mirtillo25
11-12-2006, 23:57
Hi guys, I don't know how to remove a probable virus or rootkit that has taken over my computer. :mc:
The symptoms are that the PC starts up normally and boots Windows, but then it resets, and it keeps doing this over and over. :muro:
In safe mode everything works.. I have tried various antivirus programs, including kiss and Ashampoo, but they find nothing.
I ran a scan with GMER and it found a root, but I don't know how to remove it.
Attached file:
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-11 23:12:48
Windows 5.1.2600 Service Pack 2
---- Registry - GMER 1.0.12 ----
Reg \Registry\USER\S-1-5-21-606747145-706699826-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{03758C57-71AF-F4DA-397D-76002AC448AE}@kanolhjbafnbiocnolnmnm 0x62 0x61 0x64 0x6E ...
---- EOF - GMER 1.0.12 ----
GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2006-12-11 23:14:22
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon@DLLName = C:\WINDOWS\system32\klogon.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AVP /*Kaspersky Anti-Virus 6.0*/@ = "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r
Diskeeper /*Diskeeper*/@ = "C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe"
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZONELABS\vsmon.exe -service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@kav"C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" = "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
@ /*file not found*/ = /*file not found*/
@Zone Labs ClientC:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe = C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
@RemoteControlC:\Programmi\CyberLink\PowerDVD\PDVDServ.exe = C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
@DiskeeperSystray"C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe" = "C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe"
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@PrevxRootkitRemovalTool"C:\Documents and Settings\pippo\Desktop\52442A8.exe" -scan = "C:\Documents and Settings\pippo\Desktop\52442A8.exe" -scan
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@Windows Registry Repair ProC:\Programmi\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 /*file not found*/ = C:\Programmi\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{85E0B171-04FA-11D1-B7DA-00A0C90348D6} /*Web Anti-Virus*/C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll = C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{B33DE746-DEFE-4D7A-87DB-900864B1D3A9} = C:\Programmi\Ashampoo\Ashampoo AntiSpyWare\ContextHandler.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageE:\MY-Programm\ss2-428\428TS-en\Install\Components\Web\blank.htm = E:\MY-Programm\ss2-428\428TS-en\Install\Components\Web\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52F9F401-84D4-4858-BBA4-0AF9A61CAE41} /*Connessione rete senza fili 4*/ >>>
@IPAddress192.168.0.2 = 192.168.0.2
@NameServer192.168.0.1 = 192.168.0.1
@DefaultGateway192.168.0.1 = 192.168.0.1
@Domain =
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
NETGEAR WG111v2 Smart Wizard.lnk = NETGEAR WG111v2 Smart Wizard.lnk
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
---- EOF - GMER 1.0.12 ----
With regedit I can find the offending key, but it won't let me delete or modify it.
What can I do????
:banned: