Trojan horse TR/Rootkit.Gen!

How do I remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: kadosh, Luke57

Trojan horse TR/Rootkit.Gen!

Post by tittipe » 01/03/10 18:27

Help, I caught this virus. The PC runs slowly and, some time after I start it (a variable number of minutes), it freezes and I have to restart it with the power button....
help, I really don't know what to do, I don't understand any of this... thanks a lot
tittipe
Junior User

Posts: 15
Joined: 01/03/10 17:34


Re: Trojan horse TR/Rootkit.Gen!

Post by gahan » 01/03/10 18:30

Hi,

download and install HijackThis
http://www.hijackthis.de/downloads/HJTInstall.exe

- open the software
- accept the license terms
- click on "do a system scan and save a logfile"
- post the resulting log here on the forum
words like violence, break the silence
gahan
Moderator

Posts: 1397
Joined: 23/01/08 16:09

Re: Trojan horse TR/Rootkit.Gen!

Post by tittipe » 01/03/10 18:38

thanks for the help...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.33.01, on 01/03/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ALESSIA\IMPOST~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programmi\Avira\AntiVir Desktop\avmailc.exe
C:\Programmi\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Java\jre1.6.0_07\bin\jucheck.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Programmi\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Programmi\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Programmi\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Programmi\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C4CF94C-7B81-4C15-9EDB-E0E9CDF0ABE9}: NameServer = 212.216.112.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{81DE70BC-95E0-4FB7-873C-4B3EC2AFB8AD}: NameServer = 212.216.112.112
O17 - HKLM\System\CS1\Services\Tcpip\..\{6C4CF94C-7B81-4C15-9EDB-E0E9CDF0ABE9}: NameServer = 212.216.112.112
O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Servizio di Google Update (gupdate1caac1519369f42) (gupdate1caac1519369f42) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Programmi\WinPcap\rpcapd.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Unknown owner - C:\Programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe (file missing)

--
End of file - 9104 bytes
tittipe
Junior User

Posts: 15
Joined: 01/03/10 17:34

Re: Trojan horse TR/Rootkit.Gen!

Post by gahan » 01/03/10 19:06

The HijackThis log looks fine... let's run a deeper scan with ComboFix.

Download ComboFix directly to the desktop from the following link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

- disconnect from the internet
- disable your antivirus
- run the ComboFix.exe file
- type 1 to start the software
- follow the instructions (do not install the recovery console)
- at the end a log will be generated at C:\Combofix.txt
- post the log here on the forum.
gahan
Moderator

Posts: 1397
Joined: 23/01/08 16:09

Re: Trojan horse TR/Rootkit.Gen!

Post by tittipe » 01/03/10 19:47

ComboFix 10-02-28.04 - ALESSIA 01/03/2010 19.40.21.4.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.2046.1499 [GMT 1:00]
Eseguito da: c:\documents and settings\ALESSIA\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.

((((((((((((((((((((((((( Files Creati Da 2010-02-01 al 2010-03-01 )))))))))))))))))))))))))))))))))))
.

2010-03-01 17:32 . 2010-03-01 17:32 -------- d-----w- c:\programmi\Trend Micro
2010-03-01 16:22 . 2010-03-01 16:22 -------- d-----w- C:\FOUND.007
2010-03-01 14:38 . 2010-03-01 14:38 -------- d-----w- C:\FOUND.006
2010-03-01 13:55 . 2010-03-01 13:55 -------- d-----w- C:\FOUND.005
2010-03-01 12:24 . 2010-03-01 12:24 -------- d-----w- C:\FOUND.004
2010-03-01 11:23 . 2010-03-01 11:23 -------- d-----w- c:\programmi\CCleaner
2010-03-01 10:56 . 2010-03-01 10:56 -------- d-----w- c:\documents and settings\GENNARO\Dati applicazioni\DivX
2010-02-28 09:37 . 2010-02-28 09:37 -------- d-----w- C:\FOUND.003
2010-02-27 11:48 . 2010-02-27 11:48 -------- d--h--w- c:\windows\msdownld.tmp
2010-02-26 08:26 . 1998-09-02 08:28 38160 ----a-w- c:\windows\system32\LMRTREND.dll
2010-02-26 08:26 . 1998-08-27 04:51 182032 ----a-w- c:\windows\system32\dxtmsft3.dll
2010-02-26 08:26 . 1998-09-02 08:28 63488 ----a-w- c:\windows\system32\unam4ie.exe
2010-02-26 08:26 . 2010-02-26 08:26 4608 ----a-w- c:\windows\system32\w95inf32.dll
2010-02-26 08:26 . 2010-02-26 08:26 2272 ----a-w- c:\windows\system32\w95inf16.dll
2010-02-26 08:26 . 1998-09-02 08:02 194320 ----a-w- c:\windows\system32\qcut.dll
2010-02-26 08:26 . 1998-08-17 09:21 11776 ----a-w- c:\windows\system32\mciqtz.drv
2010-02-25 20:08 . 2010-02-25 20:08 -------- d-----w- c:\documents and settings\ALESSIA\Impostazioni locali\Dati applicazioni\Temp
2010-02-24 14:11 . 2009-03-09 14:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-02-24 14:10 . 2009-03-16 13:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-02-24 14:10 . 2009-03-16 13:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2010-02-24 14:10 . 2009-03-16 13:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2010-02-24 14:10 . 2007-04-04 17:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-02-21 18:51 . 2010-02-22 17:30 17 ----a-w- c:\windows\popcinfo.dat
2010-02-21 09:49 . 2010-02-21 09:49 0 ----a-w- c:\windows\popcreg.dat
2010-02-21 09:09 . 2010-02-21 09:09 -------- d--h--r- c:\documents and settings\ALESSIA\Dati applicazioni\SecuROM
2010-02-20 16:10 . 2010-02-20 16:10 -------- d-----w- c:\windows\Logs
2010-02-20 16:09 . 2010-02-20 16:09 -------- d-----w- c:\programmi\Telltale Games
2010-02-20 15:25 . 2010-02-20 15:25 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\FarmFrenzy-PizzaParty
2010-02-19 19:53 . 2010-02-19 19:53 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\FarmFrenzy3_Arctica
2010-02-19 19:45 . 2010-02-19 19:45 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\AlawarWrapper
2010-02-18 22:45 . 2010-02-22 17:30 88 ----a-w- c:\windows\popcinfot.dat
2010-02-18 19:31 . 2010-02-18 19:31 -------- d-----w- c:\documents and settings\ALESSIA\Dati applicazioni\PopCapv1002
2010-02-18 19:29 . 2010-02-18 19:29 -------- d-----w- c:\programmi\PopCap Games
2010-02-18 17:27 . 2010-02-18 17:27 -------- d-----w- c:\programmi\Alawar
2010-02-16 17:49 . 2010-02-16 17:49 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\PopCap Games
2010-02-14 16:53 . 2010-02-14 16:53 -------- d-----w- C:\FOUND.002
2010-02-13 09:31 . 2010-02-13 09:31 -------- d-----w- c:\documents and settings\ALESSIA\Dati applicazioni\DivX
2010-02-12 19:08 . 2010-02-12 19:08 -------- d-----w- c:\documents and settings\NetworkService\Impostazioni locali\Dati applicazioni\Google
2010-02-10 10:37 . 2010-02-10 10:37 -------- d-----w- c:\programmi\MSXML 6.0
2010-02-09 19:13 . 2010-02-09 19:13 -------- d-----w- c:\programmi\Microsoft CAPICOM 2.1.0.2
2010-02-09 19:09 . 2010-02-09 19:09 -------- d-----w- c:\windows\ServicePackFiles
2010-02-09 15:39 . 2010-02-09 15:39 -------- d-----w- c:\documents and settings\ALESSIA\Dati applicazioni\Avira
2010-02-09 13:33 . 2010-02-09 15:38 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-09 13:33 . 2009-05-08 13:13 97608 ----a-w- c:\windows\system32\drivers\avfwot.sys
2010-02-09 13:33 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-02-09 13:33 . 2009-02-24 12:06 69632 ----a-w- c:\windows\system32\drivers\avfwim.sys
2010-02-09 13:33 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-02-09 13:33 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-02-09 13:33 . 2010-02-09 13:33 -------- d-----w- c:\programmi\Avira
2010-02-09 13:33 . 2010-02-09 13:33 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Avira
2010-02-09 11:53 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-09 11:53 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-09 10:22 . 2010-02-09 10:22 -------- d-----w- c:\documents and settings\ALESSIA\Dati applicazioni\pdf995
2010-02-07 14:47 . 2010-02-07 14:48 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Alwil Software
2010-02-06 18:53 . 2010-02-06 18:53 -------- d-----w- c:\windows\system32\LogFiles
2010-02-06 18:35 . 2004-09-07 19:00 25600 ----a-w- c:\documents and settings\LocalService\Dati applicazioni\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-02-06 17:38 . 2010-02-06 17:38 -------- d-----w- c:\documents and settings\ALESSIA\Dati applicazioni\vlc
2010-02-04 16:54 . 2010-02-04 16:54 -------- d-----w- c:\documents and settings\ALESSIA\Impostazioni locali\Dati applicazioni\Identities
2010-02-04 16:03 . 2010-02-04 16:03 -------- d-----w- c:\documents and settings\ALESSIA\Impostazioni locali\Dati applicazioni\Adobe
2010-02-04 15:14 . 2010-02-04 15:14 -------- d-----w- c:\documents and settings\ALESSIA\Dati applicazioni\Vodafone

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 16:26 . 2006-08-30 23:34 12 ----a-w- c:\windows\bthservsdp.dat
2010-03-01 10:55 . 2008-05-31 20:40 94200 ----a-w- c:\documents and settings\GENNARO\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-02-12 18:56 . 2010-02-12 18:56 -------- d-----w- c:\programmi\Google
2010-02-12 18:56 . 2010-02-12 18:56 -------- d-----w- c:\programmi\File comuni\DivX Shared
2010-02-12 18:56 . 2010-02-12 18:56 -------- d-----w- c:\programmi\DivX
2010-02-11 08:13 . 2006-08-30 23:13 85070 ----a-w- c:\windows\system32\perfc010.dat
2010-02-11 08:13 . 2006-08-30 23:13 490898 ----a-w- c:\windows\system32\perfh010.dat
2010-02-10 10:50 . 2008-08-10 20:11 94200 ----a-w- c:\documents and settings\ALESSIA\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-02-10 10:40 . 2010-02-10 10:40 -------- d-----w- c:\programmi\MSBuild
2010-02-10 10:40 . 2010-02-10 10:40 -------- d-----w- c:\programmi\Reference Assemblies
2010-01-24 16:45 . 2010-01-24 16:45 -------- d-----w- c:\programmi\Microsoft Silverlight
2010-01-24 16:08 . 2010-01-24 16:08 -------- d-----w- c:\documents and settings\GENNARO\Dati applicazioni\Vodafone
2010-01-24 16:08 . 2010-01-24 16:08 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\InstallShield
2010-01-24 16:07 . 2010-01-24 16:07 -------- d-----w- c:\documents and settings\LocalService\Dati applicazioni\Vodafone
2010-01-24 16:07 . 2010-01-24 16:07 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Vodafone
2010-01-24 15:53 . 2010-01-24 15:53 -------- d-----w- c:\documents and settings\GENNARO\Dati applicazioni\dvdcss
2009-12-31 16:14 . 2004-09-07 19:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:34 . 2006-01-09 18:59 671232 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:34 . 2004-09-07 19:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-17 07:58 . 2004-09-07 19:00 346112 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-09-07 19:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 10:18 . 2005-09-29 19:27 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-09 10:18 . 2005-09-29 19:28 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 14:41 . 2004-09-07 19:00 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-06-02 11:41 . 2008-06-02 11:41 382352 ----a-w- c:\programmi\jxpiinstall.exe
2008-05-31 23:32 . 2008-05-31 23:29 24064656 ----a-w- c:\programmi\AdbeRdr812_it_IT.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-17 64512]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"AzMixerSel"="c:\programmi\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ntiMUI"="c:\programmi\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-09-07 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-09-07 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-12 7577600]
"nwiz"="nwiz.exe" [2006-06-12 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-12 86016]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-20 593920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2006-06-23 225280]
"LogitechCameraAssistant"="c:\programmi\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 331776]
"LogitechVideo[inspector]"="c:\programmi\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 14:55 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-08-16 503808]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-07 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=

R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [09/02/2010 14.33.06 97608]
R2 AntiVirFirewallService;Avira Firewall;c:\programmi\Avira\AntiVir Desktop\avfwsvc.exe [09/02/2010 14.33.03 388865]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\programmi\Avira\AntiVir Desktop\avmailc.exe [09/02/2010 14.33.03 194817]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programmi\Avira\AntiVir Desktop\sched.exe [09/02/2010 14.33.05 108289]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\programmi\Avira\AntiVir Desktop\avwebgrd.exe [09/02/2010 14.33.04 434945]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [09/02/2010 14.33.06 69632]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [19/06/2006 12.20.24 1097728]
S2 gupdate1caac1519369f42;Servizio di Google Update (gupdate1caac1519369f42);c:\programmi\Google\Update\GoogleUpdate.exe [12/02/2010 19.56.33 133104]
S2 VMCService;Vodafone Mobile Connect Service;"c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe" --> c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [?]
.
Contenuto della cartella 'Scheduled Tasks'

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-02-12 18:56]

2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2010-02-12 18:56]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://global.acer.com
uInternet Settings,ProxyOverride = local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\programmi\Avira\AntiVir Desktop\avsda.dll
TCP: {6C4CF94C-7B81-4C15-9EDB-E0E9CDF0ABE9} = 212.216.112.112
TCP: {81DE70BC-95E0-4FB7-873C-4B3EC2AFB8AD} = 212.216.112.112
FF - ProfilePath - c:\documents and settings\ALESSIA\Dati applicazioni\Mozilla\Firefox\Profiles\jrb4no1r.default\
FF - plugin: c:\programmi\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-MobileConnect - c:\programmi\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 19:44
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89818838]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba98cfc3
\Driver\ACPI -> 0x89818838
\Driver\atapi -> atapi.sys @ 0xba6db7b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
SecurityProcedure -> ntkrnlpa.exe @ 0x80582be6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582544
SecurityProcedure -> ntkrnlpa.exe @ 0x80582be6
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x8995b330
PacketIndicateHandler -> NDIS.sys @ 0xba5fba0b
SendHandler -> NDIS.sys @ 0xba60fb31
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-250300247-1244742074-3286369238-1006\Software\SecuROM\License information*]
"datasecu"=hex:10,e1,e7,ed,2d,e8,d0,4f,f1,a4,f3,2a,46,c4,3e,89,b8,aa,d3,3c,a4,
63,2d,70,1c,0b,03,ad,cb,4f,f5,a0,58,42,1b,bb,57,9d,af,6e,e4,85,be,9f,40,38,\
"rkeysecu"=hex:25,f3,69,14,e1,43,2f,e2,55,85,c7,3f,0e,29,b4,32
.
a message appeared telling me pev.exe is damaged; the log is



--------------------- Dlls caricate dai processi in esecuzione ---------------------





- - - - - - - > 'lsass.exe'(1460)
c:\programmi\Avira\AntiVir Desktop\avsda.dll

- - - - - - - > 'explorer.exe'(5092)
c:\programmi\Avira\AntiVir Desktop\avsda.dll
.
Ora fine scansione: 2010-03-01 19:45:15
ComboFix-quarantined-files.txt 2010-03-01 18:45
ComboFix2.txt 2010-03-01 14:56

Pre-Run: 2.890.891.264 byte disponibili
Post-Run: 3.004.825.600 byte disponibili

- - End Of File - - 45BB5EF1CA9176922FE7D3B8A1EF7D40
tittipe
Junior User

Posts: 15
Joined: 01/03/10 17:34

Re: Trojan horse TR/Rootkit.Gen!

Post by gahan » 01/03/10 20:00

Download mbr.exe and save it directly in the C:\ directory

http://www2.gmer.net/mbr/mbr.exe

Restart the PC and boot it into safe mode by pressing F5 repeatedly right after switching the PC on, until a black screen with white options appears.

From Start --> Run --> type

C:\mbr.exe -f

and click OK

NB - There is a space between "C:\mbr.exe" and "-f"

The scan will take a few seconds.
Post the log found in C:\ as mbr.log
gahan
Moderator

Posts: 1397
Joined: 23/01/08 16:09

Re: Trojan horse TR/Rootkit.Gen!

Post by tittipe » 01/03/10 21:31

it won't start in safe mode, what do I do?
tittipe
Junior User

Posts: 15
Joined: 01/03/10 17:34

Re: Trojan horse TR/Rootkit.Gen!

Post by gahan » 01/03/10 22:09

Download Norman SinowalMBR Cleaner to the desktop from the link below:

http://www.norman.com/support/support_tools/58733/it

- double-click Norman_Sinowal_Cleaner.exe
- accept the license agreement
- start the scan by clicking Start scan

When it finishes, post the log you will find on the Desktop under the name NFix
gahan
Moderator

Posts: 1397
Joined: 23/01/08 16:09

Re: Trojan horse TR/Rootkit.Gen!

Post by tittipe » 02/03/10 09:52

Norman SinowalMBR Cleaner
Copyright © 1990 - 2008, Norman ASA. Built 2008/05/13 16:21:18

Norman Scanner Engine Version: 5.92.04
Nvcbin.def Version: 5.92.00, Date: 2008/05/13 16:21:18, Variants: 0

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 2
Logged on user: GENNARO_PORT\ALESSIA


Scan started: 02/03/2010 08:07:15

Scanning bootsectors...

No SinowalMBR hooks found

Number of sectors found: 1
Number of sectors scanned: 1
Number of sectors not scanned: 0
Number of infections found: 0
Number of infections removed: 0
Total scanning time: 0s 594ms


Scanning running processes and process memory...

Number of processes/threads found: 3014
Number of processes/threads scanned: 3014
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 9s


Scanning file system...

Scanning: C:\*.*

C:\WINDOWS\Prefetch\AVWSC.EXE-02281408.pf (Error whilst scanning file: I/O Error)

C:\WINDOWS\Prefetch\AVMAILC.EXE-2D8EC997.pf (Error whilst scanning file: I/O Error)

C:\WINDOWS\Prefetch\USRREQ.EXE-011EC6F2.pf (Error whilst scanning file: I/O Error)

C:\WINDOWS\Prefetch\AVWEBGRD.EXE-064CE190.pf (Error whilst scanning file: I/O Error)

C:\WINDOWS\Prefetch\CHECKT.EXE-0C7DCA5F.pf (Error whilst scanning file: I/O Error)

C:\WINDOWS\Prefetch\IMAPI.EXE-201490BB.pf (Error whilst scanning file: I/O Error)

C:\Documents and Settings\ALESSIA\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\jrb4no1r.default\urlclassifier3.sqlite-journal (Error whilst scanning file: I/O Error)

C:\Documents and Settings\ALESSIA\Desktop\NeroC..rar/CMT (Error whilst scanning file: I/O Error)

C:\System Volume Information\_RESTO~1\RP130\A0068276.bat (Error whilst scanning file: I/O Error)

Scanning: D:\*.*
tittipe
Junior User

Posts: 15
Joined: 01/03/10 17:34

Re: Trojan horse TR/Rootkit.Gen!

Post by gahan » 02/03/10 10:13

Hi, let's run this check:

Download systemscan from the following link:

http://www.suspectfile.com/systemscan

- disable your antivirus
- run the program
- the window shows many options
- uncheck all the entries, leaving only "master boot record" enabled, then click on "scan now"
At the end a log will be created.
Post it here on the forum for a check.
gahan
Moderator

Posts: 1397
Joined: 23/01/08 16:09

Re: Trojan horse TR/Rootkit.Gen!

Post by tittipe » 02/03/10 11:53

hi...

SystemScan - www.suspectfile.com - ver. 3.6.7 (code: holifay & bReAkdOWn)

Running on: Windows XP PROFESSIONAL Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Documents and Settings\ALESSIA\Desktop\sys38553.exe
Running in: User mode
Date: 02/03/2010
Time: 11.52.27

Output limited to:
-Master Boot Record

===================== MASTER BOOT RECORD =====================


device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
\Driver\ACPI -> 0x898d31f0
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x89939330
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !

==========================================
Scan completed in 0 minutes
End of report


~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "
* dumphive (Markus Stephany)--> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

Thanks to all of them for their hard work
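The MBR section of the SystemScan log above (produced by the Gmer detector it bundles) reads sector 0 once through the normal user-mode path and once from the kernel, and then reports whether the two views agree. The following is an added example, not code from the tool, from Gmer, or from this thread: a Python cross-check of two such reads over a constructed MBR, with partition-table decoding and a bootstrap-code fingerprint to compare against a baseline captured while the host was known clean. The sample bytes, the function names and the wording of the findings are my own assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 446          # bootstrap code occupies bytes 0..445
BOOT_SIG = b"\x55\xAA"        # bytes 510..511 of a valid MBR


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Construct a synthetic 512-byte MBR (sample data, not taken from a real disk)."""
    code = bootstrap.ljust(PART_TABLE_OFF, b"\x00")[:PART_TABLE_OFF]
    # One bootable partition, type 0x07 (NTFS), starting at LBA 63, 2,000,000 sectors long.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2_000_000)
    table = entry + b"\x00" * (16 * 3)   # the remaining three slots are empty
    return code + table + BOOT_SIG


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four classic 16-byte partition entries found at offset 446."""
    entries = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootstrap_fingerprint(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code; compare with a baseline taken when the host was clean."""
    return hashlib.sha256(mbr[:PART_TABLE_OFF]).hexdigest()


def compare_mbr(user_view: bytes, kernel_view: bytes) -> list:
    """Cross-check two reads of sector 0 and return a list of findings (empty = consistent)."""
    if len(user_view) != SECTOR_SIZE or len(kernel_view) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    findings = []
    for name, view in (("user", user_view), ("kernel", kernel_view)):
        if view[510:512] != BOOT_SIG:
            findings.append(f"{name} view: boot signature 0x55AA missing")
    if user_view == kernel_view:
        return findings
    diff = [i for i in range(SECTOR_SIZE) if user_view[i] != kernel_view[i]]
    if diff[-1] < PART_TABLE_OFF:
        # Only the code region differs while the partition table is intact: the pattern
        # of a bootkit that swaps the loader but keeps the disk layout usable.
        findings.append(f"bootstrap code differs in {len(diff)} byte(s) "
                        f"(first at offset {diff[0]}), partition table identical")
    else:
        findings.append(f"views differ at {len(diff)} byte(s) including the partition table or signature")
    return findings


# Constructed sample views: the kernel-level read returns a different loader than the
# user-level read, which is what a hooked disk stack hiding the real sector 0 produces.
CLEAN_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")
TAMPERED_MBR = build_sample_mbr(b"\xEB\x1E\x90\x00\x00\x00\x00\x00")

if __name__ == "__main__":
    print(parse_partition_table(CLEAN_MBR)[0])
    print(compare_mbr(CLEAN_MBR, CLEAN_MBR))      # [] : both views agree
    print(compare_mbr(CLEAN_MBR, TAMPERED_MBR))   # one finding about the bootstrap code
    print(bootstrap_fingerprint(CLEAN_MBR) == bootstrap_fingerprint(TAMPERED_MBR))  # False
```

The disagreement between the two views is the signal: a clean system returns the same 512 bytes whichever path reads them, while a bootkit that filters disk reads to hide its loader produces exactly the "code differs, partition table identical" pattern. The fingerprint check catches the other case, where both paths return the same bytes but those bytes are no longer the loader you baselined.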

Re: Trojan horse TR/Rootkit.Gen!

Posted by gahan » 02/03/10 12:14

Hi, listen...

we need to run the mbr.exe tool (see above) to remove the infection.

it won't start in safe mode, what do I do?


what do you mean it won't start?

Re: Trojan horse TR/Rootkit.Gen!

Posted by tittipe » 02/03/10 12:30

I press F5, go to safe mode, press Enter, a screen with white text appears for 1 second, then a black screen with a blinking white dash, and then nothing more...

Re: Trojan horse TR/Rootkit.Gen!

Posted by gahan » 02/03/10 12:57

The blinking white dash in the top left is perfectly normal.
Wait a bit longer for safe mode to start. The wait varies from 2 to 5 minutes.

Re: Trojan horse TR/Rootkit.Gen!

Posted by tittipe » 02/03/10 13:00

I'll try again, but I waited a good 10 minutes....

Re: Trojan horse TR/Rootkit.Gen!

Posted by tittipe » 02/03/10 13:21

I managed it, only with -f it gave me an error, so I tried running it without, tell me what I need to do....

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

Re: Trojan horse TR/Rootkit.Gen!

Posted by gahan » 02/03/10 13:37

when you type

C:\mbr.exe -f

you must leave a blank space between

C:\mbr.exe and -f

Re: Trojan horse TR/Rootkit.Gen!

Posted by tittipe » 02/03/10 14:50

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

Re: Trojan horse TR/Rootkit.Gen!

Posted by gahan » 02/03/10 14:58

ok, one last thing and then we should be done :)

run the command

C:\mbr.exe

this time without -f, and post the log

Re: Trojan horse TR/Rootkit.Gen!

Posted by tittipe » 02/03/10 15:07

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
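The three mbr.exe runs in this thread show the whole cycle: detection, the fix with -f, and the verification run where the MBR itself reads "user & kernel MBR OK" while the copy, the code and the PE file are still reported in the sectors after it. As an added example (mine, not Gmer's tool or anything the forum posted), the Python below parses that output format into a summary and derives a state plus a next step. The three sample logs are the ones posted above, embedded inline; the state names, the `next_step` wording and the byte-offset computation (sector number times 512) are my own assumptions about how an analyst would use the result.

```python
import re

SECTOR_SIZE = 512
# Matches "sector 0x..." as well as "sector at 0x..." in the detector's output lines.
SECTOR_RE = re.compile(r"sector (?:at )?(0x[0-9A-Fa-f]+)")


def parse_mbr_log(text: str) -> dict:
    """Summarise one mbr.exe run: which reads succeeded, which sectors were flagged, the state."""
    r = {"user_read": False, "kernel_read": False, "mbr_consistent": None,
         "infected": False, "restored": False, "flagged": [], "state": "unknown"}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "user: MBR read successfully":
            r["user_read"] = True
        elif line == "kernel: MBR read successfully":
            r["kernel_read"] = True
        elif line == "user & kernel MBR OK":
            r["mbr_consistent"] = True
        elif line.startswith("MBR rootkit infection detected"):
            r["infected"] = True
            r["mbr_consistent"] = False
        elif line.startswith("original MBR restored successfully"):
            r["restored"] = True
        else:
            m = SECTOR_RE.search(line)
            if m:
                sector = int(m.group(1), 16)
                kind = ("backup_mbr" if line.startswith("copy of MBR") else
                        "pe_file" if line.startswith("PE file") else "malicious_code")
                r["flagged"].append({"kind": kind, "sector": sector,
                                     "byte_offset": sector * SECTOR_SIZE})
    # Precedence: a run that could not read both views is inconclusive; a restore
    # message outranks the detection message that precedes it in the same run.
    if not (r["user_read"] and r["kernel_read"]):
        r["state"] = "incomplete"
    elif r["restored"]:
        r["state"] = "restored"
    elif r["infected"]:
        r["state"] = "infected"
    elif r["mbr_consistent"]:
        r["state"] = "clean"
    return r


def next_step(summary: dict) -> str:
    """Assumed analyst guidance derived from the state (mirrors the thread's own sequence)."""
    if summary["state"] == "infected":
        return "run mbr.exe -f to restore the original MBR, then scan again without -f"
    if summary["state"] == "restored":
        return "re-run mbr.exe without -f to confirm the MBR is consistent"
    if summary["state"] == "clean" and summary["flagged"]:
        return "MBR consistent; image the flagged sectors for analysis before wiping them"
    if summary["state"] == "clean":
        return "no findings"
    return "rerun the detector; the log did not contain both reads"


# Constructed from the logs posted in this thread (same lines, embedded as sample input).
LOG_DETECT = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""
LOG_FIX = LOG_DETECT + "original MBR restored successfully !\n"
LOG_VERIFY = """device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
"""

if __name__ == "__main__":
    for name, log in (("detect", LOG_DETECT), ("fix", LOG_FIX), ("verify", LOG_VERIFY)):
        s = parse_mbr_log(log)
        print(name, s["state"], [f["kind"] for f in s["flagged"]], "->", next_step(s))
```

The point of keeping `mbr_consistent` separate from `flagged` is the last run in the thread: the MBR is back to its original content, but the sectors far past it still hold the backup copy and the loader, so a parser that keyed only on the "malicious code" line would keep reporting an active infection.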
