
Help with a script to feed to Avenger

Posted: Mon Feb 04, 2008 9:32 am
by redmilion
Good morning, I scanned the laptop with Kaspersky and this is the report. Can you help me with the script to feed to Avenger?! Thanks


KASPERSKY ONLINE SCANNER REPORT
Monday, February 04, 2008 9:30:22 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/02/2008
Kaspersky Anti-Virus database records: 545848
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 101359
Number of viruses found 7
Number of infected objects 24
Number of suspicious objects 0
Duration of the scan process 05:05:52

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Emiliano\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\m\data.oct Infected: Trojan-Downloader.Win32.Bagle.jd skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\call256.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\chat512.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\index2.dat Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\profile4096.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\user1024.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\user16384.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\user256.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\user4096.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\Skype\next01-mobile\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Emiliano\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Emiliano\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Emiliano\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\4HQR8H6F\b64_1[1].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\CLMN096F\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\G9A3G96V\b64[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\G9A3G96V\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\RLYFGDIF\b64_1[1].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\Documents and Settings\Emiliano\ntuser.dat Object is locked skipped
C:\Documents and Settings\Emiliano\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Download\GESTIONALI\installcontabilitapmi614.exe Infected: not-a-virus:AdWare.Win32.DealHelper.aj skipped
C:\LAVORI\WEB\NEXT01.IT\wwwroot\public\OCC\useredit.asp Infected: Backdoor.ASP.Small.c skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{168565D9-C705-4320-9CE3-1770EBCB5036}\RP55\A0007719.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{168565D9-C705-4320-9CE3-1770EBCB5036}\RP55\A0007720.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{168565D9-C705-4320-9CE3-1770EBCB5036}\RP55\A0007721.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{168565D9-C705-4320-9CE3-1770EBCB5036}\RP55\A0007722.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{168565D9-C705-4320-9CE3-1770EBCB5036}\RP55\A0007723.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{168565D9-C705-4320-9CE3-1770EBCB5036}\RP56\A0007995.sys Infected: Trojan-Downloader.Win32.Bagle.ii skipped
C:\System Volume Information\_restore{168565D9-C705-4320-9CE3-1770EBCB5036}\RP56\A0007996.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{168565D9-C705-4320-9CE3-1770EBCB5036}\RP56\A0007997.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{168565D9-C705-4320-9CE3-1770EBCB5036}\RP56\A0008004.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{168565D9-C705-4320-9CE3-1770EBCB5036}\RP56\change.log Object is locked skipped
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\system32\drivers\down\14719828.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\WINDOWS\system32\drivers\down\17053343.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\WINDOWS\system32\drivers\down\17063593.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\down\2527234.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\down\2535390.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\WINDOWS\system32\drivers\down\2541265.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
Scan process completed.

Posted: Mon Feb 04, 2008 9:42 am
by ste_95
Disable System Restore.

Download Avenger
Extract it into a folder of your choice
Run the avenger.exe file, the one with the sword icon
Put the dot on "Input script manually"
Then choose the magnifying glass and click it
Now paste these lines into the white box that has opened:

Files to delete:
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\windows\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\mdelk.exe
C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\4HQR8H6F\b64_1[1].jpg
C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\CLMN096F\b64_2[1].jpg
C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\G9A3G96V\b64[1].jpg
C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\G9A3G96V\b64_3[1].jpg
C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\RLYFGDIF\b64_1[1].jpg
C:\LAVORI\WEB\NEXT01.IT\wwwroot\public\OCC\useredit.asp

Folders to delete:
C:\WINDOWS\system32\drivers\down
C:\Documents and Settings\Emiliano\Dati applicazioni\m

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA


Now click Done at the bottom of the box
Select the little traffic light at the top right
Answer Yes to Avenger's two prompts
Your computer should now restart; if it does not, restart it manually yourself
When the computer comes back up, copy and paste here the contents of the Notepad window that will appear.

Re-download the installers for your security programs and try to reinstall an antivirus.
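The reply above builds its Avenger script by hand from the Kaspersky report: the infected files become "Files to delete:", folders that hold nothing but dropped executables become "Folders to delete:", and restore-point copies under System Volume Information are left to the "disable System Restore" step. The following Python script, added here as an illustration and not part of the thread or of the Avenger tool, mechanises that triage over a constructed excerpt of the report (the sample lines, the `min_files_for_folder` threshold and the folder rule are assumptions of this example). It cannot derive registry keys, which in the thread come from knowledge of the malware family rather than from the scan output.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the format of the Kaspersky Online Scanner report quoted
# in the thread: "<path> <verdict> <last action>", one object per line.
SAMPLE_REPORT = r"""Infected Object Name Virus Name Last Action
C:\Documents and Settings\Emiliano\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Emiliano\Dati applicazioni\m\data.oct Infected: Trojan-Downloader.Win32.Bagle.jd skipped
C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\4HQR8H6F\b64_1[1].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\System Volume Information\_restore{168565D9-C705-4320-9CE3-1770EBCB5036}\RP55\A0007719.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\WINDOWS\system32\drivers\down\14719828.exe Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\WINDOWS\system32\drivers\down\2527234.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
Scan process completed.
"""

# One report line: a drive-letter path (may contain spaces), then the verdict,
# then the last action taken by the scanner.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<verdict>Infected: \S+|Object is locked) "
    r"(?P<action>\S+)$"
)


def parse_report(text):
    """Return (path, verdict, action) tuples; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["path"], m["verdict"], m["action"]))
    return entries


def is_restore_point(path):
    """Copies kept by System Restore are dealt with by disabling System Restore
    (the first step in the thread), not by deleting them one by one."""
    return path.lower().startswith("c:\\system volume information\\")


def build_avenger_script(entries, min_files_for_folder=2):
    """Derive the 'Files to delete:' / 'Folders to delete:' sections.

    A folder is proposed for deletion only when the report lists no locked
    object in it and at least `min_files_for_folder` infected files (assumed
    threshold). The scanner lists only flagged objects, so a clean file in such
    a folder would be lost too: the folder list still needs human review."""
    by_folder = defaultdict(lambda: {"infected": [], "locked": 0})
    for path, verdict, _action in entries:
        if is_restore_point(path):
            continue
        folder = ntpath.dirname(path)
        if verdict.startswith("Infected:"):
            by_folder[folder]["infected"].append(path)
        else:
            by_folder[folder]["locked"] += 1

    folders = sorted(
        f for f, info in by_folder.items()
        if info["locked"] == 0 and len(info["infected"]) >= min_files_for_folder
    )
    # Files inside a folder that is deleted whole need not be listed again.
    files = sorted(
        p for f, info in by_folder.items() if f not in folders
        for p in info["infected"]
    )

    lines = ["Files to delete:"] + files
    if folders:
        lines += ["", "Folders to delete:"] + folders
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_avenger_script(parse_report(SAMPLE_REPORT)))
```

On the sample above the script lists `data.oct`, the cached `b64_1[1].jpg` and `mdelk.exe` as files and proposes `C:\WINDOWS\system32\drivers\down` as a folder, while the restore-point copy is left out; the output is a starting point to be checked against the full report, not a script to run blindly.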

Posted: Mon Feb 04, 2008 9:52 am
by redmilion
I did it, but on reboot I get this Avenger log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xyytyjvh

*******************

Script file located at: tjjcuoiq

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!


what should I do now?

Posted: Mon Feb 04, 2008 10:06 am
by ste_95
Are you sure you are also including the headings

Files to delete:
Folders to delete:
Registry keys to delete:

?

Posted: Mon Feb 04, 2008 10:16 am
by redmilion
Yes, sorry.... I had forgotten to disable System Restore! Now everything went fine. Does System Restore need to be re-enabled at the end?

Posted: Mon Feb 04, 2008 10:21 am
by redmilion
here is the log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cwoqxbva

*******************

Script file located at: \??\C:\WINDOWS\rquwukpn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\drivers\srosa.sys deleted successfully.
File C:\WINDOWS\system32\wintems.exe deleted successfully.
File C:\windows\system32\drivers\hldrrr.exe deleted successfully.
File C:\WINDOWS\system32\mdelk.exe deleted successfully.
File C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\4HQR8H6F\b64_1[1].jpg deleted successfully.
File C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\CLMN096F\b64_2[1].jpg deleted successfully.
File C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\G9A3G96V\b64[1].jpg deleted successfully.
File C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\G9A3G96V\b64_3[1].jpg deleted successfully.
File C:\Documents and Settings\Emiliano\Impostazioni locali\Temporary Internet Files\Content.IE5\RLYFGDIF\b64_1[1].jpg deleted successfully.
File C:\LAVORI\WEB\NEXT01.IT\wwwroot\public\OCC\useredit.asp deleted successfully.
Folder C:\WINDOWS\system32\drivers\down deleted successfully.
Folder C:\Documents and Settings\Emiliano\Dati applicazioni\m deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Posted: Mon Feb 04, 2008 10:49 am
by ste_95
Try to reinstall an antivirus.