virus

[nerviano]

ciao a tutti ho un prooblema che non riesco a risolvere credo che sia un rootkit o roba del genere che non mi lascia operare in rete ..ho lanciato gmer vi listo il risultato del tab rootkit

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-17 16:57:19
Windows 5.0.2195 Service Pack 3


---- System - GMER 1.0.10 ----

INT 0x31 ? FCEB2DC4
INT 0x33 ? FCEAF204
INT 0x34 ? FCEB4324
INT 0x35 ? FCE85CE4
INT 0x39 ? FD02EDC4
INT 0x3B ? FD01DD44
INT 0x3C ? FCEB51A4
INT 0x3E ? FD019D24
INT 0x3F ? FD019204

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\tracking.log
File C:\WINNT\juhkp1.dll
File C:\WINNT\system32\nul.ugs
File D:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----
qualcuno mi può aiutare??
Grazie

[holifay]

Ciao, è linkoptimizer. Guarda la guida in cima al forum e posta le altre informazioni richieste.

[nerviano]

non funziona,il virus o quello che è non viene debellato....

Grazie

[Simeon]

Sicuro di aver eseguito correttamente tutta la procedura?

Perchè non posti un paio di log? (iniziamo con quello di Avenger così vediamo cosa hai cancellato)

[nerviano]

questo è il log di avenger


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\bhwnotnm

*******************

Script file located at: \??\C:\hbqajlpw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\programmi\xyz.exe altri file eventualmente trovati not found!
Deletion of file C:\programmi\xyz.exe altri file eventualmente trovati failed!

Could not process line:
C:\programmi\xyz.exe altri file eventualmente trovati
Status: 0xc0000034



Folder c:\documents and settings\dkc eventuale cartella utente trovata not found!
Deletion of folder c:\documents and settings\dkc eventuale cartella utente trovata failed!

Could not process line:
c:\documents and settings\dkc eventuale cartella utente trovata
Status: 0xc0000034

Deletion of file c:\windows\hyqtt1.dll la dll nascosta trovata nel vostro log di RKR failed!
Status: 0xc000014f
Deletion of file c:\windows\system32\com4.igp il rootkit con nome riservato trovato nel vostro log di RKR failed!
Status: 0xc000014f

Deletion of folder c:\windows\temp cartella di sistema dove si può annidare il virus, si ricrea all'avvio failed!
Status: 0xc000014f



Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs riga che serve a disattivare il rootkit
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs riga che serve a disattivare il rootkit failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

[holifay]

Ehm, ma come faccio a dirtelo?

Le righe in rosso nella procedura tipo: altri file eventualmente trovati, rootkit con nome riservato trovato nel vostro log di RKR... NON erano ovviamente da mettere nello script, erano solo i commenti per far capire meglio all´utente che legge, cosa mettere all´interno dello script!!

Se vuoi, posta questi log e le altre informazioni richieste, che ti scrivo io o qualcun altro lo script giusto da usare http://forum.html.it/forum/showthrea...04#post9562904

Ciao

[nerviano]

ciao
ho aggiustato il tiro,
ho messo i riferimenti giusti rilevati da rootkit revealer e gmer

posto il log di avenger


ogfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\fanhngbx

*******************

Script file located at: \??\C:\Documents and Settings\nitoohig.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\System Volume Information\tracking.log deleted successfully.
File D:\System Volume Information\tracking.log deleted successfully.
Folder c:\winnt\temp deleted successfully.
Deletion of file c:\windows\juhkp1.dll failed!
Status: 0xc000014f
Deletion of file c:\windows\system32\nul.ugs failed!
Status: 0xc000014f

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.


dopo ho lanciato regSrch.vbs ma mi restituisce un errore di wsscript.exe

si è verificato l'errore di exception (0x00000fd) nell'applicazione alla posizione 0x784ac114.


il problema rimane comunque.

[Simeon]

Diciamo che anche questa volta li hai mancati

Posta:
- un nuovo log di Gmer di Rootkit;
- un log di Gmer di Autostart.

Abilita la visualizzazione dei file nascosti:
Strumenti => Opzioni cartella => Visualizzazione => Visualizza cartelle e file nascosti.

Vai in c:\document and setting e segnala il nome delle cartelle presenti con le relative date di creazione.

Se ti è possibile, non riavviare il pc fino a quando qualcuno non ti fornisce il giusto script da lanciare con The Avenger.

[nerviano]

scusa ma che significa

Posta:
- un nuovo log di Gmer di Rootkit;
- un log di Gmer di Autostart.


Se ti è possibile, non riavviare il pc fino a quando qualcuno non ti fornisce il giusto script da lanciare con The Avenger.

??????????????????????????????????????????

[nerviano]

LOG GMER AUTOSTART


GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-07-21 09:39:13
Windows 5.0.2195 Service Pack 3


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ >>>
Winlogon@Userinit = C:\WINNT\system32\userinit.exe,
Windows@AppInit_DLLs = \\?\C:\WINNT\system32\nul.ugs

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
bdss /*BitDefender Scan Server1*/@ = c:\programmi\file comuni\softwin\bitdefender scan server\bdss.exe /service /*file not found*/
ecomoplus /*Eventi COM avanzati*/@ = C:\WINNT\downlo~1\amak\koiy91sd.exe /*file not found*/
LIVESRV /*BitDefender Desktop Update Service*/@ = c:\programmi\file comuni\softwin\bitdefender update service\livesrv.exe /service /*file not found*/
McShield /*McAfee.com McShield*/@ = c:\PROGRA~1\mcafee.com\vso\mcshield.exe
McTskshd.exe /*McAfee Task Scheduler*/@ = c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
RemoteRegistry /*Servizio Registro di sistema remoto*/@ = %SystemRoot%\system32\regsvc.exe
SBService /*ScriptBlocking Service*/@ = C:\Programmi\File comuni\Symantec Shared\Script Blocking\SBServ.exe
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\system32\MSTask.exe
SNMP /*Servizio SNMP*/@ = %SystemRoot%\System32\snmp.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
TrcBoot@ = %SystemRoot%\System32\drivers\trcboot.exe
UpdLla /*UpdLla*/@ = "C:\Programmi\File comuni\Microsoft Shared\fzZ.exe" /*file not found*/
VSSERV /*BitDefender Virus Shield*/@ = c:\programmi\softwin\bitdefender9\vsserv.exe /service /*file not found*/
WinMgmt /*Strumentazione gestione Windows*/@ = %SystemRoot%\System32\WBEM\WinMgmt.exe
winvnc /*VNC Server*/@ = "C:\Programmi\RealVNC\WinVNC\WinVNC.exe" -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@SiS TrayC:\WINNT\System32\sistray.EXE = C:\WINNT\System32\sistray.EXE
@SiS KHookerC:\WINNT\System32\khooker.exe = C:\WINNT\System32\khooker.exe
@WinVNC"C:\Programmi\RealVNC\WinVNC\WinVNC.exe" -servicehelper = "C:\Programmi\RealVNC\WinVNC\WinVNC.exe" -servicehelper
@Client Access Service"C:\Programmi\IBM\Client Access\cwbsvstr.exe" = "C:\Programmi\IBM\Client Access\cwbsvstr.exe"
@Client Access Help Update"C:\Programmi\IBM\Client Access\cwbinhlp.exe" = "C:\Programmi\IBM\Client Access\cwbinhlp.exe"
@Client Access Check Version"C:\Programmi\IBM\Client Access\cwbckver.exe" LOGIN = "C:\Programmi\IBM\Client Access\cwbckver.exe" LOGIN
@Client Access Express Welcome"C:\Programmi\IBM\Client Access\cwbwlwiz.exe" = "C:\Programmi\IBM\Client Access\cwbwlwiz.exe"
@VSOCheckTask"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr. exe" /checktask = "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
@VirusScan OnlineC:\Programmi\McAfee.com\VSO\mcvsshld.exe = C:\Programmi\McAfee.com\VSO\mcvsshld.exe
@OASClntC:\Programmi\McAfee.com\VSO\oasclnt.exe = C:\Programmi\McAfee.com\VSO\oasclnt.exe
@MCAgentExec:\PROGRA~1\mcafee.com\agent\mcagent.ex e = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
@MCUpdateExec:\PROGRA~1\mcafee.com\agent\mcupdate. exe = c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
@jrph1.exeC:\WINNT\TEMP\jrph1.exe /*file not found*/ = C:\WINNT\TEMP\jrph1.exe /*file not found*/
@CleanUpC:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup = C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
RunOnce@wextract_cleanup0 = C:\Documents and Settings\larosio\Desktop\W95ws2setup.exe /D:C:\Documents and Settings\larosio\Desktop\MSE000\
ShellServiceObjectDelayLoad@WebCheck =

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved >>>
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DL L = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DL L
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DL L

HKLM\Software\Classes\*\shellex\ContextMenuHandler s\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandler s@{CFC7205E-2792-4378-9591-3879CC6C9022} = c:\progra~1\mcafee.com\vso\mcvsshl.dll

HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers@{CFC7205E-2792-4378-9591-3879CC6C9022} = c:\progra~1\mcafee.com\vso\mcvsshl.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects@{9652016C-5329-3FBA-9DFA-ED81CE17C7D2} = C:\WINNT\juhkp1.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINNT\Webshots.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SU B_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=hom e
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\WINNT\System32\blank.htm = C:\WINNT\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
its@CLSID = C:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DL L
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DL L
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Param eters\Interfaces\{018234E8-8ECE-4956-9C34-6ECD92F26CB4} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.0.63 = 192.168.0.63
@NameServer151.1.1.1,151.99.125.2 = 151.1.1.1,151.99.125.2
@DefaultGateway192.168.0.5 = 192.168.0.5
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Param eters\Interfaces\{24C96865-7E76-4C63-A752-F30948F5F12B} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.0.63 = 192.168.0.63
@NameServer151.1.1.1 = 151.1.1.1
@DefaultGateway192.168.0.5 = 192.168.0.5
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ >>>
000000000001@LibraryPath = C:\WINNT\System32\wspwsp.dll
000000000002@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = C:\WINNT\System32\wspwsp.dll
000000000002@PackedCatalogItem = C:\WINNT\System32\wspwsp.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000004@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000005@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\0000000 00016@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

C:\Documents and Settings\All Users.WINNT\Menu Avvio\Programmi\Esecuzione automatica = EPSON Status Monitor 3 Environment Check.lnk

---- EOF - GMER 1.0.10 ----


GMER ROOTKIT LOG

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-21 10:17:30
Windows 5.0.2195 Service Pack 3


---- System - GMER 1.0.10 ----

INT 0x31 ? FCEB2B44
INT 0x33 ? FCEB1D44
INT 0x34 ? FCEB3044
INT 0x35 ? FCE83DC4
INT 0x39 ? FD03FD04
INT 0x3B ? FCFF4044
INT 0x3C ? FCEB2DC4
INT 0x3E ? FCFF2B24
INT 0x3F ? FD02B044
---- Processes - GMER 1.0.10 ----

Library C:\WINNT\juhkp1.dll (*** hidden *** ) @ C:\WINNT\Explorer.EXE [832] 0x02040000 <-- ROOTKIT !!!

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\tracking.log
File C:\WINNT\juhkp1.dll
File C:\WINNT\juhkp1.upd
File C:\WINNT\system32\nul.ugs
File D:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----