Hi tecnico, thank you for your interest. I did as you told me: I ran ComboFix both in safe mode and in extended mode, but nothing changed, everything remains the same. Below is the log generated by ComboFix, and thanks again.
****************************************************************
ComboFix 07-09-18 - "Amministratore" 2007-09-18 2.22.04.2 - NTFSx86
.
((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
.
2007-09-18 02:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-18 02:13 1,483,632 --a------ C:\ComboFix.exe
2007-09-18 01:50 268,435,456 C:\WINDOWS\system32\temppf.sys
2007-09-17 01:00 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dati applicazioni
2007-09-17 01:00 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Avvio
2007-09-17 01:00 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Risorse di stampa
2007-09-17 01:00 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Risorse di rete
2007-09-17 01:00 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Modelli
2007-09-17 01:00 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Impostazioni locali
2007-09-17 01:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Preferiti
2007-09-17 01:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Documenti
2007-09-16 22:40 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-09-11 21:40 <DIR> d-------- C:\tool
2007-08-26 22:31 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-12 03:53 --------- d-------- C:\Programmi\Google
2007-08-26 21:03 --------- d-------- C:\Programmi\Motive
2007-08-15 12:37 --------- d-------- C:\Programmi\Windows Media Connect 2
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-21 00:58 --------- d-------- C:\DOCUME~1\AMMINI~1\DATIAP~1\BlehMagsSoft
2007-06-26 08:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 15:30 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2006-11-12 19:17 94080 --a------ C:\DOCUME~1\AMMINI~1\DATIAP~1\ezplay.sys
2006-11-12 19:17 81920 --a------ C:\DOCUME~1\AMMINI~1\DATIAP~1\ezpinst.exe
2006-11-12 19:16 47360 --a------ C:\DOCUME~1\AMMINI~1\DATIAP~1\pcouffin.sys
2006-07-23 17:05 443774 --a------ C:\Programmi\ac3filter_1_01a_rc5.exe
2006-07-20 23:53 4677596 --a------ C:\Programmi\eMule0.47a-Installer.exe
2006-07-20 23:26 1110473 --a------ C:\Programmi\wrar360b6it.exe
2006-07-20 23:12 2855080 --a------ C:\Programmi\aawsepersonal.exe
2001-11-23 06:08 712704 --a------ C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^BTTray.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.dll,CMICtrlWnd
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CnxTrApp]
rundll32.exe "C:\Programmi\Pirelli\Access Gateway USB Network\CnxTrApp.dll",AppEntry -REG "Pirelli\Access Gateway USB"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Programmi\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAME PROC]
C:\DOCUME~1\AMMINI~1\DATIAP~1\BLEHMA~1\eachthat.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Programmi\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_Hazafibb]
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-18 02:23:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-18 2.24.06
C:\ComboFix-quarantined-files.txt ... 2007-09-18 02:23
C:\ComboFix2.txt ... 2007-09-18 02:15
.
--- E O F ---
