Aiutamici Forum

PC freezes when launching hijack
alfa19811983
Posted: Tuesday, March 11, 2008 7:44:04 PM

Rank: AiutAmico

Member since: 1/23/2006
Posts: 219
Sorry for my ignorance.... but what do you mean by ADS?? Running that check found about ten entries, but they all lead back to personal files on my PC.
r16
Posted: Wednesday, March 12, 2008 1:53:38 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Thanks for the trust.
Read up carefully on what they are used for, and what they could be used for (above all by trojans).
Pay attention to the instructions I gave you. When you have finished (assuming you do it), put the checkmarks back where they were before.
And don't worry about your personal files, they won't be deleted.

http://sicurezza.html.it/articoli/leggi/1046/alternate-data-streams-i-file-invisibili-di-window/
alfa19811983
Posted: Wednesday, March 12, 2008 6:59:46 PM

Rank: AiutAmico

Member since: 1/23/2006
Posts: 219
r16 wrote:
Thanks for the trust.

I don't understand!!
As for the ADS, I had a quick look; tonight I'll go ahead and delete them. Thanks again for your help!
alfa19811983
Posted: Wednesday, March 12, 2008 7:58:01 PM

Rank: AiutAmico

Member since: 1/23/2006
Posts: 219
The never-ending story....
In msconfig, safeboot is missing (to restart in safe mode)
r16
Posted: Wednesday, March 12, 2008 9:10:16 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Download this file: SafeBoot https://www.didierstevens.com/files/data/SafeBoot.zip
Unpack it, run the .reg file inside and accept the prompt to merge it into the system registry.
Restart the PC.

Then run a scan with elibagla in safe mode.
alfa19811983
Posted: Friday, March 14, 2008 2:11:47 PM

Rank: AiutAmico

Member since: 1/23/2006
Posts: 219
I tried.... nothing doing. I think it's time to format :-( Little by little other problems come up; for example, when I try a scan with Spybot, it tells me "disk not present". I'll try reinstalling it, but I'm afraid that as time goes by other problems may appear.
r16
Posted: Friday, March 14, 2008 5:55:43 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Hold off on formatting.
Try this:
Disable System Restore http://guide.aiutamici.com/guide?C1=7&C2=68&ID=80121

Download this file again: SafeBoot https://www.didierstevens.com/files/data/SafeBoot.zip
Unpack it, run the .reg file inside and accept the prompt to merge it into the system registry.

Run another scan with Elibagla
Make sure the "Eliminar Ficheros Automaticamente" box is checked; after the scan restart the PC, and post the log found at: C:\InfoSat.txt
Use Elibagla in safe mode, if it works.
Download Avenger (NOT ONTO THE DESKTOP): http://swandog46.geekstogo.com/avenger2/download.php Unpack it, run it, copy and paste the following script (the one in red) and click Execute, then click OK

Files to delete:
%UserProfile%\DATI APPLICAZIONI\M\LIST.OCT
%SystemDrive%\WINDOWS\SYSTEM32\BAN_LIST.TXT
%SystemDrive%\WINDOWS\system32\drivers\hidr.exe
%SystemDrive%\WINDOWS\system32\drivers\srosa.sys
%SystemDrive%\WINDOWS\system32\wintems.exe
%SystemDrive%\WINDOWS\system32\hldrrr.exe
%SystemDrive%\WINDOWS\system32\trusted.exe
%SystemDrive%\WINDOWS\system32\drivers\pci32.sys
%UserProfile%\Dati applicazioni\hidires\hidr.exe
%UserProfile%\Dati applicazioni\hidires\rosa.sys
%UserProfile%\Dati applicazioni\m\data.oct
%UserProfile%\Dati applicazioni\m\flec006.exe
%UserProfile%\Dati applicazioni\hidires\m_hook.sys
%SystemDrive%\WINDOWS\system32\drivers\hldrrr.exe
%SystemDrive%\WINDOWS\system32\drivers\hldrrr.ex_
%SystemDrive%\WINDOWS\system32\mdelk.exe
%SystemDrive%\WINDOWS\system32\drivers\pci32.sys
%SystemDrive%\WINDOWS\SYSTEM32\EDLM.EXE
%SystemDrive%\WINDOWS\SYSTEM32\EDLM2.EXE
%SystemDrive%\Windows\system32\LDR64.DLL
%SystemDrive%\WINDOWS\system32\german.exe
C:\WINDOWS\system32\drivers\srosa.sys.XXX
C:\WINDOWS\system32\mdelk.exe.XXX
C:\WINDOWS\system32\wintems.exe.XXX

folders to delete:
%SystemDrive%\WINDOWS\exefnd
%SystemDrive%\WINDOWS\exefld
%UserProfile%\Dati applicazioni\hidires
%SystemDrive%\WINDOWS\System32\drivers\down\

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
HKLM\SYSTEM\CurrentControlSet\Services\rosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | drvsyskit
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | german.exe

The log will be saved in the folder C:\avenger and the log file is avenger.txt; post it HERE
Run a cleanup with CCleaner.
If Avenger doesn't work, I'll have to change your script (I need the USER NAME of the folder C:\Documents and Settings\username)

and then we'll try again.

You give up too quickly.
alfa19811983
Posted: Saturday, March 15, 2008 1:29:23 PM

Rank: AiutAmico

Member since: 1/23/2006
Posts: 219
On the restart after the Avenger scan it gave me the same error Spybot gives me, namely "disk not present".
I re-added the registry key (remember that I have XP Home), but safeboot is still missing.
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at H:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "H:\Documents and Settings\Utente\DATI APPLICAZIONI\M\LIST.OCT"
Deletion of file "H:\Documents and Settings\Utente\DATI APPLICAZIONI\M\LIST.OCT" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "H:\WINDOWS\SYSTEM32\BAN_LIST.TXT" not found!
Deletion of file "H:\WINDOWS\SYSTEM32\BAN_LIST.TXT" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\WINDOWS\system32\drivers\hidr.exe" not found!
Deletion of file "H:\WINDOWS\system32\drivers\hidr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\WINDOWS\system32\drivers\srosa.sys" not found!
Deletion of file "H:\WINDOWS\system32\drivers\srosa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\WINDOWS\system32\wintems.exe" not found!
Deletion of file "H:\WINDOWS\system32\wintems.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\WINDOWS\system32\hldrrr.exe" not found!
Deletion of file "H:\WINDOWS\system32\hldrrr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\WINDOWS\system32\trusted.exe" not found!
Deletion of file "H:\WINDOWS\system32\trusted.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\WINDOWS\system32\drivers\pci32.sys" not found!
Deletion of file "H:\WINDOWS\system32\drivers\pci32.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "H:\Documents and Settings\Utente\Dati applicazioni\hidires\hidr.exe"
Deletion of file "H:\Documents and Settings\Utente\Dati applicazioni\hidires\hidr.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "H:\Documents and Settings\Utente\Dati applicazioni\hidires\rosa.sys"
Deletion of file "H:\Documents and Settings\Utente\Dati applicazioni\hidires\rosa.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "H:\Documents and Settings\Utente\Dati applicazioni\m\data.oct"
Deletion of file "H:\Documents and Settings\Utente\Dati applicazioni\m\data.oct" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "H:\Documents and Settings\Utente\Dati applicazioni\m\flec006.exe"
Deletion of file "H:\Documents and Settings\Utente\Dati applicazioni\m\flec006.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "H:\Documents and Settings\Utente\Dati applicazioni\hidires\m_hook.sys"
Deletion of file "H:\Documents and Settings\Utente\Dati applicazioni\hidires\m_hook.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "H:\WINDOWS\system32\drivers\hldrrr.exe" not found!
Deletion of file "H:\WINDOWS\system32\drivers\hldrrr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\WINDOWS\system32\drivers\hldrrr.ex_" not found!
Deletion of file "H:\WINDOWS\system32\drivers\hldrrr.ex_" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\WINDOWS\system32\mdelk.exe" not found!
Deletion of file "H:\WINDOWS\system32\mdelk.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\WINDOWS\system32\drivers\pci32.sys" not found!
Deletion of file "H:\WINDOWS\system32\drivers\pci32.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\WINDOWS\SYSTEM32\EDLM.EXE" not found!
Deletion of file "H:\WINDOWS\SYSTEM32\EDLM.EXE" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\WINDOWS\SYSTEM32\EDLM2.EXE" not found!
Deletion of file "H:\WINDOWS\SYSTEM32\EDLM2.EXE" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\Windows\system32\LDR64.DLL" not found!
Deletion of file "H:\Windows\system32\LDR64.DLL" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "H:\WINDOWS\system32\german.exe" not found!
Deletion of file "H:\WINDOWS\system32\german.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "C:\WINDOWS\system32\drivers\srosa.sys.XXX"
Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys.XXX" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\WINDOWS\system32\mdelk.exe.XXX"
Deletion of file "C:\WINDOWS\system32\mdelk.exe.XXX" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "C:\WINDOWS\system32\wintems.exe.XXX"
Deletion of file "C:\WINDOWS\system32\wintems.exe.XXX" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: folder "H:\WINDOWS\exefnd" not found!
Deletion of folder "H:\WINDOWS\exefnd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "H:\WINDOWS\exefld" not found!
Deletion of folder "H:\WINDOWS\exefld" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "H:\Documents and Settings\Utente\Dati applicazioni\hidires" not found!
Deletion of folder "H:\Documents and Settings\Utente\Dati applicazioni\hidires" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "H:\WINDOWS\System32\drivers\down" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\pci32" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\pci32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\rosa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\rosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\m_hook" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\m_hook" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA" deleted successfully.

Error: registry key "HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|drvsyskit"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|drvsyskit" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|german.exe"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|german.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
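As an added example (not from the thread, and not part of the Avenger tool), a small parser that summarises an Avenger log of the shape posted above: which deletions succeeded, which failed and with what NTSTATUS name, and which filesystem targets point at a drive other than the one Avenger reports its backups directory on. The sample log is constructed here, modelled on the format of the log above.

```python
"""Summarise an Avenger 2.0 log: outcomes per target, failure reasons, drive mismatches."""
import re
from collections import Counter

# Constructed sample log, modelled on the line shapes of an Avenger log (not a real capture).
SAMPLE_LOG = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP

Backups directory opened successfully at H:\Avenger

Error: could not open file "H:\Documents and Settings\Utente\DATI APPLICAZIONI\M\LIST.OCT"
Deletion of file "H:\Documents and Settings\Utente\DATI APPLICAZIONI\M\LIST.OCT" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Error: file "H:\WINDOWS\system32\drivers\srosa.sys" not found!
Deletion of file "H:\WINDOWS\system32\drivers\srosa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not open file "C:\WINDOWS\system32\drivers\srosa.sys.XXX"
Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys.XXX" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Folder "H:\WINDOWS\System32\drivers\down" deleted successfully.

Registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" deleted successfully.

Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.
"""

SUCCESS_RE = re.compile(r'^(File|Folder|Registry key|Registry value) "(.+)" deleted successfully\.$')
FAILED_RE = re.compile(r'^Deletion of (file|folder|registry key|registry value) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]+) \((\w+)\)$')
BACKUP_RE = re.compile(r'^Backups directory opened successfully at ([A-Za-z]):')


def parse_avenger_log(text):
    """Return (backup_drive, entries); each entry has kind, target, ok and status (NTSTATUS name)."""
    backup_drive = None
    entries = []
    pending = None  # most recent failed entry still waiting for its "Status:" line
    for raw in text.splitlines():
        line = raw.strip()
        m = BACKUP_RE.match(line)
        if m:
            backup_drive = m.group(1).upper()
            continue
        m = SUCCESS_RE.match(line)
        if m:
            entries.append({"kind": m.group(1).lower(), "target": m.group(2), "ok": True, "status": None})
            continue
        m = FAILED_RE.match(line)
        if m:
            pending = {"kind": m.group(1), "target": m.group(2), "ok": False, "status": None}
            entries.append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending["status"] = m.group(2)  # e.g. STATUS_OBJECT_PATH_NOT_FOUND
            pending = None
    return backup_drive, entries


def drive_of(target):
    """Drive letter of a path like 'H:\\WINDOWS\\x'; None for registry targets."""
    m = re.match(r'^([A-Za-z]):\\', target)
    return m.group(1).upper() if m else None


def summarize(text):
    """Counts of outcomes, failures grouped by NTSTATUS, and targets on a drive other than the backup drive."""
    backup_drive, entries = parse_avenger_log(text)
    failures = Counter(e["status"] for e in entries if not e["ok"])
    wrong_drive = [e["target"] for e in entries
                   if drive_of(e["target"]) not in (None, backup_drive)]
    return {
        "system_drive": backup_drive,
        "total": len(entries),
        "succeeded": sum(1 for e in entries if e["ok"]),
        "failures_by_status": dict(failures),
        "wrong_drive_targets": wrong_drive,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the log posted above, the drive check singles out the three hard-coded C:\ entries, since the backups directory line shows this installation lives on H:.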
r16
Posted: Saturday, March 15, 2008 1:51:16 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Can you give me the full path of the user folder (e.g. C:\Documents and Settings\username)?
I only need what is written in place of "username", whether it's your name or something else.
I'll put together another script for you; if it doesn't work I'll leave you in peace.
Also tell me the drive letter where you installed the OS (C, D, E, F, etc.)
alfa19811983
Posted: Saturday, March 15, 2008 1:53:53 PM

Rank: AiutAmico

Member since: 1/23/2006
Posts: 219
It shows up as UTENTE, even though at Windows startup I have to choose between "gli altri" and "alex"
r16
Posted: Saturday, March 15, 2008 2:06:43 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Copy and paste into Avenger.
I hope it's Alex, and I hope the OS is on C.

Files to delete:
C:\Documents and Settings\alex\DATI APPLICAZIONI\M\LIST.OCT
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\Documents and Settings\alex\Dati applicazioni\hidires\hidr.exe
C:\Documents and Settings\alex\Dati applicazioni\hidires\rosa.sys
C:\Documents and Settings\alex\Dati applicazioni\m\data.oct
C:\Documents and Settings\alex\Dati applicazioni\m\flec006.exe
C:\Documents and Settings\alex\Dati applicazioni\hidires\m_hook.sys
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\hldrrr.ex_
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\WINDOWS\SYSTEM32\EDLM.EXE
C:\WINDOWS\SYSTEM32\EDLM2.EXE
C:\Windows\system32\LDR64.DLL
C:\WINDOWS\system32\german.exe
C:\WINDOWS\system32\drivers\srosa.sys.XXX
C:\WINDOWS\system32\mdelk.exe.XXX
C:\WINDOWS\system32\wintems.exe.XXX

folders to delete:
C:\WINDOWS\exefnd
C:\WINDOWS\exefld
C:\Documents and Settings\alex\Dati applicazioni\hidires
C:\WINDOWS\System32\drivers\down\

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
HKLM\SYSTEM\CurrentControlSet\Services\rosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | drvsyskit
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | german.exe
alfa19811983
Posted: Saturday, March 15, 2008 2:27:57 PM

Rank: AiutAmico

Member since: 1/23/2006
Posts: 219
r16
Posted: Saturday, March 15, 2008 2:50:38 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Try running a scan with Elibagla, because in the meantime the tool has been updated (version 11.15).
Do it in M.O.
Then download ComboFix http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe,
Type 1, press Enter and follow the instructions.
When it finishes, a log file called C:\ComboFix.txt will be created.
Post it here.

During the scan it is important not to use the PC and to wait patiently for the operations to finish
alfa19811983
Posted: Saturday, March 15, 2008 3:18:24 PM

Rank: AiutAmico

Member since: 1/23/2006
Posts: 219
I'm running the scan with elibagla and it found two more files: one matches the one I think everything started from, and the other is googletoolbarnotifier.exe
Once this scan is finished I'll launch combofix and let you know.
alfa19811983
Posted: Saturday, March 15, 2008 3:23:23 PM

Rank: AiutAmico

Member since: 1/23/2006
Posts: 219
ComboFix 08-03-14.4 - Utente 2008-03-15 15.21.25.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.1754 [GMT 1:00]
Eseguito da: H:\Documents and Settings\Utente\Desktop\varie\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-02-15 al 2008-03-15 )))))))))))))))))))))))))))))))))))
.

2008-03-11 19:51 . 2008-03-11 19:51 <DIR> d-------- H:\Programmi\CCleaner
2008-03-11 19:48 . 2008-03-14 15:11 <DIR> d-------- H:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-03-11 19:38 . 2008-03-11 19:38 <DIR> d-------- H:\Programmi\Trend Micro
2008-03-11 00:37 . 2008-03-11 00:37 250 --a------ H:\WINDOWS\gmer.ini
2008-03-10 23:04 . 2008-03-12 19:35 <DIR> d-------- H:\VEXPLITE
2008-03-10 23:04 . 2008-02-14 21:04 39,808 --a------ H:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2008-03-10 22:42 . 2007-11-16 22:15 <DIR> d--h----- H:\Documents and Settings\Administrator\Risorse di stampa
2008-03-10 22:42 . 2007-11-16 22:15 <DIR> d--h----- H:\Documents and Settings\Administrator\Risorse di rete
2008-03-10 22:42 . 2007-11-16 22:15 <DIR> d-------- H:\Documents and Settings\Administrator\Preferiti
2008-03-10 22:42 . 2007-11-16 21:20 <DIR> d--h----- H:\Documents and Settings\Administrator\Modelli
2008-03-10 22:42 . 2007-11-16 22:15 <DIR> dr------- H:\Documents and Settings\Administrator\Menu Avvio
2008-03-10 22:42 . 2008-03-15 15:05 <DIR> d--h----- H:\Documents and Settings\Administrator\Impostazioni locali
2008-03-10 22:42 . 2007-11-16 22:15 <DIR> d-------- H:\Documents and Settings\Administrator\Documenti
2008-03-10 22:42 . 2007-11-16 22:15 <DIR> dr-h----- H:\Documents and Settings\Administrator\Dati applicazioni
2008-03-10 22:23 . 2008-03-10 22:25 <DIR> d-------- H:\WINDOWS\BDOSCAN8
2008-03-07 22:44 . 2008-03-12 20:45 116 --a------ H:\WINDOWS\NeroDigital.ini
2008-03-07 21:09 . 2008-03-07 21:09 <DIR> d-------- H:\Documents and Settings\Utente\Dati applicazioni\Ahead
2008-03-07 21:07 . 2008-03-07 21:07 <DIR> d-------- H:\Programmi\Nero
2008-03-07 21:07 . 2008-03-07 21:07 <DIR> d-------- H:\Programmi\File comuni\Ahead
2008-03-05 19:46 . 2008-03-01 14:44 35,610,387 --a------ H:\biglvisita.rtf
2008-03-01 13:32 . 2008-03-01 13:32 <DIR> dr------- H:\Documents and Settings\Utente\Dati applicazioni\Brother
2008-03-01 13:29 . 2008-03-01 13:29 <DIR> d-------- H:\Programmi\Softinterface, Inc
2008-02-21 20:06 . 2008-02-21 21:23 77 --a------ H:\WINDOWS\Preview.ini
2008-02-21 19:58 . 2008-02-21 21:24 <DIR> d-------- H:\WSIOTEMP
2008-02-21 19:58 . 2004-06-21 13:48 188,416 --a------ H:\WINDOWS\system32\tx_png32.flt
2008-02-21 19:58 . 2004-06-21 13:48 172,032 --a------ H:\WINDOWS\system32\tx_jpg32.flt
2008-02-21 19:58 . 2004-06-21 13:48 61,440 --a------ H:\WINDOWS\system32\tx_tif32.flt
2008-02-21 19:58 . 2004-06-21 13:48 53,248 --a------ H:\WINDOWS\system32\tx_bmp32.flt
2008-02-21 19:58 . 2007-07-20 11:49 49,152 --a------ H:\WINDOWS\system32\wkiconf.new
2008-02-21 19:58 . 2004-06-21 13:48 49,152 --a------ H:\WINDOWS\system32\tx_wmf32.flt
2008-02-21 19:58 . 2000-10-10 16:42 24,064 --a------ H:\WINDOWS\system32\tx_gif32.flt
2008-02-21 19:58 . 2004-06-21 13:48 466 --a------ H:\WINDOWS\system32\ic32.ini
2008-02-21 19:58 . 2008-02-21 19:58 0 --a------ H:\WINDOWS\system32\wkiconf.770
2008-02-21 19:53 . 2008-02-21 19:58 <DIR> d-------- H:\Programmi\WKICosimi
2008-02-21 19:42 . 2002-10-15 17:29 98,304 --a------ H:\WINDOWS\system32\skeylink.dll
2008-02-21 19:42 . 2002-09-25 15:58 10,286 --a------ H:\WINDOWS\system32\drivers\keyp.sys
2008-02-21 19:41 . 1996-10-16 11:49 301,568 --a------ H:\WINDOWS\unin0410.exe
2008-02-21 19:41 . 2008-02-21 19:45 14 --a------ H:\prog.bat
2008-02-21 19:40 . 2008-02-21 19:40 <DIR> d-------- H:\Programmi\SwiftView
2008-02-18 23:39 . 2008-03-11 19:54 <DIR> d-------- H:\Programmi\Briscola

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 14:08 --------- d-----w H:\Documents and Settings\All Users\Dati applicazioni\Google Updater
2008-03-11 18:54 --------- d-----w H:\Programmi\Java
2008-03-07 20:04 --------- d-----w H:\Programmi\Ahead
2008-03-07 19:48 --------- d-----w H:\Documents and Settings\Utente\Dati applicazioni\LimeWire
2008-03-01 12:18 196,608 ----a-w H:\WINDOWS\system32\drivers\aStandard.bin
2008-02-28 14:18 --------- d-----w H:\Programmi\Windows Live
2008-02-12 18:38 --------- d-----w H:\Documents and Settings\All Users\Dati applicazioni\DVD Shrink
2008-02-12 18:37 --------- d-----w H:\Programmi\DVD Shrink
2008-02-12 00:03 --------- d-----w H:\Programmi\Video DVD Maker
2008-02-12 00:03 --------- d-----w H:\Documents and Settings\Utente\Dati applicazioni\Video DVD Maker FREE
2008-02-11 23:51 --------- d-----w H:\Programmi\DVDStyler
2008-02-11 21:00 --------- d-----w H:\Documents and Settings\Utente\Dati applicazioni\Wireshark
2008-02-11 20:58 --------- d-----w H:\Programmi\Wireshark
2008-02-11 20:43 --------- d-----w H:\Programmi\NAI
2008-02-11 20:03 --------- d-----w H:\Documents and Settings\Utente\Dati applicazioni\gtk-2.0
2008-02-11 20:01 --------- d-----w H:\Programmi\WinPcap
2008-02-11 20:01 --------- d-----w H:\Programmi\Nmap
2008-02-05 19:20 --------- d-----w H:\Programmi\File comuni\Adobe
2008-02-05 17:34 --------- d-----w H:\Programmi\MSXML 6.0
2008-02-04 22:55 --------- d-----w H:\Programmi\BIAS
2008-02-04 21:55 --------- d-----w H:\Programmi\mp3DirectCut
2008-02-04 20:55 --------- d-----w H:\Programmi\SureThing Express Labeler
2008-02-04 20:52 --------- d-----w H:\Programmi\File comuni\SureThing Shared
2008-02-04 20:51 --------- d--h--w H:\Programmi\InstallShield Installation Information
2008-02-04 20:51 --------- d-----w H:\Programmi\proDAD
2008-02-04 20:51 --------- d-----w H:\Programmi\Pinnacle
2008-02-04 20:51 --------- d-----w H:\Documents and Settings\Utente\Dati applicazioni\proDAD
2008-02-04 19:30 --------- d-----w H:\Programmi\LimeWire
2008-02-03 13:45 --------- d-----w H:\Programmi\Direct MIDI to MP3 Converter
2008-02-02 12:22 --------- d-----w H:\Programmi\MSXML 4.0
2008-02-01 20:22 --------- d-----w H:\Documents and Settings\All Users\Dati applicazioni\Pinnacle
2008-02-01 20:15 --------- d-----w H:\Documents and Settings\All Users\Dati applicazioni\Pinnacle Studio
2008-02-01 20:12 --------- d-----w H:\Documents and Settings\Utente\Dati applicazioni\InstallShield
2008-02-01 10:17 586,752 ----a-w H:\WINDOWS\WLXPGSS.SCR
2008-01-31 19:08 --------- d-----w H:\Programmi\SWiSHmax
2008-01-31 14:28 --------- d-----w H:\Documents and Settings\Utente\Dati applicazioni\dvdcss
2008-01-30 23:51 --------- d-----w H:\Programmi\Windows Media Connect 2
2008-01-29 18:46 --------- d-----w H:\Programmi\WinHTTrack
2008-01-24 19:46 --------- d-----w H:\Programmi\FileZilla
2008-01-23 21:04 --------- d-----w H:\Documents and Settings\Gli altri\Dati applicazioni\ATI
2008-01-22 13:00 765,952 ----a-w H:\WINDOWS\system32\tx14.dll
2008-01-22 00:00 1,056,768 ----a-w H:\WINDOWS\system32\tx14_dox.dll
2008-01-21 04:20 552,960 ----a-w H:\WINDOWS\system32\tx14_rtf.dll
2008-01-18 01:36 249,856 ----a-w H:\WINDOWS\system32\tx14_htm.dll
2008-01-17 19:55 --------- d-----w H:\Programmi\Macromedia
2008-01-17 19:53 --------- d-----w H:\Programmi\File comuni\Macromedia
2008-01-17 19:34 --------- d-----w H:\Programmi\Microsoft.NET
2008-01-17 19:26 --------- d---a-w H:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-01-15 04:10 667,648 ----a-w H:\WINDOWS\system32\tx14_doc.dll
2008-01-15 02:31 131,072 ----a-w H:\WINDOWS\system32\tx14_ic.dll
2008-01-15 02:01 217,088 ----a-w H:\WINDOWS\system32\tx14_tls.dll
2008-01-05 09:56 1 ----a-w H:\Documents and Settings\Utente\SI.bin
.

((((((((((((((((((((((((((((( snapshot@2008-03-15_15.04.56,40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-15 13:22:24 58,732 ----a-w H:\WINDOWS\system32\perfc009.dat
+ 2008-03-15 14:19:54 58,596 ----a-w H:\WINDOWS\system32\perfc009.dat
- 2008-03-15 13:22:24 69,790 ----a-w H:\WINDOWS\system32\perfc010.dat
+ 2008-03-15 14:19:55 69,568 ----a-w H:\WINDOWS\system32\perfc010.dat
- 2008-03-15 13:22:24 392,432 ----a-w H:\WINDOWS\system32\perfh009.dat
+ 2008-03-15 14:19:55 392,296 ----a-w H:\WINDOWS\system32\perfh009.dat
- 2008-03-15 13:22:24 437,644 ----a-w H:\WINDOWS\system32\perfh010.dat
+ 2008-03-15 14:19:55 437,272 ----a-w H:\WINDOWS\system32\perfh010.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"swg"="H:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"LaunchList"="H:\Programmi\Pinnacle\Studio 11\LaunchList2.exe" [2007-03-21 15:41 145496]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="H:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 08:28 16126464 H:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2007-04-04 10:22 1822720 H:\WINDOWS\SkyTel.exe]
"ATICCC"="H:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 09:12 90112]
"Sunkist2k"="H:\Programmi\Multimedia Card Reader\shwicon2k.exe" [2005-02-25 16:54 131072]
"avast!"="H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"iKeyWorks"="H:\PROGRA~1\Keyboard\Ikeymain.exe" [2002-11-22 11:22 73728]
"Adobe Reader Speed Launcher"="H:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="H:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="H:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

H:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Google Updater.lnk - H:\Programmi\Google\Google Updater\GoogleUpdater.exe [2007-12-16 00:58:46 124400]
Microsoft Office.lnk - H:\Programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"H:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"H:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"H:\\Programmi\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"H:\\Programmi\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"H:\\Programmi\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"H:\\Programmi\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"H:\\Programmi\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20:TCP"= 20:TCP:filezilla tcp 20
"20:UDP"= 20:UDP:filezilla udp 20
"21:TCP"= 21:TCP:filezilla tcp 21
"21:UDP"= 21:UDP:filezilla udp 21

S2 KeyP;KeyP;H:\WINDOWS\system32\DRIVERS\KeyP.sys [2002-09-25 15:58]
S3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;H:\WINDOWS\system32\DRIVERS\l251x86.sys [2007-06-21 03:44]
S3 Video3D;ASUS Video3D Service;H:\WINDOWS\system32\Drivers\Video3D32.sys [2006-09-29 10:06]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 15:22:17
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-03-15 15.22.52
ComboFix-quarantined-files.txt 2008-03-15 14:22:44
ComboFix2.txt 2008-03-15 14:05:06
.
2008-03-11 22:21:36 --- E O F ---
r16
Posted: Saturday, March 15, 2008 9:59:26 PM
Rank: AiutAmico

Member since: 8/7/2007
Posts: 11,016
Hi
I'd like to know what is NOT working for you.
If HJT works for you, post a log.
As for the defenses (antivirus, antispyware, etc.) malfunctioning, that's normal.
Bagle attacks those first.
You have to uninstall them (all of them, including SpyBot) and reinstall them.
Download GMER http://www.gmer.net/gmer.zip
Run 2 scans: for the first, click Autostart, check Show All, click Scan.

Then click Rootkit
click Scan.
Right-click and delete all the entries you find in red.
To restore SafeBoot (if the procedure I pointed you to didn't work; by the way, I hope you clicked on the right key; to find out, right-click on the keys, Properties, and see which OS they are meant for), try using this copy of the missing keys, taken from a "healthy" PC:
http://www.p2pforum.it/forum/attachment.php?attachmentid=14506&d=1168521677

Powered by Yet Another Forum.net version 1.9.1.8 (NET v2.0) - 3/29/2008