Originariamente inviato da czdan
Buonasera a tutti sono stato evidentemente infettato da un maledetto trojan in azienda, il quale, simultaneamente appare su alcuni PC e su altri no. Ma cominciamo da questo il quale è l' unico ad avere W2k+sp4.
L' antivirus è McAfee Ver.5.0.0 Patch 003
Compaiono i seguenti due messaggi:
"File eliminato - jrinckqx.iku
Artemis! D0E0C049ED70
C:\Winnt\System32\jrinckqx.iku"
"File eliminato - at1.job
W32/Conflicker.worm!job
C:\Winnt\Tasks\At1.job"
Premesso che ho seguito le istruzioni indicate nel seguente link
http://forum.html.it/forum/showthre...threadid=811189
Ho inoltre il problema che, tra l' altro non riesco ad aggiornare W2k tramite Windows Update.
Dice che è impossibile visualizzare la pagina richiesta a causa di un errore, dopo aver premuto il pulsante di ricerca aggiornamenti necessari.
allego il log di hijack
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.23.52, on 25/11/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\system32\CRYPSERV.EXE
C:\Programmi\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Programmi\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe
C:\Programmi\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Programmi\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Programmi\File comuni\Rockwell\RNADiagnosticsSrv.exe
C:\WINNT\Explorer.EXE
C:\Programmi\File comuni\Siemens\S7IEPG\s7oiehsx.exe
C:\WINNT\system32\MSTask.exe
C:\Programmi\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe
C:\Programmi\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programmi\File comuni\Siemens\sws\almsrv\almsrvx.exe
C:\Programmi\File comuni\Siemens\S7ubtoox\s7ubtstx.exe
C:\Programmi\McAfee\Managed VirusScan\DesktopUI\XTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Programmi\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\svchost.exe
C:\Programmi\File comuni\Siemens\Sqlany\dbsrv7.exe
C:\WINNT\system32\svchost.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S7UB Start] "C:\Programmi\File comuni\Siemens\S7ubtoox\s7ubtstx.exe" -StartDB
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MVS Splash] "C:\Programmi\McAfee\Managed VirusScan\DesktopUI\XTray.exe"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Programmi\McAfee\Managed VirusScan\Agent\StartMyagtTry.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programmi\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O4 - Global Startup: Service Manager.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone:
http://*.mcafee.com (HKLM)
O15 - Trusted Zone:
http://betavscan.mcafeeasap.com (HKLM)
O15 - Trusted Zone:
http://vs.mcafeeasap.com (HKLM)
O15 - Trusted Zone:
http://www.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone:
http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone:
http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone:
http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone:
http://www.mcafeeasap.com (HKLM)
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) -
http://vs.mcafeeasap.com/MC/ITA/VS40...0505013257.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://www.update.microsoft.com/wind...?1259049548007
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsof...?1258974827961
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} -
http://www.exor-rd.com/uniop-service/designer/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ITCO.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD99FF08-4FC5-423E-B656-06D0EE185860}: NameServer = 192.168.0.1,213.140.2.43,213.140.2.49
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ITCO.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ITCO.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: 1784-PCIDS DeviceNet - Rockwell Automation - C:\Programmi\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe
O23 - Service: Automation License Manager Service (almservice) - SIEMENS AG - C:\Programmi\File comuni\Siemens\sws\almsrv\almsrvx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINNT\SYSTEM32\CRYPSERV.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Programmi\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: EngineServer - McAfee, Inc. - C:\Programmi\McAfee\Managed VirusScan\VScan\EngineServer.exe
O23 - Service: Google Update Service (gupdate1c9ae37e455b3b7) (gupdate1c9ae37e455b3b7) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\rsobserv.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: Servizio di protezione antivirus e antispyware di McAfee (myAgtSvc) - McAfee, Inc. - C:\Programmi\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINNT\system32\OpcEnum.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Software - C:\Programmi\File comuni\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: SIMATIC IEPG Help Service (s7oiehsx) - SIEMENS AG - C:\Programmi\File comuni\Siemens\S7IEPG\s7oiehsx.exe
O23 - Service: 1789-SIM Simulator Module (SimModuleService) - Unknown owner - C:\Programmi\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - Unknown owner - C:\VEXPLITE\viritsvc.exe
--
End of file - 8751 bytes