Olimpo Informatico

[bdoriano]

Per vedere il log delle ultime operazioni fatte da Avenger, clicca sul menù File e poi su Open log file.

Facciamo un altro tentativo:
Salva questo sul desktop.
Avvia il pc in modalità provvisoria.
Esegui il programma appena scaricato.
Al termine, riavvia il pc in modalità normale e posta qui il log generato.
Vediamo se c'entra qualcosa....

[MasterDdj]

Ok ho fatto.questo è il log:


[07/21/2007, 10:40:29] - VirtumundoBeGone v1.5 ( "D:\VirtumundoBeGone.exe" )
[07/21/2007, 10:40:33] - Detected System Information:
[07/21/2007, 10:40:33] - Windows Version: 5.1.2600, Service Pack 2
[07/21/2007, 10:40:33] - Current Username: Utente (Admin)
[07/21/2007, 10:40:33] - Windows is in SAFE mode with Networking.
[07/21/2007, 10:40:33] - Searching for Browser Helper Objects:
[07/21/2007, 10:40:33] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[07/21/2007, 10:40:33] - BHO 2: {323E945D-299A-400A-A874-11A10696B4EC} ()
[07/21/2007, 10:40:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/21/2007, 10:40:33] - Checking for HKLM\...\Winlogon\Notify\dazgfuik
[07/21/2007, 10:40:33] - Key not found: HKLM\...\Winlogon\Notify\dazgfuik, continuing.
[07/21/2007, 10:40:33] - BHO 3: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[07/21/2007, 10:40:33] - BHO 4: {955BE0B8-BC85-4CAF-856E-8E0D8B610560} (Encarta Web Companion Oggetto helper)
[07/21/2007, 10:40:33] - BHO 5: {ABCDECF0-4B15-11D1-ABED-709549C10000} (IEHlprObj Class)
[07/21/2007, 10:40:33] - BHO 6: {B2C447B0-11E6-4E5F-9B60-1BD986E888C8} ()
[07/21/2007, 10:40:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/21/2007, 10:40:33] - Checking for HKLM\...\Winlogon\Notify\mafbmaf
[07/21/2007, 10:40:33] - Key not found: HKLM\...\Winlogon\Notify\mafbmaf, continuing.
[07/21/2007, 10:40:33] - BHO 7: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[07/21/2007, 10:40:33] - Finished Searching Browser Helper Objects
[07/21/2007, 10:40:33] - Finishing up...
[07/21/2007, 10:40:33] - Nothing found! Exiting...

[MasterDdj]

Ecco il log di avenger,dove ti dicevo che mi aveva dato alcuni errori prima di effettuarlo.Infatti non credo sia proprio corretto:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e15c6628-2d3a-11db-a033-0014858afdef}

[bdoriano]

Prova ad avviare avenger e a inserire queste istruzioni (ho tolto la riga incriminata):

[MasterDdj]

Mi da sempre un log di questo tipo:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not register cleanup batch.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ymemuein

*******************

Script file located at: \??\C:\Program Files\adittufi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\system32\mafbmaf.dll.bak for deletion
Deletion of file C:\WINDOWS\system32\mafbmaf.dll.bak failed!

Could not process line:
C:\WINDOWS\system32\mafbmaf.dll.bak
Status: 0xc0000022

File C:\WINDOWS\system32\gdbirftr.dll deleted successfully.
File C:\WINDOWS\system32\ppkcebzr.dll deleted successfully.
File C:\WINDOWS\system32\peltdfln.dll deleted successfully.
File C:\WINDOWS\system32\syakjjah.dll deleted successfully.
File C:\WINDOWS\system32\dazgfuik.dll deleted successfully.


Could not open file C:\WINDOWS\system32\mafbmaf.dll for deletion
Deletion of file C:\WINDOWS\system32\mafbmaf.dll failed!

Could not process line:
C:\WINDOWS\system32\mafbmaf.dll
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\drivers\mydlduiz.sys for deletion
Deletion of file C:\WINDOWS\system32\drivers\mydlduiz.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\mydlduiz.sys
Status: 0xc0000022

File C:\WINDOWS\temp\123179607.exe deleted successfully.


File C:\WINDOWS\TEMP\kzlnaa.exe not found!
Deletion of file C:\WINDOWS\TEMP\kzlnaa.exe failed!

Could not process line:
C:\WINDOWS\TEMP\kzlnaa.exe
Status: 0xc0000034



File C:\WINDOWS\fvzilq.job not found!
Deletion of file C:\WINDOWS\fvzilq.job failed!

Could not process line:
C:\WINDOWS\fvzilq.job
Status: 0xc0000034

Folder C:\WINDOWS\Downloaded Program Files\KjMiYLN deleted successfully.
Folder C:\Documents and Settings\Utente\Dati applicazioni\semanatiba deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{323E945D-299A-400A-A874-11A10696B4EC} deleted successfully.


Could not open registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2C447B0-11E6-4E5F-9B60-1BD986E888C8} for deletion
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2C447B0-11E6-4E5F-9B60-1BD986E888C8} failed!
Status: 0xc0000022

Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|kzlnaa.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[bdoriano]

Sono questi da eliminare:

[bdoriano]

Solo per tirarmi via un dubbio:

[MasterDdj]

Log di Vundo:


VundoFix V6.5.6

Checking Java version...

Sun Java not detected
Scan started at 20.40.39 22/07/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

[MasterDdj]

Log di hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.43.45, on 22/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\svchost.exe
C:\WINDOWS\ATKKBService.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Softwin\BitDefender10\vsserv.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
D:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Encarta Web Companion Oggetto helper - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtroll.dll
O2 - BHO: (no name) - {B2C447B0-11E6-4E5F-9B60-1BD986E888C8} - c:\windows\system32\mafbmaf.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Programmi\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = D:\BlueSoleil.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/230?a334552ccaa9449bbfa7a47275b7054c
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/229?a334552ccaa9449bbfa7a47275b7054c
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183657730609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183657677718
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: igpopqil - C:\WINDOWS\SYSTEM32\mafbmaf.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\BTNtService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Messenger MessengerWmiApSrv (MessengerWmiApSrv) - Unknown owner - C:\WINDOWS\TEMP\123179607.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Telefonia TapiSrv Hid Service (TapiSrv Hid Service) - Unknown owner - C:\WINDOWS\system32\AcSignExtResx.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Programmi\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8317 bytes

[MasterDdj]

questo è il risultato del log di VirIT:

VirIT eXplorer Lite Log

[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
23/07/2007 - 10:52:54

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\Documents and Settings\Utente\Impostazioni locali\Temporary Internet Files\Content.IE5\460C899B\11679-23[1].exe Infetto da Trojan.Win32.Dialer.AB
* * * RIMOSSO * * *
C:\Documents and Settings\Utente\Impostazioni locali\Temporary Internet Files\Content.IE5\RXXITF26\11679-23[1].exe Infetto da Trojan.Win32.Dialer.AB
* * * RIMOSSO * * *
C:\WINDOWS\system32\AcSignExtResx.exe Infetto da Trojan.Win32.Agent.AZD
* * * RIMOSSO * * *
C:\WINDOWS\system32\WinAvX.exe Infetto da Trojan.Win32.Zlob.BB
* * * RIMOSSO * * *
C:\WINDOWS\Temp\zkwzba.exe Infetto da Trojan.Win32.Dialer.IH
* * * RIMOSSO * * *
C:\WINDOWS\Temp\zzdgaa.exe Infetto da Trojan.Win32.Dialer.IH
* * * RIMOSSO * * *

Chiavi Registro infette: 0.
Files Infetti: 6.
Files Sospetti: 0.
Files Analizzati: 57974.
Files Totali: 57974.
Chiavi Registro rimosse: 0.
Virus Rimossi: 6.

[MasterDdj]

VirIT sembra aver rimosso 6 file infetti,ma Trojan.Conhook.Y continua a fuoriuscire.

[holifay]

Il log di systemscan ormai è vecchio, ma ti riassumo cosa farei. Alcune cose le hai già eliminate, altre sono forse ancora lì.

1) winliayv.exe questo processo è iniettato in services.exe

2) file da eliminare:
c:\windows\system32\winliayv.exe
C:\WINDOWS\system32\mafbmaf.dll
C:\WINDOWS\system32\ppkcebzr.dll
C:\WINDOWS\system32\peltdfln.dll
C:\WINDOWS\system32\gdbirftr.dll
C:\WINDOWS\system32\syakjjah.dll
C:\WINDOWS\Downloaded Program Files\KjMiYLN
C:\WINDOWS\Downloaded Program Files\sni3n5
C:\WINDOWS\system32\dazgfuik.dll
C:\WINDOWS\system32\drivers\mydlduiz.sys
C:\WINDOWS\temp\123179607.exe
C:\WINDOWS\TEMP\kzlnaa.exe
C:\WINDOWS\tasks\fvzilq.job
C:\3.tmp
C:\WINDOWS\system32\AcSignExtResx.exe
C:\WINDOWS\system32\2023434879.dat

3) chiavi da eliminare:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\igpopqil
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\Ndhnd
KEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\Ndhnd
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TapiSrv Hid Service
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\wwhqcgyf
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{323E945D-299A-400A-A874-11A10696B4EC}
HKCR\CLSID\{323E945D-299A-400A-A874-11A10696B4EC}
KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\e15c6628-2d3a-11db-a033-0014858afdef}

4) valori da cancellare
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|kzlnaa.exe


Prima di procedere però, sarebbe meglio avere il quadro completo aggiornato ed in ogni caso aspetta il consiglio di qualcun altro, dato che è un po' che non esamino più i log e probabilmente ho "perso un po' la mano"

In ogni caso, se hai ancora il link, cancellalo da Internet

[bdoriano]

Ciao mitica holifay!
Bentornata!

@Masterddj
Per il problema del trojan hai provato con questi passaggi?

Poi, rifai un log aggiornato con SystemScan:

[MasterDdj]

Log di avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hbkiskcl

*******************

Script file located at: \??\C:\Program Files\eiqfgpow.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Windows\System32\sstts.dll not found!
Deletion of file C:\Windows\System32\sstts.dll failed!

Could not process line:
C:\Windows\System32\sstts.dll
Status: 0xc0000034



File C:\Windows\System\sstts.dll not found!
Deletion of file C:\Windows\System\sstts.dll failed!

Could not process line:
C:\Windows\System\sstts.dll
Status: 0xc0000034



Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sstts not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sstts failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

[MasterDdj]

Link assegnati:

Direct Link: http://www.freefilehosting.net/download/NDIxNw==


report21.txt

[bdoriano]

Avvia avenger e inserisci queste righe:

[MasterDdj]

Ho fatto con Avenger ma su alcuni file mi dava qualcosa tipo errore di sintassi.Ma comunque nel log c'è scritto:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\Ndhnd


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKCR\CLSID\{323E945D-299A-400A-A874-11A10696B4EC}


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e15c6628-2d3a-11db-a033-0014858afdef}


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hpqfbuau

*******************

Script file located at: \??\C:\Program Files\lydsuale.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\winliayv.exe deleted successfully.


Could not open file C:\WINDOWS\system32\mafbmaf.dll for deletion
Deletion of file C:\WINDOWS\system32\mafbmaf.dll failed!

Could not process line:
C:\WINDOWS\system32\mafbmaf.dll
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\mafbmaf.dll.bak for deletion
Deletion of file C:\WINDOWS\system32\mafbmaf.dll.bak failed!

Could not process line:
C:\WINDOWS\system32\mafbmaf.dll.bak
Status: 0xc0000022

File C:\WINDOWS\system32\ppkcebzr.dll deleted successfully.
File C:\WINDOWS\system32\peltdfln.dll deleted successfully.
File C:\WINDOWS\system32\gdbirftr.dll deleted successfully.
File C:\WINDOWS\system32\syakjjah.dll deleted successfully.
File C:\WINDOWS\system32\dazgfuik.dll deleted successfully.


File C:\WINDOWS\system32\AcSignExtResx.exe not found!
Deletion of file C:\WINDOWS\system32\AcSignExtResx.exe failed!

Could not process line:
C:\WINDOWS\system32\AcSignExtResx.exe
Status: 0xc0000034

File C:\WINDOWS\system32\2023434879.dat deleted successfully.


Could not open file C:\WINDOWS\system32\drivers\mydlduiz.sys for deletion
Deletion of file C:\WINDOWS\system32\drivers\mydlduiz.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\mydlduiz.sys
Status: 0xc0000022



File C:\WINDOWS\temp\123179607.exe not found!
Deletion of file C:\WINDOWS\temp\123179607.exe failed!

Could not process line:
C:\WINDOWS\temp\123179607.exe
Status: 0xc0000034



File C:\WINDOWS\TEMP\kzlnaa.exe not found!
Deletion of file C:\WINDOWS\TEMP\kzlnaa.exe failed!

Could not process line:
C:\WINDOWS\TEMP\kzlnaa.exe
Status: 0xc0000034

File C:\WINDOWS\tasks\fvzilq.job deleted successfully.
File C:\3.tmp deleted successfully.
File C:\DOCUME~1\Utente\IMPOST~1\Temp\nkiatkyh.sys deleted successfully.


Folder C:\WINDOWS\Downloaded Program Files\KjMiYLN not found!
Deletion of folder C:\WINDOWS\Downloaded Program Files\KjMiYLN failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\KjMiYLN
Status: 0xc0000034

Folder C:\WINDOWS\Downloaded Program Files\sni3n5 deleted successfully.


Folder C:\Documents and Settings\Utente\Dati applicazioni\semanatiba not found!
Deletion of folder C:\Documents and Settings\Utente\Dati applicazioni\semanatiba failed!

Could not process line:
C:\Documents and Settings\Utente\Dati applicazioni\semanatiba
Status: 0xc0000034

Registry key HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MessengerWmiApSrv deleted successfully.
Registry key HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TapiSrv Hid Service deleted successfully.
Registry key HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\wwhqcgyf deleted successfully.


Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\igpopqil not found!
Deletion of registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\igpopqil failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\Ndhnd deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{323E945D-299A-400A-A874-11A10696B4EC} deleted successfully.


Could not open registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2C447B0-11E6-4E5F-9B60-1BD986E888C8} for deletion
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2C447B0-11E6-4E5F-9B60-1BD986E888C8} failed!
Status: 0xc0000022



Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|kzlnaa.exe
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|kzlnaa.exe failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

[bdoriano]

Ri-Avvia avenger e inserisci queste righe (ne ho corrette alcune):

[holifay]

In avenger solo HKLM e HKU sono riconosciute

[MasterDdj]

Log di avenger:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKCU\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\Ndhnd


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CLASSES_ROOT\CLSID\{323E945D-299A-400A-A874-11A10696B4EC}


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e15c6628-2d3a-11db-a033-0014858afdef}


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cbxrdnqe

*******************

Script file located at: \??\C:\WINDOWS\system32\tcohurfh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\winliayv.exe not found!
Deletion of file C:\WINDOWS\system32\winliayv.exe failed!

Could not process line:
C:\WINDOWS\system32\winliayv.exe
Status: 0xc0000034



Could not open file C:\WINDOWS\system32\mafbmaf.dll for deletion
Deletion of file C:\WINDOWS\system32\mafbmaf.dll failed!

Could not process line:
C:\WINDOWS\system32\mafbmaf.dll
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\mafbmaf.dll.bak for deletion
Deletion of file C:\WINDOWS\system32\mafbmaf.dll.bak failed!

Could not process line:
C:\WINDOWS\system32\mafbmaf.dll.bak
Status: 0xc0000022



File C:\WINDOWS\system32\ppkcebzr.dll not found!
Deletion of file C:\WINDOWS\system32\ppkcebzr.dll failed!

Could not process line:
C:\WINDOWS\system32\ppkcebzr.dll
Status: 0xc0000034



File C:\WINDOWS\system32\peltdfln.dll not found!
Deletion of file C:\WINDOWS\system32\peltdfln.dll failed!

Could not process line:
C:\WINDOWS\system32\peltdfln.dll
Status: 0xc0000034



File C:\WINDOWS\system32\gdbirftr.dll not found!
Deletion of file C:\WINDOWS\system32\gdbirftr.dll failed!

Could not process line:
C:\WINDOWS\system32\gdbirftr.dll
Status: 0xc0000034



File C:\WINDOWS\system32\syakjjah.dll not found!
Deletion of file C:\WINDOWS\system32\syakjjah.dll failed!

Could not process line:
C:\WINDOWS\system32\syakjjah.dll
Status: 0xc0000034



File C:\WINDOWS\system32\dazgfuik.dll not found!
Deletion of file C:\WINDOWS\system32\dazgfuik.dll failed!

Could not process line:
C:\WINDOWS\system32\dazgfuik.dll
Status: 0xc0000034



File C:\WINDOWS\system32\AcSignExtResx.exe not found!
Deletion of file C:\WINDOWS\system32\AcSignExtResx.exe failed!

Could not process line:
C:\WINDOWS\system32\AcSignExtResx.exe
Status: 0xc0000034



File C:\WINDOWS\system32\2023434879.dat not found!
Deletion of file C:\WINDOWS\system32\2023434879.dat failed!

Could not process line:
C:\WINDOWS\system32\2023434879.dat
Status: 0xc0000034



Could not open file C:\WINDOWS\system32\drivers\mydlduiz.sys for deletion
Deletion of file C:\WINDOWS\system32\drivers\mydlduiz.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\mydlduiz.sys
Status: 0xc0000022



File C:\WINDOWS\temp\123179607.exe not found!
Deletion of file C:\WINDOWS\temp\123179607.exe failed!

Could not process line:
C:\WINDOWS\temp\123179607.exe
Status: 0xc0000034



File C:\WINDOWS\TEMP\kzlnaa.exe not found!
Deletion of file C:\WINDOWS\TEMP\kzlnaa.exe failed!

Could not process line:
C:\WINDOWS\TEMP\kzlnaa.exe
Status: 0xc0000034



File C:\WINDOWS\tasks\fvzilq.job not found!
Deletion of file C:\WINDOWS\tasks\fvzilq.job failed!

Could not process line:
C:\WINDOWS\tasks\fvzilq.job
Status: 0xc0000034



File C:\3.tmp not found!
Deletion of file C:\3.tmp failed!

Could not process line:
C:\3.tmp
Status: 0xc0000034



File C:\DOCUME~1\Utente\IMPOST~1\Temp\nkiatkyh.sys not found!
Deletion of file C:\DOCUME~1\Utente\IMPOST~1\Temp\nkiatkyh.sys failed!

Could not process line:
C:\DOCUME~1\Utente\IMPOST~1\Temp\nkiatkyh.sys
Status: 0xc0000034



Folder C:\WINDOWS\Downloaded Program Files\KjMiYLN not found!
Deletion of folder C:\WINDOWS\Downloaded Program Files\KjMiYLN failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\KjMiYLN
Status: 0xc0000034



Folder C:\WINDOWS\Downloaded Program Files\sni3n5 not found!
Deletion of folder C:\WINDOWS\Downloaded Program Files\sni3n5 failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\sni3n5
Status: 0xc0000034



Folder C:\Documents and Settings\Utente\Dati applicazioni\semanatiba not found!
Deletion of folder C:\Documents and Settings\Utente\Dati applicazioni\semanatiba failed!

Could not process line:
C:\Documents and Settings\Utente\Dati applicazioni\semanatiba
Status: 0xc0000034



Registry key HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MessengerWmiApSrv not found!
Deletion of registry key HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MessengerWmiApSrv failed!

Could not process line:
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MessengerWmiApSrv
Status: 0xc0000034



Registry key HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TapiSrv Hid Service not found!
Deletion of registry key HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TapiSrv Hid Service failed!

Could not process line:
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TapiSrv Hid Service
Status: 0xc0000034

Registry key HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\wwhqcgyf deleted successfully.


Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\igpopqil not found!
Deletion of registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\igpopqil failed!
Status: 0xc0000034

Registry key HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\Ndhnd deleted successfully.


Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{323E945D-299A-400A-A874-11A10696B4EC} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{323E945D-299A-400A-A874-11A10696B4EC} failed!
Status: 0xc0000034



Could not open registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2C447B0-11E6-4E5F-9B60-1BD986E888C8} for deletion
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2C447B0-11E6-4E5F-9B60-1BD986E888C8} failed!
Status: 0xc0000022



Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|kzlnaa.exe
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|kzlnaa.exe failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.