
worm CONFLICKER.X

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want answers to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

worm CONFLICKER.X

Posted by seriz » 05/01/09 12:43

On the server at the office where I work we caught the virus variant win32/conficker.x worm.
The worm was detected by NOD32 and blocked, but not removed.

What should I do?

Thanks
seriz
Junior User
 
Posts: 16
Joined: 03/09/07 08:38


Re: worm CONFLICKER.X

Posted by shel » 05/01/09 12:49

Hi,

post a HijackThis log - http://www.trendsecure.com/portal/en-US ... kthis.php#

Once you have downloaded the executable, place it in a dedicated folder of its own that you created beforehand, for example in C:\Programmi. This is because, if it does not have its own dedicated folder, it cannot create a backup of the entries it removes before performing the cleanup.
Now launch the program by clicking the executable and start the scan, choosing the option "Do a system scan and save a logfile". Post the report here in the forum.
shel
Senior User
 
Posts: 1326
Joined: 29/08/08 21:56

Re: worm CONFLICKER.X

Posted by seriz » 05/01/09 13:15

Here is the result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.13.52, on 05/01/2009
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Persits Software\AspEmail\BIN\EmailAgent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\System32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINNT\System32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINNT\System32\CPQMgmt\cpqwmgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\System32\svchost.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PAGINE BIANCHE 2005-06\CD\ServerCDItalia.exe
C:\Documents and Settings\Administrator\Desktop\PULIZIA COMPUTER\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infoimprese.it/impr/index.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKUS\S-1-5-21-854245398-1708537768-839522115-1006\..\Run: [internat.exe] internat.exe (User 'ASPNET')
O4 - HKUS\S-1-5-21-854245398-1708537768-839522115-1006\..\RunOnce: [^SetupICWDesktop] C:\Programmi\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'ASPNET')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Programmi\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Gestione servizi.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F000E49-1E38-4431-A857-FE0754C53C9B}: NameServer = 192.168.10.75,213.140.2.21
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINNT\System32\CPQNiMgt\cpqnimgt.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINNT\System32\CpqRcmc.exe
O23 - Service: Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\Compaq\vcagent\vcagent.exe
O23 - Service: Web Agent (CpqWebMgmt) - HP Corporation - C:\WINNT\System32\CPQMgmt\cpqwmgmt.exe
O23 - Service: Foundation Agent (CqMgHost) - Hewlett-Packard Company - C:\WINNT\System32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINNT\System32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINNT\System32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Persits Software EmailAgent - Persits Software, Inc. - C:\Programmi\Persits Software\AspEmail\BIN\EmailAgent.exe
O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6673 bytes
seriz
Junior User
 
Posts: 16
Joined: 03/09/07 08:38

Re: worm CONFLICKER.X

Posted by shel » 05/01/09 13:44

To remove what you have on the PC, run an online scan:

http://www.bitdefender.com/scan8/ie.html

You have to use the Internet Explorer browser.
shel
Senior User
 
Posts: 1326
Joined: 29/08/08 21:56

Re: worm CONFLICKER.X

Posted by seriz » 05/01/09 15:17

I ran the scan with BitDefender but it found nothing.......
:-((
seriz
Junior User
 
Posts: 16
Joined: 03/09/07 08:38

Re: worm CONFLICKER.X

Posted by Luke57 » 05/01/09 16:56

Hi, there is nothing in the report. Disable the antivirus and download ComboFix to the desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Once that is done, click Start > Run, and in the white box copy and paste this command, quotation marks included:

"%userprofile%\desktop\combofix.exe" /killall

Press OK. If all goes well the program starts; it may take a long time (do not do anything else during the scan). Once it has finished, if everything went well, you should find the file combofix.txt in C:\. Reboot in normal mode and post the contents of the file or attach it.
Luke57
Moderator
 
Posts: 6413
Joined: 11/08/05 19:10

Re: worm CONFLICKER.X

Posted by seriz » 08/01/09 09:52

It seems to have gone away, without doing the last step you gave me.........
The NOD32 warning about the worm no longer appears......

We'll see.
Thanks
seriz
Junior User
 
Posts: 16
Joined: 03/09/07 08:38

Re: worm CONFLICKER.X

Posted by paolop » 14/01/09 11:01

Hi, I think I have "caught it"!!!


ComboFix 09-01-13.04 - MANUTP2KDE 2009-01-14 10.43.36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.503.224 [GMT 1:00]
Eseguito da: c:\documents and settings\MANUTP2KDE\desktop\combofix.exe
Opzioni usate :: /killall
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated)
* Creato nuovo punto di ripristino
* Resident AV is active


ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\MANUTP~1\IMPOST~1\Temp\rasesnet.exe
c:\docume~1\MANUTP~1\IMPOST~1\Temp\snapsnet.exe
c:\docume~1\MANUTP~1\IMPOST~1\Temp\wavvsnet.exe
c:\recycled\Recycled
c:\windows\17PHolmes1535.exe

.
((((((((((((((((((((((((( Files Creati Da 2008-12-14 al 2009-01-14 )))))))))))))))))))))))))))))))))))
.

2009-01-14 09:52 . 2009-01-14 09:52 <DIR> d--h----- c:\windows\$hf_mig$
2009-01-13 18:06 . 2009-01-14 10:22 <DIR> d-------- C:\a-virus
2009-01-13 17:21 . 2009-01-13 17:21 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 16:23 --------- d-----w c:\programmi\ESET
2004-08-19 12:00 166,512 --sha-r c:\windows\system32\ebxmap.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"DBISQL9"="c:\programmi\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2006-11-24 139264]
"SybaseCentral43"="c:\programmi\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [2006-09-28 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-08 1451264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\MANUTP2KDE\Menu Avvio\Programmi\Esecuzione automatica\
Creazione dischi.bat.lnk - C:\Creazione dischi.bat [2008-01-14 48]
SETTIME.lnk - C:\SETTIME.BAT [2008-01-11 26]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Firewall Client Connectivity Monitor.LNK - c:\programmi\Microsoft Firewall Client\ISATRAY.EXE [2008-01-11 52496]
UltraVNC Server.lnk - c:\programmi\UltraVNC\winvnc.exe [2008-01-14 712704]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=
"c:\\Programmi\\Sybase\\Shared\\Sybase Central 4.3\\win32\\scjview.exe"=
"c:\\Programmi\\UltraVNC\\winvnc.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-08 34312]
R4 ekrn;Eset Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-08 468224]
R4 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-01-14 6016]
S3 VSPerfDrv;Performance Tools Driver;c:\programmi\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [2006-12-02 48128]
S4 ccahvno;Update Config;c:\windows\system32\svchost.exe -k netsvcs [2004-08-19 14336]
S4 ibwow;Driver Task;c:\windows\system32\svchost.exe -k netsvcs [2004-08-19 14336]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\programmi\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ibwow
ccahvno
.
Contenuto della cartella 'Scheduled Tasks'

2009-01-13 c:\windows\Tasks\At1.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At10.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At11.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At12.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At13.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At14.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At15.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At16.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At17.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At18.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At19.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At2.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At20.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At21.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At22.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At23.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At24.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At3.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At4.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At5.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At6.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At7.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At8.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At9.job
- c:\windows\system32\g5104iMO.exe []
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://it.yahoo.com/
uInternet Settings,ProxyServer = PROXYSRV:8080
uInternet Settings,ProxyOverride = <local>
IE: Add to &Teleport - c:\programmi\Teleport Pro\teleport.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\programmi\Microsoft Firewall Client\wspwsp.dll
FF - ProfilePath - c:\documents and settings\MANUTP2KDE\Dati applicazioni\Mozilla\Firefox\Profiles\ati7cnhb.default\
FF - prefs.js: browser.startup.homepage - hxxp://it.yahoo.com/
FF - prefs.js: network.proxy.ftp - PROXYSRV
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - PROXYSRV
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - PROXYSRV
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - PROXYSRV
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - PROXYSRV
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 10:50:39
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccahvno]
"ServiceDll"="c:\windows\system32\ebxmap.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ibwow]
"ServiceDll"="c:\windows\system32\ebxmap.dll"
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
.
**************************************************************************
.
Ora fine scansione: 2009-01-14 10:54:27 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-01-14 09:54:24

Pre-Run: 4.980.981.760 byte disponibili
Post-Run: 5,628,350,464 byte disponibili

165
paolop
Newbie
 
Posts: 5
Joined: 14/01/09 10:57

Re: worm CONFLICKER.X

Posted by Luke57 » 14/01/09 11:40

Hi, open a text file in Notepad and copy and paste the following code into it:

Code:
Driver::
ccahvno
ibwow

Folder::
c:\windows\Tasks

File::
c:\windows\system32\ebxmap.dll


Name it CFScript.txt and save it in the same directory as ComboFix.
Then drag it with the mouse pointer onto the ComboFix icon and the program will start a new scan. When it finishes, reboot the computer and post the new report, if one is produced.
Luke57
Moderator
 
Posts: 6413
Joined: 11/08/05 19:10
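The indicators Luke57's script targets (two svchost-hosted services with random names, one ServiceDll in system32 shared by both, and a run of At*.job scheduled tasks all launching the same executable) can be pulled out of a ComboFix log mechanically. The Python script below is an added example, not code from the thread, from ComboFix or from any of the posters: it parses a constructed log fragment modelled on the report paolop posted, flags those three indicator families, and drafts a CFScript in the same Driver:: / Folder:: / File:: layout Luke57 used. The KNOWN_NETSVCS allowlist of legitimate netsvcs members is illustrative and incomplete, and the draft goes beyond Luke57's post in also listing the executable the At jobs launch under File::.

```python
import re
from collections import defaultdict

# Illustrative, incomplete list of service names that legitimately run inside
# "svchost.exe -k netsvcs" on Windows XP. Anything else in that group gets flagged.
KNOWN_NETSVCS = {
    "audiosrv", "bits", "browser", "cryptsvc", "dhcp", "dnscache", "eventsystem",
    "helpsvc", "lanmanserver", "lanmanworkstation", "rasman", "schedule",
    "seclogon", "shellhwdetection", "srservice", "themes", "trkwks", "winmgmt",
    "wuauserv",
}

# Constructed sample modelled on the ComboFix log quoted in the thread (not a real log).
SAMPLE_LOG = r"""
R4 ekrn;Eset Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-08 468224]
S4 ccahvno;Update Config;c:\windows\system32\svchost.exe -k netsvcs [2004-08-19 14336]
S4 ibwow;Driver Task;c:\windows\system32\svchost.exe -k netsvcs [2004-08-19 14336]
S4 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [2004-08-19 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ibwow
ccahvno
.
Contenuto della cartella 'Scheduled Tasks'

2009-01-13 c:\windows\Tasks\At1.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At2.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\Backup.job
- c:\programmi\Backup\backup.exe []

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccahvno]
"ServiceDll"="c:\windows\system32\ebxmap.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ibwow]
"ServiceDll"="c:\windows\system32\ebxmap.dll"
"""

# Line shapes as they appear in the quoted log: "S4 name;display;image [date size]",
# a dated "...\Tasks\X.job" line followed by "- target []", and a Services key
# followed by its "ServiceDll" value.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[[^\]]*\]\s*$")
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(\S.*\\Tasks\\[^\\]+\.job)\s*$", re.IGNORECASE)
TASK_TARGET_RE = re.compile(r"^-\s+(.+?)\s+\[\]\s*$")
SVC_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]\s*$", re.IGNORECASE)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="([^"]+)"\s*$', re.IGNORECASE)


def parse_combofix(text):
    """Extract svchost-hosted services, the NetSvcs group, scheduled tasks and ServiceDll values."""
    lines = [ln.strip() for ln in text.splitlines()]
    svchost_services = set()
    netsvcs = []
    tasks = defaultdict(list)   # target executable -> job files that launch it
    servicedll = {}             # service name -> DLL it loads
    i = 0
    while i < len(lines):
        line = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        svc, task, key = SERVICE_RE.match(line), TASK_RE.match(line), SVC_KEY_RE.match(line)
        if svc and "svchost.exe -k netsvcs" in svc.group(4).lower():
            svchost_services.add(svc.group(2).strip())
        elif line.endswith("Svchost - NetSvcs"):
            i += 1
            while i < len(lines) and lines[i] not in ("", "."):
                netsvcs.append(lines[i])
                i += 1
            continue
        elif task and TASK_TARGET_RE.match(nxt):
            tasks[TASK_TARGET_RE.match(nxt).group(1)].append(task.group(1))
            i += 1
        elif key and SERVICEDLL_RE.match(nxt):
            servicedll[key.group(1)] = SERVICEDLL_RE.match(nxt).group(1)
            i += 1
        i += 1
    return svchost_services, netsvcs, tasks, servicedll


def analyse(text):
    """Return the three indicator families as plain data."""
    svchost_services, netsvcs, tasks, servicedll = parse_combofix(text)
    # 1. Services in the netsvcs group that are not known members of it.
    services = sorted(n for n in svchost_services | set(netsvcs)
                      if n.lower() not in KNOWN_NETSVCS)
    # 2. A ServiceDll shared by several services, or backing a flagged one.
    users = defaultdict(list)
    for name, dll in servicedll.items():
        users[dll].append(name)
    dlls = sorted(dll for dll, names in users.items()
                  if len(names) > 1 or any(n in services for n in names))
    # 3. Several At*.job tasks that all launch the same executable.
    targets, folder = [], None
    for target, jobs in tasks.items():
        at_jobs = [j for j in jobs if re.search(r"\\At\d+\.job$", j, re.IGNORECASE)]
        if len(at_jobs) >= 2:
            targets.append(target)
            folder = at_jobs[0].rsplit("\\", 1)[0]
    return {"services": services, "dlls": dlls,
            "task_targets": sorted(targets), "tasks_folder": folder}


def draft_cfscript(findings):
    """Render findings in the Driver:: / Folder:: / File:: layout used in the thread."""
    sections = []
    if findings["services"]:
        sections.append("Driver::\n" + "\n".join(findings["services"]))
    if findings["tasks_folder"]:
        sections.append("Folder::\n" + findings["tasks_folder"])
    files = findings["dlls"] + findings["task_targets"]
    if files:
        sections.append("File::\n" + "\n".join(files))
    return "\n\n".join(sections) + ("\n" if sections else "")


if __name__ == "__main__":
    print(draft_cfscript(analyse(SAMPLE_LOG)))
```

To run it against a real report, replace SAMPLE_LOG with the contents of the saved ComboFix.txt. Treat the output as a draft to review by hand before using it: the allowlist decides what counts as suspicious, so a legitimate third-party service hosted in netsvcs would be flagged too.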

Re: worm CONFLICKER.X

Posted by paolop » 14/01/09 14:04

THANKS A MILLION

It seems everything is OK now: I could tell whether I had the virus or not from an exception in the Windows firewall with a strange name (random letters) that showed up at every reboot, and now it's gone!

Anyway, here is the log

ComboFix 09-01-13.04 - MANUTP2KDE 2009-01-14 13:48:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.503.93 [GMT 1:00]
Eseguito da: c:\documents and settings\MANUTP2KDE\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\MANUTP2KDE\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Outdated)
* Creato nuovo punto di ripristino

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

FILE ::
c:\windows\system32\ebxmap.dll
c:\windows\Tasks -- Whitelisted --
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ebxmap.dll

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CCAHVNO
-------\Legacy_IBWOW
-------\Service_ccahvno
-------\Service_ibwow


((((((((((((((((((((((((( Files Creati Da 2008-12-14 al 2009-01-14 )))))))))))))))))))))))))))))))))))
.

2009-01-14 11:05 . 2009-01-14 11:06 <DIR> d-------- c:\windows\BDOSCAN8
2009-01-14 09:52 . 2009-01-14 09:52 <DIR> d--h----- c:\windows\$hf_mig$
2009-01-13 18:06 . 2009-01-14 10:22 <DIR> d-------- C:\a-virus
2009-01-13 17:21 . 2009-01-13 17:21 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 16:23 --------- d-----w c:\programmi\ESET
.

((((((((((((((((((((((((((((( snapshot@2009-01-14_10.53.38.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-09 14:01:48 118,784 ----a-w c:\windows\BDOSCAN8\bdupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w c:\windows\BDOSCAN8\ipsupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w c:\windows\bdoscandel.exe
+ 2008-01-09 14:01:48 118,784 ----a-w c:\windows\Downloaded Program Files\bdupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w c:\windows\Downloaded Program Files\ipsupd.dll
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"DBISQL9"="c:\programmi\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2006-11-24 139264]
"SybaseCentral43"="c:\programmi\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [2006-09-28 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-08 1451264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

c:\documents and settings\MANUTP2KDE\Menu Avvio\Programmi\Esecuzione automatica\
Creazione dischi.bat.lnk - C:\Creazione dischi.bat [2008-01-14 48]
SETTIME.lnk - C:\SETTIME.BAT [2008-01-11 26]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Firewall Client Connectivity Monitor.LNK - c:\programmi\Microsoft Firewall Client\ISATRAY.EXE [2008-01-11 52496]
UltraVNC Server.lnk - c:\programmi\UltraVNC\winvnc.exe [2008-01-14 712704]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=
"c:\\Programmi\\Sybase\\Shared\\Sybase Central 4.3\\win32\\scjview.exe"=
"c:\\Programmi\\UltraVNC\\winvnc.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-08 34312]
R4 ekrn;Eset Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-10-08 468224]
R4 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-01-14 6016]
S3 VSPerfDrv;Performance Tools Driver;c:\programmi\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys [2006-12-02 48128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\programmi\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contenuto della cartella 'Scheduled Tasks'

2009-01-13 c:\windows\Tasks\At1.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At10.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At11.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At12.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At13.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At14.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At15.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At16.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At17.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At18.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At19.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At2.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At20.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At21.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At22.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At23.job
- c:\windows\system32\g5104iMO.exe []

2009-01-13 c:\windows\Tasks\At24.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At3.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At4.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At5.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At6.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At7.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At8.job
- c:\windows\system32\g5104iMO.exe []

2009-01-14 c:\windows\Tasks\At9.job
- c:\windows\system32\g5104iMO.exe []
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://it.yahoo.com/
uInternet Settings,ProxyServer = PROXYSRV:8080
uInternet Settings,ProxyOverride = <local>
IE: Add to &Teleport - c:\programmi\Teleport Pro\teleport.htm
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\programmi\Microsoft Firewall Client\wspwsp.dll
FF - ProfilePath - c:\documents and settings\MANUTP2KDE\Dati applicazioni\Mozilla\Firefox\Profiles\ati7cnhb.default\
FF - prefs.js: browser.startup.homepage - hxxp://it.yahoo.com/
FF - prefs.js: network.proxy.ftp - PROXYSRV
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - PROXYSRV
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - PROXYSRV
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - PROXYSRV
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - PROXYSRV
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 13:57:55
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
.
**************************************************************************
.
Ora fine scansione: 2009-01-14 14:01:35 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-01-14 13:01:33
ComboFix2.txt 2009-01-14 10:16:34
ComboFix3.txt 2009-01-14 09:54:28

Pre-Run: 5,590,958,080 byte disponibili
Post-Run: 5,486,202,880 byte disponibili

170
paolop
Newbie
 
Posts: 5
Joined: 14/01/09 10:57

Re: worm CONFLICKER.X

Posted by paolop » 19/01/09 17:25

Sorry to bother you again, but I think a friend of mine has a similar problem, and I don't know how to set up the CFScript.txt to fix it.

Here is his log; I think there is a service that recreates the virus every time

ComboFix 09-01-15.01 - maggi 2009-01-16 16:22:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.3062.2279 [GMT 1:00]
Eseguito da: c:\documents and settings\MAGGI\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\MAGGI\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated)
FW: Trend Micro Personal Firewall *disabled*
* Creato nuovo punto di ripristino

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

FILE ::
c:\windows\system32\umsof.dll
c:\windows\Tasks -- Whitelisted --
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZEXSGX
-------\Service_zexsgx


((((((((((((((((((((((((( Files Creati Da 2008-12-16 al 2009-01-16 )))))))))))))))))))))))))))))))))))
.

2009-01-16 16:27 . 2009-01-16 16:27 <DIR> d-------- c:\temp\WPDNSE
2009-01-16 16:27 . 2009-01-16 16:27 53,248 --a------ c:\temp\catchme.dll
2009-01-16 16:25 . 2007-05-08 01:43 300,656 --a------ c:\temp\GQA943.EXE
2009-01-16 16:25 . 2009-01-16 16:25 16,384 --a----t- c:\temp\Perflib_Perfdata_ad4.dat
2009-01-16 16:25 . 2009-01-16 16:25 16,384 --a----t- c:\temp\Perflib_Perfdata_134.dat
2009-01-16 16:20 . 2009-01-16 16:27 <DIR> d-------- c:\temp\Rar$DR00.547
2009-01-15 10:18 . 2009-01-08 11:00 706,872 --a------ C:\WindowsXP-KB921883-x86-ITA.exe
2009-01-15 10:18 . 2009-01-08 11:01 654,704 --a------ C:\WindowsXP-KB958644-x86-ITA.exe
2009-01-15 09:19 . 2009-01-15 09:19 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-15 08:46 . 2009-01-15 08:47 38 --a------ c:\windows\AviSplitter.INI
2009-01-15 08:43 . 2008-07-25 09:38 323,000,872 --a------ C:\WindowsXP-KB936929-SP3-x86-ITA.exe
2009-01-14 11:44 . 2007-11-26 12:24 49,152 --a------ c:\windows\system32\LMJCALCOCX.OCX
2009-01-14 11:42 . 2009-01-14 11:48 <DIR> d-------- c:\temp\PUNCH5
2009-01-13 08:37 . 2009-01-13 08:37 <DIR> d-------- c:\temp\is-DG3OS.tmp
2009-01-13 08:37 . 2009-01-13 12:52 <DIR> d-------- c:\documents and settings\MAGGI\Dati applicazioni\Vso
2009-01-13 08:37 . 2009-01-13 08:37 47,360 --a------ c:\documents and settings\MAGGI\Dati applicazioni\pcouffin.sys
2009-01-08 16:24 . 2009-01-08 16:24 <DIR> d--h----- c:\windows\$hf_mig$
2009-01-08 16:24 . 2008-10-15 17:36 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-18 08:47 . 2008-12-18 08:47 <DIR> d-------- c:\programmi\XP Codec Pack
2008-12-18 08:47 . 2008-07-09 10:05 421,888 --a------ c:\windows\system32\ac3filter.acm
2008-12-16 16:31 . 2008-12-16 16:31 <DIR> d-------- c:\temp\Div2D9.tmp
2008-12-16 16:04 . 2008-12-16 16:04 <DIR> d-------- c:\programmi\vso
2008-12-16 16:04 . 2009-01-13 08:37 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 14:33 --------- d-----w c:\documents and settings\MAGGI\Dati applicazioni\Skype
2009-01-15 08:10 --------- d-----w c:\programmi\ContabilitaPMI
2009-01-15 08:09 --------- d-----w c:\documents and settings\MAGGI\Dati applicazioni\Eltima Software
2009-01-12 13:53 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2008-12-15 12:56 8,864 ----a-w c:\windows\system32\drivers\CDAC15BA.SYS
2008-12-15 12:56 39,936 ----a-w c:\windows\system32\drivers\CDAC11BA.EXE
2008-12-15 12:56 30,720 ---h--r c:\windows\CdaC13BA.EXE
2008-12-15 12:56 112,128 ---h--r c:\windows\CdaC14BA.DLL
2008-12-04 13:05 --------- d-----w c:\programmi\File comuni\Adobe
2008-12-04 12:51 --------- d-----w c:\documents and settings\MAGGI\Dati applicazioni\GiMagazzinoWeb
2008-12-04 09:34 --------- d-----w c:\documents and settings\MAGGI\Dati applicazioni\TortoiseSVN
2008-12-04 09:21 --------- d-----w c:\documents and settings\MAGGI\Dati applicazioni\Subversion
2008-12-04 09:20 --------- d-----w c:\programmi\TortoiseSVN
2008-12-04 09:20 --------- d-----w c:\programmi\File comuni\TortoiseOverlays
2008-12-04 09:20 --------- d-----w c:\programmi\AnkhSvn 2.0
2008-11-26 12:46 --------- d-----w c:\programmi\Axis Communications
2008-11-24 07:44 --------- d-----w c:\programmi\Beyond Compare 2
.

((((((((((((((((((((((((((((( snapshot@2009-01-16_12.35.50.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DBISQL9"="c:\programmi\File comuni\ASA9\win32\dbisqlg.exe" [2006-11-24 139264]
"SybaseCentral43"="c:\programmi\File comuni\ASA9\shared\Sybase Central 4.3\win32\scjview.exe" [2006-09-28 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\programmi\Skype\Phone\Skype.exe" [2008-05-30 21718312]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-11 137752]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"OfficeScanNT Monitor"="c:\programmi\Trend Micro\OfficeScan Client\pccntmon.exe" [2007-05-08 702072]
"NeroFilterCheck"="c:\programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"WinVNC"="c:\programmi\UltraVNC\winvnc.exe" [2006-06-18 712704]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

c:\documents and settings\MAGGI\Menu Avvio\Programmi\Esecuzione automatica\
DB Server 14.0.lnk - c:\programmi\File comuni\ASA9\win32\dbsrv9.exe [2008-05-21 73728]
dbserver P2000.lnk - c:\programmi\File comuni\ASA9\win32\dbsrv9.exe [2008-05-21 73728]
Monitor License.lnk - c:\asis1v11\BIN\tool\AprMonitorLicense.exe [2008-05-20 61440]
Sdd Service Manager.lnk - c:\asis1v11\BIN\Sddmangr.exe [2008-05-20 172138]
settime.cmd [2005-08-25 30]
Skype.lnk - c:\windows\Installer\{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}\Skype.ico [2008-07-02 94334]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Service Manager.lnk - c:\programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntivirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Asis1v11\\BIN\\tool\\AprMonitorLicense.exe"=
"c:\\Programmi\\File comuni\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Programmi\\File comuni\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Programmi\\File comuni\\ASA9\\win32\\dbeng9.exe"=
"c:\\Programmi\\File comuni\\ASA9\\win32\\dbsrv9.exe"=
"c:\\Programmi\\File comuni\\ASA9\\win32\\dbisqlg.exe"=
"c:\\Programmi\\File comuni\\ASA9\\shared\\Sybase Central 4.2\\scjview.exe"=
"c:\\Programmi\\File comuni\\ASA9\\shared\\Sybase Central 4.3\\win32\\scjview.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Visual Studio\\COMMON\\MSDev98\\Bin\\MSDEV.EXE"=
"c:\\CARLO\\Half\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-04-20 307984]
R4 dpinject;DevPartner Injection Driver;c:\programmi\File comuni\Compuware\NMShared\Injector\2.12\DPInject.sys [2007-08-10 65896]
R4 dpinjsvc;DevPartner Injection Service;c:\programmi\File comuni\Compuware\NMShared\Injector\2.12\DPInjCfgService.exe [2007-08-01 40960]
R4 NCS;DevPartner Control Service;c:\progra~1\COMPUW~1\DEVPAR~1\Analysis\NCS.exe [2007-08-10 52736]
R4 SDDServerService;SDDServerService;c:\asis1v11\BIN\SDDServerService.exe [2008-05-20 28672]
R4 SentinelKeysServer;Sentinel Keys Server;c:\programmi\File comuni\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [2008-03-21 327800]
R4 TmPreFilter;Trend Micro PreFilter;c:\programmi\Trend Micro\OfficeScan Client\tmpreflt.sys [2006-09-27 36368]
R4 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-05-21 6016]
S3 mach5;mach5;c:\windows\system32\mach5.sys [2007-08-01 26624]
S3 TmPfw;OfficeScan NT Firewall;c:\programmi\Trend Micro\OfficeScan Client\TmPfw.exe [2007-04-04 943696]
S3 TmProxy;OfficeScan NT Proxy Service;c:\programmi\Trend Micro\OfficeScan Client\TmProxy.exe [2007-04-27 575064]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\programmi\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-05 55664]
S4 TmFilter;Trend Micro Filter;c:\programmi\Trend Micro\OfficeScan Client\tmxpflt.sys [2006-09-27 205328]
.
Contenuto della cartella 'Scheduled Tasks'
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyServer = 172.17.6.2:8080
uInternet Settings,ProxyOverride = 172.17.*;127.0.0.1;localhost;192.168.211.*;*.computesweb.it;l*.computes.lan;<local>
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: imon.dll

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://190.203.79.142/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 16:27:45
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\drivers\CDAC11BA.EXE
c:\programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\programmi\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\programmi\File comuni\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\programmi\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\programmi\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\igfxsrvc.exe
c:\programmi\File comuni\Ahead\Lib\NMIndexingService.exe
c:\programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
c:\programmi\Trend Micro\OfficeScan Client\Misc\xpupg.exe
c:\programmi\Trend Micro\OfficeScan Client\PccNTUpd.exe
.
**************************************************************************
.
Ora fine scansione: 2009-01-16 16:31:45 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-01-16 15:31:42
ComboFix2.txt 2009-01-16 11:36:30

Pre-Run: 38,749,265,920 byte disponibili
Post-Run: 38,636,982,272 byte disponibili

218
paolop
Newbie

Posts: 5
Joined: 14/01/09 10:57

Re: worm CONFLICKER.X

Post by Luke57 » 19/01/09 23:28

Hi, nothing shows up in your friend's report; have him run an online scan here:
http://www.kaspersky.com/virusscanner
and then post the report.
As for you, open the folder C:\windows\tasks, go to the Advanced menu, tick "View hidden tasks", then delete the .job files in there, that is, the ones listed in your ComboFix report under
"Contenuto della cartella 'Scheduled Tasks'" (contents of the 'Scheduled Tasks' folder).
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10
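Before deleting the .job files Luke57 points at, it is worth reading what each one actually launches. The script below is an added example, not code from the thread or from ComboFix: it parses Task Scheduler .job files according to the MS-TSCH layout (a 68-byte FIXDLEN_DATA header whose field at offset 20 points to the Application Name length, followed by counted UTF-16LE strings for application, parameters, working directory, author and comment) and flags jobs that start a DLL through rundll32.exe or regsvr32.exe, the pattern conf describes for the At1/At2 tasks, as well as jobs with the AtN.job names the AT service produces. The two sample jobs at the bottom are constructed in memory so the script runs offline; the GoogleUpdate entry mirrors one in conf's report, while At1.job and its placeholder.dll are made-up stand-ins, not indicators taken from the thread.

```python
"""Triage Task Scheduler .job files for DLL-launching tasks.

Added example (not from the forum thread). Layout per MS-TSCH 2.4:
68-byte FIXDLEN_DATA header, then a variable section of counted
UTF-16LE strings. The header field at offset 20 is the file offset of
the Application Name length, which is the only anchor needed here.
"""
import ntpath
import re
import struct

FIXDLEN_DATA = 68              # size of the fixed-length header
APP_NAME_LEN_OFFSET_POS = 20   # header field: offset of the Application Name length
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe"}  # run a DLL on behalf of the task


def _read_ustr(buf, off):
    """Read one counted string: 2-byte char count (incl. NUL) + UTF-16LE text."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    raw = buf[off:off + 2 * n]
    if len(raw) != 2 * n:
        raise ValueError("truncated string in .job file")
    return raw.decode("utf-16-le").rstrip("\x00"), off + 2 * n


def parse_job(buf):
    """Return the fields a triage cares about from a .job file image."""
    if len(buf) < FIXDLEN_DATA + 2:
        raise ValueError("file shorter than FIXDLEN_DATA")
    product_version, file_version = struct.unpack_from("<HH", buf, 0)
    (app_off,) = struct.unpack_from("<H", buf, APP_NAME_LEN_OFFSET_POS)
    if app_off < FIXDLEN_DATA or app_off >= len(buf):
        raise ValueError("bad Application Name offset in header")
    app, off = _read_ustr(buf, app_off)
    params, off = _read_ustr(buf, off)
    workdir, off = _read_ustr(buf, off)
    author, off = _read_ustr(buf, off)
    comment, off = _read_ustr(buf, off)
    return {"product_version": product_version, "file_version": file_version,
            "application": app, "parameters": params, "working_dir": workdir,
            "author": author, "comment": comment}


def triage(jobs):
    """jobs: {filename: bytes}. Returns [(filename, application, parameters, reasons)]."""
    findings = []
    for name, buf in jobs.items():
        job = parse_job(buf)
        reasons = []
        exe = ntpath.basename(job["application"].strip('"')).lower()
        if exe in HOST_PROCESSES:
            reasons.append("loads a DLL through %s" % exe)
        if re.fullmatch(r"at\d+\.job", name, re.IGNORECASE):
            reasons.append("AtN.job name: created through the AT service, not by an installer")
        if reasons:
            findings.append((name, job["application"], job["parameters"], reasons))
    return findings


def scan_tasks_dir(path=r"C:\Windows\Tasks"):
    """Triage every .job file in a real Tasks folder (hidden files included)."""
    import os
    jobs = {}
    for fname in os.listdir(path):
        if fname.lower().endswith(".job"):
            with open(os.path.join(path, fname), "rb") as fh:
                jobs[fname] = fh.read()
    return triage(jobs)


# --- constructed sample data so the script runs offline -------------------

def _ustr(s):
    """Encode a counted UTF-16LE string as the .job format stores it."""
    if not s:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(s) + 1) + s.encode("utf-16-le") + b"\x00\x00"


def build_job(app, params="", workdir="", author="", comment=""):
    """Assemble a minimal well-formed .job image (no triggers, no user data)."""
    hdr = bytearray(FIXDLEN_DATA)
    struct.pack_into("<HH", hdr, 0, 0x0500, 0x0001)  # product version, file version
    var = struct.pack("<H", 0)                       # running instance count
    app_off = FIXDLEN_DATA + len(var)
    for s in (app, params, workdir, author, comment):
        var += _ustr(s)
    var += struct.pack("<H", 0)                      # user data size
    var += struct.pack("<H", 0)                      # reserved data size
    trigger_off = FIXDLEN_DATA + len(var)
    var += struct.pack("<H", 0)                      # trigger count
    struct.pack_into("<HH", hdr, APP_NAME_LEN_OFFSET_POS, app_off, trigger_off)
    return bytes(hdr) + var


# Constructed: the GoogleUpdate task mirrors one in conf's report; At1.job and
# placeholder.dll are made-up stand-ins for the tasks conf describes.
SAMPLE_JOBS = {
    "GoogleUpdateTaskMachine.job": build_job(r"c:\programmi\Google\Update\GoogleUpdate.exe"),
    "At1.job": build_job(r"c:\windows\system32\rundll32.exe",
                         r"c:\windows\system32\placeholder.dll,xyzabc"),
}

if __name__ == "__main__":
    for name, app, params, reasons in triage(SAMPLE_JOBS):
        print("%s: %s %s\n    %s" % (name, app, params, "; ".join(reasons)))
```

On a live machine `scan_tasks_dir()` reads the real folder; because the parser only follows the header's own offset field, a job whose strings were deliberately placed elsewhere still resolves, and a truncated file raises instead of silently returning an empty command line.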

Re: worm CONFLICKER.X

Post by paolop » 20/01/09 08:22

Thanks again... not 1,000 times, 10,000,
we're following the instructions
paolop
Newbie

Posts: 5
Joined: 14/01/09 10:57

Re: worm CONFLICKER.X

Post by paolop » 20/01/09 13:46

Here's the log

Tuesday, January 20, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, January 20, 2009 08:05:17
Records in database: 1652194
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
C:\Documents and Settings\MAGGI\Menu Avvio\Programmi\Esecuzione automatica
C:\Program Files
C:\Programmi
C:\WINDOWS
Scan statistics
Files scanned 75943
Threat name 2
Infected objects 3
Suspicious objects 0
Duration of the scan 01:35:21

File name Threat name Threats count
C:\Programmi\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\Programmi\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\Programmi\UltraVNC\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
The selected area was scanned.
paolop
Newbie

Posts: 5
Joined: 14/01/09 10:57

Re: worm CONFLICKER.X

Post by conf » 20/02/09 17:55

Luke57 wrote: Hi, there's nothing in the report; disable the antivirus and download ComboFix to the desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Once that's done, click Start > Run, and in the white box copy and paste this command, quotes included:

"%userprofile%\desktop\combofix.exe" /killall

Press OK; if all goes well the program starts, and it may take a long time (don't do anything else during the scan). Once it's finished, if everything went well, you should find the file combofix.txt in C:\; reboot in normal mode and post the file's contents or attach it.



Hi everyone,

searching the internet I found this thread about this worm.
I'm in exactly the same situation: NOD32 detected this Conflicker.x, and Scheduled Tasks keep appearing (At1, At2) that launch rundll32.exe plus what are the malware's parameters.

I updated Windows, updated NOD and ran the scan, but after every reboot the problem comes back after a while. :(

Following the advice in this thread I downloaded ComboFix, and this is the log it produced (but is it only a log, or does it already take action?)

Code:
ComboFix 09-02-19.01 - maspero 2009-02-20 17.25.30.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1040.18.3071.2576 [GMT 1:00]
Eseguito da: c:\documents and settings\maspero\desktop\combofix.exe
Opzioni usate :: /killall
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
 * Creato nuovo punto di ripristino
 * Resident AV is active


ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Driver/Servizi   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


(((((((((((((((((((((((((   Files Creati Da 2009-01-20 al 2009-02-20  )))))))))))))))))))))))))))))))))))
.

2009-02-20 17:02 . 2009-02-20 17:05   <DIR>   d--------   c:\programmi\Windows Live Safety Center
2009-02-20 16:36 . 2009-02-20 16:37   <DIR>   d--------   c:\windows\BDOSCAN8
2009-02-20 10:56 . 2009-02-20 11:01   <DIR>   d--------   c:\windows\NV3040468.TMP
2009-02-20 10:56 . 2008-09-17 23:55   201,050   --a------   c:\windows\system32\nvapps.nvb
2009-02-20 10:38 . 2009-02-20 10:38   <DIR>   d--------   c:\windows\system32\XPSViewer
2009-02-20 10:38 . 2009-02-20 10:38   <DIR>   d--------   c:\programmi\Reference Assemblies
2009-02-20 10:38 . 2009-02-20 10:38   <DIR>   d--------   c:\programmi\MSBuild
2009-02-20 10:37 . 2009-02-20 10:38   <DIR>   d--------   C:\32640fef16eaf6c9274a1b
2009-02-20 10:37 . 2008-07-06 13:06   1,676,288   ---------   c:\windows\system32\xpssvcs.dll
2009-02-20 10:37 . 2008-07-06 13:06   1,676,288   -----c---   c:\windows\system32\dllcache\xpssvcs.dll
2009-02-20 10:37 . 2008-07-06 11:50   597,504   -----c---   c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-20 10:37 . 2008-07-06 13:06   575,488   ---------   c:\windows\system32\xpsshhdr.dll
2009-02-20 10:37 . 2008-07-06 13:06   575,488   -----c---   c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-20 10:37 . 2008-07-06 13:06   117,760   ---------   c:\windows\system32\prntvpt.dll
2009-02-20 10:37 . 2008-07-06 13:06   89,088   -----c---   c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-20 10:34 . 2009-02-20 10:35   <DIR>   d--------   C:\836fb87bb6d6da5fdd63c7e9
2009-02-20 10:34 . 2009-02-20 10:34   <DIR>   d--------   C:\4a3fa52be2d3d727af70c6
2009-02-19 22:25 . 2009-02-19 22:25   <DIR>   d--------   c:\programmi\AnswerWorks 4.0
2009-02-19 22:16 . 2009-02-19 22:26   <DIR>   d--------   c:\programmi\AutoCAD 2007
2009-02-19 22:16 . 2009-02-19 22:27   <DIR>   d--------   c:\documents and settings\maspero\Dati applicazioni\Autodesk
2009-02-19 22:16 . 2009-02-19 22:16   <DIR>   d--------   c:\documents and settings\All Users\Dati applicazioni\Autodesk
2009-02-19 22:14 . 2009-02-19 22:26   <DIR>   d--------   c:\programmi\File comuni\Autodesk Shared
2009-02-19 22:14 . 2009-02-19 22:14   <DIR>   d--------   c:\programmi\Autodesk
2009-02-19 20:24 . 2008-10-24 12:21   455,296   -----c---   c:\windows\system32\dllcache\mrxsmb.sys
2009-02-19 20:22 . 2009-02-19 20:22   <DIR>   d--------   c:\programmi\MSXML 4.0
2009-02-19 20:22 . 2008-12-11 11:57   333,952   -----c---   c:\windows\system32\dllcache\srv.sys
2009-02-19 20:00 . 2009-02-19 20:00   <DIR>   d--------   c:\windows\ServicePackFiles
2009-02-19 20:00 . 2008-04-13 19:14   294,912   -----c---   c:\windows\system32\dllcache\dlimport.exe
2009-02-19 19:56 . 2006-12-28 12:01   19,569   --a------   c:\windows\[u]0[/u]02829_.tmp
2009-02-19 19:41 . 2008-06-14 18:32   272,768   -----c---   c:\windows\system32\dllcache\bthport.sys
2009-02-19 19:40 . 2008-09-15 16:24   1,846,400   -----c---   c:\windows\system32\dllcache\win32k.sys
2009-02-19 18:20 . 2008-06-17 20:01   8,490,496   -----c---   c:\windows\system32\dllcache\shell32.dll
2009-02-19 18:07 . 2009-02-19 18:07   <DIR>   d--h-----   c:\windows\system32\GroupPolicy
2009-02-19 16:47 . 2008-08-14 14:22   2,192,896   -----c---   c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-19 16:47 . 2008-08-14 14:22   2,148,864   -----c---   c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-19 16:47 . 2008-08-14 14:22   2,069,760   -----c---   c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-19 16:47 . 2008-08-14 14:22   2,027,520   -----c---   c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-19 16:42 . 2008-04-11 20:04   691,712   -----c---   c:\windows\system32\dllcache\inetcomm.dll
2009-02-19 16:42 . 2008-05-01 15:34   331,776   -----c---   c:\windows\system32\dllcache\msadce.dll
2009-02-19 16:39 . 2008-09-04 18:15   1,106,944   -----c---   c:\windows\system32\dllcache\msxml3.dll
2009-02-19 16:39 . 2008-10-15 17:36   337,408   -----c---   c:\windows\system32\dllcache\netapi32.dll
2009-02-19 16:27 . 2008-10-16 14:08   27,672   --a------   c:\windows\system32\wuapi.dll.mui
2009-02-19 14:33 . 2009-02-20 10:40   1,374   --a------   c:\windows\imsins.BAK
2009-02-09 10:37 . 2009-02-09 10:37   <DIR>   d--------   c:\programmi\TortoiseSVN
2009-02-09 10:37 . 2009-02-09 10:37   <DIR>   d--------   c:\programmi\File comuni\TortoiseOverlays
2009-01-29 15:55 . 2009-02-20 14:19   664   --a------   c:\windows\system32\d3d9caps.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 15:34   ---------   d-----w   c:\documents and settings\maspero\Dati applicazioni\foobar2000
2009-02-20 15:30   ---------   d-----w   c:\programmi\Mozilla Thunderbird
2009-02-20 11:22   ---------   d-----w   c:\documents and settings\Administrator.DPC\Dati applicazioni\foobar2000
2009-02-19 21:09   ---------   d-----w   c:\programmi\Microsoft Silverlight
2009-02-19 19:34   ---------   d-----w   c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-02-19 09:46   ---------   d-----w   c:\programmi\foobar2000
2009-02-18 13:08   ---------   d-----w   c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-02-17 10:47   ---------   d-----w   c:\programmi\Spybot - Search & Destroy
2009-02-17 10:38   ---------   d-----w   c:\programmi\Malwarebytes' Anti-Malware
2009-02-16 13:13   ---------   d-----w   c:\documents and settings\maspero\Dati applicazioni\FileZilla
2009-02-12 13:10   ---------   d-----w   c:\programmi\Google
2009-02-11 09:19   38,496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 09:19   15,504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-01-28 10:24   ---------   d-----w   c:\programmi\GuildFTPd
2009-01-22 10:04   ---------   d-----w   c:\programmi\CCleaner
.

(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-09-25 94208]
"Google Update"="c:\documents and settings\maspero\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2008-09-08 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"Acrobat Assistant 7.0"="c:\programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2005-09-25 155648]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-01-31 385024]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"UnlockerAssistant"="c:\programmi\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
AutoCAD Startup Accelerator.lnk - c:\programmi\File comuni\Autodesk Shared\acstart17.exe [2006-03-05 11000]
Launchy.lnk - c:\programmi\Launchy\Launchy.exe [2008-12-04 286720]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\[u]0[/u]OODBS

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Acrobat.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Acrobat.lnk
backup=c:\windows\pss\Avvio veloce di Adobe Acrobat.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^maspero^Menu Avvio^Programmi^Esecuzione automatica^Adobe Gamma.lnk]
path=c:\documents and settings\maspero\Menu Avvio\Programmi\Esecuzione automatica\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-01-18 24635]
R2 ekrn;Eset Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
S2 gupdate1c8f7ab5b44c074;Google Update Service (gupdate1c8f7ab5b44c074);c:\programmi\Google\Update\GoogleUpdate.exe [2008-08-06 133104]
S2 ipjnuvrdb;Installer Shell;c:\windows\system32\svchost.exe -k netsvcs [2006-03-02 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt   REG_MULTI_SZ      hpqcxs08

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
ipjnuvrdb
.
Contenuto della cartella 'Scheduled Tasks'

2009-02-20 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2008-09-08 08:37]

2009-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1107963886-539718272-1231754661-3393.job
- c:\documents and settings\maspero\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2008-09-08 08:37]

2009-02-19 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-02-20 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
.
.
------- Scansione supplementare -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 192.168.206.213:3128
uInternet Settings,ProxyOverride = *.local;<local>
IE: Converti destinazione link in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti nel file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti selezione in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\programmi\File comuni\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: {38021B14-24E5-45EB-9E23-2AECE18ED78A} = 192.168.202.202
FF - ProfilePath - c:\documents and settings\maspero\Dati applicazioni\Mozilla\Firefox\Profiles\e75lyydo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - component: c:\documents and settings\maspero\Dati applicazioni\Mozilla\Firefox\Profiles\e75lyydo.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\documents and settings\maspero\Dati applicazioni\Mozilla\Firefox\Profiles\e75lyydo.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\maspero\Dati applicazioni\Mozilla\Firefox\Profiles\e75lyydo.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\programmi\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\documents and settings\maspero\Impostazioni locali\Dati applicazioni\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\programmi\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 17:30:08
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ipjnuvrdb]
"ServiceDll"="c:\windows\system32\jyifu.dll"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'lsass.exe'(760)
c:\programmi\Bonjour\mdnsNSP.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\Bonjour\mDNSResponder.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\oodag.exe
c:\programmi\Analog Devices\SoundMAX\SMAgent.exe
c:\programmi\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\programmi\Adobe\Acrobat 7.0\Distillr\acrodist.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Ora fine scansione: 2009-02-20 17:33:34 - Il pc è stato riavviato
ComboFix-quarantined-files.txt  2009-02-20 16:33:31

Pre-Run: 57.036.423.168 byte disponibili
Post-Run: 57,056,944,128 byte disponibili

250   --- E O F ---   2009-02-20 09:43:39



Do I need to do anything in particular now?
Otherwise, after two days of trying, I'll have to format.
Thanks in advance.
conf
Newbie

Posts: 2
Joined: 20/02/09 17:48

Re: worm CONFLICKER.X

Post by Luke57 » 21/02/09 10:41

Hi, the report also showed a Bagle worm infection; open a text file in Windows Notepad and paste the following script into it:

Code:
Driver::
ipjnuvrdb

File::
c:\windows\system32\jyifu.dll
c:\windows\[u]0[/u]02829_.tmp
c:\windows\imsins.BAK


Save it as CFScript.txt in the same directory as ComboFix, then drag it with the mouse pointer onto the ComboFix icon; the program will run a new scan. When it's done, post the new report C:\combofix.txt.
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10
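What Luke57 read out of conf's report (the `ipjnuvrdb` service hosted by `svchost.exe -k netsvcs`, its name listed as an addition to the NetSvcs group, a `ServiceDll` pointing at `c:\windows\system32\jyifu.dll`, and `EnableFirewall = 0`) can be pulled out mechanically. The script below is an added example, not code from the thread or from ComboFix: it parses a report's service lines, the NetSvcs addition list, the `ServiceDll` values, the 'Scheduled Tasks' section and the firewall flag, then reports the combinations worth acting on. The sample text is an excerpt of conf's report as posted above, plus one constructed At1.job entry that is not in the report, of the kind conf describes.

```python
"""Pull persistence indicators out of a ComboFix report.

Added example (not from the thread). It correlates three things the
report lists separately: services hosted by 'svchost.exe -k netsvcs',
service names added to the NetSvcs group, and the ServiceDll each
such service loads; it also flags a disabled Windows Firewall and
scheduled tasks that launch a DLL through rundll32/regsvr32.
"""
import ntpath
import re

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[\d{4}-\d{2}-\d{2}\s+\d+\]$")
SVC_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]\\]+)\]$", re.I)
SERVICEDLL_RE = re.compile(r'^"ServiceDll"="([^"]+)"$', re.I)
NETSVCS_HDR_RE = re.compile(r"\\Svchost\s+-\s+NetSvcs$", re.I)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(.+\.job)$", re.I)
TASK_CMD_RE = re.compile(r"^-\s+(.+?)\s+\[\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\]$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
HOST_RE = re.compile(r"(?:^|[\\/])(rundll32|regsvr32)\.exe$", re.I)


def parse_report(text):
    """Collect services, ServiceDll values, NetSvcs additions, tasks and the firewall flag."""
    out = {"services": {}, "service_dlls": {}, "added_netsvcs": set(),
           "tasks": {}, "firewall_disabled": False}
    pending_service = pending_task = None
    in_netsvcs = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_netsvcs:                      # names listed under the NetSvcs header
            if line and line != ".":
                out["added_netsvcs"].add(line.lower())
                continue
            in_netsvcs = False
        if NETSVCS_HDR_RE.search(line):
            in_netsvcs = True
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, image = m.groups()
            out["services"][name.lower()] = (start, name, display, image)
            continue
        m = SVC_KEY_RE.match(line)
        if m:
            pending_service = m.group(1).lower()
            continue
        m = SERVICEDLL_RE.match(line)
        if m and pending_service:
            out["service_dlls"][pending_service] = m.group(1)
            pending_service = None
            continue
        m = TASK_RE.match(line)
        if m:
            pending_task = ntpath.basename(m.group(1))
            continue
        m = TASK_CMD_RE.match(line)
        if m and pending_task:
            out["tasks"][pending_task] = m.group(1)
            pending_task = None
            continue
        if FIREWALL_OFF_RE.match(line):
            out["firewall_disabled"] = True
    return out


def triage(text):
    """Return (kind, name, detail) findings for the indicators this thread discusses."""
    r = parse_report(text)
    findings = []
    for key, (start, name, display, image) in r["services"].items():
        if "svchost.exe -k netsvcs" in image.lower() and key in r["added_netsvcs"]:
            dll = r["service_dlls"].get(key, "<ServiceDll not in report>")
            findings.append(("service", name,
                             "%s service '%s' added to NetSvcs; ServiceDll=%s" % (start, display, dll)))
    for name, cmd in r["tasks"].items():
        if HOST_RE.search(cmd):
            findings.append(("task", name, "loads a DLL through %s" % cmd))
    if r["firewall_disabled"]:
        findings.append(("firewall", "standardprofile", "EnableFirewall = 0"))
    return findings


# Excerpt of conf's ComboFix report from this thread (verbatim lines).
CONF_EXCERPT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R2 ekrn;Eset Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
S2 gupdate1c8f7ab5b44c074;Google Update Service (gupdate1c8f7ab5b44c074);c:\programmi\Google\Update\GoogleUpdate.exe [2008-08-06 133104]
S2 ipjnuvrdb;Installer Shell;c:\windows\system32\svchost.exe -k netsvcs [2006-03-02 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
ipjnuvrdb
.
Contenuto della cartella 'Scheduled Tasks'

2009-02-20 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2008-09-08 08:37]

2009-02-19 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ipjnuvrdb]
"ServiceDll"="c:\windows\system32\jyifu.dll"
"""

# Constructed, not in conf's report: an AtN.job entry of the kind conf describes.
CONSTRUCTED_TASK = r"""
2009-02-20 c:\windows\Tasks\At1.job
- c:\windows\system32\rundll32.exe [2008-04-13 23:12]
"""

SAMPLE_REPORT = CONF_EXCERPT + CONSTRUCTED_TASK

if __name__ == "__main__":
    for kind, name, detail in triage(SAMPLE_REPORT):
        print("[%s] %s: %s" % (kind, name, detail))
```

Run it on a saved C:\combofix.txt with `triage(open(path, encoding="latin-1").read())`. A service that is both hosted under netsvcs and listed as a NetSvcs addition is the actionable pair; either fact alone is common on clean machines, which is why the script requires both before naming the ServiceDll.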

Re: worm CONFLICKER.X

Post by conf » 23/02/09 13:01

Thanks for the info. :)

Here is the log generated by ComboFix with the script you gave me.
Before running it I disabled NOD and restored the offending file jyifu.dll, since NOD deletes it every time it finds it, but it keeps being recreated.
I thought it was better to put it back where it was.

Here's the result:
Code:
ComboFix 09-02-21.01 - maspero 2009-02-23 12:50:16.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1040.18.3071.2514 [GMT 1:00]
Run from: C:\ComboFix.exe
Options used :: C:\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
 * New restore point created

WARNING - THIS PC DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\002829_.tmp
c:\windows\imsins.BAK
c:\windows\system32\jyifu.dll
.

(((((((((((((((((((((((((((((((((((((   Other deletions   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\imsins.BAK

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPJNUVRDB
-------\Service_ipjnuvrdb


(((((((((((((((((((((((((   Files Created From 2009-01-23 to 2009-02-23  )))))))))))))))))))))))))))))))))))
.

2009-02-23 09:45 . 2009-02-23 09:45   171,362   --ahs----   c:\windows\system32\jyifu.hd
2009-02-20 17:22 . 2009-02-23 12:47   2,924,943   -ra------   C:\ComboFix.exe
2009-02-20 17:02 . 2009-02-20 17:05   <DIR>   d--------   c:\programmi\Windows Live Safety Center
2009-02-20 16:36 . 2009-02-20 16:37   <DIR>   d--------   c:\windows\BDOSCAN8
2009-02-20 10:56 . 2009-02-20 11:01   <DIR>   d--------   c:\windows\NV3040468.TMP
2009-02-20 10:56 . 2008-09-17 23:55   201,050   --a------   c:\windows\system32\nvapps.nvb
2009-02-20 10:38 . 2009-02-20 10:38   <DIR>   d--------   c:\windows\system32\XPSViewer
2009-02-20 10:38 . 2009-02-20 10:38   <DIR>   d--------   c:\programmi\Reference Assemblies
2009-02-20 10:38 . 2009-02-20 10:38   <DIR>   d--------   c:\programmi\MSBuild
2009-02-20 10:37 . 2009-02-20 10:38   <DIR>   d--------   C:\32640fef16eaf6c9274a1b
2009-02-20 10:37 . 2008-07-06 13:06   1,676,288   ---------   c:\windows\system32\xpssvcs.dll
2009-02-20 10:37 . 2008-07-06 13:06   1,676,288   -----c---   c:\windows\system32\dllcache\xpssvcs.dll
2009-02-20 10:37 . 2008-07-06 11:50   597,504   -----c---   c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-20 10:37 . 2008-07-06 13:06   575,488   ---------   c:\windows\system32\xpsshhdr.dll
2009-02-20 10:37 . 2008-07-06 13:06   575,488   -----c---   c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-20 10:37 . 2008-07-06 13:06   117,760   ---------   c:\windows\system32\prntvpt.dll
2009-02-20 10:37 . 2008-07-06 13:06   89,088   -----c---   c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-20 10:34 . 2009-02-20 10:35   <DIR>   d--------   C:\836fb87bb6d6da5fdd63c7e9
2009-02-20 10:34 . 2009-02-20 10:34   <DIR>   d--------   C:\4a3fa52be2d3d727af70c6
2009-02-19 22:25 . 2009-02-19 22:25   <DIR>   d--------   c:\programmi\AnswerWorks 4.0
2009-02-19 22:16 . 2009-02-19 22:26   <DIR>   d--------   c:\programmi\AutoCAD 2007
2009-02-19 22:16 . 2009-02-19 22:27   <DIR>   d--------   c:\documents and settings\maspero\Dati applicazioni\Autodesk
2009-02-19 22:16 . 2009-02-19 22:16   <DIR>   d--------   c:\documents and settings\All Users\Dati applicazioni\Autodesk
2009-02-19 22:14 . 2009-02-19 22:26   <DIR>   d--------   c:\programmi\File comuni\Autodesk Shared
2009-02-19 22:14 . 2009-02-19 22:14   <DIR>   d--------   c:\programmi\Autodesk
2009-02-19 20:24 . 2008-10-24 12:21   455,296   -----c---   c:\windows\system32\dllcache\mrxsmb.sys
2009-02-19 20:22 . 2009-02-19 20:22   <DIR>   d--------   c:\programmi\MSXML 4.0
2009-02-19 20:22 . 2008-12-11 11:57   333,952   -----c---   c:\windows\system32\dllcache\srv.sys
2009-02-19 20:00 . 2009-02-19 20:00   <DIR>   d--------   c:\windows\ServicePackFiles
2009-02-19 20:00 . 2008-04-13 19:14   294,912   -----c---   c:\windows\system32\dllcache\dlimport.exe
2009-02-19 19:56 . 2006-12-28 12:01   19,569   --a------   c:\windows\002829_.tmp
2009-02-19 19:41 . 2008-06-14 18:32   272,768   -----c---   c:\windows\system32\dllcache\bthport.sys
2009-02-19 19:40 . 2008-09-15 16:24   1,846,400   -----c---   c:\windows\system32\dllcache\win32k.sys
2009-02-19 18:20 . 2008-06-17 20:01   8,490,496   -----c---   c:\windows\system32\dllcache\shell32.dll
2009-02-19 18:07 . 2009-02-19 18:07   <DIR>   d--h-----   c:\windows\system32\GroupPolicy
2009-02-19 16:47 . 2008-08-14 14:22   2,192,896   -----c---   c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-19 16:47 . 2008-08-14 14:22   2,148,864   -----c---   c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-19 16:47 . 2008-08-14 14:22   2,069,760   -----c---   c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-19 16:47 . 2008-08-14 14:22   2,027,520   -----c---   c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-19 16:42 . 2008-04-11 20:04   691,712   -----c---   c:\windows\system32\dllcache\inetcomm.dll
2009-02-19 16:42 . 2008-05-01 15:34   331,776   -----c---   c:\windows\system32\dllcache\msadce.dll
2009-02-19 16:39 . 2008-09-04 18:15   1,106,944   -----c---   c:\windows\system32\dllcache\msxml3.dll
2009-02-19 16:39 . 2008-10-15 17:36   337,408   -----c---   c:\windows\system32\dllcache\netapi32.dll
2009-02-19 16:27 . 2008-10-16 14:08   27,672   --a------   c:\windows\system32\wuapi.dll.mui
2009-02-09 10:37 . 2009-02-09 10:37   <DIR>   d--------   c:\programmi\TortoiseSVN
2009-02-09 10:37 . 2009-02-09 10:37   <DIR>   d--------   c:\programmi\File comuni\TortoiseOverlays
2009-01-29 15:55 . 2009-02-20 14:19   664   --a------   c:\windows\system32\d3d9caps.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 11:45   ---------   d-----w   c:\documents and settings\maspero\Dati applicazioni\foobar2000
2009-02-23 08:24   ---------   d-----w   c:\programmi\Mozilla Thunderbird
2009-02-20 11:22   ---------   d-----w   c:\documents and settings\Administrator.DPC\Dati applicazioni\foobar2000
2009-02-19 21:09   ---------   d-----w   c:\programmi\Microsoft Silverlight
2009-02-19 19:34   ---------   d-----w   c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-02-19 09:46   ---------   d-----w   c:\programmi\foobar2000
2009-02-18 13:08   ---------   d-----w   c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-02-17 10:47   ---------   d-----w   c:\programmi\Spybot - Search & Destroy
2009-02-17 10:38   ---------   d-----w   c:\programmi\Malwarebytes' Anti-Malware
2009-02-16 13:13   ---------   d-----w   c:\documents and settings\maspero\Dati applicazioni\FileZilla
2009-02-12 13:10   ---------   d-----w   c:\programmi\Google
2009-02-11 09:19   38,496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 09:19   15,504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-01-28 10:24   ---------   d-----w   c:\programmi\GuildFTPd
2009-01-22 10:04   ---------   d-----w   c:\programmi\CCleaner
.

(((((((((((((((((((((((((((((   SnapShot@2009-02-20_17.32.18.41   )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-20 14:45:34   67,312   ----a-w   c:\windows\system32\perfc009.dat
+ 2009-02-23 08:16:40   67,312   ----a-w   c:\windows\system32\perfc009.dat
- 2009-02-20 14:45:34   79,292   ----a-w   c:\windows\system32\perfc010.dat
+ 2009-02-23 08:16:40   79,292   ----a-w   c:\windows\system32\perfc010.dat
- 2009-02-20 14:45:34   432,356   ----a-w   c:\windows\system32\perfh009.dat
+ 2009-02-23 08:16:40   432,356   ----a-w   c:\windows\system32\perfh009.dat
- 2009-02-20 14:45:34   478,808   ----a-w   c:\windows\system32\perfh010.dat
+ 2009-02-23 08:16:40   478,808   ----a-w   c:\windows\system32\perfh010.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52   80384   --a------   c:\programmi\File comuni\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-09-25 94208]
"Google Update"="c:\documents and settings\maspero\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2008-09-08 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"Acrobat Assistant 7.0"="c:\programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2005-09-25 155648]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-01-31 385024]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-11 2512392]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"UnlockerAssistant"="c:\programmi\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
AutoCAD Startup Accelerator.lnk - c:\programmi\File comuni\Autodesk Shared\acstart17.exe [2006-03-05 11000]
Launchy.lnk - c:\programmi\Launchy\Launchy.exe [2008-12-04 286720]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\0OODBS

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Acrobat.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Acrobat.lnk
backup=c:\windows\pss\Avvio veloce di Adobe Acrobat.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^maspero^Menu Avvio^Programmi^Esecuzione automatica^Adobe Gamma.lnk]
path=c:\documents and settings\maspero\Menu Avvio\Programmi\Esecuzione automatica\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-07-01 34312]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-01-18 24635]
R2 ekrn;Eset Service;c:\programmi\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224]
S2 gupdate1c8f7ab5b44c074;Google Update Service (gupdate1c8f7ab5b44c074);c:\programmi\Google\Update\GoogleUpdate.exe [2008-08-06 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt   REG_MULTI_SZ      hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-02-23 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2008-09-08 08:37]

2009-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1107963886-539718272-1231754661-3393.job
- c:\documents and settings\maspero\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2008-09-08 08:37]

2009-02-23 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-02-23 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
.
.
------- Supplementary scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 192.168.206.213:3128
uInternet Settings,ProxyOverride = *.local;<local>
IE: Converti destinazione link in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti nel file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti selezione in Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\programmi\File comuni\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: {38021B14-24E5-45EB-9E23-2AECE18ED78A} = 192.168.202.202
FF - ProfilePath - c:\documents and settings\maspero\Dati applicazioni\Mozilla\Firefox\Profiles\e75lyydo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - component: c:\documents and settings\maspero\Dati applicazioni\Mozilla\Firefox\Profiles\e75lyydo.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - component: c:\documents and settings\maspero\Dati applicazioni\Mozilla\Firefox\Profiles\e75lyydo.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\documents and settings\maspero\Dati applicazioni\Mozilla\Firefox\Profiles\e75lyydo.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\programmi\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\documents and settings\maspero\Impostazioni locali\Dati applicazioni\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\programmi\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 12:54:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'lsass.exe'(760)
c:\programmi\Bonjour\mdnsNSP.dll
.
------------------------ Other running processes ------------------------
.
c:\programmi\Bonjour\mDNSResponder.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\oodag.exe
c:\programmi\Analog Devices\SoundMAX\SMAgent.exe
c:\programmi\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\programmi\Adobe\Acrobat 7.0\Distillr\acrodist.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Scan finished at: 2009-02-23 12:58:09 - The PC was rebooted [maspero]
ComboFix-quarantined-files.txt  2009-02-23 11:58:06

Pre-Run: 57,003,790,336 bytes free
Post-Run: 56,996,306,944 bytes free

262   --- E O F ---   2009-02-20 09:43:39

conf
Newbie
 
Posts: 2
Joined: 20/02/09 17:48
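The report above is long, and the entries that matter (a freshly created hidden+system file in system32, the firewall turned off, 3389/TCP globally open, a per-user proxy) are easy to miss by eye. The following script is an added example by the editor, not code from the forum thread, from ComboFix or from its authors: it parses ComboFix's "Files Created" lines, the firewall policy entries and the proxy setting, and returns a list of findings for review. The sample input is constructed from entries modelled on the posted log, and the severity labels and the EXPOSED_SERVICE_PORTS table are the example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's report format. The entries are modelled on lines
# in the log posted above (the +h+s jyifu.hd file, the disabled firewall, the open
# 3389/TCP port and the per-user proxy); this is test input, not the full report.
SAMPLE_REPORT = r"""
2009-02-23 09:45 . 2009-02-23 09:45   171,362   --ahs----   c:\windows\system32\jyifu.hd
2009-02-20 17:22 . 2009-02-23 12:47   2,924,943   -ra------   C:\ComboFix.exe
2009-02-20 10:37 . 2008-07-06 13:06   1,676,288   ---------   c:\windows\system32\xpssvcs.dll
2009-02-19 18:07 . 2009-02-19 18:07   <DIR>   d--h-----   c:\windows\system32\GroupPolicy
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
uStart Page = about:blank
uInternet Settings,ProxyServer = 192.168.206.213:3128
"""

# "Files Created" entry: created . modified   size   attributes   path
# The 9-character attribute field is d/r/a/h/s/c followed by three more flag slots.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[d-][r-][a-][h-][s-][c-][-a-z]{3})\s+"
    r"(?P<path>.+?)\s*$"
)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
OPEN_PORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
PROXY = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>\S+)$")

# Ports whose global exposure on a worm-infected LAN is a problem in itself:
# 445/139 carry the SMB traffic Conficker uses to spread (MS08-067), 3389 is RDP.
# This table is the example's own choice, not something ComboFix reports.
EXPOSED_SERVICE_PORTS = {"445": "SMB", "139": "NetBIOS session", "3389": "RDP"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    subject: str   # the path, port or setting the finding refers to
    reason: str


def parse_file_lines(report):
    """Yield (attributes, path) for every 'Files Created' entry in the report."""
    for raw in report.splitlines():
        m = FILE_LINE.match(raw.strip())
        if m:
            yield m.group("attrs"), m.group("path")


def triage(report):
    """Return the findings a first pass over a ComboFix report should surface."""
    findings = []
    for attrs, path in parse_file_lines(report):
        # A freshly created file carrying both the hidden and the system attribute
        # under the Windows directory is the classic companion/dropper pattern.
        if "h" in attrs and "s" in attrs and "\\windows\\" in path.lower():
            findings.append(Finding("high", path,
                                    "new hidden+system file under the Windows directory"))
    for raw in report.splitlines():
        line = raw.strip()
        if FIREWALL_OFF.match(line):
            findings.append(Finding("high", "EnableFirewall",
                                    "Windows Firewall is disabled in the standard profile"))
            continue
        m = OPEN_PORT.match(line)
        if m:
            port, proto = m.group("port"), m.group("proto")
            service = EXPOSED_SERVICE_PORTS.get(port)
            findings.append(Finding("high" if service else "review", f"{port}/{proto}",
                                    f"globally open port ({service or 'unknown service'})"))
            continue
        m = PROXY.match(line)
        if m:
            findings.append(Finding("review", m.group("proxy"),
                                    "per-user proxy configured; confirm it is the site proxy, "
                                    "not a malware redirect"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.subject}: {f.reason}")
```

Run it against a saved C:\ComboFix.txt by reading the file into `triage()`. On the sample it flags jyifu.hd (the only new file with both +h and +s), the disabled firewall and the open RDP port as high, and lists the 192.168.206.213:3128 proxy for review, while ComboFix.exe, xpssvcs.dll and the hidden-only GroupPolicy directory are left alone. The attribute check is deliberately narrow: hidden alone is common for legitimate directories, and it is the hidden+system combination on a brand-new file in system32 that deserves a look.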

