Olimpo Informatico

[miz86miz]

dove trovo combofix?

[bdoriano]

Segui le istruzioni di questo topic per postare il log di combofix.

[miz86miz]

ComboFix 08-01-23.1C - Alfieri 2008-01-26 16.16.53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.152 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Alfieri\Impostazioni locali\Temporary Internet Files\Content.IE5\TTIHP2D7\ComboFix[1].exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2007-12-26 al 2008-01-26 )))))))))))))))))))))))))))))))))))
.

2008-01-26 16:08 . 2008-01-26 16:08 <DIR> d-------- C:\Programmi\Avira
2008-01-26 14:11 . 2008-01-26 14:11 <DIR> d-------- C:\Muestras
2008-01-26 12:52 . 2008-01-26 12:52 <DIR> d-------- C:\WINDOWS\system32\AVGUARD_4810e71b
2008-01-25 22:49 . 2008-01-25 22:49 60,416 --a------ C:\WINDOWS\system32\drivers\emcwasux.sys
2008-01-25 22:41 . 2008-01-25 22:41 60,416 --a------ C:\WINDOWS\system32\drivers\nmjplquu.sys
2008-01-25 22:08 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 17:16 . 2008-01-25 17:16 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-01-25 16:32 . 2008-01-25 16:32 440,794 --a------ C:\WINDOWS\system32\prfh0410.dat
2008-01-25 16:32 . 2008-01-25 16:32 71,076 --a------ C:\WINDOWS\system32\prfc0410.dat
2008-01-01 23:09 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-01-01 23:09 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2007-12-29 20:25 . 2006-03-13 00:14 95,232 -ra------ C:\WINDOWS\system32\HPcam_03.dll
2007-12-29 20:09 . 2007-12-29 20:24 101,293 --a------ C:\WINDOWS\hpiins04.dat
2007-12-29 20:09 . 2006-11-28 08:34 0 --------- C:\WINDOWS\hpimdl04.dat
2007-12-29 20:03 . 2004-08-19 15:39 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-29 20:03 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-29 20:03 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-29 20:03 . 2001-08-30 23:07 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 12:24 --------- d-----w C:\Programmi\eMule
2008-01-25 17:08 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-05 16:22 --------- d-----w C:\Programmi\MSN Messenger
2008-01-05 16:22 --------- d-----w C:\Programmi\Messenger Plus! Live
2007-12-16 16:09 --------- d-----w C:\Programmi\MagicISO
2007-12-13 13:58 --------- d-----w C:\Programmi\File comuni\Nero
2007-12-13 13:54 --------- d-----w C:\Programmi\Nero
2007-12-13 13:43 --------- d-----w C:\Programmi\File comuni\Ahead
2007-12-09 14:20 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-12-09 13:18 --------- d-----w C:\Programmi\Windows Live Toolbar
2007-12-08 23:26 --------- d-----w C:\Programmi\Windows Live
2007-12-08 22:56 --------- d-----w C:\Programmi\Microsoft SQL Server Compact Edition
2007-12-08 22:50 --------- dcsh--w C:\Programmi\File comuni\WindowsLiveInstaller
2007-12-07 10:52 --------- d-----w C:\Programmi\KONAMI
2007-12-07 10:31 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-02 11:44 --------- d-----w C:\Programmi\File comuni\Macrovision Shared
2007-12-02 11:44 --------- d-----w C:\Programmi\File comuni\Adobe
2007-12-01 20:23 290,816 ------w C:\WINDOWS\Setup1.exe
2007-11-16 15:09 65,536 ----a-w C:\WINDOWS\DUMP58be.tmp
2007-11-16 15:05 65,536 ----a-w C:\WINDOWS\DUMP6764.tmp
2007-07-01 12:36 88 --sh--r C:\WINDOWS\system32\E9514C1569.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="C:\Programmi\Microsoft Hardware\Keyboard\type32.exe" [2001-06-12 09:20 69632]
"POINTER"="point32.exe" []
"EPSON Stylus Photo R200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.exe" [2003-09-11 04:00 99840]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 10:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"Jet Detection"="C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 00:00 28672]
"CTStartup"="C:\Programmi\Creative\Splash Screen\CTEaxSpl.exe" [2001-12-20 00:00 28672]
"Motive SmartBridge"="C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe" [2006-04-21 14:41 438359]
"ISUSPM Startup"="C:\Programmi\File comuni\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30 249856]
"ISUSScheduler"="C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30 81920]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2007-07-24 19:15 180269]
"ncoOSCheck"="C:\Programmi\Norton Confidential\osCheck.exe" [ ]
"ALUAlert"="C:\Programmi\Symantec\LiveUpdate\ALuNotify.exe" [ ]
"WinampAgent"="C:\Programmi\Winamp\winampa.exe" [2007-10-10 06:28 36352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:39 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-07-22 10:29]
R3 axvbusx;axvbusx;C:\WINDOWS\system32\DRIVERS\axvbusx.sys [2003-01-31 20:43]
R3 axvscsi;axvscsi;C:\WINDOWS\system32\DRIVERS\axvscsi.sys [2003-01-31 20:43]
S0 rxljosbs;rxljosbs;C:\WINDOWS\system32\drivers\wmvumbsh.sys []
S3 PPJoyBus;Parallel Port Joystick Bus device driver;C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 08:11]
S3 PPortJoystick;Parallel Port Joystick device driver;C:\WINDOWS\system32\drivers\PPortJoy.sys [2004-10-24 08:11]
S3 SpyFighter;SpyFighter Guard Device;C:\Programmi\SPYWAREfighter\spyfighter.sys []
S3 SPYWAREfighterRP;SPYWAREfighterRP;"C:\Programmi\SPYWAREfighter\spfprc.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61a2d7d6-95c0-11dc-8739-00507052436d}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70607b39-6b83-11dc-869f-00507052436d}]
\Shell\Auto\command - UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

*Newly Created Service* - AVGIO
*Newly Created Service* - WS2IFSL
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 16:20:34
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Programmi\Creative\Splash Screen\CTEaxSpl.EXE /run???????h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4???P???d:2????wd??wP???????\???\??????????????w-??w\???\???????@6a??????C@?\???\??????sP???\??????s\???H:2?A??sH:2??C@?x???`|?w\?????@

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-01-26 16.21.24

[bdoriano]

scarica avenger e scompattalo in una sua cartella non temporanea e non sul desktop

Avvia AVENGER
Clicca su input script manually
Clicca sulla lente d'ingrandimento
Inserisci queste righe:

[miz86miz]

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ksywkbbb

*******************

Script file located at: \??\C:\Documents and Settings\xofokmyn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\drivers\hidr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!

Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\srosa.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc0000034



File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!

Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000034



File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!

Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034



File C:\WINDOWS\system32\trusted.exe not found!
Deletion of file C:\WINDOWS\system32\trusted.exe failed!

Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034



Could not open file C:\Documents and Settings\Alfieri\Dati applicazioni\hidires\hidr.exe for deletion
Deletion of file C:\Documents and Settings\Alfieri\Dati applicazioni\hidires\hidr.exe failed!

Could not process line:
C:\Documents and Settings\Alfieri\Dati applicazioni\hidires\hidr.exe
Status: 0xc000003a



Could not open file C:\Documents and Settings\Alfieri\Dati applicazioni\hidires\rosa.sys for deletion
Deletion of file C:\Documents and Settings\Alfieri\Dati applicazioni\hidires\rosa.sys failed!

Could not process line:
C:\Documents and Settings\Alfieri\Dati applicazioni\hidires\rosa.sys
Status: 0xc000003a



Could not open file C:\Documents and Settings\Alfieri\Dati applicazioni\m\data.oct for deletion
Deletion of file C:\Documents and Settings\Alfieri\Dati applicazioni\m\data.oct failed!

Could not process line:
C:\Documents and Settings\Alfieri\Dati applicazioni\m\data.oct
Status: 0xc000003a



Could not open file C:\Documents and Settings\Alfieri\Dati applicazioni\m\flec006.exe for deletion
Deletion of file C:\Documents and Settings\Alfieri\Dati applicazioni\m\flec006.exe failed!

Could not process line:
C:\Documents and Settings\Alfieri\Dati applicazioni\m\flec006.exe
Status: 0xc000003a



Could not open file C:\Documents and Settings\Alfieri\Dati applicazioni\hidires\m_hook.sys for deletion
Deletion of file C:\Documents and Settings\Alfieri\Dati applicazioni\hidires\m_hook.sys failed!

Could not process line:
C:\Documents and Settings\Alfieri\Dati applicazioni\hidires\m_hook.sys
Status: 0xc000003a



File C:\WINDOWS\system32\drivers\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hldrrr.exe failed!

Could not process line:
C:\WINDOWS\system32\drivers\hldrrr.exe
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\hldrrr.ex_ not found!
Deletion of file C:\WINDOWS\system32\drivers\hldrrr.ex_ failed!

Could not process line:
C:\WINDOWS\system32\drivers\hldrrr.ex_
Status: 0xc0000034



File C:\WINDOWS\system32\mdelk.exe not found!
Deletion of file C:\WINDOWS\system32\mdelk.exe failed!

Could not process line:
C:\WINDOWS\system32\mdelk.exe
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\hIdrrr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hIdrrr.exe failed!

Could not process line:
C:\WINDOWS\system32\drivers\hIdrrr.exe
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\EDLM.EXE not found!
Deletion of file C:\WINDOWS\SYSTEM32\EDLM.EXE failed!

Could not process line:
C:\WINDOWS\SYSTEM32\EDLM.EXE
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\EDLM2.EXE not found!
Deletion of file C:\WINDOWS\SYSTEM32\EDLM2.EXE failed!

Could not process line:
C:\WINDOWS\SYSTEM32\EDLM2.EXE
Status: 0xc0000034



File C:\Windows\system32\LDR64.DLL not found!
Deletion of file C:\Windows\system32\LDR64.DLL failed!

Could not process line:
C:\Windows\system32\LDR64.DLL
Status: 0xc0000034



Folder C:\WINDOWS\exefnd not found!
Deletion of folder C:\WINDOWS\exefnd failed!

Could not process line:
C:\WINDOWS\exefnd
Status: 0xc0000034



Folder C:\WINDOWS\exefld not found!
Deletion of folder C:\WINDOWS\exefld failed!

Could not process line:
C:\WINDOWS\exefld
Status: 0xc0000034



Folder C:\Documents and Settings\Alfieri\Dati applicazioni\hidires not found!
Deletion of folder C:\Documents and Settings\Alfieri\Dati applicazioni\hidires failed!

Could not process line:
C:\Documents and Settings\Alfieri\Dati applicazioni\hidires
Status: 0xc0000034

Folder C:\WINDOWS\System32\drivers\down deleted successfully.


Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA deleted successfully.


Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Services\rosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\rosa failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\rosa
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
Status: 0xc0000034

Registry key HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA deleted successfully.


Registry key HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA not found!
Deletion of registry key HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA failed!

Could not process line:
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA
Status: 0xc0000034



Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64 not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64 failed!
Status: 0xc0000034



Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

[bdoriano]

C'è qualcosa che non mi quadra nel log che hai postato.
Fa riferimento a files che non ho inserito nello script precedente.

Da dove hai copiato lo script per avenger?

Fai queste scansioni con GMER e posta i logs su FreeFileHosting come indicato qui.

[miz86miz]

adex mi funziona tutto....ho usato eibeagla e avenger...
devo fare qualcosa?