Punto informatico Network

Bagle/Virus.


Post by NrgRigo » Tue Jan 13, 2009 12:01 am

Once again... it's him again, and this time he's even nastier... he had blocked safe mode and somehow, after about two hours of fiddling, I got it to start.

The main problems:

CPU at 100%
After 10-15 minutes the system crashes ---> BSOD --> and I have to reboot.
HijackThis won't start at all... it says it isn't a valid Win32 application... and the same happens with any other program I try to install.

Only Avenger in safe mode and GMER start...


The first log, made with EliBagle:

Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\DRIVERS\SROSA.SYS --> Bagle(rootkit) Acceso Denegado.
C:\WINDOWS\SYSTEM32\DRIVERS\HLDRRR.EXE --> Bagle.dldr Acceso Denegado.
C:\DOCUMENTS AND SETTINGS\RIGO\DATI APPLICAZIONI\M\FLEC006.EXE --> Bagle.dldr Acceso Denegado.
Eliminada Carpeta "%WinSys%\Drivers\Downld"
Reinicie para Completar la Limpieza.


This instead is the GMER log, made a short while ago.

http://www.mediafire.com/?sharekey=4de1 ... eea4ee457b

If some kind soul could kindly build me the script to remove all this junk, I'd be very grateful... otherwise I'll have to format... it doesn't bother me much... but I'd rather avoid it... thanks

Re: Bagle/Virus.

Post by ste_95 » Tue Jan 13, 2009 7:24 am

Download FindyKill (by Chiquitine29) and install it.
Once installed, close all running applications and disconnect from the internet, then click the FindyKill icon and, in the DOS window that opens, type 2 and press Enter. Wait for the scan to finish and post here the log you find in C:\FindyKill.txt

Then download ComboFix, saving it to the PC under a made-up name, and run the scan following these instructions (at the bottom). When the scan finishes, the report file C:\combofix.txt will be created; copy its contents here between LOG tags.

Re: Bagle/Virus.

Post by NrgRigo » Wed Jan 14, 2009 1:13 am

This is the FindyKill log

----------------- FindyKill V4.711 ------------------

* User : Rigo - RIG0
* executed from : C:\Programmi\FindyKill
* Update on 05/01/09 par Chiquitine29
* Start at 0:46:59 the 14/01/2009
* Windows XP - Internet Explorer 6.0.2900.5512


((((((((((((((( *** deleting *** ))))))))))))))))))


--------------- [ Active Processes ] ----------------


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe

--------------- [ Infected files / folders ] ----------------


»»»» Supression files in C:

Deleted ! - C:\InfoSat.txt

»»»» Supression files in C:\WINDOWS


»»»» Supression files in C:\WINDOWS\Prefetch

Deleted ! - C:\WINDOWS\prefetch\62734.EXE-0F703C3A.pf
Deleted ! - C:\WINDOWS\prefetch\FLEC006.EXE-13B64440.pf
Deleted ! - C:\WINDOWS\prefetch\HLDRRR.EXE-106798BB.pf

»»»» Supression files in C:\WINDOWS\system32


»»»» Supression files in C:\WINDOWS\system32\drivers

Deleted ! - C:\WINDOWS\system32\drivers\srosa.sys
Deleted ! - C:\WINDOWS\system32\drivers\hldrrr.exe

»»»» Supression files in C:\Documents and Settings\Rigo\Dati applicazioni

Deleted ! - "C:\Documents and Settings\Rigo\Dati applicazioni\m\flec006.exe"
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\006.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\14.Š­¾„÷?.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\4t Web Camera 1.2.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\642-502 Practice Exam Testing Engine Software 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\9L0-607 Practice Exam Testing Engine Software 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\AAA BLUR OPTIONS 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Admin Report Kit for Exchange Server (ARKXchange) 4.7.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Admin's bar toolbar for IE 4.5.132.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Adriana Lima 35 Screensaver 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\AdWords ROI Calculator 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Aid Backup Master 2.3.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Aiseesoft Total Video Converter 3.1.22.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Analog CPU & MEM Display 1.6.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\ari.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Autorun Maestro 7.0.0.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\AutorunMagick Studio 3.3.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Autumn Daze Screensaver 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Avast!.4.Antivirus.Protection.Server.Edition.v4[1].1.63.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\AVG.Antivirus.Professional.7.0.289.+.Serial.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\AVI Joiner 1.22.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Beef Cattle Record Keeping System 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Beyond TV Link 4.9.0 Build 6073.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\BitDefender.Antivirus.Plus.v10.0.+.Keygen.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Blat PHP Example 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\BlueLive 3.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\BringWndTop 1.0.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\CARTEL 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Civil Netizen Beta 8.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Clippings 3.0.2.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Colasoft MSN Monitor 2.0 build 320.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\CompoChess 2.5.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Contotom 1.2.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Cricket Scores 1.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\CryptoMailer Reader 4.08.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Daily Illustration Slide Gadget 1.0.0.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\DDClip SE 3.51.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Deep in the Forest - Animated Wallpaper 5.07.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\DentistsLog 6.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Digital Photo Recovery 2.0.3.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Display mail route 0.2.2.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\DivX Author 1.5.2.180.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\do-Organizer 3.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Drive Browser 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\DVD to iPhone Converter 4.01.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\EasyExif 1.6.2.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Easykeys 1.36.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Edit Buddy 2.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\eMusic Store 0.8.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Engineering Power Tools 1.9.8.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\EsbDecimals 1.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Essential Freebies 1.4.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\exeJ 1.01.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\eXLookupNS 1.0.0.8.830.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\EZ Unit Converter Wizard 2002 4.00.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\EZ-Quick for Excel 7.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\EzPhone Recorder 1.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\FutCalc - Futures Calculator 9.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\GMNotifier 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\GoogleHotKeys 1.01.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\GTDGmail 1.22.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Harrisburg Metro Traffic Cameras 1.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\HispreadVIEW 2.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\HPS Easy Image Converter 1.2.8.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\ID Startup Cleaner 1.2.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\IdeaCart 0.01.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Internet Tweak 4.90.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Kaspersky_Anti_Virus_Personal_Pro_v5.0.20-BLACKSTAR.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Konvertor tif2xxx DLL 1.12.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\LingoMaster Turkish 1.10.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\LingvoSoft Picture Dictionary 2008 English - German 1.2.25.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\LingvoSoft Picture Dictionary 2008 German - Arabic 1.2.26.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\LingvoSoft Talking Dictionary 2008 English - Thai 4.1.29.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Mesa Park Audio Editor 1.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\MI NetZip 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Micro-IDE 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Mio Nasa TV 1.0 Beta.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Mo's Search++ 1.0.6.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Mobile Icq.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Moffsoft Calculator 2.1.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Mouse and Key Recorder 6.4.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\MR Tech ClockAlign 1.1 Beta 5.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\MSPlotter 3.0.8.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\MSSQL-to-Excel 1.5.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Musical Discovery 1.1.17.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Muslim Explorer 2007.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\MySpeed PC VoIP 2.0d Build 687.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Mystic Forest Screensaver.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Natural Fat Loss 2.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Netspring Data Recovery 3.7.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Network Share Brute Forcer 3.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\NOD32.2.7.12.RC1.beta.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\NOD32.AntiVirus.v2.70.9.BETA.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\NORTON_SYSTEM_WORKS_2006_KEYGEN_KASSARFILES.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Okoker DVD to 3GP Converter 4.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Outlook Express Accounts Password Recovery 2.1.8.5.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Page Scavanger 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\PointCapture 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Professional Fishing Board 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Proxy Log Analyzer 2.60.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\RADlab 1.02 Beta.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Rapid DJ 1.0.0.0 Beta.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\ScanSpyware 3.8.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Schematics 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Series Matching Calculator 1.01.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Shadow 2.0.25.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\shoot some wood 1.2.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Simulated Annealing Demonstration 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Smartcell Standard 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Snipshot 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\SpaceMan 99 3.3.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\STL Export for IntelliCAD 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Subtitle Processor 7.7.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Tetris 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\The River Screensaver.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\The Sims Mobile Nokia 6230i.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\uCertify Collection for test 70-215 70-228 70-229 6.10.04.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\UCStatusbarAutofeed 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\VB Colour Picker 2.0.1.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\VBScript reference.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\VideoVista Professional Edition 3.0.4.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Virtual Desktop 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Water for After Effects 1.03.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Website Block 3.15.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\WinHandles 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\WordPefect Corrupt Dcument Troubleshooter 1.0.zip
Deleted ! - C:\Documents and Settings\Rigo\Dati applicazioni\m\shared\Xilisoft Video Cutter 1.0.32.1015.zip
Deleted ! - "C:\Documents and Settings\Rigo\Dati applicazioni\m\shared"
Deleted ! - "C:\Documents and Settings\Rigo\Dati applicazioni\m"
Deleted ! - "C:\Documents and Settings\Rigo\Dati applicazioni\hidires\flec003.exe"
Deleted ! - "C:\Documents and Settings\Rigo\Dati applicazioni\hidires"

»»»» Supression files in C:\DOCUME~1\Rigo\IMPOST~1\Temp


»»»» Supression files in C:\Documents and Settings\Rigo\Local Settings\Temporary Internet Files\Content.IE5


--------------- [ Registry / Infected keys ] ----------------

Deleted ! - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mdelk.exe
Deleted ! - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wintems.exe
Deleted ! - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\flec006.exe
Deleted ! - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hldrrr.exe
Deleted ! - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winfilse.exe
Deleted ! - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winupgro.exe
Deleted ! - HKEY_USERS\S-1-5-21-583907252-2000478354-725345543-1004\Software\Local AppWizard-Generated Applications\hldrrr
Deleted ! - HKEY_USERS\S-1-5-21-583907252-2000478354-725345543-1004\Software\Local AppWizard-Generated Applications\nideiect
Deleted ! - HKEY_USERS\S-1-5-21-583907252-2000478354-725345543-1004\Software\MuleAppData

--------------- [ States / Restarting of services ] ----------------


+- Showing of hidden files has been repaired !



+- Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - Type of startup = 3

EapHost - Type of startup = 2

Ip6Fw - Type of startup = 2

SharedAccess - Type of startup = 2

wuauserv - Type of startup = 2

wscsvc - Type of startup = 2


--------------- [ Cleaning removable drives ] ----------------

+- Informations :

C: - Unità fissa


+- deleting files :


--------------- [ Registry / Mountpoint2 ] ----------------

Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{96d6f747-c203-11dd-bec3-0015f24cd45f}\Shell\AutoRun\command
Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{96d6f747-c203-11dd-bec3-0015f24cd45f}\Shell\explore\Command
Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{96d6f747-c203-11dd-bec3-0015f24cd45f}\Shell\open\Command

--------------- [ Searching Other Infections ] ----------------


Références de comparaison Bagle MD5 :

ddafc33c50b84dc1ddbf2b9f32e4ca40 C:\WINDOWS\system32\drivers\hldrrr.exe

Suspect ! - ddafc33c50b84dc1ddbf2b9f32e4ca40 C:\System Volume Information\_restore{D8CE11C9-6E78-4868-B392-FEB351593011}\RP1\A0000004.exe
Suspect ! - 51584f8933afd492af006c6ca546be7b C:\System Volume Information\_restore{D8CE11C9-6E78-4868-B392-FEB351593011}\RP1\A0001004.exe
Suspect ! - ddafc33c50b84dc1ddbf2b9f32e4ca40 C:\System Volume Information\_restore{D8CE11C9-6E78-4868-B392-FEB351593011}\RP1\A0001008.exe
Suspect ! - ddafc33c50b84dc1ddbf2b9f32e4ca40 C:\System Volume Information\_restore{D8CE11C9-6E78-4868-B392-FEB351593011}\RP1\A0001015.exe
Suspect ! - ddafc33c50b84dc1ddbf2b9f32e4ca40 C:\System Volume Information\_restore{D8CE11C9-6E78-4868-B392-FEB351593011}\RP1\A0003080.exe
Suspect ! - ddafc33c50b84dc1ddbf2b9f32e4ca40 C:\System Volume Information\_restore{D8CE11C9-6E78-4868-B392-FEB351593011}\RP1\A0003081.exe

--------------- [ Searching Cracks / Keygen ] ----------------

C:\Documents and Settings\Rigo\Desktop\Desktop\Emule\Incoming\empires2 crack v2.0a NO-CD [Age of Empires II-AOE 2] Multilanguage.zip
C:\Documents and Settings\Rigo\Desktop\Desktop\Emule\Incoming\Lavalys.EVEREST.Ultimate.Edition.v4.50.1330.Multilangages.Incl-Keygen.rar


---------------- ! End of report ! ------------------
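The report above groups what FindyKill removed under section banners: dropped files, registry keys (including entries under Image File Execution Options and MountPoints2 autorun commands), and "Suspect !" files whose MD5 matches a reference hash, which in this case are System Restore copies of hldrrr.exe under System Volume Information that would come back if a restore point were used. The parser below is an added example, not FindyKill's own code; it reads that report shape and groups the findings the way a responder triaging the thread would want them. The sample text is constructed from a subset of the lines posted above, and the section names, "Deleted ! -" / "Suspect ! -" prefixes and hash-line layout are assumed from this one report rather than from any FindyKill documentation.

```python
"""Summarise the Bagle indicators listed in a FindyKill-style report.

Added example (not FindyKill's own code). Groups the findings as:
dropped files, registry keys, Image File Execution Options entries,
removable-drive autorun commands, and suspect files whose hash equals
a reference (known Bagle component) hash.
"""
import re

# Constructed sample: a subset of lines in the shape of the report posted in the thread.
SAMPLE_REPORT = r"""
--------------- [ Infected files / folders ] ----------------
Deleted ! - C:\WINDOWS\system32\drivers\srosa.sys
Deleted ! - C:\WINDOWS\system32\drivers\hldrrr.exe
Deleted ! - "C:\Documents and Settings\Rigo\Dati applicazioni\m\flec006.exe"
--------------- [ Registry / Infected keys ] ----------------
Deleted ! - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hldrrr.exe
Deleted ! - HKEY_USERS\S-1-5-21-583907252-2000478354-725345543-1004\Software\MuleAppData
--------------- [ Registry / Mountpoint2 ] ----------------
Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{96d6f747-c203-11dd-bec3-0015f24cd45f}\Shell\AutoRun\command
Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{96d6f747-c203-11dd-bec3-0015f24cd45f}\Shell\open\Command
--------------- [ Searching Other Infections ] ----------------
Références de comparaison Bagle MD5 :
ddafc33c50b84dc1ddbf2b9f32e4ca40 C:\WINDOWS\system32\drivers\hldrrr.exe
Suspect ! - ddafc33c50b84dc1ddbf2b9f32e4ca40 C:\System Volume Information\_restore{D8CE11C9-6E78-4868-B392-FEB351593011}\RP1\A0000004.exe
Suspect ! - 51584f8933afd492af006c6ca546be7b C:\System Volume Information\_restore{D8CE11C9-6E78-4868-B392-FEB351593011}\RP1\A0001004.exe
---------------- ! End of report ! ------------------
"""

# Line shapes assumed from the posted report.
SECTION_RE = re.compile(r"^-+ \[ (?P<name>.+?) \] -+$")
DELETED_RE = re.compile(r'^Deleted ! - "?(?P<target>.+?)"?$')
SUSPECT_RE = re.compile(r"^Suspect ! - (?P<md5>[0-9a-fA-F]{32}) (?P<path>.+)$")
REFERENCE_RE = re.compile(r"^(?P<md5>[0-9a-fA-F]{32}) (?P<path>.+)$")


def parse_report(text):
    """Return a dict of grouped findings from one FindyKill-style report."""
    findings = {
        "deleted_files": [],     # dropped components that were removed
        "deleted_keys": [],      # registry keys that were removed
        "ifeo_entries": [],      # image names with an Image File Execution Options key
        "autorun_keys": [],      # MountPoints2 ...\Shell\<verb>\command keys (drive autorun)
        "reference_md5": set(),  # hashes the tool lists as Bagle references
        "suspects": [],          # (md5, path) pairs flagged as suspect
        "hash_hits": [],         # suspect paths whose md5 equals a reference hash
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = DELETED_RE.match(line)
        if m:
            target = m.group("target")
            low = target.lower()
            if low.startswith(("hkey_", "hklm\\", "hkcu\\", "hku\\")):
                findings["deleted_keys"].append(target)
                if "\\image file execution options\\" in low:
                    # Last path component is the hooked image name.
                    findings["ifeo_entries"].append(target.rsplit("\\", 1)[1])
                if "\\mountpoints2\\" in low and low.endswith("\\command"):
                    findings["autorun_keys"].append(target)
            else:
                findings["deleted_files"].append(target)
            continue
        m = SUSPECT_RE.match(line)
        if m:
            findings["suspects"].append((m.group("md5").lower(), m.group("path")))
            continue
        m = REFERENCE_RE.match(line)
        if m and section == "Searching Other Infections":
            findings["reference_md5"].add(m.group("md5").lower())
    # A suspect carrying a reference hash is a byte-identical copy of a known component,
    # here the restore-point copies of hldrrr.exe.
    findings["hash_hits"] = [
        path for md5, path in findings["suspects"] if md5 in findings["reference_md5"]
    ]
    return findings


def summarise(findings):
    """Render the grouped findings as a short text summary."""
    lines = [
        f"dropped files removed: {len(findings['deleted_files'])}",
        f"registry keys removed: {len(findings['deleted_keys'])}",
        f"IFEO entries: {', '.join(findings['ifeo_entries']) or 'none'}",
        f"drive autorun commands: {len(findings['autorun_keys'])}",
        f"suspect files: {len(findings['suspects'])}, "
        f"of which {len(findings['hash_hits'])} match a Bagle reference hash",
    ]
    for path in findings["hash_hits"]:
        lines.append(f"  restore-point copy of a known component: {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(parse_report(SAMPLE_REPORT)))
```

Run it on a saved C:\FindyKill.txt by passing the file's text to `parse_report`; the hash-hit list is the part worth acting on, since those copies sit in System Restore snapshots rather than in the paths the tool already cleaned.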

Re: Bagle/Virus.

Post by NrgRigo » Wed Jan 14, 2009 1:13 am

And this is the ComboFix one

ComboFix 09-01-13.03 - Rigo 2009-01-14 1.01.03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1040.18.1023.658 [GMT 1:00]
Eseguito da: c:\documents and settings\Rigo\Desktop\salcazzo.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000006_.tmp.dll

.
((((((((((((((((((((((((( Files Creati Da 2008-12-14 al 2009-01-14 )))))))))))))))))))))))))))))))))))
.

2009-01-14 00:43 . 2009-01-14 00:49 <DIR> d-------- c:\programmi\FindyKill
2009-01-12 23:30 . 2009-01-12 23:30 <DIR> d-------- c:\documents and settings\Rigo\Pavark
2009-01-12 23:30 . 2009-01-12 23:30 23,552 --a------ c:\windows\system32\drivers\phooks.sys
2009-01-12 23:28 . 2009-01-12 23:28 61,440 --a------ c:\windows\system32\drivers\mcio.sys
2009-01-12 23:14 . 2008-12-02 20:45 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di stampa
2009-01-12 23:14 . 2008-12-02 20:45 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di rete
2009-01-12 23:14 . 2008-12-02 20:45 <DIR> d-------- c:\documents and settings\Administrator\Preferiti
2009-01-12 23:14 . 2008-12-02 19:54 <DIR> d--h----- c:\documents and settings\Administrator\Modelli
2009-01-12 23:14 . 2008-12-02 20:45 <DIR> dr------- c:\documents and settings\Administrator\Menu Avvio
2009-01-12 23:14 . 2009-01-14 01:01 <DIR> d--h----- c:\documents and settings\Administrator\Impostazioni locali
2009-01-12 23:14 . 2008-12-02 20:45 <DIR> d-------- c:\documents and settings\Administrator\Documenti
2009-01-12 23:14 . 2008-12-02 20:45 <DIR> dr-h----- c:\documents and settings\Administrator\Dati applicazioni
2009-01-12 23:14 . 2009-01-12 23:14 <DIR> d-------- c:\documents and settings\Administrator
2009-01-12 20:26 . 2009-01-12 20:26 <DIR> d--h----- c:\windows\PIF
2009-01-12 19:53 . 2009-01-12 19:53 <DIR> d-------- c:\programmi\Spybot - Search & Destroy
2009-01-12 19:53 . 2009-01-12 19:53 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-01-12 19:41 . 2009-01-12 19:41 <DIR> d-------- c:\programmi\Trend Micro
2009-01-12 05:25 . 2009-01-14 00:43 <DIR> d-------- c:\documents and settings\Rigo\Dati applicazioni\FileZilla
2009-01-12 05:24 . 2009-01-12 05:24 <DIR> d-------- c:\programmi\FileZilla FTP Client
2009-01-12 04:15 . 2008-12-08 19:32 4,915,276 --a------ c:\windows\php5ts.dll
2009-01-12 03:36 . 2009-01-12 03:37 <DIR> d-------- c:\programmi\No-IP
2009-01-11 17:38 . 2009-01-11 18:24 202,352 --a------ c:\windows\system32\PnkBstrB.exe
2009-01-11 17:38 . 2009-01-11 18:24 138,624 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2009-01-11 17:37 . 2009-01-11 17:37 <DIR> d-------- c:\windows\system32\LogFiles
2009-01-11 17:37 . 2009-01-11 17:37 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2009-01-11 17:10 . 2009-01-11 17:10 <DIR> d-------- c:\programmi\America's Army
2009-01-11 13:39 . 2009-01-11 13:39 <DIR> d-------- c:\programmi\Kodeware
2009-01-11 13:39 . 2009-01-11 14:37 <DIR> d-------- c:\documents and settings\Rigo\Dati applicazioni\Osiris
2009-01-10 00:57 . 2001-08-30 23:07 8,704 --a------ c:\windows\system32\kbdjpn.dll
2009-01-10 00:57 . 2001-08-30 23:07 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2009-01-10 00:57 . 2001-08-30 23:07 8,192 --a------ c:\windows\system32\kbdkor.dll
2009-01-10 00:57 . 2001-08-30 23:07 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2009-01-10 00:57 . 2008-04-14 03:12 6,144 --a------ c:\windows\system32\kbd106.dll
2009-01-10 00:57 . 2001-08-17 22:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2009-01-10 00:57 . 2001-08-17 22:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2009-01-10 00:57 . 2008-04-14 03:12 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2009-01-10 00:57 . 2001-08-17 22:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2009-01-10 00:57 . 2001-08-17 22:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2009-01-10 00:57 . 2001-08-17 22:55 5,632 --a------ c:\windows\system32\kbd103.dll
2009-01-10 00:57 . 2001-08-17 22:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2009-01-10 00:06 . 2009-01-11 17:15 <DIR> d-------- c:\programmi\America's Army Deploy Client
2009-01-10 00:06 . 2009-01-10 00:13 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\America's Army Deploy Client
2009-01-08 02:04 . 2009-01-08 02:04 <DIR> d-------- c:\programmi\SystemRequirementsLab
2009-01-08 02:04 . 2009-01-08 02:04 <DIR> d-------- c:\documents and settings\Rigo\SystemRequirementsLab
2009-01-07 04:54 . 2009-01-07 04:54 <DIR> d-------- c:\windows\system32\Adobe
2009-01-07 04:54 . 2008-11-24 14:01 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-01-05 09:39 . 2005-02-01 14:20 5,760,056 --a------ c:\windows\Darkstar.bmp
2009-01-05 09:38 . 2009-01-05 09:38 <DIR> d-------- c:\programmi\File comuni\Stardock
2009-01-05 09:38 . 2009-01-05 09:39 <DIR> d-------- c:\programmi\AlienGUIse
2009-01-05 09:38 . 2003-02-26 22:27 36,864 --a------ c:\windows\system32\wbsys.dll
2009-01-05 09:38 . 2009-01-05 09:38 52 --a------ c:\windows\wb.ini
2009-01-03 05:29 . 2009-01-04 21:34 <DIR> d-------- c:\programmi\MessengerDiscovery
2009-01-03 05:29 . 2004-03-09 01:00 609,824 --a------ c:\windows\system32\COMCTL32.ocx
2009-01-03 05:29 . 2004-03-08 23:00 152,848 --a------ c:\windows\system32\comdlg32.OCX
2009-01-03 05:29 . 2004-03-09 01:00 124,688 --a------ c:\windows\system32\MSWINSCK.ocx
2009-01-03 04:33 . 2009-01-03 04:33 <DIR> d-------- c:\programmi\Paint.NET
2009-01-03 04:13 . 2009-01-03 05:03 <DIR> d-------- c:\documents and settings\Rigo\Tracing
2009-01-03 04:07 . 2009-01-03 04:07 <DIR> d-------- c:\programmi\Windows Live SkyDrive
2009-01-03 04:04 . 2009-01-03 04:04 <DIR> d-------- c:\programmi\File comuni\Windows Live
2008-12-30 14:18 . 2008-12-30 14:18 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\EPSON
2008-12-30 14:18 . 2006-12-08 11:04 76,800 --a------ c:\windows\system32\E_FLBCAE.DLL
2008-12-30 14:18 . 2006-04-19 11:00 62,976 --a------ c:\windows\system32\E_FD4BCAE.DLL
2008-12-30 14:18 . 2004-09-11 05:12 49,152 --a------ c:\windows\system32\E_DCINST.DLL
2008-12-30 14:14 . 2008-12-30 14:14 <DIR> d-------- c:\programmi\EPSON
2008-12-30 14:12 . 2008-04-13 19:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-12-30 14:12 . 2008-04-13 19:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-12-27 11:04 . 2008-12-27 11:05 13 --a------ c:\windows\system32\OEMINFO.INI
2008-12-26 00:57 . 2008-04-14 03:13 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-25 00:53 . 2008-12-25 00:53 <DIR> d-------- c:\windows\Sun
2008-12-25 00:49 . 2008-12-25 00:48 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-25 00:49 . 2008-12-25 00:48 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-25 00:48 . 2008-12-25 00:48 <DIR> d-------- c:\programmi\Java
2008-12-24 01:45 . 2008-12-24 01:46 <DIR> d-------- c:\programmi\NeroPortable
2008-12-22 20:31 . 2008-12-22 20:31 <DIR> d-------- c:\programmi\uTorrent
2008-12-22 20:31 . 2009-01-03 06:42 <DIR> d-------- c:\documents and settings\Rigo\Dati applicazioni\uTorrent
2008-12-17 04:26 . 2008-12-17 04:26 <DIR> d-------- c:\programmi\CDBurnerXP
2008-12-17 04:26 . 2008-12-17 04:26 <DIR> d-------- c:\documents and settings\Rigo\Dati applicazioni\Canneverbe_Limited
2008-12-16 03:07 . 2008-12-16 03:07 <DIR> d-------- c:\programmi\SumatraPDF
2008-12-16 03:07 . 2008-12-16 03:07 <DIR> d-------- c:\documents and settings\Rigo\Dati applicazioni\SumatraPDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 04:23 --------- d-----w c:\programmi\Servizi in linea
2009-01-12 21:58 --------- d-----w c:\programmi\Winamp
2009-01-03 04:13 --------- d-----w c:\programmi\Messenger Plus! Live
2009-01-03 04:08 --------- d-----w c:\programmi\Windows Live
2009-01-03 03:22 --------- d-----w c:\programmi\CCleaner
2008-12-27 10:59 --------- d-----w c:\documents and settings\Rigo\Dati applicazioni\Auslogics
2008-12-27 09:57 --------- d-----w c:\programmi\Auslogics
2008-12-04 14:11 --------- d-----w c:\documents and settings\Rigo\Dati applicazioni\Winamp
2008-12-02 22:53 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Yahoo! Companion
2008-12-02 22:42 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-12-02 22:42 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-12-02 22:42 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-12-02 22:42 --------- d-----w c:\programmi\AVG
2008-12-02 22:42 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\avg8
2008-12-02 22:32 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Messenger Plus!
2008-12-02 22:30 --------- d-----w c:\programmi\Yahoo!
2008-12-02 22:25 --------- d-----w c:\documents and settings\Rigo\Dati applicazioni\Media Player Classic
2008-12-02 22:22 --------- d-----w c:\programmi\K-Lite Codec Pack
2008-12-02 20:58 --------- dcsh--w c:\programmi\File comuni\WindowsLiveInstaller
2008-12-02 20:57 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\WLInstaller
2008-12-02 20:55 --------- d-----w c:\documents and settings\Rigo\Dati applicazioni\ATI
2008-12-02 20:55 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\ATI
2008-12-02 20:09 --------- d-----w c:\programmi\NVIDIA Corporation
2008-12-02 20:08 --------- d-----w c:\programmi\File comuni\InstallShield
2008-12-02 20:05 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-12-02 20:05 --------- d-----w c:\programmi\Telecom Italia
2008-12-02 19:18 --------- d-----w c:\programmi\World of Warcraft
2008-12-02 19:08 --------- d-----w c:\programmi\Realtek AC97
2008-12-02 19:06 --------- d-----w c:\programmi\ATI
2008-12-02 19:04 --------- d-----w c:\programmi\ATI Technologies
2008-12-02 18:57 --------- d-----w c:\programmi\microsoft frontpage
2008-10-29 02:23 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-10-29 02:22 314,880 ----a-w c:\windows\system32\ati2dvag.dll
2008-10-29 02:11 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-10-29 02:11 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-10-29 02:11 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-10-29 02:11 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-10-29 02:10 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-10-29 02:10 10,973,184 ----a-w c:\windows\system32\atioglxx.dll
2008-10-29 02:09 585,728 ----a-w c:\windows\system32\ati2evxx.exe
2008-10-29 02:07 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-10-29 01:57 4,041,472 ----a-w c:\windows\system32\ati3duag.dll
2008-10-29 01:49 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-10-29 01:41 2,472,832 ----a-w c:\windows\system32\ativvaxx.dll
2008-10-29 01:25 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-10-29 01:21 389,120 ----a-w c:\windows\system32\atikvmag.dll
2008-10-29 01:19 44,032 ----a-w c:\windows\system32\atiadlxx.dll
2008-10-29 01:19 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-10-29 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-10-29 01:12 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-10-28 20:05 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-21 17:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 668,672 ----a-w c:\windows\system32\wininet.dll
2008-10-15 16:36 337,408 ----a-w c:\windows\system32\SETF4.tmp
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-02 1234712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 23:34 24576 c:\programmi\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll,wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 03:14 1695232 c:\programmi\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-08-29 16:11 61440 c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 15:28 577536 c:\windows\soundman.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Rigo\\Desktop\\Desktop\\Emule\\emule.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\America's Army Deploy Client\\AADeployClient.exe"=
"c:\\Programmi\\Kodeware\\Osiris\\osiris.exe"=
"c:\\Programmi\\America's Army\\System\\ArmyOps.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8590:TCP"= 8590:TCP:aa


--- Other Services/Drivers In Memory ---

*NewlyCreated* - EAPHOST
*NewlyCreated* - IP6FW

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c5d8fc9-c0a3-11dd-beba-cddf81f4a562}]
\Shell\AutoRun\command - E:\ClickMe.exe
.
- - - - ORF+OS REMOVIDOS - - - -

SafeBoot-sglfb.sys
SafeBoot-tga.sys
SafeBoot-wd.sys
SafeBoot-sacsvr
MSConfigStartUp-flec003 - c:\documents and settings\Rigo\Dati applicazioni\hidires\flec003.exe
MSConfigStartUp-WinampAgent - c:\programmi\Winamp\winampa.exe


.
------- Supplementare di scansione -------
.
TCP: {67A1D5F7-DC4A-4700-BEE8-1A185FF94363} = 85.37.17.10 85.38.28.86
FF - ProfilePath - c:\documents and settings\Rigo\Dati applicazioni\Mozilla\Firefox\Profiles\mdzzbrb1.default\
FF - prefs.js: browser.startup.homepage - www.google.it
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 01:01:49
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-2000478354-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll
c:\programmi\AlienGUIse\fastload.dll

- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\avgrsstx.dll
.
Ora fine scansione: 2009-01-14 1.02.34
ComboFix-quarantined-files.txt 2009-01-14 00:02:30

Pre-Run: 87.485.542.400 byte disponibili
Post-Run: 87,476,363,264 byte disponibili

242 --- E O F --- 2008-12-19 00:18:04
NrgRigo
New member
Posts: 19
Joined: Fri Feb 08, 2008 3:41 pm

Re: Bagle/Virus.

Post by ste_95 » Wed Jan 14, 2009 7:28 am

Now you can re-enable all the services that the malware disabled:
http://www.MegaLab.it/2657/4/bagle-un-w ... -antivirus
«Sometimes it is better to stay silent and seem stupid than to open your mouth and remove all doubt.» Oscar Wilde
ste_95
Official Member (Gold)
Posts: 17271
Joined: Mon Aug 06, 2007 11:19 am

