by Katia » Mon Jan 12, 2009 8:02 pm
I tried FindyKill, but I can only use option 1, the one that searches for infected processes and files; if I try to use option 2 for removal, I get the blue screen, which mentions a process "srosa" that causes the reboot and which, for that matter, is also listed among the infections.
Many of these I just can't find by typing in the path shown, while others, for example the ones in the registry, I can't remove manually.
What should I do?
I'm starting to get seriously worried.
I'm posting the scan result directly here, and I apologize for that, but unfortunately I don't remember how to do it
----------------- FindyKill V4.711 ------------------
* User: Katia - PC-KATIA
* Executed from : C:\Program Files\FindyKill
* Update on 05/01/09 by Chiquitine29
* Start at 19:47:04 the 12/01/2009
* Windows Vista - Internet Explorer 8.0.6001.18241
((((((((((((((((( *** Searching *** ))))))))))))))))))
--------------- [ Active Processes ] ----------------
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\drivers\CDAC11BA.EXE
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sitecom\Sitecom Wireless Network USB Adapter Turbo G WL-172\Installer\WLANUTL.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Katia\AppData\Roaming\drivers\winupgro.exe
C:\Windows\system32\conime.exe
C:\Program Files\IncrediMail\bin\ImLpp.exe
--------------- [ Infected processes stopped ] ----------------
"C:\Users\Katia\AppData\Roaming\drivers\winupgro.exe" (2096)
--------------- [ Infected files / folders ] ----------------
»»»» Presence Files in C:
»»»» Presence Files in C:\Windows
»»»» Presence Files in C:\Windows\Prefetch
»»»» Presence Files in C:\Windows\system32
Found ! [12/01/2009 18.44] - C:\Windows\system32\mdelk.exe
Found ! [12/01/2009 18.44] - C:\Windows\system32\wintems.exe
»»»» Presence Files in C:\Windows\system32\drivers
Found ! [01/05/2008 22.39] - "C:\Windows\system32\drivers\downld"
»»»» Presence Files in C:\Users\Katia\AppData\Roaming
Found ! [12/01/2009 18.39] - "C:\Users\Katia\AppData\Roaming\m\flec006.exe"
Found ! [12/01/2009 19.07] - "C:\Users\Katia\AppData\Roaming\m\shared"
Found ! [12/01/2009 19.37] - "C:\Users\Katia\AppData\Roaming\m"
Found ! [12/01/2009 19.47] - "C:\Users\Katia\AppData\Roaming\drivers"
Found ! [12/01/2009 19.47] - "C:\Users\Katia\AppData\Roaming\drivers\srosa.sys"
Found ! [12/01/2009 19.47] - "C:\Users\Katia\AppData\Roaming\drivers\srosa2.sys"
Found ! [22/06/2005 02.06] - "C:\Users\Katia\AppData\Roaming\drivers\winupgro.exe"
Found ! [12/01/2009 18.51] - "C:\Users\Katia\AppData\Roaming\drivers\downld"
»»»» Presence Files in C:\Users\Katia\AppData\Local\Temp
»»»» Presence Files in C:\Users\Katia\Local Settings\Temporary Internet Files\Content.IE5
Found ! [28/12/2006 03.42] - C:\Program Files\FileASSASSIN\License.txt
Found ! [12/01/2009 19.05] - C:\Users\Katia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\000GHA76\file[1].txt
Found ! [12/01/2009 18.46] - C:\Users\Katia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W6V5O1UX\b64_1[2].jpg
Found ! [07/09/2004 07.32] - C:\Windows\System32\DriverStore\FileRepository\d125u.inf_5fb2accd\D125USG\README.txt
--------------- [ Registry / Startup ] ----------------
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
WallpaperChanger=C:\Program Files\Wallpaper Master\Wallpaper.exe
Desktop Architect="C:\Program Files\Desktop Architect\datray.exe" -S
IncrediMail=C:\Program Files\IncrediMail\bin\IncMail.exe /c
ISUSPM="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
ehTray.exe=C:\Windows\ehome\ehTray.exe
swg=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Sidebar=C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
WMPNSCFG=C:\Program Files\Windows Media Player\WMPNSCFG.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
QPService="C:\Program Files\HP\QuickPlay\QPService.exe"
QlbCtrl=%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
HP Health Check Scheduler=C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MsgCenterExe="C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
avast!=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
SpywareTerminator="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
hpqSRMon=C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
NvSvc=RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
NvCplDaemon=RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
NvMediaCenter=RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
SunJavaUpdateSched="C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL=
Installed=1
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI=
NoChange=1
Installed=1
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS=
Installed=1
[HKEY_CURRENT_USER\software\local appwizard-generated applications\AlgoLab Photo Vector]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\dfgdfgdfgghjkhjykhjykhjgfhgfhgfhgfh]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\ESApp]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\InstallerApp]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\install_patch]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\S_Merge]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\texture]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\Wallpaper]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\winupgro]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\WorldwideOnlineTV]
--------------- [ Registry / Infected keys ] ----------------
Found ! - HKEY_USERS\S-1-5-21-582597054-3730874547-1638457088-1000\Software\Local AppWizard-Generated Applications\install_patch
Found ! - HKEY_USERS\S-1-5-21-582597054-3730874547-1638457088-1000\Software\Local AppWizard-Generated Applications\winupgro
Found ! - HKEY_USERS\S-1-5-21-582597054-3730874547-1638457088-1000\Software\bisoft
Found ! - HKEY_USERS\S-1-5-21-582597054-3730874547-1638457088-1000\Software\DateTime4
Found ! - HKEY_USERS\S-1-5-21-582597054-3730874547-1638457088-1000\Software\FFC
Found ! - HKEY_USERS\S-1-5-21-582597054-3730874547-1638457088-1000\Software\MuleAppData
Found ! - HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\install_patch
Found ! - HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\winupgro
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SK9OU0S
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SK9OU0S
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_SK9OU0S
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sK9Ou0s
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sK9Ou0s
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sK9Ou0s
Found ! - HKEY_CURRENT_USER\Software\bisoft
Found ! - HKEY_CURRENT_USER\Software\DateTime4
Found ! - HKEY_CURRENT_USER\Software\MuleAppData
Found ! - HKEY_CURRENT_USER\Software\FFC
/!\ Infection active : HKLM\SYSTEM\...\Services\srosa -> Start = 0x1
/!\ Infection active : HKLM\SYSTEM\...\Services\sK9Ou0s -> Start = 0x1
--------------- [ States / Services ] ----------------
+- Services : [ Auto=2 / Request=3 / Disable=4 ]
/!\ Ndisuio - Type of startup = 4
EapHost - Type of startup = 3
Wlansvc - Type of startup = 2
/!\ SharedAccess - Type of startup = 4
/!\ wuauserv - Type of startup = 4
/!\ wscsvc - Type of startup = 4
/!\ WinDefend - Type of startup = 4
/!\ UAC is Disable
--------------- [ Searching in removable drives ] ----------------
+- Informations :
C: - Unità fissa
D: - Unità fissa
E: - Unità fissa
+- Presence of files :
--------------- [ Registry / Mountpoint2 ] ----------------
-> Not found !
------------------- ! End of report ! --------------------