Valutazione 4.87/ 5 (100.00%) 5838 voti

Condividi:        

Problemi con virus rootkit!!!

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: kadosh, Luke57

Problemi con virus rootkit!!!

Postdi lupoxs » 02/03/07 10:03

Salve ho letto tutte le notizie di questo forum, molto interessanti direi....!
Il mio problema è nato quando symantec corporate trovava in continuazione il file "lpt8.xxx" in continuazione e riusciva ad eliminarlo solo parzialmente...
Con una ricerca sono arrivato al vostro forum...
Credo di aver risolto il problema in parte con il "rootkit removal tool" infatti mi ha trovato il suddetto file + altri e li ha eliminati.
aggiungo il log creato dal "rootkit removal tool:

Removal tool loaded into memory
------------------------------------
Executing rootkit removal engine....
------------------------------------
Disabling rootkit file: \\?\I:\WINDOWS\system32\lpt8.eyk
\\?\I:\WINDOWS\system32\lpt8.eyk
Resetting file permissions...
Clearing attributes...
Accesso negato - I:\_cleaned.tmp
Removing file...
Rootkit removed! Cleaning up...

Removing temp files...
Scanning: I:\WINDOWS
Scanning: I:\Programmi\File comuni
Removing protected file: I:\Programmi\File comuni\Microsoft Shared\GCSEqU.exe
Removing protected file: I:\Programmi\File comuni\Microsoft Shared\Kvh.exe
Removing protected file: I:\Programmi\File comuni\Microsoft Shared\QeQ.exe
Removing protected file: I:\Programmi\File comuni\Microsoft Shared\RGh.exe


Trojan.Gromozon Removed!



Credo che questo Trojan mi abbia lasciato il ricordino, alcuni programmi come ad esempio "Hijack" e "Teamspeak 2 RC2" non mi si aprono + o meglio "Hijack" non si apre e "Teamspeak 2 RC2" si apre, ma quando richiamo la videata tramite "connection\connect" il prog. si chiude.
Ovviamente ho provato a disinstallarli e reinstallarli come anche a riscaricarli, ma il problema persiste..
Un amico programmatore mi ha spiegato che questi rootkit modificano delle dll con dei loro dati e quando la minaccia viene rimossa rimango queste dll modificate che ovviamente non funzionano + a dovere...

Spero di avere spiegato bene il mio problema...
voi sapete aiutarmi?

Ringrazio cmq in anticipo per il vostro supporto.
lupoxs
Newbie
 
Post: 7
Iscritto il: 02/03/07 09:32

Sponsor
 

Postdi Luke57 » 02/03/07 10:46

Ciao, continua qui la discussione.
Scarica SystemScan
http://www.suspectfile.com/systemscan
aprilo ed assicurati che tutte le opzioni siano spuntate, clicca su "Scan Now" al termine della scansione verrà rilasciato in C:\suspectfile il file report.txt.
Vai su:
http://www.easy-share.com
carica il file (premendo Sfoglia e poi il tasto Upload) , ti sarà fornito l'URL per scaricarlo. Incolla in un post tale URL.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Risposta

Postdi lupoxs » 02/03/07 10:57

Ciao, ho provato a cliccare sul link da voi creato per scaricare systemscan, ma mi si chiude completamente il browser.
ho provato a digitare direttamente l'indirizzo e non appena compare la finestra di salvataggio si chiude tutto cmq...
Provero da un altro pc a scaricarlo, poi faro sapere...

per ora grazie
lupoxs
Newbie
 
Post: 7
Iscritto il: 02/03/07 09:32

Postdi Luke57 » 02/03/07 11:24

Ciao, elenca in un post tutti i processi in atto (apri il taskmanager con Ctrl+alt+canc, premi il tab. Processi), ne hai uno che impedisce l'esecuzione dei tool, hijackthis compreso.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

risposta

Postdi lupoxs » 02/03/07 11:58

ciao, infatti dopo alcune prove, pensavo la stessa cosa, qualche processo che mi impediva l'esecuzione di questi ultimi, cosi ne ho killati alcuni sospetti e poi lanciato systemscan e hijack.

system scan appena avviata la scansione mi da questo messaggio:

Option Explicit
on error resume next
Dim oWS : Set oWS = CreateObject("WScript.Shell")
Dim oFSO : Set oFSO = CreateObject("Scripting.FileSystemObject")
Dim sRegTmp, sOutTmp, eRegLine, aRegFileLines, sSearchFor, sSearchdll, sSearchdll2, sSearchdll3
sRegTmp = oWS.Environment("PROCESS")("SYSTEMDRIVE") & "\suspectfile\files.row "
sOutTmp = oWS.Environment("PROCESS")("SYSTEMDRIVE") & "\suspectfile\report.row"
With oFSO.OpenTextFile(sOutTmp, 8, True)
With oFSO.GetFile(sRegTmp)
aRegFileLines = Split(.OpenAsTextStream(1, 0).Read(.Size), vbcrlf)
End With
For Each eRegLine in aRegFileLines
if left (eregline,1) ="" then .writeline(eregline)
if datediff("d",left(eregline,10),date()) < 60 then
.WriteLine(eregline)
end if

Next


Poi successivamente mi da anche questo:

Dim fso,WshShell , pname
Set WshShell = Wscript.CreateObject("Wscript.Shell")
set fso = Wscript.CreateObject("scripting.Filesystemobject")
const HKEY_LOCAL_MACHINE = &H80000002
const REG_MULTI_SZ = 7
strComputer = "."
Set StdOut = WScript.StdOut
Set StdOut = fso.CreateTextFile("Svchost.txt",True)
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
strKeyPath = "Software\Microsoft\Windows NT\CurrentVersion\svchost"
oReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath,_
arrValueNames
For i=0 To UBound(arrValueNames)
StdOut.WriteLine "### " & arrValueNames(i) & ":"
Msg = Msg & arrValueNames(i) & ":"
oReg.GetMultiStringValue HKEY_LOCAL_MACHINE,strKeyPath,_
arrValueNames(i),arrValues
On Error Resume Next
For Each strValue In arrValues
pname = Wshshell.RegRead ("HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\" & strValue & "\Parameters\ServiceDll")
If pname = "" then pname = "No File Listed"
StdOut.WriteLine strValue & vbcrlf & Wshshell.ExpandEnvironmentStrings(pname) & vbcrlf
pname = ""
Next
Next
StdOut.Close


Poi ne apre un altro:

Option Explicit
Dim oWS : Set oWS = CreateObject("WScript.Shell")
Dim oFSO : Set oFSO = CreateObject("Scripting.FileSystemObject")
Dim trvt, sRegTmp, sOutTmp, sOutTmp2, sOutTmp3, WshShell, Return, eRegLine, aRegFileLines, eBHOLine, eBHOFileLines
dim my_path, my_reg, my_int
my_path="suspectfile"
my_reg="swreg"
my_int="dumphive"
sRegTmp = oWS.Environment("PROCESS")("SYSTEMDRIVE") & "\" & my_path & "\report.row"
sOutTmp = oWS.Environment("PROCESS")("SYSTEMDRIVE") & "\" & my_path & "\reptr.row"

With oFSO.OpenTextFile(sOutTmp, 8, true)
With oFSO.GetFile(sRegTmp)
aRegFileLines = Split(.OpenAsTextStream(1, 0).Read(.Size), vbcrlf)
End With

For Each eRegLine in aRegFileLines
.WriteLine(eRegLine)
if right(eRegLine,2)="}]" then
eRegLine=replace(eRegLine,"}]","}")
sOutTmp2="output.bat"
oFSO.CreateTextFile(sOutTmp2)
sOutTmp3 = oWS.Environment("PROCESS")("SYSTEMDRIVE") & "\" & my_path & "\temp.txt"
With oFSO.OpenTextFile(sOutTmp2, 8, True)
.WriteLine(my_reg & " save HKCR\" & "CLSID\" & right(eregline, 38) & "\InprocServer32 output.hhv")
.WriteLine("if exist output.hhv " & my_int & " -e -N output.hhv output.tpm")
.WriteLine("if exist output.tpm echo " & "#### HKCR\" & "CLSID\" & right(eregline, 38) & "\InprocServer32 >> " & sOutTmp3)
.WriteLine("if exist output.tpm type output.tpm >>" & sOutTmp3)
.WriteLine("del *.hhv")
.WriteLine("del *.tpm")
.Close
End With
Set WshShell = WScript.CreateObject("WScript.Shell")
Return = WshShell.Run(sOutTmp2,0,true)
oFSO.DeleteFile(sOutTmp2)
Set WshShell = Nothing
If oFSO.FileExists(sOutTmp3) Then
With oFSO.GetFile(sOutTmp3)
ebhoFileLines = Split(.OpenAsTextStream(1, 0).Read(.Size), vbcrlf)
End With
For Each eBhoLine in ebhoFileLines
if left(eBHOline,4)="####" then trvt=trvt&eBHOline
if left(eBHOline,2)="@=" then
trvt=trvt&eBHOline
.writeline(trvt)
trvt=""
end if
next
oFSO.DeleteFile(sOutTmp3)
end if


end if

'--------inizio modifica
if mid(eRegLine,2,1)="{" then
sOutTmp2="output.bat"
oFSO.CreateTextFile(sOutTmp2)
sOutTmp3 = oWS.Environment("PROCESS")("SYSTEMDRIVE") & "\" & my_path & "\temp.txt"
With oFSO.OpenTextFile(sOutTmp2, 8, True)
.WriteLine(my_reg & " save HKCR\" & "CLSID\" & mid(eregline,2,38) & "\InprocServer32 output.hhv")
.WriteLine("if exist output.hhv " & my_int & " -e -N output.hhv output.tpm")
.WriteLine("if exist output.tpm echo " & "#### HKCR\" & "CLSID\" & mid(eregline,2,38) & "\InprocServer32 >> " & sOutTmp3)
.WriteLine("if exist output.tpm type output.tpm >>" & sOutTmp3)
.WriteLine("del *.hhv")
.WriteLine("del *.tpm")
.Close
End With
Set WshShell = WScript.CreateObject("WScript.Shell")
Return = WshShell.Run(sOutTmp2,0,true)
oFSO.DeleteFile(sOutTmp2)
Set WshShell = Nothing
If oFSO.FileExists(sOutTmp3) Then
With oFSO.GetFile(sOutTmp3)
ebhoFileLines = Split(.OpenAsTextStream(1, 0).Read(.Size), vbcrlf)
End With
For Each eBhoLine in ebhoFileLines
if left(eBHOline,4)="####" then trvt=trvt&eBHOline
if left(eBHOline,2)="@=" then
trvt=trvt&eBHOline
.writeline(trvt)
trvt=""
end if
next
oFSO.DeleteFile(sOutTmp3)
end if
end if

'--------fine modifica



Next
Erase aRegFileLines
.Close
End With
oFSO.DeleteFile(sRegTmp)
'Set oWS = Nothing
'Set oFSO = Nothing








Dim sSearchFor, sSearchdll, sSearchdll2, sSearchdll3
sRegTmp = oWS.Environment("PROCESS")("SYSTEMDRIVE") & "\" & my_path & "\reptr.row"
sOutTmp = oWS.Environment("PROCESS")("SYSTEMDRIVE") & "\" & my_path & "\report.txt"
sSearchFor = "http://wwwUSERProceTransmisswapdiskSpoolerGDIProceDeviceNTokenSiCapabiliDependOErrorConParseAuBuildNDontAskAutoAdmAutoResSFCShowSFCScanDCacheUCachePrDisableDefaultAltDefaShowLogSFCDisaDebugSescremovpassworcachedlallocatSfcQuotShutdowReportBPowerdoLegalNoDefaultRequirePerUserNoMachiNoBackgMaxNoGPNoUserPProcessEnableANotifyLNoGPOLiNoSlowLNumero dIl voluPrevSlowLastPoliVersionIsInstalAsynchroImperson@Owner=S@Group=S@DACL=(0END...:: SER@Securit@Ace=(ACREGEDIT4(GetSTS.CopyrighEFS InfoCopyrighSystems DUMPHIVE[command---> SIZ---> TYPEListDLLsSysinterStreams "
sSearchdll = "System32\ntdll.dllSystem32\kernel32.dllSystem32\ADVAPI32.dllSystem32\RPCRT4.dllSystem32\AUTHdllSystem32\msvcrt.dllsystem32\CRYPT32.dllsystem32\USER32.dllsystem32\GDI32.dllsystem32\MSASN1.dllsystem32\NDdeApi.dllsystem32\PROFMAP.dllsystem32\NETAPI32.dllsystem32\USERENV.dllsystem32\PSAPI.DLLsystem32\REGAPI.dllsystem32\Secur32.dllsystem32\SETUPAPI.dllsystem32\VERSION.dllsystem32\WINSTA.dllsystem32\WINTRUST.dllsystem32\IMAGEHLP.dllsystem32\WS2_32.dllsystem32\WS2HELP.dllsystem32\MSGINA.dllsystem32\SHELL32.dllsystem32\SHLWAPI.dllsystem32\COMCTL32.dllsystem32\ODBC32.dllsystem32\comdlg32.dllsystem32\odbcint.dllsystem32\SHSVCS.dllsystem32\sfc.dllsystem32\sfc_os.dllsystem32\ole32.dllsystem32\Apphelp.dllsystem32\WINSCARD.DLLsystem32\WTSAPI32.dllsystem32\WINMM.dllsystem32\uxtheme.dllsystem32\cscdll.dllsystem32\WlNotify.dllsystem32\WINSPOOL.DRVsystem32\MPR.dllsystem32\rsaenh.dllsystem32\SAMLIB.dllsystem32\sxs.dllsystem32\cscui.dllsystem32\MPRAPI.dllsystem32\ACTIVEDS.dllsystem32\adsldpc.dllstem32\WLDAP32.dllsystm32\ATL.DLLsystem32\OLEAUT32.dllsystem32\rtutils.dllsystem32\xpsp2res.dllsystem32\NTMARTA.DLLsystem32\msv1_0.dllsystem32\iphlpapi.dllsystem32\wdmaud.drvsystem32\msacm32.drvsystem32\MSACM32.dllsystem32\midimap.dllsystem32\COMRes.dllsystem32\CLBCATQ.DLLsystem32\WS2_32.dllsystem32\WS2HELP.dllsystem32\urlmon.dllsystem32\NETAPI32.dllsystem32\uxtheme.dllsystem32\msi.dllsystem32\BROWSEUI.dllsystem32\WININET.dllsystem32\SHDOCVW.dllsystem32\USERENV.dllsystem32\webcheck.dllsystem32\stobject.dllsystem32\LINKINFO.dllsystem32\tcpmon.dllsystem32\usbmon.dllsystem32\xpsp2res.dllsystem32\system32\system32\system32\system32"
sSearchdll2 = "system32\ADVAP132.DLLsystem32\AWMSC32.DLLsystem32\AWBTRV32.DLLsystem32\AWCAPI32.DLLsystem32\AWCL1_32.DLLsystem32\AWCL2_32.DLLsystem32\AWCODC32.DLLsystem32\AWDCX32.DLLsystem32\AWDEVL16.DLLsystem32\AWDEVL32.DLLsystem32\AWFAXP32.DLLsystem32\AWFEXT32.DLLsystem32\AWFLT332.DLLsystem32\AWFMON32.DLLsystem32\AWFR32.DLLsystem32\AWFX1032.DLLsystem32\AWFXAB32.DLLsystem32\AWFXCG32.DLLsystem32\AWFXEX32.DLLsystem32\AWFXRN32.DLLsystem32\AWKRNL32.DLLsystem32\AWLHUT32.DLLsystem32\AWLIN232.DLLsystem32\AWLZRD32.DLLsystem32\AWNFAX32.DLLsystem32\AWPWD32.DLLsystem32\AWRAMB32.DLLsystem32\AWRBAE32.DLLsystem32\AWRESX32.DLLsystem32\AWRNDR32.DLLsystem32\AWSCHD32.DLLsystem32\AWSRVR32.DLLsystem32\AWT30_32.DLLsystem32\AWUTIL32.DLLsystem32\AWVIEW32.DLLsystem32\BHNETB.DLLsystem32\BHSUPP.DLLsystem32\BKUPNET.DLLsystem32\BKUPPROP.DLLsystem32\CARDS.DLLsystem32\CCAPI.DLLsystem32\CCEI.DLLsystem32\CCPSH.DLLsystem32\CCTN20.DLLsystem32\CHEYPROP.DLLsystem32\CHIADI.DLLsystem32\CHIKDI.DLLsystem32\CHOOSUSR.DLLsystem32\CMC.DLLsystem32\COMCTL31.DLLsystem32\COMMCTRL.DLLsystem32\COMMDLG.DLLsystem32\COMPOBJ.DLLsystem32\CONFAPI.DLLsystem32\CRTDLL.DLLsystem32\DATAECL.DLLsystem32\DCIMAN.DLLsystem32\DCIMAN32.DLLsystem32\DEBMP.DLLsystem32\DECPSMW4.DLLsystem32\DEHEX.DLLsystem32\DEMET.DLLsystem32\DESKCP16.DLLsystem32\DESS.DLLsystem32\DIBENG.DLLsystem32\DISKCOPY.DLLsystem32\DISPDIB.DLLsystem32\DMCOLORD.DLLsystem32\DOCPROP.DLLsystem32\DSKMAINT.DLLsystem32\DUNZIPNT.DLLsystem32\DZIPNT.DLLsystem32\ENABLE3.DLLsystem32\EXUTIL32.DLLsystem32\FAXCODEC.DLLsystem32\FINDMVI.DLLsystem32\FINDSTUB.DLLsystem32\FINSTALL.DLLsystem32\FONTEXT.DLLsystem32\FTE.DLLsystem32\FTMAPI.DLLsystem32\FTSRCH.DLLsystem32\GROUPPOL.DLLsystem32\HOMEBASE.DLLsystem32\HPALERTS.DLLsystem32\HPARRKUL.DLLsystem32\HPCOLA.DLLsystem32\HPCOLOR.DLLsystem32\HPDMIX.DLLsystem32\HPJD.DLLsystem32\HPJDCOM.DLLsystem32\HPJDCOM.DLLsystem32\HPJDNP.DLLsystem32\HPJDPP.DLLsystem32\HPJDUI.DLLsystem32\HPNETSRV.DLLsystem32\HPNW416.DLLsystem32\HPNW432.DLLsystem32\HPNWPSRV.DLLsystem32\HPNWSHIM.DLLsystem32\HPPJL.DLLsystem32\HPPJLEXT.DLLsstem32\HPPRARRK.DLLsystem32\HPPRNTR.DLLsystem32\HPPRRUSH.DLLsystem32\HPPRUI.DLLsystem32\HPRUSHUI.DLLsystem32\HPSNMP.DLLsystem32\HPTABS.DLLsystem32\HPTRBIT.DLLsystem32\HPVBIT.DLLsystem32\HPVIOL.DLLsystem32\HPVMON.DLLsystem32\HPVRES.DLLsystem32\HPVUI.DLLsystem32\HPWIZ.DLLsystem32\HTICONS.DLLsystem32\HYPERTERM.DLLsystem32\ICCVID.DLLsystem32\ICM32.DLLsystem32\ICMP.DLLsystem32\ICMUI.DLLsystem32\ICONLIB.DLLsystem32\IDSCLASS.DLLsystem32\IMCLIENT.DLLsystem32\IMM32.DLLsystem32\INDICDLL.DLLsystem32\INETMIBI.DLLsystem32\INSTL50.DLLsystem32\INSTL51.DLLsystem32\IR32_32.DLLsystem32\JPJDUND.DLLsystem32\KERNL32.DLLsystem32\LGINT.DLLsystem32\LZ32.DLLsystem32\LZEXPAND.DLLsystem32\MAILCP16.DLLsystem32\MAILMSG.DLLsystem32\MAILUTIL.DLLsystem32\MAPI.DLLsystem32\MAPI32.DLLsystem32\MAPIABM.DLLsystem32\MAPIU.DLLsystem32\MAPIU32.DLLsystem32\MAPIX.DLLsystem32\MAPIX32.DLLsystem32\MCIOLE.DLLsystem32\MCM.DLLsystem32\MF3216.DLLsystem32\MFC30.DLLsystem32\MFCANS32.DLLsystem32\MFCD30.DLLsystem32\MFCN30.DLLsystem32\MFCO30.DLLsystem32\MFCUIA32.Lsystem32\MFCUIAW32.DLLsystem32\MLSHEXT.DLLsystem32\MMCI.DLLsystem32\MMMIXER.DLLsystem32\MMSYSTEM.DLLsystem32\MMVDIB12.DLLsystem32\MODEMUI.DLLsystem32\MORICONS.DLLsystem32\MOSABP32.DLLsystem32\MOSAF.DLLsystem32\MOSCC.DLLsystem32\MOSCFG.DLLsystem32\MOSCL.DLLsystem32\MOSCOMP.DLLsystem32\MOSCUDLL.DLLsystem32\MOSFIND.DLLsystem32\MOSMISC.DLLsystem32\MOSMULTI.DLLsystem32\MOSRXP32.DLLsystem32\MOSSHELL.DLLsystem32\MOSSTUB.DLLsystem32\MPCCL.DLLsystem32\MPRSRV.DLLsystem32\MSAB32.DLLsystem32\MSACM.DLLsystem32\MFCUIA32.DLL"
sSearchdll3 = "system32\MSFS32.DLLsystem32\MSFVW32.DLLsystem32\MSMIXMGR.DLLsystem32\MSNDUI.DLLsystem32\MSNET32.DLLsystem32\MSNP32.DLLsystem32\MSPCIC.DLLsystem32\MSPP32.DLLsystem32\MSPST32.DLLsystem32\MSPWL32.DLLsystem32\MSRLE32.DLLsystem32\MSSHRUI.DLLsystem32\MSTCP.DLLsystem32\MSVCRT20.DLLsystem32\MSVID32.DLLsystem32\MSVIDEO.DLLsystem32\MSVIEWUT.DLLsystem32\MVCL14N.DLLsystem32\MVPR14N.DLLsystem32\MVTTL14C.DLLsystem32\MVUT14N.DLLsystem32\NAL.DLLsystem32\NDDENB.DLLsystem32\NDIS30.DLLsystem32\NETAPI.DLLsystem32\NETBIOS.DLLsystem32\NETDI.DLLsystem32\NETSETUP.DLLsystem32\NM95SETP.DLLsystem32\NMTHUNK.DLLsystem32\NW16.DLLsystem32\NWAB32.DLLsystem32\NWNET32.DLLsystem32\NWNP32.DLLsystem32\NWPP32.DLLsystem32\OLE2.DLLsystem32\OLE2CONV.DLLsystem32\OLE2DISP.DLLsystem32\OLE2NLS.DLLsystem32\OLECLI.DLLsystem32\OLECLI32.DLLsystem32\OLECNV32.DLLsystem32\OLEDLG.DLLsystem32\OLESRV.DLLsystem32\OLESRV32.DLLsystem32\OLETHK32.DLLsystem32\PANMAP.DLLsystem32\PIFMGR.DLLsystem32\PJLMON.DLLsystem32\PKPD.DLLsystem32\PKPD32.DLLsystem32\PMSPL.DLLsystem32\INTER.DLLsystem32\POWERCFG.DLLsystem32\PRODINV.DLLsystem32\PSMON.DLLsystem32\RASAPI16.DLLsystem32\RASAPI32.DLLsystem32\RICHED.DLLsystem32\RICHED32.DLLsystem32\RNAL.DLLsystem32\RNANP.DLLsystem32\RNASERV.DLLsystem32\RNASETUP.DLLsystem32\RNATHUNK.DLLsystem32\RNAUI.DLLsystem32\RNDSRV32.DLLsystem32\RPCLTC1.DLLsystem32\RPCTLC3.DLLsystem32\RPCTLC5.DLLsystem32\RPCTLC6.DLLsystem32\RPCTLS3.DLLsystem32\RPCTLS5.DLLsystem32\RPCTLS6.DLLsystem32\RPCNS4.DLLsystem32\RPCPP.DLLsystem32\RPLIMAGE.DLLsystem32\RSRC16.DLLsystem32\RSRC32.DLLsystem32\SACLIENT.DLLsystem32\SAPNSP.DLLsystem32\SCCVIEW.DLLsystem32\SECURCL.DLLsystem32\SERIALUI.DLLsystem32\SETUP4.DLLsystem32\SETUPX.DLLsystem32\SETUPX.DLLsystem32\SHSCRAP.DLLsystem32\SLENH.DLLsystem32\SPOOLSS.DLLsystem32\STEM0409.DLLsystem32\STORAGE.DLLsystem32\SUEXPAND.DLLsystem32\SVCPROP.DLLsystem32\SVRAPI.DLLsystem32\SXCIEXT.DLLsystem32\SYNCENG.DLLsystem32\SYNCUI.DLLsystem32\SYSCLASS.DLLsystem32\SYSDETMG.DLLsystem32\SYSTHUNK.DLLsystem32\TAPI.DLLsystem32\TAPIADOR.DLLsystem32\TOOLHLP.DLLsystem32\TOURANI.DLLsystem32\TOURSTR.DLLsystem32\TOURUTIL.DLLsystem32\TREEDCL.DLLsystem32\TREENVVCL..DLLsystem32\TSD32.DLLsystem32\TYPELIB.DLLsystem32\UMDM16.DLLsystem32\UMDM32.DLLsystem32\UNIDRV.DLLsystem32\VBRUN300.DLLsystem32\VER.DLLsystem32\VER.DLLsystem32\VEREX.DLLsystem32\VLB32.DLLsystem32\VSAMI.DLLsystem32\VSASC8.DLLsystem32\VSBMP.DLLsystem32\VSDRW.DLLsystem32\VSEXE2.DLLsystem32\VSFLW.DLLsystem32\VSGIF.DLLsystem32\VSMP.DLLsystem32\VSMSW.DLLsystem32\VSPP.DLLsystem32\VSQPW2.DLLsystem32\VSRTF.DLLsystem32\VSTIFF.DLLsystem32\VSW6.DLLsystem32\VSWK3.DLLsystem32\VSWK4.DLLsystem32\VSWKS.DLLsystem32\VSWMF.DLLsystem32\VSWORD.DLLsystem32\VSWORK.DLLsystem32\VSWP5.DLLsystem32\VSWP6.DLLsystem32\VSWPF.DLLsystem32\VSXL5.DLLsystem32\WGPOADMN.DLLsystem32\WHLPP16T.DLLsystem32\WHLP32T.DLLsystem32\WIN32S16.DLLsystem32\WIN87EM.DLLsystem32\WIN95BB.DLLsystem32\WINASPI.DLLsystem32\WINASPI32.DLLsystem32\WINNET16.DLLsystem32\WINREG.DLLsystem32\WINSOCK.DLLsystem32\WMSFR32.DLLsystem32\WMSUI32.DLLsystem32\WNPP32.DLLsystem32\WPS_USPDT.DLLtem32\WPSAPD.DLLsystem32\WPSMON.DLLsystem32\WPSMON16.DLLsystem32\WPSUNIRE.DLLsystem32\WSOCK32.DLL\system32\POINTER.DLL"

With oFSO.OpenTextFile(sOutTmp, 8, True)
With oFSO.GetFile(sRegTmp)
aRegFileLines = Split(.OpenAsTextStream(1, 0).Read(.Size), vbcrlf)
End With
For Each eRegLine in aRegFileLines
if eregline = "" then
eregline = " "
.WriteLine(eRegLine)
end if
if left(eregline,7)="catchme" then eRegline="xxxxxxxx"
if mid(eregline,2,6)="Locale" then eRegline="xxxxxxxx"
if instr(1,eregline,"<DIR> ..",1)>0 then eRegline="xxxxxxxx"
if instr(1,eregline,"<DIR> .",1)>0 then eRegline="xxxxxxxx"
if instr(1,eregline,"Perfdata",1)>0 then eRegline="xxxxxxxx"
if left(eregline,8)=" " then eRegline="xxxxxxxx"
if right(eregline,5)="\Enum" then eRegline="xxxxxxxx"
if left(eregline,6)="(HKLM)" then eregline=eregline&" "
If InStr(1, sSearchdll, right(eRegLine,15), 1) > 0 then eRegline="xxxxxxxx"
If InStr(1, sSearchdll2, right(eRegLine,15), 1) > 0 then eRegline="xxxxxxxx"
If InStr(1, sSearchdll3, right(eRegLine,15), 1) > 0 then eRegline="xxxxxxxx"
If InStr(1, sSearchFor, mid(eRegLine,2,7), 1) > 0 Then eRegline="xxxxxxxx"
eRegLine=replace(eRegLine,"\\","\")
'If InStr(1, sSearchFor, mid(eRegLine,2,7), 1) = 0 Then
If InStr(1, "xxxxxxxx", eRegLine, 1) = 0 Then
if left (eregline,9)="---------" then eregline = vbcrlf & eregline
.WriteLine(eRegLine)
End If

Next
Erase aRegFileLines
.Close
End With
oFSO.DeleteFile(sRegTmp)
Set oWS = Nothing
Set oFSO = Nothing
WScript.Quit


In fine quando tenta di creare il file report.txt mi da il messaggio:

file report.txt non trovato, crearne uno nuovo?

Cliccando su si mi apre un file report.txt "vuoto"

Avoi vi indica qualcosa le scritte che vi ho riportato?

Continuo a ringraziarvi nel frattempo.
lupoxs
Newbie
 
Post: 7
Iscritto il: 02/03/07 09:32

Postdi lupoxs » 02/03/07 12:06

Inserisco anche il log file di hijack:


Logfile of HijackThis v1.99.1
Scan saved at 12.05.28, on 02/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
I:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
I:\Programmi\Analog Devices\SoundMAX\SMTray.exe
I:\Programmi\File comuni\Symantec Shared\ccApp.exe
I:\PROGRA~1\SYMANT~1\VPTray.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Programmi\Symantec AntiVirus\DefWatch.exe
I:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
I:\WINDOWS\System32\svchost.exe
I:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\WINDOWS\system32\nvsvc32.exe
I:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
I:\Programmi\Symantec AntiVirus\Rtvscan.exe
I:\WINDOWS\system32\wuauclt.exe
I:\WINDOWS\system32\svchost.exe
I:\Programmi\Internet Explorer\iexplore.exe
I:\WINDOWS\system32\mspaint.exe
I:\Documents and Settings\Alberto_PC\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Smapp] I:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "I:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] I:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://I:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://I:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://I:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://I:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://I:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{F080A5AA-5EE0-4C42-803F-CC2DE9CAF249}: NameServer = 195.130.224.18,195.130.225.129
O20 - Winlogon Notify: !SASWinLogon - I:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - I:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - I:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - I:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - I:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - I:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - I:\Programmi\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - I:\Programmi\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - I:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - I:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - I:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - I:\Programmi\Symantec AntiVirus\Rtvscan.exe

[/img]
lupoxs
Newbie
 
Post: 7
Iscritto il: 02/03/07 09:32

Postdi Luke57 » 02/03/07 12:19

Ciao, riprova a utilizzare systemscan, non conosco il significato di quelle scritte. Qual è il processo che hai interrotto per usare i tools?
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Task Manager

Postdi lupoxs » 02/03/07 12:26

Vi inserisco anche l'elenco del task manager attuale dopo un riavvio:

taskmgr.exe
explorer.exe
SMTray.exe
ccApp.exe
VPTray.exe
ctfmon.exe
iexplore.exe
svchost.exe
svchost.exe
wmpnetwk.exe
svchost.exe
svchost.exe
alg.exe
Ciclo idle del sistema
System
DefWatch.exe
SAgent2.exe
svchost.exe
MDM.exe
nvsvc32.exe
SMagent.exe
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
svchost.exe
ccSetMgr.exe
ccEvtMgr.exe
spoolsv.exe
Rtvscan.exe
svchost.exe
lupoxs
Newbie
 
Post: 7
Iscritto il: 02/03/07 09:32

Postdi Luke57 » 02/03/07 12:35

Ciao, nel log di hijackthis non noto minacce attive, anche la lista dei processi pare a posto.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

ringraziamenti

Postdi lupoxs » 02/03/07 12:58

Vi ringrazio di tutto :)
Siete bravi
lupoxs
Newbie
 
Post: 7
Iscritto il: 02/03/07 09:32


Torna a Sicurezza e Privacy


Topic correlati a "Problemi con virus rootkit!!!":

alcuni problemi...
Autore: gibo
Forum: Assistenza Hardware
Risposte: 2

Chi c’è in linea

Visitano il forum: Nessuno e 8 ospiti