Aiuto ogni volta che accendo il PC l'antivirus AVG mi dice di aver trovato un Trojan Horse Backdoor ntrootkit.J nella casella C:\windows\sistem32\bkernel.sys.....Lo cancello e faccio scansione....sparito; riavvio il PC e mi ritorna...
Come faccio arimuoverlo definitivamente?????
Grazie
posta il log di hijakchtis.per vedere come si fa legi 'articolo rimozione del malware punto 4.
mi sa che con il solo log di hiajckthis non risolveremo...
fai ANCHE una scansione antivirus online con kaspersky... e poi postane il relativo log generato da essa....
Ho monitorato il pc con vari antivirus..Killbox, Sysclean ,Virit (questo scansiona il file bkernel.sys ma non lo fa sospetto) ecc...Ho rimosso il file manualmente ma al riavvio mi esce il messaggio dellāntivirus AVG...Anche se il file non fosse dannoso l'uscita di quella finestra é una rottura...Non si puó fare ancora qualcosa????
Comunque vorrei spedirvi il log generato con HijackThis ma accetta solo file grafici.....
Grazie
ripeto:
fai una scansione online con kaspersky e poi postane il relativo log...
Ok....il mio problema é postare il log....
Grazie
devi fare copia e incolla di tutte le scritte del log e metterle nel post...
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:30:54, on 29.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programme\CPUCooL\CooLSrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Pwrchute\ups.exe
C:\VEXPLITE\viritsvc.exe
C:\Programme\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Iomega\AutoDisk\ADUserMon.exe
C:\Programme\Iomega\DriveIcons\ImgIcon.exe
C:\Programme\ScreenPrint32 v3\ScreenPrint32.exe
C:\Programme\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\D-Tools\daemon.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programme\Art Plus\EasyNoter 2.14\easynoter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleTo olbarNotifier.exe
C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
C:\Programme\ATI Technologies\ATI.ACE\CLI.exe
C:\Programme\3M\PDNotes\PDNotes.exe
C:\Programme\WinZip\WZQKPICK.EXE
C:\Programme\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Programme\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Programme\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\JUE395.EXE
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Trend Micro\Client Server Security Agent\PCCNTMON.EXE
C:\WINDOWS\system32\svchost.exe
C:\totalcmd_pp\totalcmd.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\totalcmd_pp\totalcmd.exe
D:\Alte Disk\user1\zip\HIJACK\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.0.301. 7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Programme\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programme\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Programme\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ScreenPrint32] C:\Programme\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [MMTray] "C:\Programme\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programme\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [mmtask] "C:\Programme\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msupdate] c:\windows\system32\msvcrt.exe
O4 - HKLM\..\Run: [vztiaa.exe] C:\DOKUME~1\User2\LOKALE~1\Temp\vztiaa.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [easynoter.exe] C:\Programme\Art Plus\EasyNoter 2.14\easynoter.exe /a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleTo olbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Iomega Quick Tools NT.lnk = C:\Iomg_NT\Quick.exe
O4 - Startup: Opzioni d'avvio Iomega .lnk = C:\Iomg_NT\startnt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ATI CATALYST-Infobereich.lnk = C:\Programme\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
O4 - Global Startup: Post-itŪ Digital Notes.lnk = ?
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programme\Gemeinsame Dateien\Autodesk Shared\acstart17.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: http://*.alice.it
O15 - Trusted Zone: http://*.alicemessenger.alice.it
O15 - Trusted Zone: http://*.messenger-wizard.rossoalice.alice.it
O15 - Trusted Zone: http://*.server
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://212.162.68.213/rainet02/Rawflow.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server/ConnectComputer/nshelp.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Programme\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = crepaz.local
O17 - HKLM\Software\..\Telephony: DomainName = crepaz.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = crepaz.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = crepaz.local
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Programme\CPUCooL\CooLSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Trend Micro Client-Server Security Agent Echtzeitsuche (ntrtscan) - Trend Micro Inc. - C:\Programme\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: DirectX Service (Nujup) - Unknown owner - C:\WINDOWS\system32\directx.exe
O23 - Service: Trend Micro Client-Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programme\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\Gemeinsame Dateien\PCSuite\Services\ServiceLayer.exe
O23 - Service: Trend Micro Client-Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Programme\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Unterbrechungsfreie Stromversorgung (UPS) - APC - C:\Programme\Pwrchute\ups.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Programme\Iomega\AutoDisk\ADService.exe
--
End of file - 10798 bytes
Spero che riusciate a risolvere il mio caso.....
Avvia hijakcthis,spunta a sinistra sulla seguente voce:
O4 - HKLM\..\Run: [vztiaa.exe] C:\DOKUME~1\User2\LOKALE~1\Temp\vztiaa.exe
e sotto su fix checked.il file dato da te in questione secondo me e un falso driver che confonde l'ativirus e non permette l'eliminazione anche se lo dice avg.
scansiona il file C:\WINDOWS\system32\bkernel.sys su www.virustotal.com oppure su http://scanner.virus.org
se e un virus procedi cosi':
scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
scompatta il file.zip
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento
Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte:
files to delete:
C:\WINDOWS\system32\bkernel.sys
poi
Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo,se cosė non fosse riavvialo manualmente
Il programma rilascia un log con le operazioni eseguite.
Posta il log di Avenger (C:/avenger.txt) con līesito dello script.
posta il log anche su www.hijackthis.de e posta il log nel sito.ti diranno subito se c'e qualcosa di infetto che non ho visto nel log.
Ho fatto l'operazione con Hijackthis come mi hai suggerito...Poi sono andato a scansionare il file bkernel.sys su entrambi i programmi ma sul primo quando seleziono il file e faccio send mi esce la solita finestra di avviso del AVG e poi mi si apre una finestra che il file non esiste..Idem con l'altro programma...enter sul file ..finestra AVG e po mi dice per inglese che non ho selezionato nessun file....
Permessi di invio
Rispondi quotando