Rootkit virus - slow PC

How do I remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do I protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

Rootkit virus - slow PC

Post by cia2006 » 06/03/10 10:46

Hello,
Kaspersky, while scanning the PC, reports the following virus: Virus rootkit.Win32.agent.aioy in c/windows/system32/drivers/efss.sys

the problem is that when I try to delete it, Kaspersky says file not found.
I'm attaching the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10.45.31, on 06/03/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Programmi\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Programmi\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmi\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Programmi\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Programmi\Epson Software\Easy Photo Print\EPTBL.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Alaunch] C:\Windows\alaunch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Aggiungi ad Anti-Banner - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: &Tastiera Virtuale - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: C&ontrollo URL - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/re ... NPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DC7094C6-8F61-42ED-AECE-63F5EEF647C5} (UpdateC2 Control) - http://www.uusee.com/player/updateC2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FD666BB-47F9-4BAB-A452-D57AEBC27743}: NameServer = 192.168.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmi\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmi\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - \bin\fbserver.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Servizio di Google Update (gupdate1c9e5a083cbca4e) (gupdate1c9e5a083cbca4e) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Start BT in service - Unknown owner - C:\Programmi\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UPnPService - Magix AG - C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 10258 bytes

Thanks in advance for the help.
cia2006
Junior Member

Posts: 16
Joined: 17/01/07 10:36


Re: Rootkit virus - slow PC

Post by shel » 06/03/10 11:18

hi

disable your antivirus


download combofix

run ComboFix.exe
- type 1
- follow the instructions
- once the scan is finished, go to C:\ and copy/paste, in your next reply, the contents of the text file Combofix.txt
shel
Senior Member

Posts: 1326
Joined: 29/08/08 21:56

Re: Rootkit virus - slow PC

Post by cia2006 » 06/03/10 14:57

here is the combofix log:

ComboFix 10-03-05.03 - ENZO 06/03/2010 14.19.04.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1023.611 [GMT 1:00]
Eseguito da: c:\documents and settings\ENZO\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\tpBe12
c:\temp\unins000.dat
c:\windows\Readme.txt
c:\windows\system\oeminfo.ini
c:\windows\system32\_000212_.tmp.dll
c:\windows\system32\SHELLLNK.TLB
c:\windows\system32\Thumbs.db
c:\windows\system32\twain_32.dll

c:\windows\system32\userinit.exe . . . è infetto!!

.
((((((((((((((((((((((((( Files Creati Da 2010-02-06 al 2010-03-06 )))))))))))))))))))))))))))))))))))
.

2010-03-04 22:18 . 2010-03-04 22:18 932368 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-03-04 22:18 . 2010-03-04 22:18 678416 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-03-04 22:18 . 2010-03-04 22:18 604688 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-03-04 22:18 . 2010-03-04 22:18 522768 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-03-04 22:18 . 2010-03-04 22:18 1096208 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-03-04 22:17 . 2010-03-04 22:17 80400 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-03-04 22:01 . 2010-03-04 22:01 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files
2010-03-03 22:28 . 2010-03-03 22:28 -------- d-----w- C:\FOUND.045
2010-02-28 14:53 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-28 14:53 . 2010-02-28 14:53 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-02-28 14:53 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-28 14:39 . 2010-02-28 14:39 388096 ----a-r- c:\documents and settings\ENZO\Dati applicazioni\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-28 14:39 . 2010-02-28 14:39 -------- d-----w- c:\programmi\TrendMicro
2010-02-28 12:07 . 2010-02-28 12:07 -------- d-----w- C:\$AVG
2010-02-27 16:43 . 2010-02-27 16:43 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg9
2010-02-26 21:43 . 2010-02-26 21:43 -------- d-s---w- c:\documents and settings\LocalService\Preferiti
2010-02-26 21:38 . 2010-02-26 21:38 -------- d-----w- c:\documents and settings\ENZO\DoctorWeb
2010-02-26 21:20 . 2010-02-26 21:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-26 21:17 . 2009-11-25 10:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-26 19:12 . 2010-02-26 19:12 -------- d-----w- c:\programmi\Sophos
2010-02-26 18:44 . 2010-02-26 18:44 -------- d-----w- c:\windows\ERUNT
2010-02-26 07:35 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-02-26 07:35 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-02-26 07:35 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-02-26 07:35 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-02-10 22:07 . 2010-02-10 22:07 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 22:17 . 2010-03-04 22:17 397328 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2010-03-04 22:17 . 2010-03-04 22:17 315408 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-03-04 22:17 . 2010-03-04 22:17 19472 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2010-03-04 22:17 . 2010-03-04 22:17 109072 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-03-04 22:17 . 2010-03-04 22:17 397328 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2010-03-04 22:17 . 2010-03-04 22:17 109072 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-03-04 22:17 . 2010-03-04 22:17 17936 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2010-03-04 22:17 . 2010-03-04 22:17 80400 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-03-04 22:17 . 2010-03-04 22:17 315408 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-03-04 22:04 . 2010-03-04 22:04 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-04 22:04 . 2010-03-04 22:04 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-04 22:03 . 2010-03-04 22:03 -------- d-----w- c:\programmi\Kaspersky Lab
2010-02-26 20:59 . 2010-02-26 20:59 8 ----a-w- c:\documents and settings\LocalService\Dati applicazioni\rbuwzv.dat
2010-02-26 07:15 . 2010-02-26 07:15 16 ----a-w- c:\windows\system32\config\systemprofile\Dati applicazioni\rbuwzv.dat
2010-01-30 20:41 . 2010-01-30 20:41 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Bluetooth
2010-01-30 20:37 . 2010-01-30 20:37 -------- d-----w- c:\programmi\IVT Corporation
2010-01-01 10:13 . 2008-04-05 22:41 127916 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-31 16:14 . 2004-08-03 20:14 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 21:19 . 2008-08-28 21:10 24192 ----a-w- c:\documents and settings\ENZO\usbsermptxp.sys
2009-12-27 21:19 . 2008-08-28 21:10 22768 ----a-w- c:\documents and settings\ENZO\usbsermpt.sys
2009-12-27 21:19 . 2006-07-22 08:16 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2009-12-21 19:06 . 2004-08-19 12:39 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-17 07:58 . 2005-03-08 09:35 346112 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-19 12:39 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-12 20:22 . 1979-12-31 23:00 82168 ----a-w- c:\windows\system32\perfc010.dat
2009-12-12 20:22 . 1979-12-31 23:00 485232 ----a-w- c:\windows\system32\perfh010.dat
2009-12-09 10:25 . 2004-08-19 14:34 2019328 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-09 10:25 . 2004-08-19 12:34 2139648 ----a-w- c:\windows\system32\ntoskrnl.exe
2005-11-04 16:59 . 2005-11-04 16:59 135525 ----a-w- c:\programmi\File comuni\ReportPreview.app
2007-11-01 18:38 . 2007-11-01 18:38 0 --sh--w- c:\windows\SB8FC43C8.tmp
2008-10-04 14:32 . 2008-10-04 14:32 75 --sh--r- c:\windows\ICMET20.BIN
2006-02-10 15:48 . 2006-01-05 20:30 56 --sh--r- c:\windows\system32\ECB1598F86.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Alaunch"="c:\windows\alaunch.exe" [2002-05-24 409657]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 57344]
"AVP"="c:\programmi\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-23 3756032]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2007-12-11 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\ENZO\\Desktop\\mIRC-6.31-ITA_TuttoIRC\\mIRC.exe"=
"c:\\Programmi\\TVAnts\\Tvants.exe"=
"c:\\Programmi\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Documents and Settings\\ENZO\\Dati applicazioni\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:4\\mIRC-6.31-ITA_TuttoIRC\\mIRC.exe"=
"c:\\Programmi\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4661:TCP"= 4661:TCP:192.168.2.100
"4672:UDP"= 4672:UDP:192.168.2.100
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 21.18.34 36880]
R2 ACEDRV08;ACEDRV08;c:\windows\system32\drivers\ACEDRV08.sys [05/09/2007 19.41.43 108768]
R2 Start BT in service;Start BT in service;c:\programmi\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [30/09/2007 9.16.38 51816]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [14/09/2009 14.42.46 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [02/10/2009 19.39.44 19472]
S1 SASKUTIL;SASKUTIL;\??\c:\programmi\SUPERAntiSpyware\SASKUTIL.sys --> c:\programmi\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 ShldDrv;Panda File Shield Driver; [x]
S2 gupdate1c9e5a083cbca4e;Servizio di Google Update (gupdate1c9e5a083cbca4e);c:\programmi\Google\Update\GoogleUpdate.exe [05/06/2009 7.43.10 133104]
S2 PavProc;Panda Process Protection Driver; [x]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;\bin\fbserver.exe --> \bin\fbserver.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\19.tmp --> c:\windows\system32\19.tmp [?]
S3 UPnPService;UPnPService;c:\programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe [13/06/2008 21.21.51 544768]
S3 VtcDrv;Philips SA60xx Recovery Device;c:\windows\system32\drivers\vtcdrv.sys [18/07/2007 12.23.11 18560]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - esff
.
Contenuto della cartella 'Scheduled Tasks'

2010-03-06 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-17 21:22]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-05 06:43]

2010-03-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-05 06:43]

2010-03-06 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-02 21:18]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Aggiungi all'elenco di stampa Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Anteprima Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Stampa ad alta velocità Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Stampa Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: {0FD666BB-47F9-4BAB-A452-D57AEBC27743} = 192.168.2.1
DPF: {DC7094C6-8F61-42ED-AECE-63F5EEF647C5} - hxxp://www.uusee.com/player/updateC2.cab
FF - ProfilePath - c:\documents and settings\ENZO\Dati applicazioni\Mozilla\Firefox\Profiles\380uycfo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPJava11.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPJava12.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPJava13.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPJava14.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPJava32.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPJPI142_05.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPOJI610.dll
FF - plugin: c:\programmi\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

Notify-avgrsstarter - avgrsstx.dll
Notify-WgaLogon - (no file)
AddRemove-2D & 3D Animator - c:\program files\2D and 3D Animator\PY_UNINSTAL.EXE SOFTWARE\PySoft\AD_DESIGNER
AddRemove-Allok Video to PSP Converter_is1 - j:\allok psp\Allok Video to PSP Converter\unins000.exe
AddRemove-mIRC - f:\miracle\Miracle black modificato www.tuttopcs.blogspot.com\miracleB.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 14:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\19.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\esff]
"ImagePath"="System32\drivers\esff.sys"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-2609876391-452860213-420786476-1005\Software\Zepter Software\RegLib*1a1a1b96]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2609876391-452860213-420786476-1005\Software\Zepter Software\RegLib*1a1a1b96\AnyDVD/1]
"1"=dword:44807a95
"2"=dword:472a1cb0

[HKEY_LOCAL_MACHINE\software\Classes\Applications\PowerDVD.exe\shell]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\DependentComponents]
@DACL=(02 0000)
@SACL=
"AvRack"="AvRack"
"iGxShareMedia1"="iGxShareMedia1"
"videoimpression"="videoimpression"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(3888)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\programmi\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\IVT Corporation\BlueSoleil\BTNtService.exe
c:\programmi\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\programmi\File comuni\InterVideo\DeviceService\DevSvc.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\AGRSMMSG.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Ora fine scansione: 2010-03-06 14:50:20 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2010-03-06 13:50

Pre-Run: 94.693.883.904 byte disponibili
Post-Run: 95.237.865.472 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\="Sistema operativo precedente su C:"

- - End Of File - - 3F91168508837F9BBA623E7F9A727957
cia2006
Junior Member

Posts: 16
Joined: 17/01/07 10:36
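The two logs posted so far (the HijackThis log in the first post and the ComboFix log above) contain the entries the helper acts on in the next reply: a Winlogon notify entry and a protocol handler whose files are gone, a service with no publisher, a driver image under system32 with a .tmp name, and a driver ComboFix lists as in memory but deregistered while a service key still points at its image. As an added example that is not part of the thread, of HijackThis or of ComboFix, the following Python script runs those defender-side checks over constructed sample lines modelled on the two log formats. The labels, regular expressions, function names and sample lines are mine.

```python
"""Triage helper for HijackThis and ComboFix log lines.

Added example for this thread; it is not part of the forum post, of
HijackThis or of ComboFix. The labels, regexes and sample lines are mine.
"""
import re

# Constructed sample lines, modelled on the two log formats in the thread.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmi\IVT Corporation\BlueSoleil\BTNtService.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\19.tmp --> c:\windows\system32\19.tmp [?]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [14/10/2009 21.18.34 36880]
*Deregistered* - esff
"ImagePath"="System32\drivers\esff.sys"
"ImagePath"="\??\c:\windows\system32\19.tmp"
"""

# Per-line checks, applied in order; the first match labels the line.
CHECKS = [
    # HijackThis marks registry entries whose target file is gone.
    ("orphan-reference", re.compile(r"\((file missing|no file)\)", re.I)),
    # An O23 service entry with no publisher string.
    ("unknown-publisher", re.compile(r"^O23 - Service: .* - Unknown owner - ", re.I)),
    # A driver or service image living in a .tmp file directly under system32.
    ("driver-from-tmp", re.compile(r"system32\\[^\\]+\.tmp\b", re.I)),
]
# ComboFix lists drivers present in memory but no longer registered.
DEREGISTERED = re.compile(r"^\*Deregistered\* - (\S+)")


def triage(lines):
    """Return a list of (label, line) findings for the given log lines."""
    lines = [line.rstrip() for line in lines if line.strip()]
    # First pass: collect the driver names ComboFix reported as deregistered.
    deregistered = set()
    for line in lines:
        m = DEREGISTERED.match(line)
        if m:
            deregistered.add(m.group(1).lower())
    findings = []
    for line in lines:
        for label, pattern in CHECKS:
            if pattern.search(line):
                findings.append((label, line))
                break
        else:
            if DEREGISTERED.match(line):
                findings.append(("deregistered-driver", line))
                continue
            # Second pass: a service key still pointing at a deregistered driver's image.
            low = line.lower()
            if any(name + ".sys" in low for name in deregistered):
                findings.append(("deregistered-driver-image", line))
    return findings


def summarize(findings):
    """Count findings per label."""
    counts = {}
    for label, _ in findings:
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for label, line in found:
        print(f"[{label:26}] {line}")
    print(summarize(found))
```

Every hit is a lead for manual review, not a verdict: orphaned references are usually leftovers of uninstalled software (the avgrsstarter entry is consistent with the AVG remnants visible elsewhere in the log), whereas a driver image with a .tmp name under system32 and a deregistered driver that still has a service key deserve a close look, which is exactly what the helper's CFScript in the next reply targets.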

Re: Rootkit virus - slow PC

Post by shel » 06/03/10 23:27

open a text file (with Windows Notepad) and paste the following script into it:

Code:
file::
C:/WINDOWS/System32/drivers/esff.sys
c:\windows\system32\ECB1598F86.sys
c:\windows\system32\19.tmp

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\esff]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\esff]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\esff]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\esff]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\esff]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\esff]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\esff]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\esff]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\esff]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\esff]
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"=-




save the file in the same folder where you put combofix, naming it CFScript.txt (the name is mandatory)

Once that is done, drag the file onto the combofix icon with the mouse pointer. The program will start a new scan, like the previous one. Do not do or move anything. When it finishes, if the computer does not restart automatically, restart it yourself. Attach the new c:\combofix.txt file produced by the scan.


Combofix also detected an infection in the registry

to remove it, run this scan

download malwarebytes

Update it: click the "updates" tab => "check for updates"
Run a "full scan" (select the option)
When the scan is complete, post the report.
shel
Senior Member

Posts: 1326
Joined: 29/08/08 21:56
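The script format in the reply above has two sections: "file::" lists one path per line to delete, and "Registry::" uses REGEDIT syntax, where "[-KEY]" deletes a whole key and a line of the form "name"=- deletes a single value under the key named on the preceding line. Since every entry is an irreversible deletion, it is worth reading a script back before dragging it onto ComboFix. The following Python parser is an added example, not code from the thread or from ComboFix; it assumes only the grammar visible in the post (those two directive names and the two deletion forms), normalises forward slashes to backslashes, and reports any line it cannot classify. The embedded sample script is a subset of the one in the post; the class and function names are mine.

```python
"""Reader for the CFScript format shown in the reply above.

Added example, not code from the thread or from ComboFix. It assumes only
the grammar visible in the post: a 'file::' section with one path per line
and a 'Registry::' section where [-KEY] deletes a key and "name"=- deletes
a value under the most recently named key.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the script posted in the thread.
SAMPLE_SCRIPT = r"""
file::
C:/WINDOWS/System32/drivers/esff.sys
c:\windows\system32\19.tmp

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\esff]
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MEMSWEEP2]
"ImagePath"=-
"""

SECTION = re.compile(r"^(\w+)::$")            # e.g. file::  Registry::
KEY = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")   # [KEY] names a key, [-KEY] deletes it
VALUE_DEL = re.compile(r'^"([^"]+)"=-$')       # "name"=- deletes one value
ABS_PATH = re.compile(r"^[a-zA-Z]:\\")


@dataclass
class CFScript:
    files: list = field(default_factory=list)
    deleted_keys: list = field(default_factory=list)
    deleted_values: list = field(default_factory=list)  # (key, value name)
    warnings: list = field(default_factory=list)


def parse_cfscript(text):
    """Parse a CFScript into the deletions it would perform, plus warnings."""
    script = CFScript()
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            # Windows paths use backslashes; keep the script canonical.
            path = line.replace("/", "\\")
            if path != line:
                script.warnings.append(f"line {lineno}: forward slashes normalised")
            if not ABS_PATH.match(path):
                script.warnings.append(f"line {lineno}: not an absolute drive path")
            script.files.append(path)
        elif section == "registry":
            km = KEY.match(line)
            if km:
                minus, key = km.groups()
                current_key = key
                if minus:
                    script.deleted_keys.append(key)
                continue
            vm = VALUE_DEL.match(line)
            if vm and current_key:
                script.deleted_values.append((current_key, vm.group(1)))
            else:
                script.warnings.append(f"line {lineno}: unrecognised registry line")
        else:
            script.warnings.append(f"line {lineno}: line outside a known section")
    return script


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    for path in plan.files:
        print("delete file :", path)
    for key in plan.deleted_keys:
        print("delete key  :", key)
    for key, name in plan.deleted_values:
        print("delete value:", name, "under", key)
    for warning in plan.warnings:
        print("warning     :", warning)
```

Reading the plan back makes the scope of the script explicit: in the posted version, the file deletions cover the driver images the ComboFix log flagged, the key deletions remove the esff service and its Enum\Root entries from every control set, and the value deletion only clears the ImagePath of MEMSWEEP2 without removing that key.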

Re: Rootkit virus - slow PC

Post by cia2006 » 13/03/10 23:35

here are the two logs:

ComboFix 10-03-13.01 - ENZO 13/03/2010 23.07.02.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1023.613 [GMT 1:00]
Eseguito da: c:\combofix\ComboFix.exe
Opzioni usate :: c:\combofix\CFScript.txt
AV: avast! antivirus 4.7.1098 [VPS 100313-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Creati Da 2010-02-13 al 2010-03-13 )))))))))))))))))))))))))))))))))))
.

2010-03-13 22:00 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-13 22:00 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-13 21:53 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-13 21:53 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-13 21:53 . 2009-11-24 23:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-13 21:53 . 2009-11-24 23:51 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-13 21:53 . 2009-11-24 23:51 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-13 21:53 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-03-13 21:53 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-03 22:28 . 2010-03-03 22:28 -------- d-----w- C:\FOUND.045
2010-02-28 14:53 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-28 14:53 . 2010-02-28 14:53 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-02-28 14:53 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-28 14:39 . 2010-02-28 14:39 -------- d-----w- c:\programmi\TrendMicro
2010-02-27 16:43 . 2010-02-27 16:43 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg9
2010-02-26 21:43 . 2010-02-26 21:43 -------- d-s---w- c:\documents and settings\LocalService\Preferiti
2010-02-26 21:38 . 2010-02-26 21:38 -------- d-----w- c:\documents and settings\ENZO\DoctorWeb
2010-02-26 21:20 . 2010-02-26 21:20 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-02-26 21:17 . 2009-11-25 10:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-26 19:12 . 2010-02-26 19:12 -------- d-----w- c:\programmi\Sophos
2010-02-26 18:44 . 2010-02-26 18:44 -------- d-----w- c:\windows\ERUNT
2010-02-26 07:35 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-02-26 07:35 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-02-26 07:35 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-02-26 07:35 . 2004-08-03 22:00 8192 ----a-w- c:\windows\system32\dllcache\i2omgmt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 07:32 . 2005-07-18 11:18 183136 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-02-26 20:59 . 2010-02-26 20:59 8 ----a-w- c:\documents and settings\LocalService\Dati applicazioni\rbuwzv.dat
2010-01-30 20:41 . 2010-01-30 20:41 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Bluetooth
2010-01-30 20:37 . 2010-01-30 20:37 -------- d-----w- c:\programmi\IVT Corporation
2010-01-01 10:13 . 2008-04-05 22:41 127916 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-31 16:14 . 2004-08-03 20:14 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 21:19 . 2008-08-28 21:10 24192 ----a-w- c:\documents and settings\ENZO\usbsermptxp.sys
2009-12-27 21:19 . 2008-08-28 21:10 22768 ----a-w- c:\documents and settings\ENZO\usbsermpt.sys
2009-12-27 21:19 . 2006-07-22 08:16 22768 ----a-w- c:\windows\system32\drivers\usbsermpt.sys
2009-12-21 19:06 . 2004-08-19 12:39 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 07:58 . 2005-03-08 09:35 346112 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-19 12:39 33280 ----a-w- c:\windows\system32\csrsrv.dll
2007-11-01 18:38 . 2007-11-01 18:38 0 --sh--w- c:\windows\SB8FC43C8.tmp
2006-02-10 15:48 . 2006-01-05 20:30 56 --sh--r- c:\windows\system32\ECB1598F86.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-23 3756032]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2007-12-11 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\ENZO\\Desktop\\mIRC-6.31-ITA_TuttoIRC\\mIRC.exe"=
"c:\\Programmi\\TVAnts\\Tvants.exe"=
"c:\\Programmi\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Documents and Settings\\ENZO\\Dati applicazioni\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:4\\mIRC-6.31-ITA_TuttoIRC\\mIRC.exe"=
"c:\\Programmi\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4661:TCP"= 4661:TCP:192.168.2.100
"4672:UDP"= 4672:UDP:192.168.2.100
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R2 ACEDRV08;ACEDRV08;c:\windows\system32\drivers\ACEDRV08.sys [05/09/2007 19.41.43 108768]
R2 Start BT in service;Start BT in service;c:\programmi\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [30/09/2007 9.16.38 51816]
S1 SASKUTIL;SASKUTIL;\??\c:\programmi\SUPERAntiSpyware\SASKUTIL.sys --> c:\programmi\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 ShldDrv;Panda File Shield Driver; [x]
S2 gupdate1c9e5a083cbca4e;Servizio di Google Update (gupdate1c9e5a083cbca4e);c:\programmi\Google\Update\GoogleUpdate.exe [05/06/2009 7.43.10 133104]
S2 PavProc;Panda Process Protection Driver; [x]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;\bin\fbserver.exe --> \bin\fbserver.exe [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S3 UPnPService;UPnPService;c:\programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe [13/06/2008 21.21.51 544768]
S3 VtcDrv;Philips SA60xx Recovery Device;c:\windows\system32\drivers\vtcdrv.sys [18/07/2007 12.23.11 18560]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - ASWUPDSV
*NewlyCreated* - AVAST!_ANTIVIRUS
*NewlyCreated* - AVAST!_MAIL_SCANNER
*NewlyCreated* - AVAST!_WEB_SCANNER
*Deregistered* - esff
.
Contenuto della cartella 'Scheduled Tasks'

2010-03-13 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-17 21:22]

2010-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-05 06:43]

2010-03-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-05 06:43]

2010-03-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-02 21:18]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Aggiungi all'elenco di stampa Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Anteprima Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Stampa ad alta velocità Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Stampa Easy-WebPrint - c:\programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: {0FD666BB-47F9-4BAB-A452-D57AEBC27743} = 192.168.2.1
DPF: {DC7094C6-8F61-42ED-AECE-63F5EEF647C5} - hxxp://www.uusee.com/player/updateC2.cab
FF - ProfilePath - c:\documents and settings\ENZO\Dati applicazioni\Mozilla\Firefox\Profiles\380uycfo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-13 23:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\esff]
"ImagePath"="System32\drivers\esff.sys"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-2609876391-452860213-420786476-1005\Software\Zepter Software\RegLib*1a1a1b96]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2609876391-452860213-420786476-1005\Software\Zepter Software\RegLib*1a1a1b96\AnyDVD/1]
"1"=dword:44807a95
"2"=dword:472a1cb0

[HKEY_LOCAL_MACHINE\software\Classes\Applications\PowerDVD.exe\shell]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\DependentComponents]
@DACL=(02 0000)
@SACL=
"AvRack"="AvRack"
"iGxShareMedia1"="iGxShareMedia1"
"videoimpression"="videoimpression"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(1960)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Ora fine scansione: 2010-03-13 23:14:24
ComboFix-quarantined-files.txt 2010-03-13 22:14

Pre-Run: 93.894.475.776 byte disponibili
Post-Run: 93.885.661.184 byte disponibili

- - End Of File - - AB176350E9557D4235F25641B2C1199E


------------------------
Malwarebytes' Anti-Malware 1.44
Versione del database: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

13/03/2010 22.32.41
mbam-log-2010-03-13 (22-32-41).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi scansionati: 262425
Tempo trascorso: 39 minute(s), 57 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 3

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\System Volume Information\_restore{3CBBBEAA-5DBD-4631-9434-64AA1214AB43}\RP398\A0195960.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3CBBBEAA-5DBD-4631-9434-64AA1214AB43}\RP379\A0192707.exe (HackTool.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3CBBBEAA-5DBD-4631-9434-64AA1214AB43}\RP379\A0192904.sys (Malware.Trace) -> Quarantined and deleted successfully.
cia2006
Junior User

Posts: 16
Joined: 17/01/07 10:36

Re: Rootkit virus - slow PC

Posted by cia2006 » 28/03/10 08:51

The esff.sys rootkit is still on my computer; is there really no way to remove it??? :cry:
cia2006
Junior User

Posts: 16
Joined: 17/01/07 10:36

Re: Rootkit virus - slow PC

Posted by shel » 28/03/10 09:11

Open Notepad and paste this script into it:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\esff]
;



Save it to the desktop as fix.reg.

Double-click the .reg file and accept the changes.


Enable viewing of hidden files (open any folder, go to Tools --> Folder Options --> View and tick "Show hidden files and folders") and delete the infection by hand:

C:\System32\drivers\esff.sys


Run the ComboFix scan again and post the new report.
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: Rootkit virus - slow PC

Posted by antonpaco » 28/03/10 12:04

The virus shows up in the restore folders; have you disabled System Restore? Do so, restart the PC, and then remember to re-enable System Restore.
antonpaco
Junior User

Posts: 15
Joined: 15/09/08 16:54

Re: Rootkit virus - slow PC

Posted by cia2006 » 09/04/10 15:56

It won't let me delete the file; I also disabled
System Restore, restarted and re-enabled it...
Here is the new ComboFix log:

ComboFix 10-04-08.02 - ENZO 09/04/10 16.43.16.5.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1023.513 [GMT 2:00]
Eseguito da: c:\documents and settings\TEMP\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\TEMP\Dati applicazioni\inst.exe

.
((((((((((((((((((((((((( Files Creati Da 2010-03-09 al 2010-04-09 )))))))))))))))))))))))))))))))))))
.

2010-04-09 14:26 . 2004-08-19 11:39 397824 ----a-w- c:\windows\system32\CF5030.exe
2010-04-09 14:19 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2010-04-08 21:26 . 2010-04-08 21:27 -------- d-----w- c:\documents and settings\TEMP\Impostazioni locali\Dati applicazioni\Mozilla
2010-04-03 20:36 . 2010-04-03 20:36 -------- d-----w- c:\documents and settings\TEMP\Dati applicazioni\Ahead
2010-04-02 14:40 . 2010-04-02 14:40 -------- d-----w- c:\documents and settings\TEMP\Tracing
2010-04-02 07:32 . 2010-04-02 07:37 47360 ----a-w- c:\documents and settings\TEMP\Dati applicazioni\pcouffin.sys
2010-04-02 07:32 . 2010-04-02 07:32 -------- d-----w- c:\documents and settings\TEMP\Dati applicazioni\Vso
2010-04-02 06:45 . 2010-04-02 06:45 -------- d-----w- c:\documents and settings\TEMP\Dati applicazioni\Danea
2010-04-02 06:34 . 2010-04-02 06:34 -------- d-----w- c:\documents and settings\TEMP\Dati applicazioni\vlc
2010-03-31 21:32 . 2010-03-31 21:32 -------- d-----w- c:\documents and settings\TEMP\Impostazioni locali\Dati applicazioni\Temp
2010-03-31 21:24 . 2009-03-30 07:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-31 21:24 . 2009-02-13 09:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-03-31 21:24 . 2009-02-13 09:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-03-31 21:24 . 2010-03-31 21:24 -------- d-----w- c:\programmi\Avira
2010-03-31 21:24 . 2010-03-31 21:24 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Avira
2010-03-31 20:01 . 2010-03-31 20:01 -------- d-----w- c:\documents and settings\TEMP\Impostazioni locali\Dati applicazioni\ESET
2010-03-31 15:15 . 2008-03-03 12:25 5702 ---ha-w- c:\windows\nod32restoretemdono.reg
2010-03-31 14:57 . 2010-03-31 14:57 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\ESET
2010-03-31 10:55 . 2010-03-31 10:55 -------- d-----w- c:\documents and settings\TEMP\Dati applicazioni\uTorrent
2010-03-31 10:53 . 2010-03-31 10:53 -------- d-----w- c:\documents and settings\TEMP\Dati applicazioni\Any DVD Converter Professional
2010-03-31 10:26 . 2010-03-31 10:26 5918776 ----a-w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-31 05:48 . 2010-03-31 05:48 -------- d-----w- c:\documents and settings\TEMP\Impostazioni locali\Dati applicazioni\Adobe
2010-03-30 12:46 . 2010-03-30 12:46 -------- d-----w- C:\FOUND.048
2010-03-30 12:41 . 2010-03-30 12:41 -------- d-s---w- c:\documents and settings\TEMP\Documenti
2010-03-30 12:38 . 2010-03-30 12:38 -------- d-sh--w- c:\documents and settings\TEMP\PrivacIE
2010-03-30 12:36 . 2010-03-30 12:36 -------- d-----w- c:\documents and settings\TEMP\Impostazioni locali\Dati applicazioni\Ahead
2010-03-30 12:32 . 2010-03-30 12:35 -------- d-s---w- c:\documents and settings\TEMP\Preferiti
2010-03-30 12:32 . 2005-03-08 08:32 -------- d--h--r- c:\documents and settings\TEMP\Dati applicazioni
2010-03-30 12:32 . 2005-03-08 08:32 -------- d--h--w- c:\documents and settings\TEMP\Modelli
2010-03-30 12:32 . 2005-03-08 08:38 -------- d-----w- c:\documents and settings\TEMP\Impostazioni locali\Dati applicazioni\Microsoft
2010-03-30 12:32 . 2005-03-08 08:32 -------- d--h--w- c:\documents and settings\TEMP\Impostazioni locali
2010-03-30 12:31 . 2010-01-12 21:31 -------- d-sh--w- c:\documents and settings\TEMP\IETldCache
2010-03-30 12:31 . 2010-03-30 12:31 -------- d-----w- c:\documents and settings\TEMP
2010-03-29 07:16 . 2010-03-29 07:16 -------- d-----w- C:\FOUND.047
2010-03-29 07:11 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-29 07:11 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-29 07:11 . 2010-03-29 07:11 -------- d-----w- c:\programmi\Alwil Software
2010-03-28 09:34 . 2010-03-28 09:34 -------- d-----w- C:\FOUND.046
2010-03-28 09:29 . 2010-03-28 09:29 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Alwil Software
2010-03-24 12:19 . 2010-03-24 12:19 -------- d-sh--w- c:\documents and settings\LUCIA\IECompatCache
2010-03-24 12:18 . 2010-03-24 12:18 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-03-14 11:01 . 2010-02-12 09:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-02 07:32 . 2008-11-15 06:48 47360 ----a-w- c:\windows\system32\drivers\Pcouffin.sys
2010-03-31 21:18 . 2010-03-31 21:18 -------- d-----w- c:\documents and settings\TEMP\Dati applicazioni\Malwarebytes
2010-03-31 21:18 . 2010-03-31 21:18 -------- d-----w- c:\documents and settings\TEMP\Dati applicazioni\AdobeUM
2010-03-31 21:18 . 2010-03-31 21:18 -------- d-----w- c:\documents and settings\TEMP\Dati applicazioni\Symantec
2010-03-29 22:46 . 2010-02-28 13:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45 . 2010-02-28 13:53 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 06:32 . 2005-07-18 10:18 183136 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-02-28 13:53 . 2010-02-28 13:53 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2010-02-28 13:39 . 2010-02-28 13:39 -------- d-----w- c:\programmi\TrendMicro
2010-02-27 15:43 . 2010-02-27 15:43 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\avg9
2010-02-26 19:59 . 2010-02-26 19:59 8 ----a-w- c:\documents and settings\LocalService\Dati applicazioni\rbuwzv.dat
2010-02-26 18:12 . 2010-02-26 18:12 -------- d-----w- c:\programmi\Sophos
2010-02-26 06:15 . 2010-02-26 06:15 16 ----a-w- c:\windows\system32\config\systemprofile\Dati applicazioni\rbuwzv.dat
2010-02-25 06:16 . 2004-08-19 11:39 916480 ----a-w- c:\windows\system32\WININET.DLL
2007-11-01 17:38 . 2007-11-01 17:38 0 --sh--w- c:\windows\SB8FC43C8.tmp
2006-02-10 14:48 . 2006-01-05 19:30 56 --sh--r- c:\windows\system32\ECB1598F86.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 57344]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-23 3756032]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2007-12-11 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\SopCast\\SopCast.exe"=
"c:\\Programmi\\TVAnts\\Tvants.exe"=
"c:\\Programmi\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Documents and Settings\\ENZO\\Dati applicazioni\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:4\\mIRC-6.31-ITA_TuttoIRC\\mIRC.exe"=
"c:\\Programmi\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Documents and Settings\\TEMP\\Desktop\\mIRC-6.31-ITA_TuttoIRC\\mIRC.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4661:TCP"= 4661:TCP:192.168.2.100
"4672:UDP"= 4672:UDP:192.168.2.100
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [29/03/10 9.11.30 162640]
R2 ACEDRV08;ACEDRV08;c:\windows\system32\drivers\ACEDRV08.sys [05/09/07 19.41.43 108768]
R2 Start BT in service;Start BT in service;c:\programmi\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [30/09/07 9.16.38 51816]
S1 SASKUTIL;SASKUTIL;\??\c:\programmi\SUPERAntiSpyware\SASKUTIL.sys --> c:\programmi\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 ShldDrv;Panda File Shield Driver; [x]
S2 aswFsBlk;aswFsBlk;aswFsBlk.sys --> aswFsBlk.sys [?]
S2 gupdate1c9e5a083cbca4e;Servizio di Google Update (gupdate1c9e5a083cbca4e);c:\programmi\Google\Update\GoogleUpdate.exe [05/06/09 7.43.10 133104]
S2 PavProc;Panda Process Protection Driver; [x]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;\bin\fbserver.exe --> \bin\fbserver.exe [?]
S3 MEMSWEEP2;MEMSWEEP2; [x]
S3 UPnPService;UPnPService;c:\programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe [13/06/08 21.21.51 544768]
S3 VtcDrv;Philips SA60xx Recovery Device;c:\windows\system32\drivers\vtcdrv.sys [18/07/07 12.23.11 18560]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - esff
.
Contenuto della cartella 'Scheduled Tasks'

2010-04-09 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-17 20:22]

2010-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-05 05:43]

2010-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-05 05:43]

2010-04-09 c:\windows\Tasks\User_Feed_Synchronization-{C40395DF-D889-42E5-92F7-6775AC04F68E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 02:31]

2010-04-09 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-02 20:18]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {0FD666BB-47F9-4BAB-A452-D57AEBC27743} = 192.168.2.1
DPF: {DC7094C6-8F61-42ED-AECE-63F5EEF647C5} - hxxp://www.uusee.com/player/updateC2.cab
FF - ProfilePath - c:\documents and settings\TEMP\Dati applicazioni\Mozilla\Firefox\Profiles\7vynosov.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPJava11.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPJava12.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPJava13.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPJava14.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPJava32.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPJPI142_05.dll
FF - plugin: c:\programmi\Java\j2re1.4.2_05\bin\NPOJI610.dll
FF - plugin: c:\programmi\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-09 16:48
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\esff]
"ImagePath"="System32\drivers\esff.sys"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Applications\PowerDVD.exe\shell]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\DependentComponents]
@DACL=(02 0000)
@SACL=
"AvRack"="AvRack"
"iGxShareMedia1"="iGxShareMedia1"
"videoimpression"="videoimpression"
.
Ora fine scansione: 2010-04-09 16:50:48
ComboFix-quarantined-files.txt 2010-04-09 14:50

Pre-Run: 99.514.089.472 byte disponibili
Post-Run: 99.663.118.336 byte disponibili

Current=1 Default=1 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 6647970ED38968741059A67B0975A24E
cia2006
Junior User

Posts: 16
Joined: 17/01/07 10:36

Re: Rootkit virus - slow PC

Posted by Luke57 » 10/04/10 21:27

Hi, put the following text in the CFScript.txt file:

Code:
Driver::
esff

File::
C:/WINDOWS/System32/drivers/esff.sys

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\esff]


Do the drag-the-file-onto-ComboFix procedure, wait for the new scan, and post the new report.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10
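The two ComboFix reports above, and the CFScript Luke57 wrote from them, follow one pattern: the driver is already unloaded (`*Deregistered* - esff`), but a `Services\esff` key with an `ImagePath` survives in one control set (ControlSet004 in the first report, ControlSet001 in the second), which is why scanners keep naming the file and then report it as not found when asked to delete it. The Python script below is an added example, not code from this forum or from ComboFix: it pulls those facts out of report lines shaped like the ones quoted here and renders the `Driver::` / `File::` / `Registry::` sections in the form used in this thread. It assumes `C:\WINDOWS` as the system root for relative `ImagePath` values, and it reads a trailing `[x]` or `[?]` on a service line as ComboFix's marker for an image file that is missing or could not be verified (my reading of the reports above, not a documented format). The sample log inside it is constructed from lines in this thread.

```python
import re

# Constructed sample in the shape of the ComboFix reports quoted in this
# thread: service lines from "Punti Reg Caricati", the "Altri Servizi/Drivers
# In Memoria" block and the orphan service key printed after the catchme scan.
SAMPLE_LOG = r"""
R2 ACEDRV08;ACEDRV08;c:\windows\system32\drivers\ACEDRV08.sys [05/09/2007 19.41.43 108768]
S1 SASKUTIL;SASKUTIL;\??\c:\programmi\SUPERAntiSpyware\SASKUTIL.sys --> c:\programmi\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 ShldDrv;Panda File Shield Driver; [x]
S3 MEMSWEEP2;MEMSWEEP2; [x]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - ASWUPDSV
*Deregistered* - esff
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\esff]
"ImagePath"="System32\drivers\esff.sys"
"""

SYSTEM_ROOT = "C:\\WINDOWS"  # assumption: XP default, matches the paths in the reports

# "<start type> <name>;<display name>;<image and details>"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
MEMORY_RE = re.compile(r"^\*(NewlyCreated|Deregistered)\*\s+-\s+(\S+)$")
SVC_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\\]]+)\]$",
    re.IGNORECASE,
)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(.+)"$')


def parse_combofix(text):
    """Collect the service facts a helper looks for in a ComboFix report."""
    findings = {"unresolved_image": [], "deregistered": [], "newly_created": [], "orphan_keys": []}
    pending_key = None  # (control set, service) whose ImagePath line comes next
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, tail = m.groups()
            # Assumption: ComboFix ends the line with [x] when the image file is
            # missing and with [?] when it could not verify the path.
            if tail.rstrip().endswith(("[x]", "[?]")):
                findings["unresolved_image"].append((start, name.strip()))
            pending_key = None
            continue
        m = MEMORY_RE.match(line)
        if m:
            kind, name = m.groups()
            findings["deregistered" if kind == "Deregistered" else "newly_created"].append(name)
            pending_key = None
            continue
        m = SVC_KEY_RE.match(line)
        if m:
            pending_key = (m.group(1), m.group(2))
            continue
        m = IMAGEPATH_RE.match(line)
        if m and pending_key:
            control_set, name = pending_key
            findings["orphan_keys"].append(
                {"control_set": control_set, "service": name, "image_path": m.group(1)}
            )
        pending_key = None
    return findings


def persistent_ghosts(findings):
    """Services unloaded from memory whose registry key still survives in some
    control set: the key keeps the name alive, so a scanner reports the driver
    again and then says "file not found" when asked to delete it."""
    gone = set(findings["deregistered"])
    return [o for o in findings["orphan_keys"] if o["service"] in gone]


def to_disk_path(image_path):
    """Turn a service ImagePath value into the on-disk path a File:: line needs."""
    p = image_path
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    elif not re.match(r"^[A-Za-z]:\\", p):  # relative values are under %SystemRoot%
        p = SYSTEM_ROOT + "\\" + p.lstrip("\\")
    return p


def build_cfscript(orphans):
    """Render Driver::, File:: and Registry:: sections in the form used in this
    thread, deleting the service key in every control set it was seen in."""
    names, files, keys = [], [], []
    for o in orphans:
        if o["service"] not in names:
            names.append(o["service"])
        path = to_disk_path(o["image_path"])
        if path not in files:
            files.append(path)
        keys.append("[-HKEY_LOCAL_MACHINE\\System\\%s\\Services\\%s]" % (o["control_set"], o["service"]))
    return "\n".join(["Driver::", *names, "", "File::", *files, "", "Registry::", *keys, ""])


if __name__ == "__main__":
    found = parse_combofix(SAMPLE_LOG)
    for start, name in found["unresolved_image"]:
        print("service with unresolved image:", start, name)
    print(build_cfscript(persistent_ghosts(found)))
```

Run against a full report, the `unresolved_image` list also turns up the leftovers of earlier security products (SASKUTIL, the Panda drivers, MEMSWEEP2 in the reports above), which are noise to be cleaned but not the rootkit; the cross-check in `persistent_ghosts` is what singles out esff. Because a control set that is not current can hold its own copy of the key, shel's first script deleted `Services\esff` from CurrentControlSet and ControlSet001 through 004 at once; the generator here only emits the control sets the report actually showed, so extend the `Registry::` section by hand if the report lists more than one.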

