Esegui Leggendo sui forum ho visto che devo fare la scansione con GMER, l'ho fatta e l'ho postata.
Qualcuno può darmi una mano?
-
- Annuncio Pubblicitario
PROBLEMA CON hldrrr.exe & wintems.exe
11 messaggi
• Pagina 1 di 1
PROBLEMA CON hldrrr.exe & wintems.exe
da antoloi » mer gen 16, 2008 10:13 pm
Leggendo sui forum ho visto che devo fare la scansione con GMER, l'ho fatta e l'ho postata.
Qualcuno può darmi una mano?
-
antoloi - Neo Iscritto
- Messaggi: 7
- Iscritto il: mer gen 16, 2008 10:09 pm
da ste_95 » gio gen 17, 2008 8:08 am
Strano,visto che diciamo esplicitamente che è necessaria la scansione con kaspersky.
Nel tuo caso però , non avendo ancora il malware preso il controllo del tuo pc, prova ed eseguire quanto segue e vedi se gli allarmi cessano:
Scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Metti il pallino su input script manually
Quindi scegli la lente e cliccaci
Ora incolla queste righe nella box bianca che si è aperta:
Files to delete:
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\windows\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\hldrrr.ex_
C:\WINDOWS\system32\mdelk.exe
folders to delete:
C:\WINDOWS\exefnd
C:\WINDOWS\exefld
C:\WINDOWS\system32\drivers\down
registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Adesso devi cliccare su Done in basso nella box
Seleziona il semaforino in alto a destra
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.
Nel tuo caso però , non avendo ancora il malware preso il controllo del tuo pc, prova ed eseguire quanto segue e vedi se gli allarmi cessano:
Scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Metti il pallino su input script manually
Quindi scegli la lente e cliccaci
Ora incolla queste righe nella box bianca che si è aperta:
Files to delete:
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\windows\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\hldrrr.ex_
C:\WINDOWS\system32\mdelk.exe
folders to delete:
C:\WINDOWS\exefnd
C:\WINDOWS\exefld
C:\WINDOWS\system32\drivers\down
registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Adesso devi cliccare su Done in basso nella box
Seleziona il semaforino in alto a destra
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.
«A volte è meglio tacere e sembrare stupidi che aprir bocca e togliere ogni dubbio.» Oscar Wilde
-
ste_95 - Membro Ufficiale (Gold)
- Messaggi: 17271
- Iscritto il: lun ago 06, 2007 11:19 am
da antoloi » gio gen 17, 2008 9:07 am
Scusa ma non sono riuscito a copiare il primo file .text non so perché ma si è chiuso. Ho rifatto la pocedura e nel file ho trovato questo:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hmsodbdq
*******************
Script file located at: iwoolclb
Could not open script file! Error
Could not open script file! Status: 0xc000003b Abort!
Conta che non riesco ad usare il wireless e che comodo rileva ancora la presenza di quei due wintems e hkdrrr
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hmsodbdq
*******************
Script file located at: iwoolclb
Could not open script file! Error
Could not open script file! Status: 0xc000003b Abort!
Conta che non riesco ad usare il wireless e che comodo rileva ancora la presenza di quei due wintems e hkdrrr
-
antoloi - Neo Iscritto
- Messaggi: 7
- Iscritto il: mer gen 16, 2008 10:09 pm
da ste_95 » gio gen 17, 2008 9:26 am
ste_95 ha scritto:Diciamo esplicitamente che è necessaria la scansione con kaspersky.
«A volte è meglio tacere e sembrare stupidi che aprir bocca e togliere ogni dubbio.» Oscar Wilde
-
ste_95 - Membro Ufficiale (Gold)
- Messaggi: 17271
- Iscritto il: lun ago 06, 2007 11:19 am
da antoloi » gio gen 17, 2008 12:20 pm
Questo è il log di kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 17, 2008 12:22:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/01/2008
Kaspersky Anti-Virus database records: 513742
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Folders:
C:\
Scan Statistics:
Total number of scanned objects: 39651
Number of viruses found: 5
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 00:37:37
Infected Object Name / Virus Name / Last Action
C:\avenger\backup-16.01.2008-21.40.32,37.zip/avenger/backup.reg Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\avenger\backup-16.01.2008-21.40.32,37.zip/avenger/down/5833062.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\avenger\backup-16.01.2008-21.40.32,37.zip/avenger/mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\avenger\backup-16.01.2008-21.40.32,37.zip/avenger/Muestras/HLDRRR.EXE.Muestra EliBagle v10.87 Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\avenger\backup-16.01.2008-21.40.32,37.zip/avenger/wmpnscfg.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\avenger\backup-16.01.2008-21.40.32,37.zip ZIP: infected - 5 skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Antonio\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Adobe\Acrobat\7.0\Updater\udlog.txt Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\cert8.db Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\history.dat Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\key3.db Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\parent.lock Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Cronologia\History.IE5\MSHist012008011720080118\index.dat Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Identities\{D956AD59-F2A7-463F-BF55-2A04EAE624AF}\Microsoft\Outlook Express\Posta eliminata.dbx/[From "Bob Corbin" <finickiestqtl551@rhs-inside.com>][Date Wed, 8 Jan 2008 15:14:50 -0500]/UNNAMED/foto/foto.scr Infected: Trojan.Win32.Pakes.bxi skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Identities\{D956AD59-F2A7-463F-BF55-2A04EAE624AF}\Microsoft\Outlook Express\Posta eliminata.dbx/[From "Bob Corbin" <finickiestqtl551@rhs-inside.com>][Date Wed, 8 Jan 2008 15:14:50 -0500]/UNNAMED/foto Infected: Trojan.Win32.Pakes.bxi skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Identities\{D956AD59-F2A7-463F-BF55-2A04EAE624AF}\Microsoft\Outlook Express\Posta eliminata.dbx/[From "Bob Corbin" <finickiestqtl551@rhs-inside.com>][Date Wed, 8 Jan 2008 15:14:50 -0500]/UNNAMED Infected: Trojan.Win32.Pakes.bxi skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Identities\{D956AD59-F2A7-463F-BF55-2A04EAE624AF}\Microsoft\Outlook Express\Posta eliminata.dbx Mail MS Outlook 5: infected - 3 skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Temp\~DF1023.tmp Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Temporary Internet Files\Content.IE5\AEI8CKXJ\b64_2[1].jpg Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Temporary Internet Files\Content.IE5\RREIDGOD\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Antonio\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Antonio\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd1725.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 17, 2008 12:22:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/01/2008
Kaspersky Anti-Virus database records: 513742
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Folders:
C:\
Scan Statistics:
Total number of scanned objects: 39651
Number of viruses found: 5
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 00:37:37
Infected Object Name / Virus Name / Last Action
C:\avenger\backup-16.01.2008-21.40.32,37.zip/avenger/backup.reg Infected: Trojan-Downloader.Win32.Bagle.hp skipped
C:\avenger\backup-16.01.2008-21.40.32,37.zip/avenger/down/5833062.exe Infected: Trojan.Win32.Pakes.bwy skipped
C:\avenger\backup-16.01.2008-21.40.32,37.zip/avenger/mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\avenger\backup-16.01.2008-21.40.32,37.zip/avenger/Muestras/HLDRRR.EXE.Muestra EliBagle v10.87 Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\avenger\backup-16.01.2008-21.40.32,37.zip/avenger/wmpnscfg.exe Infected: Trojan-Downloader.Win32.Bagle.ig skipped
C:\avenger\backup-16.01.2008-21.40.32,37.zip ZIP: infected - 5 skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Antonio\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Adobe\Acrobat\7.0\Updater\udlog.txt Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\cert8.db Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\history.dat Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\key3.db Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\parent.lock Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Antonio\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Cronologia\History.IE5\MSHist012008011720080118\index.dat Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Identities\{D956AD59-F2A7-463F-BF55-2A04EAE624AF}\Microsoft\Outlook Express\Posta eliminata.dbx/[From "Bob Corbin" <finickiestqtl551@rhs-inside.com>][Date Wed, 8 Jan 2008 15:14:50 -0500]/UNNAMED/foto/foto.scr Infected: Trojan.Win32.Pakes.bxi skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Identities\{D956AD59-F2A7-463F-BF55-2A04EAE624AF}\Microsoft\Outlook Express\Posta eliminata.dbx/[From "Bob Corbin" <finickiestqtl551@rhs-inside.com>][Date Wed, 8 Jan 2008 15:14:50 -0500]/UNNAMED/foto Infected: Trojan.Win32.Pakes.bxi skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Identities\{D956AD59-F2A7-463F-BF55-2A04EAE624AF}\Microsoft\Outlook Express\Posta eliminata.dbx/[From "Bob Corbin" <finickiestqtl551@rhs-inside.com>][Date Wed, 8 Jan 2008 15:14:50 -0500]/UNNAMED Infected: Trojan.Win32.Pakes.bxi skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Identities\{D956AD59-F2A7-463F-BF55-2A04EAE624AF}\Microsoft\Outlook Express\Posta eliminata.dbx Mail MS Outlook 5: infected - 3 skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\ezagzq5b.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Temp\~DF1023.tmp Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Temporary Internet Files\Content.IE5\AEI8CKXJ\b64_2[1].jpg Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Antonio\Impostazioni locali\Temporary Internet Files\Content.IE5\RREIDGOD\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Antonio\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Antonio\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd1725.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
-
antoloi - Neo Iscritto
- Messaggi: 7
- Iscritto il: mer gen 16, 2008 10:09 pm
da ste_95 » gio gen 17, 2008 12:23 pm
La scansione andava fatta estesa, ma proviamolo stesso:
Scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Metti il pallino su input script manually
Quindi scegli la lente e cliccaci
Ora incolla queste righe nella box bianca che si è aperta:
Files to delete:
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\windows\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\hldrrr.ex_
C:\WINDOWS\system32\mdelk.exe
C:\Documents and Settings\Antonio\Impostazioni locali\Temporary Internet Files\Content.IE5\RREIDGOD\b64_3[1].jpg
folders to delete:
C:\WINDOWS\exefnd
C:\WINDOWS\exefld
C:\WINDOWS\system32\drivers\down
registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Adesso devi cliccare su Done in basso nella box
Seleziona il semaforino in alto a destra
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.
Scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Metti il pallino su input script manually
Quindi scegli la lente e cliccaci
Ora incolla queste righe nella box bianca che si è aperta:
Files to delete:
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\windows\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\hldrrr.ex_
C:\WINDOWS\system32\mdelk.exe
C:\Documents and Settings\Antonio\Impostazioni locali\Temporary Internet Files\Content.IE5\RREIDGOD\b64_3[1].jpg
folders to delete:
C:\WINDOWS\exefnd
C:\WINDOWS\exefld
C:\WINDOWS\system32\drivers\down
registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Adesso devi cliccare su Done in basso nella box
Seleziona il semaforino in alto a destra
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.
«A volte è meglio tacere e sembrare stupidi che aprir bocca e togliere ogni dubbio.» Oscar Wilde
-
ste_95 - Membro Ufficiale (Gold)
- Messaggi: 17271
- Iscritto il: lun ago 06, 2007 11:19 am
da antoloi » gio gen 17, 2008 12:33 pm
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qtfrasop
*******************
Script file located at: \??\C:\Documents and Settings\wyigiolo.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\drivers\hidr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!
Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\srosa.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc0000034
File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!
Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000034
File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!
Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\trusted.exe not found!
Deletion of file C:\WINDOWS\system32\trusted.exe failed!
Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034
File C:\windows\system32\drivers\hldrrr.exe not found!
Deletion of file C:\windows\system32\drivers\hldrrr.exe failed!
Could not process line:
C:\windows\system32\drivers\hldrrr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\hldrrr.ex_ not found!
Deletion of file C:\WINDOWS\system32\drivers\hldrrr.ex_ failed!
Could not process line:
C:\WINDOWS\system32\drivers\hldrrr.ex_
Status: 0xc0000034
File C:\WINDOWS\system32\mdelk.exe not found!
Deletion of file C:\WINDOWS\system32\mdelk.exe failed!
Could not process line:
C:\WINDOWS\system32\mdelk.exe
Status: 0xc0000034
File C:\Documents and Settings\Antonio\Impostazioni locali\Temporary Internet
Files\Content.IE5\RREIDGOD\b64_3[1].jpg deleted successfully.
Folder C:\WINDOWS\exefnd not found!
Deletion of folder C:\WINDOWS\exefnd failed!
Could not process line:
C:\WINDOWS\exefnd
Status: 0xc0000034
Folder C:\WINDOWS\exefld not found!
Deletion of folder C:\WINDOWS\exefld failed!
Could not process line:
C:\WINDOWS\exefld
Status: 0xc0000034
Folder C:\WINDOWS\system32\drivers\down not found!
Deletion of folder C:\WINDOWS\system32\drivers\down failed!
Could not process line:
C:\WINDOWS\system32\drivers\down
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qtfrasop
*******************
Script file located at: \??\C:\Documents and Settings\wyigiolo.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\drivers\hidr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!
Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\srosa.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc0000034
File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!
Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000034
File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!
Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\trusted.exe not found!
Deletion of file C:\WINDOWS\system32\trusted.exe failed!
Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034
File C:\windows\system32\drivers\hldrrr.exe not found!
Deletion of file C:\windows\system32\drivers\hldrrr.exe failed!
Could not process line:
C:\windows\system32\drivers\hldrrr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\hldrrr.ex_ not found!
Deletion of file C:\WINDOWS\system32\drivers\hldrrr.ex_ failed!
Could not process line:
C:\WINDOWS\system32\drivers\hldrrr.ex_
Status: 0xc0000034
File C:\WINDOWS\system32\mdelk.exe not found!
Deletion of file C:\WINDOWS\system32\mdelk.exe failed!
Could not process line:
C:\WINDOWS\system32\mdelk.exe
Status: 0xc0000034
File C:\Documents and Settings\Antonio\Impostazioni locali\Temporary Internet
Files\Content.IE5\RREIDGOD\b64_3[1].jpg deleted successfully.
Folder C:\WINDOWS\exefnd not found!
Deletion of folder C:\WINDOWS\exefnd failed!
Could not process line:
C:\WINDOWS\exefnd
Status: 0xc0000034
Folder C:\WINDOWS\exefld not found!
Deletion of folder C:\WINDOWS\exefld failed!
Could not process line:
C:\WINDOWS\exefld
Status: 0xc0000034
Folder C:\WINDOWS\system32\drivers\down not found!
Deletion of folder C:\WINDOWS\system32\drivers\down failed!
Could not process line:
C:\WINDOWS\system32\drivers\down
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
-
antoloi - Neo Iscritto
- Messaggi: 7
- Iscritto il: mer gen 16, 2008 10:09 pm
11 messaggi
• Pagina 1 di 1
Chi c’è in linea
Visitano il forum: Nessuno e 36 ospiti
megalab.it: testata telematica quotidiana registrata al Tribunale di Cosenza n. 22/09 del 13.08.2009, editore Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa Tutti i diritti sono riservati. Per la pubblicità: Master Advertising