
probable trojan ddznab.exe

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

probable trojan ddznab.exe

Post by mymonix » 27/04/08 09:32

Good morning everyone.
I ran a scan with HijackThis and the online analysis flags this process as dangerous (probable trojan):
C:\DOCUME~1\Client\IMPOST~1\Temp\ddznab.exe
Is there anyone who can check my log and tell me what I can do???
Thanks to everyone for the help

Logfile of HijackThis v1.99.1
Scan saved at 10.31.03, on 27/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\TuneUp Utilities 2004\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
c:\mexal\prog\mxserver.exe
C:\Programmi\Microsoft SQL Server\MSSQL$ACCA_MSDE\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\DOCUME~1\Client\IMPOST~1\Temp\ddznab.exe
C:\windows\system32\services.exe
C:\Programmi\QuickTime\QTTask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\Client\IMPOST~1\Temp\Rar$EX00.469\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DIALux 3.1 ULDBrowserHelper Class - {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} - C:\Programmi\DIALux\DLXShellExtension.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Programmi\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar4.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programmi\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ddznab.exe] C:\DOCUME~1\Client\IMPOST~1\Temp\ddznab.exe
O4 - HKLM\..\Run: [svctnegz] "c:\windows\system32\svctnegz.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: Service Manager.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6E2991C-975C-40E1-B899-02CFC402227C}: NameServer = 212.17.192.217,212.17.195.45
O18 - Protocol: dialux - {8352FA4C-39C6-11D3-ADBA-00A0244FB1A2} - C:\Programmi\DIALux\DLXToolBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmi\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: MexalServer - Passepartout s.a. - c:\mexal\prog\mxserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programmi\TuneUp Utilities 2004\WinStylerThemeSvc.exe
mymonix
Junior Member
Posts: 68
Joined: 27/05/06 14:26


Re: probable trojan ddznab.exe

Post by Luke57 » 27/04/08 10:37

Hi, open HijackThis, click "open the misc tools section", then "open process manager", find and tick the following process, if present:
C:\DOCUME~1\Client\IMPOST~1\Temp\ddznab.exe
select it and click kill process.
Go back to the main menu with "back", click "scan", find and tick the following entries:
O4 - HKLM\..\Run: [ddznab.exe] C:\DOCUME~1\Client\IMPOST~1\Temp\ddznab.exe
O4 - HKLM\..\Run: [svctnegz] "c:\windows\system32\svctnegz.exe"
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

click fix checked.

download ATFCleaner to the desktop
http://www.atribune.org/ccount/click.php?id=1

Reboot into safe mode (immediately after the BIOS finishes loading, start pressing the F8 key on the keyboard repeatedly. Keep doing so until the Windows Advanced Options menu appears. If you start pressing F8 too early, some computers display a "keyboard error" message. To resolve it, restart the computer and try again.
Using the arrow keys on the keyboard, scroll through the options and select the Safe Mode entry, then press Enter)

From My Computer > Tools > Folder Options > View, tick "show hidden files and folders" > OK
Find and delete the following files and folders:
C:\DOCUME~1\Client\IMPOST~1\Temp\ddznab.exe
c:\windows\system32\svctnegz.exe

Launch ATFCleaner.exe with a double click
- click the Main menu
- tick the Select All box
- click the Empty Selected button
- wait for the Done Cleaning notice.
(if you don't want to delete your passwords, untick that box)
(if you use Opera or Firefox, tick their sections too)

Reboot into normal mode.
Then download ComboFix to the desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disconnect from the internet

Run the ComboFix.exe file
Type 1 to start the tool (do nothing else during the scan; if the desktop icons disappear, that is normal)
Follow the instructions; at the end a log will be generated.
Reconnect and post the report (C:\combofix.txt)
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Re: probable trojan ddznab.exe

Post by mymonix » 01/05/08 10:18

Thanks Luke,
I followed the whole procedure, but I was unable to delete c:\windows\system32\svctnegz.exe ...... this is the ComboFix report:

ComboFix 08-04-29.5 - Client 2008-05-01 11:01:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.667 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Client\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\Programmi\TuneUp Utilities 2004\WinStylerThemeHelper.dll


((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Client\ravmonlog
C:\Programmi\FunWebProducts
C:\Programmi\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Programmi\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Programmi\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Programmi\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Programmi\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Programmi\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Programmi\MyWebSearch
C:\Programmi\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Programmi\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Programmi\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Programmi\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Programmi\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Programmi\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Programmi\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Programmi\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Programmi\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Programmi\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Programmi\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Programmi\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Programmi\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Programmi\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Programmi\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Programmi\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Programmi\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Programmi\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Programmi\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Programmi\MyWebSearch\bar\Cache\01300400
C:\Programmi\MyWebSearch\bar\Cache\014EA2A0.bin
C:\Programmi\MyWebSearch\bar\Cache\014EA5CC.bin
C:\Programmi\MyWebSearch\bar\Cache\014EA734.bin
C:\Programmi\MyWebSearch\bar\Cache\014EEBBF.bin
C:\Programmi\MyWebSearch\bar\Cache\014EECF7.bin
C:\Programmi\MyWebSearch\bar\Cache\014EEE5E.bin
C:\Programmi\MyWebSearch\bar\Cache\014EF004.bin
C:\Programmi\MyWebSearch\bar\Cache\01719816.bin
C:\Programmi\MyWebSearch\bar\Cache\023770C5.bin
C:\Programmi\MyWebSearch\bar\Cache\02377384.bin
C:\Programmi\MyWebSearch\bar\Cache\02377539.bin
C:\Programmi\MyWebSearch\bar\Cache\files.ini
C:\Programmi\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Programmi\MyWebSearch\bar\Game\CHESS.F3S
C:\Programmi\MyWebSearch\bar\Game\REVERSI.F3S
C:\Programmi\MyWebSearch\bar\History\search2
C:\Programmi\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Programmi\MyWebSearch\bar\Settings\s_bfeats.dat
C:\Programmi\MyWebSearch\bar\Settings\s_pid.dat
C:\Programmi\MyWebSearch\bar\Settings\setting2.htm
C:\Programmi\MyWebSearch\bar\Settings\settings.dat
C:\WINDOWS\10.tmp
C:\WINDOWS\12.tmp
C:\WINDOWS\system32\f3PSSavr.scr

.
((((((((((((((((((((((((( Files Creati Da 2008-04-01 al 2008-05-01 )))))))))))))))))))))))))))))))))))
.

Nessun nuovo file creato in questo arco di tempo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 09:01 --------- d-----w C:\Programmi\TuneUp Utilities 2004
2008-04-30 11:32 --------- d-----w C:\Programmi\Rhinoceros 3.0
2008-04-25 09:20 --------- d-----w C:\Programmi\File comuni\Autodesk Shared
2008-04-25 09:20 --------- d-----w C:\Programmi\AutoCAD 2005
2008-04-25 09:11 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-04-07 17:20 --------- d-----w C:\Documents and Settings\Client\Dati applicazioni\Skype
2008-04-05 12:19 --------- d-----w C:\Documents and Settings\Client\Dati applicazioni\skypePM
2008-03-29 10:21 --------- d-----w C:\Documents and Settings\Client\Dati applicazioni\PDFCreator
2008-03-20 08:06 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:01 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-28 09:56 32 ----a-w C:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
2005-08-18 08:18 22,040,920 ----a-w C:\Programmi\iTunesSetup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-30_20.34.30,92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 18:24:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-01 06:08:48 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-01 06:09:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_224.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2006-02-24 13:31 180269]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 09:47 67072 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Programmi\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"ATIPTA"="C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-24 21:10 344064]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" [2004-11-25 00:27 32768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:39 15360]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" [2004-11-25 00:27 32768]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
ATI CATALYST System Tray.lnk - C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe [2004-11-25 00:27:20 32768]
BlueSoleil.lnk - C:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-09-20 11:28:16 1200128]
Service Manager.lnk - C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MyWebSearch Email Plugin"=C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"HP Component Manager"="C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" -atboottime
"SpySweeper"="C:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"MyWebSearch Email Plugin"=C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Internet Explorer\\iexplore.exe"=
"C:\\Programmi\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\MSN Messenger\\livecall.exe"=
"C:\\Programmi\\iTunes\\iTunes.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12222:TCP"= 12222:TCP:NortonAV
"16823:TCP"= 16823:TCP:NortonAV

R2 cpwnt;cpwnt;C:\WINDOWS\system32\drivers\cpwnt.sys [1997-05-30 00:00]
R2 KeyP;KeyP;C:\WINDOWS\system32\DRIVERS\KeyP.sys [1998-03-27 14:48]
R2 MexalServer;MexalServer;c:\mexal\prog\mxserver.exe [2006-12-05 17:41]
R2 MSSQL$ACCA_MSDE;MSSQL$ACCA_MSDE;C:\Programmi\Microsoft SQL Server\MSSQL$ACCA_MSDE\Binn\sqlservr.exe [2002-12-17 17:26]
R3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2005-07-26 15:42]
S2 CPUSB;CPUsb.Sys driver;C:\WINDOWS\system32\Drivers\CPUSB.sys [2002-10-24 04:00]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-06-18 15:19]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]
S3 scsiscan;Driver scanner SCSI;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 21:53]
S3 skeyusb;SmartKey USB;C:\WINDOWS\system32\Drivers\skeyusb.sys [2004-02-11 16:22]
S3 SQLAgent$ACCA_MSDE;SQLAgent$ACCA_MSDE;C:\Programmi\Microsoft SQL Server\MSSQL$ACCA_MSDE\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 07:58]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 08:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b97dcf8-6d9c-11dc-b1ca-0011673ad08e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{965862ec-ca64-11dc-b234-0011673ad08e}]
\Shell\Auto\command - fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

.
Contenuto della cartella 'Scheduled Tasks'
"2007-06-08 15:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Programmi\TuneUp Utilities 2004\SystemOptimizer.exe
"2007-06-05 05:39:44 C:\WINDOWS\Tasks\aadhbyc.job"
mymonix
Junior Member
Posts: 68
Joined: 27/05/06 14:26

Re: probable trojan ddznab.exe

Post by Luke57 » 01/05/08 11:07

Hi, copy this code:

Code:
File::
C:\WINDOWS\Tasks\aadhbyc.job

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MyWebSearch Email Plugin"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MyWebSearch Email Plugin"=-


open a text file (Start > Programs > Accessories > Notepad), paste the code into it, save the text file, making sure to name it CFScript.txt, and drag it with the mouse pointer onto the ComboFix icon for a new scan.

To delete that file, if present, try this:
open HijackThis, with all applications and programs closed, click "open the misc tools section", then "delete a file on reboot....", and in the new window select the file in the tree menu
c:\windows\system32\svctnegz.exe
click the Open button.
agree to restart the computer.
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Re: probable trojan ddznab.exe

Post by mymonix » 02/05/08 16:40

Done!!!

ComboFix 08-04-29.5 - Client 2008-05-02 17:16:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.675 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Client\Documenti\PROCEDURE ANTIVIRUS\ComboFix.exe
Command switches used :: C:\Documents and Settings\Client\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Tasks\aadhbyc.job
.
The following files were disabled during the run:
C:\Programmi\TuneUp Utilities 2004\WinStylerThemeHelper.dll


((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Tasks\aadhbyc.job
.
---- Previous Run -------
.
C:\Documents and Settings\Client\ravmonlog
C:\Programmi\FunWebProducts
C:\Programmi\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Programmi\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Programmi\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Programmi\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Programmi\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Programmi\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Programmi\MyWebSearch
C:\Programmi\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Programmi\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Programmi\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Programmi\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Programmi\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Programmi\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Programmi\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Programmi\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Programmi\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Programmi\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Programmi\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Programmi\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Programmi\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Programmi\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Programmi\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Programmi\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Programmi\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Programmi\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Programmi\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Programmi\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Programmi\MyWebSearch\bar\Cache\01300400
C:\Programmi\MyWebSearch\bar\Cache\014EA2A0.bin
C:\Programmi\MyWebSearch\bar\Cache\014EA5CC.bin
C:\Programmi\MyWebSearch\bar\Cache\014EA734.bin
C:\Programmi\MyWebSearch\bar\Cache\014EEBBF.bin
C:\Programmi\MyWebSearch\bar\Cache\014EECF7.bin
C:\Programmi\MyWebSearch\bar\Cache\014EEE5E.bin
C:\Programmi\MyWebSearch\bar\Cache\014EF004.bin
C:\Programmi\MyWebSearch\bar\Cache\01719816.bin
C:\Programmi\MyWebSearch\bar\Cache\023770C5.bin
C:\Programmi\MyWebSearch\bar\Cache\02377384.bin
C:\Programmi\MyWebSearch\bar\Cache\02377539.bin
C:\Programmi\MyWebSearch\bar\Cache\files.ini
C:\Programmi\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Programmi\MyWebSearch\bar\Game\CHESS.F3S
C:\Programmi\MyWebSearch\bar\Game\REVERSI.F3S
C:\Programmi\MyWebSearch\bar\History\search2
C:\Programmi\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Programmi\MyWebSearch\bar\Settings\s_bfeats.dat
C:\Programmi\MyWebSearch\bar\Settings\s_pid.dat
C:\Programmi\MyWebSearch\bar\Settings\setting2.htm
C:\Programmi\MyWebSearch\bar\Settings\settings.dat
C:\WINDOWS\10.tmp
C:\WINDOWS\12.tmp
C:\WINDOWS\system32\f3PSSavr.scr

.
((((((((((((((((((((((((( Files Creati Da 2008-04-02 al 2008-05-02 )))))))))))))))))))))))))))))))))))
.

Nessun nuovo file creato in questo arco di tempo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 15:15 --------- d-----w C:\Programmi\TuneUp Utilities 2004
2008-04-30 11:32 --------- d-----w C:\Programmi\Rhinoceros 3.0
2008-04-25 09:20 --------- d-----w C:\Programmi\File comuni\Autodesk Shared
2008-04-25 09:20 --------- d-----w C:\Programmi\AutoCAD 2005
2008-04-25 09:11 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-04-07 17:20 --------- d-----w C:\Documents and Settings\Client\Dati applicazioni\Skype
2008-04-05 12:19 --------- d-----w C:\Documents and Settings\Client\Dati applicazioni\skypePM
2008-03-29 10:21 --------- d-----w C:\Documents and Settings\Client\Dati applicazioni\PDFCreator
2008-03-20 08:06 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:01 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-28 09:56 32 ----a-w C:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
2005-08-18 08:18 22,040,920 ----a-w C:\Programmi\iTunesSetup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-30_20.34.30,92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 18:24:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 15:08:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 15:09:04 16,384 ------w C:\WINDOWS\Temp\Perflib_Perfdata_104.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2006-02-24 13:31 180269]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 09:47 67072 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Programmi\QuickTime\QTTask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"ATIPTA"="C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-24 21:10 344064]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" [2004-11-25 00:27 32768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-20 00:39 15360]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" [2004-11-25 00:27 32768]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
ATI CATALYST System Tray.lnk - C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe [2004-11-25 00:27:20 32768]
BlueSoleil.lnk - C:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe [2005-09-20 11:28:16 1200128]
Service Manager.lnk - C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Google Desktop Search"="C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"HP Component Manager"="C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" -atboottime
"SpySweeper"="C:\Programmi\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Internet Explorer\\iexplore.exe"=
"C:\\Programmi\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\MSN Messenger\\livecall.exe"=
"C:\\Programmi\\iTunes\\iTunes.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12222:TCP"= 12222:TCP:NortonAV
"16823:TCP"= 16823:TCP:NortonAV

R2 cpwnt;cpwnt;C:\WINDOWS\system32\drivers\cpwnt.sys [1997-05-30 00:00]
R2 KeyP;KeyP;C:\WINDOWS\system32\DRIVERS\KeyP.sys [1998-03-27 14:48]
R2 MexalServer;MexalServer;c:\mexal\prog\mxserver.exe [2006-12-05 17:41]
R2 MSSQL$ACCA_MSDE;MSSQL$ACCA_MSDE;C:\Programmi\Microsoft SQL Server\MSSQL$ACCA_MSDE\Binn\sqlservr.exe [2002-12-17 17:26]
R3 eusk3usb;SmartKey 3 USB;C:\WINDOWS\system32\Drivers\eusk3usb.sys [2005-07-26 15:42]
S2 CPUSB;CPUsb.Sys driver;C:\WINDOWS\system32\Drivers\CPUSB.sys [2002-10-24 04:00]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-06-18 15:19]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 19:33]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]
S3 scsiscan;Driver scanner SCSI;C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2001-08-17 21:53]
S3 skeyusb;SmartKey USB;C:\WINDOWS\system32\Drivers\skeyusb.sys [2004-02-11 16:22]
S3 SQLAgent$ACCA_MSDE;SQLAgent$ACCA_MSDE;C:\Programmi\Microsoft SQL Server\MSSQL$ACCA_MSDE\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 07:58]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 08:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3b97dcf8-6d9c-11dc-b1ca-0011673ad08e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{965862ec-ca64-11dc-b234-0011673ad08e}]
\Shell\Auto\command - fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

.
Contenuto della cartella 'Scheduled Tasks'
"2007-06-08 15:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Programmi\TuneUp Utilities 2004\SystemOptimizer.exe
"2007-12-18 08:29:22 C:\WINDOWS\Tasks\adgcm.job"
- c:\windows\system32\svctnegz.exe
"2008-03-04 06:17:32 C:\WINDOWS\Tasks\ahzblno.job"
- c:\windows\system32\svctnegz.exe
"2007-10-23 12:17:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
"2008-03-03 06:50:33 C:\WINDOWS\Tasks\aql.job"
- c:\windows\system32\svctnegz.exe
"2007-07-10 16:44:21 C:\WINDOWS\Tasks\aqvut.job"
- c:\windows\system32\svctnegz.exe
"2007-09-26 05:07:32 C:\WINDOWS\Tasks\aromkef.job"
mymonix
Junior Member
Posts: 68
Joined: 27/05/06 14:26

Re: probable trojan ddznab.exe

Post by Luke57 » 03/05/08 10:31

Hi, repeat the operation with the text file once more, but replace the previous text with this code:

Code:
File::
C:\WINDOWS\Tasks\adgcm.job
C:\WINDOWS\Tasks\ahzblno.job
C:\WINDOWS\Tasks\aql.job
C:\WINDOWS\Tasks\aqvut.job
C:\WINDOWS\Tasks\aromkef.job
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10
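The triage the moderator does by eye in this thread (an autorun launched from the user's Temp folder, a Winlogon Notify entry with no DLL name, and several randomly named scheduled tasks that all point at svctnegz.exe) can be written down as checks over the log text. The Python script below is an added example, not part of this thread or of HijackThis/ComboFix; the sample lines are copied from the logs posted above, and the heuristics and function names are the editor's own.

```python
"""Triage helper for HijackThis / ComboFix log excerpts.

Added example, not part of the thread or of either tool. Three heuristics
taken from the logs above: autoruns that execute from a Temp folder, a
Winlogon Notify entry naming a directory instead of a DLL, and several
differently named scheduled tasks that all launch the same binary.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log in the first post.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ddznab.exe] C:\DOCUME~1\Client\IMPOST~1\Temp\ddznab.exe
O4 - HKLM\..\Run: [svctnegz] "c:\windows\system32\svctnegz.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

# Constructed sample: the 'Scheduled Tasks' section of the second ComboFix log.
COMBOFIX_TASKS_SAMPLE = r"""
"2007-06-08 15:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Programmi\TuneUp Utilities 2004\SystemOptimizer.exe
"2007-12-18 08:29:22 C:\WINDOWS\Tasks\adgcm.job"
- c:\windows\system32\svctnegz.exe
"2008-03-04 06:17:32 C:\WINDOWS\Tasks\ahzblno.job"
- c:\windows\system32\svctnegz.exe
"2007-10-23 12:17:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
"2008-03-03 06:50:33 C:\WINDOWS\Tasks\aql.job"
- c:\windows\system32\svctnegz.exe
"""

O4_RE = re.compile(r'^O4 - .*?: \[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
TASK_RE = re.compile(r'^"(?P<stamp>\S+ \S+) (?P<job>.+\.job)"$')


def image_path(cmd):
    """Return the executable path from an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted: the image ends at the first '.exe' followed by a space or EOL.
    m = re.match(r'(?i)(.+?\.exe)(\s|$)', cmd)
    return m.group(1) if m else cmd.split()[0]


def triage_hjt(text):
    """Return [(line, reason)] for HijackThis lines that match a heuristic."""
    hits = []
    for line in text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            if re.search(r'\\temp\\', image_path(m.group('cmd')), re.IGNORECASE):
                hits.append((line, 'autorun executes from a Temp directory'))
            continue
        m = O20_RE.match(line)
        if m and m.group('path').endswith('\\'):
            hits.append((line, 'Winlogon Notify entry names a directory, not a DLL'))
            continue
        if line.startswith('O2 - ') and line.endswith('(no file)'):
            hits.append((line, 'orphaned BHO registration (no file on disk)'))
    return hits


def triage_tasks(text, min_tasks=2):
    """Return {target: [job names]} for binaries launched by at least
    min_tasks differently named .job files (each job line is followed by
    a '- target' line in ComboFix output)."""
    by_target = defaultdict(list)
    lines = text.strip().splitlines()
    for i, line in enumerate(lines):
        m = TASK_RE.match(line)
        if m and i + 1 < len(lines) and lines[i + 1].startswith('- '):
            target = lines[i + 1][2:].strip().lower()
            by_target[target].append(m.group('job').rsplit('\\', 1)[-1])
    return {t: jobs for t, jobs in by_target.items() if len(jobs) >= min_tasks}


def shared_persistence(hjt_text, tasks_text):
    """Binaries present both as a Run-key autorun and as a scheduled-task target."""
    run_images = {image_path(m.group('cmd')).lower()
                  for m in map(O4_RE.match, hjt_text.strip().splitlines()) if m}
    task_targets = {line[2:].strip().lower()
                    for line in tasks_text.strip().splitlines() if line.startswith('- ')}
    return sorted(run_images & task_targets)


if __name__ == '__main__':
    for line, reason in triage_hjt(HJT_SAMPLE):
        print(f'{reason}: {line}')
    for target, jobs in triage_tasks(COMBOFIX_TASKS_SAMPLE).items():
        print(f'{len(jobs)} tasks launch {target}: {", ".join(jobs)}')
    print('in Run key and in scheduled tasks:',
          shared_persistence(HJT_SAMPLE, COMBOFIX_TASKS_SAMPLE))
```

Run against the full logs, the same functions would also surface the legitimate TuneUp and Apple tasks as single-job entries, which is why `triage_tasks` only reports targets shared by two or more jobs.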

