hallie (Pious Mortal)
Joined: 14/09/07 00:05
Posts: 21
Posted: 14 Sep 2007 00:37    Subject: whataboutdog and whataboutrabbit

Hi everyone. Problems for me too with the dog and the rabbit..
Let me explain what happened. AntiVir kept reporting the virus heur-dblext/crypted over and over, giving me only the options to ignore it or quarantine it. Once quarantined, the file recreates itself after a variable time (even a few hours). It's a series of numbers with a .dat extension that gets created in the folder Documents and Settings/nomeutente/Impostazioni Locali/Temp

The HijackThis log looked clean to me (but judge for yourselves), except for the two entries in the title, which I fixed. The dog seems to be gone, but the rabbit inexorably comes back.

The virus had created a series of bak folders for several programs (antivir, acrobat reader, messenger, java console and the system32/ctfmon file).
With Avenger I deleted the infected files and replaced them with the ones in the backup folders.

I disabled System Restore, rebooted in safe mode and checked whether linkoptimizer was there with the fixlinkopt tool: it was, and the tool removed it.

I rebooted, but the same problems came back: the numbers.dat file gets created in the temp folder and the rabbit is back in the trusted zone..

Can you help me?
Thanks a lot

hallie (Pious Mortal)
Joined: 14/09/07 00:05
Posts: 21
Posted: 14 Sep 2007 00:38

Grem Autostart: link Grem Rootkit: link
 
 
 Logfile of HijackThis v1.99.1
 Scan saved at 0.33.57, on 14/09/2007
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\WINDOWS\Explorer.EXE
 C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
 C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
 C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
 C:\WINDOWS\System32\svchost.exe
 C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
 C:\WINDOWS\Mixer.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\WINDOWS\system32\mapiicon.exe
 C:\WINDOWS\system32\wscntfy.exe
 C:\WINDOWS\System32\svchost.exe
 C:\Programmi\Internet Explorer\iexplore.exe
 C:\Programmi\Java\jre1.6.0_02\bin\bak\jusched.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\Programmi\CCleaner\hijackthis\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inter-calcio.it/indice.htm
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
 O4 - HKLM\..\Run: [ADSL_A2] A2Installed
 O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
 O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
 O4 - Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
 O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4841/mcfscan.cab
 O17 - HKLM\System\CCS\Services\Tcpip\..\{89C3E837-CAFF-4AB6-8721-B4E67D4D2BD2}: NameServer = 213.205.36.70 213.205.32.70
 O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
 O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
 O20 - Winlogon Notify: SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
 O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
 O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
 O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
Orange (Mature God)
Joined: 18/02/07 13:20
Posts: 2224
Location: Roma
Posted: 14 Sep 2007 09:02

Welcome hallie. There are traces of LO, but I think it has been defeated. Let's see...

Could you also post a FindAWF log?
In the meantime let's try to fix the Trusted zone:
download DelDomains and save it to the desktop (right-click the link > save target)
then right-click the file and choose Install.

We'll wait for the FindAWF log.

hallie (Pious Mortal)
Joined: 14/09/07 00:05
Posts: 21
Posted: 14 Sep 2007 09:36

Hi Orange, thanks for the welcome.
So, I did as you told me for the trusted zone, but I'm not able to post the FindAWF log because the message "Searching for bak folders Please Wait" stays on screen for hours and it doesn't go any further.

Also, since this morning this message appears: link

hallie (Pious Mortal)
Joined: 14/09/07 00:05
Posts: 21
Posted: 14 Sep 2007 09:45

Never mind.
 
 Find AWF report by noahdfear ©2006
 Version 1.40
 
 
 
 bak folders found
 ~~~~~~~~~~~
 
Il volume nell'unità C non ha etichetta.
 Numero di serie del volume: 1866-2D71
 
 Directory di C:\PROGRA~1\ANTIVI~1\BAK
 
 13/12/2006  06.47           262.184 avgnt.exe
 1 File        262.184 byte
 2 Directory  11.386.388.480 byte disponibili
Il volume nell'unità C non ha etichetta.
 Numero di serie del volume: 1866-2D71
 
 Directory di C:\WINDOWS\SYSTEM32\BAK
 
 19/08/2004  16.39            15.360 ctfmon.exe
 1 File         15.360 byte
 2 Directory  11.386.388.480 byte disponibili
Il volume nell'unità C non ha etichetta.
 Numero di serie del volume: 1866-2D71
 
 Directory di C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK
 
 12/07/2007  04.00           132.496 jusched.exe
 1 File        132.496 byte
 2 Directory  11.386.384.384 byte disponibili
 
 
 Duplicate files of bak directory contents
 ~~~~~~~~~~~~~~~~~~~~~~~
 
 249896 14 Sep 2007 "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe"
 262184 13 Dec 2006 "C:\Programmi\AntiVir PersonalEdition Classic\bak\avgnt.exe"
 327720 20 Apr 2007 "C:\Documents and Settings\All Users\Dati applicazioni\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_4627f49c\winwks\en\basic-nt\avgnt.exe"
 15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
 15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
 36975 10 Nov 2005 "C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe"
 49263  9 Nov 2006 "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
 49263 12 Oct 2006 "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
 24592 13 Sep 2007 "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
 132496 12 Jul 2007 "C:\Programmi\Java\jre1.6.0_02\bin\bak\jusched.exe"
 
 
 end of report

Orange (Mature God)
Joined: 18/02/07 13:20
Posts: 2224
Location: Roma
Posted: 14 Sep 2007 12:35

It's strange though: all the logs are practically clean. Also, I don't like that error message at all...
Well, let's do it!
Follow the instructions in this topic and post the SystemScan log.

Sante62 (Mature God)
Joined: 27/06/07 17:55
Posts: 3477
Location: Floridia
Posted: 14 Sep 2007 12:37

Hi hallie. Download Avenger and put it in its own folder in C:\
http://swandog46.geekstogo.com/avenger.zip
Start AVENGER
Click on input script manually
Click on the magnifying glass
Enter these lines:

Files to delete:
C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe

Files to move:
C:\Programmi\Java\jre1.6.0_02\bin\bak\jusched.exe | C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe

Click on Done
Click on the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When the operation is finished, post the result here with an updated hijackthis log.

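As an added example (not code from the thread, FindAWF or Avenger), here is a defender-side Python check for the "bak folder" swap that the FindAWF report above lists and that Sante62's script undoes: it walks a tree, pairs every file in a `bak` directory with the same-named file one level up, flags the pairs whose live file no longer matches the backed-up copy, and emits the matching Avenger `Files to delete` / `Files to move` lines as a plan rather than acting on anything. The sample tree is constructed in a temporary directory to mirror the jusched.exe and ctfmon.exe entries of the report; all function names are my own.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Added example, not part of the forum thread or of FindAWF/Avenger.
# The infection described above copied each legitimate program (avgnt.exe,
# jusched.exe, ctfmon.exe) into a sibling "bak" folder and put its own
# loader in the original place, so live file and bak copy differ in size.


@dataclass
class BakPair:
    live: str          # file currently in place (may be the malware's loader)
    backup: str        # copy the malware stashed in <dir>/bak
    live_size: int
    backup_size: int
    identical: bool    # True when both files have the same SHA-256


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root):
    """Pair every file inside a directory named 'bak' with the same-named
    file in the parent directory, like FindAWF's duplicate list."""
    pairs = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        for name in filenames:
            backup = os.path.join(dirpath, name)
            live = os.path.join(parent, name)
            if not os.path.isfile(live):
                continue  # bak copy with nothing in place: nothing to compare
            pairs.append(BakPair(
                live=live, backup=backup,
                live_size=os.path.getsize(live),
                backup_size=os.path.getsize(backup),
                identical=_sha256(live) == _sha256(backup),
            ))
    return sorted(pairs, key=lambda p: p.live)


def avenger_restore_script(pairs):
    """Build the 'Files to delete' / 'Files to move' script in the form
    Sante62 posted, one entry per pair whose live file no longer matches
    its bak copy. Returns an empty string when nothing needs restoring."""
    swapped = [p for p in pairs if not p.identical]
    if not swapped:
        return ""
    lines = ["Files to delete:"] + [p.live for p in swapped]
    lines += ["", "Files to move:"] + [f"{p.backup} | {p.live}" for p in swapped]
    return "\n".join(lines)


def demo_tree():
    """Constructed sample tree mirroring the FindAWF report in the thread:
    jusched.exe was swapped (24592 vs 132496 bytes), ctfmon.exe was not."""
    root = tempfile.mkdtemp(prefix="findawf_demo_")
    java_bin = os.path.join(root, "Programmi", "Java", "jre1.6.0_02", "bin")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    for d in (os.path.join(java_bin, "bak"), os.path.join(sys32, "bak")):
        os.makedirs(d)
    # Swapped: the live file is a different, smaller blob than the bak copy.
    with open(os.path.join(java_bin, "jusched.exe"), "wb") as f:
        f.write(b"MZ" + b"L" * 24590)
    with open(os.path.join(java_bin, "bak", "jusched.exe"), "wb") as f:
        f.write(b"MZ" + b"J" * 132494)
    # Already restored: live and bak copies are byte-identical (15360 bytes).
    legit = b"MZ" + b"C" * 15358
    for p in (os.path.join(sys32, "ctfmon.exe"),
              os.path.join(sys32, "bak", "ctfmon.exe")):
        with open(p, "wb") as f:
            f.write(legit)
    return root


if __name__ == "__main__":
    pairs = find_bak_pairs(demo_tree())
    for pair in pairs:
        state = "identical" if pair.identical else "SWAPPED"
        print(f"{state:9} {pair.live} ({pair.live_size} B) vs bak ({pair.backup_size} B)")
    print(avenger_restore_script(pairs) or "nothing to restore")
```

The hash comparison, not the size alone, is what decides: an identical pair (ctfmon.exe here) means the original was already put back, while a mismatch means the file in place is still the swapped-in one.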
	
Sante62 (Mature God)
Joined: 27/06/07 17:55
Posts: 3477
Location: Floridia
Posted: 14 Sep 2007 12:41

Orange wrote:
> It's strange though: all the logs are practically clean. Also, I don't like that error message at all...

You beat me to it!
Anyway, my post should be correct...

hallie (Pious Mortal)
Joined: 14/09/07 00:05
Posts: 21
Posted: 14 Sep 2007 13:16

Thanks a lot to both of you, I'm doing everything, as soon as I finish I'll post. In the meantime I'll let you know that the dog is back too, so nothing is missing.

hallie (Pious Mortal)
Joined: 14/09/07 00:05
Posts: 21
Posted: 14 Sep 2007 13:40

Systemscan log: link

After the reboot this is the avenger message:

 Logfile of The Avenger version 1, by Swandog46
 Running from registry key:
 \Registry\Machine\System\CurrentControlSet\Services\sryykjft
 
 *******************
 
 Script file located at: \??\C:\WINDOWS\cxhwxwdp.txt
 Script file opened successfully.
 
 Script file read successfully
 
 Backups directory opened successfully at C:\Avenger
 
 *******************
 
 Beginning to process script file:
 
 File C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe deleted successfully.
 File move operation C:\Programmi\Java\jre1.6.0_02\bin\bak\jusched.exe|C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe completed successfully.
 
 Completed script processing.
 
 *******************
 
 Finished!  Terminate.
 
 
 
 
 Logfile of HijackThis v1.99.1
 Scan saved at 13.38.46, on 14/09/2007
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
 C:\WINDOWS\Explorer.EXE
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
 C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
 C:\WINDOWS\System32\svchost.exe
 C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
 C:\WINDOWS\Mixer.exe
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\WINDOWS\system32\mapiicon.exe
 C:\WINDOWS\system32\wscntfy.exe
 C:\WINDOWS\system32\wuauclt.exe
 C:\WINDOWS\System32\svchost.exe
 C:\Programmi\CCleaner\hijackthis\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
 O4 - HKLM\..\Run: [ADSL_A2] A2Installed
 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
 O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
 O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
 O4 - Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
 O15 - Trusted Zone: *.whataboutadog.com
 O15 - Trusted Zone: *.whataboutarabit.com
 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
 O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4841/mcfscan.cab
 O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
 O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
 O20 - Winlogon Notify: SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
 O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
 O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
 O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe

bdoriano (Administrator)
Joined: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...
Posted: 14 Sep 2007 15:09

Start AVENGER
Click on input script manually
Click on the magnifying glass
Enter these lines:

Quote:
Drivers to unload:
sryykjft
 
 Files to delete:
 C:\ptletxnu.bat
 C:\WINDOWS\svchost.exe
 C:\WINDOWS\system32\drivers\epdmpytc.sys
 C:\WINDOWS\Tasks\pbbrn.job
 C:\WINDOWS\Tasks\qmzelpad.job
 C:\WINDOWS\Tasks\luifocfc.job
 C:\WINDOWS\Tasks\bwwzup.job
 C:\WINDOWS\Tasks\njknbfu.job
 C:\WINDOWS\Tasks\gbu.job
 C:\WINDOWS\Tasks\jtryzx.job
 C:\WINDOWS\Tasks\dtexcnhh.job
 C:\WINDOWS\Tasks\hoeasrt.job
 C:\WINDOWS\Tasks\ioonpop.job
 C:\WINDOWS\Tasks\fajraa.job
 C:\WINDOWS\Tasks\vom.job
 C:\WINDOWS\Tasks\cbitjgv.job
 C:\WINDOWS\Tasks\sjhnaki.job
 C:\WINDOWS\Tasks\ltbnv.job
 C:\WINDOWS\Tasks\nndqvoxz.job
 C:\WINDOWS\Tasks\gfhp.job
 C:\WINDOWS\Tasks\jaixut.job
 C:\WINDOWS\Tasks\zeviwckx.job
 C:\WINDOWS\Tasks\jllnrl.job
 C:\WINDOWS\Tasks\kjcn.job
 C:\WINDOWS\Tasks\ubmzb.job
 C:\WINDOWS\Tasks\zvexht.job
 C:\WINDOWS\Tasks\lnolrjh.job
 C:\WINDOWS\Tasks\ychdva.job
 C:\WINDOWS\Tasks\vrlcj.job
 C:\WINDOWS\Tasks\snhieobl.job
 C:\WINDOWS\Tasks\ivzfh.job
 C:\WINDOWS\Tasks\cnjlvk.job
 C:\WINDOWS\Tasks\wxec.job
 C:\WINDOWS\Tasks\bqyhnf.job
 C:\WINDOWS\Tasks\xjklst.job
 C:\WINDOWS\Tasks\fydse.job
 C:\WINDOWS\Tasks\etthl.job
 C:\WINDOWS\Tasks\mltfwd.job
 C:\WINDOWS\Tasks\vpbg.job
 C:\WINDOWS\Tasks\vggk.job
 C:\WINDOWS\Tasks\anucpe.job
 C:\WINDOWS\Tasks\dkz.job
 C:\WINDOWS\Tasks\wplzlrp.job
 C:\WINDOWS\Tasks\sbwws.job
 C:\WINDOWS\Tasks\bylwc.job
 C:\WINDOWS\Tasks\mvljks.job
 C:\WINDOWS\Tasks\isucnsxn.job
 C:\WINDOWS\Tasks\iqd.job
 C:\WINDOWS\Tasks\zea.job
 C:\WINDOWS\Tasks\bqcrbzaj.job
 C:\WINDOWS\Tasks\hrs.job
 C:\WINDOWS\Tasks\zuhtahpi.job
 C:\WINDOWS\Tasks\ixkcb.job
 C:\WINDOWS\Tasks\mhbz.job
 C:\WINDOWS\Tasks\ioifgka.job
 C:\WINDOWS\Tasks\yoonetg.job
 C:\WINDOWS\Tasks\koiqwjsl.job
 C:\WINDOWS\Tasks\qmmxk.job
 C:\WINDOWS\Tasks\wxkb.job
 C:\WINDOWS\Tasks\ixcqn.job
 C:\WINDOWS\Tasks\ssk.job
 C:\WINDOWS\Tasks\cjkqpjnn.job
 C:\WINDOWS\Tasks\dpagl.job
 C:\WINDOWS\Tasks\ubend.job
 C:\WINDOWS\Tasks\chb.job
 C:\WINDOWS\Tasks\fvzzd.job
 C:\WINDOWS\Tasks\wdbbcyo.job
 C:\WINDOWS\Tasks\ipphbr.job
 C:\WINDOWS\Tasks\itexpxr.job
 C:\WINDOWS\Tasks\wah.job
 C:\WINDOWS\Tasks\eau.job
 C:\WINDOWS\Tasks\pktvqq.job
 C:\WINDOWS\Tasks\pemwrnle.job
 
 registry values to delete:
 HKLM\Software\Microsoft\Windows\CurrentVersion\Run | sxpedkat
 HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | 5T19I3B27A

Click on Done
Click on the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When the operation is finished, post the result here.
Redo the operation with DelDomains as Orange had suggested.

hallie (Pious Mortal)
Joined: 14/09/07 00:05
Posts: 21
Posted: 14 Sep 2007 15:25

I redid the operation with deldomains.

Here is the result:
 
 Logfile of The Avenger version 1, by Swandog46
 Running from registry key:
 \Registry\Machine\System\CurrentControlSet\Services\lkbshcis
 
 *******************
 
 Script file located at: \??\C:\Program Files\noyydwfx.txt
 Script file opened successfully.
 
 Script file read successfully
 
 Backups directory opened successfully at C:\Avenger
 
 *******************
 
 Beginning to process script file:
 
 
 
 Registry key \Registry\Machine\System\CurrentControlSet\Services\sryykjft not found!
 Unload of driver sryykjft failed!
 
 Could not process line:
 sryykjft
 Status: 0xc0000034
 
 
 
 File C:\ptletxnu.bat not found!
 Deletion of file C:\ptletxnu.bat failed!
 
 Could not process line:
 C:\ptletxnu.bat
 Status: 0xc0000034
 
 
 
 File C:\WINDOWS\svchost.exe not found!
 Deletion of file C:\WINDOWS\svchost.exe failed!
 
 Could not process line:
 C:\WINDOWS\svchost.exe
 Status: 0xc0000034
 
 
 
 File C:\WINDOWS\system32\drivers\epdmpytc.sys not found!
 Deletion of file C:\WINDOWS\system32\drivers\epdmpytc.sys failed!
 
 Could not process line:
 C:\WINDOWS\system32\drivers\epdmpytc.sys
 Status: 0xc0000034
 
 File C:\WINDOWS\Tasks\pbbrn.job deleted successfully.
 File C:\WINDOWS\Tasks\qmzelpad.job deleted successfully.
 File C:\WINDOWS\Tasks\luifocfc.job deleted successfully.
 File C:\WINDOWS\Tasks\bwwzup.job deleted successfully.
 File C:\WINDOWS\Tasks\njknbfu.job deleted successfully.
 File C:\WINDOWS\Tasks\gbu.job deleted successfully.
 File C:\WINDOWS\Tasks\jtryzx.job deleted successfully.
 File C:\WINDOWS\Tasks\dtexcnhh.job deleted successfully.
 File C:\WINDOWS\Tasks\hoeasrt.job deleted successfully.
 File C:\WINDOWS\Tasks\ioonpop.job deleted successfully.
 File C:\WINDOWS\Tasks\fajraa.job deleted successfully.
 File C:\WINDOWS\Tasks\vom.job deleted successfully.
 File C:\WINDOWS\Tasks\cbitjgv.job deleted successfully.
 File C:\WINDOWS\Tasks\sjhnaki.job deleted successfully.
 File C:\WINDOWS\Tasks\ltbnv.job deleted successfully.
 File C:\WINDOWS\Tasks\nndqvoxz.job deleted successfully.
 File C:\WINDOWS\Tasks\gfhp.job deleted successfully.
 File C:\WINDOWS\Tasks\jaixut.job deleted successfully.
 File C:\WINDOWS\Tasks\zeviwckx.job deleted successfully.
 File C:\WINDOWS\Tasks\jllnrl.job deleted successfully.
 File C:\WINDOWS\Tasks\kjcn.job deleted successfully.
 File C:\WINDOWS\Tasks\ubmzb.job deleted successfully.
 File C:\WINDOWS\Tasks\zvexht.job deleted successfully.
 File C:\WINDOWS\Tasks\lnolrjh.job deleted successfully.
 File C:\WINDOWS\Tasks\ychdva.job deleted successfully.
 File C:\WINDOWS\Tasks\vrlcj.job deleted successfully.
 File C:\WINDOWS\Tasks\snhieobl.job deleted successfully.
 File C:\WINDOWS\Tasks\ivzfh.job deleted successfully.
 File C:\WINDOWS\Tasks\cnjlvk.job deleted successfully.
 File C:\WINDOWS\Tasks\wxec.job deleted successfully.
 File C:\WINDOWS\Tasks\bqyhnf.job deleted successfully.
 File C:\WINDOWS\Tasks\xjklst.job deleted successfully.
 File C:\WINDOWS\Tasks\fydse.job deleted successfully.
 File C:\WINDOWS\Tasks\etthl.job deleted successfully.
 File C:\WINDOWS\Tasks\mltfwd.job deleted successfully.
 File C:\WINDOWS\Tasks\vpbg.job deleted successfully.
 File C:\WINDOWS\Tasks\vggk.job deleted successfully.
 File C:\WINDOWS\Tasks\anucpe.job deleted successfully.
 File C:\WINDOWS\Tasks\dkz.job deleted successfully.
 File C:\WINDOWS\Tasks\wplzlrp.job deleted successfully.
 File C:\WINDOWS\Tasks\sbwws.job deleted successfully.
 File C:\WINDOWS\Tasks\bylwc.job deleted successfully.
 File C:\WINDOWS\Tasks\mvljks.job deleted successfully.
 File C:\WINDOWS\Tasks\isucnsxn.job deleted successfully.
 File C:\WINDOWS\Tasks\iqd.job deleted successfully.
 File C:\WINDOWS\Tasks\zea.job deleted successfully.
 File C:\WINDOWS\Tasks\bqcrbzaj.job deleted successfully.
 File C:\WINDOWS\Tasks\hrs.job deleted successfully.
 File C:\WINDOWS\Tasks\zuhtahpi.job deleted successfully.
 File C:\WINDOWS\Tasks\ixkcb.job deleted successfully.
 File C:\WINDOWS\Tasks\mhbz.job deleted successfully.
 File C:\WINDOWS\Tasks\ioifgka.job deleted successfully.
 File C:\WINDOWS\Tasks\yoonetg.job deleted successfully.
 File C:\WINDOWS\Tasks\koiqwjsl.job deleted successfully.
 File C:\WINDOWS\Tasks\qmmxk.job deleted successfully.
 File C:\WINDOWS\Tasks\wxkb.job deleted successfully.
 File C:\WINDOWS\Tasks\ixcqn.job deleted successfully.
 File C:\WINDOWS\Tasks\ssk.job deleted successfully.
 File C:\WINDOWS\Tasks\cjkqpjnn.job deleted successfully.
 File C:\WINDOWS\Tasks\dpagl.job deleted successfully.
 File C:\WINDOWS\Tasks\ubend.job deleted successfully.
 File C:\WINDOWS\Tasks\chb.job deleted successfully.
 File C:\WINDOWS\Tasks\fvzzd.job deleted successfully.
 File C:\WINDOWS\Tasks\wdbbcyo.job deleted successfully.
 File C:\WINDOWS\Tasks\ipphbr.job deleted successfully.
 File C:\WINDOWS\Tasks\itexpxr.job deleted successfully.
 File C:\WINDOWS\Tasks\wah.job deleted successfully.
 File C:\WINDOWS\Tasks\eau.job deleted successfully.
 File C:\WINDOWS\Tasks\pktvqq.job deleted successfully.
 File C:\WINDOWS\Tasks\pemwrnle.job deleted successfully.
 
 
 Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|sxpedkat
 Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|sxpedkat failed!
 Status: 0xc0000034
 
 Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|5T19I3B27A deleted successfully.
 
 Completed script processing.
 
 *******************
 
 Finished!  Terminate.

bdoriano (Administrator)
Joined: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...
Posted: 14 Sep 2007 15:29

Please post an updated hijackthis log.

hallie (Pious Mortal)
Joined: 14/09/07 00:05
Posts: 21
Posted: 14 Sep 2007 15:31

Sure:
 
 Logfile of HijackThis v1.99.1
 Scan saved at 15.31.08, on 14/09/2007
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
 C:\WINDOWS\Explorer.EXE
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
 C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
 C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
 C:\WINDOWS\Mixer.exe
 C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\WINDOWS\system32\mapiicon.exe
 C:\WINDOWS\system32\wscntfy.exe
 C:\WINDOWS\System32\svchost.exe
 C:\Programmi\CCleaner\hijackthis\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
 O4 - HKLM\..\Run: [ADSL_A2] A2Installed
 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
 O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
 O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
 O4 - Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
 O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4841/mcfscan.cab
 O17 - HKLM\System\CCS\Services\Tcpip\..\{89C3E837-CAFF-4AB6-8721-B4E67D4D2BD2}: NameServer = 213.205.36.70 213.205.32.70
 O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
 O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
 O20 - Winlogon Notify: SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
 O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
 O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
 O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe

bdoriano (Administrator)
Joined: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...
Posted: 14 Sep 2007 16:33

The hijackthis log looks ok. As soon as you can, redo the scan with SystemScan and post the logs on http://www.freefilehosting.net as indicated here.

hallie (Pious Mortal)
Joined: 14/09/07 00:05
Posts: 21
Posted: 14 Sep 2007 17:06

Here: link

bdoriano (Administrator)
Joined: 02/04/07 12:05
Posts: 14391
Location: 3rd planet of the solar system...
Posted: 14 Sep 2007 17:45

Ah! OK, I see now. You made the first systemscan log while you were setting up the first Avenger action (the one suggested by Sante62). That's why it couldn't find some of the entries to delete.
There's still one file to delete, just to be safe:
Start AVENGER
Click on input script manually
Click on the magnifying glass
Enter these lines:

Quote:
Files to delete:
C:\WINDOWS\system32\ctfmon.exe.tmp

Click on Done
Click on the traffic light
The PC should reboot; if it doesn't, reboot it yourself.
When the operation is finished, post the result here.

After this you should be all set, I hope!
Are you still seeing problems?

hallie (Pious Mortal)
Joined: 14/09/07 00:05
Posts: 21
Posted: 14 Sep 2007 17:59

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
 \Registry\Machine\System\CurrentControlSet\Services\eqpbmiac
 
 *******************
 
 Script file located at: \??\C:\mtxdpgwu.txt
 Script file opened successfully.
 
 Script file read successfully
 
 Backups directory opened successfully at C:\Avenger
 
 *******************
 
 Beginning to process script file:
 
 File C:\WINDOWS\system32\ctfmon.exe.tmp deleted successfully.
 
 Completed script processing.
 
 *******************
 
Finished!  Terminate.

I think everything is fine now, the file in temp has not been recreated.
Thanks for all your time and help, you've been great.
Without you I would never have made it.