#1 |
Junior Member
Joined: Sep 2006
Posts: 10
Delete key
Hi guys, I don't know how to remove a probable virus or rootkit that has taken over my computer.
The symptoms: the PC starts normally and boots Windows, but then it resets, and it keeps doing that. In safe mode everything works. I have tried several antivirus products, including KIS and Ashampoo, but they find nothing. I ran a scan with GMER and it found a rootkit, but I don't know how to remove it. Attached file:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-11 23:12:48
Windows 5.1.2600 Service Pack 2

---- Registry - GMER 1.0.12 ----

Reg \Registry\USER\S-1-5-21-606747145-706699826-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{03758C57-71AF-F4DA-397D-76002AC448AE}@kanolhjbafnbiocnolnmnm 0x62 0x61 0x64 0x6E ...

---- EOF - GMER 1.0.12 ----

GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2006-12-11 23:14:22
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon@DLLName = C:\WINDOWS\system32\klogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AVP /*Kaspersky Anti-Virus 6.0*/@ = "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r
Diskeeper /*Diskeeper*/@ = "C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe"
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZONELABS\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@kav"C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" = "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
@ /*file not found*/ = /*file not found*/
@Zone Labs ClientC:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe = C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
@RemoteControlC:\Programmi\CyberLink\PowerDVD\PDVDServ.exe = C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
@DiskeeperSystray"C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe" = "C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe"
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@PrevxRootkitRemovalTool"C:\Documents and Settings\pippo\Desktop\52442A8.exe" -scan = "C:\Documents and Settings\pippo\Desktop\52442A8.exe" -scan

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@Windows Registry Repair ProC:\Programmi\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 /*file not found*/ = C:\Programmi\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{85E0B171-04FA-11D1-B7DA-00A0C90348D6} /*Web Anti-Virus*/C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll = C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{B33DE746-DEFE-4D7A-87DB-900864B1D3A9} = C:\Programmi\Ashampoo\Ashampoo AntiSpyWare\ContextHandler.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageE:\MY-Programm\ss2-428\428TS-en\Install\Components\Web\blank.htm = E:\MY-Programm\ss2-428\428TS-en\Install\Components\Web\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{52F9F401-84D4-4858-BBA4-0AF9A61CAE41} /*Connessione rete senza fili 4*/ >>>
@IPAddress192.168.0.2 = 192.168.0.2
@NameServer192.168.0.1 = 192.168.0.1
@DefaultGateway192.168.0.1 = 192.168.0.1
@Domain =

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
NETGEAR WG111v2 Smart Wizard.lnk = NETGEAR WG111v2 Smart Wizard.lnk
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk

---- EOF - GMER 1.0.12 ----

With regedit I can find the offending key, but it won't let me delete or modify it. What should I do????
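An added example, not from the post and not GMER's own code: a small parser for the "Registry" section of the GMER log above. GMER prints the value data as a hex byte dump, so the entry's data is only readable once the bytes are decoded (here 0x62 0x61 0x64 0x6E is the ASCII string "badn", and the "..." is GMER's own truncation, so only those four bytes are known). The sample text is copied from the log above; the two triage checks at the end (a value under Shell Extensions\Approved whose name is not a CLSID, and a long lowercase value name) are my own heuristics for where to look, not GMER output and not proof of infection.

```python
"""Decode the 'Registry' hits of a GMER 1.0.12 rootkit-scan log.

Added example; not the forum poster's code and not GMER's parser.
"""
import re
from dataclasses import dataclass

# Copied from the GMER log in the post above (Registry section only).
SAMPLE_LOG = r"""GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-11 23:12:48
Windows 5.1.2600 Service Pack 2

---- Registry - GMER 1.0.12 ----

Reg \Registry\USER\S-1-5-21-606747145-706699826-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{03758C57-71AF-F4DA-397D-76002AC448AE}@kanolhjbafnbiocnolnmnm 0x62 0x61 0x64 0x6E ...

---- EOF - GMER 1.0.12 ----
"""

# "Reg" <native key path> "@" <value name> <hex bytes> [ "..." ]
REG_HIT = re.compile(
    r"^Reg\s+(?P<key>\\Registry\\.+?)@(?P<value>\S+)\s+"
    r"(?P<data>(?:0x[0-9A-Fa-f]{2}\s*)+)(?P<trunc>\.\.\.)?\s*$"
)
CLSID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
APPROVED = "shell extensions\\approved"


@dataclass
class RegHit:
    key: str          # native registry path exactly as GMER printed it
    value: str        # value name after the '@'
    data: bytes       # decoded bytes of the dump (only a prefix if truncated)
    truncated: bool   # True when GMER ended the dump with "..."

    @property
    def text(self) -> str:
        """Printable view of the data; non-printable bytes become '.'."""
        return "".join(chr(b) if 32 <= b < 127 else "." for b in self.data)


def parse_gmer_registry(log: str) -> list[RegHit]:
    """Return every 'Reg ...' hit in the log with its hex dump decoded."""
    hits = []
    for line in log.splitlines():
        m = REG_HIT.match(line.strip())
        if not m:
            continue
        raw = bytes.fromhex("".join(tok[2:] for tok in m["data"].split()))
        hits.append(RegHit(m["key"], m["value"], raw, m["trunc"] is not None))
    return hits


def is_clsid(name: str) -> bool:
    return CLSID.match(name) is not None


def triage(hit: RegHit) -> list[str]:
    """Heuristic checks (assumptions of this example, not GMER logic)."""
    findings = []
    lowered = hit.key.lower()
    if APPROVED in lowered:
        # Windows fills Shell Extensions\Approved with *values* named by
        # CLSID; a non-CLSID value name, or a CLSID used as a *subkey*, is
        # the part worth inspecting.
        if not is_clsid(hit.value):
            findings.append("value name under Shell Extensions\\Approved is not a CLSID")
        if lowered.split(APPROVED, 1)[1].startswith("\\"):
            findings.append("CLSID appears as a subkey of Approved rather than a value")
    if re.fullmatch(r"[a-z]{16,}", hit.value):
        findings.append("value name is a long run of lowercase letters (looks generated)")
    if hit.truncated:
        findings.append(f"data truncated by GMER; known prefix is {hit.text!r}")
    return findings


if __name__ == "__main__":
    for hit in parse_gmer_registry(SAMPLE_LOG):
        print(hit.key)
        print("  value:", hit.value)
        print("  data :", hit.text, "(truncated)" if hit.truncated else "")
        for f in triage(hit):
            print("  -", f)
```

Run it on a full GMER log and it prints one block per Registry hit; the decoded prefix is what you compare against the key's data when you open it in regedit, and the findings are only pointers for manual review.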
#2
Senior Member
Joined: Oct 2004
City: Milano
Posts: 2641
I'm not very experienced at reading GMER logs, but the one you posted looks clean to me.
Try a scan with this tool http://www.sophos.it/products/free-t...i-rootkit.html and also post a HijackThis log http://www.hwupgrade.it/forum/showthread.php?t=937676 . If you're sure about the infected key, you can try (if you haven't already) deleting it in safe mode.
__________________
FOXYLADY is a MALE!! A friend is someone who knows everything about you and likes you anyway.
Last edited by FOXYLADY: 12-12-2006 at 20:29.