pointing that out to you!!! Thanks again for the help. [^]
[thanks]
tyger
Aficionado

Posts: 74
Joined: Tue Aug 05, 2008 5:09 pm
Location: Andora

Re: W32/Agobot

Post by ste_95 » Fri Apr 03, 2009 8:34 pm

Then you should be all set. [^]
ste_95
Official Member (Gold)

Posts: 17271
Joined: Mon Aug 06, 2007 11:19 am
