Blax (Hero in the grace of the gods)
Registered: 02/03/07 19:34 Posts: 97
Posted: 22 Oct 2007 15:03 Subject: * AVG has been disabled and Safe Mode doesn't work
Hi, I think I have a virus because AVG's Resident Shield suddenly got disabled and its icon no longer appears in the taskbar; also Safe Mode no longer starts (when I try, the computer reboots). I'm posting my HijackThis log, tell me where the intruder is and how I can remove it. Thanks everyone
Logfile of HijackThis v1.99.1
Scan saved at 14.57.03, on 22/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
E:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Desktop Search\WindowsSearch.exe
E:\PROGRAMMI\VEXPLITE\viritsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
E:\Programmi\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [WatchDog] E:\Programmi\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Programmi\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - e:\Programmi\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - e:\Programmi\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game10.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Advantage Database Server (Advantage) - Unknown owner - C:\Advantage\ADS.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Programmi\File comuni\BOONTY Shared\Service\Boonty.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - E:\PROGRAMMI\VEXPLITE\viritsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Programmi\Windows Live\installer\WLSetupSvc.exe
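Added example, not part of the thread: a small Python triage pass over HijackThis lines of the kind posted above. It flags the items the replies later single out by hand (a core Windows binary name such as smss.exe launched from a Run key, a BHO registered with "(no file)", a Winlogon Notify DLL outside a small allowlist) plus services whose binary is missing. The core-binary set and the Notify allowlist are assumptions for a stock XP SP2 machine; the sample log is a constructed excerpt of the one above. Name-based rules like these do not catch a loader with an innocuous name (the wintems.exe that appears later in the thread needed a signature-based scanner), which is why the helpers pair this kind of reading with dedicated removal tools.

```python
import ntpath
import re

# Core binaries the OS starts itself; none is ever launched from a Run key, so a
# Run entry pointing at one of these names is a masquerade wherever it lives.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

# Winlogon Notify DLLs accepted without comment. Assumption: the stock XP SP2
# set plus WGA; extend it for the software you expect on the machine.
KNOWN_NOTIFY = {"wgalogon.dll", "crypt32chain.dll", "cryptnet.dll", "cscdll.dll",
                "scardsvr.dll", "schedule.dll", "sclgntfy.dll", "senslogn.dll",
                "termsrv.dll", "wlballoon.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<file>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<file>.+)$")
# First drive-rooted .exe/.dll inside a command line, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)


def triage_hijackthis(text):
    """Return [(section, item, reason)] for log lines that deserve a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = PATH_RE.search(m.group("cmd"))
            if path and ntpath.basename(path.group(1)).lower() in CORE_BINARIES:
                findings.append(("O4", m.group("name"),
                                 "core system binary name in a Run key: " + path.group(1)))
            continue
        m = O2_RE.match(line)
        if m:
            if m.group("file").strip().lower() == "(no file)":
                findings.append(("O2", m.group("clsid"), "orphaned BHO registration"))
            continue
        m = O20_RE.match(line)
        if m:
            if ntpath.basename(m.group("file")).lower() not in KNOWN_NOTIFY:
                findings.append(("O20", m.group("name"),
                                 "Winlogon Notify DLL not in allowlist: " + m.group("file")))
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in m.group("file"):
            findings.append(("O23", m.group("name"), "service binary missing"))
    return findings


# Constructed excerpt of the log above (a handful of its lines, verbatim).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Advantage Database Server (Advantage) - Unknown owner - C:\Advantage\ADS.EXE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for section, item, reason in triage_hijackthis(SAMPLE_LOG):
        print("%-4s %-45s %s" % (section, item, reason))
```

Run it against a full log saved to a file by reading the file into `triage_hijackthis`; the "(file missing)" finding is low priority (a dead service registration), the other three are the ones worth acting on.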
ste_95 (Mature god)
Registered: 03/08/07 14:41 Posts: 1920 Location: Italy
Posted: 22 Oct 2007 15:12 Subject:
common problem by now... follow this guide:
[url]link removed as per the rules[/url]
Quote: | Here is the tool that will help us with the forced removal, download it:
The Avenger
Proceed as follows:
Are you sure you were infected by the malware after opening a file downloaded from P2P networks? Then do this:
First of all, make sure you disable System Restore
Open the tool mentioned above (The Avenger), select "Input script Manually", then click the magnifying glass; a small white window will appear, paste these lines into it:
Files to delete:
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\drivers\pci32.sys
Folders to delete:
C:\WINDOWS\exefnd
C:\WINDOWS\exefld
Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Then click the Done button, then click the little green traffic light and accept; at this point the computer should reboot, and if it doesn't, it's important that you reboot it yourself.
For those who think they were infected in other ways, here is the procedure for you:
Obviously with The Avenger: open it, select "Input script Manually", then click the magnifying glass; a small white window will appear, paste these lines into it:
Files to delete:
%SystemDrive%:\Documents and Settings\%UserProfile%\Dati applicazioni\hidires\m_hook.sys
%SystemDrive%:\Documents and Settings\%UserProfile%\Dati applicazioni\hidires\hidr.exe
%SystemDrive%:\WINDOWS\system32\wintems.exe
%SystemDrive%:\WINDOWS\system32\hldrrr.exe
%SystemDrive%:\Documents and Settings\%UserProfile%\Dati applicazioni\hidires\rosa.sys
Folders to delete:
%SystemDrive%:\Documents and Settings\%UserProfile%\Dati applicazioni\hidires
%SystemDrive%:\WINDOWS\exefld
Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
HKLM\SYSTEM\CurrentControlSet\Services\rosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa
Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr
Then click the Done button, then click the little green traffic light and accept; at this point the computer should reboot, and if it doesn't, it's important that you reboot it yourself.
NB: It's important that, after pasting the lines that apply to you, you replace %SystemDrive% with your system drive, which very often is C, and that in place of %UserProfile% you write your user name.
If there are still problems, run a scan with Kaspersky.
To restore the ability to boot into Safe Mode, download the file attached here, run it, accept, and at this point everything should go back to how it was.
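Added example, not from the guide or the thread: a Python pre-flight check for an Avenger script in the format quoted above. It parses the four section headers (case-insensitively, since the scripts further down use lowercase ones), verifies that each file or folder entry is a drive-rooted path, that the %SystemDrive% and %UserProfile% placeholders the NB asks you to substitute are gone, and that substituting "C:" rather than "C" has not produced a "C::\" path (the template line already carries its own colon after the placeholder, so only the letter goes in). Registry entries must start with a known hive, and a "Registry values to delete" entry must use the "key | name" form. The three sample scripts are constructed from the guide's template and a fictitious user name.

```python
import re

# Section headers The Avenger accepts (case-insensitive), as in the guide above.
SECTION_RE = re.compile(
    r"^(files|folders|registry keys|registry values) to delete:$", re.IGNORECASE)
PLACEHOLDER_RE = re.compile(r"%[A-Za-z_]+%")    # e.g. %SystemDrive%, %UserProfile%
DOUBLE_COLON_RE = re.compile(r"^[A-Za-z]::")    # the "C::\..." substitution mistake
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\.+")   # a proper "C:\..." path
HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKCC\\")


def parse_avenger_script(text):
    """Split an Avenger script into {section: [entries]}, preserving order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def _check_path(entry):
    if PLACEHOLDER_RE.search(entry):
        return "unreplaced placeholder"
    if DOUBLE_COLON_RE.match(entry):
        return "double colon after drive letter"
    if not DRIVE_PATH_RE.match(entry):
        return "not a drive-rooted path"
    return None


def _check_key(key):
    if not key.upper().startswith(HIVES):
        return "registry path does not start with a known hive"
    return None


def validate_avenger_script(text):
    """Return [(section, entry, problem), ...]; an empty list means the script is clean."""
    problems = []
    for section, entries in parse_avenger_script(text).items():
        for entry in entries:
            if section in ("files", "folders"):
                problem = _check_path(entry)
            elif section == "registry keys":
                problem = _check_key(entry)
            else:  # registry values use "key | valuename"
                if " | " not in entry:
                    problem = "registry value needs 'key | name' form"
                else:
                    problem = _check_key(entry.split(" | ", 1)[0])
            if problem:
                problems.append((section, entry, problem))
    return problems


# Constructed samples: the guide's template as written, the same template after
# the wrong substitution ("C:" for %SystemDrive%), and after the right one ("C").
TEMPLATE = r"""Files to delete:
%SystemDrive%:\WINDOWS\system32\wintems.exe
Folders to delete:
%SystemDrive%:\Documents and Settings\%UserProfile%\Dati applicazioni\hidires
Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr
"""
WRONG = TEMPLATE.replace("%SystemDrive%", "C:").replace("%UserProfile%", "user")
RIGHT = TEMPLATE.replace("%SystemDrive%", "C").replace("%UserProfile%", "user")

if __name__ == "__main__":
    for label, script in (("template", TEMPLATE), ("wrong", WRONG), ("right", RIGHT)):
        print(label, validate_avenger_script(script))
```

Running this on a script before pasting it into The Avenger costs nothing and saves a reboot: a "C::\" entry fails with path-not-found for every line, which is exactly what an unvalidated substitution produces.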
Smjert (Mature god)
Registered: 01/04/06 18:19 Posts: 1619 Location: Lost in the net
Posted: 22 Oct 2007 15:42 Subject:
Follow the guide posted by ste_95, but before running the Kaspersky scan do this as well:
Start HijackThis and press Do a system scan only, tick these entries and then press Fix Checked:
Quote: | O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O23 - Service: Boonty Games - BOONTY - C:\Programmi\File comuni\BOONTY Shared\Service\Boonty.exe
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll |
Then, following the guide's instructions, run The Avenger again but use these lines:
Quote: | Files to delete:
C:\WINDOWS\system\smss.exe
C:\WINDOWS\SYSTEM32\ldr64.dll
Folders to delete:
C:\Programmi\File comuni\BOONTY Shared\ |
Then post the content of the Avenger log (it should be called avenger.txt).
ste_95 (Mature god)
Registered: 03/08/07 14:41 Posts: 1920 Location: Italy
Posted: 22 Oct 2007 19:07 Subject:
ste_95 wrote: | common problem by now... follow this guide:
[url]link removed as per the rules[/url] |
I apologise...
Blax (Hero in the grace of the gods)
Registered: 02/03/07 19:34 Posts: 97
Posted: 03 Nov 2007 13:24 Subject:
Guys, I did everything you told me but absolutely nothing has changed. AVG still won't start and Safe Mode still won't boot. I ran Avenger with both scripts ste_95 gave me (seeing that with one of them nothing changed), then I fixed the entries with HijackThis and ran the Avenger script Smjert gave me, then I ran the Kaspersky scan and it detected a number of infected files, but it doesn't delete them, and I'm afraid to delete them manually, because there are also quite a few system files on C:, and to be honest I don't know whether they are infected, because "object is locked" appears instead of the virus name. And then there are a number of viruses inside .zip files, but I think those are harmless as long as you don't open them. Isn't there a Bagle removal tool that detects the virus automatically and removes it by itself? Anyway, here are the Avenger logs and a new HijackThis log.
AVENGER LOG (MODE 1)
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bkfqkirb
*******************
Script file located at: \??\C:\urtpcumn.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\drivers\hidr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!
Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\srosa.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc0000034
File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!
Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000034
File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!
Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\trusted.exe not found!
Deletion of file C:\WINDOWS\system32\trusted.exe failed!
Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034
Folder C:\WINDOWS\exefnd not found!
Deletion of folder C:\WINDOWS\exefnd failed!
Could not process line:
C:\WINDOWS\exefnd
Status: 0xc0000034
Folder C:\WINDOWS\exefld deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
AVENGER LOG (MODE 2)
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jovjascr
*******************
Script file located at: \??\C:\WINDOWS\nnjtmlve.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Could not open file C::\Documents and Settings\Rocco.HOME\Dati applicazioni\hidires\m_hook.sys for deletion
Deletion of file C::\Documents and Settings\Rocco.HOME\Dati applicazioni\hidires\m_hook.sys failed!
Could not process line:
C::\Documents and Settings\Rocco.HOME\Dati applicazioni\hidires\m_hook.sys
Status: 0xc000003a
Could not open file C::\Documents and Settings\Rocco.HOME\Dati applicazioni\hidires\hidr.exe for deletion
Deletion of file C::\Documents and Settings\Rocco.HOME\Dati applicazioni\hidires\hidr.exe failed!
Could not process line:
C::\Documents and Settings\Rocco.HOME\Dati applicazioni\hidires\hidr.exe
Status: 0xc000003a
Could not open file C::\WINDOWS\system32\wintems.exe for deletion
Deletion of file C::\WINDOWS\system32\wintems.exe failed!
Could not process line:
C::\WINDOWS\system32\wintems.exe
Status: 0xc000003a
Could not open file C::\WINDOWS\system32\hldrrr.exe for deletion
Deletion of file C::\WINDOWS\system32\hldrrr.exe failed!
Could not process line:
C::\WINDOWS\system32\hldrrr.exe
Status: 0xc000003a
Could not open file C::\Documents and Settings\Rocco.HOME\Dati applicazioni\hidires\rosa.sys for deletion
Deletion of file C::\Documents and Settings\Rocco.HOME\Dati applicazioni\hidires\rosa.sys failed!
Could not process line:
C::\Documents and Settings\Rocco.HOME\Dati applicazioni\hidires\rosa.sys
Status: 0xc000003a
Could not open folder C::\Documents and Settings\Rocco.HOME\Dati applicazioni\hidires for deletion
Deletion of folder C::\Documents and Settings\Rocco.HOME\Dati applicazioni\hidires failed!
Could not process line:
C::\Documents and Settings\Rocco.HOME\Dati applicazioni\hidires
Status: 0xc000003a
Could not open folder C::\WINDOWS\exefld for deletion
Deletion of folder C::\WINDOWS\exefld failed!
Could not process line:
C::\WINDOWS\exefld
Status: 0xc000003a
Registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\rosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\rosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\rosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa
Status: 0xc0000034
Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
AVENGER LOG (SMJERT'S SCRIPT)
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dxcsbjxx
*******************
Script file located at: \??\C:\Documents and Settings\oksswent.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system\smss.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\ldr64.dll deleted successfully.
Folder C:\Programmi\File comuni\BOONTY Shared deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
HIJACKTHIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 12.21.01, on 03/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
E:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe
E:\PROGRAMMI\VEXPLITE\viritsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
C:\Programmi\iPod\bin\iPodService.exe
D:\Programmi\Mozilla Firefox\firefox.exe
E:\Programmi\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Programmi\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - e:\Programmi\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - e:\Programmi\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game10.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Advantage Database Server (Advantage) - Unknown owner - C:\Advantage\ADS.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - E:\PROGRAMMI\VEXPLITE\viritsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Programmi\Windows Live\installer\WLSetupSvc.exe
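Added example, not the thread's own tooling: a Python parser for The Avenger logs of the form posted above. It separates successful deletions from failures and decodes the NTSTATUS value each failure carries. 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND: the final path component (or registry key) simply does not exist, which is what the first and third logs report for the entries that were never on this machine. 0xc000003a is STATUS_OBJECT_PATH_NOT_FOUND: a parent of the target could not be resolved, and in the second log every failing line begins with "C::\", so the drive specification itself was invalid and nothing was actually attempted. The sample log is a constructed excerpt combining lines from those logs; the status table covers only the two codes seen here.

```python
import re

# NTSTATUS values seen in the Avenger logs in this thread. Assumption: only
# these two are decoded; anything else is reported as an unrecognised code.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND: last path component does not exist",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND: a parent path (or the drive spec) is invalid",
}

OK_RE = re.compile(r"^(File|Folder|Registry key|Registry value) (.+) deleted successfully\.$")
FAIL_RE = re.compile(r"^Deletion of (file|folder|registry key|registry value) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]+)$")


def parse_avenger_log(text):
    """Return {"deleted": [(kind, target)], "failed": [(kind, target, status)]}.

    A failure is announced on a "Deletion of ... failed!" line and its NTSTATUS
    arrives on a later "Status:" line, so the failure is held until that line.
    """
    deleted, failed, pending = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = OK_RE.match(line)
        if m:
            deleted.append((m.group(1).lower(), m.group(2)))
            continue
        m = FAIL_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            failed.append(pending + (int(m.group(1), 16),))
            pending = None
    return {"deleted": deleted, "failed": failed}


def status_counts(parsed):
    """How many failures carried each NTSTATUS value."""
    counts = {}
    for _kind, _target, status in parsed["failed"]:
        counts[status] = counts.get(status, 0) + 1
    return counts


def summarize(parsed):
    """A header line, then one line per failure with the decoded status."""
    lines = ["%d deleted, %d failed" % (len(parsed["deleted"]), len(parsed["failed"]))]
    for kind, target, status in parsed["failed"]:
        meaning = NTSTATUS.get(status, "unrecognised NTSTATUS")
        lines.append("%s %s -> 0x%08X %s" % (kind, target, status, meaning))
    return lines


# Constructed excerpt: lines taken from the second and third logs above.
SAMPLE_LOG = r"""Logfile of The Avenger version 1, by Swandog46
Beginning to process script file:
Could not open file C::\WINDOWS\system32\wintems.exe for deletion
Deletion of file C::\WINDOWS\system32\wintems.exe failed!
Could not process line:
C::\WINDOWS\system32\wintems.exe
Status: 0xc000003a
Registry key HKLM\SYSTEM\CurrentControlSet\Services\rosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\rosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\rosa
Status: 0xc0000034
Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034
File C:\WINDOWS\system\smss.exe deleted successfully.
Folder C:\Programmi\File comuni\BOONTY Shared deleted successfully.
Completed script processing.
"""

if __name__ == "__main__":
    for line in summarize(parse_avenger_log(SAMPLE_LOG)):
        print(line)
```

The distinction matters when reading a log like the ones above: a run full of 0xc0000034 means the script targeted a different variant's file names, while a run full of 0xc000003a means the script itself was malformed and should be corrected and re-run.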
ste_95 (Mature god)
Registered: 03/08/07 14:41 Posts: 1920 Location: Italy
Posted: 03 Nov 2007 13:42 Subject:
download elibagle, run the scan and then post the log...
bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 03 Nov 2007 15:09 Subject:
Download the EliBaglA program.
You'll find it at the bottom of the page, click on Descarga ElibaglA.
Run the program.
Tick "eliminar ficheros automaticamente".
You will have to reboot the PC when the scan finishes.
After the reboot, you should find the log C:\InfoSat.txt
Post it here together with an updated HijackThis log.
Blax (Hero in the grace of the gods)
Registered: 02/03/07 19:34 Posts: 97
Posted: 03 Nov 2007 16:04 Subject:
I downloaded Elibagla and started the scan, but after a few minutes a message appears saying "Acceso negado a la carpeta C:\Windows\System32\? ¼ (16)", after which the scan stops. I tried a second time and the same thing happens. Here are the logs of the two scans (one at 13:59 and one at 14:51).
Sat Nov 03 13:59:20 2007
EliBagle v10.66 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Renombrado a .VIR
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
C:\WINDOWS\SYSTEM32\EDLM.EXE --> Eliminado Bagle
C:\WINDOWS\SYSTEM32\EDLM2.EXE --> Eliminado Bagle
Eliminada Carpeta "%WinDir%\exefld"
Restaurada Clave: "SafeBoot\Minimal y Network"
Sat Nov 03 13:59:49 2007
EliBagle v10.66 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
Sat Nov 03 14:00:39 2007
EliBagle v10.66 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
Nº Total de Directorios: 5426
Nº Total de Ficheros: 67413
Nº de Ficheros Analizados: 10402
Nº de Ficheros Infectados: 1
Nº de Ficheros Limpiados: 0
Sat Nov 03 14:51:18 2007
EliBagle v10.66 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
Sat Nov 03 14:51:40 2007
EliBagle v10.66 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
Nº Total de Directorios: 5419
Nº Total de Ficheros: 60837
Nº de Ficheros Analizados: 10402
Nº de Ficheros Infectados: 1
Nº de Ficheros Limpiados: 0
bdoriano (Administrator)
Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 03 Nov 2007 19:19 Subject:
Start AVENGER
Click on input script manually
Click on the magnifying glass
Enter these lines:
Quote: | files to delete:
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\WINTEMS.EXE.VIR
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\dr.exe
C:\WINDOWS\system32\wunauclt.exe
C:\WINDOWS\user32.exe
Registry keys to delete:
HKLM\system\currentcontrolset\services\Boonty Games
registry values to delete:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\WINDOWS\system32\jdniqhmj.exe |
Click on Done
Click on the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When the operation is finished, post the result here.
Blax (Hero in the grace of the gods)
Registered: 02/03/07 19:34 Posts: 97
Posted: 03 Nov 2007 19:27 Subject:
Avenger log coming up.
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\magqhcty
*******************
Script file located at: \??\C:\WINDOWS\rlnmcpai.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!
Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000034
File C:\WINDOWS\system32\WINTEMS.EXE.VIR deleted successfully.
File C:\WINDOWS\Tasks\At3.job deleted successfully.
File C:\WINDOWS\Tasks\At11.job deleted successfully.
File C:\WINDOWS\Tasks\At1.job deleted successfully.
File C:\WINDOWS\Tasks\At12.job deleted successfully.
File C:\WINDOWS\Tasks\At7.job deleted successfully.
File C:\WINDOWS\Tasks\At2.job deleted successfully.
File C:\WINDOWS\Tasks\At6.job deleted successfully.
File C:\WINDOWS\Tasks\At8.job deleted successfully.
File C:\WINDOWS\Tasks\At9.job deleted successfully.
File C:\WINDOWS\Tasks\At10.job deleted successfully.
File C:\WINDOWS\Tasks\At4.job deleted successfully.
File C:\WINDOWS\Tasks\At5.job deleted successfully.
File C:\WINDOWS\dr.exe not found!
Deletion of file C:\WINDOWS\dr.exe failed!
Could not process line:
C:\WINDOWS\dr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\wunauclt.exe not found!
Deletion of file C:\WINDOWS\system32\wunauclt.exe failed!
Could not process line:
C:\WINDOWS\system32\wunauclt.exe
Status: 0xc0000034
File C:\WINDOWS\user32.exe not found!
Deletion of file C:\WINDOWS\user32.exe failed!
Could not process line:
C:\WINDOWS\user32.exe
Status: 0xc0000034
Registry key HKLM\system\currentcontrolset\services\Boonty Games deleted successfully.
Registry value HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|C:\WINDOWS\system32\jdniqhmj.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
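As an added example that is not part of the original thread: a small Python parser for an Avenger run log like the one posted above. It pairs each "Deletion of ... failed!" line with the "Status:" code that follows it and names the NTSTATUS value, so a helper reading the log can see at a glance that 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) means the path was simply not there any more, rather than a locked or protected file. The log excerpt is constructed here in the same format as the posted log; the NTSTATUS names are the standard Windows ones.

```python
"""Summarise an Avenger run log: what was deleted, what failed, and why."""
import re
from collections import Counter

# Standard Windows NTSTATUS values; only the ones a deletion script commonly
# reports are listed here.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
}

# Constructed sample: an excerpt in the same format as the log posted above.
SAMPLE_LOG = """\
File C:\\WINDOWS\\system32\\wintems.exe not found!
Deletion of file C:\\WINDOWS\\system32\\wintems.exe failed!
Could not process line:
C:\\WINDOWS\\system32\\wintems.exe
Status: 0xc0000034
File C:\\WINDOWS\\system32\\WINTEMS.EXE.VIR deleted successfully.
File C:\\WINDOWS\\Tasks\\At3.job deleted successfully.
Registry key HKLM\\system\\currentcontrolset\\services\\Boonty Games deleted successfully.
Registry value HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List|C:\\WINDOWS\\system32\\jdniqhmj.exe deleted successfully.
Completed script processing.
"""

SUCCESS_RE = re.compile(r"^(File|Registry key|Registry value) (.+) deleted successfully\.$")
FAIL_RE = re.compile(r"^Deletion of (file|registry key|registry value) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: 0x([0-9a-fA-F]{8})$")


def parse_avenger_log(text):
    """Return a list of (kind, target, outcome) tuples.

    outcome is "deleted" on success; for a failure it is the symbolic
    NTSTATUS name, or the raw hex code if the value is not in the table.
    """
    results = []
    pending = None  # last failed (kind, target) waiting for its Status: line
    for raw in text.splitlines():
        line = raw.strip()
        m = SUCCESS_RE.match(line)
        if m:
            results.append((m.group(1).lower(), m.group(2), "deleted"))
            continue
        m = FAIL_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            code = int(m.group(1), 16)
            name = NTSTATUS_NAMES.get(code, "0x%08X" % code)
            results.append((pending[0], pending[1], name))
            pending = None
    return results


def summarize(results):
    """Count outcomes so the reader sees what actually changed on disk."""
    return Counter(outcome for _, _, outcome in results)


if __name__ == "__main__":
    parsed = parse_avenger_log(SAMPLE_LOG)
    for kind, target, outcome in parsed:
        print("%-14s %-12s %s" % (kind, outcome, target))
    print(dict(summarize(parsed)))
```

Feeding the full log above through `parse_avenger_log` gives four "not found" failures (wintems.exe, dr.exe, wunauclt.exe, user32.exe) and the rest deleted, which is the quickest way to check a script did what the helper intended before asking for the next scan.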
bdoriano (Administrator)
Posted: 03 Nov 2007 19:33
There's something that doesn't add up... wintems.exe is in the log, but it won't get deleted.
While I go back over the systemscan log, do this other step:
Download Combofix from here or from here.
Save it to the desktop.
1. Double-click combofix.exe; the following screen will appear:
2. Type 1, press Enter and follow the instructions.
3. When it finishes, a log file named C:\ComboFix.txt will be created.
4. Post that log together with an updated hijackthis log.
Note: during the scan it is important not to use the PC and to wait patiently for the operations to finish.
Note: ComboFix does not work in safe mode.
Blax (Hero in the gods' favour)
Posted: 03 Nov 2007 19:39
Let me jump in right away on the wintems.exe question so you don't rack your brains over nothing. That's a file I saw during the Elibagla scan: once it was detected, Elibagla told me it had been renamed with the .vir extension, I suppose to make it inactive, so maybe that's why Avenger doesn't recognise it, since the extension is no longer .exe but .vir (just a guess).
Now I'll go ahead with the Combofix scan. Talk soon. Thanks for your help
bdoriano (Administrator)
Posted: 03 Nov 2007 19:48
One doubt: after using EliBaglA, had you rebooted the PC?
Blax (Hero in the gods' favour)
Posted: 03 Nov 2007 19:58
No; in fact, after I rebooted following the Avenger run (with your script) an Elibagla message had appeared (probably from the earlier pending operation) saying "eliminado Burgeno" or something similar, after which Elibagla opened. But that same message had also popped up at the very beginning, when I still had to start the Elibagla scan.
Anyway, here are the Combofix and Hijackthis logs.
COMBOFIX LOG
ComboFix 07-11-01.1** - Casa 2007-11-03 18.44.58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.275 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Rocco.HOME\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Creati Da 2007-10-03 al 2007-11-03 )))))))))))))))))))))))))))))))))))
.
2007-11-03 18:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 11:06 114,688 --a------ C:\WINDOWS\system32\netlogun.exe
2007-10-27 20:12 <DIR> d-------- C:\Programmi\Borland
2007-10-24 18:10 <DIR> d-------- C:\Documents and Settings\Rocco.HOME\Dati applicazioni\Creative
2007-10-24 17:27 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-10-24 17:24 178,913 -ra------ C:\WINDOWS\system32\drivers\V0330Vid.sys
2007-10-24 17:24 126,976 -ra------ C:\WINDOWS\system32\V0330Vfw.dll
2007-10-24 17:24 90,112 -ra------ C:\WINDOWS\CtDrvIns.exe
2007-10-24 17:24 36,864 -ra------ C:\WINDOWS\system32\V0330Pin.dll
2007-10-24 17:24 36,864 -ra------ C:\WINDOWS\system32\CtCamMgr.dll
2007-10-24 17:24 32,768 -ra------ C:\WINDOWS\system32\V0330Hwx.dll
2007-10-24 17:24 24,875 -ra------ C:\WINDOWS\system32\drivers\V0330Cmd.sys
2007-10-24 17:24 20,480 -ra------ C:\WINDOWS\V0330Cfg.exe
2007-10-24 17:24 20,480 -ra------ C:\WINDOWS\system32\V0330Srv.exe
2007-10-24 17:21 327,168 --a------ C:\WINDOWS\IsUn0410.exe
2007-10-24 17:19 <DIR> d-------- C:\Programmi\Creative
2007-10-24 13:41 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2007-10-24 13:39 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-22 13:27 <DIR> d-------- C:\WINDOWS\system32\?¼
2007-10-21 19:57 165,888 --a------ C:\WINDOWS\Ckconfig.exe
2007-10-21 19:57 52,224 --a------ C:\WINDOWS\system32\Crypserv.exe
2007-10-21 19:57 27,648 -ra------ C:\WINDOWS\Setup_ck.exe
2007-10-21 19:57 24,608 --a------ C:\WINDOWS\system32\Ckldrv.sys
2007-10-21 19:57 18,432 --a------ C:\WINDOWS\Setup_ck.dll
2007-10-21 19:57 11,776 --a------ C:\WINDOWS\Ckrfresh.exe
2007-10-21 19:56 <DIR> d-------- C:\Advantage
2007-10-21 19:41 299,520 --a------ C:\WINDOWS\uninst.exe
2007-10-21 09:24 162,816 --a------ C:\WINDOWS\system32\drivers\RT25USBAP.SYS
2007-10-13 01:34 524 --a------ C:\WINDOWS\bpfdat.dat
2007-10-10 17:28 585,216 --a------ C:\WINDOWS\WLXPGSS.SCR
2007-10-10 06:25 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-07 13:54 <DIR> d-------- C:\Program FilesRBuilder
2007-10-06 21:26 <DIR> d-------- C:\Documents and Settings\Rocco.HOME\Dati applicazioni\Windows Live Writer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 10:49 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\avg7
2007-11-03 10:37 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-11-02 11:19 --------- d-----w C:\Documents and Settings\Rocco.HOME\Dati applicazioni\Skype
2007-10-30 15:18 --------- d-----w C:\Programmi\Windows Live Safety Center
2007-10-29 10:30 --------- d-----w C:\Programmi\BitTorrent Fastest Tool
2007-10-06 07:51 --------- d-----w C:\Programmi\Microsoft Works
2007-09-30 14:57 --------- d-----w C:\Documents and Settings\Rocco.HOME\Dati applicazioni\7Wonders
2007-09-29 17:44 4,096 ----a-w C:\WINDOWS\system32\drivers\nocashio.sys
2007-09-29 06:46 --------- d-----w C:\Documents and Settings\Rocco.HOME\Dati applicazioni\Windows Desktop Search
2007-09-24 17:53 --------- d-----w C:\Programmi\Windows Live
2007-09-24 17:48 --------- d-----w C:\Programmi\Windows Desktop Search
2007-09-24 17:45 --------- d-----w C:\Programmi\Microsoft SQL Server Compact Edition
2007-09-24 17:32 --------- d-----w C:\Programmi\MSN Messenger
2007-09-24 17:15 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
2007-09-21 19:15 --------- d--h--w C:\Programmi\FX Uninstall Information
2007-09-20 15:23 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Trymedia
2007-09-20 07:06 --------- d-----w C:\Programmi\iPod
2007-09-16 06:34 --------- d-----w C:\Programmi\MagicISO
2007-09-15 09:31 --------- d-----w C:\Programmi\Apple Software Update
2007-09-08 09:40 --------- d-----w C:\Programmi\File comuni\Apple
2007-09-08 09:40 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Apple
2007-09-08 09:35 --------- d-----w C:\Programmi\QuickTime
2007-09-08 08:05 --------- d-----w C:\Programmi\File comuni\Adobe
2007-09-08 08:03 --------- d-----w C:\Programmi\File comuni\Adobe Systems Shared
2007-09-07 16:22 --------- d-----w C:\Documents and Settings\Rocco.HOME\Dati applicazioni\AVG7
2007-09-07 13:43 --------- d-----w C:\Programmi\Zylom Games
2007-09-05 09:30 --------- d-----w C:\Documents and Settings\LocalService\Dati applicazioni\AVG7
2007-09-05 08:05 --------- d-----w C:\Documents and Settings\Rocco.HOME\Dati applicazioni\Zylom
2007-09-05 07:55 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Zylom
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-31 10:22]
"nwiz"="nwiz.exe" [2003-07-31 10:22 C:\WINDOWS\system32\nwiz.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 02:34]
"Adobe Reader Speed Launcher"="D:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-06-03 06:16]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="E:\Programmi\iTunes\iTunesHelper.exe" [2007-09-14 09:00]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 23:39]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Windows Desktop Search.lnk - C:\Programmi\Windows Desktop Search\WindowsSearch.exe [2007-02-05 14:40:46]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programmi\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
R2 athsgt;athsgt;C:\WINDOWS\system32\DRIVERS\athsgt.sys
R2 limsgt;limsgt;C:\WINDOWS\system32\DRIVERS\limsgt.sys
R2 viritsvclite;Virit eXplorer Lite;E:\PROGRAMMI\VEXPLITE\viritsvc.exe
S3 nocashio;nocashio;C:\WINDOWS\system32\drivers\nocashio.sys
S3 V0330VID;WebCam Vista;C:\WINDOWS\system32\DRIVERS\V0330Vid.sys
.
Contenuto della cartella 'Scheduled Tasks'
"2007-11-01 07:45:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 18:49:59
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2007-11-03 18:51:34 - machine was rebooted
.
--- E O F ---
HIJACKTHIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 19.02.08, on 03/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
E:\PROGRAMMI\VEXPLITE\viritsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
E:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
C:\Programmi\Windows Desktop Search\WindowsSearch.exe
C:\Programmi\iPod\bin\iPodService.exe
D:\Programmi\Mozilla Firefox\firefox.exe
E:\Programmi\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Programmi\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - e:\Programmi\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - e:\Programmi\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game10.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Advantage Database Server (Advantage) - Unknown owner - C:\Advantage\ADS.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - E:\PROGRAMMI\VEXPLITE\viritsvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Programmi\Windows Live\installer\WLSetupSvc.exe
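As an added example that is not part of the original thread: a Python parser for the O4 (autorun) and O23 (service) lines of a HijackThis log like the one posted above, which is the first thing a helper looks at when triaging such a log. It pulls the executable out of each autorun command (honouring quoted paths) and flags services whose owner HijackThis could not identify or whose binary is no longer on disk, such as the "Advantage Database Server" entry above. The sample lines are constructed here in the same format as the posted log.

```python
"""Extract autoruns and services from a HijackThis log and flag odd services."""
import re

# Constructed sample: a few O4/O23 entries in the HijackThis format shown above.
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Programmi\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\\Programmi\\Lavasoft\\Ad-Aware 2007\\aawservice.exe
O23 - Service: Advantage Database Server (Advantage) - Unknown owner - C:\\Advantage\\ADS.EXE (file missing)
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\\Programmi\\Windows Live\\installer\\WLSetupSvc.exe
"""

# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# O23 - Service: display name (short name) - owner - path [ (file missing)]
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+?)( \(file missing\))?$")


def parse_hijackthis(text):
    """Return (autoruns, services) parsed from the O4 and O23 lines."""
    autoruns, services = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            autoruns.append({"hive": m.group(1), "name": m.group(2), "command": m.group(3)})
            continue
        m = O23_RE.match(line)
        if m:
            services.append({
                "service": m.group(1),
                "owner": m.group(2),
                "path": m.group(3),
                "file_missing": m.group(4) is not None,
            })
    return autoruns, services


def executable_of(command):
    """Return the program part of an O4 command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def service_findings(services):
    """Flag services worth a second look: unknown owner or binary missing on disk."""
    findings = []
    for s in services:
        reasons = []
        if s["file_missing"]:
            reasons.append("file missing")
        if s["owner"] == "Unknown owner":
            reasons.append("unknown owner")
        if reasons:
            findings.append((s["service"], reasons))
    return findings


if __name__ == "__main__":
    autoruns, services = parse_hijackthis(SAMPLE_HJT)
    for a in autoruns:
        print("autorun %s [%s] -> %s" % (a["hive"], a["name"], executable_of(a["command"])))
    for name, reasons in service_findings(services):
        print("check service %s: %s" % (name, ", ".join(reasons)))
```

A flagged service is not proof of infection (a leftover entry from an uninstalled product also shows up as "file missing"); the point is to shortlist what to look up before deciding anything, which is how the helper in this thread is working through the log.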
bdoriano (Administrator)
Posted: 03 Nov 2007 20:15
Ah! There it is!
Connect to the Kaspersky on-line scanner and run the extended scan, as described here.
Save the scan result to a file (in HTML format), upload the file to Freefilehosting and post here the link you are given.
Just to see if there are any leftovers.
Blax (Hero in the gods' favour)
Posted: 03 Nov 2007 20:38
So can I now try the Elibagla scan again (it kept getting interrupted before)? Or do I have to run the Kaspersky scan first (I had already done it earlier, though with the standard scan)? For the record, safe mode works now, but AVG doesn't.
bdoriano (Administrator)
Posted: 03 Nov 2007 20:56
Re-run EliBaglA and reboot the PC when the scan finishes.
Run Kaspersky's extended scan.
Try installing AVG again.
Blax (Hero in the gods' favour)
Posted: 13 Nov 2007 18:12
Sorry for the delay, but it took a while to run the scan.
Here is the link with the results. kaspersky_test_c-d-e.zip
Anyway, Elibagla still doesn't work and still gives the error above ("Acceso denegado a la carpeta C:\WINDOWS\System32\? ¼ (16)"), also because I haven't deleted anything with Kaspersky yet, so everything is as before. What if I tried a tool other than Elibagla (for example Symantec's FxBeagle)?