diabolerik

Removing Run.exe Virus Downloaded From eMule

46 posts in this discussion

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Error: file "C:\Users\VALE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ADSPIU06\b64_3[1].jpg" not found!

Deletion of file "C:\Users\VALE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ADSPIU06\b64_3[1].jpg" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\Users\VALE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ADSPIU06\b64_3[2].jpg" not found!

Deletion of file "C:\Users\VALE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ADSPIU06\b64_3[2].jpg" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\Users\VALE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CRHHSOD1\b64_1[1].jpg" not found!

Deletion of file "C:\Users\VALE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CRHHSOD1\b64_1[1].jpg" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

File "C:\Users\VALE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CRHHSOD1\b64_3[1].jpg" deleted successfully.

Error: file "C:\Users\VALE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VE54TKDJ\b64_3[1].jpg" not found!

Deletion of file "C:\Users\VALE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VE54TKDJ\b64_3[1].jpg" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.


Tue Apr 08 18:00:02 2008

EliBagle v11.23 ©2008 S.G.H. / Satinfo S.L.

----------------------------------------------

Lista de Acciones (por Acción Directa):

C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle (rootkit) Acceso Denegado.

C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.

Reinicie para Completar la Limpieza.

Tue Apr 08 18:00:51 2008

EliBagle v11.23 ©2008 S.G.H. / Satinfo S.L.

----------------------------------------------

Lista de Acciones (por Exploración):

Explorando Unidad C:\

C:\Windows\System32\RTHDVCPL.EXE --> Eliminado Bagle.dldr

Nº Total de Directorios: 12437

Nº Total de Ficheros: 88154

Nº de Ficheros Analizados: 12750

Nº de Ficheros Infectados: 1

Nº de Ficheros Limpiados: 1


Try again with Avenger, entering this script in the white box

Files to delete:

C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS

C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE

Untick the Scan for Rootkits option

Click Execute

The PC should reboot (if it does not, reboot it yourself)

Post the log that will be created in C:\Avenger

See how it goes :)


Logfile of The Avenger Version 2.0, by Swandog46

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Error: file "C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS" not found

Deletion of file "C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS" failed

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE" not found

Deletion of file "C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE" failed

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished Terminate.


The computer runs fine; the problem is still that I can't use any antivirus.


Download ComboFix from one of the following links:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.techsupportforum.com/sect...s/ComboFix.exe

Save it to the desktop.

1. Double-click combofix.exe; the following screen will appear:

http://img231.imageshack.us/img231/4...bofix01fn6.jpg

2. Type 1, press Enter and follow the instructions.

3. When it finishes, a log file named C:\ComboFix.txt will be created.

Run an online scan with Kaspersky (on "My Computer") and attach the report in HTML format

http://forum.wininizio.it/index.php?showtopic=36981&hl=


ComboFix doesn't work... no antivirus starts... should I do the Kaspersky scan anyway?


Sure, do it

What kind of error does ComboFix give you?


ComboFix 08-04-18.3 - VALE 2008-04-20 1.18.42.1 - NTFSx86

Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1040.18.953 [GMT 2:00]

Eseguito da: C:\Users\VALE\Desktop\ComboFix.exe

* Creato nuovo punto di ripristino

.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Program Files\internetgamebox

C:\Program Files\internetgamebox\InternetGameBox.exe

C:\Program Files\internetgamebox\language

C:\Program Files\internetgamebox\Privacy Policy.url

C:\Program Files\internetgamebox\ressources\AttenteOff.html

C:\Program Files\internetgamebox\ressources\AttenteOn.html

C:\Program Files\internetgamebox\ressources\configv2_en.xml

C:\Program Files\internetgamebox\ressources\configv2_es.xml

C:\Program Files\internetgamebox\ressources\configv2_fr.xml

C:\Program Files\internetgamebox\ressources\favoris\defaultv2.swf

C:\Program Files\internetgamebox\skins\skinv2.skn

C:\Program Files\internetgamebox\Terms and conditions.url

C:\Program Files\internetgamebox\uninst.exe

C:\Program Files\internetgamebox\Website.url

C:\Windows\system32\ACER.exe

C:\Windows\system32\drivers\downld

C:\Windows\system32\drivers\downld\112585.exe

C:\Windows\system32\drivers\downld\121165.exe

C:\Windows\system32\drivers\downld\123240.exe

C:\Windows\system32\drivers\downld\145455.exe

C:\Windows\system32\drivers\downld\15314602.exe

C:\Windows\system32\drivers\downld\15359515.exe

C:\Windows\system32\drivers\downld\15503426.exe

C:\Windows\system32\drivers\downld\15522239.exe

C:\Windows\system32\drivers\downld\1581506.exe

C:\Windows\system32\drivers\downld\1611615.exe

C:\Windows\system32\drivers\downld\167420.exe

C:\Windows\system32\drivers\downld\169838.exe

C:\Windows\system32\drivers\downld\1761750.exe

C:\Windows\system32\drivers\downld\1782077.exe

C:\Windows\system32\drivers\downld\182255.exe

C:\Windows\system32\drivers\downld\184829.exe

C:\Windows\system32\drivers\downld\1918125.exe

C:\Windows\system32\drivers\downld\196498.exe

C:\Windows\system32\drivers\downld\198714.exe

C:\Windows\system32\drivers\downld\252768.exe

C:\Windows\system32\drivers\downld\269850.exe

C:\Windows\system32\drivers\downld\294888.exe

C:\Windows\system32\drivers\downld\308585.exe

C:\Windows\system32\drivers\downld\310972.exe

C:\Windows\system32\drivers\downld\324934.exe

C:\Windows\system32\drivers\downld\441982.exe

C:\Windows\system32\drivers\downld\489874.exe

C:\Windows\system32\drivers\downld\510435.exe

C:\Windows\system32\drivers\downld\529404.exe

C:\Windows\system32\drivers\downld\645797.exe

C:\Windows\system32\drivers\downld\678604.exe

C:\Windows\system32\drivers\downld\79279.exe

C:\Windows\system32\drivers\downld\864323.exe

C:\Windows\system32\drivers\downld\882965.exe

C:\Windows\system32\drivers\downld\901202.exe

C:\Windows\system32\drivers\mdelk.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SROSA

((((((((((((((((((((((((( Files Creati Da 2008-03-19 al 2008-04-19 )))))))))))))))))))))))))))))))))))

.

2008-04-16 12:50 . 2008-04-16 12:50 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8

2008-04-13 01:25 . 2008-04-13 01:25 8 --a------ C:\Users\VALE\AppData\Roaming\NMM-MetaData.db

2008-04-10 13:07 . 2008-02-15 01:19 944,184 --a------ C:\Windows\System32\winload.exe

2008-04-10 13:07 . 2008-02-19 07:10 620,088 --a------ C:\Windows\System32\ci.dll

2008-04-10 13:07 . 2008-02-29 08:39 371,712 --a------ C:\Windows\System32\srcore.dll

2008-04-10 13:07 . 2008-02-29 08:38 313,856 --a------ C:\Windows\System32\rstrui.exe

2008-04-10 13:07 . 2008-02-29 08:39 40,960 --a------ C:\Windows\System32\srclient.dll

2008-04-10 13:07 . 2008-02-29 08:51 19,000 --a------ C:\Windows\System32\kd1394.dll

2008-04-10 13:07 . 2008-02-29 08:38 16,384 --a------ C:\Windows\System32\srdelayed.exe

2008-04-10 13:07 . 2008-02-29 08:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll

2008-04-10 13:07 . 2008-02-29 08:35 6,656 --a------ C:\Windows\System32\kbd106n.dll

2008-04-08 13:18 . 2008-04-08 13:18 <DIR> d-------- C:\Users\VALE\AppData\Roaming\PC Tools

2008-04-08 13:18 . 2008-04-08 13:18 <DIR> d-------- C:\Program Files\Spyware Doctor

2008-04-08 13:18 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys

2008-04-08 13:18 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys

2008-04-08 13:18 . 2008-02-01 12:55 42,376 --a------ C:\Windows\System32\drivers\ikfilesec.sys

2008-04-08 13:18 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys

2008-04-08 13:12 . 2008-04-08 14:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-04-07 17:56 . 2008-04-07 17:56 <DIR> d-------- C:\Users\All Users\Kaspersky Lab

2008-04-07 17:56 . 2008-04-07 17:56 <DIR> d-------- C:\PROGRA~2\Kaspersky Lab

2008-04-06 17:01 . 2008-04-06 17:32 <DIR> d-------- C:\Program Files\EsetOnlineScanner

2008-04-05 21:02 . 2008-04-07 17:56 <DIR> d-------- C:\Windows\System32\Kaspersky Lab

2008-04-05 20:52 . 2008-04-05 20:52 54,156 --ah----- C:\Windows\QTFont.qfn

2008-04-05 20:52 . 2008-04-05 20:52 1,409 --a------ C:\Windows\QTFont.for

2008-04-05 20:39 . 2008-04-05 20:39 <DIR> d--h----- C:\Windows\PIF

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-18 17:33 --------- d-----w C:\PROGRA~2\Microsoft Help

2008-04-18 17:26 12,978 ----a-w C:\Users\VALE\AppData\Roaming\nvModes.dat

2008-04-16 10:55 --------- d-----w C:\Program Files\MSBuild

2008-04-12 23:24 --------- d-----w C:\Users\VALE\AppData\Roaming\Nokia Multimedia Player

2008-04-08 11:00 322,820,683 ----a-w C:\Windows\DUMP5a20.tmp

2008-04-07 14:45 --------- d-----w C:\Program Files\Messenger Plus! Live

2008-04-06 13:52 --------- d-----w C:\Users\VALE\AppData\Roaming\Application Data

2008-03-29 17:32 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys

2008-03-17 14:03 --------- d-----w C:\Users\VALE\AppData\Roaming\Nokia

2008-03-17 14:01 --------- d-----w C:\Users\VALE\AppData\Roaming\DataLayer

2008-03-17 13:28 --------- d-----w C:\Users\VALE\AppData\Roaming\PC Suite

2008-03-17 13:28 --------- d-----w C:\Program Files\Common Files\PCSuite

2008-03-17 13:28 --------- d-----w C:\Program Files\Common Files\Nokia

2008-03-17 13:28 --------- d-----w C:\PROGRA~2\PC Suite

2008-03-17 13:27 --------- d-----w C:\Program Files\Nokia

2008-03-17 13:22 --------- d-----w C:\PROGRA~2\Downloaded Installations

2008-03-08 02:14 148,992 ----a-w C:\Windows\system32\drivers\ks.sys

2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys

2008-02-28 10:51 --------- d-----w C:\Program Files\Windows Live

2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll

2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll

2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll

2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll

2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe

2008-02-19 13:35 --------- d-----w C:\Program Files\Navilog1

2008-02-19 13:09 --------- d-----w C:\Program Files\Windows Live Toolbar

2008-02-19 13:06 --------- d-----w C:\Program Files\Yahoo!

2008-02-19 13:05 --------- d-----w C:\Program Files\VideoLAN

2008-02-17 14:53 737,280 ----a-w C:\Windows\iun6002.exe

2008-02-14 10:54 194,560 ----a-w C:\Windows\System32\WebClnt.dll

2008-02-14 10:50 24,064 ----a-w C:\Windows\System32\netcfg.exe

2008-02-14 10:50 22,016 ----a-w C:\Windows\System32\netiougc.exe

2008-02-14 10:50 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll

2008-02-11 07:39 253,952 ----a-w C:\Windows\System32\OnlineScannerDLLA.dll

2008-02-11 07:39 237,568 ----a-w C:\Windows\System32\OnlineScannerDLLW.dll

2008-02-08 11:53 110,592 ----a-w C:\Windows\System32\OnlineScannerLang.dll

2008-02-05 06:48 77,824 ----a-w C:\Windows\System32\OnlineScannerUninstaller.exe

2008-02-01 10:17 586,752 ----a-w C:\Windows\WLXPGSS.SCR

2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini

.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 11:12 1232896]

"Acer Tour Reminder"="" []

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]

"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]

"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-19 16:59 1449984]

"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 14:34 1004136]

"RtHDVCpl"="RtHDVCpl.exe" [2007-05-10 11:10 4468736 C:\Windows\RtHDVCpl.exe]

"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-05-04 06:36 86016]

"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-05-04 06:35 8429568]

"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-05-04 06:36 81920]

"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-04-15 02:06 700416]

"eAudio"="C:\Acer\Empowering Technology\eAudio\eAudio.exe" [2007-04-26 17:54 1286144]

"Acer Tour"="" []

"PLFSet"="C:\Windows\PLFSet.dll" [2007-03-09 18:51 45056]

"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2007-05-04 06:23 502544]

"PlayMovie"="C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-03 11:16 206952]

"eRecoveryService"="" []

"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [2007-02-15 18:39 151552]

"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 22:48 57344]

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 15:37 174872]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 13:36 229376]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 07:09 865840]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

C:\PROGRA~2\MICROS~1\Windows\STARTM~1\Programs\Startup\

Acer VCM.lnk - C:\Program Files\Acer\Acer VCM\AcerVCM.exe [2007-06-27 06:50:39 1208320]

BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-03-29 13:11:50 719664]

Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [2007-05-11 00:42:07 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1811079826-2008730858-2584875191-1000]

"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{051651D7-A398-43B4-8CC9-93FCA7C8307B}"= C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe

"{A14F2DFF-7923-49EA-8D1F-F6073B23A69A}"= C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine

"{1AE7DF7E-5C4D-4359-9DE0-F971BBD5E84C}"= C:\Program Files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician

"{EE4065A3-F24C-4E21-A831-B3B51C82B46E}"= C:\Program Files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia

"{0D8F5A01-4A5E-4924-9AD4-D2736E744BE7}"= C:\Program Files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard

"{2A796E31-AF8E-426D-BEB7-5D10AE2C873D}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{6915E289-588B-48D1-A9B2-D64795CA1D8A}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{E50FFAA4-EB7F-46BC-8492-6929AD1F7F03}"= C:\Program Files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie

"{0158C282-774C-42CB-95D0-F6ADBDAEAB77}"= C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program

"{6E5EBB6D-C1BC-49B9-BCF0-43C8C1D96FE8}"= C:\Program Files\Acer\Acer VCM\VC.exe:Acer VCM

"{954579C6-4DA0-498B-AC92-956EB8039F07}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"TCP Query User{4E70A245-F3DC-449E-B34F-65EA4FDFFC4A}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule

"UDP Query User{D5DC4A68-8B0E-4764-8C8C-0D85A48579A4}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule

"TCP Query User{EEFEE4F6-F99C-4F3A-9285-DF6B201BBE4B}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule

"UDP Query User{61C29205-8CEC-4F5F-B119-DCF5322F5241}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule

"{8C6EAF69-52B4-443B-88D0-8B68279ECCDE}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]

"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 PSDFilter;PSDFilter;C:\Windows\system32\DRIVERS\psdfilter.sys [2007-04-12 17:43]

R0 PSDNServ;PSDNSERVER;C:\Windows\system32\drivers\PSDNServ.sys [2007-04-12 17:43]

R0 psdvdisk;psdvdisk;C:\Windows\system32\drivers\psdvdisk.sys [2007-04-12 17:43]

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 19:31]

R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-02 16:51]

R2 ALaunchService;ALaunch Service;C:\Acer\ALaunch\ALaunchSvc.exe [2007-01-26 14:24]

R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]

R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 19:32]

R2 eDataSecurity Service;eDSService.exe;"C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe" [2007-04-12 17:43]

R2 eSettingsService;eSettings Service;C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-05-10 14:05]

R2 MobilityService;MobilityService;C:\Acer\Mobility Center\MobilityService.exe [2006-11-24 12:57]

R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-03-15 02:49]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 09:03]

R3 winbondcir;Winbond IR Transceiver;C:\Windows\system32\DRIVERS\winbondcir.sys [2007-04-19 09:09]

S3 btwaudio;Periferica audio Bluetooth;C:\Windows\system32\drivers\btwaudio.sys [2007-03-29 21:46]

S3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2007-02-27 08:20]

S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-02-27 08:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c957786-b72c-11dc-a7ac-c890a6798db1}]

\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe

\shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7106ebec-033e-11dd-9082-0013e831140d}]

\shell\AutoRun\command - E:\nideiect.com

\shell\explore\Command - E:\nideiect.com

\shell\open\Command - E:\nideiect.com

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-20 01:25:11

Windows 6.0.6000 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo

Files nascosti: 142

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Windows\System32\audiodg.exe

C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\Windows\System32\drivers\XAudio.exe

C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

C:\Windows\System32\wbem\unsecapp.exe

C:\Windows\System32\conime.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Launch Manager\QtZgAcer.EXE

C:\Program Files\Alwil Software\Avast4\ashDisp.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe

C:\Windows\ehome\ehmsas.exe

C:\Users\VALE\AppData\Local\Temp\RtkBtMnt.exe

C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Acer\Acer VCM\VC.exe

C:\Program Files\Acer\Acer VCM\acp2HID.exe

.

**************************************************************************

.

Ora fine scansione: 2008-04-20 1:27:42 - machine was rebooted

ComboFix-quarantined-files.txt 2008-04-19 23:27:32

13 Directory 46,793,609,216 byte disponibili

19 Directory 46,478,241,792 byte disponibili

271 --- E O F --- 2008-04-18 17:33:40

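The mountpoints2 entries in the ComboFix log above are the part of that report a responder would look at first: per-drive shell handlers pointing at Recycled\ctfmon.exe and E:\nideiect.com. As an added example (not code from the thread, nor ComboFix's own logic), here is a small Python parser that pulls every per-drive shell handler out of a ComboFix-style log and reports why each one looks suspicious. The sample log is a constructed excerpt of the section quoted above; the heuristics are my assumptions, not ComboFix's rules.

```python
"""Flag suspicious per-drive autorun handlers in a ComboFix-style log.

Added example; the sample below is a constructed excerpt of the
"Punti Reg Caricati" section quoted in the thread.
"""
import re

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c957786-b72c-11dc-a7ac-c890a6798db1}]

\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe

\shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7106ebec-033e-11dd-9082-0013e831140d}]

\shell\AutoRun\command - E:\nideiect.com

\shell\explore\Command - E:\nideiect.com

\shell\open\Command - E:\nideiect.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 11:12 1232896]
"""

# A registry key header line: [HKEY_...\...]
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# A shell verb line as ComboFix prints it: \shell\<verb>\command - <command>
VERB_RE = re.compile(r"^\\shell\\(?P<verb>[^\\]+)\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)


def parse_mountpoints(log_text):
    """Return (key, verb, command) tuples for every shell verb under mountpoints2."""
    entries = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            # Only track sections of the per-drive cache; other keys reset the state.
            current = key if "\\mountpoints2\\" in key.lower() else None
            continue
        if current is None:
            continue
        v = VERB_RE.match(line)
        if v:
            entries.append((current, v.group("verb"), v.group("cmd").strip()))
    return entries


def reasons_for(verb, command):
    """Heuristic reasons (assumed, not ComboFix's) why a handler deserves a look."""
    reasons = []
    lowered = command.lower()
    if verb.lower() == "autorun":
        reasons.append("AutoRun verb persisted from the drive's autorun.inf")
    if "recycled\\" in lowered:
        reasons.append("target lives in a Recycled folder")
    if re.search(r"\b[d-z]:\\", lowered):
        reasons.append("target on a removable/non-system drive")
    if "shellexec_rundll" in lowered:
        reasons.append("launched indirectly via RunDLL32 ShellExec_RunDLL")
    if (re.search(r"\.(com|exe|bat|cmd|scr|pif)$", lowered)
            and not lowered.startswith("c:\\windows\\")
            and not lowered.startswith("c:\\program files\\")):
        reasons.append("executable outside Windows/Program Files")
    return reasons


def find_suspicious(log_text):
    """Return a list of dicts for every mountpoints2 handler that has at least one reason."""
    hits = []
    for key, verb, cmd in parse_mountpoints(log_text):
        reasons = reasons_for(verb, cmd)
        if reasons:
            hits.append({"key": key, "verb": verb, "command": cmd, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['verb']:10} {hit['command']}")
        for r in hit["reasons"]:
            print(f"    - {r}")
```

Run it against a real C:\ComboFix.txt by reading the file into find_suspicious; the Run-key section in the sample is there to show that the parser ignores keys outside mountpoints2.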

Hi diabolerik

Finally the logs :)

Repeat the operation with Avenger, entering this script

Files to delete:

C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe

Click Execute

The PC should reboot (if it does not, reboot it yourself)

Post the log that will be created in C:\Avenger

Download ATF Cleaner

http://www.atribune.org/ccount/click.php?id=1

Start ATF Cleaner.exe with a double-click

- click the Main menu

- tick the Select All box

- click the Empty Selected button

- wait for the Done Cleaning notice.

(if you don't want to delete your passwords, untick that option)

(if you use Opera or Firefox, tick their sections too)

Try reinstalling your antivirus


//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6000)

Mon Apr 21 09:53:30 2008

09:53:30: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6000)

Mon Apr 21 09:54:00 2008

09:54:00: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6000)

Mon Apr 21 09:54:31 2008

09:54:31: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6000)

Mon Apr 21 09:54:39 2008

09:54:39: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////

Avenger Pre-Processor log

//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6000)

Mon Apr 21 09:54:44 2008

09:54:44: Error: Invalid script. A valid script must begin with a command directive.

Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File "C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


I did everything you said. I reinstalled Avast and the scan started in MS-DOS mode. It found 2 viruses and at the end of the scan the PC shut down. I turned it back on and started it with the Windows error repair function. Avast won't open; it reports different script errors, not like before. HijackThis, on the other hand, still won't open and reports the same error as before, and so does Windows Defender as soon as the desktop window opens.


Hi

Open the Task Manager, look in the window listing the running processes and check which one is causing the highest CPU usage.


Hi, sorry for opening another thread and being a pain, but I really don't know what to do; I think I'll have it formatted...

Anyway, no anomalous process shows up in the Task Manager. The one using the most resources is taskmgr.exe, which I suppose is the Task Manager itself (it hovers around 12-13%, while the counter on the desktop shows the CPU running at 80-100).


The counter you mention is this one, contatorekq5.jpg, right??

Are you sure it isn't the RAM (the smaller counter)?

(the CPU counter must match the overall one you can see by opening the Task Manager)


Download GMER to the desktop: http://www.gmer.net/gmer.zip

Unzip the gmer.zip file, again on the desktop.

Run gmer.exe

Click the "Rootkit" tab

Click "Scan"

When the scan finishes, click "Copy"

Open Notepad, save the file and attach it here

Run gmer.exe

Click the "Autostart" tab

Click "Scan"

When the scan finishes, click "Copy"

Open Notepad, save the file and attach it here

Note: To completely uninstall GMER from your PC,

you must use the gmer_uninstall.cmd file, which you will find in the folder where Windows is installed.

Disable your antivirus.

Download ComboFix

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://subs.geekstogo.com/ComboFix.exe

Save it to the desktop.

(if the file saved from the first link does not work, download it from the second link)

1. Double-click combofix.exe; the following screen will appear:

http://img293.imageshack.us/img293/8500/combofix01fn6zj1.jpg

2. Type 1, press Enter and follow the instructions.

3. When it finishes, a log file named C:\ComboFix.txt will be created.

4. Post the log that was created

Note: During the scan it is important not to use the PC and to wait patiently for the operations to finish.

Note: ComboFix does not work in Safe Mode.

:P:)


Hi, sorry for the delay... no antivirus starts, neither Avast nor ComboFix nor HijackThis nor GMER... nothing... the error window appears every time... strangely, the CPU is running at low levels...


Correction: the CPU is running at 80-100% again; no relevant entry shows up in the Task Manager...


I would format...

Open Notepad and write:

format C: /autotest /q /u

then save it as a .bat

THIS COMMAND IS FOR FORMATTING, SO IF YOU DON'T WANT TO DO IT, DON'T DO IT (I READ IT ON THE INTERNET)
