#1
Junior Member
Joined: Aug 2006
Posts: 21

Same hyperactive memory problem...
As I wrote in the previous post, I have a problem with hyperactive memory use with nothing running, around 350 MB... ... .
Anyway, I downloaded AVS, an antispyware; I run scan after scan but it always finds these Trojans: win32agent.rk, which it cannot remove... ... win32agent.rl, which it apparently removed. Does anyone have an idea of how these problems can be solved?

#2
Senior Member
Joined: Aug 2005
Posts: 1267

Hi
Download gmer to the desktop: http://www.gmer.net/gmer110.zip
- extract the archive to the desktop
- run gmer.exe
- click the "Autostart" tab and run the scan by clicking "Scan"
- when the scan has finished click "Copy", open Notepad and paste the result, save it to the desktop
- run gmer.exe again, click the "Rootkit" tab, click Scan
- when the scan has finished click "Copy", open Notepad and paste the result, save it to the desktop
Please post both logs

#3
Junior Member
Joined: Aug 2006
Posts: 21

autostart
While that one runs... I'm posting the autostart result...
I should say that AVS has perhaps deleted something important, because magically everything went back to reasonable usage (220 MB instead of 350/400 MB); now I don't know whether it was 1) the antivirus 2) the punch I gave it 3) the fact that at some point it decided to shut itself down and on startup I declined the scandisk... ... anyway, autostart:

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-23 17:45:43
Windows 5.1.2600 Service Pack 2

HKLM\Software\Microsoft\Windows\CurrentVersion\Run@ = /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/ =
HKLM\SYSTEM\CurrentControlSet\Services\WebKbt /*WebKbt*/@ = "\\?\C:\Programmi\File comuni\System\com4.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
   @PowerKey"C:\Program Files\Launch Manager\PowerKey.exe" = "C:\Program Files\Launch Manager\PowerKey.exe"
   @Wbutton"C:\Program Files\Launch Manager\Wbutton.exe" = "C:\Program Files\Launch Manager\Wbutton.exe"
   @aol"C:\Programmi\AOL\Active Virus Shield\avp.exe" = "C:\Programmi\AOL\Active Virus Shield\avp.exe"
HKLM\SYSTEM\CurrentControlSet\Services\AVP /*Active Virus Shield*/@ = "C:\Programmi\AOL\Active Virus Shield\avp.exe" -r
HKLM\Software\Microsoft\Windows\CurrentVersion\Run@!ewido = "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
HKCU\Software\Microsoft\Windows\CurrentVersion\Run@MSMSGS = "C:\Programmi\Messenger\msmsgs.exe" /background
HKLM\Software\Microsoft\Internet Explorer\Main@Local Page = %SystemRoot%\system32\blank.htm
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows\CurrentVersion\Run@KernelFaultCheck = %systemroot%\system32\dumprep 0 -k
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/ = %SystemRoot%\system32\extmgr.dll
HKLM\SYSTEM\CurrentControlSet\Services\Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
HKLM\Software\Classes\PROTOCOLS\Handler\mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
   NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
   Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
   @{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
   @{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\system32\lpt5.vnv
HKLM\SYSTEM\CurrentControlSet\Services\anbmService /*Notebook Manager Service*/@ = C:\Acer\eManager\anbmServ.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
   @CtrlVolC:\Program Files\Launch Manager\CtrlVol.exe = C:\Program Files\Launch Manager\CtrlVol.exe
   @LManagerC:\Program Files\Launch Manager\HotkeyApp.exe = C:\Program Files\Launch Manager\HotkeyApp.exe
   @LaunchApC:\Program Files\Launch Manager\LaunchAp.exe = C:\Program Files\Launch Manager\LaunchAp.exe
   @LMgrOSDC:\Program Files\Launch Manager\OSDCtrl.exe = C:\Program Files\Launch Manager\OSDCtrl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
   @{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
   @{311F9DE8-6126-4eee-B15F-65CBB3B4F9F6}C:\Programmi\AOL Security Toolbar\AOL_security_toolbar.dll = C:\Programmi\AOL Security Toolbar\AOL_security_toolbar.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\AOL\Active Virus Shield\shellex.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\AOL\Active Virus Shield\shellex.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
HKLM\SYSTEM\CurrentControlSet\Services\ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Programmi\ewido anti-spyware 4.0\guard.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll
HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
   @{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
   @{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/C:\Programmi\Synaptics\SynTP\SynTPCpl.dll = C:\Programmi\Synaptics\SynTP\SynTPCpl.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
   @SynTPEnhC:\Programmi\Synaptics\SynTP\SynTPEnh.exe = C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
   @SynTPLprC:\Programmi\Synaptics\SynTP\SynTPLpr.exe = C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/ = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
   mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
   mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run@preload = C:\Windows\RUNXMLPL.exe
HKCU\Software\Microsoft\Internet Explorer\Main@Local Page = C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
   its@CLSID = C:\WINDOWS\system32\itss.dll
   ms-its@CLSID = C:\WINDOWS\system32\itss.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon@DLLName = C:\WINDOWS\system32\klogon.dll
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
   dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
   tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
   @{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
   @{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
   @{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
   @{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
   @{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\ssmypics.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\SYSTEM\CurrentControlSet\Services\UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/ = deskpan.dll /*file not found*/
HKLM\Software\Microsoft\Internet Explorer\Main@Default_Page_URL = http://global.acer.com/
HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.libero.it/
HKLM\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
   @nwiznwiz.exe /install = nwiz.exe /install
   @NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
   @VTTimerVTTimer.exe = VTTimer.exe
   @VTTraypVTtrayp.exe = VTtrayp.exe

---- EOF - GMER 1.0.10 ----
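The autostart log above carries the two indicators the rest of the thread turns on: a service (WebKbt) whose image is a file named after a reserved DOS device, com4.exe, and an AppInit_DLLs value loading lpt5.vnv, both written with the \\?\ path prefix. Ordinary Win32 tools resolve a name like com4.exe to the serial device, which is why scanners report the file as "not found" and cannot delete it; only the \\?\ form reaches the file on disk. The script below is an added example, not code from the thread or from GMER: it parses lines in GMER's Autostart format and flags those patterns, printing the \\?\ form an administrator would need to reference each flagged file. The four sample lines are constructed from the shapes seen in the log above.

```python
import re
from dataclasses import dataclass, field

# Names the Win32 path parser reserves for devices. A file whose name, up to the
# first dot, is one of these (com4.exe, lpt5.vnv) is treated as the device by the
# ordinary Win32 API, so Explorer, del and most scanners cannot open or delete it;
# only the \\?\ form of the path reaches the file.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Constructed sample in GMER's Autostart format: two legitimate entries and the two
# entries that match the infection discussed in the thread.
SAMPLE_LOG = r"""
HKLM\SYSTEM\CurrentControlSet\Services\WebKbt /*WebKbt*/@ = "\\?\C:\Programmi\File comuni\System\com4.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\system32\lpt5.vnv
HKLM\Software\Microsoft\Windows\CurrentVersion\Run@aol = "C:\Programmi\AOL\Active Virus Shield\avp.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run@MSMSGS = "C:\Programmi\Messenger\msmsgs.exe" /background
"""

# A path is either a quoted string or an unquoted X:\... token, optionally with \\?\.
PATH_RE = re.compile(r'"([^"]+)"|((?:\\\\\?\\)?[A-Za-z]:\\\S+)')
COMMENT_RE = re.compile(r"\s*/\*.*?\*/")


@dataclass
class Finding:
    registry_key: str
    value_name: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def extended_path(self) -> str:
        """Path form an administrator needs in order to reference the file at all."""
        return to_extended_path(self.path)


def to_extended_path(path: str) -> str:
    return path if path.startswith("\\\\?\\") else "\\\\?\\" + path


def base_name_is_reserved(path: str) -> bool:
    name = path.rsplit("\\", 1)[-1]
    return name.split(".", 1)[0].upper() in RESERVED_DEVICE_NAMES


def extract_paths(data: str) -> list:
    return [q or u for q, u in PATH_RE.findall(data) if ":\\" in (q or u)]


def parse_entry(line: str):
    """Split 'KEY@VALUE = DATA' into its parts; returns None for other lines."""
    if " = " not in line:
        return None
    left, data = line.split(" = ", 1)
    key, _, value_name = left.rpartition("@")
    return COMMENT_RE.sub("", key).strip(), value_name.strip(), data.strip()


def triage(log_text: str) -> list:
    """Return one Finding per suspicious path in the autostart entries."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw.strip())
        if entry is None:
            continue
        key, value_name, data = entry
        for path in extract_paths(data):
            reasons = []
            if base_name_is_reserved(path):
                reasons.append("file named after a reserved DOS device name")
            if path.startswith("\\\\?\\"):
                reasons.append("\\\\?\\ prefix in an autostart value")
            if value_name.lower() == "appinit_dlls":
                reasons.append("AppInit_DLLs set: loaded into every process that uses user32.dll")
            if reasons:
                findings.append(Finding(key, value_name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.registry_key}@{f.value_name}\n  {f.path}\n  use: {f.extended_path}")
        for r in f.reasons:
            print(f"  - {r}")
```

Run against the full log pasted above (after restoring one entry per line), the script reports exactly the WebKbt service and the AppInit_DLLs value; a clean XP machine has an empty AppInit_DLLs and no autostart entry under a device name. Whether a flagged file actually exists can then be checked through its \\?\ path rather than the plain one, which is the check the scanners in this thread were failing.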
#4
Junior Member
Joined: Aug 2006
Posts: 21

and here's root
Never mind, AVS has found win agent rk again, and doesn't remove it...
Anyway here is the other note:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-23 17:56:19
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.10 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey
SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwUnloadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 8135B688
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 81361698
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE FFA51A88
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 81361698
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSEIRP_MJ_READ FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA FF8A5EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_PNP FF8A5EB0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE FFA51A88
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 81361698
Device \Driver\NetBT \Device\NetBT_Tcpip_{E3427CB2-9F8E-4A1A-8E61-47E34B6EAAA1} IRP_MJ_CREATE FFB29748
Device \Driver\00000048 \Device\00000076 IRP_MJ_SYSTEM_CONTROL [F905AF68] sptd.sys
Device \Driver\00000048 \Device\00000076 IRP_MJ_DEVICE_CHANGE [F906FA70] sptd.sys
Device \Driver\00000048 \Device\00000076 IRP_MJ_PNP_POWER [F9068728] sptd.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE FFB29748
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE FFB29748
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 8135B940
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSEIRP_MJ_READ 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP_POWER 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSEIRP_MJ_READ 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 812A33D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP_POWER 812A33D0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 8120DE48
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 8120DE48
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSEIRP_MJ_READ 8120DE48
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 8120DE48
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 8120DE48
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 8120DE48
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_EA 8120DE48
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 81361698
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE FFB14EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CREATE FFAE30E8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE FFAE30E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 8135B688
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 812A7770

---- EOF - GMER 1.0.10 ----

#5
Senior Member
Joined: Aug 2005
Posts: 1267

Temporarily disable the real-time protection of Ewido and Active Virus Shield.
Download avenger to the desktop: http://swandog46.geekstogo.com/avenger.zip
Extract the archive
Run the file avenger.exe
Select the "Input Script Manually" option
Click the magnifying glass
A "View/edit script" window opens
Inside the white box, copy and paste the text in red
Quote:

Click the green traffic-light icon
Answer Yes
The PC should reboot by itself; if it doesn't, reboot it manually
Once the PC has rebooted, connect and post the contents of the file C:\Avenger.txt
Once rebooted, open the DOS prompt (Start > Run, type cmd in the box and click OK) and type:
cd C:\programmi\file comuni\system <---- press Enter
dir > c:\files.txt <---- press Enter
cd C:\Programmi\File comuni\Microsoft Shared <---- press Enter
dir > c:\files1.txt <---- press Enter
Open C:\; you should have the files files.txt and files1.txt. Please post the contents of the 2 files.
Bye

#6
Junior Member
Joined: Aug 2006
Posts: 21

avenger txt
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xskqjtnl

*******************

Script file located at: \??\C:\WINDOWS\system32\emomehrq.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\WebKbt deleted successfully.
File C:\Programmi\File comuni\System\com4.exe deleted successfully.
File C:\WINDOWS\system32\lpt5.vnv not found!
Deletion of file C:\WINDOWS\system32\lpt5.vnv failed!
Could not process line:
C:\WINDOWS\system32\lpt5.vnv
Status: 0xc0000034
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

#7
Junior Member
Joined: Aug 2006
Posts: 21

file
Il volume nell'unità C è ACER
Numero di serie del volume: 0C4A-12F2

Directory di C:\Programmi\File comuni\System

14/09/2004  11.58    <DIR>          .
14/09/2004  11.58    <DIR>          ..
14/09/2004  11.58    <DIR>          msadc
14/09/2004  11.58    <DIR>          ado
14/09/2004  11.58    <DIR>          Ole DB
19/08/2004  20.00            81.408 directdb.dll
19/08/2004  20.00           254.976 wab32res.dll
17/03/2006  11.11           510.464 wab32.dll
               3 File          846.848 byte
               5 Directory  6.333.595.648 byte disponibili

#8
Junior Member
Joined: Aug 2006
Posts: 21

file1
Il volume nell'unità C è ACER
Numero di serie del volume: 0C4A-12F2

Directory di C:\Programmi\File comuni\Microsoft Shared

14/09/2004  11.52    <DIR>          .
14/09/2004  11.52    <DIR>          ..
14/09/2004  11.52    <DIR>          Speech
14/09/2004  11.58    <DIR>          TextConv
14/09/2004  11.58    <DIR>          Triedit
14/09/2004  11.58    <DIR>          DAO
14/09/2004  11.58    <DIR>          VGX
14/09/2004  11.58    <DIR>          MSInfo
14/09/2004  11.58    <DIR>          Elementi decorativi
14/09/2004  12.00    <DIR>          web server extensions
14/09/2004  12.05    <DIR>          Web Folders
16/08/2006  10.35    <DIR>          GRPHFLT
16/08/2006  10.35    <DIR>          Smart Tag
16/08/2006  10.35    <DIR>          MODI
16/08/2006  10.35    <DIR>          OFFICE11
16/08/2006  10.35    <DIR>          THEMES11
16/08/2006  10.35    <DIR>          EURO
16/08/2006  10.35    <DIR>          VBA
16/08/2006  10.35    <DIR>          MSORUN
16/08/2006  10.35    <DIR>          DW
16/08/2006  10.35    <DIR>          PROOF
16/08/2006  10.35    <DIR>          Portal
16/08/2006  10.36    <DIR>          Web Components
16/08/2006  10.36    <DIR>          MSDesigners7
16/08/2006  10.36    <DIR>          Visual Database Tools
16/08/2006  10.36    <DIR>          INK
16/08/2006  10.36    <DIR>          MSClientDataMgr
16/08/2006  10.36    <DIR>          Source Engine
               0 File                0 byte
              28 Directory  6.333.579.264 byte disponibili

#9
Senior Member
Joined: Aug 2005
Posts: 1267

Click Start > Run, type control userpasswords2 in the box and click OK.
A screen opens; tell me the names listed there (aspnet, administrator, etc.).
Start the PC in safe mode and run a scan with Ewido and the other antivirus; delete any infected items.
Bye

#10
Junior Member
Joined: Aug 2006
Posts: 21

How do I start XP in safe mode?

#11
Junior Member
Joined: Aug 2006
Posts: 21

Administrator (which in theory shouldn't be there) (Administrators group)
Kko (that is me, who should be the administrator) (Administrators group)
kYBNh (who the h... is that?) (Administrators group)
Simo (user)

#12
Senior Member
Joined: Aug 2005
Posts: 1267

Click Start > Restart.
The PC reboots; as soon as you glimpse the RAM count (the first lines on screen), press the F8 key repeatedly, wait a few moments and a menu will open. From this menu choose the "Start in safe mode" option, log in with your account and enter Windows (note that the graphics will be more spartan; that's normal).
Bye

#13
Senior Member
Joined: Aug 2005
Posts: 1267

You have a limited account.
Open the DOS prompt: what name do you see after Documents and Settings?

#14
Junior Member
Joined: Aug 2006
Posts: 21

So, after Documents...\kko (which is mine).
Now the CPU speed has normalized... but Avast on reboot flags these two and can't remove them:
-not found: Trojan program Trojan.Win32.Agent.rk File: c:\programmi\file comuni\system\com4.exe
-not found: Trojan program Trojan.Win32.Agent.rk File: C:\Avenger\com4.exe
two that generate another 5:
deleted: Trojan program Trojan.Win32.Agent.rl File: c:\windows\downloaded program files\freeaccess.ocx
deleted: Trojan program Trojan.Win32.Agent.rl File: c:\windows\downloaded program files\conflict.1\freeaccess.ocx
deleted: Trojan program Trojan.Win32.RKDice.a File: C:\WINDOWS\System32\LPT5.VNV
deleted: Trojan program Trojan.Win32.Small.jm File: C:\WINDOWS\Temp\rsym1.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan.Win32.Agent.rl File: C:\WINDOWS\system32\eraa.dll
which it does delete every time... and for the umpteenth time... what do you think? (PS: thanks anyway for the advice... excellent)

#16
Member
Joined: Nov 2002
Posts: 227

I looked for information online about these viruses but found nothing...
Last edited by Exus83: 04-09-2006 at 12:13.

#17
Senior Member
Joined: Aug 2006
City: Riviera del Brenta
Posts: 2052

You are infected with LinkOptimizer
http://www.hwupgrade.it/forum/showthread.php?t=1271721

All times are GMT +1. The time now is 04:20.