Valutazione 4.87/ 5 (100.00%) 5838 voti

Condividi:        

Aiuto: Trojan horse Pakes.AK

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: kadosh, Luke57

Aiuto: Trojan horse Pakes.AK

Postdi PGSimo » 12/07/08 11:17

Buongiorno a tutti..
vi chiedo aiuto per la risoluzione del seguente problema:

---------
Threat Detected
While Opening File: C:\WINDOWS\Temp\loader.exe
Trojan horse Pakes.AK
---------

Nulla lo estirpa dal PC.
Ricompare non appena cancellato.

Vi ringrazio fin d'ora per l'attenzione.. ;-)

Ecco il log di Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.05.51, on 12/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\svchost.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Impostazioni locali\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programmi\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programmi\FlashGet\getflash.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
O8 - Extra context menu item: &Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programmi\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programmi\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{26CFD432-75B8-44D4-8BF3-F9D8AE54676F}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{26CFD432-75B8-44D4-8BF3-F9D8AE54676F}: NameServer = 151.99.125.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{26CFD432-75B8-44D4-8BF3-F9D8AE54676F}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS3\Services\Tcpip\..\{26CFD432-75B8-44D4-8BF3-F9D8AE54676F}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ClipBook ClipSrvWmiApSrv (ClipSrvWmiApSrv) - Unknown owner - C:\WINDOWS\system32\aaaamong.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe

--
End of file - 7554 bytes
PGSimo
Newbie
 
Post: 2
Iscritto il: 12/07/08 10:53

Sponsor
 

Re: Aiuto: Trojan horse Pakes.AK

Postdi Luke57 » 12/07/08 14:04

Ciao, scarica combofix da qui:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Per eseguirlo,doppio click su Combofix.exe
Si aprirà una finestra blu....Attendere....
Dopo qualche attimo apparirà l'avviso che declina l'autore da ogni problema legato ad una errata utilizzazione del tool.
A questo punto selezionate 1 quindi ENTER per lanciare lo scan..
Attendere.....
Un avviso vi segnalerà la fine dell'operazione e dopo qualche attimo apparirà il log con i dettagli dello scan.
IL log verrà memorizzato in C:\Combofix.txt
Allegalo a un post
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: Aiuto: Trojan horse Pakes.AK

Postdi PGSimo » 15/07/08 10:14

Ecco il report di Combofix..

-----------------------------------


ComboFix 08-07-14.2 - Administrator 2008-07-15 11:04:46.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.630 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\aaaamong.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLIPSRVWMIAPSRV
-------\Service_ClipSrvWmiApSrv


((((((((((((((((((((((((( Files Creati Da 2008-06-15 al 2008-07-15 )))))))))))))))))))))))))))))))))))
.

2008-07-12 10:46 . 2008-07-15 10:29 <DIR> d-------- C:\Programmi\Spybot - Search & Destroy
2008-07-12 10:46 . 2008-07-15 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-07-12 10:27 . 2008-07-12 10:27 <DIR> d-------- C:\Programmi\Lavasoft
2008-07-12 10:27 . 2008-07-12 10:27 <DIR> d-------- C:\Programmi\File comuni\Wise Installation Wizard
2008-07-12 10:27 . 2008-07-12 10:27 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-07-12 10:17 . 2008-07-15 10:44 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Avira
2008-07-02 17:26 . 2008-07-02 17:26 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Intenium
2008-07-01 19:14 . 2008-07-01 19:14 <DIR> d-------- C:\users
2008-07-01 19:14 . 2008-07-07 15:37 <DIR> d-------- C:\Programmi\RealArcade
2008-06-30 18:29 . 2008-07-10 11:45 110 --a-s---- C:\WINDOWS\system32\4077535987.dat
2008-06-28 11:46 . 2004-08-19 15:39 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-06-28 11:46 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-06-28 11:46 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-06-28 11:46 . 2001-08-30 23:07 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-06-16 19:43 . 2008-06-17 11:03 <DIR> d-------- C:\Casino

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 08:30 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\avg7
2008-07-15 08:30 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\AVG7
2008-07-07 17:30 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\OpenOffice.org2
2008-07-07 13:36 --------- d-----w C:\Programmi\Google
2008-06-28 09:51 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\gtk-2.0
2008-06-20 17:39 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 15:49 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\U3
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 16:11 --------- d-----w C:\Programmi\Inkscape
2008-06-17 16:15 --------- d-----w C:\Programmi\FlashGet
2008-06-16 17:53 --------- d-----w C:\Programmi\Oberon Media
2008-06-14 17:59 272,768 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 16:55 --------- d-----w C:\Programmi\Alwil Software
2008-06-09 16:39 --------- d---a-w C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-06-09 16:33 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\MumboJumbo
2008-06-09 16:32 --------- d-----w C:\Programmi\File comuni\Oberon Media
2008-05-31 10:30 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Apple Computer
2008-05-19 17:04 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Zylom
2008-05-19 16:52 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\PlayFirst
2008-05-19 16:52 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\PlayFirst
2008-05-19 16:26 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\PlayPond
2008-05-19 15:51 774,144 ----a-w C:\Programmi\RngInterstitial.dll
2008-05-19 15:51 --------- d-----w C:\Programmi\Real
2008-05-19 15:51 --------- d-----w C:\Programmi\File comuni\Real
2008-05-16 16:27 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\vlc
2008-05-16 16:26 --------- d-----w C:\Programmi\Metin2_Italiano
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:14 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-13 09:01 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2008-03-13 09:01 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
2008-03-13 09:01 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 18:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 12:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 13:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2006-03-02 14:00 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 19:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-06-20 12:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 C:\WINDOWS\SoftwareDistribution\Download\957b98bb2f2c79f2c14ff4a90146c2e8\sp2gdr\tcpip.sys
2008-06-20 12:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\SoftwareDistribution\Download\957b98bb2f2c79f2c14ff4a90146c2e8\sp2qfe\tcpip.sys
2008-06-20 13:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\SoftwareDistribution\Download\957b98bb2f2c79f2c14ff4a90146c2e8\sp3gdr\tcpip.sys
2008-06-20 13:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\SoftwareDistribution\Download\957b98bb2f2c79f2c14ff4a90146c2e8\sp3qfe\tcpip.sys
2008-06-20 12:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 12:45 360320 1cc09561e21a48a7f649a40f18235860 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2008-03-02 13:48 185896]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 10:04 580096]
"VTTimer"="VTTimer.exe" [2006-09-21 10:36 53248 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2006-10-09 23:14 176128 C:\WINDOWS\system32\S3Trayp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 11:21 16270848 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-13 17:13 219136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\FlashGet\\flashget.exe"=
"C:\\Programmi\\iTunes\\iTunes.exe"=
"C:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgemc.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 14:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 11:39]
R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-11-15 03:38]
R3 usbstor;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2006-03-02 14:00]
S3 SetupNTGLM7X;SetupNTGLM7X;H:\NTGLM7X.sys []
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df9f3ddf-9e7f-11dc-b5ec-0019db8a1f72}]
\Shell\verb1\command - I:\Thumbs.dn\1.{3aea-1069-a2de-08002b30309d}\Thumbs.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e460e916-323a-11dd-a744-0019db8a1f72}]
\Shell\Auto\command - I:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contenuto della cartella 'Scheduled Tasks'
"2007-12-28 14:00:00 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Programmi\Norton Security Scan\Nss.exe
"2008-06-11 15:37:05 C:\WINDOWS\Tasks\zxwpew.job"
PGSimo
Newbie
 
Post: 2
Iscritto il: 12/07/08 10:53

Re: Aiuto: Trojan horse Pakes.AK

Postdi Luke57 » 15/07/08 11:45

Ciao, copia questo codice:



Codice: Seleziona tutto
File::
C:\WINDOWS\system32\4077535987.dat
C:\WINDOWS\Tasks\zxwpew.job


incollalo in un file di testo (dal blocco note di windows), salva il file di testo nella stessa posizione di combofix con il nome obbligatorio di CFScript.txt trascinalo sull'icona di combofix per una nuova scansione.
Allega l'eventuale nuovo report prodotto.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10


Torna a Sicurezza e Privacy


Topic correlati a "Aiuto: Trojan horse Pakes.AK":


Chi c’è in linea

Visitano il forum: Nessuno e 9 ospiti