root-kit

Post by dupasquet » 17/11/09 14:29

hi and thanks in advance
operating system: windows vista
after running a scan with avg it reports:
C:\Windows\System32\Drivers\avsh4t2y.SYS
I can't delete it in any way; I'm posting the log made with winpatrol


Log created by WinPatrol version 12.0.2007.1:12.0.2007.1
Scan saved at 2:01:55 PM, on 11/17/2009
Platform: Windows Vista SP2 Home Edition Service Pack 2 (Build 6002)
MSIE: Internet Explorer (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Windows\explorer.exe
C:\PROGRAM FILES\Tech\WHEEL MOUSE\5.3\Mouse32A.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\oodtray.exe
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\Windows\PixArt\Pac207\Monitor.exe
C:\PROGRAM FILES\Java\jre6\bin\jusched.exe
C:\Users\moira\AppData\Local\Google\Update\1.2.183.13\GOOGLECRASHHANDLER.EXE
C:\Windows\System32\mobsync.exe
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmpnscfg.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\PROGRAM FILES\AVG\AVG8\avgui.exe
C:\PROGRAM FILES\AVG\AVG8\avgcsrvx.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
O2 - BHO: - AutorunsDisabled -
O2 - BHO: - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: - {5C255C8A-E604-49b4-9D64-90988571CECB} -
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\Google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SweetIM Toolbar Helper - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: - -
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [LWBMOUSE]C:\Program Files\Tech\Wheel Mouse\5.3\Mouse32A.exe
O4 - HKLM\..\Run: [RtHDVCpl]RtHDVCpl.exe
O4 - HKLM\..\Run: [WheelMouse]C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [OODefragTray]C:\Windows\System32\oodtray.exe
O4 - HKLM\..\Run: [HP Software Update]C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Monitor]C:\Windows\PixArt\Pac207\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched]C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe ARM]C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
O4 - HKCU\..\Run: [Google Update]C:\Users\moira\AppData\Local\Google\Update\GoogleUpdate.exe /c
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O11 - Options group: [] -
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/Messenger ... E_UNO1.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_13) - http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) - http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) - http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) - http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: ePerformance Service - - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: appmgmts - - C:\Windows\System32\appmgmts.dll
O23 - Service: AVG8 WatchDog - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service - - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon
O23 - Service: CT Device Query service - - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: eRecovery Service - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: Google Updater Service - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqcxs08 - Hewlett-Packard Co. - C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
O23 - Service: Servizio di rilevamento dispositivi HP CUE - Hewlett-Packard Co. - C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Net Driver HPZ12 - Hewlett-Packard - C:\Windows\System32\HPZinw12.dll
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\Windows\System32\nvvsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\System32\oodag.exe
O23 - Service: Pml Driver HPZ12 - Hewlett-Packard - C:\Windows\System32\HPZipm12.dll
O23 - Service: PnkBstrA - - C:\Windows\System32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) - - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--- Additional WinPatrol Info ---
Default Browser: Windows® Internet Explorer - Internet Explorer version 8.00.6001.18702
MSIE: Internet Explorer (8.00.6001.18702)
Firefox 3.0.15 installed in C:\Program Files\Mozilla Firefox.
0 IE Cookies in Folder: C:\Users\moira\AppData\Roaming\Microsoft\Windows\Cookies\
0 Mozilla Cookies in Folder: C:\Users\moira\AppData\Roaming\Mozilla\FireFox\Profiles\vzh8k44i.default

WP00 - HKLM\CS1: BootExecute = autocheck autochk *
WP00 - HKLM\CCS: BootExecute = autocheck autochk *
WP00 - HKLM\CS2: BootExecute = autocheck autochk *
WP02 - HKLM\CCS: Command = C:\Windows\system32\cmd.exe


WP31 - Scheduled Tasks: [User_Feed_Synchronization-{96C1CD80-AC37-439E-9735-36CFF2F9E224}.job]C:\Windows\System32\msfeedssync.exe 11/17/2009 1:43 PM
WP31 - Scheduled Tasks: [GoogleUpdateTaskUserS-1-5-21-3823567654-1030167955-2503654186-1000UA.job]C:\Users\moira\AppData\Local\Google\Update\GoogleUpdate.exe 11/17/2009 1:02 PM
WP31 - Scheduled Tasks: [GoogleUpdateTaskUserS-1-5-21-3823567654-1030167955-2503654186-1000Core.job]C:\Users\moira\AppData\Local\Google\Update\GoogleUpdate.exe 11/17/2009 2:02 AM

WP32 - Hidden File: C:\bootmgr
WP32 - Hidden File: C:\hiberfil.sys
WP32 - Hidden File: C:\IO.SYS
WP32 - Hidden File: C:\MSDOS.SYS
WP32 - Hidden File: C:\pagefile.sys
WP32 - Hidden File: C:\Windows\WindowsShell.Manifest
WP32 - Hidden File: C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
WP32 - Hidden File: C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
WP32 - Hidden File: C:\Windows\System32\config\BCD-Template.LOG
WP32 - Hidden File: C:\Windows\System32\config\BCD-Template.LOG1
WP32 - Hidden File: C:\Windows\System32\config\BCD-Template.LOG2
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS.LOG
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS.LOG1
WP32 - Hidden File: C:\Windows\System32\config\COMPONENTS.LOG2
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT.LOG
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT.LOG1
WP32 - Hidden File: C:\Windows\System32\config\DEFAULT.LOG2
WP32 - Hidden File: C:\Windows\System32\config\SAM.LOG
WP32 - Hidden File: C:\Windows\System32\config\SAM.LOG1
WP32 - Hidden File: C:\Windows\System32\config\SAM.LOG2
WP32 - Hidden File: C:\Windows\System32\config\SECURITY.LOG
WP32 - Hidden File: C:\Windows\System32\config\SECURITY.LOG1
WP32 - Hidden File: C:\Windows\System32\config\SECURITY.LOG2
WP32 - Hidden File: C:\Windows\System32\config\SOFTWARE.LOG
WP32 - Hidden File: C:\Windows\System32\config\SOFTWARE.LOG1
WP32 - Hidden File: C:\Windows\System32\config\SOFTWARE.LOG2
WP32 - Hidden File: C:\Windows\System32\config\SYSTEM.LOG
WP32 - Hidden File: C:\Windows\System32\config\SYSTEM.LOG1
WP32 - Hidden File: C:\Windows\System32\config\SYSTEM.LOG2
WP32 - Hidden File: C:\Windows\System32\desktop.ini
WP32 - Hidden File: C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
WP32 - Hidden File: C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
WP32 - Hidden File: C:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
WP32 - Hidden File: C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
WP32 - Hidden File: C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
WP32 - Hidden File: C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
WP32 - Hidden File: C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
WP32 - Hidden File: C:\Windows\System32\NTIBUN4.dll

WP33 - File Type .BAT: [Windows Batch File]%1 %*
WP33 - File Type .CAB: [WinRAR archive]C:\Program Files\WinRAR\WinRAR.exe %1
WP33 - File Type .CAT: [Security Catalog]C:\Windows\system32\rundll32.exe cryptext.dll,CryptExtOpenCAT %1
WP33 - File Type .CHM: [Compiled HTML Help file]C:\Windows\hh.exe %1
WP33 - File Type .COM: [MS-DOS Application]%1 %*
WP33 - File Type .CMD: [Windows Command Script]%1 %*
WP33 - File Type .EML: [Internet E-Mail Message]C:\Program Files\Windows Mail\WinMail.exe /eml:%1
WP33 - File Type .EXE: [Application]%1 %*
WP33 - File Type .INF: [Setup Information]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .JS: [JScript Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .LOG: [Text Document]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .MSI: [Windows Installer Package]C:\Windows\System32\msiexec.exe /i %1 %*
WP33 - File Type .MID: [MIDI Sequence]C:\Program Files\Windows Media Player\wmplayer.exe /Open %L
WP33 - File Type .MP3: [MP3 Format Sound]C:\Program Files\Windows Media Player\wmplayer.exe /prefetch:6 /Open %L
WP33 - File Type .PIF: [Shortcut to MS-DOS Program]%1 %*
WP33 - File Type .REG: [Registration Entries]regedit.exe %1
WP33 - File Type .SCR: [Screen Saver]%1 /S
WP33 - File Type .TXT: [Text Document]C:\Windows\system32\NOTEPAD.EXE %1
WP33 - File Type .URL: [Collegamento Internet]C:\Windows\System32\rundll32.exe C:\Windows\System32\ieframe.dll,OpenURL %l
WP33 - File Type .VBS: [VBScript Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .VBE: [VBScript Encoded File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .WSF: [Windows Script File]C:\Windows\System32\WScript.exe %1 %*
WP33 - File Type .WSH: [Windows Script Host Settings File]C:\Windows\System32\WScript.exe %1 %*

Memory currently in use: 73%
Physical Memory Free: 279,088 KB
Paging File Free: 1,354,496 KB
Virtual Memory Free: 2,001,788 KB


--
End of file
dupasquet
Junior Member
Posts: 22
Joined: 27/08/06 16:10
Re: root-kit

Post by gahan » 17/11/09 14:43

hi

fix the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
O4 - HKLM\..\Run: [Monitor]C:\Windows\PixArt\Pac207\Monitor.exe

Then download http://swandog46.geekstogo.com/avenger.zip , extract it to the desktop and open it;
In the "Input script here" window copy and paste the following lines in bold:

files to delete:
C:\Windows\System32\Drivers\avsh4t2y.SYS

Check "Automatically disable any rootkits found"

click the "Execute" button
The PC should reboot on its own; if it doesn't, reboot it manually

post the avenger log you will find in c:\
words like violence, break the silence
gahan
Moderator
Posts: 1397
Joined: 23/01/08 16:09

Re: root-kit

Post by dupasquet » 17/11/09 16:14

hi, sorry, what do you mean by "fix"?
dupasquet
Junior Member
Posts: 22
Joined: 27/08/06 16:10

Re: root-kit

Post by gahan » 18/11/09 01:33

1 - Download "hijackthis" from this link http://www.hijackthis.de/downloads/HJTInstall.exe;
Install it and then run the program;
click "do a system scan only";

when the process finishes, select the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
O4 - HKLM\..\Run: [Monitor]C:\Windows\PixArt\Pac207\Monitor.exe

and press "fix checked" at the bottom;

2 - Download http://swandog46.geekstogo.com/avenger.zip , extract it to the desktop and open it;
In the "Input script here" window copy and paste the following lines in bold exactly as I wrote them:

files to delete:
C:\Windows\System32\Drivers\avsh4t2y.SYS

Check "Automatically disable any rootkits found"

click the "Execute" button
The PC should reboot on its own; if it doesn't, reboot it manually

post the avenger log you will find in c:\

Bye
words like violence, break the silence
gahan
Moderator
Posts: 1397
Joined: 23/01/08 16:09

Re: root-kit

Post by gahan » 18/11/09 01:35

gahan wrote:
files to delete:
C:\Windows\System32\Drivers\avsh4t2y.SYS


files to delete:
C:\Windows\System32\Drivers\avsh4t2y.SYS
words like violence, break the silence
gahan
Moderator
Posts: 1397
Joined: 23/01/08 16:09

Re: root-kit

Post by dupasquet » 18/11/09 18:57

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Windows\System32\Drivers\avsh4t2y.SYS" not found!
Deletion of file "C:\Windows\System32\Drivers\avsh4t2y.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

thanks again !!!
as for the line:
O4 - HKLM\..\Run: [Monitor]C:\Windows\PixArt\Pac207\Monitor.exe
I think it refers to the webcam program; worst case I can always reinstall it..
dupasquet
Junior Member
Posts: 22
Joined: 27/08/06 16:10
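The Avenger log above only says the file could not be opened by name (STATUS_OBJECT_NAME_NOT_FOUND); before calling the system clean, a practitioner would also confirm that no service entry or loaded driver still references the name AVG reported. The script below is an added example, not something posted in the thread: it checks the file on disk, the Services registry hive and the loaded kernel drivers for `avsh4t2y` (the name taken from the thread), and assumes an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the thread): look for leftover traces of the driver
# AVG reported as C:\Windows\System32\Drivers\avsh4t2y.SYS.
# Run from an elevated Windows PowerShell prompt; the driver name is taken
# from the thread, everything else is assumed.
$driverName = 'avsh4t2y'
$driverPath = "$env:SystemRoot\System32\Drivers\$driverName.SYS"
$findings   = @()

# 1. Is the file still on disk? -Force also shows hidden/system files.
if (Test-Path -LiteralPath $driverPath) {
    $item = Get-Item -LiteralPath $driverPath -Force
    $findings += "File present: $($item.FullName) ($($item.Length) bytes, attributes: $($item.Attributes))"
}

# 2. Does any service or kernel-driver registry entry still point at the name?
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($props.ImagePath -and $props.ImagePath -like "*$driverName*") {
        $findings += "Registry: $($_.PSChildName) ImagePath = $($props.ImagePath)"
    }
    # A service keyed by the driver name counts even without an ImagePath.
    elseif ($_.PSChildName -eq $driverName) {
        $findings += "Registry: service key '$($_.PSChildName)' still exists"
    }
}

# 3. Is a driver by that name currently loaded or registered with the SCM?
Get-WmiObject -Class Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $driverName -or $_.PathName -like "*$driverName*" } |
    ForEach-Object {
        $findings += "Driver: $($_.Name) state=$($_.State) path=$($_.PathName)"
    }

if ($findings.Count -eq 0) {
    "No file, service entry or loaded driver named '$driverName' found."
} else {
    "Traces of '$driverName' remain:"
    $findings | ForEach-Object { " - $_" }
}
```

This is a consistency check from user mode, so a kernel-level rootkit that hides the file and its registry key would hide them from this script as well; a clean result here agrees with the Avenger log, it does not replace a scan from outside the running system.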

Re: root-kit

Post by gahan » 18/11/09 19:00

You're welcome...
it seems there are no rootkits on your system
words like violence, break the silence
gahan
Moderator
Posts: 1397
Joined: 23/01/08 16:09