[win XP] pagine che si aprono da sole...

[turbo974]

Codice:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ylqoeeyq

*******************

Script file located at: \??\C:\WINDOWS\adoelsxg.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf.dat not found!
Deletion of file C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf.dat failed!

Could not process line:
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf.dat
Status: 0xc0000034



File C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf.exe not found!
Deletion of file C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf.exe failed!

Could not process line:
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf.exe
Status: 0xc0000034



File C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf_nav.dat not found!
Deletion of file C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf_nav.dat failed!

Could not process line:
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf_nav.dat
Status: 0xc0000034



File C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf_navps.dat not found!
Deletion of file C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf_navps.dat failed!

Could not process line:
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf_navps.dat
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.

[Nuz]

Non ci siamo, Avenger non ha avuto successo.

[turbo974]

[Nuz]

Visto che rootkit buster li aveva individuati allora rifai la scansione, poi li selezioni e clicca su delete select items.
I file sono questi:

C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf.dat
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf.exe
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf_nav.dat
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf_navps.dat

[turbo974]

Codice:

+----------------------------------------------------
| Trend Micro RootkitBuster 1.6 Beta. 
| Module version: 1.6.0.1052
+----------------------------------------------------


--== Dump Hidden File on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

[turbo974]

prima ci avevo capito poco...ora nulla

[Nuz]

Forse Avenger era comunque riuscito a fare tabula rasa.
A questo punto allega un altro log di HiJackThis.

[Chill-Out]

per favore riallega anche il log di Sysclean

[turbo974]

Codice:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.03.05, on 17/12/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Apoint2K\Apoint.exe
C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS\system32\oodag.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\HPQ\shared\hpqwmi.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: RadioItalia Toolbar - {0aaeaede-aefd-4672-a764-5c5c037612a2} - C:\Programmi\RadioItalia\tbRad1.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RadioItalia Toolbar - {0aaeaede-aefd-4672-a764-5c5c037612a2} - C:\Programmi\RadioItalia\tbRad1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: RadioItalia Toolbar - {0aaeaede-aefd-4672-a764-5c5c037612a2} - C:\Programmi\RadioItalia\tbRad1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programmi\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programmi\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [PrevxCSI] "C:\Programmi\PrevxCSI\prevxcsi.exe" -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cgkvxqkf] c:\documents and settings\marco\impostazioni locali\dati applicazioni\cgkvxqkf.exe cgkvxqkf
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programmi\DAEMON Tools\daemon.exe"
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Programmi\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23036DBD-56C0-47D9-9C82-D148F9FC6113}: NameServer = 213.205.32.70,213.205.36.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Programmi\Windows Live\installer\WLSetupSvc.exe

--
End of file - 7965 bytes

[turbo974]

Codice:

/--------------------------------------------------------------\
|                  Trend Micro System Cleaner                  |
|              Copyright 2006, Trend Micro, Inc.               |
|                   http://www.antivirus.com                   |
\--------------------------------------------------------------/


2007-12-17, 22:04:28,   Auto-clean mode specified.
2007-12-17, 22:04:28,   Running scanner "C:\Documents and Settings\Marco\Desktop\Nuova cartella\TSC.BIN"...
2007-12-17, 22:04:47,   Scanner "C:\Documents and Settings\Marco\Desktop\Nuova cartella\TSC.BIN" has finished running.
2007-12-17, 22:04:47,   TSC Log:

2007-12-17, 22:04:54,   An error was detected on "C:\System Volume Information\*.*": Accesso negato.
2007-12-17, 22:04:56,   Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/17/2007 22:04:56
VSAPI Engine Version : 8.500-1002
VSCANTM Version : 1.1-1001
Command Line: C:\Documents and Settings\Marco\Desktop\Nuova cartella\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* 

2007-12-17, 22:04:56,   Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/17/2007 22:04:56
VSAPI Engine Version : 8.500-1002
VSCANTM Version : 1.1-1001
Command Line: C:\Documents and Settings\Marco\Desktop\Nuova cartella\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* 

2007-12-17, 22:04:56,   Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 12/17/2007 22:04:56
VSAPI Engine Version : 8.500-1002
VSCANTM Version : 1.1-1001
Command Line: C:\Documents and Settings\Marco\Desktop\Nuova cartella\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* 

2007-12-17, 22:04:56,   Scanner "C:\Documents and Settings\Marco\Desktop\Nuova cartella\VSCANTM.BIN" has finished running.

[murack83pa]

questo cattivello proprio nn se ne vuole andare.....
ma il ripristino configurazione sistema è rimasto disattivato tutto il tempo,giusto?

[Nuz]

Non capisco come mai Trend Micro Rootkit Boster prima li vedeva e ora no. Puoi ricontrollare? Non serve allegare il log, mi devi solo dire se li vede.
Se non li vede prova con gmer o AVIRA Antirootkit o Panda antirootkit. A meno che tu non li abbia già usati.

[turbo974]

li ho usati tutti.ora riprovo Trend Micro Rootkit Boster

[turbo974]

nulla...
ma possibile mai

[Riverside]

Quote:

Originariamente inviato da Nuz

Non capisco come mai Trend Micro Rootkit Boster prima li vedeva e ora no. Puoi ricontrollare? Non serve allegare il log, mi devi solo dire se li vede.

Scusa Nuz, da profano di Avenger non è che lo script sia errato?

Quote:

Files to delete:
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf.dat
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf.exe
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf_nav.dat
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf_navps.dat

O, quello corretto è:

Quote:

Folders to delete:
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf.dat
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf.exe
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf_nav.dat
C:\Documents and Settings\Marco\Impostazioni locali\Dati applicazioni\cgkvxqkf_navps.dat

[Chill-Out]

Apri il notepad, e copia/incolla questo

Quote:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cgkvxqkf"=-

poi salva il file in C:\ col nome di fix.reg
N.B: importantissimo salvarlo in C:\

Inserisci questo script in Avenger

Quote:

Files to delete:
c:\documents and settings\marco\impostazioni locali\dati applicazioni\cgkvxqkf.exe

Programs to launch on reboot:
C:\fix.reg

al termine allega il log di Avenger + nuovo log di HijackThis

[Nuz]

River non credo puoi controllare qua:

http://alexsandra.wordpress.com/2007/04/25/90/

o qua:

http://forum.wininizio.it/index.php?...=post&id=15358

A meno che non ho letto male io.

[BEY0ND]

visto che si tratta di rootkit si potrebbe usare il tool della eset agvpfix?

[Riverside]

Nuz, come ho già detto con Avenger non mi ci metto neppure ma, da quel che vedo dalla Guida che hai linkato:

Quote:

Fatta questa introduzione ora parliamo dei comandi che possiamo usare, come già accennato possiamo cancellare file, cartelle, chiavi di registro e driver, pertanto vediamo questi comandi, tenendo presente che ogni operazione che eseguiremo The Avenger creerà una copia di backup di quanto cancellato nella cartella C:\Avenger.

Files to delete : Ci permette di eliminare i files, anche in casi ostinati dove le varie applicazioni nocive tendono a proteggere i loro files e cartelle
[esempio :]
Files to delete:
C:\Windows\virus.exe
Nota : Verrà eliminato il file virus.exe presente nella cartella C:\Windows

Folders to delete: E’ praticamente identico al precedente, solo che ci permette di cancellare intere cartelle compreso il loro contenuto
[esempio :]
Folders to delete:
C:\Documents and Settings\Alex\Dati applicazioni\virus
Nota : Verrà cancellata la cartella virus

Ed i file del nosto amico, sono localizzati proprio in C:\Documents and Settings\marco\Dati applicazioni\ NOME FILE, non in C:\Windows.

[turbo974]

Codice:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gdjnxfdi

*******************

Script file located at: \??\C:\stsumxus.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File c:\documents and settings\marco\impostazioni locali\dati applicazioni\cgkvxqkf.exe not found!
Deletion of file c:\documents and settings\marco\impostazioni locali\dati applicazioni\cgkvxqkf.exe failed!

Could not process line:
c:\documents and settings\marco\impostazioni locali\dati applicazioni\cgkvxqkf.exe
Status: 0xc0000034

Program C:\fix.reg successfully set up to run once on reboot.

Completed script processing.

*******************

Finished!  Terminate.