Hello everyone, a colleague here at my workplace has a PC with W2000 + Service Pack 4 which (I am practically certain) is infested with some kind of backdoor and I don't know what else. Already while logging in to the system (after entering username and password), a shell appears showing (roughly, because I don't have the text in front of me):

Code:
PROMPT:cd drivers/etc
Impossibile trovare il percorso
PROMPT: hidden32.exe services32.exe

and that shell stays stuck on that screen. Then the CPU is taken up at 99-100% by the services.exe process, which I cannot kill because it is reported as a critical process.
I ran scans with Spybot S&D and HJT (I don't want to use Kaspersky because I refuse to plug a network cable into that PC, so as to avoid it spreading like wildfire inside my company) and here is the log from the latter:
Logfile of HijackThis v1.99.1
Scan saved at 14.36.35, on 14/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Code:
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmi\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmi\F-Secure\Anti-Virus\fssm32.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\ADSLSE~1.IT\ADSLTI~1.IT\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Programmi\F-Secure\Common\FSMA32.EXE
C:\Programmi\F-Secure\Common\FSMB32.EXE
C:\Programmi\F-Secure\Common\FCH32.EXE
C:\Programmi\F-Secure\Common\FAMEH32.EXE
C:\Programmi\F-Secure\Common\FNRB32.EXE
C:\Programmi\F-Secure\Common\FIH32.EXE
C:\Programmi\F-Secure\Anti-Virus\fsav32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Programmi\Compaq\Compaq EAB Software\cpqek.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\Programmi\Picasa\PicasaMediaDetector.exe
C:\Programmi\F-Secure\Common\FSM32.EXE
C:\WINNT\system32\services.exe
C:\Programmi\Creative\Shared Files\CAMTRAY.EXE
C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programmi\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINNT\system32\internat.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Programmi\winzip\WZQKPICK.EXE
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\HELPExpress\bin\mpbtn.exe
C:\Programmi\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/2Q00CPT/0410/bF8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [cpqek] C:\Programmi\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Sysscan] C:\winnt\system32\drivers\etc\dll.bat
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Programmi\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [DumpFaultCheck] C:\WINNT\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmi\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programmi\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\RunServices: [DumpFaultCheck] C:\WINNT\system32\drivers\csrss.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: HELPExpress.lnk = C:\Programmi\HELPExpress\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\winzip\WZQKPICK.EXE
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesit.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesit.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmi\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Programmi\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmi\F-Secure\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\ADSLSE~1.IT\ADSLTI~1.IT\app\pppoeservice.exe
Any advice?
Edit: Ah, obviously I used the search function first and saw that various other people have had this problem, but I think the entries to delete change from case to case...
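As an added example (not part of the original post, and not HijackThis code), here is a small Python triage script for a log like the one above. The log excerpt it runs on is constructed from entries in the post, and the heuristics it encodes (autostart entries that name a core Windows process, live under a drivers directory, or run a batch file; core processes listed twice) are this example's own rules of thumb, not definitive indicators.

```python
import re
# Assumed heuristics: core processes run once each from %SystemRoot%\system32,
# and are never launched through a Run/RunServices autostart entry.
CORE_PROCESSES = {"csrss.exe", "smss.exe", "services.exe", "winlogon.exe", "lsass.exe"}
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First token ending in an executable extension: covers quoted paths and
# unquoted paths containing spaces, both of which HijackThis prints.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|bat|cmd|com|scr|pif|dll))', re.I)

def check_o4(line):
    """Reasons an O4 autostart line looks suspicious ([] if it looks normal)."""
    m = O4_RE.match(line)
    exe = EXE_RE.match(m.group("cmd").strip()) if m else None
    if not exe:
        return []
    parent, _, base = exe.group(1).lower().rpartition("\\")
    reasons = []
    if base in CORE_PROCESSES:
        reasons.append("core system process name used as autostart entry")
    if "\\drivers" in parent:
        reasons.append("autostart target in a driver/config directory")
    if base.endswith((".bat", ".cmd")):
        reasons.append("autostart runs a batch script")
    return reasons

def duplicate_core_processes(process_lines):
    """Core process names listed more than once under 'Running processes'."""
    counts = {}
    for p in process_lines:
        base = p.strip().lower().rpartition("\\")[2]
        counts[base] = counts.get(base, 0) + 1
    return sorted(n for n in CORE_PROCESSES if counts.get(n, 0) > 1)

def scan(log_text):
    """Triage a whole HijackThis log: flagged O4 lines and duplicated core processes."""
    procs, flagged = [], []
    for line in log_text.splitlines():
        if re.match(r"^[A-Za-z]:\\", line):  # an absolute path: a running process
            procs.append(line)
        elif reasons := check_o4(line):
            flagged.append((line, reasons))
    return {"o4": flagged, "duplicate_core": duplicate_core_processes(procs)}

# Constructed excerpt modelled on the log in the post above.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\services.exe
C:\WINNT\system32\services.exe
O4 - HKLM\..\Run: [Sysscan] C:\winnt\system32\drivers\etc\dll.bat
O4 - HKLM\..\Run: [DumpFaultCheck] C:\WINNT\system32\drivers\csrss.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmi\F-Secure\Common\FSM32.EXE" /splash
"""
```

Running `scan(SAMPLE_LOG)` flags the two autostart entries under `drivers` and reports `services.exe` as listed twice; the quoted F-Secure entry is parsed cleanly and passes.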
