  1. #1

    Comodo Firewall and the "System" application

    I use Comodo Firewall and for a while now I've been seeing this "System" application in Activity/Connections (I don't think it was there before).

    Spybot Search & Destroy finds nothing (but it's been a while since it found anything).
    Malwarebytes says everything is OK.
    AVG 8.5 likewise.

    I did a Google search on the IPs reported by Comodo Firewall:
    41.234.63.113 leads to a telecom in Egypt
    79.113.55.158 leads to a site in Romania

    A slight amount of data traffic shows up even with the browser and mail client closed.

    Do you have any suggestions?

    Thanks in advance
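
    The first thing to do with a report like the one above is tie each remote address to the process that owns the socket. The Python below is an added worked example, not code from this thread or from Comodo: it parses the output of `netstat -ano` (the form Windows XP prints), groups public remote endpoints by owning PID, and singles out rows owned by PID 4, the kernel "System" process, which is where kernel-mode networking such as SMB/NetBIOS (ports 139/445) shows up. The sample output is constructed; only the two remote addresses are the ones reported in the post, every other address, port, state and PID is invented.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output from an Italian Windows XP box.
# The two public remote addresses are the ones reported in the thread; every
# other address, port, state and PID here is invented for the example.
SAMPLE_NETSTAT = """
Connessioni attive

  Proto  Indirizzo locale       Indirizzo esterno      Stato           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       1340
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1034      41.234.63.113:445      SYN_SENT        4
  TCP    192.168.1.10:1050      79.113.55.158:139      SYN_SENT        4
  TCP    192.168.1.10:1102      209.85.229.99:80       ESTABLISHED     1824
  TCP    192.168.1.10:1103      192.168.1.1:80         ESTABLISHED     1824
  UDP    0.0.0.0:137            *:*                                    4
"""

SYSTEM_PID = 4  # the Windows kernel "System" process (SMB/NetBIOS sockets live here)


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); handles '[v6addr]:port' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""  # UDP rows carry no state column
        rhost, rport = split_endpoint(remote)
        entries.append({
            "proto": proto, "local": local, "state": state,
            "remote_host": rhost, "remote_port": rport, "pid": int(parts[-1]),
        })
    return entries


def is_public(host):
    """True for routable addresses; '*', 0.0.0.0, loopback and RFC 1918 space are not."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # '*' or a host name rather than an address
        return False


def public_remotes_by_pid(entries):
    """Map each PID to the public remote endpoints it is talking to."""
    by_pid = defaultdict(list)
    for e in entries:
        if is_public(e["remote_host"]):
            by_pid[e["pid"]].append(f'{e["remote_host"]}:{e["remote_port"]}')
    return dict(by_pid)


def system_public_connections(entries):
    """Rows where PID 4 (System) has a public remote end: the ones to review first."""
    return [e for e in entries
            if e["pid"] == SYSTEM_PID and is_public(e["remote_host"])]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, remotes in sorted(public_remotes_by_pid(rows).items()):
        print(f"PID {pid}: {', '.join(remotes)}")
    for e in system_public_connections(rows):
        print(f"System -> {e['remote_host']}:{e['remote_port']} "
              f"({e['proto']} {e['state']}) on local {e['local']}")
```

    On XP SP2 the real data comes from `netstat -ano` in a command prompt (`-b` adds the executable name) together with `tasklist /svc`, which maps each PID to its process and, for svchost, to the services it hosts; a public remote end on PID 4 is not proof of anything by itself, but it is the line a reviewer would want explained.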

  2. #2
    menatwork (HTML.it user, registered May 2009, 4,330 posts):
    Good evening

    try doing

    Start\Run\control userpasswords2 and tell me which users you see

    download HijackThis and put it on C: in a folder with its name that you have created beforehand.
    Run the executable and click "Do a system scan and save a log"; at the end, save this file with a .TXT extension and attach it to a post on the forum.

  3. #3

  4. #4
    menatwork:
    have you ever seen this IUSR_WFXEXPERT before?

    can you post an HJT log as well?

  5. #5
    I've never seen it,

    I'm working on the HJT log (I don't have ADSL); I'll post it as soon as it's ready.

    Thanks for now.

  6. #6
    I hope this is it....

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 19.01.22, on 25/03/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    D:\Programmi\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\Explorer.EXE
    D:\PROGRA~1\AVG\AVG8\avgemc.exe
    D:\PROGRA~1\AVG\AVG8\avgrsx.exe
    D:\PROGRA~1\AVG\AVG8\avgnsx.exe
    D:\Programmi\AVG\AVG8\avgcsrvx.exe
    D:\Programmi\AceLogix\Free Ram Optimizer\fro.exe
    D:\Programmi\Comodo\Firewall\CPF.exe
    D:\PROGRA~1\AVG\AVG8\avgtray.exe
    D:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\WINDOWS\SYSTEM32\mspaint.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\Programmi\Mozilla Thunderbird\thunderbird.exe
    C:\WINDOWS\SYSTEM32\notepad.exe
    D:\Programmi\Free Download Manager\fdm.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Programmi\TrendMicro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mvrsoft.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\Programmi\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Programmi\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\Programmi\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programmi\Free Download Manager\iefdm2.dll
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - D:\Programmi\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [StartupDelayer] "D:\Programmi\r2 Studios\Startup Delayer\Startup Launcher.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Scarica con Free Download Manager - file://D:\Programmi\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Scarica i video con Free Download Manager - file://D:\Programmi\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Scarica selezionati con Free Download Manager - file://D:\Programmi\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Scarica tutto con Free Download Manager - file://D:\Programmi\Free Download Manager\dlall.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Programmi\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apache2 - Apache Software Foundation - C:\Programmi\Apache Group\Apache2\bin\Apache.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: BvrpKrnl - Unknown owner - D:\Programmi\FaxTools eXPert\BVRPKrnl.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Programmi\Comodo\Firewall\cmdagent.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: MySql - Unknown owner - C:/PROGRAMMI/MYSQL/bin/mysqld-opt.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Programmi\Iomega\AutoDisk\ADService.exe
    O24 - Desktop Component 0: (no name) - file:///E:/pic/scarica.jpg

    --
    End of file - 5704 bytes
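
    A HijackThis log is read by hand, as the next reply does, but the format is regular enough to pre-sort. The Python below is an added example, not from this thread or from the HijackThis project: it parses the `Rx`/`Oxx` entries, flags the markers HijackThis itself writes when it cannot resolve an entry (`(no file)`, `(file missing)`, `(no name)`, `Unknown owner`), and pulls the O23 service lines apart into name, publisher and path so services with a blank or unknown publisher can be checked first. The sample is a constructed excerpt modelled on a few lines of the log above, not the full log; the flags mean "look at this line", not "malware".

```python
import re

# Constructed excerpt in HijackThis log format. It mirrors a handful of lines
# from the log posted above (paths as they appear there); it is not the full log.
SAMPLE_HJT = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM\..\Run: [StartupDelayer] "D:\Programmi\r2 Studios\Startup Delayer\Startup Launcher.exe"
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Apache2 - Apache Software Foundation - C:\Programmi\Apache Group\Apache2\bin\Apache.exe
O23 - Service: BvrpKrnl - Unknown owner - D:\Programmi\FaxTools eXPert\BVRPKrnl.exe
O23 - Service: MySql - Unknown owner - C:/PROGRAMMI/MYSQL/bin/mysqld-opt.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# "O23 - Service: name - publisher - path"; the publisher may be empty, in which
# case the log shows "name - - path", hence the optional space before the dash.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>.+)$")

# Markers HijackThis writes when it cannot resolve an entry. They do not mean
# "malware"; they mean "a human should look at this line".
FLAGS = (
    ("(no file)", "points at a file that no longer exists (orphaned entry)"),
    ("(file missing)", "referenced file is missing from disk"),
    ("(no name)", "has no display name"),
    ("Unknown owner", "binary carries no recognised publisher"),
)


def parse_entries(text):
    """Return (kind, body) for every 'Oxx - ...' / 'Rx - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(text):
    """Entries carrying at least one marker, with the reasons they were flagged."""
    flagged = []
    for kind, body in parse_entries(text):
        reasons = [why for marker, why in FLAGS if marker in body]
        if reasons:
            flagged.append({"kind": kind, "entry": body, "reasons": reasons})
    return flagged


def services(text):
    """Structured view of the O23 (service) entries."""
    result = []
    for kind, body in parse_entries(text):
        if kind != "O23":
            continue
        m = SERVICE_RE.match(body)
        if m:
            result.append({"name": m.group("name"),
                           "owner": m.group("owner").strip(),
                           "path": m.group("path")})
    return result


def unverified_services(text):
    """Service names whose publisher field is blank or 'Unknown owner'."""
    return [s["name"] for s in services(text)
            if s["owner"] in ("", "Unknown owner")]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f['kind']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"    - {r}")
    print("services to verify by hand:", ", ".join(unverified_services(SAMPLE_HJT)))
```

    The point of splitting the O23 lines is that "Unknown owner" only says the binary has no recognised version information; the path and the installed software decide whether that is expected (a fax tool and a MySQL build here) or not.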

  7. #7
    menatwork:
    the log looks clean

    run this scan for me: download FindAWF

    launch it; in the DOS window that opens press 1 and then Enter; when the scan finishes, copy the report it produces and upload it here

  8. #8
    the filedropper.com link refuses the connection; the log that came out is very small, so I'm posting it here:


    Find AWF report by noahdfear ©2006
    Version 1.40



    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report

  9. #9
    menatwork:
    disable your antivirus

    download ComboFix to the desktop and run it
    (do not install the Recovery Console)
    let the program work without interfering
    attach the report C:\ComboFix.txt in your reply

    try uploading it to this server

  10. #10
    This is the ComboFix log:


    ComboFix 10-03-25.02 - vitren 25/03/2010 21.03.07.4.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1023.687 [GMT 1:00]
    Eseguito da: c:\documents and settings\vitren\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
    .

    ((((((((((((((((((((((((((((((((((((( Altre eliminazioni ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\winhelp.ini
    D:\RegClean.exe

    .
    ((((((((((((((((((((((((( Files Creati Da 2010-02-25 al 2010-03-25 )))))))))))))))))))))))))))))))))))
    .

    2010-03-25 17:59 . 2010-03-25 17:59 388096 ----a-r- c:\documents and settings\vitren\Dati applicazioni\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-03-25 17:59 . 2010-03-25 17:59 -------- d-----w- c:\programmi\TrendMicro
    2010-03-25 17:58 . 2010-03-25 17:58 -------- d-----w- C:\HijackThis
    2010-03-24 07:11 . 2010-03-24 07:21 13824 ----a-w- c:\windows\system32\LAYOUT.DLL
    2010-03-17 14:25 . 2010-01-06 12:13 506368 ----a-w- c:\windows\system32\sqlite3.dll
    2010-03-09 09:43 . 2010-03-09 09:44 -------- d-----w- c:\windows\system32\wbem\Repository

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-22 09:31 . 2009-04-02 23:31 768 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-03-09 14:56 . 2009-04-04 22:41 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-02-19 12:55 . 2010-02-19 12:55 -------- d-----w- c:\documents and settings\vitren\Dati applicazioni\SQLyog
    2010-02-15 13:35 . 2010-02-15 13:35 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-01-12 21:02 . 2009-09-19 11:54 5115824 ----a-w- c:\windows\All Users\Dati applicazioni\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-11 22:38 . 2010-01-11 22:38 79488 ----a-w- c:\documents and settings\vitren\Dati applicazioni\Sun\Java\jre1.6.0_17\gtapi.dll
    2010-01-07 15:07 . 2009-08-25 23:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 15:07 . 2009-08-25 23:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-03-11 09:06 . 2009-03-11 09:06 11267 ---h--w- c:\programmi\folder.htt
    .

    ((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* i valori vuoti & legittimi/default non sono visualizzati.
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "d:\programmi\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-11-25 12:03 1230080 ----a-w- d:\programmi\AVG\AVG8\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "d:\programmi\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "d:\programmi\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
    @="{7D688A77-C613-11D0-999B-00C04FD655E1}"
    [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
    2008-07-03 14:14 8483840 ----a-w- c:\windows\SYSTEM32\shell32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "StartupDelayer"="d:\programmi\r2 Studios\Startup Delayer\Startup Launcher.exe" [2009-03-08 73728]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMMyPictures"= 0 (0x0)
    "NoStartMenuMyMusic"= 0 (0x0)
    "NoRecentDocsNetHood"= 0 (0x0)
    "NoSimpleStartMenu"= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMMyPictures"= 0 (0x0)
    "NoStartMenuMyMusic"= 0 (0x0)
    "NoRecentDocsNetHood"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-09-28 07:17 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "avg8wd"=2 (0x2)
    "avg8emc"=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "HP Component Manager"="c:\programmi\HP\HPCORETECH\HPCMPMGR.EXE"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "d:\\Programmi\\Namo\\WebEditor 5\\bin\\WebEditor.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "d:\\Programmi\\FaxTools eXPert\\BvrpKrnl.exe"=
    "d:\\Programmi\\FaxTools eXPert\\FaxTools.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP"= 135:TCP:Port DCOM (135)

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [05/05/2009 21.14.33 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [05/05/2009 21.14.48 108552]
    R3 atirage;atirage;c:\windows\SYSTEM32\DRIVERS\atiragem.sys [02/04/2009 20.30.09 70784]
    S2 A4SII300;A4SII300;c:\windows\SYSTEM32\DRIVERS\a4sii300.sys [23/11/2009 13.49.06 25632]
    S3 BvrpKrnl;BvrpKrnl;d:\programmi\FaxTools eXPert\BvrpKrnl.exe [26/05/2009 8.29.34 548864]
    S3 SFC4;SFC4;c:\windows\system32\drivers\SFC4.sys --> c:\windows\system32\drivers\SFC4.sys [?]
    S3 V90drv;v90drv;c:\windows\SYSTEM32\DRIVERS\v90drv.sys [16/04/2009 14.11.28 1412352]
    S4 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [18/05/2009 16.56.25 908056]
    S4 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [18/05/2009 16.56.25 297752]

    --- Altri Servizi/Drivers In Memoria ---

    *Deregistered* - PROCEXP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    2001-03-23 15:17 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
    .
    .
    ------- Scansione supplementare -------
    .
    uStart Page = hxxp://www.mvrsoft.it/
    mLocal Page = c:\windows\SYSTEM\blank.htm
    mStart Page = about:blank
    mWindow Title = Microsoft Internet Explorer
    IE: Scarica con Free Download Manager - file://d:\programmi\Free Download Manager\dllink.htm
    IE: Scarica i video con Free Download Manager - file://d:\programmi\Free Download Manager\dlfvideo.htm
    IE: Scarica selezionati con Free Download Manager - file://d:\programmi\Free Download Manager\dlselected.htm
    IE: Scarica tutto con Free Download Manager - file://d:\programmi\Free Download Manager\dlall.htm
    DPF: DirectAnimation Java Classes
    DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\vitren\Dati applicazioni\Mozilla\Firefox\Profiles\1deqojia.default\
    FF - prefs.js: browser.startup.homepage - hxxp://it.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://it.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_it&p=
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-25 21:09
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scansione processi nascosti ...

    scansione entrate autostart nascoste ...

    Scansione files nascosti ...

    Scansione completata con successo
    Files nascosti: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet007\Services\MySql]
    "ImagePath"="C:/PROGRAMMI/MYSQL/bin/mysqld-opt.exe"

    [HKEY_LOCAL_MACHINE\System\ControlSet007\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""

    [HKEY_LOCAL_MACHINE\System\ControlSet007\Services\MySql]
    "ImagePath"="C:/PROGRAMMI/MYSQL/bin/mysqld-opt.exe"
    .
    Ora fine scansione: 2010-03-25 21:13:50
    ComboFix-quarantined-files.txt 2010-03-25 20:13
    ComboFix2.txt 2009-08-26 09:06
    ComboFix3.txt 2009-08-26 08:04
    ComboFix4.txt 2009-08-26 07:57
    ComboFix5.txt 2010-03-25 20:01

    Pre-Run: 1.385.447.424 byte disponibili
    Post-Run: 1.354.244.096 byte disponibili

    Current=7 Default=7 Failed=6 LastKnownGood=4 Sets=1,2,3,4,6,7
    - - End Of File - - 456BF7E084BB3812A6200F1461061E6C
