I ran ComboFix
here is the result



ComboFix 10-09-19.04 - Administrator 20/09/2010 18.13.25.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.3583.2963 [GMT 2:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {00000002-0002-0000-7C25-9E7C08000A00}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Dati applicazioni\inst.exe

.
((((((((((((((((((((((((( Files Creati Da 2010-08-20 al 2010-09-20 )))))))))))))))))))))))))))))))))))
.

Nessun nuovo file creato in questo arco di tempo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2010-02-14 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2010-02-14 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2004-08-03 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0a452a47-c5a8-4854-a237-4b9b06b376f0}"= "c:\programmi\Gossiper\tbGos1.dll" [2010-05-18 2515552]
"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\programmi\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

[HKEY_CLASSES_ROOT\clsid\{0a452a47-c5a8-4854-a237-4b9b06b376f0}]

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0a452a47-c5a8-4854-a237-4b9b06b376f0}]
2010-05-18 22:16 2515552 ----a-w- c:\programmi\Gossiper\tbGos1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 17:22 333192 ----a-w- c:\programmi\AskBarDis\bar\bin\askBar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]
2010-05-09 09:50 2517088 ----a-w- c:\programmi\ZoneAlarm\tbZone.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\programmi\AskBarDis\bar\bin\askBar1.dll" [2008-10-16 333192]
"{0a452a47-c5a8-4854-a237-4b9b06b376f0}"= "c:\programmi\Gossiper\tbGos1.dll" [2010-05-18 2515552]
"{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}"= "c:\programmi\ZoneAlarm\tbZone.dll" [2010-05-09 2517088]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{0a452a47-c5a8-4854-a237-4b9b06b376f0}]

[HKEY_CLASSES_ROOT\clsid\{66f2e20d-0da8-4c11-a9c8-dd8477b88acd}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\programmi\AskBarDis\bar\bin\askBar1.dll" [2008-10-16 333192]
"{0A452A47-C5A8-4854-A237-4B9B06B376F0}"= "c:\programmi\Gossiper\tbGos1.dll" [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{0a452a47-c5a8-4854-a237-4b9b06b376f0}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-10-28 94208]
"RocketDock"="c:\programmi\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Google Update"="c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2008-12-17 133104]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" [2007-06-15 1826816]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"UnlockerAssistant"="c:\programmi\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"AVG9_TRAY"="c:\progra~1\AVG\AVGLS9\avgtray.exe" [2010-07-27 2065760]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"ISW"="c:\programmi\CheckPoint\ZAForceField\ForceField.exe" [2010-05-26 730600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\GIOCHI\\Worms 4 Mayhem\\WORMS 4 MAYHEM.EXE"=
"c:\\Programmi\\GameSpy Arcade\\Aphex.exe"=
"d:\\GIOCHI\\TmNationsForever\\TmForever.exe"=
"c:\\Programmi\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
"c:\\Programmi\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Programmi\\AVG\\AVGLS9\\avgupd.exe"=
"c:\\Programmi\\AVG\\AVGLS9\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=


R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-04-22 8704]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-04-22 3072]
R4 Vax347b;Vax347b;c:\windows\system32\DRIVERS\Vax347b.sys [2005-04-25 159616]
S0 Vax347s;Vax347s;c:\windows\System32\Drivers\Vax347s.sys [2004-04-30 5248]
S1 AvgLdx86;AVG LinkScanner® AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-07-27 134992]
S1 AvgTdiX;AVG LinkScanner® Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-07-27 243024]
S2 Active@ Disk Monitor;Active@ Disk Monitor;c:\programmi\LSoft Technologies Inc\Active@ Hard Disk Monitor\DiskMonitorService.exe [2009-09-02 1127944]
S2 ASKService;ASKService;c:\programmi\AskBarDis\bar\bin\AskService.exe [2008-10-16 464264]
S2 avg9wd;AVG LinkScanner®9 WatchDog;c:\programmi\AVG\AVGLS9\avgwdsvc.exe [2010-07-27 308136]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\programmi\CheckPoint\ZAForceField\ISWKL.sys [2010-05-26 26352]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\programmi\CheckPoint\ZAForceField\IswSvc.exe [2010-05-26 493032]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l151x86.sys [2007-07-03 39424]

.
Contenuto della cartella 'Scheduled Tasks'

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1060284298-725345543-500Core.job
- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2008-12-17 22:55]

2010-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1060284298-725345543-500UA.job
- c:\documents and settings\Administrator\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2008-12-17 22:55]

2010-05-16 c:\windows\Tasks\SmartDefrag.job
- c:\programmi\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-03-11 14:48]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1547340
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {F3CBF61A-66F8-4A18-B716-C3761475384A} = 212.216.112.222,212.216.172.162
DPF: Microsoft XML Parser for Java
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-HijackThis - c:\docume~1\ADMINI~1\IMPOST~1\Temp\Rar$EX00.547\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-20 18:22
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-682003330-1060284298-725345543-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:62,d8,de,e9,09,2b,63,0d,10,32,d5,4a,09,70,50,56,e0,8d,24,7d,84,8d,d5,
42,b9,3c,25,8a,7e,ae,22,99,95,42,16,88,47,dd,86,84,14,49,da,73,46,a3,59,cf,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-682003330-1060284298-725345543-500\Software\SecuROM\License information*]
"datasecu"=hex:de,ce,25,37,87,da,4e,78,dd,f3,d5,d2,b4,88,fa,ab,87,8b,02,52,36,
6b,2a,1a,82,6f,79,d1,9c,12,38,4b,03,44,2e,62,3f,6c,69,d6,c5,bd,61,93,d2,bc,\
"rkeysecu"=hex:9f,34,4d,68,15,81,90,59,4f,ef,39,cb,f1,5a,3d,2e
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
c:\programmi\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'lsass.exe'(828)
c:\programmi\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Ora fine scansione: 2010-09-20 18:24:04
ComboFix-quarantined-files.txt 2010-09-20 16:24

Pre-Run: 25.868.156.928 byte disponibili
Post-Run: 26.071.617.536 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EC2D7B204ABA99034CA09A1DD6DA3549