Valutazione 4.87/ 5 (100.00%) 5838 voti

Condividi:        

Cavallo di Troia Win32:VB-EIJ[trj]

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: kadosh, Luke57

Cavallo di Troia Win32:VB-EIJ[trj]

Postdi starlightnightly » 25/03/08 21:08

Ciao a tutti

sul mio computer ho 3 sistemi operativi, windows xp service pack 2, windows vista e linux fedora.

Ho Fatto una scansione su windows xp con spybot search e destroy e ho rilevato
virtumode.dll e virtumode.

Ho eliminato con lo stesso programma le infezioni e riavviato il pc.
Mi sono prima scollegato da internet e disattivato il ripristino configurazione di sistema.
Al riavvio del windows xp spybot mi cancella i file e tutto quello che riguarda virtumode.

Dopo un po il problema si ripresenta, rifaccio tutto da capo e cancello di nuovo tutto.
Alla fine esco da xp, vado su vista e faccio una scansione della partizione del windows xp con avast.

Trova il virus Cavallo di Troia Win32:VB-EIJ[trj] nel file pagefile.sys.
Cancello il file.
L'operazione riesce.

Ritorno in winodws xp e dopo un pò che lo uso ritorna dinuovo.


Eseguo Hijackthis e il log e il seguente:

Logfile of HijackThis v1.99.1
Scan saved at 20.21.04, on 25/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
E:\Programmi\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\ATKKBService.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Programmi\File comuni\LightScribe\LSSrvc.exe
E:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Programmi\CyberLink\Shared files\RichVideo.exe
E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
E:\Programmi\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\ASUS\AI Remote\AiRc.exe
E:\Programmi\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
E:\Programmi\Creative\Shared Files\Module Loader\DLLML.exe
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
E:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Programmi\Unlocker\UnlockerAssistant.exe
E:\Program Files\ASUS\AI Remote\AiRemote.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Programmi\Creative\MediaSource5\Go\CTCMSGoU.exe
E:\Programmi\Skype\Phone\Skype.exe
E:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe
E:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
E:\Programmi\ASUS\SmartDoctor\SmartDoctor.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
E:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
E:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
E:\Programmi\Media Key\MagicKey.exe
E:\Programmi\ASUS\ScreenDUO\AsG_Manager.exe
E:\Programmi\Media Key\OSD.EXE
E:\Programmi\Skype\Plugin Manager\skypePM.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\LaunchApplication\AsG_LaunchApplication.exe
E:\Programmi\Asus\ScreenDUO\Gadgets\Time\AsG_Time.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\VolumeControl\AsG_VolumeControl.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\HardwareMonitoring\AsG_HardwareMonitor.exe
E:\Programmi\ASUS\AASP\1.00.25\aaCenter.exe
E:\WINDOWS\system32\wuauclt.exe
F:\Programmi\Aggiornamenti_Continui\Diagnosi_Virtumonde\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - E:\WINDOWS\system32\khfebxx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ai Remote Help] "E:\Program Files\ASUS\AI Remote\AiRc.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] E:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] E:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [VolPanel] "E:\Programmi\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "E:\Programmi\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "E:\Programmi\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Ai Nap] "E:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] E:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] E:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "E:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "E:\Programmi\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [Skype] "E:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "E:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ASUS SmartDoctor] E:\Programmi\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Media Key.lnk = E:\Programmi\Media Key\MagicKey.exe
O4 - Global Startup: ScreenDUO.lnk = ?
O8 - Extra context menu item: Scarica con il Wizard di LeechGet - file://E:\Programmi\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: Scarica con LeechGet - file://E:\Programmi\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Scarica pagina con LeechGet - file://E:\Programmi\LeechGet 2006\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Programmi\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: khfebxx - E:\WINDOWS\SYSTEM32\khfebxx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - E:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - E:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

Il problema secondo me sono le seguenti due linee:

O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - E:\WINDOWS\system32\khfebxx.dll
O20 - Winlogon Notify: khfebxx - E:\WINDOWS\SYSTEM32\khfebxx.dll

ho provato a selezionarle e a cancellarle, il programma mi dice che le ha cancellate ma in realtà sono sempre lì.

Ho provato a cancellare manualmente dal registro tutte le chiavi che riguardavo il file khfebxx.dll ma subito dopo
riapparivano.

Prima di usare Hijackthis ho fatto una scansione con spybot e virtumode non c'era più almeno fino a quel momento.
Ho provato a cancellare il BHO con spybot ma ha lo stesso effetto che con hijack in un primo momento scompare e
dopo un po riappare come per magia.

Qualcuno sà come risolvere il problema?

Ciao a tutti !!!
starlightnightly
Utente Junior
 
Post: 26
Iscritto il: 15/12/07 16:40

Sponsor
 

Re: Cavallo di Troia Win32:VB-EIJ[trj]

Postdi Luke57 » 26/03/08 08:41

Ciao, scarica combofix sul desktop
ComboFix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disconettiti da internet
disattiva l'antivirus


Avvia il file ComboFix.exe
Digita 1 per avviare il tool (non fare altre manovre durante la scansione che è piuttosto lenta, se spariscono le icone dal desktop è normale))
Segui le istruzioni e alla fine verrà generato un log (C:\combofix.txt).

Riavvia il pc, copia e incolla il contenuto del report.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Cavallo di Troia Win32:VB-EIJ[trj]

Postdi starlightnightly » 26/03/08 18:39

Ciao prima di leggere il tuo messaggio ho usato un programmino che si chiama
removeit pro enterprise che mi ha cancellato una delle due righe e dopo sono riuscito a cancellare con hijackthis
anche l'altra.

Questo è il file di log di hijackthis dopo aver usato il programma removeit pro:

Logfile of HijackThis v1.99.1
Scan saved at 17.31.58, on 26/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\ATKKBService.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Programmi\File comuni\LightScribe\LSSrvc.exe
E:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Programmi\CyberLink\Shared files\RichVideo.exe
E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\ASUS\AI Remote\AiRc.exe
E:\Programmi\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
E:\Programmi\Creative\Shared Files\Module Loader\DLLML.exe
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
E:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
E:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Programmi\Unlocker\UnlockerAssistant.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Programmi\Creative\MediaSource5\Go\CTCMSGoU.exe
E:\Programmi\Skype\Phone\Skype.exe
E:\Program Files\ASUS\AI Remote\AiRemote.exe
E:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe
E:\Programmi\ASUS\SmartDoctor\SmartDoctor.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
E:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
E:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
E:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
E:\Programmi\Media Key\MagicKey.exe
E:\Programmi\ASUS\ScreenDUO\AsG_Manager.exe
E:\Programmi\Media Key\OSD.EXE
E:\Programmi\ASUS\ScreenDUO\Gadgets\LaunchApplication\AsG_LaunchApplication.exe
E:\Programmi\Asus\ScreenDUO\Gadgets\Time\AsG_Time.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\VolumeControl\AsG_VolumeControl.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\HardwareMonitoring\AsG_HardwareMonitor.exe
E:\Programmi\ASUS\AASP\1.00.25\aaCenter.exe
E:\Programmi\Skype\Plugin Manager\skypePM.exe
E:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
E:\Diagnosi_Virtumonde\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Ai Remote Help] "E:\Program Files\ASUS\AI Remote\AiRc.exe"
O4 - HKLM\..\Run: [JMB36X IDE Setup] E:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] E:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [VolPanel] "E:\Programmi\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "E:\Programmi\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "E:\Programmi\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Ai Nap] "E:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] E:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] E:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "E:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "E:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "E:\Programmi\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [Skype] "E:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "E:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ASUS SmartDoctor] E:\Programmi\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Media Key.lnk = E:\Programmi\Media Key\MagicKey.exe
O4 - Global Startup: ScreenDUO.lnk = ?
O8 - Extra context menu item: Scarica con il Wizard di LeechGet - file://E:\Programmi\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: Scarica con LeechGet - file://E:\Programmi\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Scarica pagina con LeechGet - file://E:\Programmi\LeechGet 2006\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Programmi\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - E:\WINDOWS\ATKKBService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - E:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - E:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

Ma dopo non contento ho eseguito anche combofix e questo è il risultato:

ComboFix 08-03-25.4 - Domenico 2008-03-26 18.08.45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1475 [GMT 1:00]
Eseguito da: E:\Diagnosi_Virtumonde\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\BM031b7a6a.xml
E:\WINDOWS\pskt.ini
E:\WINDOWS\system32\ayadd.ini
E:\WINDOWS\system32\ayadd.ini2
E:\WINDOWS\system32\gfhkj.ini
E:\WINDOWS\system32\gfhkj.ini2
E:\WINDOWS\system32\hgjlm.ini
E:\WINDOWS\system32\hgjlm.ini2
E:\WINDOWS\system32\hjllm.ini
E:\WINDOWS\system32\hjllm.ini2
E:\WINDOWS\system32\jjllm.ini
E:\WINDOWS\system32\jjllm.ini2
E:\WINDOWS\system32\kjjlm.ini
E:\WINDOWS\system32\kjjlm.ini2
E:\WINDOWS\system32\mcrh.tmp
E:\WINDOWS\system32\mpqss.ini
E:\WINDOWS\system32\mpqss.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Creati Da 2008-02-26 al 2008-03-26 )))))))))))))))))))))))))))))))))))
.

2008-03-26 17:57 . 2008-03-26 17:57 8,704 --a------ E:\WINDOWS\system32\drivers\wmikvgsagcjo.sys
2008-03-26 17:22 . 2008-03-26 17:21 8,704 --a------ E:\WINDOWS\system32\drivers\rmombwijlwas.sys
2008-03-26 17:21 . 2008-03-26 17:21 <DIR> d-------- E:\Documents and Settings\Domenico\Pavark
2008-03-26 17:21 . 2008-03-26 17:21 8,704 --a------ E:\WINDOWS\system32\drivers\roshkspyjhcr.sys
2008-03-26 16:40 . 2008-03-26 16:40 <DIR> d-------- E:\SpyBot-26.03.2008
2008-03-26 16:31 . 2008-03-26 18:07 <DIR> d-------- E:\Diagnosi_Virtumonde
2008-03-26 15:19 . 2008-03-26 18:05 <DIR> d-------- E:\suspectfile
2008-03-25 17:21 . 2008-03-25 17:52 294 --ahs---- E:\WINDOWS\system32\yrctvqka.ini
2008-03-25 16:57 . 2008-03-25 16:57 <DIR> d-------- E:\download_leechget
2008-03-25 15:19 . 2008-03-25 15:47 294 --ahs---- E:\WINDOWS\system32\puquqocj.ini
2008-03-24 13:32 . 2008-03-24 13:32 <DIR> d-------- E:\VundoFix Backups
2008-03-24 13:20 . 2008-03-24 13:27 294 --ahs---- E:\WINDOWS\system32\hakxuiml.ini
2008-03-24 13:19 . 2008-03-24 13:19 <DIR> d-------- E:\Programmi\CCleaner
2008-03-23 19:21 . 2008-03-23 20:02 294 --ahs---- E:\WINDOWS\system32\vbqcgtxs.ini
2008-03-23 18:42 . 2008-03-23 19:52 <DIR> d-------- E:\Programmi\Enigma Software Group
2008-03-23 17:35 . 2008-03-23 17:53 294 --ahs---- E:\WINDOWS\system32\qxyhdawe.ini
2008-03-23 14:54 . 2008-03-23 15:06 294 --ahs---- E:\WINDOWS\system32\inavdsoy.ini
2008-03-23 13:38 . 2008-03-25 17:52 1,237 --a------ E:\WINDOWS\wininit.ini
2008-03-23 11:01 . 2008-03-23 11:01 <DIR> d-------- E:\Documents and Settings\Domenico\Dati applicazioni\InstallShield Installation Information
2008-03-23 10:55 . 2008-03-23 10:55 <DIR> d-------- E:\Programmi\Unreal Tournament 3
2008-03-23 10:55 . 2007-05-16 16:45 3,497,832 --a------ E:\WINDOWS\system32\d3dx9_34.dll
2008-03-23 10:55 . 2007-05-16 16:45 1,124,720 --a------ E:\WINDOWS\system32\D3DCompiler_34.dll
2008-03-23 10:55 . 2007-05-16 16:45 443,752 --a------ E:\WINDOWS\system32\d3dx10_34.dll
2008-03-23 10:54 . 2008-03-23 10:54 <DIR> d----c--- E:\WINDOWS\system32\DRVSTORE
2008-03-23 10:54 . 2008-03-23 10:54 <DIR> d-------- E:\WINDOWS\system32\AGEIA
2008-03-23 10:54 . 2008-03-23 10:54 <DIR> d-------- E:\Programmi\AGEIA Technologies
2008-03-23 10:52 . 2008-03-23 13:40 354 --ahs---- E:\WINDOWS\system32\rqjhqkpv.ini
2008-02-29 09:54 . 2008-02-29 09:54 <DIR> dr-h----- E:\Documents and Settings\Domenico\Dati applicazioni\SecuROM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 16:52 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\Skype
2008-03-26 15:27 --------- d-----w E:\Programmi\AntiRootkit
2008-03-26 14:12 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\skypePM
2008-03-23 16:42 --------- d-----w E:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-03-23 16:33 196,608 ----a-w E:\WINDOWS\system32\drivers\nVivid.bin
2008-03-23 16:32 --------- d-----w E:\Programmi\DivX
2008-03-23 16:27 --------- d-----w E:\Programmi\AudioStreamer Pro
2008-03-23 15:41 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\OpenOffice.org2
2008-03-23 10:04 --------- d-----w E:\Programmi\Java
2008-03-23 09:54 --------- d-----w E:\Programmi\File comuni\Wise Installation Wizard
2008-02-29 06:53 --------- d--h--w E:\Programmi\InstallShield Installation Information
2008-02-27 17:38 --------- d-----w E:\Programmi\GameShadow
2008-02-20 19:13 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\Microsoft Games
2008-02-20 16:54 --------- d-----w E:\Programmi\Mozilla Thunderbird
2008-02-19 12:10 --------- d-----w E:\Documents and Settings\All Users\Dati applicazioni\Yahoo!
2008-02-19 12:09 --------- d-----w E:\Programmi\Yahoo!
2008-02-07 06:53 --------- d-----w E:\Programmi\Spybot - Search & Destroy
2008-02-07 06:46 691,545 ----a-w E:\WINDOWS\unins000.exe
2008-01-10 10:42 32 ----a-w E:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]
"Creative MediaSource Go"="E:\Programmi\Creative\MediaSource5\Go\CTCMSGoU.exe" [2005-12-12 09:36 143360]
"Skype"="E:\Programmi\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51 202024]
"AlcoholAutomount"="E:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 08:23 221568]
"ASUS SmartDoctor"="E:\Programmi\ASUS\SmartDoctor\SmartDoctor.exe" [2007-10-01 21:58 1126400]
"Yahoo! Pager"="E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpybotSD TeaTimer"="E:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 E:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Ai Remote Help"="E:\Program Files\ASUS\AI Remote\AiRc.exe" [2007-01-19 14:24 3347456]
"JMB36X IDE Setup"="E:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44 36864]
"36X Raid Configurer"="E:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 10:05 1953792]
"VolPanel"="E:\Programmi\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 14:11 122880]
"AudioDrvEmulator"="E:\Programmi\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
"CTHelper"="CTHELPER.EXE" [2006-05-24 05:20 17920 E:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 05:20 18944 E:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="E:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Ai Nap"="E:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-01-11 23:39 1423360]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-26 15:57 79224]
"SunJavaUpdateSched"="E:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RemoteControl"="E:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="E:\Programmi\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09 49152]
"NeroFilterCheck"="E:\Programmi\File comuni\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="E:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]
"UnlockerAssistant"="E:\Programmi\Unlocker\UnlockerAssistant.exe" [2006-09-07 18:19 15872]
"QuickTime Task"="E:\Programmi\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:39 15360]

E:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Media Key.lnk - E:\Programmi\Media Key\MagicKey.exe [2008-01-10 10:08:25 159744]
ScreenDUO.lnk - E:\Programmi\ASUS\ScreenDUO\AsG_Manager.exe [2008-01-10 10:01:41 73728]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\WINDOWS\\system32\\sessmgr.exe"=
"E:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"E:\\Programmi\\Yahoo!\\Messenger\\YServer.exe"=
"E:\\Programmi\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"E:\\Programmi\\Skype\\Phone\\Skype.exe"=

R1 DHAHELPER;DHAHELPER;E:\WINDOWS\system32\drivers\dhahelper.sys [2005-03-05 15:35]
R1 kbfilter;Keyboard Filter Driver;E:\WINDOWS\system32\drivers\kbfilter.sys [2002-07-11 12:00]
R1 UsbFltr;WayTechUSBFilterDriver;E:\WINDOWS\system32\drivers\UsbFltr.sys [2003-12-29 18:27]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;E:\WINDOWS\system32\drivers\asusgsb.sys [2007-08-28 10:58]
R3 ha20x2k;Creative 20X HAL Driver;E:\WINDOWS\system32\drivers\ha20x2k.sys [2006-05-24 04:40]
R3 Video3D;ASUS Video3D Service;E:\WINDOWS\system32\Drivers\Video3D32.sys [2007-08-28 10:58]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"E:\Programmi\File comuni\LightScribe\LSRunOnce.exe"
.
Contenuto della cartella 'Scheduled Tasks'
"2008-03-26 17:13:01 E:\WINDOWS\Tasks\User_Feed_Synchronization-{FCB39023-4FC9-4F90-ACC9-6275215F4F4E}.job"
- E:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 18:11:34
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: E:\WINDOWS\explorer.exe
-> E:\Programmi\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
E:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\WINDOWS\ATKKBService.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Programmi\File comuni\LightScribe\LSSrvc.exe
E:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Programmi\CyberLink\Shared files\RichVideo.exe
E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
E:\Program Files\ASUS\AI Remote\AiRemote.exe
E:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
E:\Programmi\Media Key\OSD.EXE
E:\Programmi\ASUS\ScreenDUO\Gadgets\LaunchApplication\AsG_LaunchApplication.exe
E:\Programmi\Asus\ScreenDUO\Gadgets\Time\AsG_Time.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\VolumeControl\AsG_VolumeControl.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\HardwareMonitoring\AsG_HardwareMonitor.exe
E:\Programmi\ASUS\AASP\1.00.25\aaCenter.exe
E:\Programmi\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Ora fine scansione: 2008-03-26 18:13:09 - machine was rebooted [Domenico]
ComboFix-quarantined-files.txt 2008-03-26 17:13:07


Devo dire che ora non funziona più l'antivirus di windows xp e panda antirootkit va in crash e non
termina la scansione.
In questo momento sto facendo una scansione della partizione di windows xp da windows vista
per vedere se non è uscito qualche altro virus.

Fammi sapere cosa ne pensi dei log.

Ciao !!!
starlightnightly
Utente Junior
 
Post: 26
Iscritto il: 15/12/07 16:40

Re: Cavallo di Troia Win32:VB-EIJ[trj]

Postdi Luke57 » 26/03/08 19:10

Ciao, copia questo codice:

file::
E:\WINDOWS\system32\drivers\roshkspyjhcr.sys
E:\WINDOWS\system32\yrctvqka.ini
E:\WINDOWS\system32\puquqocj.ini
E:\WINDOWS\system32\hakxuiml.ini
E:\WINDOWS\system32\vbqcgtxs.ini
E:\WINDOWS\system32\qxyhdawe.ini
E:\WINDOWS\system32\rqjhqkpv.ini


incollalo in un file di testo, salvalo obbligatoriamente con il nome CFScript.txt , poi trascinalo con il puntatore del mouse sìtrascinalo sull'icona di combofix per una nuova scansione.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Cavallo di Troia Win32:VB-EIJ[trj]

Postdi starlightnightly » 27/03/08 12:14

Ciao qui sotto il log della nuova scansione con lo script:

ComboFix 08-03-25.4 - Domenico 2008-03-27 11.51.42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1463 [GMT 1:00]
Eseguito da: E:\Diagnosi_Virtumonde\ComboFix.exe
Command switches used :: E:\Documents and Settings\Domenico\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\system32\tmp43.tmp
E:\WINDOWS\system32\tmp73.tmp

.
((((((((((((((((((((((((( Files Creati Da 2008-02-27 al 2008-03-27 )))))))))))))))))))))))))))))))))))
.

2008-03-26 20:23 . 2008-03-26 20:23 <DIR> d-------- E:\Documents and Settings\Domenico\Dati applicazioni\FileZilla
2008-03-26 19:36 . 2007-12-04 14:04 837,496 --a------ E:\WINDOWS\system32\aswBoot.exe
2008-03-26 19:36 . 2004-01-09 10:13 380,928 --a------ E:\WINDOWS\system32\actskin4.ocx
2008-03-26 19:36 . 2007-12-04 13:54 95,608 --a------ E:\WINDOWS\system32\AvastSS.scr
2008-03-26 19:36 . 2007-12-04 15:55 94,544 --a------ E:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-26 19:36 . 2007-12-04 15:56 93,264 --a------ E:\WINDOWS\system32\drivers\aswmon.sys
2008-03-26 19:36 . 2007-12-04 15:51 42,912 --a------ E:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-26 19:36 . 2007-12-04 15:49 26,624 --a------ E:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-26 19:36 . 2007-12-04 15:53 23,152 --a------ E:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-26 17:57 . 2008-03-26 17:57 8,704 --a------ E:\WINDOWS\system32\drivers\wmikvgsagcjo.sys
2008-03-26 17:22 . 2008-03-26 17:21 8,704 --a------ E:\WINDOWS\system32\drivers\rmombwijlwas.sys
2008-03-26 17:21 . 2008-03-26 17:21 8,704 --a------ E:\WINDOWS\system32\drivers\roshkspyjhcr.sys
2008-03-26 16:31 . 2008-03-27 11:38 <DIR> d-------- E:\Diagnosi_Virtumonde
2008-03-25 17:21 . 2008-03-25 17:52 294 --ahs---- E:\WINDOWS\system32\yrctvqka.ini
2008-03-25 16:57 . 2008-03-25 16:57 <DIR> d-------- E:\download_leechget
2008-03-25 15:19 . 2008-03-25 15:47 294 --ahs---- E:\WINDOWS\system32\puquqocj.ini
2008-03-24 13:20 . 2008-03-24 13:27 294 --ahs---- E:\WINDOWS\system32\hakxuiml.ini
2008-03-24 13:19 . 2008-03-24 13:19 <DIR> d-------- E:\Programmi\CCleaner
2008-03-23 19:21 . 2008-03-23 20:02 294 --ahs---- E:\WINDOWS\system32\vbqcgtxs.ini
2008-03-23 18:42 . 2008-03-23 19:52 <DIR> d-------- E:\Programmi\Enigma Software Group
2008-03-23 17:35 . 2008-03-23 17:53 294 --ahs---- E:\WINDOWS\system32\qxyhdawe.ini
2008-03-23 14:54 . 2008-03-23 15:06 294 --ahs---- E:\WINDOWS\system32\inavdsoy.ini
2008-03-23 13:38 . 2008-03-25 17:52 1,237 --a------ E:\WINDOWS\wininit.ini
2008-03-23 11:01 . 2008-03-23 11:01 <DIR> d-------- E:\Documents and Settings\Domenico\Dati applicazioni\InstallShield Installation Information
2008-03-23 10:55 . 2008-03-23 10:55 <DIR> d-------- E:\Programmi\Unreal Tournament 3
2008-03-23 10:55 . 2007-05-16 16:45 3,497,832 --a------ E:\WINDOWS\system32\d3dx9_34.dll
2008-03-23 10:55 . 2007-05-16 16:45 1,124,720 --a------ E:\WINDOWS\system32\D3DCompiler_34.dll
2008-03-23 10:55 . 2007-05-16 16:45 443,752 --a------ E:\WINDOWS\system32\d3dx10_34.dll
2008-03-23 10:54 . 2008-03-23 10:54 <DIR> d----c--- E:\WINDOWS\system32\DRVSTORE
2008-03-23 10:54 . 2008-03-23 10:54 <DIR> d-------- E:\WINDOWS\system32\AGEIA
2008-03-23 10:54 . 2008-03-23 10:54 <DIR> d-------- E:\Programmi\AGEIA Technologies
2008-03-23 10:52 . 2008-03-23 13:40 354 --ahs---- E:\WINDOWS\system32\rqjhqkpv.ini
2008-02-29 09:54 . 2008-02-29 09:54 <DIR> dr-h----- E:\Documents and Settings\Domenico\Dati applicazioni\SecuROM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 10:43 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\Skype
2008-03-27 10:33 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\skypePM
2008-03-26 15:27 --------- d-----w E:\Programmi\AntiRootkit
2008-03-23 16:42 --------- d-----w E:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-03-23 16:33 196,608 ----a-w E:\WINDOWS\system32\drivers\nVivid.bin
2008-03-23 16:32 --------- d-----w E:\Programmi\DivX
2008-03-23 16:27 --------- d-----w E:\Programmi\AudioStreamer Pro
2008-03-23 15:41 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\OpenOffice.org2
2008-03-23 10:04 --------- d-----w E:\Programmi\Java
2008-03-23 09:54 --------- d-----w E:\Programmi\File comuni\Wise Installation Wizard
2008-02-29 06:53 --------- d--h--w E:\Programmi\InstallShield Installation Information
2008-02-27 17:38 --------- d-----w E:\Programmi\GameShadow
2008-02-21 02:05 524,288 ----a-w E:\WINDOWS\system32\DivXsm.exe
2008-02-21 02:05 3,596,288 ----a-w E:\WINDOWS\system32\qt-dx331.dll
2008-02-21 02:05 200,704 ----a-w E:\WINDOWS\system32\ssldivx.dll
2008-02-21 02:05 1,044,480 ----a-w E:\WINDOWS\system32\libdivx.dll
2008-02-21 02:04 823,296 ----a-w E:\WINDOWS\system32\divx_xx0c.dll
2008-02-21 02:04 823,296 ----a-w E:\WINDOWS\system32\divx_xx07.dll
2008-02-21 02:04 81,920 ----a-w E:\WINDOWS\system32\dpl100.dll
2008-02-21 02:04 802,816 ----a-w E:\WINDOWS\system32\divx_xx11.dll
2008-02-21 02:04 682,496 ----a-w E:\WINDOWS\system32\DivX.dll
2008-02-21 02:04 593,920 ----a-w E:\WINDOWS\system32\dpuGUI11.dll
2008-02-21 02:04 57,344 ----a-w E:\WINDOWS\system32\dpv11.dll
2008-02-21 02:04 53,248 ----a-w E:\WINDOWS\system32\dpuGUI10.dll
2008-02-21 02:04 344,064 ----a-w E:\WINDOWS\system32\dpus11.dll
2008-02-21 02:04 294,912 ----a-w E:\WINDOWS\system32\dpu11.dll
2008-02-21 02:04 294,912 ----a-w E:\WINDOWS\system32\dpu10.dll
2008-02-21 02:04 196,608 ----a-w E:\WINDOWS\system32\dtu100.dll
2008-02-21 02:03 156,992 ----a-w E:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-21 02:03 12,288 ----a-w E:\WINDOWS\system32\DivXWMPExtType.dll
2008-02-20 19:13 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\Microsoft Games
2008-02-20 16:54 --------- d-----w E:\Programmi\Mozilla Thunderbird
2008-02-19 12:10 --------- d-----w E:\Documents and Settings\All Users\Dati applicazioni\Yahoo!
2008-02-19 12:09 --------- d-----w E:\Programmi\Yahoo!
2008-02-07 10:12 98,304 ----a-w E:\WINDOWS\system32\CmdLineExt.dll
2008-02-07 06:53 --------- d-----w E:\Programmi\Spybot - Search & Destroy
2008-02-07 06:46 691,545 ----a-w E:\WINDOWS\unins000.exe
2008-01-17 17:13 409,600 ----a-w E:\WINDOWS\system32\wrap_oal.dll
2008-01-17 17:13 114,688 ----a-w E:\WINDOWS\system32\OpenAL32.dll
2008-01-11 08:56 12,632 ----a-w E:\WINDOWS\system32\lsdelete.exe
2008-01-10 10:42 32 ----a-w E:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
2006-06-23 06:48 32,768 ----a-r E:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]
"Creative MediaSource Go"="E:\Programmi\Creative\MediaSource5\Go\CTCMSGoU.exe" [2005-12-12 09:36 143360]
"Skype"="E:\Programmi\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51 202024]
"AlcoholAutomount"="E:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 08:23 221568]
"ASUS SmartDoctor"="E:\Programmi\ASUS\SmartDoctor\SmartDoctor.exe" [2007-10-01 21:58 1126400]
"Yahoo! Pager"="E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpybotSD TeaTimer"="E:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 E:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Ai Remote Help"="E:\Program Files\ASUS\AI Remote\AiRc.exe" [2007-01-19 14:24 3347456]
"JMB36X IDE Setup"="E:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44 36864]
"36X Raid Configurer"="E:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 10:05 1953792]
"VolPanel"="E:\Programmi\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 14:11 122880]
"AudioDrvEmulator"="E:\Programmi\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
"CTHelper"="CTHELPER.EXE" [2006-05-24 05:20 17920 E:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 05:20 18944 E:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="E:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Ai Nap"="E:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-01-11 23:39 1423360]
"SunJavaUpdateSched"="E:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RemoteControl"="E:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="E:\Programmi\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09 49152]
"NeroFilterCheck"="E:\Programmi\File comuni\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="E:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]
"UnlockerAssistant"="E:\Programmi\Unlocker\UnlockerAssistant.exe" [2006-09-07 18:19 15872]
"QuickTime Task"="E:\Programmi\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:39 15360]

E:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Media Key.lnk - E:\Programmi\Media Key\MagicKey.exe [2008-01-10 10:08:25 159744]
ScreenDUO.lnk - E:\Programmi\ASUS\ScreenDUO\AsG_Manager.exe [2008-01-10 10:01:41 73728]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\WINDOWS\\system32\\sessmgr.exe"=
"E:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"E:\\Programmi\\Yahoo!\\Messenger\\YServer.exe"=
"E:\\Programmi\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"E:\\Programmi\\Skype\\Phone\\Skype.exe"=

R1 DHAHELPER;DHAHELPER;E:\WINDOWS\system32\drivers\dhahelper.sys [2005-03-05 15:35]
R1 kbfilter;Keyboard Filter Driver;E:\WINDOWS\system32\drivers\kbfilter.sys [2002-07-11 12:00]
R1 UsbFltr;WayTechUSBFilterDriver;E:\WINDOWS\system32\drivers\UsbFltr.sys [2003-12-29 18:27]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;E:\WINDOWS\system32\drivers\asusgsb.sys [2007-08-28 10:58]
R3 ha20x2k;Creative 20X HAL Driver;E:\WINDOWS\system32\drivers\ha20x2k.sys [2006-05-24 04:40]
R3 Video3D;ASUS Video3D Service;E:\WINDOWS\system32\Drivers\Video3D32.sys [2007-08-28 10:58]

*Newly Created Service* - FQNGRJLNOGFU

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"E:\Programmi\File comuni\LightScribe\LSRunOnce.exe"
.
Contenuto della cartella 'Scheduled Tasks'
"2008-03-26 18:46:39 E:\WINDOWS\Tasks\User_Feed_Synchronization-{FCB39023-4FC9-4F90-ACC9-6275215F4F4E}.job"
- E:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 11:52:12
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: E:\WINDOWS\explorer.exe
-> E:\Programmi\Unlocker\UnlockerHook.dll
.
Ora fine scansione: 2008-03-27 11.52.29
ComboFix-quarantined-files.txt 2008-03-27 10:52:21
ComboFix2.txt 2008-03-26 17:13:10


Quando faccio la scansione della partizione di windows xp da windows vista
trova sempre nel file pagefile.sys il cavallo di troia.
Con spybot non trova niente.
Con panda antirootkit non trova niente.
Il log di hijackthis ora mi sembra pulito.

Ciao e grazie per il tuo aiuto
Aspetto tue notizie.
starlightnightly
Utente Junior
 
Post: 26
Iscritto il: 15/12/07 16:40

Re: Cavallo di Troia Win32:VB-EIJ[trj]

Postdi Luke57 » 27/03/08 12:20

Ciao, ripeti l'operazione di trascinamento del file CFScript.txt
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Cavallo di Troia Win32:VB-EIJ[trj]

Postdi starlightnightly » 27/03/08 12:40

ciao ho ripetuto ma mi ero sbagliato non avevo copiato la prima riga file::

ComboFix 08-03-25.4 - Domenico 2008-03-27 12.28.26.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1506 [GMT 1:00]
Eseguito da: E:\Diagnosi_Virtumonde\ComboFix.exe
Command switches used :: E:\Documents and Settings\Domenico\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
E:\WINDOWS\system32\drivers\roshkspyjhcr.sys
E:\WINDOWS\system32\hakxuiml.ini
E:\WINDOWS\system32\puquqocj.ini
E:\WINDOWS\system32\qxyhdawe.ini
E:\WINDOWS\system32\rqjhqkpv.ini
E:\WINDOWS\system32\vbqcgtxs.ini
E:\WINDOWS\system32\yrctvqka.ini
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\system32\drivers\roshkspyjhcr.sys
E:\WINDOWS\system32\hakxuiml.ini
E:\WINDOWS\system32\puquqocj.ini
E:\WINDOWS\system32\qxyhdawe.ini
E:\WINDOWS\system32\rqjhqkpv.ini
E:\WINDOWS\system32\vbqcgtxs.ini
E:\WINDOWS\system32\yrctvqka.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_roshkspyjhcr
-------\roshkspyjhcr


((((((((((((((((((((((((( Files Creati Da 2008-02-27 al 2008-03-27 )))))))))))))))))))))))))))))))))))
.

2008-03-26 20:23 . 2008-03-26 20:23 <DIR> d-------- E:\Documents and Settings\Domenico\Dati applicazioni\FileZilla
2008-03-26 19:36 . 2007-12-04 14:04 837,496 --a------ E:\WINDOWS\system32\aswBoot.exe
2008-03-26 19:36 . 2004-01-09 10:13 380,928 --a------ E:\WINDOWS\system32\actskin4.ocx
2008-03-26 19:36 . 2007-12-04 13:54 95,608 --a------ E:\WINDOWS\system32\AvastSS.scr
2008-03-26 19:36 . 2007-12-04 15:55 94,544 --a------ E:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-26 19:36 . 2007-12-04 15:56 93,264 --a------ E:\WINDOWS\system32\drivers\aswmon.sys
2008-03-26 19:36 . 2007-12-04 15:51 42,912 --a------ E:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-26 19:36 . 2007-12-04 15:49 26,624 --a------ E:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-26 19:36 . 2007-12-04 15:53 23,152 --a------ E:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-26 17:57 . 2008-03-26 17:57 8,704 --a------ E:\WINDOWS\system32\drivers\wmikvgsagcjo.sys
2008-03-26 17:22 . 2008-03-26 17:21 8,704 --a------ E:\WINDOWS\system32\drivers\rmombwijlwas.sys
2008-03-26 16:31 . 2008-03-27 11:53 <DIR> d-------- E:\Diagnosi_Virtumonde
2008-03-25 16:57 . 2008-03-25 16:57 <DIR> d-------- E:\download_leechget
2008-03-24 13:19 . 2008-03-24 13:19 <DIR> d-------- E:\Programmi\CCleaner
2008-03-23 18:42 . 2008-03-23 19:52 <DIR> d-------- E:\Programmi\Enigma Software Group
2008-03-23 14:54 . 2008-03-23 15:06 294 --ahs---- E:\WINDOWS\system32\inavdsoy.ini
2008-03-23 13:38 . 2008-03-25 17:52 1,237 --a------ E:\WINDOWS\wininit.ini
2008-03-23 11:01 . 2008-03-23 11:01 <DIR> d-------- E:\Documents and Settings\Domenico\Dati applicazioni\InstallShield Installation Information
2008-03-23 10:55 . 2008-03-23 10:55 <DIR> d-------- E:\Programmi\Unreal Tournament 3
2008-03-23 10:55 . 2007-05-16 16:45 3,497,832 --a------ E:\WINDOWS\system32\d3dx9_34.dll
2008-03-23 10:55 . 2007-05-16 16:45 1,124,720 --a------ E:\WINDOWS\system32\D3DCompiler_34.dll
2008-03-23 10:55 . 2007-05-16 16:45 443,752 --a------ E:\WINDOWS\system32\d3dx10_34.dll
2008-03-23 10:54 . 2008-03-23 10:54 <DIR> d----c--- E:\WINDOWS\system32\DRVSTORE
2008-03-23 10:54 . 2008-03-23 10:54 <DIR> d-------- E:\WINDOWS\system32\AGEIA
2008-03-23 10:54 . 2008-03-23 10:54 <DIR> d-------- E:\Programmi\AGEIA Technologies
2008-02-29 09:54 . 2008-02-29 09:54 <DIR> dr-h----- E:\Documents and Settings\Domenico\Dati applicazioni\SecuROM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 11:26 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\Skype
2008-03-27 10:33 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\skypePM
2008-03-26 15:27 --------- d-----w E:\Programmi\AntiRootkit
2008-03-23 16:42 --------- d-----w E:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-03-23 16:33 196,608 ----a-w E:\WINDOWS\system32\drivers\nVivid.bin
2008-03-23 16:32 --------- d-----w E:\Programmi\DivX
2008-03-23 16:27 --------- d-----w E:\Programmi\AudioStreamer Pro
2008-03-23 15:41 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\OpenOffice.org2
2008-03-23 10:04 --------- d-----w E:\Programmi\Java
2008-03-23 09:54 --------- d-----w E:\Programmi\File comuni\Wise Installation Wizard
2008-02-29 06:53 --------- d--h--w E:\Programmi\InstallShield Installation Information
2008-02-27 17:38 --------- d-----w E:\Programmi\GameShadow
2008-02-20 19:13 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\Microsoft Games
2008-02-20 16:54 --------- d-----w E:\Programmi\Mozilla Thunderbird
2008-02-19 12:10 --------- d-----w E:\Documents and Settings\All Users\Dati applicazioni\Yahoo!
2008-02-19 12:09 --------- d-----w E:\Programmi\Yahoo!
2008-02-07 06:53 --------- d-----w E:\Programmi\Spybot - Search & Destroy
2008-02-07 06:46 691,545 ----a-w E:\WINDOWS\unins000.exe
2008-01-10 10:42 32 ----a-w E:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
2006-06-23 06:48 32,768 ----a-r E:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-27_11.52.17,78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-27 11:31:41 16,384 ----atw E:\WINDOWS\TEMP\Perflib_Perfdata_3e0.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]
"Creative MediaSource Go"="E:\Programmi\Creative\MediaSource5\Go\CTCMSGoU.exe" [2005-12-12 09:36 143360]
"Skype"="E:\Programmi\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51 202024]
"AlcoholAutomount"="E:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 08:23 221568]
"ASUS SmartDoctor"="E:\Programmi\ASUS\SmartDoctor\SmartDoctor.exe" [2007-10-01 21:58 1126400]
"Yahoo! Pager"="E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpybotSD TeaTimer"="E:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 E:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Ai Remote Help"="E:\Program Files\ASUS\AI Remote\AiRc.exe" [2007-01-19 14:24 3347456]
"JMB36X IDE Setup"="E:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44 36864]
"36X Raid Configurer"="E:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 10:05 1953792]
"VolPanel"="E:\Programmi\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 14:11 122880]
"AudioDrvEmulator"="E:\Programmi\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
"CTHelper"="CTHELPER.EXE" [2006-05-24 05:20 17920 E:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 05:20 18944 E:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="E:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Ai Nap"="E:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-01-11 23:39 1423360]
"SunJavaUpdateSched"="E:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RemoteControl"="E:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="E:\Programmi\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09 49152]
"NeroFilterCheck"="E:\Programmi\File comuni\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="E:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]
"UnlockerAssistant"="E:\Programmi\Unlocker\UnlockerAssistant.exe" [2006-09-07 18:19 15872]
"QuickTime Task"="E:\Programmi\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:39 15360]

E:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Media Key.lnk - E:\Programmi\Media Key\MagicKey.exe [2008-01-10 10:08:25 159744]
ScreenDUO.lnk - E:\Programmi\ASUS\ScreenDUO\AsG_Manager.exe [2008-01-10 10:01:41 73728]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\WINDOWS\\system32\\sessmgr.exe"=
"E:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"E:\\Programmi\\Yahoo!\\Messenger\\YServer.exe"=
"E:\\Programmi\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"E:\\Programmi\\Skype\\Phone\\Skype.exe"=

R1 DHAHELPER;DHAHELPER;E:\WINDOWS\system32\drivers\dhahelper.sys [2005-03-05 15:35]
R1 kbfilter;Keyboard Filter Driver;E:\WINDOWS\system32\drivers\kbfilter.sys [2002-07-11 12:00]
R1 UsbFltr;WayTechUSBFilterDriver;E:\WINDOWS\system32\drivers\UsbFltr.sys [2003-12-29 18:27]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;E:\WINDOWS\system32\drivers\asusgsb.sys [2007-08-28 10:58]
R3 ha20x2k;Creative 20X HAL Driver;E:\WINDOWS\system32\drivers\ha20x2k.sys [2006-05-24 04:40]
R3 Video3D;ASUS Video3D Service;E:\WINDOWS\system32\Drivers\Video3D32.sys [2007-08-28 10:58]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"E:\Programmi\File comuni\LightScribe\LSRunOnce.exe"
.
Contenuto della cartella 'Scheduled Tasks'
"2008-03-26 18:46:39 E:\WINDOWS\Tasks\User_Feed_Synchronization-{FCB39023-4FC9-4F90-ACC9-6275215F4F4E}.job"
- E:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 12:31:57
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: E:\WINDOWS\explorer.exe
-> E:\Programmi\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
E:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
E:\Programmi\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\ATKKBService.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Programmi\File comuni\LightScribe\LSSrvc.exe
E:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Programmi\CyberLink\Shared files\RichVideo.exe
E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
E:\Programmi\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\ASUS\AI Remote\AiRemote.exe
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
E:\Programmi\Media Key\OSD.EXE
E:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\LaunchApplication\AsG_LaunchApplication.exe
E:\Programmi\Asus\ScreenDUO\Gadgets\Time\AsG_Time.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\VolumeControl\AsG_VolumeControl.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\HardwareMonitoring\AsG_HardwareMonitor.exe
E:\Programmi\ASUS\AASP\1.00.25\aaCenter.exe
E:\Programmi\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Ora fine scansione: 2008-03-27 12:33:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 11:33:35
ComboFix2.txt 2008-03-27 10:52:30
ComboFix3.txt 2008-03-26 17:13:10
starlightnightly
Utente Junior
 
Post: 26
Iscritto il: 15/12/07 16:40

Re: Cavallo di Troia Win32:VB-EIJ[trj]

Postdi Luke57 » 27/03/08 13:00

Ciao, adesso nel file CFScript.txt, ci inserisci questo codice e ripeti l'operazione di trascinamento:


file::
E:\WINDOWS\system32\drivers\wmikvgsagcjo.sys
E:\WINDOWS\system32\drivers\rmombwijlwas.sys
E:\WINDOWS\system32\inavdsoy.ini
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Cavallo di Troia Win32:VB-EIJ[trj]

Postdi starlightnightly » 27/03/08 15:28

Ciao il nuovo log è:

ComboFix 08-03-25.4 - Domenico 2008-03-27 15.11.59.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.1495 [GMT 1:00]
Eseguito da: E:\Diagnosi_Virtumonde\ComboFix.exe
Command switches used :: E:\Documents and Settings\Domenico\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
E:\WINDOWS\system32\drivers\rmombwijlwas.sys
E:\WINDOWS\system32\drivers\wmikvgsagcjo.sys
E:\WINDOWS\system32\inavdsoy.ini
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\system32\drivers\rmombwijlwas.sys
E:\WINDOWS\system32\drivers\wmikvgsagcjo.sys
E:\WINDOWS\system32\inavdsoy.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_rmombwijlwas
-------\Legacy_wmikvgsagcjo
-------\rmombwijlwas
-------\wmikvgsagcjo


((((((((((((((((((((((((( Files Creati Da 2008-02-27 al 2008-03-27 )))))))))))))))))))))))))))))))))))
.

2008-03-26 20:23 . 2008-03-26 20:23 <DIR> d-------- E:\Documents and Settings\Domenico\Dati applicazioni\FileZilla
2008-03-26 19:36 . 2007-12-04 14:04 837,496 --a------ E:\WINDOWS\system32\aswBoot.exe
2008-03-26 19:36 . 2004-01-09 10:13 380,928 --a------ E:\WINDOWS\system32\actskin4.ocx
2008-03-26 19:36 . 2007-12-04 13:54 95,608 --a------ E:\WINDOWS\system32\AvastSS.scr
2008-03-26 19:36 . 2007-12-04 15:55 94,544 --a------ E:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-26 19:36 . 2007-12-04 15:56 93,264 --a------ E:\WINDOWS\system32\drivers\aswmon.sys
2008-03-26 19:36 . 2007-12-04 15:51 42,912 --a------ E:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-26 19:36 . 2007-12-04 15:49 26,624 --a------ E:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-26 19:36 . 2007-12-04 15:53 23,152 --a------ E:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-26 16:31 . 2008-03-27 12:34 <DIR> d-------- E:\Diagnosi_Virtumonde
2008-03-25 16:57 . 2008-03-25 16:57 <DIR> d-------- E:\download_leechget
2008-03-24 13:19 . 2008-03-24 13:19 <DIR> d-------- E:\Programmi\CCleaner
2008-03-23 18:42 . 2008-03-23 19:52 <DIR> d-------- E:\Programmi\Enigma Software Group
2008-03-23 13:38 . 2008-03-25 17:52 1,237 --a------ E:\WINDOWS\wininit.ini
2008-03-23 11:01 . 2008-03-23 11:01 <DIR> d-------- E:\Documents and Settings\Domenico\Dati applicazioni\InstallShield Installation Information
2008-03-23 10:55 . 2008-03-23 10:55 <DIR> d-------- E:\Programmi\Unreal Tournament 3
2008-03-23 10:55 . 2007-05-16 16:45 3,497,832 --a------ E:\WINDOWS\system32\d3dx9_34.dll
2008-03-23 10:55 . 2007-05-16 16:45 1,124,720 --a------ E:\WINDOWS\system32\D3DCompiler_34.dll
2008-03-23 10:55 . 2007-05-16 16:45 443,752 --a------ E:\WINDOWS\system32\d3dx10_34.dll
2008-03-23 10:54 . 2008-03-23 10:54 <DIR> d----c--- E:\WINDOWS\system32\DRVSTORE
2008-03-23 10:54 . 2008-03-23 10:54 <DIR> d-------- E:\WINDOWS\system32\AGEIA
2008-03-23 10:54 . 2008-03-23 10:54 <DIR> d-------- E:\Programmi\AGEIA Technologies
2008-02-29 09:54 . 2008-02-29 09:54 <DIR> dr-h----- E:\Documents and Settings\Domenico\Dati applicazioni\SecuROM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 14:11 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\Skype
2008-03-27 10:33 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\skypePM
2008-03-26 15:27 --------- d-----w E:\Programmi\AntiRootkit
2008-03-23 16:42 --------- d-----w E:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-03-23 16:33 196,608 ----a-w E:\WINDOWS\system32\drivers\nVivid.bin
2008-03-23 16:32 --------- d-----w E:\Programmi\DivX
2008-03-23 16:27 --------- d-----w E:\Programmi\AudioStreamer Pro
2008-03-23 15:41 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\OpenOffice.org2
2008-03-23 10:04 --------- d-----w E:\Programmi\Java
2008-03-23 09:54 --------- d-----w E:\Programmi\File comuni\Wise Installation Wizard
2008-02-29 06:53 --------- d--h--w E:\Programmi\InstallShield Installation Information
2008-02-27 17:38 --------- d-----w E:\Programmi\GameShadow
2008-02-20 19:13 --------- d-----w E:\Documents and Settings\Domenico\Dati applicazioni\Microsoft Games
2008-02-20 16:54 --------- d-----w E:\Programmi\Mozilla Thunderbird
2008-02-19 12:10 --------- d-----w E:\Documents and Settings\All Users\Dati applicazioni\Yahoo!
2008-02-19 12:09 --------- d-----w E:\Programmi\Yahoo!
2008-02-07 06:53 --------- d-----w E:\Programmi\Spybot - Search & Destroy
2008-02-07 06:46 691,545 ----a-w E:\WINDOWS\unins000.exe
2008-01-10 10:42 32 ----a-w E:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
2006-06-23 06:48 32,768 ----a-r E:\WINDOWS\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-27_11.52.17,78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-27 14:10:52 16,384 ----atw E:\WINDOWS\TEMP\Perflib_Perfdata_3dc.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]
"Creative MediaSource Go"="E:\Programmi\Creative\MediaSource5\Go\CTCMSGoU.exe" [2005-12-12 09:36 143360]
"Skype"="E:\Programmi\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="E:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe" [2007-08-03 12:51 202024]
"AlcoholAutomount"="E:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 08:23 221568]
"ASUS SmartDoctor"="E:\Programmi\ASUS\SmartDoctor\SmartDoctor.exe" [2007-10-01 21:58 1126400]
"Yahoo! Pager"="E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpybotSD TeaTimer"="E:\Programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 E:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"Ai Remote Help"="E:\Program Files\ASUS\AI Remote\AiRc.exe" [2007-01-19 14:24 3347456]
"JMB36X IDE Setup"="E:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44 36864]
"36X Raid Configurer"="E:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-16 10:05 1953792]
"VolPanel"="E:\Programmi\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 14:11 122880]
"AudioDrvEmulator"="E:\Programmi\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07 49152]
"CTHelper"="CTHELPER.EXE" [2006-05-24 05:20 17920 E:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 05:20 18944 E:\WINDOWS\system32\CTXFIHLP.EXE]
"UpdReg"="E:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Ai Nap"="E:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-01-11 23:39 1423360]
"SunJavaUpdateSched"="E:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RemoteControl"="E:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="E:\Programmi\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 11:09 49152]
"NeroFilterCheck"="E:\Programmi\File comuni\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"NBKeyScan"="E:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]
"UnlockerAssistant"="E:\Programmi\Unlocker\UnlockerAssistant.exe" [2006-09-07 18:19 15872]
"QuickTime Task"="E:\Programmi\QuickTime\QTTask.exe" [2007-10-19 20:16 286720]
"avast!"="E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:39 15360]

E:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Media Key.lnk - E:\Programmi\Media Key\MagicKey.exe [2008-01-10 10:08:25 159744]
ScreenDUO.lnk - E:\Programmi\ASUS\ScreenDUO\AsG_Manager.exe [2008-01-10 10:01:41 73728]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\WINDOWS\\system32\\sessmgr.exe"=
"E:\\Programmi\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"E:\\Programmi\\Yahoo!\\Messenger\\YServer.exe"=
"E:\\Programmi\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"E:\\Programmi\\Skype\\Phone\\Skype.exe"=

R1 DHAHELPER;DHAHELPER;E:\WINDOWS\system32\drivers\dhahelper.sys [2005-03-05 15:35]
R1 kbfilter;Keyboard Filter Driver;E:\WINDOWS\system32\drivers\kbfilter.sys [2002-07-11 12:00]
R1 UsbFltr;WayTechUSBFilterDriver;E:\WINDOWS\system32\drivers\UsbFltr.sys [2003-12-29 18:27]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;E:\WINDOWS\system32\drivers\asusgsb.sys [2007-08-28 10:58]
R3 ha20x2k;Creative 20X HAL Driver;E:\WINDOWS\system32\drivers\ha20x2k.sys [2006-05-24 04:40]
R3 Video3D;ASUS Video3D Service;E:\WINDOWS\system32\Drivers\Video3D32.sys [2007-08-28 10:58]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"E:\Programmi\File comuni\LightScribe\LSRunOnce.exe"
.
Contenuto della cartella 'Scheduled Tasks'
"2008-03-26 18:46:39 E:\WINDOWS\Tasks\User_Feed_Synchronization-{FCB39023-4FC9-4F90-ACC9-6275215F4F4E}.job"
- E:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 15:15:12
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: E:\WINDOWS\explorer.exe
-> E:\Programmi\Unlocker\UnlockerHook.dll
.
------------------------ Other Running Processes ------------------------
.
E:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
E:\Programmi\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\ATKKBService.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\Programmi\File comuni\LightScribe\LSSrvc.exe
E:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Programmi\CyberLink\Shared files\RichVideo.exe
E:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
E:\Programmi\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\ASUS\AI Remote\AiRemote.exe
E:\Programmi\Media Key\OSD.EXE
E:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
E:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\LaunchApplication\AsG_LaunchApplication.exe
E:\Programmi\Asus\ScreenDUO\Gadgets\Time\AsG_Time.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\VolumeControl\AsG_VolumeControl.exe
E:\Programmi\ASUS\ScreenDUO\Gadgets\HardwareMonitoring\AsG_HardwareMonitor.exe
E:\Programmi\ASUS\AASP\1.00.25\aaCenter.exe
E:\Programmi\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Ora fine scansione: 2008-03-27 15:16:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 14:16:50
ComboFix2.txt 2008-03-27 11:33:38
ComboFix3.txt 2008-03-27 10:52:30
ComboFix4.txt 2008-03-26 17:13:10
starlightnightly
Utente Junior
 
Post: 26
Iscritto il: 15/12/07 16:40

Re: Cavallo di Troia Win32:VB-EIJ[trj]

Postdi Luke57 » 27/03/08 15:33

Ciao, sembra tutto a posto, adesso come va?
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Cavallo di Troia Win32:VB-EIJ[trj]

Postdi starlightnightly » 27/03/08 17:55

Ciao

Spybot non rileva niente
Panda AntiRootKit non rileva niente
il log di Hijackthis sembra normale senza nessun file strano

ma ogni volta che faccio la scansione della partizione di windows xp
da windows vista, avast trova sempre il cavallo di troia nel file pagefile.sys.
Anche se io lo cancello quando ritorno in windows xp e poi esco e vado in vista
ritrovo sempre Win32:VB-EIJ[trj] nel file.

Che facciamo adesso?
starlightnightly
Utente Junior
 
Post: 26
Iscritto il: 15/12/07 16:40

Re: Cavallo di Troia Win32:VB-EIJ[trj]

Postdi Luke57 » 28/03/08 08:42

Ciao, il report di combofix adesso è pulito, potrebbe essere anche un falso positivo, avast non è immune da queste segnalazioni. Fai uno scan on line con kaspersky. trovi qui le istruzioni dettagliate:
http://forum.wininizio.it/index.php?showtopic=36981&hl
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Cavallo di Troia Win32:VB-EIJ[trj]

Postdi starlightnightly » 28/03/08 19:20

Ciao

Ho fatto la scansione con Kaspersky e non ha trovato niente nella partizione di windows xp.

Con Avast il virus si e traformato da Cavallo di Troia a

Malware Win32:Trat-D[drp]

Molto probabilmente è come dici tu un falso positivo.
Il Sistema Operativo win xp funziona e va bene.
Ho fatto anche una scansione con
Avast Cleaner e SuperAntiSpyware e non hanno trovato niente.
starlightnightly
Utente Junior
 
Post: 26
Iscritto il: 15/12/07 16:40


Torna a Sicurezza e Privacy


Topic correlati a "Cavallo di Troia Win32:VB-EIJ[trj]":

trojan win32/sirefef
Autore: marzianu
Forum: Sicurezza e Privacy
Risposte: 27
win32/sinowal.gen!y
Autore: diego78
Forum: Sicurezza e Privacy
Risposte: 15

Chi c’è in linea

Visitano il forum: Nessuno e 3 ospiti

cron