The Zeus News Forums (Olimpo Informatico)
worm TR/gorshok.A
Forum section: Pronto Soccorso Virus (Virus First Aid)
luca.b777
Posted: 22 Dec 2007 00:24    Subject: worm TR/gorshok.A

Hi everyone, I'm new to the forum.
The other day, because of various problems, I uninstalled the McAfee 8.0 antivirus to install Avira AntiVir Personal Edition. On the first disk scan it caught around twenty, maybe more, of the worm TR/gorshok.A. Right after that I ran another scan with Kaspersky online, then one with Avast 0.47 (installed on the second disk) and one with HijackThis, and everything came out clean. What do you think?
I'm attaching part of the AVIRA log to make things clearer.


C:\pagefile.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\' <disco PRINCIPALE>
D:\Programmi\Alwil Software\Avast4\DATA\clnr0.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP103\A0009386.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP104\A0009426.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP107\A0010354.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP107\A0011358.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP108\A0011400.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP109\A0011625.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP110\A0011666.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP111\A0011682.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP111\A0011699.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP112\A0011767.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP114\A0011869.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP116\A0012115.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP118\A0012649.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP119\A0012697.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP120\A0012832.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP120\A0012860.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP121\A0012879.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP123\A0012968.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP124\A0012980.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP124\A0013031.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP125\A0013088.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP125\A0013235.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP126\A0013255.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP127\A0013279.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP128\A0013296.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP129\A0013542.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP129\A0013631.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP98\A0009239.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{E3AECDB5-A3E7-4D11-8472-D14940100A5C}\RP99\A0009306.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
Begin scan in 'E:\' <stoccaggio>
ste_95
Posted: 22 Dec 2007 08:53

Hi

Could you please have this file scanned at www.virustotal.com and then post the results:

D:\Programmi\Alwil Software\Avast4\DATA\clnr0.dll

Could you also post a HijackThis log?
bdoriano (Administrator)
Posted: 22 Dec 2007 10:16

Hi luca.b777,

As ste_95 already told you, follow the instructions in this topic to post the HijackThis log.

PS: if you want, you can introduce yourself here
Orange
Posted: 22 Dec 2007 14:04

To be safe I'm reporting this here too
Quote:

C:\Programmi\Alwil Software\Avast4\DATA\clnr0.dll Infected: Trojan.Win32.Gorshok.a
clnr0.dll is part of Avast: Virus/Worm Cleaner Application. I'd go with a false alarm.

I found this information about it:
Quote:
Trojan.Win32.Gorshok.a is a new warning message that is introduced by a rogue anti-spyware program, which is a form of fake malicious software engineered by Internet hackers.

Since when has Avast become a fake? It could also be down to the heuristics of those 4 AVs that flag it as infected...

I'm curious: are the Avast developers aware of this?
luca.b777
Posted: 22 Dec 2007 15:45

Virustotal.com gave me:

Informazioni addizionali
File size: 70766 bytes
MD5: cc400dbd803bdd1a3ef5d65868bccf82
SHA1: 7a922decc2e61dc0215ef5532dfc688172d108fc
PEiD: -

and the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22.26.33, on 21/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\ATKKBService.exe
C:\Programmi\Comodo\Firewall\cmdagent.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://codecs.r8.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programmi\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmi\Comodo\Firewall\cmdagent.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Orange
Posted: 22 Dec 2007 21:25

luca.b777 wrote:
Virustotal.com gave me:

Informazioni addizionali
File size: 70766 bytes
MD5: cc400dbd803bdd1a3ef5d65868bccf82
SHA1: 7a922decc2e61dc0215ef5532dfc688172d108fc
PEiD: -

Maybe you didn't copy the whole response...

Even so, I still think it's a false positive, given the location where it's being detected: D:\System Volume Information\_restore. It's enough to disable System Restore and then re-enable it to delete all the threats.

Ah, the HJT log is clean.
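The triage Orange describes above, as an added Python example that is not from this thread: parse an Avira-style report, separate hits inside System Restore points from hits on live files, and see how many real files are actually flagged per signature. The sample log is constructed to mirror the thread's format; the restore-point GUID and the A000000x.dll names in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample in Avira's report layout: the clnr0.dll path is the one from the
# thread, the restore-point GUID and the A000000x.dll names are made up.
SAMPLE_LOG = r"""
D:\Programmi\Alwil Software\Avast4\DATA\clnr0.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP103\A0000001.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
D:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP104\A0000002.dll
[DETECTION] Is the Trojan horse TR/Gorshok.A
[WARNING] The file was ignored!
C:\pagefile.sys
[WARNING] The file could not be opened!
"""

# System Restore keeps copies of changed files under _restore{GUID}\RPnnn\; a hit
# there is a snapshot of a file that was (or still is) on the live file system.
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9a-f-]+\}\\RP\d+\\", re.IGNORECASE)


def parse_avira_log(text):
    """Return (path, signature) pairs; a [WARNING]-only entry is not a detection."""
    hits, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[DETECTION]") and current:
            hits.append((current, line.split()[-1]))  # last token is the signature
        elif line and not line.startswith("["):
            current = line  # a bare path line opens a new report entry
    return hits


def triage(hits):
    """Per signature: live file paths to verify vs. count of restore-point copies."""
    report = defaultdict(lambda: {"live": [], "restore_point": 0})
    for path, sig in hits:
        if RESTORE_POINT.search(path):
            report[sig]["restore_point"] += 1
        else:
            report[sig]["live"].append(path)
    return dict(report)


def summarize(report):
    """One triage line per signature, in the order the signatures were first seen."""
    return [f"{sig}: {len(e['live'])} live file(s) to verify by hash, "
            f"{e['restore_point']} restore-point copies" for sig, e in report.items()]
```

Only the live files need a hash lookup on a multi-engine service such as VirusTotal; the restore-point copies are what disabling and re-enabling System Restore clears.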
luca.b777
Posted: 23 Dec 2007 13:33

Here is the full VirusTotal log:

File iNews.htm received on 12.22.2007 09:41:49 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.22.10 2007.12.21 -
AntiVir 7.6.0.46 2007.12.21 -
Authentium 4.93.8 2007.12.21 -
Avast 4.7.1098.0 2007.12.21 -
AVG 7.5.0.503 2007.12.21 -
BitDefender 7.2 2007.12.22 -
CAT-QuickHeal 9.00 2007.12.22 -
ClamAV 0.91.2 2007.12.22 -
DrWeb 4.44.0.09170 2007.12.21 -
eSafe 7.0.15.0 2007.12.20 -
eTrust-Vet 31.3.5395 2007.12.21 -
Ewido 4.0 2007.12.21 -
FileAdvisor 1 2007.12.22 -
Fortinet 3.14.0.0 2007.12.22 -
F-Prot 4.4.2.54 2007.12.21 -
F-Secure 6.70.13030.0 2007.12.21 -
Ikarus T3.1.1.15 2007.12.22 -
Kaspersky 7.0.0.125 2007.12.22 -
McAfee 5191 2007.12.21 -
Microsoft 1.3109 2007.12.22 -
NOD32v2 2740 2007.12.21 -
Norman 5.80.02 2007.12.21 -
Panda 9.0.0.4 2007.12.22 -
Prevx1 V2 2007.12.22 -
Rising 20.23.51.00 2007.12.22 -
Sophos 4.24.0 2007.12.22 -
Sunbelt 2.2.907.0 2007.12.21 -
Symantec 10 2007.12.22 -
TheHacker 6.2.9.167 2007.12.21 -
VBA32 3.12.2.5 2007.12.21 -
VirusBuster 4.3.26:9 2007.12.21 -
Webwasher-Gateway 6.6.2 2007.12.22 -
Additional information
File size: 70766 bytes
MD5: cc400dbd803bdd1a3ef5d65868bccf82
SHA1: 7a922decc2e61dc0215ef5532dfc688172d108fc
PEiD: -