
winlogon.exe infected


Post by SkyHize » Thu Nov 26, 2009 3:18 am

ComboFix 09-11-22.04 - Administrator 24/11/2009 0.43.40.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.511.211 [GMT 1:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\F Documenti\ComboFix.exe
AV: Sistema Antivirus NOD32 2.70 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active


ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documenti\?????? [???????×TEAM????[?]] ???????????
d:\documenti\?????? [???????×TEAM????[?]] ???????????

c:\windows\system32\winlogon.exe . . . è infetto!!

.
((((((((((((((((((((((((( Files Creati Da 2009-10-23 al 2009-11-23 )))))))))))))))))))))))))))))))))))
.

2009-11-23 00:38 . 2009-11-23 00:38 -------- d-----w- C:\VundoFix Backups
2009-11-23 00:29 . 2009-11-23 00:29 -------- d-----w- c:\programmi\Trend Micro
2009-11-23 00:12 . 2009-11-23 05:01 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-11-23 00:12 . 2009-11-23 00:14 -------- d-----w- c:\programmi\Spybot - Search & Destroy
2009-11-22 14:20 . 2009-11-22 17:52 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Skype
2009-11-22 14:20 . 2009-11-22 14:20 -------- d-----w- c:\programmi\File comuni\Skype
2009-11-21 00:43 . 2009-11-22 03:07 -------- d-----w- c:\programmi\a-squared Free
2009-11-20 10:36 . 2009-11-23 04:50 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\WarRockDF
2009-11-20 05:38 . 2009-11-20 05:38 -------- d-----w- c:\programmi\EcoleSoftware
2009-11-20 02:08 . 2009-11-20 07:03 -------- d-----w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\GamersFirst LIVE!
2009-11-20 02:08 . 2009-11-20 08:17 -------- d-----w- c:\programmi\GamersFirst
2009-11-12 05:54 . 2009-11-13 09:44 -------- d-----w- c:\programmi\Hero Editor
2009-11-12 05:54 . 2009-11-13 09:42 249856 ------w- c:\windows\Setup1.exe
2009-11-12 05:54 . 2009-11-13 09:42 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-11-11 07:53 . 2009-11-21 05:03 -------- d-----w- c:\programmi\Diablo II
2009-11-09 14:52 . 2000-05-16 09:40 83968 ----a-w- c:\windows\UnGins.exe
2009-11-06 10:11 . 2009-11-06 10:11 -------- d-----w- c:\programmi\Microsoft
2009-11-03 02:46 . 2009-11-03 04:07 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-03 02:38 . 2009-11-03 02:38 -------- d-----w- c:\programmi\Atari
2009-10-27 16:50 . 2007-07-11 15:09 20480 ----a-w- c:\windows\FixCamera.exe
2009-10-27 16:50 . 2007-09-06 15:56 98304 ----a-w- c:\windows\amcap.exe
2009-10-27 16:50 . 2009-02-20 15:55 326656 ----a-w- c:\windows\tsnpstd3.exe
2009-10-27 16:49 . 2007-02-09 13:13 172032 ----a-w- c:\windows\system32\rsnpstd3.dll
2009-10-27 16:49 . 2005-11-23 12:55 53248 ----a-w- c:\windows\csnpstd3.dll
2009-10-27 16:49 . 2009-10-27 16:50 -------- d-----w- c:\programmi\File comuni\snpstd3
2009-10-27 16:49 . 2009-10-27 16:49 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\InstallShield
2009-10-25 09:37 . 2009-11-11 05:44 -------- d-----w- c:\programmi\StepMania

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 23:26 . 2009-08-16 19:06 -------- d-----w- c:\programmi\Warcraft III
2009-11-23 02:26 . 2009-05-17 19:36 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\BitTorrent
2009-11-22 16:33 . 2009-08-06 21:13 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\skypePM
2009-11-22 14:20 . 2009-08-06 21:08 -------- d-----r- c:\programmi\Skype
2009-11-22 14:20 . 2009-05-11 06:18 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Skype
2009-11-21 07:44 . 2009-05-30 17:47 -------- d-----w- c:\programmi\Cheat Engine
2009-11-21 00:27 . 2009-05-17 19:31 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\DNA
2009-11-21 00:27 . 2009-05-17 19:31 -------- d-----w- c:\programmi\DNA
2009-11-20 15:30 . 2009-05-22 16:47 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Orbit
2009-11-20 08:17 . 2009-05-08 07:03 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-11-18 14:11 . 2009-08-25 12:37 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\U3
2009-11-18 10:42 . 2009-05-07 17:34 81112 ----a-w- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-11-11 07:56 . 2009-05-12 17:57 -------- d-----w- c:\programmi\File comuni\Blizzard Entertainment
2009-11-08 11:55 . 2009-05-13 18:43 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\dvdcss
2009-11-08 00:45 . 2009-05-12 17:56 -------- d-----w- c:\programmi\Messenger Plus! Live
2009-11-06 10:12 . 2009-06-13 23:31 -------- d-----w- c:\programmi\Windows Live
2009-11-02 19:42 . 2009-10-03 00:18 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-25 02:18 . 2006-03-02 12:00 83936 ----a-w- c:\windows\system32\perfc010.dat
2009-10-25 02:18 . 2006-03-02 12:00 488988 ----a-w- c:\windows\system32\perfh010.dat
2009-10-21 20:16 . 2009-05-11 06:33 -------- d-----w- c:\programmi\DivX
2009-10-21 20:15 . 2009-05-11 06:33 -------- d-----w- c:\programmi\File comuni\DivX Shared
2009-10-17 21:35 . 2009-09-01 17:29 230432 ----a-w- C:\StiImg.dat
2009-10-11 01:23 . 2009-10-11 01:23 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\Toribash
2009-10-08 15:44 . 2009-10-08 15:42 -------- d-----w- c:\programmi\Traffic Shaper XP Server
2009-10-08 15:42 . 2009-10-08 15:42 -------- d-----w- c:\programmi\Traffic Shaper XP Client
2009-10-08 15:42 . 2009-10-08 15:42 1536 ----a-w- c:\windows\system32\bcevent.dll
2009-10-08 15:42 . 2009-10-08 15:42 226560 ----a-w- c:\windows\system32\drivers\bcim.sys
2009-10-02 13:51 . 2009-10-02 13:37 -------- d-----w- c:\documents and settings\Administrator\Dati applicazioni\PSpad
2009-10-02 13:37 . 2009-10-02 13:36 -------- d-----w- c:\programmi\PSPad editor
2009-09-30 20:23 . 2009-05-08 10:31 -------- d-----w- c:\programmi\DVDFab 5
2009-09-30 19:19 . 2009-05-11 06:33 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-09-30 19:18 . 2009-05-11 06:36 4045528 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-30 14:29 . 2009-08-16 18:48 -------- d-----w- c:\programmi\Garena
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-11 14:34 . 2006-03-02 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 12:54 . 2009-05-11 06:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 12:53 . 2009-05-11 06:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45 . 2006-03-02 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:26 . 2006-03-02 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:26 . 2006-03-02 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:26 . 2006-03-02 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:14 . 2006-03-02 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 07:30 . 2009-08-26 07:30 152576 ----a-w- c:\documents and settings\Administrator\Dati applicazioni\Sun\Java\jre1.6.0_15\lzma.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\programmi\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\programmi\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2009-05-07 . FD46B348FCA32A1987B9A32B6BA81D2E . 504832 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 9259170D29B5A256735FCB8B80280857 . 510464 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\073a8e9684d59d4923c2eb2e44aa36af\winlogon.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-11-22_09.39.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-23 23:53 . 2009-11-23 23:53 16384 c:\windows\Temp\Perflib_Perfdata_58c.dat
+ 2009-11-22 14:20 . 2009-11-22 14:20 794112 c:\windows\Installer\101aae4.msi
+ 2009-11-22 14:20 . 2009-11-22 14:20 371272 c:\windows\Installer\{D103C4BA-F905-437A-8049-DB24763BBE36}\SkypeIcon.exe
+ 2009-11-22 14:20 . 2009-11-22 14:20 1565696 c:\windows\Installer\101aad9.msi
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2004-10-13 1694208]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\programmi\Eset\nod32kui.exe" [2009-05-08 949376]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-30 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-30 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-30 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-30 455168]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2009-01-05 413696]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Avvio^Programmi^Esecuzione automatica^Adobe Gamma.lnk]
path=c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Avvio^Programmi^Esecuzione automatica^hamachi.lnk]
path=c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Avvio^Programmi^Esecuzione automatica^Warkeys Update.lnk]
path=c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\Warkeys Update.lnk
backup=c:\windows\pss\Warkeys Update.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Warcraft III\\Warcraft III.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\DNA\\btdna.exe"=
"c:\\Programmi\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Programmi\\Lights\\CRUCIS FATAL FAKE\\data\\FF2.exe"=
"c:\\Programmi\\Orbitdownloader\\orbitdm.exe"=
"c:\\Programmi\\Orbitdownloader\\orbitnet.exe"=
"c:\\Programmi\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Programmi\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\F Documenti\\Warcraft III Tools\\ListChecker\\pickup.listchecker.exe"=
"c:\\Programmi\\Garena\\Garena.exe"=
"c:\\Programmi\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:CRUCIS FATAL FAKE PORT
"6113:TCP"= 6113:TCP:Warcraft III Port
"57168:TCP"= 57168:TCP:Pando Media Booster
"57168:UDP"= 57168:UDP:Pando Media Booster

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [19/05/2009 5.45.53 721904]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 16.49.07 77312]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [08/05/2009 9.10.18 15424]
S3 DBKDRVR54;DBKDRVR54;c:\programmi\Cheat Engine\dbk32.sys [30/05/2009 18.47.10 36096]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\ADMINI~1\IMPOST~1\Temp\JWX53E5.tmp --> c:\docume~1\ADMINI~1\IMPOST~1\Temp\JWX53E5.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23/12/2008 16.35.02 50704]
S3 oflpydin;oflpydin;\??\c:\docume~1\ADMINI~1\IMPOST~1\Temp\oflpydin.sys --> c:\docume~1\ADMINI~1\IMPOST~1\Temp\oflpydin.sys [?]
S3 PAC207;Trust WB-1400T Webcam;c:\windows\system32\DRIVERS\pfc027.sys --> c:\windows\system32\DRIVERS\pfc027.sys [?]
S4 WinDefend;Windows Defender;c:\programmi\Windows Defender\MsMpEng.exe [03/11/2006 18.19.58 13592]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - CLASSPNP_2

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{65EAD17A-7571-2E39-3447-FB58835972A6}]
c:\documents and settings\Administrator\Desktop\F Documenti\Warrock Hacks\ROFL\Up2Size.exe
.
Contenuto della cartella 'Scheduled Tasks'

2009-11-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmi\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-11-23 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]

2009-11-23 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: &Download by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\programmi\Orbitdownloader\orbitmxt.dll/202
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\eottx7qn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\programmi\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\programmi\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-Skype - c:\documents and settings\Administrator\Desktop\F Documenti\Warrock Hacks\ROFL\Up2Size.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-24 00:53
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Skype = c:\documents and settings\Administrator\Desktop\F Documenti\Warrock Hacks\ROFL\Up2Size.exe????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x825DD1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86aafc3
\Driver\ACPI -> ACPI.sys @ 0xf8424cb8
\Driver\atapi -> 0x825711f8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8057807e
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce0
NDIS: Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Coppe -> SendCompleteHandler -> NDIS.sys @ 0xf82afba0
PacketIndicateHandler -> NDIS.sys @ 0xf82bcb21
SendHandler -> NDIS.sys @ 0xf829a87b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bcserver]
"ImagePath"="c:\programmi\Traffic Shaper XP Server\bcserver.service"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\ADMINI~1\IMPOST~1\Temp\JWX53E5.tmp"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ð•€|ÿÿÿÿ.•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1016)
c:\windows\system32\imon.dll
c:\programmi\Eset\pr_imon.dll

- - - - - - - > 'explorer.exe'(1104)
c:\windows\system32\WININET.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\WgaTray.exe
c:\programmi\a-squared Free\a2service.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programmi\Eset\nod32krn.exe
c:\programmi\CyberLink\Shared files\RichVideo.exe
c:\programmi\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Ora fine scansione: 2009-11-24 00:59 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-11-23 23:59
ComboFix2.txt 2009-11-23 01:37
ComboFix3.txt 2009-11-22 09:44

Pre-Run: 27.445.338.112 byte disponibili
Post-Run: 27.414.339.584 byte disponibili

- - End Of File - - 42FA710EBD24F60654BF91480016C38A


This is the ComboFix log I ran a while ago. I fixed the iexplore.exe problem, but now I have other problems, such as the winlogon.exe infection and a very slow connection. I'm sure it's the computer's fault, because if I connect with the laptop the browsing speed doubles (1.5 Mbps here on my desktop PC and 3.0 Mbps on the wireless laptop, EVEN THOUGH IN THEORY I SHOULD HAVE 8 MBPS WITH TISCALI [V] [V] [V] [V]). I already posted the HijackThis log in the other topic: sicurezza/processo-extra-sospetto-iexplore-exe-t59312.html
Thanks in advance.
SkyHize
Aficionado

Posts: 35
Joined: Fri Nov 23, 2007 5:57 am
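The Sigcheck section of the log above lists two copies of winlogon.exe with different MD5 hashes and file versions. The following Python script is an added example, not code from this thread or from ComboFix: it parses Sigcheck lines of the layout shown in the log (the two entries above are embedded as a constructed sample), pairs the live system32 copy of each file with any other copy of the same file name found in the log, and reports whether the hash and version differ. Two assumptions are made: any copy outside system32 (here the Windows Update download cache) is treated as a reference copy, and the `[-]` marker is taken to be ComboFix's flag for a file that did not pass its signature check.

```python
import re
from collections import defaultdict

# Sigcheck line layout as it appears in the ComboFix log above:
#   [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# Constructed sample: the two Sigcheck entries copied from the log in this thread.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2009-05-07 . FD46B348FCA32A1987B9A32B6BA81D2E . 504832 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 9259170D29B5A256735FCB8B80280857 . 510464 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\073a8e9684d59d4923c2eb2e44aa36af\winlogon.exe
"""

# Assumption: the copy under system32 (but not dllcache) is the one Windows
# actually loads; every other copy of the same file name is a reference copy.
SYSTEM32 = "\\system32\\"


def parse_sigcheck(text):
    """Return one dict per Sigcheck line found in `text`; all other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].lower()
        e["name"] = e["path"].rsplit("\\", 1)[-1]
        e["live"] = SYSTEM32 in e["path"] and "\\dllcache\\" not in e["path"]
        entries.append(e)
    return entries


def version_tuple(version):
    """'5.1.2600.2180' -> (5, 1, 2600, 2180) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def compare_copies(entries):
    """Pair each live system32 binary with the other copies of the same file name."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)

    findings = []
    for name, copies in by_name.items():
        live_copies = [c for c in copies if c["live"]]
        ref_copies = [c for c in copies if not c["live"]]
        for live in live_copies:
            for ref in ref_copies:
                findings.append({
                    "name": name,
                    "live_flag": live["flag"],          # '-' on this page
                    "live_md5": live["md5"],
                    "live_version": live["version"],
                    "ref_md5": ref["md5"],
                    "ref_version": ref["version"],
                    "ref_path": ref["path"],
                    "hash_differs": live["md5"] != ref["md5"],
                    "live_older": version_tuple(live["version"]) < version_tuple(ref["version"]),
                })
    return findings


def report(text=SAMPLE_LOG):
    """Parse a ComboFix log and return the comparison findings."""
    return compare_copies(parse_sigcheck(text))


if __name__ == "__main__":
    for f in report():
        print(f"{f['name']}: live {f['live_version']} [{f['live_flag']}] {f['live_md5']}")
        print(f"  reference {f['ref_version']} {f['ref_md5']} ({f['ref_path']})")
        print(f"  hash differs: {f['hash_differs']}, live copy older: {f['live_older']}")
```

Read the result with the rest of the log in mind: the machine runs Service Pack 2 and the reference copy is the SP3 build that Windows Update had downloaded, so a newer reference version by itself proves nothing. The signal worth acting on is that ComboFix flags the live copy and its hash matches no known-good build; that is what should be confirmed against a copy from installation media or a vendor hash list before the file is replaced.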

Re: winlogon.exe infected

Post by dario-vr » Thu Nov 26, 2009 8:37 am

Hi, first of all do this:

Download MBR.EXE directly into the C:\ directory
http://www2.gmer.net/mbr/mbr.exe

From Start - Run - type C:\mbr.exe and click OK
The scan takes a few seconds.
Post the log you will find in C:\

then

Boot into Safe Mode.

Start - Run - type C:\mbr.exe -f and click OK (to avoid mistyping the command, copy and paste it.)
Post the resulting log for checking and save it as MBR2
One learns from the mistakes of others: you can't live long enough to make them all yourself.
dario-vr
Senior Member

Posts: 160
Joined: Thu Jan 08, 2009 9:59 am
Location: Verona


megalab.it: daily online publication registered with the Court of Cosenza, no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - VAT no. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising