Condividi:        

TROJAN/ROOTKIT GEN

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: m.paolo, kadosh, Luke57

TROJAN/ROOTKIT GEN

Postdi trilok83 » 26/02/10 00:54

Salve a tutti...
purtroppo ho beccato anch'io il sopra citato virus qualche giorno fa. L'immediato effetto indesiderato è stato quello di un rallentamento del pc, ed a volte l'ho dovuto anche riavviare perchè andava in crisi totale. Ho fatto varie scansioni con il mio Antivirus (AVG 9.0), ma il risultato è stato inutile; poi ho provato con Malware & Bitware la quale mi ha trovato il virus ma lo mette in "lista esclusioni" e non lo rimuove; poi ho scaricato SUPER ANTISPYWARE ed il risultato è stato uguale, l'ha individuato ma solo che lo mette in quarantena, nel momento in cui svuoto la quarantena il virus è ancora li. Avendolo identificato dopo varie scansioni ho provato inutilmente ad eliminarlo manualmente ed anke a cambiare estensioni. Ho provato anke con SOPHOS Antorootkit, ma il risultato è stato inutile.Leggendo nei vari forum via internet ho letto che COMBOFIX è un utile programma per eliminare questi virus solo che è consigliato l'utilizzo con esperti...quindi prima di formattarlo, mi rivolgo a voi con la speranza che il vostro aiuto possa evitare questo insano gesto "LA FORMATTAZIONE"...aggiungo tra l'altro che il SO è VISTA HOME PREMIUM SP2, già lo so che stai ridendo xkè lo so ke fa schifo...attendo UN vostro cortese aiuto, abbiate pietà di me...a presto TRILOK
trilok83
Utente Junior
 
Post: 19
Iscritto il: 26/02/10 00:30

Sponsor
 

Re: TROJAN/ROOTKIT GEN

Postdi shel » 26/02/10 09:52

ciao

purtroppo combofix non e' utilizzabile con vista

scarica virit

vai in modalita' provvisoria

aggiorna il programma e fai una scansione completa - quando finisce rilascera' un log

postalo nel forum
shel
Utente Senior
 
Post: 1326
Iscritto il: 29/08/08 21:56

Re: TROJAN/ROOTKIT GEN

Postdi -> EleKtrA <- » 26/02/10 11:11

shel ha scritto:ciao
purtroppo combofix non e' utilizzabile con vista

Ciao shel, questa informazione non è corretta.
Combofix è utilizzabile su qualsiasi sistema Windows a patto che sia a 32 bit.

Su Vista e Seven va eseguito come amministratore,
Tasto destro su Combofix.exe > esegui come amministratore.
“Ieri è storia, domani è mistero, ma oggi è un dono... per questo si chiama presente!”.
Avatar utente
-> EleKtrA <-
Moderatore
 
Post: 436
Iscritto il: 11/12/08 12:50

Re: TROJAN/ROOTKIT GEN

Postdi trilok83 » 27/02/10 14:25

Salve ragazzi...
ho fatto una scansione con hijackthis ed ho trovato questo file sospetto...
O23 - Service: YBPWJPTKZ - Sysinternals - www.sysinternals.com - C:\Users\Andrea\AppData\Local\Temp\YBPWJPTKZ.exe
ke ne pensate?

vi lascio cmq i dati scansiti:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.32.36, on 26/02/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragMonitorService.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\schtasks.exe
C:\Windows\tsnp2std.exe
C:\Windows\system32\jusched.exe
C:\Windows\ZSSnp211.EXE
C:\Windows\Domino.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\hp\kbd\kbd.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Windows\system32\conime.exe
E:\Win_Magazine.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {bd0e4d83-654e-4213-965b-fcbe887061f4} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [tsnp2std] C:\Windows\tsnp2std.exe
O4 - HKLM\..\Run: [ZSSnp211] C:\Windows\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] C:\Windows\Domino.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DefragTaskBar] "C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: StupAssist.lnk = C:\Program Files\Common Files\Nikon\Utilities\StupAssist.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ashampoo Defrag Service (AshampooDefragService) - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: YBPWJPTKZ - Sysinternals - www.sysinternals.com - C:\Users\Andrea\AppData\Local\Temp\YBPWJPTKZ.exe

--
End of file - 9756 bytes
trilok83
Utente Junior
 
Post: 19
Iscritto il: 26/02/10 00:30

Re: TROJAN/ROOTKIT GEN

Postdi Luke57 » 28/02/10 22:15

Ciao, Disattiva momentaneamente l'antivirus
Scarica Combofix sul desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Tutorial
http://www.bleepingcomputer.com/combofi ... e-combofix
Tasto destro su combofi.exe, esegui come amministratore
Non installare la recovery console
Lascia lavorare il programma senza interferire
Al termine della scansione, allega il rapporto C:\ComboFix.txt nella tua risposta.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Re: TROJAN/ROOTKIT GEN

Postdi trilok83 » 01/03/10 21:20

io t ringrazio anticipatamente per il tempo che mi stai dedicando, ora allego il log di combofix...

ComboFix 10-02-25.02 - Andrea 01/03/2010 20.58.20.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.39.1040.18.3582.2325 [GMT 1:00]
Eseguito da: c:\users\Andrea\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3413520899-2070070034-3965275467-500
c:\$recycle.bin\S-1-5-21-3847188730-3686005283-2070384624-500

.
((((((((((((((((((((((((( Files Creati Da 2010-02-01 al 2010-03-01 )))))))))))))))))))))))))))))))))))
.

2010-03-01 20:03 . 2010-03-01 20:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-24 19:57 . 2010-02-24 19:57 52224 ----a-w- c:\users\Andrea\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-24 19:17 . 2010-02-25 22:49 117760 ----a-w- c:\users\Andrea\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-24 19:17 . 2010-02-24 19:17 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-02-24 19:16 . 2010-02-24 19:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-24 19:16 . 2010-02-24 19:16 -------- d-----w- c:\users\Andrea\AppData\Roaming\SUPERAntiSpyware.com
2010-02-24 19:14 . 2010-02-24 19:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-24 19:08 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 19:08 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 19:08 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 19:08 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 19:08 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 19:08 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 19:08 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 19:08 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 19:08 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 19:07 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 19:07 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 19:07 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-24 15:15 . 2010-02-24 15:15 -------- d-----w- c:\users\Andrea\AppData\Roaming\AVG9
2010-02-23 23:57 . 2010-02-23 23:57 -------- d-----w- c:\program files\Sophos
2010-02-23 23:00 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 22:45 . 2010-02-23 22:45 -------- d-----w- c:\users\Andrea\AppData\Roaming\Uniblue
2010-02-23 22:38 . 2010-02-23 22:38 -------- d-----w- c:\program files\Uniblue
2010-02-22 19:14 . 2010-02-22 13:47 3777280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
2010-02-22 19:14 . 2010-02-22 13:47 1260800 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
2010-02-22 13:48 . 2010-02-22 13:48 -------- d-----w- C:\$AVG
2010-02-22 13:48 . 2010-02-22 13:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-22 13:48 . 2010-02-22 13:48 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-22 13:48 . 2010-02-22 13:48 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-22 13:48 . 2010-02-22 13:48 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-22 13:47 . 2010-03-01 18:51 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-22 13:47 . 2010-02-22 13:47 -------- d-----w- c:\programdata\avg9
2010-02-20 00:21 . 2010-02-20 00:21 -------- d-----w- c:\programdata\Alwil Software
2010-02-19 19:03 . 2010-02-19 19:03 -------- d-----w- c:\program files\Trend Micro
2010-02-15 22:11 . 2010-02-15 22:11 -------- d-----w- c:\users\Andrea\AppData\Local\Apple
2010-02-09 20:56 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-09 20:56 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-09 20:54 . 2009-12-04 15:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-09 20:54 . 2009-12-04 15:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-08 23:35 . 2010-02-08 23:35 -------- d-----w- c:\program files\Nuclear Coffee
2010-02-08 22:17 . 2010-02-13 15:30 -------- d-----w- c:\users\Andrea\AppData\Roaming\xVideoServiceThief
2010-02-08 22:17 . 2010-02-08 22:17 -------- d-----w- c:\program files\Xesc & Technology
2010-02-08 21:43 . 2010-02-08 21:43 -------- d-----w- c:\users\Andrea\dwhelper
2010-02-02 23:10 . 2010-02-02 23:11 -------- d-----w- C:\PCF10
2010-01-31 13:33 . 2010-01-31 13:36 -------- d-----w- c:\users\Andrea\.gimp-2.2
2010-01-31 13:27 . 2010-01-31 13:27 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 19:59 . 2007-11-21 06:37 662608 ----a-w- c:\windows\system32\perfh010.dat
2010-03-01 19:59 . 2007-11-21 06:37 120120 ----a-w- c:\windows\system32\perfc010.dat
2010-03-01 19:54 . 2008-04-30 20:38 121216 ----a-w- c:\users\Andrea\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-28 13:05 . 2010-02-28 13:04 -------- d-----w- c:\program files\Paint.NET
2010-02-28 11:58 . 2010-01-11 15:46 -------- d-----w- c:\programdata\Corel
2010-02-28 11:58 . 2009-05-10 15:56 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-02-28 11:58 . 2009-05-10 15:56 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-02-28 11:34 . 2010-02-28 11:34 -------- d-----w- c:\program files\CCleaner
2010-02-24 00:46 . 2008-12-21 09:40 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2010-02-23 23:52 . 2008-04-30 20:38 680 ----a-w- c:\users\Andrea\AppData\Local\d3d9caps.dat
2010-02-22 13:47 . 2008-07-05 11:34 -------- d-----w- c:\program files\AVG
2010-02-20 00:28 . 2009-06-02 14:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 22:14 . 2008-05-01 20:20 -------- d-----w- c:\program files\QuickTime
2010-02-15 22:13 . 2008-05-01 20:20 -------- d-----w- c:\programdata\Apple Computer
2010-02-11 00:56 . 2008-05-16 12:23 -------- d-----w- c:\programdata\Microsoft Help
2010-02-11 00:56 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-02 22:03 . 2008-12-28 10:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-02 22:03 . 2007-11-20 22:43 -------- d-----w- c:\program files\Java
2010-01-28 19:00 . 2010-01-28 19:00 -------- d-----w- c:\program files\Secunia
2010-01-26 18:55 . 2008-05-13 22:50 -------- d-----w- c:\program files\DivX
2010-01-14 10:12 . 2009-10-02 17:58 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-11 22:20 . 2010-01-11 22:20 -------- d-----w- c:\programdata\Electronic Arts
2010-01-11 22:20 . 2010-01-11 22:00 -------- d-----w- c:\program files\Electronic Arts
2010-01-11 22:19 . 2010-01-11 22:19 10134 ----a-r- c:\users\Andrea\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-01-11 22:19 . 2010-01-11 22:19 -------- d-----w- c:\program files\Microsoft WSE
2010-01-11 22:00 . 2007-11-20 22:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-11 17:27 . 2010-01-10 09:17 -------- d-----w- c:\program files\Attack on Pearl Harbor
2010-01-11 15:51 . 2009-05-10 15:56 88 --sh--r- c:\programdata\8811DCDF7C.sys
2010-01-11 15:51 . 2009-05-10 15:56 88 --sh--r- c:\programdata\8811DCDF7C.sys
2010-01-11 15:46 . 2010-01-11 15:46 -------- d-----w- c:\program files\Common Files\Protexis
2010-01-11 15:45 . 2010-01-11 15:45 -------- d-----w- c:\program files\Common Files\Corel
2010-01-11 15:44 . 2010-01-11 15:44 -------- d-----w- c:\program files\Corel
2010-01-10 09:24 . 2010-01-10 09:24 -------- d-----w- c:\programdata\Ashampoo
2010-01-10 09:24 . 2010-01-10 09:24 -------- d-----w- c:\program files\Ashampoo
2010-01-06 15:38 . 2010-02-24 19:07 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 19:07 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 19:07 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 19:07 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 08:26 . 2010-01-06 08:26 -------- d-----w- c:\program files\Microsoft
2010-01-06 08:26 . 2010-01-06 08:26 -------- d-----w- c:\program files\Windows Live
2010-01-04 21:11 . 2010-01-04 21:11 -------- d-----w- c:\program files\Zuma Deluxe
2010-01-02 06:38 . 2010-01-23 13:48 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-23 13:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-23 13:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-23 13:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-25 13:08 . 2009-07-20 22:42 4844296 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-19 14:06 . 2009-12-19 14:06 407304 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-16 15:05 . 2010-02-28 11:25 471040 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2009-12-16 15:05 . 2010-02-28 11:25 347136 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-16 15:05 . 2010-02-28 11:25 340992 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 15:05 . 2010-02-28 11:25 43008 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 15:05 . 2010-02-28 11:25 1452032 ----a-w- c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-11 11:43 . 2010-02-09 20:55 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 11:43 . 2010-02-09 20:55 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-08 20:01 . 2010-02-09 20:55 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 17:26 . 2010-02-09 20:55 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-12-08 13:12 . 2009-12-08 13:12 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-12-04 18:30 . 2010-02-09 20:55 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:29 . 2010-02-09 20:55 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:28 . 2010-02-09 20:55 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:28 . 2010-02-09 20:55 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:28 . 2010-02-09 20:55 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-04 18:28 . 2010-02-09 20:55 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:28 . 2010-02-09 20:55 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-04 18:28 . 2010-02-09 20:55 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:27 . 2010-02-09 20:55 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-03 15:14 . 2009-06-02 14:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 15:13 . 2009-06-02 14:28 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-11-21 06:51 . 2007-11-21 06:39 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-12 1414144]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"tsnp2std"="c:\windows\tsnp2std.exe" [2006-01-16 114688]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2006-08-18 49152]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-01-10 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-10 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-10 88608]
"DefragTaskBar"="c:\program files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2008-10-09 173408]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-02 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-03 1394000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-5-1 118784]
StupAssist.lnk - c:\program files\Common Files\Nikon\Utilities\StupAssist.exe [2008-5-1 31744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):2d,82,11,37,7b,47,ca,01

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [22/02/2010 14.48.29 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [22/02/2010 14.48.33 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/11/2009 8.43.30 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/11/2009 8.43.28 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [22/02/2010 14.47.42 285392]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [31/07/2008 23.44.55 717296]
S3 PSI;PSI;c:\windows\System32\drivers\psi_mf.sys [17/06/2009 13.20.34 12648]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/11/2009 8.43.30 7408]
S3 YBPWJPTKZ;YBPWJPTKZ;c:\users\Andrea\AppData\Local\Temp\YBPWJPTKZ.exe --> c:\users\Andrea\AppData\Local\Temp\YBPWJPTKZ.exe [?]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - wkwzeh

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.libero.it/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://it.yhs.search.yahoo.com/avg/sear ... -web_it&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\users\Andrea\AppData\Roaming\Mozilla\Firefox\Profiles\q68204it.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
.
------- Associazioni dei file -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-01 21:03
Windows 6.0.6002 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\wkwzeh]

.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Ora fine scansione: 2010-03-01 21:05:24
ComboFix-quarantined-files.txt 2010-03-01 20:05

Pre-Run: 344.469.225.472 byte disponibili
Post-Run: 344.468.463.616 byte disponibili

Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 12B6D45DCA89A6A7B2CBC4CB7AB0290E
trilok83
Utente Junior
 
Post: 19
Iscritto il: 26/02/10 00:30

Re: TROJAN/ROOTKIT GEN

Postdi trilok83 » 07/03/10 13:04

DEVO FARE UN'IMPORTANTE RETTIFICA....HO CAMBIATO ANTIVIRUS SONO PASSATO DA AVG 9.0 A PANDA CLOUD ANTIVIRUS. FACENDO UNA SCANSIONE CON QUESTO ANTIVIRUS MI RILEVA KE CIò KE AVEVO SEMPRE PENSATO CHE FOSSE UN TROJAN è UN WORM. DI PRECISO SI TROVA IN C:WINDOWS/SISTEM32/DRIVERS/WKWZEH.SYS ED è DI PRECISO UN WORM.SPAMTA.AIP, HO PROVATO A SEGUIRE LE LORO INDICAZIONI MA NIENTE...SAPETE QLK IN + VOI?...ASPETTO INFO GRAZIE ANTICIPATAMENTE
trilok83
Utente Junior
 
Post: 19
Iscritto il: 26/02/10 00:30


Torna a Sicurezza e Privacy


Topic correlati a "TROJAN/ROOTKIT GEN":

trojan win32/sirefef
Autore: marzianu
Forum: Sicurezza e Privacy
Risposte: 27

Chi c’è in linea

Visitano il forum: Nessuno e 40 ospiti