
Olmarik trojan horse

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

Olmarik trojan horse

Post by Giorgiz » 22/12/09 19:15

Hi everyone, unfortunately I caught this virus; NOD32 says it cannot disinfect it because the virus is in operating memory. This virus also installed a program called "antimalwere" that opened pages like crazy, showing me fake viruses. Luckily I managed to remove antimalwere and now I no longer have problems with unwanted pop-ups. But unfortunately this olmarik cannot be removed, even though it doesn't bother me anyway. What do I need to do to fix it?
Giorgiz
Junior User

Posts: 11
Joined: 29/10/09 10:40


Re: Olmarik trojan horse

Post by shel » 22/12/09 21:12

hi

download to the desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- disconnect from the internet
- disable the antivirus
- run ComboFix.exe
- type 1
- follow the instructions
- when the scan is finished, go to C:\ and copy/paste the contents of the text file Combofix.txt into your next reply
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: Olmarik trojan horse

Post by Giorgiz » 23/12/09 21:07

I downloaded it from the link you posted, but if I click the ComboFix icon on the desktop nothing happens; the program doesn't start. I disconnected the line and disabled NOD32's virus and spam protection, but ComboFix won't start. Where am I going wrong?
Giorgiz
Junior User

Posts: 11
Joined: 29/10/09 10:40

Re: Olmarik trojan horse

Post by shel » 23/12/09 21:36

uninstall combofix: click Start - Run - type combofix /u and press OK ... >>>(combofix[space]/u)<<<

download it again, renaming it.... you have to give the program a different name before saving it to the desktop (123.exe for example), and once it has been downloaded that way, run it
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: Olmarik trojan horse

Post by Spinach79 » 07/01/10 16:38

Hi shel,
I also had a problem with the same trojan and did exactly as you suggested, installing ComboFix.
I should say first that I use ESET NOD32 as my antivirus.
I'm sending you the summary text. I'd be grateful if you could help me with the next steps:

ComboFix 10-01-04.01 - Paolo 07/01/2010 15.44.44.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.237 [GMT 1:00]
Running from: c:\documents and settings\Paolo\Desktop\123.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Paolo\LOCALS~1\Temp\wscsvc32.exe
c:\program files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
c:\recycler\NPROTECT
c:\recycler\NPROTECT\00025599.
c:\recycler\NPROTECT\00025600.
c:\recycler\NPROTECT\00113742.
c:\recycler\NPROTECT\00113776.
c:\recycler\NPROTECT\00138128.
c:\recycler\S-1-5-21-2643539919-4236421601-3944892517-500
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\H8SRTmybiurtqfn.sys
c:\windows\system32\H8SRThxvunfwrfh.dll
c:\windows\system32\H8SRTqltidxfqpb.dll
c:\windows\system32\H8SRTqojgmotqwe.dat
c:\windows\system32\H8SRTymetlewfao.dll
c:\windows\system32\inform.dat
c:\windows\system32\Thumbs.db
c:\windows\system32\xma

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-07 to 2010-01-07 )))))))))))))))))))))))))))))))
.

2010-01-06 16:13 . 2010-01-06 16:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-06 10:30 . 2010-01-07 08:34 879 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-17 16:54 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-08 18:56 . 2004-03-09 10:39 8704 ----a-w- c:\windows\system32\vidccleaner.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-07 14:03 . 2008-09-29 07:34 -------- d-----w- c:\program files\ESET
2010-01-06 16:35 . 2004-12-31 03:49 -------- d-----w- c:\program files\TOSHIBA
2010-01-06 08:21 . 2009-10-25 11:40 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-06 08:21 . 2009-10-25 11:46 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-12-13 17:27 . 2007-09-17 09:28 -------- d-----w- c:\program files\eMule
2009-12-10 15:42 . 2009-03-18 15:02 -------- d-----w- c:\program files\Samsung
2009-12-10 15:42 . 2004-12-31 03:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-30 17:47 . 2009-11-30 17:12 141335 ----a-w- c:\windows\hpoins15.dat
2009-11-30 17:38 . 2009-11-26 14:04 -------- d-----w- c:\program files\HP
2009-11-30 17:38 . 2009-11-30 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-11-30 17:35 . 2009-11-30 17:35 -------- d-----w- c:\program files\Hewlett-Packard
2009-11-28 13:10 . 2008-08-21 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-28 08:03 . 2008-08-21 14:55 -------- d-----w- c:\documents and settings\Paolo\Application Data\skypePM
2009-11-25 21:51 . 2006-10-22 19:03 -------- d-----w- c:\documents and settings\Paolo\Application Data\Apple Computer
2009-11-25 21:48 . 2009-11-25 21:47 -------- d-----w- c:\program files\iTunes
2009-11-25 21:47 . 2009-11-25 21:47 -------- d-----w- c:\program files\iPod
2009-11-25 21:47 . 2009-11-25 21:43 -------- d-----w- c:\program files\Common Files\Apple
2009-11-25 21:46 . 2009-11-25 21:46 -------- d-----w- c:\program files\Bonjour
2009-11-25 21:45 . 2009-11-25 21:44 -------- d-----w- c:\program files\QuickTime
2009-11-25 16:03 . 2009-11-25 16:03 -------- d-----w- c:\program files\MSXML 4.0
2009-11-16 08:06 . 2009-11-16 08:06 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-11-16 08:03 . 2009-11-16 08:03 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 07:56 . 2009-11-16 07:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-11-15 17:29 . 2009-11-15 17:29 -------- d-----w- c:\program files\Microsoft
2009-11-15 17:29 . 2009-11-15 17:28 -------- d-----w- c:\program files\Windows Live
2009-11-15 17:24 . 2009-11-15 17:24 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-12 08:11 . 2005-01-22 19:34 -------- d-----w- c:\program files\Java
2009-11-10 15:07 . 2005-09-23 19:41 69976 -c--a-w- c:\documents and settings\Paolo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2004-12-31 00:17 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-12-31 00:17 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-12-31 00:17 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 23:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-12-31 00:17 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-12-31 00:17 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-12-31 00:17 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 03:17 . 2008-12-24 08:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2005-11-30 20:09 . 2005-11-30 20:08 80 --sh--r- c:\windows\system32\7AF43E3800.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPSMain"="TPSMain.exe" [2004-08-27 278528]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-01-15 352256]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 88363]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2004-11-13 73728]
"TFncKy"="c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe" [2004-10-25 114688]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 135168]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2004-11-03 147456]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 356352]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-12-31 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 18:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 15:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Fax"=2 (0x2)
"TapiSrv"=3 (0x3)
"BthServ"=2 (0x2)
"mnmsrvc"=3 (0x3)
"hpqddsvc"=2 (0x2)
"hpqcxs08"=3 (0x3)
"Swupdtmr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"4662:TCP"= 4662:TCP:emule_tcp
"4672:UDP"= 4672:UDP:emule_udp

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [16/11/2009 9.03.36 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [16/11/2009 9.06.50 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16/11/2009 9.04.30 735960]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbser.sys --> c:\windows\system32\DRIVERS\qcusbser.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{18955D47-882E-48fc-B903-A4BDD030E7FD}
Trusted Zone: archiviosex.net\www
Trusted Zone: otherchance.com\www
Trusted Zone: redfunny.com\www
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-LogitechVideoRepair - c:\program files\Logitech\Video\ISStart.exe
MSConfigStartUp-iRiver Updater - \Updater.exe
MSConfigStartUp-settdebugx - c:\docume~1\Paolo\LOCALS~1\Temp\settdebugx.exe
AddRemove-OpenMG HotFix3.1-02-08-09-01 - c:\program files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.1-02-12-04-01\HotFixSetup\setup.exe
AddRemove-OpenMG HotFix3.1-02-08-15-01 - c:\program files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.1-02-10-22-01\HotFixSetup\setup.exe
AddRemove-OpenMG HotFix3.1-02-10-08-01 - c:\program files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.1-02-10-22-02\HotFixSetup\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 16:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

CF30546.cfxxe [2868]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(4012)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Intel\Wireless\Bin\OProtSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\TPSMain.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TPSBattM.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-07 16:29:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-07 15:29

Pre-Run: 5.861.801.984 bytes free
Post-Run: 10.131.599.360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EBA383D4621C57B61B6B23861DD496F9
Spinach79
Newbie

Posts: 8
Joined: 07/01/10 16:32
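As an added example (it is not part of the thread and not ComboFix's own code), the Python script below reads a ComboFix log like the one posted above, splits it at the section banners, and pulls out what a responder checks first: the group of files that share the H8SRT prefix followed by randomised names, the driver service entries carrying the same prefix, and registry values that switch off the machine's own protections. The sample log embedded in the script is constructed from lines shaped like the ones in the post; the regular expression for randomised names is an assumption derived from those names and yields leads to review, not a verdict.

```python
"""Triage helper for a ComboFix log (added example, not ComboFix's own code).

Splits the log at its "((((( Section )))))" banners and reports:
  * clusters of files named <short UPPERCASE prefix><random lowercase>.<ext>
    (the H8SRT* pattern in the thread) and driver services with that prefix;
  * registry values worth a second look because they lower the machine's own
    defences (Security Center monitoring off, standard-profile firewall off).
SAMPLE_LOG is a constructed excerpt shaped like the thread's log, not the full file.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\H8SRTmybiurtqfn.sys
c:\windows\system32\H8SRThxvunfwrfh.dll
c:\windows\system32\H8SRTqltidxfqpb.dll
c:\windows\system32\H8SRTqojgmotqwe.dat
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# A ComboFix section banner: a run of '(', the title, a run of ')'.
SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}\s*$")

# <4-6 upper-case/digits><8-12 lower-case letters>.<ext>; assumption derived
# from the H8SRT* names in the thread. Matches are leads, not proof.
RANDOM_NAME_RE = re.compile(r"^([A-Z0-9]{4,6})([a-z]{8,12})\.(sys|dll|dat)$")

# Registry lines to review: line prefix -> why it matters.
REG_REVIEW = {
    '"DisableMonitoring"=dword:00000001': "Security Center monitoring disabled for this product",
    '"EnableFirewall"= 0': "Windows Firewall off in the standard profile",
}


def split_sections(log):
    """Map banner title -> non-empty lines under it ('.' filler dropped)."""
    sections = defaultdict(list)
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line and line != ".":
            sections[current].append(line)
    return dict(sections)


def random_name_clusters(paths, min_size=2):
    """Group paths by prefix when the basename looks machine-generated."""
    clusters = defaultdict(list)
    for path in paths:
        basename = path.rsplit("\\", 1)[-1]
        m = RANDOM_NAME_RE.match(basename)
        if m:
            clusters[m.group(1)].append(path)
    return {p: v for p, v in clusters.items() if len(v) >= min_size}


def registry_review(reg_lines):
    """Return (registry key, reason) pairs for values listed in REG_REVIEW."""
    hits, key = [], None
    for line in reg_lines:
        if line.startswith("["):
            key = line          # remember the key the following values belong to
            continue
        for prefix, reason in REG_REVIEW.items():
            if line.startswith(prefix):
                hits.append((key, reason))
    return hits


def triage(log):
    """Run all checks over one ComboFix log and return the findings."""
    sections = split_sections(log)
    clusters = random_name_clusters(sections.get("Other Deletions", []))
    services = sections.get("Drivers/Services", [])
    return {
        "clusters": clusters,
        # Driver/service entries that carry a cluster prefix (e.g. Service_H8SRTd.sys).
        "service_hits": {p: [s for s in services if p in s] for p in clusters},
        "registry_review": registry_review(sections.get("Reg Loading Points", [])),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(name, "->", value)
```

Run it as a script to print the findings for the embedded excerpt, or pass the full text of C:\ComboFix.txt to `triage()`. The `DisableMonitoring` value is also written by third-party security suites that take over Security Center monitoring for their own product, which is why the script reports it as an item to review rather than as a detection; the firewall value, by contrast, states directly that the standard-profile firewall is off.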

Re: Olmarik trojan horse

Post by shel » 07/01/10 18:00

hi

go here >>>>> http://www.virustotal.com/it/


analyse the flagged file and post the report

c:\windows\system32\drivers\ehdrv.sys
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: Olmarik trojan horse

Post by Spinach79 » 08/01/10 09:38

Good morning,
thanks in advance for the reply. I went to the link, analysed the flagged file, and this is the report:
Antivirus Version Last update Result


a-squared 4.5.0.43 2009.12.23 -
AhnLab-V3 5.0.0.2 2009.12.23 -
AntiVir 7.9.1.122 2009.12.23 -
Antiy-AVL 2.0.3.7 2009.12.23 -
Authentium 5.2.0.5 2009.12.23 -
Avast 4.8.1351.0 2009.12.23 -
AVG 8.5.0.430 2009.12.23 -
BitDefender 7.2 2009.12.23 -
CAT-QuickHeal 10.00 2009.12.23 -
ClamAV 0.94.1 2009.12.22 -
Comodo 3340 2009.12.23 -
DrWeb 5.0.1.12222 2009.12.23 -
eSafe 7.0.17.0 2009.12.23 -
eTrust-Vet 35.1.7193 2009.12.23 -
F-Prot 4.5.1.85 2009.12.22 -
F-Secure 9.0.15370.0 2009.12.23 -
Fortinet 4.0.14.0 2009.12.22 -
GData 19 2009.12.23 -
Ikarus T3.1.1.79.0 2009.12.23 -
Jiangmin 13.0.900 2009.12.23 -
K7AntiVirus 7.10.926 2009.12.22 -
Kaspersky 7.0.0.125 2009.12.23 -
McAfee 5840 2009.12.22 -
McAfee+Artemis 5840 2009.12.22 -
McAfee-GW-Edition 6.8.5 2009.12.23 -
Microsoft 1.5302 2009.12.23 -
NOD32 4711 2009.12.23 -
Norman 6.04.03 2009.12.23 -
nProtect 2009.1.8.0 2009.12.23 -
Panda 10.0.2.2 2009.12.15 -
PCTools 7.0.3.5 2009.12.23 -
Prevx 3.0 2009.12.23 -
Rising 22.27.02.02 2009.12.23 -
Sophos 4.49.0 2009.12.23 -
Sunbelt 3.2.1858.2 2009.12.23 -
Symantec 1.4.4.12 2009.12.23 -
TheHacker 6.5.0.3.108 2009.12.23 -
TrendMicro 9.120.0.1004 2009.12.23 -
VBA32 3.12.12.0 2009.12.23 -
ViRobot 2009.12.23.2105 2009.12.23 -
VirusBuster 5.0.21.0 2009.12.23 -
Additional information
File size: 108792 bytes
MD5 : 686a799c1bf1b18941994daf9f45db06
SHA1 : abf511243082176a064c3886446a4fa39395e036
SHA256: 369dc0ced6364718f1ebb6c8882196ecf2aeb3ec0db648096bb8d8a9f0527317
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1A005
timedatestamp.....: 0x4B01048F (Mon Nov 16 08:51:43 2009)
machinetype.......: 0x14C (Intel I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1479F 0x14800 6.55 edf074bf4c180c7800b77358fda27391
.rdata 0x16000 0x1164 0x1200 6.58 db07e1b7371926d86ac89a8705b75ebf
.data 0x18000 0x1660 0x1200 6.75 b7367ee75b205e56f25f0e9c2b4e63be
INIT 0x1A000 0x9E6 0xA00 5.64 7b07d7dd3aacab1b6efd828eda9af46d
.rsrc 0x1B000 0x410 0x600 2.46 59677bd3363a8f740973728f71630ece
.reloc 0x1C000 0xAB0 0xC00 5.09 97dfd6f6e08b28da818b9be878d2793d

( 2 imports )

> hal.dll: KfReleaseSpinLock, KfAcquireSpinLock, KeGetCurrentIrql
> ntoskrnl.exe: IoDeleteDevice, IoDeleteSymbolicLink, RtlInitUnicodeString, IofCompleteRequest, ProbeForWrite, ProbeForRead, ExGetPreviousMode, IoGetCurrentProcess, PsGetCurrentProcessId, KdDebuggerNotPresent, KdDebuggerEnabled, IoCreateSymbolicLink, MmGetSystemRoutineAddress, IoCreateDevice, wcsncpy, InitSafeBootMode, memset, ZwClose, NtSetSecurityObject, ObOpenObjectByPointer, RtlValidSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlSetOwnerSecurityDescriptor, RtlCreateSecurityDescriptor, RtlAddAccessAllowedAce, SeExports, RtlCreateAcl, KeWaitForSingleObject, KeDelayExecutionThread, KeResetEvent, strncpy, _vsnprintf, strstr, mbstowcs, memmove, memcpy, wcschr, toupper, _strnicmp, _allmul, _aulldiv, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, RtlVolumeDeviceToDosName, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, ZwCreateFile, ExFreePoolWithTag, KeUnstackDetachProcess, KeStackAttachProcess, ObReferenceObjectByHandle, MmSystemRangeStart, ZwQueryDirectoryFile, wcsncmp, ZwOpenFile, RtlCopyUnicodeString, ObQueryNameString, wcsrchr, ZwQuerySymbolicLinkObject, ZwOpenSymbolicLinkObject, ZwQueryInformationProcess, ZwOpenProcess, isdigit, isspace, _purecall, ZwOpenKey, ZwQueryValueKey, ZwQuerySystemInformation, ZwSetInformationFile, ZwReadFile, ZwWriteFile, ZwQueryInformationFile, IofCallDriver, IoBuildSynchronousFsdRequest, IoGetRelatedDeviceObject, RtlCompareUnicodeString, RtlFreeUnicodeString, RtlAnsiStringToUnicodeString, RtlInitAnsiString, PsTerminateSystemThread, PsCreateSystemThread, KeWaitForMultipleObjects, IoFreeMdl, MmUnlockPages, MmProbeAndLockPages, IoAllocateMdl, MmIsAddressValid, _allshr, sprintf, qsort, KeTickCount, KeBugCheckEx, RtlUnwind, ExAllocatePoolWithTag, KeInitializeEvent, ObfDereferenceObject, KeSetEvent

( 0 exports )

TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 1536:3+oDq/MTQj4ajnW9Uo6S+U6mLHdPbUtiFzOHaj2L+qKNus69mwH6qc70g060hyh+:fkgLdP3taLjvs69mu6q4Ohyh5dm
PEiD : -
RDS : NSRL Reference Data Set
Spinach79
Newbie

Posts: 8
Joined: 07/01/10 16:32

Re: Olmarik trojan horse

Post by shel » 08/01/10 10:21

open a text file (in Windows Notepad) and paste the following script into it:

file::
c:\windows\system32\krl32mainweq.dll
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\7AF43E3800.dll


save the file in the same folder where you put ComboFix, naming it exactly CFScript.txt (the name is mandatory)

Once that's done, use the mouse pointer to drag the file onto the ComboFix icon


The program will start a new scan like the previous one. Don't do or move anything. When it finishes, if the computer does not restart automatically, restart it yourself. Attach the new c:\combofix.txt file produced by the scan.
shel
Senior User

Posts: 1326
Joined: 29/08/08 21:56

Re: Olmarik trojan horse

Post by Spinach79 » 08/01/10 19:08

Hi,
here is the report file after doing the operation:


Running from: c:\documents and settings\Paolo\Desktop\123.exe
Command switches used :: c:\documents and settings\Paolo\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FILE ::
"c:\windows\system32\7AF43E3800.dll"
"c:\windows\system32\drivers\logiflt.iad"
"c:\windows\system32\drivers\lvuvc.hs"
"c:\windows\system32\krl32mainweq.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\7AF43E3800.dll
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\krl32mainweq.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-06 16:13 . 2010-01-06 16:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-12-17 16:54 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-07 14:03 . 2008-09-29 07:34 -------- d-----w- c:\program files\ESET
2010-01-06 16:35 . 2004-12-31 03:49 -------- d-----w- c:\program files\TOSHIBA
2009-12-13 17:27 . 2007-09-17 09:28 -------- d-----w- c:\program files\eMule
2009-12-10 15:42 . 2009-03-18 15:02 -------- d-----w- c:\program files\Samsung
2009-12-10 15:42 . 2004-12-31 03:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-30 17:47 . 2009-11-30 17:12 141335 ----a-w- c:\windows\hpoins15.dat
2009-11-30 17:38 . 2009-11-26 14:04 -------- d-----w- c:\program files\HP
2009-11-30 17:38 . 2009-11-30 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-11-30 17:35 . 2009-11-30 17:35 -------- d-----w- c:\program files\Hewlett-Packard
2009-11-28 13:10 . 2008-08-21 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-28 08:03 . 2008-08-21 14:55 -------- d-----w- c:\documents and settings\Paolo\Application Data\skypePM
2009-11-25 21:51 . 2006-10-22 19:03 -------- d-----w- c:\documents and settings\Paolo\Application Data\Apple Computer
2009-11-25 21:48 . 2009-11-25 21:47 -------- d-----w- c:\program files\iTunes
2009-11-25 21:47 . 2009-11-25 21:47 -------- d-----w- c:\program files\iPod
2009-11-25 21:47 . 2009-11-25 21:43 -------- d-----w- c:\program files\Common Files\Apple
2009-11-25 21:46 . 2009-11-25 21:46 -------- d-----w- c:\program files\Bonjour
2009-11-25 21:45 . 2009-11-25 21:44 -------- d-----w- c:\program files\QuickTime
2009-11-25 16:03 . 2009-11-25 16:03 -------- d-----w- c:\program files\MSXML 4.0
2009-11-21 15:51 . 2004-12-31 00:16 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-16 08:06 . 2009-11-16 08:06 96408 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2009-11-16 08:03 . 2009-11-16 08:03 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 07:56 . 2009-11-16 07:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-11-15 17:29 . 2009-11-15 17:29 -------- d-----w- c:\program files\Microsoft
2009-11-15 17:29 . 2009-11-15 17:28 -------- d-----w- c:\program files\Windows Live
2009-11-15 17:24 . 2009-11-15 17:24 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-12 16:07 . 2009-11-12 16:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-12 08:11 . 2005-01-22 19:34 -------- d-----w- c:\program files\Java
2009-11-12 08:06 . 2009-11-12 08:06 152576 ----a-w- c:\documents and settings\Paolo\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 08:06 . 2009-11-10 13:35 79488 ----a-w- c:\documents and settings\Paolo\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-10 15:07 . 2005-09-23 19:41 69976 -c--a-w- c:\documents and settings\Paolo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 07:45 . 2004-12-31 00:17 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-12-31 00:17 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-12-31 00:17 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 23:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-12-31 00:17 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-12-31 00:17 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-12-31 00:17 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 03:17 . 2008-12-24 08:52 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPSMain"="TPSMain.exe" [2004-08-27 278528]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-01-15 352256]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 88363]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2004-11-13 73728]
"TFncKy"="c:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exe" [2004-10-25 114688]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 135168]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2004-11-03 147456]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 356352]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-12-31 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 18:27 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 15:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Fax"=2 (0x2)
"TapiSrv"=3 (0x3)
"BthServ"=2 (0x2)
"mnmsrvc"=3 (0x3)
"hpqddsvc"=2 (0x2)
"hpqcxs08"=3 (0x3)
"Swupdtmr"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"4662:TCP"= 4662:TCP:emule_tcp
"4672:UDP"= 4672:UDP:emule_udp

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [16/11/2009 9.03.36 108792]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [16/11/2009 9.06.50 96408]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16/11/2009 9.04.30 735960]
S3 qcusbser;Qualcomm USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\qcusbser.sys --> c:\windows\system32\DRIVERS\qcusbser.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-08 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{18955D47-882E-48fc-B903-A4BDD030E7FD}
Trusted Zone: archiviosex.net\www
Trusted Zone: otherchance.com\www
Trusted Zone: redfunny.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 18:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-01-08 18:57:41
ComboFix-quarantined-files.txt 2010-01-08 17:57
ComboFix2.txt 2010-01-07 15:29

Pre-Run: 9.918.881.792 bytes free
Post-Run: 10.014.642.176 bytes free

- - End Of File - - 40ADF52CD3BC0288A782DFCAC8E3E228
Spinach79
Newbie
 
Post: 8
Joined: 07/01/10 16:32

Re: Olmarik trojan horse

Post by shel » 08/01/10 19:18

Do this step:

Download and install Malwarebytes.
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
Update it: click the "Updates" tab => "Check for updates".
Run a "Full scan" (select that option).
When the scan has finished, post the report.

Don't remove anything for now.
shel
Senior User
 
Post: 1326
Joined: 29/08/08 21:56

Re: Olmarik trojan horse

Post by Spinach79 » 09/01/10 09:05

Hi,
so I ran the scan and it did indeed find 5 more infected files :eeh: ! Only I thought I'd reboot the PC first and send the result afterwards, but now I can't find the txt file. It isn't in the Malwarebytes folder.
Is it hidden in some other folder, or do I have to run the scan again? :undecided:

thanks,
Spinach79
Newbie
 
Post: 8
Iscritto il: 07/01/10 16:32

Re: Olmarik trojan horse

Post by shel » 09/01/10 09:43

hi

To recover the log, open the program and at the top click ''Logs'' - click the one with the date of the scan and it will open.
shel
Senior User
 
Post: 1326
Joined: 29/08/08 21:56

Re: Olmarik trojan horse

Post by Spinach79 » 09/01/10 12:04

OK, since I couldn't find the log (maybe I hadn't saved it) I redid the scan. Here is the result:

Malwarebytes' Anti-Malware 1.44
Versione del database: 3526
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

09/01/2010 11.59.06
mbam-log-2010-01-09 (11-58-57).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi scansionati: 229756
Tempo trascorso: 1 hour(s), 15 minute(s), 19 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 2
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 4

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SideFind (Trojan.BHO) -> No action taken.

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
(Nessun elemento malevolo rilevato)

File infetti:
C:\Qoobox\Quarantine\C\WINDOWS\system32\H8SRTymetlewfao.dll.vir (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{916D0DCA-2339-483A-B833-5F27C0AB6D6C}\RP1334\A0215452.sys (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{916D0DCA-2339-483A-B833-5F27C0AB6D6C}\RP1335\A0217565.sys (Malware.Trace) -> No action taken.
C:\System Volume Information\_restore{916D0DCA-2339-483A-B833-5F27C0AB6D6C}\RP1335\A0217718.sys (Malware.Trace) -> No action taken.
-----------------------------------------------------------------------------------------------------------------------------------------

What should I do? Delete the files?
Spinach79
Newbie
 
Post: 8
Joined: 07/01/10 16:32

Re: Olmarik trojan horse

Post by shel » 09/01/10 17:15

Remove all the threats found by Malwarebytes.

Disable System Restore:

1. Click Start -> Programs -> Accessories -> Windows Explorer.

2. Right-click the My Computer icon and then click Properties.

3. Select the "System Restore" tab.

4. Select the "Turn off System Restore" option.

5. Click OK. You will be asked to confirm the action, since all stored restore points will be deleted. Confirm by clicking YES.

Restart the PC.

Re-enable System Restore and create a new restore point.

Post me a HijackThis log.
shel
Senior User
 
Post: 1326
Joined: 29/08/08 21:56

Re: Olmarik trojan horse

Post by Spinach79 » 09/01/10 22:32

OK Shel,
here is the log ... thanks :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.19.50, on 09/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\Paolo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B8A7839C-51E8-4067-ADA3-CA74BABC1976} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {18955D47-882E-48fc-B903-A4BDD030E7FD} - (no file)
O9 - Extra 'Tools' menuitem: Barra degli strumenti GigaSize - {18955D47-882E-48fc-B903-A4BDD030E7FD} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.otherchance.com
O15 - Trusted Zone: www.redfunny.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylo ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/ph ... NPUpld.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe (file missing)
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
Spinach79
Newbie
 
Post: 8
Joined: 07/01/10 16:32

Re: Olmarik trojan horse

Post by shel » 09/01/10 22:47

Run the scan again with HijackThis, tick the box next to the entries listed below and press FIX CHECKED:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

O2 - BHO: (no name) - {B8A7839C-51E8-4067-ADA3-CA74BABC1976} - (no file)

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM

O9 - Extra button: (no name) - {18955D47-882E-48fc-B903-A4BDD030E7FD} - (no file)

O9 - Extra 'Tools' menuitem: Barra degli strumenti GigaSize - {18955D47-882E-48fc-B903-A4BDD030E7FD} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

To reset the Trusted Zone, download DelDomains and save it to the desktop.

http://www.mvps.org/winhelp2002/DelDomains.inf

=> right-click it and choose "Install".
shel
Senior User
 
Post: 1326
Joined: 29/08/08 21:56

Re: Olmarik trojan horse

Post by Spinach79 » 09/01/10 22:53

Done,
next step?
P.S. What about those O15 entries? Am I not supposed to touch them?
Spinach79
Newbie
 
Post: 8
Joined: 07/01/10 16:32

Re: Olmarik trojan horse

Post by shel » 09/01/10 22:59

The O15 entries were removed by DelDomains.

If you run the HijackThis scan again they should no longer be there.

Everything else looks fine - can you tell me whether you still have problems?
shel
Senior User
 
Post: 1326
Joined: 29/08/08 21:56
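
As an added example (not from the thread, and not HijackThis' own code), the following Python script reproduces the triage made in the two replies above: orphaned O2/O3/O9 entries and the remote O8 item go on the "Fix checked" list, while O15 Trusted Zone sites are grouped under a single zone reset, which is what DelDomains does. The sample log is a constructed subset of the HijackThis log posted above, and the classification rules are the example's own assumptions.

```python
"""HijackThis v2 log triage: an added example mirroring the selection made in the
thread (not HijackThis' or the forum's own code). Classification rules are mine:
  * O2/O3/O9 entries ending in "(no file)" / "(file missing)" are orphaned
    registrations; fixing them only deletes a dead reference.
  * O8 context-menu items whose target is a remote http(s) page are third-party
    add-ons to review (local res:// or .htm targets are left alone).
  * O15 Trusted Zone sites are not fixed one by one; the zone is reset as a whole
    (the thread uses DelDomains for that), so they are grouped under one action.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ORPHAN_MARKERS = ("(no file)", "(file missing)")
ORPHANABLE_SECTIONS = {"O2", "O3", "O9"}
SECTION_RE = re.compile(r"^([RFNO]\d+) - ")     # leading HijackThis section tag
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")   # {GUID} of a BHO/toolbar/button

# Constructed sample: a verbatim subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {18955D47-882E-48fc-B903-A4BDD030E7FD} - (no file)
O9 - Extra 'Tools' menuitem: Barra degli strumenti GigaSize - {18955D47-882E-48fc-B903-A4BDD030E7FD} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.otherchance.com
O15 - Trusted Zone: www.redfunny.com
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str
    action: str  # "fix checked" or "reset trusted zone"


def section_of(line: str) -> str | None:
    m = SECTION_RE.match(line)
    return m.group(1) if m else None


def target_of(line: str) -> str:
    """Last ' - '-separated field: the file, URL or resource the entry points at."""
    return line.rsplit(" - ", 1)[-1].strip()


def triage(log_text: str) -> list[Finding]:
    """Classify each log line; lines from sections we have no rule for are ignored."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = section_of(line)
        if sec is None:
            continue
        target = target_of(line)
        if sec in ORPHANABLE_SECTIONS and target.endswith(ORPHAN_MARKERS):
            findings.append(Finding(sec, line, "registered component has no file on disk", "fix checked"))
        elif sec == "O8" and target.lower().startswith(("http://", "https://")):
            findings.append(Finding(sec, line, "context-menu item loads a remote page", "fix checked"))
        elif sec == "O15":
            findings.append(Finding(sec, line, "site bypasses normal IE zone restrictions", "reset trusted zone"))
    return findings


def fix_checked_lines(findings: list[Finding]) -> list[str]:
    """Exactly the lines to tick before pressing 'Fix checked'."""
    return [f.line for f in findings if f.action == "fix checked"]


def trusted_zone_hosts(findings: list[Finding]) -> list[str]:
    """Hosts a Trusted Zone reset removes (O15 lines read 'O15 - Trusted Zone: host')."""
    return sorted(f.line.split(": ", 1)[1] for f in findings if f.action == "reset trusted zone")


def orphan_clsids(findings: list[Finding]) -> set[str]:
    """Distinct CLSIDs behind the fix-checked lines (an O9 button and its menu item share one)."""
    ids = set()
    for entry in fix_checked_lines(findings):
        m = CLSID_RE.search(entry)
        if m:
            ids.add(m.group(0).upper())
    return ids


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("Tick these entries in HijackThis and press 'Fix checked':")
    for entry in fix_checked_lines(found):
        print("  " + entry)
    print("Trusted Zone hosts cleared by resetting the zone:", ", ".join(trusted_zone_hosts(found)))
```

Entries with a real file behind them (the Adobe BHO, the ESET service and Run key, the local AOL and Bluetooth context-menu items) are deliberately not flagged, matching what was left alone in the thread.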

Re: Olmarik trojan horse

Post by Spinach79 » 10/01/10 17:13

I'd say no ... it works great and the speed is back up again ...
a big big THANK YOU :) thanks thanks :P
Spinach79
Newbie
 
Post: 8
Joined: 07/01/10 16:32

Re: Olmarik trojan horse

Post by babaoriley » 12/01/10 18:13

A question for shel -
I had a problem like Giorgiz's: I found this trojan and did what you advised him to do with ComboFix. The background is that, despite having a two-year Norton subscription, it suddenly stopped working and no longer opened at startup. After various attempts to re-download it with the keys and everything, I installed a NOD32 I had set aside, and it found this Olmarik trojan, which it cannot remove. I have already gone through the whole ComboFix procedure. But what do I do now? In the meantime, here is the saved report.

ComboFix 10-01-11.04 - Barbara 12/01/2010 17.32.19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.703.449 [GMT 1:00]
Eseguito da: c:\documents and settings\Barbara\Desktop\123.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active


ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\$NtUninstallKB922582$
c:\windows\$NtUninstallKB922582$\fltlib.dll
c:\windows\$NtUninstallKB922582$\fltmc.exe
c:\windows\$NtUninstallKB922582$\fltmgr.sys
c:\windows\$NtUninstallKB922582$\spuninst\spuninst.exe
c:\windows\$NtUninstallKB922582$\spuninst\spuninst.inf
c:\windows\$NtUninstallKB922582$\spuninst\spuninst.txt
c:\windows\$NtUninstallKB922582$\spuninst\updspapi.dll
c:\windows\system32\drivers\H8SRTovymxewxnm.sys
c:\windows\system32\H8SRTbrmntjcfml.dll
c:\windows\system32\H8SRTeypmehwhxv.dll
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTlpajrnwuya.dat
c:\windows\system32\H8SRTrjxldkpbss.dll
c:\windows\system32\H8SRTsbfxmoqoob.dll
c:\windows\system32\h8srtshsyst.dll

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Creati Da 2009-12-12 al 2010-01-12 )))))))))))))))))))))))))))))))))))
.

2010-01-12 10:05 . 2010-01-12 10:05 -------- d-----w- c:\documents and settings\Barbara\Impostazioni locali\Dati applicazioni\Mozilla
2010-01-12 09:57 . 2010-01-12 09:57 -------- d-----w- c:\documents and settings\LocalService\Impostazioni locali\Dati applicazioni\ESET
2010-01-12 09:55 . 2010-01-12 09:55 -------- d-----w- c:\documents and settings\Barbara\Impostazioni locali\Dati applicazioni\ESET
2010-01-12 09:37 . 2010-01-12 09:37 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\ESET
2010-01-11 21:14 . 2010-01-11 21:15 -------- d-----w- c:\documents and settings\Barbara\Impostazioni locali\Dati applicazioni\Tific
2010-01-11 21:11 . 2010-01-11 21:11 -------- d-----w- c:\documents and settings\Barbara\Dati applicazioni\Tific
2010-01-11 20:42 . 2010-01-11 20:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-11 18:26 . 2010-01-11 18:26 -------- d-----w- c:\documents and settings\Barbara\Impostazioni locali\Dati applicazioni\Symantec
2010-01-06 23:27 . 2010-01-06 23:30 -------- d-----w- c:\programmi\Il Pranzo è Servito
2010-01-05 17:06 . 2010-01-05 17:06 -------- d-----w- c:\programmi\Eidos Interactive
2010-01-05 16:56 . 2010-01-12 08:38 -------- d-----w- c:\programmi\DAEMON Tools Pro
2009-12-23 15:16 . 2008-11-20 19:19 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-12-23 15:16 . 2008-11-20 19:19 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-12-23 15:16 . 2009-12-23 15:17 -------- d-----w- c:\documents and settings\Barbara\Impostazioni locali\Dati applicazioni\Google
2009-12-23 15:15 . 2009-12-23 15:15 -------- d-----w- c:\windows\system32\IOSUBSYS
2009-12-20 20:46 . 2009-12-20 20:46 -------- d-----w- c:\programmi\Youdagames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 12:11 . 2008-05-24 19:40 -------- d-----w- c:\documents and settings\Barbara\Dati applicazioni\uTorrent
2010-01-12 09:42 . 2008-03-20 17:14 -------- d-----w- c:\programmi\File comuni\Symantec Shared
2010-01-12 09:42 . 2009-03-17 21:52 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Norton
2010-01-12 09:42 . 2008-03-20 17:56 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Symantec
2010-01-12 09:37 . 2006-11-13 10:51 -------- d-----w- c:\programmi\Eset
2010-01-10 14:29 . 2008-10-04 14:43 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Soulseek
2010-01-09 09:03 . 2009-11-22 18:54 -------- d-----w- c:\programmi\Alice ti aiuta
2010-01-09 09:03 . 2009-11-24 18:27 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Motive
2010-01-08 12:47 . 2009-11-22 18:52 -------- d-----w- c:\programmi\Alice Messenger
2010-01-08 12:42 . 2006-11-13 10:04 -------- d--h--w- c:\programmi\InstallShield Installation Information
2010-01-08 12:41 . 2009-11-22 18:50 -------- d-----w- c:\programmi\Telecom Italia
2010-01-07 12:17 . 2008-09-09 07:48 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\NOS
2010-01-06 23:21 . 2010-01-06 23:21 1956528 ----a-w- c:\documents and settings\All Users\Dati applicazioni\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-01-05 16:58 . 2009-12-07 19:29 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\DAEMON Tools Pro
2010-01-04 14:47 . 2009-11-23 09:25 -------- d-----w- c:\programmi\uTorrent
2009-12-23 15:51 . 2006-11-13 18:27 69224 -c--a-w- c:\documents and settings\Barbara\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-12-23 15:15 . 2007-12-15 10:23 -------- d-----w- c:\programmi\Google
2009-12-22 19:03 . 2009-11-26 18:36 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-12-12 14:26 . 2009-11-26 17:20 -------- d-----w- c:\programmi\TuneUp Utilities 2008
2009-12-12 13:42 . 2009-12-12 13:42 -------- d-----w- c:\programmi\File comuni\Adobe AIR
2009-12-12 13:42 . 2009-12-12 13:42 38784 ----a-w- c:\documents and settings\Barbara\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-12 13:42 . 2009-12-12 13:42 38784 ----a-w- c:\documents and settings\Default User\Dati applicazioni\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-09 11:12 . 2001-08-31 12:00 48766 ----a-w- c:\windows\system32\perfc010.dat
2009-12-09 11:12 . 2001-08-31 12:00 348104 ----a-w- c:\windows\system32\perfh010.dat
2009-12-07 20:39 . 2009-12-07 20:09 -------- d-----w- c:\programmi\THE SIMS 2 - COLLECTOR
2009-12-07 19:59 . 2009-12-07 19:59 -------- d-----w- c:\programmi\GUT
2009-12-07 19:38 . 2009-12-07 17:13 -------- d-----w- c:\documents and settings\Barbara\Dati applicazioni\DAEMON Tools Pro
2009-12-07 19:25 . 2009-12-07 17:02 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-07 17:01 . 2009-12-07 15:58 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\WinZip
2009-11-28 10:47 . 2006-11-26 10:45 -------- d-----w- c:\programmi\QuickTime
2009-11-28 10:46 . 2009-11-27 17:02 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Apple Computer
2009-11-28 10:43 . 2009-11-28 10:43 -------- d-----w- c:\programmi\File comuni\Apple
2009-11-28 10:42 . 2009-11-28 10:42 -------- d-----w- c:\programmi\Apple Software Update
2009-11-28 10:42 . 2009-11-28 10:42 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Apple
2009-11-28 09:19 . 2008-02-22 20:48 -------- d-----w- c:\documents and settings\Barbara\Dati applicazioni\Skype
2009-11-28 09:19 . 2008-02-22 20:51 -------- d-----w- c:\documents and settings\Barbara\Dati applicazioni\skypePM
2009-11-26 20:57 . 2009-11-24 19:54 -------- d-----w- c:\programmi\DivX
2009-11-26 20:47 . 2009-11-26 20:47 -------- d-----w- c:\programmi\File comuni\DivX Shared
2009-11-26 17:20 . 2009-11-26 17:20 306432 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-11-26 17:19 . 2009-11-26 17:19 -------- d-----w- c:\programmi\File comuni\Wise Installation Wizard
2009-11-26 16:15 . 2009-11-23 09:31 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\TuneUp Software
2009-11-24 18:17 . 2009-11-24 18:17 -------- d--h--w- c:\documents and settings\All Users\Dati applicazioni\CanonBJ
2009-11-24 18:09 . 2009-11-24 18:09 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Bluetooth
2009-11-24 17:45 . 2006-11-25 17:25 -------- d-----w- c:\programmi\Soulseek
2009-11-24 17:41 . 2006-11-15 11:13 -------- d-----w- c:\programmi\Canon
2009-11-24 17:15 . 2009-11-24 15:44 32 ----a-w- c:\documents and settings\All Users\Dati applicazioni\ezsid.dat
2009-11-24 15:14 . 2006-11-13 11:05 -------- d-----w- c:\programmi\Microsoft Works
2009-11-23 10:00 . 2009-11-23 10:00 -------- d-----w- c:\documents and settings\LocalService\Dati applicazioni\TuneUp Software
2009-11-23 09:32 . 2009-11-23 09:32 -------- d-----w- c:\documents and settings\Barbara\Dati applicazioni\TuneUp Software
2009-11-23 09:31 . 2009-11-23 09:31 -------- d-sh--w- c:\documents and settings\All Users\Dati applicazioni\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2009-11-22 19:44 . 2009-11-22 19:44 -------- d-----w- c:\programmi\Microsoft Office Outlook Connector
2009-11-22 19:43 . 2008-03-19 19:54 -------- d-----w- c:\programmi\Windows Live
2009-11-22 19:08 . 2009-11-22 19:08 -------- d-----w- c:\documents and settings\Barbara\Dati applicazioni\Motive
2009-11-22 18:56 . 2009-11-22 18:56 -------- d-----w- c:\programmi\File comuni\Motive
2009-11-22 18:56 . 2009-11-22 18:56 -------- d-----w- c:\programmi\Common Files
2009-11-22 18:53 . 2009-11-22 18:53 2232 ----a-w- c:\windows\java\Packages\Data\T31BRVPV.DAT
2009-11-22 18:53 . 2009-11-22 18:53 155995 ----a-w- c:\windows\java\Packages\BVX7VXJR.ZIP
2009-11-22 18:53 . 2009-11-22 18:53 2678 ----a-w- c:\windows\java\Packages\Data\X73BRFNP.DAT
2009-11-22 18:53 . 2009-11-22 18:53 2678 ----a-w- c:\windows\java\Packages\Data\D3JNJ9FX.DAT
2009-11-22 18:53 . 2009-11-22 18:53 2678 ----a-w- c:\windows\java\Packages\Data\EBTBF53J.DAT
2009-11-22 18:53 . 2009-11-22 18:53 2678 ----a-w- c:\windows\java\Packages\Data\WUQYL3DZ.DAT
2009-11-22 18:53 . 2009-11-22 18:53 2678 ----a-w- c:\windows\java\Packages\Data\0G4GPBRP.DAT
2009-10-29 07:40 . 2004-08-19 13:39 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-19 13:39 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-19 13:39 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 21:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2008-01-26 21:36 . 2008-01-26 21:33 2293848 ----a-w- c:\programmi\FLV PlayerFCSetup.exe
2008-01-26 21:33 . 2008-01-26 21:30 3955352 ----a-w- c:\programmi\FLV PlayerRCATSetup.exe
2008-01-26 21:13 . 2008-01-26 21:12 411248 ----a-w- c:\programmi\FLV PlayerRCSetup.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-11-13 10:11 . 2004-05-15 20:10 339968 c:\programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2006-11-15 11:15 . 2004-01-14 01:10 409600 c:\programmi\Canon\Easy-PrintToolBox\bak\BJPSMAIN.EXE

2006-11-13 10:35 . 2005-12-07 21:57 30208 c:\programmi\CyberLink\PowerDVD\bak\PDVDServ.exe

2006-11-13 10:36 . 2006-04-13 10:09 49152 c:\programmi\CyberLink\PowerDVD\Language\bak\Language.exe

2006-11-13 10:51 . 2006-11-13 10:51 917504 c:\programmi\Eset\bak\nod32kui.exe

2003-09-29 22:14 . 2003-09-29 22:14 155648 c:\programmi\File comuni\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe

2007-10-09 15:26 . 2007-09-24 23:11 132496 c:\programmi\Java\jre1.6.0_03\bin\bak\jusched.exe

2006-12-25 11:35 . 2005-12-07 09:26 489472 c:\programmi\Logitech\Video\bak\CameraAssistant.exe

2006-12-25 11:35 . 2005-12-07 09:33 73728 c:\programmi\Logitech\Video\bak\InstallHelper.exe

2006-11-13 10:06 . 2003-03-18 16:39 184320 c:\programmi\ltmoh\bak\Ltmoh.exe

2006-09-01 14:57 . 2006-12-06 09:25 282624 c:\programmi\QuickTime\bak\qttask.exe
2009-11-10 22:08 . 2009-11-10 22:08 417792 c:\programmi\QuickTime\QTTask.exe

2006-03-21 11:19 . 2006-03-21 11:19 69632 c:\programmi\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe

2006-11-13 10:07 . 2004-05-07 02:49 536576 c:\programmi\Synaptics\SynTP\bak\SynTPEnh.exe

2006-11-13 10:07 . 2004-05-07 02:49 98304 c:\programmi\Synaptics\SynTP\bak\SynTPLpr.exe

2006-11-13 18:16 . 2006-11-13 18:16 462848 c:\programmi\Trust\Trust MD3100 USB ADSL MODEM\bak\CnxDslTb.exe

2004-08-19 13:39 . 2004-08-19 13:39 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-19 13:39 . 2008-04-14 02:14 15360 c:\windows\system32\ctfmon.exe

2006-12-25 11:35 . 2004-11-01 16:22 262144 c:\windows\system32\bak\ElkCtrl.exe

2005-12-09 14:32 . 2005-12-09 14:32 225280 c:\windows\system32\bak\LVCOMSX.EXE

2006-11-13 10:38 . 2001-07-09 10:50 155648 c:\windows\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"DAEMON Tools Pro Agent"="c:\programmi\DAEMON Tools Pro\DTProAgent.exe" [2007-06-22 133576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 67584]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-07 88363]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2009-11-10 417792]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe"
"AliceMessenger"="c:\programmi\Alice Messenger\alicemessenger.exe"
"Skype"="c:\programmi\Skype\Phone\Skype.exe" /nosplash /minimized
"DAEMON Tools Pro Agent"="c:\programmi\DAEMON Tools Pro\DTProAgent.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"AliceRE_McciTrayApp"=c:\progra~1\ALICET~1\vendors\AliceRE\content\template\DRIVEN~1\syncer\MCCITR~1.EXE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Programmi\\Last.fm\\LastFM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [13/11/2006 11.03.35 5632]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [06/02/2009 14.23.18 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [06/02/2009 14.24.24 93336]
R2 ekrn;ESET Service;c:\programmi\Eset\ESET NOD32 Antivirus\ekrn.exe [06/02/2009 14.23.36 727720]
R2 Network WanMiniport First Position;Network WanMiniport First Position;c:\programmi\Telecom Italia\WanMiniport1st\srvany.exe [22/11/2009 19.51.52 8192]
R3 IPN2220;acer IPN2220 Wireless LAN Card Driver;c:\windows\system32\drivers\i2220ntx.sys [13/11/2006 11.27.45 140288]
S3 CnxEtP;Trust MD3100 USB ADSL MODEM LAN Adapter Filter Driver;c:\windows\system32\drivers\CnxEtP.sys [13/11/2006 19.16.59 60288]
S3 CnxEtU;Trust MD3100 USB ADSL MODEM Loader;c:\windows\system32\drivers\CnxEtU.sys [13/11/2006 19.16.59 646400]
S3 CnxTgN;Trust MD3100 USB ADSL MODEM LAN Adapter Driver;c:\windows\system32\drivers\CnxTgN.sys [13/11/2006 19.17.00 108771]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [07/12/2009 18.02.56 722416]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-01-08 c:\windows\Tasks\1-Click Maintenance.job
- c:\programmi\TuneUp Utilities 2008\OneClick.exe [2008-01-08 12:31]

2009-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-01-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.blackr.it/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/windows/Java/classes/xmldso.cab
DPF: {FFC1EBAA-5AEC-44AC-A937-B65D8D3ECBE2} - hxxp://aiuto.alice.it/ata/static/instal ... _4-1-5.cab
FF - ProfilePath - c:\documents and settings\Barbara\Dati applicazioni\Mozilla\Firefox\Profiles\mcxhtohz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.blackr.it/
FF - plugin: c:\programmi\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\programmi\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\programmi\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\programmi\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-12 17:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"0140710900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6692)
c:\windows\system32\WININET.dll
c:\programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
c:\programmi\IVT Corporation\BlueSoleil\BTNtService.exe
c:\windows\system32\CTsvcCDA.exe
c:\programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\programmi\Telecom Italia\WanMiniport1st\WanMiniport1st_srv.exe
c:\programmi\CyberLink\Shared files\RichVideo.exe
c:\programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\SOUNDMAN.EXE
c:\windows\AGRSMMSG.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-12 17:50:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-12 16:50

Pre-Run: 17,563,881,472 bytes free
Post-Run: 18,318,749,696 bytes free

- - End Of File - - 06CD162A49616779A5671F30A160B2DD

If you can give me a hand... THANKS!
babaoriley
Newbie
 
Posts: 5
Joined: 12/01/10 13:15
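A note on what stands out in the registry part of the log above, with an added example (my own code, not from the forum thread and not ComboFix's): the dump shows `AntiVirusOverride=1` and `DisableMonitoring=1` under `Security Center`, and `EnableFirewall=0` for the firewall's standard profile. Those values silence Security Center's antivirus warnings, switch off its monitoring, and disable the Windows XP firewall. Third-party security suites set the same values (the Symantec-named subkeys in the log are the kind of entry such a suite leaves behind), so a hit is something to verify, not proof of infection by itself. The script below parses the REGEDIT4-style section of a ComboFix log and flags those settings, plus any `Run` value that is a bare file name rather than a full path (such a name is resolved by path search at logon, so it is worth confirming which file actually runs). The sample input is copied from the log above; the expansion of ComboFix's `HKLM\~\services` shorthand to `HKLM\SYSTEM\CurrentControlSet\Services` is my reading of the log and is marked as an assumption in the code.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the Run, Security Center and firewall-policy lines copied
# from the ComboFix log in the post above (the parser itself is an added
# example, not ComboFix code).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 67584]
"egui"="c:\programmi\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
HIVES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user", "hku": "hkey_users"}

SECURITY_CENTER = "hkey_local_machine\\software\\microsoft\\security center"
FIREWALL_STD = ("hkey_local_machine\\system\\currentcontrolset\\services\\sharedaccess"
                "\\parameters\\firewallpolicy\\standardprofile")


def normalize_key(key: str) -> str:
    """Lower-case a key path and expand hive abbreviations."""
    hive, _, rest = key.strip().lower().partition("\\")
    hive = HIVES.get(hive, hive)
    # Assumption: ComboFix writes HKLM\~\services for HKLM\SYSTEM\CurrentControlSet\Services.
    if rest.startswith("~\\"):
        rest = "system\\currentcontrolset\\" + rest[2:]
    return hive + "\\" + rest if rest else hive


def parse_regedit4(text: str) -> Dict[str, Dict[str, str]]:
    """Return {normalized_key: {value_name: raw_value}} for a REGEDIT4-style dump."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION_RE.match(line)
        if section:
            current = normalize_key(section.group(1))
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = value.group(2).strip()
    return keys


def dword_value(raw: str):
    """Turn 'dword:00000001' or ComboFix's '0 (0x0)' into an int, else None."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def run_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(hive, value name, command) for every value under a CurrentVersion Run key."""
    out = []
    for key, values in keys.items():
        if key.endswith("\\windows\\currentversion\\run"):
            for name, raw in values.items():
                # ComboFix appends ' [date size]' after the quoted command.
                command = raw.split('"')[1] if raw.startswith('"') else raw.split(" [")[0]
                out.append((key.split("\\")[0], name, command))
    return out


def audit(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag Security Center / firewall settings that hide or disable protection."""
    findings = []
    sc = keys.get(SECURITY_CENTER, {})
    if dword_value(sc.get("AntiVirusOverride", "")) == 1:
        findings.append("Security Center: AntiVirusOverride=1 (AV status warnings suppressed)")
    for key, values in keys.items():
        if key.startswith(SECURITY_CENTER + "\\monitoring") and \
           dword_value(values.get("DisableMonitoring", "")) == 1:
            findings.append("Security Center: DisableMonitoring=1 under " + key[len(SECURITY_CENTER) + 1:])
    if dword_value(keys.get(FIREWALL_STD, {}).get("EnableFirewall", "")) == 0:
        findings.append("Windows Firewall: EnableFirewall=0 (standard profile)")
    for hive, name, command in run_entries(keys):
        if "\\" not in command:
            findings.append(f"Run value {name!r} in {hive} uses an unqualified name "
                            f"({command}); resolved by path search, so verify which file runs")
    return findings


if __name__ == "__main__":
    for line in audit(parse_regedit4(SAMPLE_LOG)):
        print(line)
```

On the log above this reports the AntiVirusOverride, two DisableMonitoring and EnableFirewall hits plus the bare `SOUNDMAN.EXE` Run value (which ComboFix itself resolved to c:\windows\SOUNDMAN.EXE in the running-process list). Values that are correct after cleanup are `AntiVirusOverride=0`, `DisableMonitoring=0` and `EnableFirewall=1`, unless a third-party suite that is actually installed manages them.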
