
Screen at startup caused by a virus


Post by Pct » Tue Jun 16, 2009 5:43 pm

Hi everyone! Some time ago this PC was infected by that virus that makes the icons and the Start bar disappear from the desktop.. basically the one that "empties" the desktop: http://www.MegaLab.it/2761/desktop-vuot ... i-un-virus

It's a slightly different variant, but deleting similar registry entries was enough to get the desktop working again (this was in October). As soon as I did that, though, Spybot warned me about some registry changes, which I denied (I guess I shouldn't have done that XD). Now, at Windows startup, before the user selection screen appears and after the black one with the Windows XP flag, a light-blue screen appears with something strange written on it about a registry key, I think; but this light-blue screen disappears right away, and I can't manage to read it. I can't find any information about it in the Event Viewer either. Does anyone know how I can make it go away? Basically I hadn't solved this problem in October, and I hadn't even finished the cleanup; now the desktop had disappeared again, so I deleted the virus's registry keys again, but the problem of that light-blue screen before Windows starts is still there, and I can't fix it. Does anyone know how to fix it? Do you think it's possible that if I completely remove the virus, that damned light-blue screen will disappear too? (The light-blue screen is like the scandisk one, except it only appears for a fraction of a second and has this registry key written in it.. [boh] )

Thank you in advance for your interest [^]
It is easier to split an atom than a prejudice - Albert Einstein

Re: Screen at startup caused by a virus

Post by crazy.cat » Tue Jun 16, 2009 5:46 pm

Don't you find anything among the startup programs?
Try looking with Autoruns to see whether you find any strange entries, and post them here.
When the many govern, they think only of pleasing themselves, and then you have the most foolish and most hateful tyranny: tyranny disguised as freedom.

Re: Screen at startup caused by a virus

Post by Pct » Tue Jun 16, 2009 7:11 pm

Hi crazy, sorry for the delay. I can't make sense of Autoruns.. I only managed to read the beginning of that key it shows me on that light-blue screen, and it starts with: \systemroot\ if I'm not mistaken... I think I also read boot execute, but I'm not sure.. [boh] .

I checked the startup entries with CCleaner, and among the entries I don't recognize there is: ShowWnd.exe, the path is not specified.

Right now I was scanning with Malwarebytes, and so far it has 14 infected items.. thanks for the help! [^] Do you have any other ideas?

P.S. I'm adding the Malwarebytes Anti-Malware log:

Malwarebytes' Anti-Malware 1.37
Versione del database: 2288
Windows 5.1.2600 Service Pack 3

16/06/2009 21.24.38
mbam-log-2009-06-16 (21-24-38).txt

Tipo di scansione: Scansione completa (A:\|C:\|D:\|E:\|)
Elementi scansionati: 207590
Tempo trascorso: 2 hour(s), 31 minute(s), 23 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 14
Valori di registro infetti: 9
Elementi dato del registro infetti: 1
Cartelle infette: 15
File infetti: 21

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
HKEY_CLASSES_ROOT\CLSID\{8aa4410f-a3ee-4279-8f2c-4bfab8ceb231} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8aa4410f-a3ee-4279-8f2c-4bfab8ceb231} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{db893839-10f0-4af9-92fa-b23528f530af} (Dialer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000020040000} (Trojan.Dialer) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Downloader) -> Quarantined and deleted successfully.

Valori di registro infetti:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Spyware.Ambler) -> Quarantined and deleted successfully.

Elementi dato del registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Cartelle infette:
c:\documents and settings\Alice\Dati applicazioni\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Alice\dati applicazioni\shoppingreport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Alice\dati applicazioni\shoppingreport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Alice\dati applicazioni\shoppingreport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Alice\dati applicazioni\shoppingreport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Alice\dati applicazioni\shoppingreport\cs\res2 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Programmi\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\programmi\shoppingreport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\programmi\shoppingreport\Bin\2.0.26 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Programmi\ErrorKiller (Rogue.ErrorKiller) -> Quarantined and deleted successfully.
C:\Programmi\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Programmi\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.
c:\programmi\bitdownload\ZM (Trojan.Lop) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

File infetti:
C:\WINDOWS\system32\krmnat.dll (Trojan.Banker) -> Quarantined and deleted successfully.
c:\programmi\multi_media_italy\tbMul0.dll (Adware.Shopper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{47290b63-9d6c-4e8c-8225-76fbb744187f}\RP512\A0626320.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{47290b63-9d6c-4e8c-8225-76fbb744187f}\RP512\A0629479.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Alice\dati applicazioni\shoppingreport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Alice\dati applicazioni\shoppingreport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Alice\dati applicazioni\shoppingreport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Alice\dati applicazioni\shoppingreport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Alice\dati applicazioni\shoppingreport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Alice\dati applicazioni\shoppingreport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\documents and settings\Alice\dati applicazioni\shoppingreport\cs\res2\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\programmi\bitdownload\BitDownload.TRC (Trojan.Lop) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\shell31.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\c2d.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idm.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\q1.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pis (Malware.Trace) -> Quarantined and deleted successfully.


Re: Screen at startup caused by a virus

Post by crazy.cat » Wed Jun 17, 2009 6:50 am

Do you have this keyboard?
Pct wrote: among the entries I don't recognize there is: ShowWnd.exe

showwnd.exe is included with the Chicony keyboard software and is used by the software to stop the keyboard driver's taskbar entry from reappearing.

We would need the complete error message to understand what this is about.

Re: Screen at startup caused by a virus

Post by Pct » Wed Jun 17, 2009 2:47 pm

crazy.cat wrote: Do you have this keyboard?
Pct wrote: among the entries I don't recognize there is: ShowWnd.exe

showwnd.exe is included with the Chicony keyboard software and is used by the software to stop the keyboard driver's taskbar entry from reappearing.

We would need the complete error message to understand what this is about.


Ok. Today I'm not at that PC (on the other hand I went to someone else's to format theirs, and it won't take the video card CDs.. what bad luck! I even downloaded the drivers from the internet and nothing, it opens the setup, says it is preparing InstallShield etc., but then the window closes and it doesn't install anything.. but that's "another story" [:D] ); if I can, next time I go I'll read the error slowly, piece by piece, and report it here! Thanks for the help [^]

Re: Screen at startup caused by a virus

Post by Mikleman » Wed Jun 24, 2009 10:06 am

Pct wrote: Hi crazy, sorry for the delay. I can't make sense of Autoruns.. I only managed to read the beginning of that key it shows me on that light-blue screen, and it starts with: \systemroot\ if I'm not mistaken... I think I also read boot execute, but I'm not sure.. [boh] .

I checked the startup entries with CCleaner, and among the entries I don't recognize there is: ShowWnd.exe, the path is not specified.

Right now I was scanning with Malwarebytes, and so far it has 14 infected items.. thanks for the help! [^] Do you have any other ideas?

P.S. I'm adding the Malwarebytes Anti-Malware log:


mmmh /systemroot/bootexecute eh you know... a file vital for Windows startup, nothing much xD

Re: Screen at startup caused by a virus

Post by Pct » Wed Jun 24, 2009 9:18 pm

Mikleman wrote:
Pct wrote: Hi crazy, sorry for the delay. I can't make sense of Autoruns.. I only managed to read the beginning of that key it shows me on that light-blue screen, and it starts with: \systemroot\ if I'm not mistaken... I think I also read boot execute, but I'm not sure.. [boh] .

I checked the startup entries with CCleaner, and among the entries I don't recognize there is: ShowWnd.exe, the path is not specified.

Right now I was scanning with Malwarebytes, and so far it has 14 infected items.. thanks for the help! [^] Do you have any other ideas?

P.S. I'm adding the Malwarebytes Anti-Malware log:


mmmh /systemroot/bootexecute eh you know... a file vital for Windows startup, nothing much xD


the thing is that, stupidly, I had denied Spybot the possibility of creating a registry key, and it's been doing this ever since lol



megalab.it: daily online publication registered at the Court of Cosenza, no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - VAT no. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising