Valutazione 4.87/ 5 (100.00%) 5838 voti

Condividi:        

irremovibile trojan M0KSEMYU.EXE

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: kadosh, Luke57

irremovibile trojan M0KSEMYU.EXE

Postdi dado » 22/07/08 22:30

Ciao ragazzi!!
E' un po' che non passo ufficialmente di qua.

Ma mi ripropongo con una "bella" rogna! :aaah

E' ormai quasi una settimana che sto combattendo contro un odiosissimo trojan di cui non conosco il nome ma del quale posso descrivere gli effetti: mi apre delle schermate di Internet Explorer riguardanti diversi siti a tema commerciale (ma tutti comunque abbastanza noti, ad es. c'è il sito dvd.it oppure quello di meridiana.it, nessuna pagina straniera o porno o simile). Come tempistiche di comparsa di questi effetti, variano abbastanza: a volte mi apre 2-3 finestre di IE nel giro di pochi minuti, altre volte (come oggi), passa tutta la giornata e si manifesta solo la sera tardi con una schermatina di IE!

Quello che ho notato è che:
:arrow: compare nella cartella C:\DOCUMENTS AND SETTINGS\UTENTE1\IMPOSTAZIONI LOCALI\TEMP un file composto da una serie alfanumerica (per citarne uno dei tanti, 046EC7JR.EXE);
:arrow: si crea nella cartella C:\WINDOWS\PREFETCH il file M0KSEMYU.EXE-252E549A.pf;
:arrow: si creano nella cartella C:\WINDOWS\SYSTEM32 i file M0KSEMYU.EXE.A_A e M0KSEMYU.EXE;
:arrow: nel registro di sistema compare un valore relativo a questo file M0KSEMYU.EXE.

Quello che ho fatto finora è fare scansioni, sia in modalità normale che provvisoria, con i seguenti programmi e risultati:

:arrow: AD-AWARE 2007: rilevato il trojan e rimosso;
:arrow: SPYBOT - SEARCH & DESTROY: non rilevato nulla;
:arrow: SYMANTEC ANTIVIRUS CE: non rilevato nulla;
:arrow: HIJACKTHIS: rilevato il trojan ma non dà la possibilità di eliminare la voce nel registro;
:arrow: SUPERAntiSpyware Free Edition: rilevato il trojan e rimosso;
:arrow: TROJAN REMOVER: non rilevato nulla.

Inoltre ho pulito il sistema ed il registro con i seguenti programmi:
:arrow: CRAP CLEANER
:arrow: REGCLEANER

Ma nonostante tutto, lo schifoso continua a ricomparire! :evil:

Ormai ogni volta che mi compare una finestra di IE pubblicitaria, so di chi è la colpa e vado nelle cartelle su indicate a fare pulizia, passando subito dopo al registro di sistema da START-ESEGUI-REGEDIT per cercare chiavi con nome M0KSEMYU.ESE e .A_A per eliminarle. Ma evidentemente c'è ancora qualcosa che mi sfugge... :mmmh:

Riuscissi almeno a capire da dove arriva il trojan... come si riforma... :eeh:

Ultima cosa che posso dirvi è che aprendo i file M0KSEMYU.EXE-252E549A.pf e
M0ksEMYu.exe_ , M0ksEMYu.exe.a_a e M0ksEMYu.exe con il blocco note, l'unica cosa che si riesce a distinguere in mezzo ad una serie di caratteri apparentemente senza senso e la seguente lista di file:
KERNEL32.DLL ADVAPI32.dll NETAPI32.dll ole32.dll OLEAUT32.dll SHELL32.dll SHLWAPI.dll USER32.dll WININET.dll

Raga', ora sbizzarritevi e date sfogo alle idee...
Grazie,
dado

House: "Vede, tutti pensano che sia un paziente a causa del bastone"
Wilson: "Allora perchè non indossa un camice bianco come tutti noi?"
House: "Perchè altrimenti pensano che sia un medico".
Avatar utente
dado
Utente Senior
 
Post: 16208
Iscritto il: 21/08/01 01:00
Località: La Città dei Sette Assedi

Sponsor
 

Re: irremovibile trojan M0KSEMYU.EXE

Postdi dado » 22/07/08 22:58

Aggiungo una cosa, che ho dimenticato nel mio messaggio precedente: per poter procedere con l'eliminazione dei file citati nel messaggio precedente, devo prima terminare dal TASK MANAGER il processo M0KSEMYU.EXE.

House: "Vede, tutti pensano che sia un paziente a causa del bastone"
Wilson: "Allora perchè non indossa un camice bianco come tutti noi?"
House: "Perchè altrimenti pensano che sia un medico".
Avatar utente
dado
Utente Senior
 
Post: 16208
Iscritto il: 21/08/01 01:00
Località: La Città dei Sette Assedi

Re: irremovibile trojan M0KSEMYU.EXE

Postdi Luke57 » 23/07/08 09:31

Ciao, scarica combofix da qui sul destop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Poi clicca su start>esegui, nel box bianco copia e incolla questo comando:
"%userprofile%\desktop\combofix.exe" /killall
Premi ok, se tutto va bene parte il programma che potrebbe impiegare molto, non fare altre manovre durante la scansione, finito, riavvia il pc normalmente, se tutto è andato bene, in C:\ dovresti trovare il file combofix.txt , allegalo a un post.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: irremovibile trojan M0KSEMYU.EXE

Postdi dado » 23/07/08 19:17

Ciao luke.
Innanzitutto grazie per la risposta.

Riporto qui di seguito il contenuto del file di log.

************************************************************************************************************

ComboFix 08-07-22.4 - Utente1 2008-07-23 19.47.55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.1581 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Utente1\desktop\combofix.exe
Command switches used :: /killall
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((( Files Creati Da 2008-06-23 al 2008-07-23 )))))))))))))))))))))))))))))))))))
.

2008-07-21 21:04 . 2008-07-21 21:04 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Simply Super Software
2008-07-21 20:34 . 2008-07-21 20:34 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\SUPERAntiSpyware.com
2008-07-21 00:05 . 2008-07-21 00:05 <DIR> d-------- C:\Programmi\Orbitdownloader
2008-07-21 00:05 . 2008-07-21 00:05 <DIR> d-------- C:\Downloads
2008-07-21 00:05 . 2008-07-21 01:53 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\Orbit
2008-07-20 23:56 . 2008-07-20 23:56 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\Xi
2008-07-20 23:28 . 2008-07-20 23:34 <DIR> d-------- C:\Programmi\MemInfo
2008-07-20 19:20 . 2008-07-21 20:29 <DIR> d-------- C:\Programmi\Trojan Remover
2008-07-20 19:20 . 2008-07-20 19:20 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\Simply Super Software
2008-07-20 19:20 . 2008-07-20 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Simply Super Software
2008-07-20 19:20 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-20 19:20 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-07-20 19:20 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-20 19:20 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-07-20 19:20 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-07-20 15:21 . 2008-07-20 15:21 <DIR> d-------- C:\Programmi\SUPERAntiSpyware
2008-07-20 15:21 . 2008-07-20 15:21 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\SUPERAntiSpyware.com
2008-07-20 15:21 . 2008-07-20 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2008-07-18 10:00 . 2008-07-18 10:00 <DIR> dr------- C:\Documents and Settings\NetworkService\Preferiti
2008-07-17 18:59 . 2008-07-17 18:58 29,760 --a------ C:\WINDOWS\system32\W8CQT3e0.exe
2008-07-17 18:59 . 2008-07-17 18:59 0 --a------ C:\WINDOWS\system32\W8CQT3e0.exe.a_a
2008-07-13 16:38 . 2008-07-13 16:38 <DIR> d-------- C:\Programmi\MSXML 4.0
2008-07-12 18:45 . 2008-07-12 18:45 <DIR> d-------- C:\Marco Polo
2008-07-12 13:50 . 2008-07-12 13:50 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\PC Suite
2008-07-12 13:19 . 2008-07-12 13:19 <DIR> d-------- C:\Documents and Settings\LUCA\Dati applicazioni\Datalayer
2008-07-12 13:08 . 2008-07-13 14:19 <DIR> d-------- C:\Documents and Settings\LUCA\Phone Browser
2008-07-12 13:08 . 2008-07-12 13:19 <DIR> d-------- C:\Documents and Settings\LUCA\Dati applicazioni\Nokia
2008-07-12 13:01 . 2008-07-12 13:03 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-07-12 13:00 . 2008-07-12 13:00 <DIR> d-------- C:\Programmi\DIFX
2008-07-12 12:59 . 2008-07-20 16:27 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-12 12:59 . 2008-07-12 13:03 <DIR> d-------- C:\Programmi\Nokia
2008-07-12 12:59 . 2008-07-12 13:00 <DIR> d-------- C:\Programmi\File comuni\PCSuite
2008-07-12 12:59 . 2008-07-12 13:00 <DIR> d-------- C:\Programmi\File comuni\Nokia
2008-07-12 12:59 . 2008-07-12 12:59 <DIR> d-------- C:\Documents and Settings\LUCA\Dati applicazioni\PC Suite
2008-07-12 12:59 . 2008-07-12 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\PC Suite
2008-07-12 12:59 . 2008-07-12 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Downloaded Installations
2008-07-12 12:59 . 2006-05-29 08:26 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-07-12 12:59 . 2006-05-29 08:26 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-07-12 12:59 . 2006-05-29 08:26 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-07-12 12:59 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-07-12 12:59 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-07-12 12:59 . 2006-05-29 08:26 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-07-12 12:59 . 2006-05-29 08:26 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2008-07-10 00:14 . 2008-07-10 00:17 183 --a------ C:\WINDOWS\wininit.ini
2008-07-10 00:03 . 2008-07-10 00:04 <DIR> d-------- C:\Programmi\QuickMediaConverter
2008-07-09 23:45 . 2008-07-09 23:45 <DIR> d-------- C:\Programmi\Trend Micro
2008-07-09 21:32 . 2007-10-29 18:51 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-07-09 21:32 . 2007-10-29 18:51 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-07-09 21:32 . 2007-10-29 18:51 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2008-07-09 21:32 . 2007-10-29 17:59 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-07-09 21:32 . 2007-10-29 18:51 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-07-09 21:32 . 2007-10-29 18:51 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-07-09 21:32 . 2008-07-21 21:04 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-07-09 21:32 . 2008-07-21 21:04 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-07-09 21:32 . 2008-07-09 21:32 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-09 20:56 . 2008-07-09 20:56 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\AVS4YOU
2008-07-09 20:56 . 2008-07-09 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\AVS4YOU
2008-07-09 20:34 . 2008-07-09 23:58 <DIR> d-------- C:\Programmi\AVS4YOU
2008-07-08 23:54 . 2008-07-09 00:02 <DIR> d-------- C:\Programmi\VirtualDub
2008-07-08 20:55 . 2008-07-08 20:56 <DIR> d-------- C:\Programmi\XMPEG
2008-07-05 10:14 . 2002-07-17 08:03 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-07-05 10:14 . 2002-07-17 07:05 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-07-05 01:02 . 2008-07-05 01:02 <DIR> d-------- C:\Programmi\QuickTime Alternative
2008-07-05 01:02 . 2008-07-05 01:02 <DIR> d-------- C:\Programmi\Media Player Classic
2008-07-05 01:02 . 2008-07-05 01:02 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer
2008-07-05 01:02 . 2007-04-27 09:42 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-07-05 01:02 . 2007-04-27 09:42 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-07-05 00:56 . 2008-07-05 00:56 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\MPEG Streamclip
2008-07-04 18:52 . 2008-07-04 18:52 <DIR> d-------- C:\Programmi\DVD Decrypter
2008-06-28 12:16 . 2008-06-28 12:16 <DIR> d-------- C:\Programmi\File comuni\Skype
2008-06-28 12:16 . 2008-06-28 12:16 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 17:56 --------- d-----w C:\Programmi\Symantec AntiVirus
2008-07-23 17:46 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\uTorrent
2008-07-23 17:17 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\Skype
2008-07-23 17:16 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\skypePM
2008-07-22 21:37 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-07-21 19:04 --------- d---a-w C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-07-20 14:01 --------- d-----w C:\Programmi\eMule
2008-07-20 13:21 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-07-20 11:06 --------- d-----w C:\Programmi\Lavasoft
2008-07-18 17:18 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Microsoft Help
2008-07-16 22:13 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\dvdcss
2008-07-16 21:52 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\DVD Shrink
2008-07-09 21:58 --------- d-----w C:\Programmi\File comuni\AVSMedia
2008-07-08 22:33 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-07-04 23:02 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\Apple Computer
2008-06-28 10:16 --------- d-----w C:\Programmi\Skype
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-16 21:36 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Office Genuine Advantage
2008-06-14 17:59 272,768 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-01 18:03 --------- d-----w C:\Programmi\PowerISO
2008-06-01 11:20 --------- d-----w C:\Programmi\uTorrent
2008-06-01 11:16 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\BitTorrent
2008-06-01 11:11 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\DNA
2008-05-31 09:06 --------- d-----w C:\Programmi\Lupas Rename 2000
2008-02-26 18:45 19,952 ----a-w C:\Documents and Settings\Utente1\Dati applicazioni\GDIPFONTCACHEV1.DAT
2008-02-16 10:21 32 ----a-w C:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
2008-02-09 10:27 19,952 ----a-w C:\Documents and Settings\LUCA\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"Skype"="C:\Programmi\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]
"uTorrent"="C:\Programmi\uTorrent\uTorrent.exe" [2008-06-01 13:20 219952]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 02:07 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 02:07 81920]
"SoundMAXPnP"="C:\Programmi\Analog Devices\Core\smax4pnp.exe" [2006-12-18 22:34 868352]
"ccApp"="C:\Programmi\File comuni\Symantec Shared\ccApp.exe" [2005-04-08 16:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 13:30 85184]
"CnxDslTaskBar"="C:\Programmi\digicom\Michelangelo USB ADSL\CnxDslTb.exe" [2002-11-01 12:28 397312]
"TrojanScanner"="C:\Programmi\Trojan Remover\Trjscan.exe" [2008-06-03 20:33 878672]
"nwiz"="nwiz.exe" [2007-09-17 02:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-03-02 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\Utente1\Menu Avvio\Programmi\Esecuzione automatica\
FreePOPs.lnk - C:\Programmi\FreePOPs\freepopsd.exe [2007-06-22 21:17:44 31232]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Programmi\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Orbit.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Orbit.lnk
backup=C:\WINDOWS\pss\Orbit.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Programmi\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CSIScanner"=2 (0x2)
"AcrSch2Svc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\ICQ6\\ICQ.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Programmi\\uTorrent\\uTorrent.exe"=
"C:\\Programmi\\Orbitdownloader\\orbitdm.exe"=
"C:\\Programmi\\Orbitdownloader\\orbitnet.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2697:UDP"= 2697:UDP:Windows Media Format SDK (firefox.exe)
"2696:UDP"= 2696:UDP:Windows Media Format SDK (firefox.exe)
"2702:UDP"= 2702:UDP:Windows Media Format SDK (firefox.exe)

S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 07:05]
S3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2002-10-31 18:31]
S3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2002-10-31 18:31]
S3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2002-11-01 12:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81ba6123-bb77-11dc-bbc2-001d600bd566}]
\Shell\Auto\command - E:\bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
.
Contenuto della cartella 'Scheduled Tasks'
"2008-07-22 07:50:04 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-17 16:59:31 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-22 08:00:01 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-18 09:00:05 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-18 10:00:06 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-20 11:00:03 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-20 12:00:05 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-20 13:00:01 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-20 14:00:02 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-20 15:00:03 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-20 16:00:01 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-20 23:00:01 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-22 17:00:01 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-23 18:00:06 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-22 19:00:01 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-22 20:00:01 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-22 21:00:01 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-20 22:51:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-20 23:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-17 17:10:08 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-17 17:10:08 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-17 17:10:08 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-17 16:59:31 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-17 17:10:08 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-17 17:10:08 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-17 17:10:08 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-17 17:10:08 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-17 17:10:08 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-22 08:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-18 09:25:25 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-18 10:00:01 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-20 11:00:01 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-20 12:00:11 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-17 16:59:31 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-20 13:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-20 14:20:51 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-20 15:00:01 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-20 16:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-22 20:44:58 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-23 18:00:02 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-22 19:00:10 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-22 20:00:10 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-22 21:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\M0ksEMYu.exe
"2008-07-17 16:59:31 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-17 16:59:31 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-17 16:59:31 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-17 16:59:31 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-17 16:59:31 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-23 18:10:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{8CE3FA57-6A4F-4F1C-BCD9-230C80F6EBA5}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.tim.it/
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Download by Orbit - C:\Programmi\Orbitdownloader\orbitmxt.dll/201
O8 -: &Grab video by Orbit - C:\Programmi\Orbitdownloader\orbitmxt.dll/204
O8 -: Do&wnload selected by Orbit - C:\Programmi\Orbitdownloader\orbitmxt.dll/203
O8 -: Down&load all by Orbit - C:\Programmi\Orbitdownloader\orbitmxt.dll/202
O8 -: E&sporta in Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 19:59:24
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

C:\WINDOWS\explorer.exe [2480] 0x89885020

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Ora fine scansione: 2008-07-23 20:11:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-23 18:10:51

Pre-Run: 59,755,438,080 byte disponibili
Post-Run: 60,021,174,272 byte disponibili

320 --- E O F --- 2008-07-18 17:18:15

House: "Vede, tutti pensano che sia un paziente a causa del bastone"
Wilson: "Allora perchè non indossa un camice bianco come tutti noi?"
House: "Perchè altrimenti pensano che sia un medico".
Avatar utente
dado
Utente Senior
 
Post: 16208
Iscritto il: 21/08/01 01:00
Località: La Città dei Sette Assedi

Re: irremovibile trojan M0KSEMYU.EXE

Postdi Luke57 » 23/07/08 22:24

Ciao, copia questo codice:

Codice: Seleziona tutto
File::
C:\WINDOWS\system32\W8CQT3e0.exe
C:\WINDOWS\system32\W8CQT3e0.exe.a_a
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


incollalo in un file di testo, salva il file di testo nella stessa direzione di combofix, chiamandolo obbligatoriamente CFScript.txt e trascinalo con il puntatore del mouse sull'icona di combofix per una nuova scansione.
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: irremovibile trojan M0KSEMYU.EXE

Postdi dado » 23/07/08 23:05

Ho fatto quanto mi hai detto, Luke.
Il programma ha completato la pulizia e mi ha dato un altro file di log:

ComboFix 08-07-22.4 - Utente1 2008-07-23 23:48:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.1381 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Utente1\Desktop\temp\Programmi\ComboFix.exe
Command switches used :: C:\Documents and Settings\Utente1\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::
C:\WINDOWS\system32\W8CQT3e0.exe
C:\WINDOWS\system32\W8CQT3e0.exe.a_a
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\W8CQT3e0.exe
C:\WINDOWS\system32\W8CQT3e0.exe.a_a
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Creati Da 2008-06-23 al 2008-07-23 )))))))))))))))))))))))))))))))))))
.

2008-07-21 21:04 . 2008-07-21 21:04 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Simply Super Software
2008-07-21 20:34 . 2008-07-21 20:34 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\SUPERAntiSpyware.com
2008-07-21 00:05 . 2008-07-21 00:05 <DIR> d-------- C:\Programmi\Orbitdownloader
2008-07-21 00:05 . 2008-07-21 00:05 <DIR> d-------- C:\Downloads
2008-07-21 00:05 . 2008-07-21 01:53 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\Orbit
2008-07-20 23:56 . 2008-07-20 23:56 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\Xi
2008-07-20 23:28 . 2008-07-20 23:34 <DIR> d-------- C:\Programmi\MemInfo
2008-07-20 19:20 . 2008-07-21 20:29 <DIR> d-------- C:\Programmi\Trojan Remover
2008-07-20 19:20 . 2008-07-20 19:20 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\Simply Super Software
2008-07-20 19:20 . 2008-07-20 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Simply Super Software
2008-07-20 19:20 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-07-20 19:20 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-07-20 19:20 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-07-20 19:20 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-07-20 19:20 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-07-20 15:21 . 2008-07-20 15:21 <DIR> d-------- C:\Programmi\SUPERAntiSpyware
2008-07-20 15:21 . 2008-07-20 15:21 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\SUPERAntiSpyware.com
2008-07-20 15:21 . 2008-07-20 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2008-07-18 10:00 . 2008-07-18 10:00 <DIR> dr------- C:\Documents and Settings\NetworkService\Preferiti
2008-07-13 16:38 . 2008-07-13 16:38 <DIR> d-------- C:\Programmi\MSXML 4.0
2008-07-12 18:45 . 2008-07-12 18:45 <DIR> d-------- C:\Marco Polo
2008-07-12 13:50 . 2008-07-12 13:50 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\PC Suite
2008-07-12 13:19 . 2008-07-12 13:19 <DIR> d-------- C:\Documents and Settings\LUCA\Dati applicazioni\Datalayer
2008-07-12 13:08 . 2008-07-13 14:19 <DIR> d-------- C:\Documents and Settings\LUCA\Phone Browser
2008-07-12 13:08 . 2008-07-12 13:19 <DIR> d-------- C:\Documents and Settings\LUCA\Dati applicazioni\Nokia
2008-07-12 13:01 . 2008-07-12 13:03 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-07-12 13:00 . 2008-07-12 13:00 <DIR> d-------- C:\Programmi\DIFX
2008-07-12 12:59 . 2008-07-20 16:27 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-12 12:59 . 2008-07-12 13:03 <DIR> d-------- C:\Programmi\Nokia
2008-07-12 12:59 . 2008-07-12 13:00 <DIR> d-------- C:\Programmi\File comuni\PCSuite
2008-07-12 12:59 . 2008-07-12 13:00 <DIR> d-------- C:\Programmi\File comuni\Nokia
2008-07-12 12:59 . 2008-07-12 12:59 <DIR> d-------- C:\Documents and Settings\LUCA\Dati applicazioni\PC Suite
2008-07-12 12:59 . 2008-07-12 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\PC Suite
2008-07-12 12:59 . 2008-07-12 12:59 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Downloaded Installations
2008-07-12 12:59 . 2006-05-29 08:26 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2008-07-12 12:59 . 2006-05-29 08:26 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-07-12 12:59 . 2006-05-29 08:26 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-07-12 12:59 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2008-07-12 12:59 . 2006-05-29 08:26 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2008-07-12 12:59 . 2006-05-29 08:26 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2008-07-12 12:59 . 2006-05-29 08:26 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll
2008-07-10 00:14 . 2008-07-10 00:17 183 --a------ C:\WINDOWS\wininit.ini
2008-07-10 00:03 . 2008-07-10 00:04 <DIR> d-------- C:\Programmi\QuickMediaConverter
2008-07-09 23:45 . 2008-07-09 23:45 <DIR> d-------- C:\Programmi\Trend Micro
2008-07-09 21:32 . 2007-10-29 18:51 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-07-09 21:32 . 2007-10-29 18:51 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-07-09 21:32 . 2007-10-29 18:51 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2008-07-09 21:32 . 2007-10-29 17:59 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-07-09 21:32 . 2007-10-29 18:51 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-07-09 21:32 . 2008-07-23 23:50 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-07-09 21:32 . 2008-07-21 21:04 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-07-09 21:32 . 2008-07-21 21:04 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-07-09 21:32 . 2008-07-09 21:32 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-09 20:56 . 2008-07-09 20:56 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\AVS4YOU
2008-07-09 20:56 . 2008-07-09 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\AVS4YOU
2008-07-09 20:34 . 2008-07-09 23:58 <DIR> d-------- C:\Programmi\AVS4YOU
2008-07-08 23:54 . 2008-07-09 00:02 <DIR> d-------- C:\Programmi\VirtualDub
2008-07-08 20:55 . 2008-07-08 20:56 <DIR> d-------- C:\Programmi\XMPEG
2008-07-05 10:14 . 2002-07-17 08:03 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-07-05 10:14 . 2002-07-17 07:05 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-07-05 01:02 . 2008-07-05 01:02 <DIR> d-------- C:\Programmi\QuickTime Alternative
2008-07-05 01:02 . 2008-07-05 01:02 <DIR> d-------- C:\Programmi\Media Player Classic
2008-07-05 01:02 . 2008-07-05 01:02 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer
2008-07-05 01:02 . 2007-04-27 09:42 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-07-05 01:02 . 2007-04-27 09:42 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-07-05 00:56 . 2008-07-05 00:56 <DIR> d-------- C:\Documents and Settings\Utente1\Dati applicazioni\MPEG Streamclip
2008-07-04 18:52 . 2008-07-04 18:52 <DIR> d-------- C:\Programmi\DVD Decrypter
2008-06-28 12:16 . 2008-06-28 12:16 <DIR> d-------- C:\Programmi\File comuni\Skype
2008-06-28 12:16 . 2008-06-28 12:16 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 21:50 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\Skype
2008-07-23 21:48 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\uTorrent
2008-07-23 18:01 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\skypePM
2008-07-23 17:56 --------- d-----w C:\Programmi\Symantec AntiVirus
2008-07-22 21:37 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-07-21 19:04 --------- d---a-w C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-07-20 14:01 --------- d-----w C:\Programmi\eMule
2008-07-20 13:21 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-07-20 11:06 --------- d-----w C:\Programmi\Lavasoft
2008-07-18 17:18 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Microsoft Help
2008-07-16 22:13 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\dvdcss
2008-07-16 21:52 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\DVD Shrink
2008-07-09 21:58 --------- d-----w C:\Programmi\File comuni\AVSMedia
2008-07-08 22:33 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-07-04 23:02 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\Apple Computer
2008-06-28 10:16 --------- d-----w C:\Programmi\Skype
2008-06-20 17:39 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-16 21:36 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Office Genuine Advantage
2008-06-14 17:59 272,768 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-01 18:03 --------- d-----w C:\Programmi\PowerISO
2008-06-01 11:20 --------- d-----w C:\Programmi\uTorrent
2008-06-01 11:16 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\BitTorrent
2008-06-01 11:11 --------- d-----w C:\Documents and Settings\Utente1\Dati applicazioni\DNA
2008-05-31 09:06 --------- d-----w C:\Programmi\Lupas Rename 2000
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 05:14 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 18:45 19,952 ----a-w C:\Documents and Settings\Utente1\Dati applicazioni\GDIPFONTCACHEV1.DAT
2008-02-16 10:21 32 ----a-w C:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
2008-02-09 10:27 19,952 ----a-w C:\Documents and Settings\LUCA\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"Skype"="C:\Programmi\Skype\Phone\Skype.exe" [2008-05-30 15:54 21718312]
"uTorrent"="C:\Programmi\uTorrent\uTorrent.exe" [2008-06-01 13:20 219952]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 02:07 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 02:07 81920]
"SoundMAXPnP"="C:\Programmi\Analog Devices\Core\smax4pnp.exe" [2006-12-18 22:34 868352]
"ccApp"="C:\Programmi\File comuni\Symantec Shared\ccApp.exe" [2005-04-08 16:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 13:30 85184]
"CnxDslTaskBar"="C:\Programmi\digicom\Michelangelo USB ADSL\CnxDslTb.exe" [2002-11-01 12:28 397312]
"TrojanScanner"="C:\Programmi\Trojan Remover\Trjscan.exe" [2008-06-03 20:33 878672]
"nwiz"="nwiz.exe" [2007-09-17 02:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-03-02 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\Utente1\Menu Avvio\Programmi\Esecuzione automatica\
FreePOPs.lnk - C:\Programmi\FreePOPs\freepopsd.exe [2007-06-22 21:17:44 31232]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Programmi\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Orbit.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Orbit.lnk
backup=C:\WINDOWS\pss\Orbit.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Programmi\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CSIScanner"=2 (0x2)
"AcrSch2Svc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\ICQ6\\ICQ.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Programmi\\uTorrent\\uTorrent.exe"=
"C:\\Programmi\\Orbitdownloader\\orbitdm.exe"=
"C:\\Programmi\\Orbitdownloader\\orbitnet.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=

S3 ASPI;Advanced SCSI Programming Interface Driver;C:\WINDOWS\System32\DRIVERS\ASPI32.sys [2002-07-17 07:05]
S3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys [2002-10-31 18:31]
S3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys [2002-10-31 18:31]
S3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys [2002-11-01 12:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81ba6123-bb77-11dc-bbc2-001d600bd566}]
\Shell\Auto\command - E:\bittorrent.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e
.
Contenuto della cartella 'Scheduled Tasks'
"2008-07-22 07:50:04 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\W8CQT3e0.exe
"2008-07-23 21:50:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{8CE3FA57-6A4F-4F1C-BCD9-230C80F6EBA5}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 23:50:52
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-07-23 23:52:53
ComboFix-quarantined-files.txt 2008-07-23 21:52:51
ComboFix2.txt 2008-07-23 18:11:08

Pre-Run: 64,210,423,808 byte disponibili
Post-Run: 64,200,146,944 byte disponibili

300 --- E O F --- 2008-07-18 17:18:15

House: "Vede, tutti pensano che sia un paziente a causa del bastone"
Wilson: "Allora perchè non indossa un camice bianco come tutti noi?"
House: "Perchè altrimenti pensano che sia un medico".
Avatar utente
dado
Utente Senior
 
Post: 16208
Iscritto il: 21/08/01 01:00
Località: La Città dei Sette Assedi

Re: irremovibile trojan M0KSEMYU.EXE

Postdi Luke57 » 24/07/08 15:15

Ciao, apri la cartella tasks, da avanzate, spunta "visualizza operazioni nascoste", elimina il file:
C:\WINDOWS\Tasks\At1.job
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: irremovibile trojan M0KSEMYU.EXE

Postdi dado » 24/07/08 18:03

Fatto! Eliminato il file.
In quella cartella c'è anche un altro file che si chiama
User_Feed_Synchronization-{8CE3FA57-6A4F-4F1C-BCD9-230C80F6EBA5}

Quello invece lo lascio lì dov'è?

Grazie
dado

House: "Vede, tutti pensano che sia un paziente a causa del bastone"
Wilson: "Allora perchè non indossa un camice bianco come tutti noi?"
House: "Perchè altrimenti pensano che sia un medico".
Avatar utente
dado
Utente Senior
 
Post: 16208
Iscritto il: 21/08/01 01:00
Località: La Città dei Sette Assedi

Re: irremovibile trojan M0KSEMYU.EXE

Postdi Luke57 » 24/07/08 22:15

Ciao, yes. Ti appare sempre il trojan?
Luke57
Moderatore
 
Post: 6410
Iscritto il: 11/08/05 19:10

Re: irremovibile trojan M0KSEMYU.EXE

Postdi dado » 25/07/08 12:32

Ad ora sono quasi due giorni che non ho più nessun segnale di presenza dal trojan.
Speriamo!! Intanto grazie millissime, luke!! :D

House: "Vede, tutti pensano che sia un paziente a causa del bastone"
Wilson: "Allora perchè non indossa un camice bianco come tutti noi?"
House: "Perchè altrimenti pensano che sia un medico".
Avatar utente
dado
Utente Senior
 
Post: 16208
Iscritto il: 21/08/01 01:00
Località: La Città dei Sette Assedi


Torna a Sicurezza e Privacy


Topic correlati a "irremovibile trojan M0KSEMYU.EXE":

trojan win32/sirefef
Autore: marzianu
Forum: Sicurezza e Privacy
Risposte: 27

Chi c’è in linea

Visitano il forum: Nessuno e 3 ospiti