www.MegaLab.it

da **clandestino** » gio giu 28, 2007 11:18 pm

salve.bagle mi ha acchiappato.ho fatto il rootkit con gmer .poi cosa devo mettere su avanger?sono inespertessimo.scusate

da **crazy.cat** » ven giu 29, 2007 8:29 am

Sostituisci a nomeutente il nome del tuo user, altrimenti posta qui il log di gmer
http://www.MegaLab.it/forum/viewtopic.p ... 147#262147

Poi segui le istruzioni dell'articolo per ripristinare i servizi danneggiati
http://www.MegaLab.it/2657

da **clandestino** » ven giu 29, 2007 12:26 pm

questo mi esce dall'autostart:

Files to delete:
C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\m_hook.sys
C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\rosa.sys
C:\Documents and Settings\nomeutente\Dati applicazioni\hidires\hidr.exe
c:\WINDOWS\system32\wintems.exe
c:\WINDOWS\system32\hldrrr.exe

folders to delete:
C:\Documents and Settings\nomeutente\Dati applicazioni\hidires
c:\WINDOWS\exefld

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr

da **crazy.cat** » ven giu 29, 2007 2:54 pm

clandestino ha scritto:questo mi esce dall'autostart:

Questo è l'esempio di script, non il log di gmer

da **clandestino** » ven giu 29, 2007 3:05 pm

GMER 1.0.13.12540 - http://www.gmer.net
Autostart scan 2001-12-16 14:01:07
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgwlntf@DLLName = avgwlntf.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVG7\avgemc.exe /*file not found*/
RichVideo /*Cyberlink RichVideo Service(CRVS)*/@ = "C:\Programmi\CyberLink\Shared files\RichVideo.exe" ??????????????????????????????????????????????????
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@WINDVDPatchCTHELPER.EXE = CTHELPER.EXE
@UpdRegC:\WINDOWS\UpdReg.EXE = C:\WINDOWS\UpdReg.EXE
@Jet DetectionC:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe = C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
@NeroFilterCheckC:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe = C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
@SunJavaUpdateSched"C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe" = "C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe"
@LaunchPDeviceConn"C:\Programmi\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe" = "C:\Programmi\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe"
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@DataLayerC:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe = C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
@PCSuiteTrayApplicationC:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray /*file not found*/ = C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray /*file not found*/
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime /*file not found*/ = "C:\Programmi\QuickTime\qttask.exe" -atboottime /*file not found*/
@SecureWebC:\WINDOWS\system32\0R1y5l4H.exe = C:\WINDOWS\system32\0R1y5l4H.exe
@hldrrrC:\WINDOWS\system32\hldrrr.exe = C:\WINDOWS\system32\hldrrr.exe
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@RemoteControlC:\Programmi\CyberLink\PowerDVD\PDVDServ.exe = C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
@LanguageShortcutC:\Programmi\CyberLink\PowerDVD\Language\Language.exe = C:\Programmi\CyberLink\PowerDVD\Language\Language.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@PcSyncC:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog /*file not found*/ = C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog /*file not found*/
@german.exeC:\WINDOWS\system32\wintems.exe = C:\WINDOWS\system32\wintems.exe
@hldrrrC:\WINDOWS\system32\hldrrr.exe = C:\WINDOWS\system32\hldrrr.exe
@drvsyskitC:\Documents and Settings\giuanns\Dati applicazioni\hidires\hidr.exe = C:\Documents and Settings\giuanns\Dati applicazioni\hidires\hidr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll = C:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A} /*PhoneBrowser*/C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
@{FBFE7864-D495-41f0-B7DC-4BB601CC295E} /*Contact View*/C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll
@{C0C4375A-5B72-4efe-929D-3B848C3A1E91} /*Message View*/C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll = C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
@(null) =
@{bd0e4d83-654e-4213-965b-fcbe887061f4}C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCool.dll = C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCool.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = Avvio veloce di Adobe Reader.lnk

---- EOF - GMER 1.0.13 ----

da **clandestino** » ven giu 29, 2007 3:07 pm

questo sopra va bene ?oppura spiaegami per favore cosa devo copiarti

da **crazy.cat** » sab giu 30, 2007 8:44 am

Questo è il tuo script giusto.
Alla fine ti esce un txt di report postalo qui che vediamo come è andata.

Codice: Seleziona tutto: Files to delete: C:\Documents and Settings\giuanns\Dati applicazioni\hidires\m_hook.sys C:\Documents and Settings\giuanns\Dati applicazioni\hidires\rosa.sys C:\Documents and Settings\giuanns\Dati applicazioni\hidires\hidr.exe c:\WINDOWS\system32\wintems.exe C:\WINDOWS\system32\0R1y5l4H.exe c:\WINDOWS\system32\hldrrr.exe folders to delete: C:\Documents and Settings\giuanns\Dati applicazioni\hidires c:\WINDOWS\exefld registry keys to delete: HKLM\SYSTEM\CurrentControlSet\Services\m_hook HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa registry values to delete: HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr

da **clandestino** » sab giu 30, 2007 10:43 am

salve.grazie mille.il txt che mi è uscito è questo:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jbtdblcy

*******************

Script file located at: \??\C:\WINDOWS\vhgysrxi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Documents and Settings\giuanns\Dati applicazioni\hidires\m_hook.sys not found!
Deletion of file C:\Documents and Settings\giuanns\Dati applicazioni\hidires\m_hook.sys failed!

Could not process line:
C:\Documents and Settings\giuanns\Dati applicazioni\hidires\m_hook.sys
Status: 0xc0000034

File C:\Documents and Settings\giuanns\Dati applicazioni\hidires\rosa.sys deleted successfully.
File C:\Documents and Settings\giuanns\Dati applicazioni\hidires\hidr.exe deleted successfully.

File c:\WINDOWS\system32\wintems.exe not found!
Deletion of file c:\WINDOWS\system32\wintems.exe failed!

Could not process line:
c:\WINDOWS\system32\wintems.exe
Status: 0xc0000034

File C:\WINDOWS\system32\0R1y5l4H.exe deleted successfully.

File c:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file c:\WINDOWS\system32\hldrrr.exe failed!

Could not process line:
c:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034

Folder C:\Documents and Settings\giuanns\Dati applicazioni\hidires deleted successfully.

Folder c:\WINDOWS\exefld not found!
Deletion of folder c:\WINDOWS\exefld failed!

Could not process line:
c:\WINDOWS\exefld
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_rosa deleted successfully.

Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

ORA QUALE OPERAZIONI DEVO FARE NEL REGISTRO DI SISTEMA?ESPANDERE?CIOè?

da **crazy.cat** » sab giu 30, 2007 12:13 pm

Reinstalla l'antivirus e poi leggi l'articolo per sistemare la modalità provvisoria e quello che ti manca.
http://www.MegaLab.it/2657

da **clandestino** » sab giu 30, 2007 12:27 pm

Espandete le voci fino ad arrivare a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

cioè tutti i +li devo aprire?ma ci vuole un casino di tempo.o sbaglio?c'è una soluzione rapida?

da **crazy.cat** » sab giu 30, 2007 12:32 pm

No, non ci vuole poi così tanto tempo.
E' il modo più sicuro.

www.MegaLab.it

bagle

bagle

Chi c’è in linea