www.MegaLab.it

[Ruger One]

Buongiorno Signori .

E' ormai da un po che ho preso erroneamente un maledetto viruss . Come ho fatto ? Semplice ho scaricato da un torrent un Add On per un programma , ma non era un Add On ma un maledetto viruzz . Da quel di ( un mese fa) vedo il led del mio router , nella mia porta lan, sempre attiva . C'è sempre traffico . Quindi il maledetto mi occupa banda e poi va a palla ! Inutile dire che noto questo quando non navigo o scarico . Seplicemente sono sul Desktop in idle , PC a riposo . Ma il led lampeggia come se scaricassi come un pazzoide. .

Bene ho provato a fare di tutto . Specialmente ho un altro HD con un altro sistema operativo e da li ho scansionato l' HD infetto . Ma niente . Inizialmente sembrava debellato , ma pare che il subdolo Viruzz si rigeneri

Non sono un esperto di informatica , appunto mi rivolgo a voi . ho istallato Kaspesky e SUPERAntiSpyware . La cosa interessante che quando lancio SUPERA dal' HD infetto , mi rileva le anomalie , ma mi riavvia il PC subito dopo . Quindi non mi da la possibilità di debellare questo Srtamaledetto Viruzz !
Signori . Ne sto uscendo Pazzo ! Questo viruss è più intelligente di me ma si può ! Azz .

Vi ringrazio in anticipo . Spero di trovare un valido supporto . Questa è l'ultima spiaggia per non formattare (e non lo vorrei fare per ora) . Scusate il disturbo

Saluti ! Rugg .

[crazy.cat]

Con currports http://www.nirsoft.net/utils/cports.html puoi intanto vedere se capisci chi è che trasmette.

Poi fai una scansione con combofix e posta qui il log che ne risulta.

[Ruger One]

Grazie Crazy !! Mo ti posto il Log di Combofix ! :

ComboFix 09-05-06.08 - Administrator 07/05/2009 17.25.50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.3071.2600 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Dati applicazioni\drivers\downld
c:\documents and settings\Administrator\Preferiti\Videos.url
c:\documents and settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Install.txt
c:\windows\system32\Install.txt
c:\windows\system32\lowsec

----- BITS: Possibili siti infetti -----

hxxp://sunmicro.ht.rd.llnw.net
La copia infetta di c:\windows\system32\drivers\ndis.sys è stata trovata e disinfettata
ipristinata copia da -
.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_restore


((((((((((((((((((((((((( Files Creati Da 2009-04-07 al 2009-05-07 )))))))))))))))))))))))))))))))))))
.

2009-05-06 16:38 . 2009-05-06 16:44 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-05-06 16:38 . 2009-05-06 16:44 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-05-06 16:38 . 2009-05-07 15:27 319520 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-06 16:38 . 2009-05-07 15:27 9580064 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-06 16:38 . 2009-05-06 16:38 -------- d-----w c:\programmi\Kaspersky Lab
2009-05-06 16:38 . 2009-05-07 12:58 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab
2009-05-06 16:36 . 2009-05-06 16:37 -------- d-----w c:\programmi\Kaspersky Anti-Virus 2009italian
2009-05-02 13:19 . 2009-05-02 13:19 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\DAEMON Tools Lite
2009-05-02 13:18 . 2009-05-02 16:54 -------- d-----w c:\programmi\DAEMON Tools Lite
2009-05-02 13:18 . 2009-05-02 13:20 -------- d-----w c:\documents and settings\Administrator\Dati applicazioni\DAEMON Tools Lite
2009-05-02 13:13 . 2009-05-02 13:13 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\DAEMON Tools Pro
2009-05-02 13:10 . 2009-05-02 13:10 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-05-02 13:10 . 2009-05-02 13:10 -------- d-----w c:\documents and settings\Administrator\Dati applicazioni\DAEMON Tools Pro
2009-05-02 12:55 . 2009-05-02 12:55 -------- d-----w c:\documents and settings\Administrator\Dati applicazioni\InstallShield
2009-04-23 18:04 . 2009-04-23 18:04 -------- d-----w c:\programmi\Spybot - Search & Destroy
2009-04-23 18:04 . 2009-04-23 18:04 -------- d-----w c:\programmi\OpenAL
2009-04-23 18:00 . 2009-04-23 18:00 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2009-04-23 18:00 . 2009-04-23 18:00 -------- d-----w c:\programmi\File comuni\Wise Installation Wizard
2009-04-22 18:17 . 2009-04-23 18:04 -------- d-----w c:\programmi\Unlocker
2009-04-21 23:04 . 2009-04-23 18:04 -------- d-----w c:\documents and settings\Administrator\.housecall6.6
2009-04-14 20:22 . 2009-04-14 20:22 -------- d-----w c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\ESET
2009-04-14 19:24 . 2009-04-14 19:24 -------- d-----w c:\programmi\ESET
2009-04-14 18:43 . 2009-04-30 18:53 -------- d-----w c:\programmi\SUPERAntiSpyware
2009-04-14 18:43 . 2009-04-14 18:43 -------- d-----w c:\documents and settings\Administrator\Dati applicazioni\SUPERAntiSpyware.com
2009-04-13 18:26 . 2009-04-23 18:00 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-04-11 20:45 . 2009-04-11 20:45 213120 ----a-w c:\windows\system32\dllcache\ndis.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 15:27 . 2009-05-06 16:38 78020 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-07 15:27 . 2009-05-06 16:38 4268 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-07 15:21 . 2008-04-14 12:00 182656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-06 16:44 . 2008-01-29 16:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-05-05 17:52 . 2008-11-07 16:51 -------- d--h--w c:\programmi\InstallShield Installation Information
2009-05-05 01:50 . 2008-11-09 01:36 -------- d-----w c:\programmi\SpeedFan
2009-05-01 22:12 . 2009-03-03 17:20 25280 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-04-14 18:40 . 2008-11-15 17:02 -------- d-----w c:\programmi\Java
2009-04-12 21:26 . 2008-11-07 16:43 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-04 19:23 . 2008-11-07 17:02 22008 ----a-w c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-04-04 18:39 . 2009-04-04 18:39 -------- d-----w c:\programmi\OpenOffice.org 2.0
2009-04-03 16:32 . 2008-11-12 14:07 -------- d-----w c:\programmi\DivX
2009-04-03 16:31 . 2009-04-03 16:31 -------- d-----w c:\programmi\File comuni\DivX Shared
2009-04-01 18:30 . 2009-04-01 18:30 -------- d-----w c:\programmi\Schmads Inc
2009-04-01 10:32 . 2008-04-14 12:00 84552 ----a-w c:\windows\system32\perfc010.dat
2009-04-01 10:32 . 2008-04-14 12:00 489970 ----a-w c:\windows\system32\perfh010.dat
2009-03-31 19:10 . 2008-11-13 12:44 -------- d-----w c:\programmi\HOTAS
2009-03-31 12:25 . 2009-03-31 12:25 -------- d-----w c:\programmi\MSXML 4.0
2009-03-31 12:04 . 2009-03-31 12:04 -------- d-----w c:\programmi\Microsoft Games
2009-03-19 20:05 . 2008-11-09 13:53 -------- d-----w c:\programmi\File comuni\Adobe
2009-03-18 18:03 . 2009-03-18 18:02 6120 ----a-w c:\windows\BricoPackFoldersDelete.cmd
2009-03-18 18:03 . 2009-03-18 18:03 53060 ----a-w c:\windows\BricoPackUninst.cmd
2009-03-18 18:03 . 2008-04-14 12:00 219648 ----a-w c:\windows\system32\uxtheme.dll
2009-03-17 00:29 . 2008-11-09 17:05 201352 ----a-w c:\windows\system32\PnkBstrB.exe
2009-03-09 03:19 . 2008-11-15 17:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-13 09:31 . 2009-04-04 18:47 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\programmi\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\programmi\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HOTASMode"="c:\programmi\HOTAS\HOTASConfig.exe" [2001-12-27 475136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="c:\programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-30 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"Launch LCDMon"="c:\programmi\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\programmi\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"SideWinderTrayV4"="c:\progra~1\MICROS~1\GAMECO~1\Common\SWTrayV4.exe" [2000-06-28 24649]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-11-10 155648]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-10 16384000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-3-19 630784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w c:\programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator\\temp\\TeamViewer3\\TeamViewer.exe"=
"c:\\Programmi\\America's Army Deploy Client\\AADeployClient.exe"=
"c:\\Programmi\\America's Army\\System\\ArmyOps.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\MicroProse\\Falcon4\\F4-BMS.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Bohemia Interactive\\ArmA\\arma.exe"=
"c:\\Programmi\\EA GAMES\\Battlefield 2\\BF2.exe"=
"e:\\Programmi\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Kaspersky Anti-Virus 2009italian\\setup.exe"=

R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [13/11/2008 13.28.27 7680]
R3 STDRIVER;USB Bulk Out Driver for STM;c:\windows\system32\drivers\STDriver.sys [13/11/2008 14.44.34 15930]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [29/01/2008 18.29.38 33808]
S1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [13/11/2008 15.16.16 2911848]
S1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [23/03/2009 14.07.26 9968]
S1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [23/03/2009 14.07.26 72944]
S2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc c:\windows\System32\appdrvrem01.exe svc
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [25/03/2008 20.07.10 24592]
S3 SASENUM;SASENUM;c:\programmi\SUPERAntiSpyware\SASENUM.SYS [23/03/2009 14.07.28 7408]
S3 SWUSBFLT;Driver filtro Microsoft SideWinder VIA;c:\windows\system32\drivers\SWUSBFLT.SYS [08/11/2008 22.08.29 3968]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - PARPORT
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/index.html
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\9u1fauf3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.goog7e.it/
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 17:31
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1614895754-1604221776-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(260)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(316)
c:\windows\system32\scecli.dll

- - - - - - - > 'explorer.exe'(892)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\msi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
Ora fine scansione: 2009-05-07 17.34.58 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-05-07 15:34

Pre-Run: 165.242.757.120 byte disponibili
Post-Run: 165.201.997.824 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

197 --- E O F --- 2009-02-11 00:42

Speriamo bene ....

S!

[crazy.cat]

Combofix ha rimosso qualcosa.
Currports ti dice niente di utile?

[Ruger One]

Combofix ha rimosso qualcosa.
ti dice niente di utile?

Allora . Credo che il ComboFix abbia risolto il problema . Con il Currports non ho trovato nulla di anomalo .. Comunque ti allego il file log .

NB ho salvato questo Log con Currports prima di lanciare il killer .. Cioè ComboFix

Grazie Carazy !

S!