First of all, thank you.

1) Done
2) Done, here is the log:
Code:
SmitFraudFix v2.258

Scan done at 11.26.42,70, 08/12/2007
Run from C:\Documents and Settings\Roberto\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1       localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VM Network Connection - Miniport dell'Utilità di pianificazione pacchetti
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{26FAC87A-6AA1-4692-9C5D-84D08A03BF8C}: DhcpNameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B9731F51-FD86-49E7-A68E-310BDFC6F0AD}: DhcpNameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E87076CD-BFAA-45FF-A368-428D7DE26A29}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{26FAC87A-6AA1-4692-9C5D-84D08A03BF8C}: DhcpNameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B9731F51-FD86-49E7-A68E-310BDFC6F0AD}: DhcpNameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E87076CD-BFAA-45FF-A368-428D7DE26A29}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F868D25-4997-49E6-94F6-75FFC4C7725A}: NameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS2\Services\Tcpip\..\{26FAC87A-6AA1-4692-9C5D-84D08A03BF8C}: DhcpNameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS2\Services\Tcpip\..\{26FAC87A-6AA1-4692-9C5D-84D08A03BF8C}: NameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B9731F51-FD86-49E7-A68E-310BDFC6F0AD}: DhcpNameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B9731F51-FD86-49E7-A68E-310BDFC6F0AD}: NameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E87076CD-BFAA-45FF-A368-428D7DE26A29}: NameServer=85.255.116.119,85.255.112.62
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="kdmaw.exe"

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\kdmaw.exe Deleted
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
 

»»»»»»»»»»»»»»»»»»»»»»»» End
3) Done, here is the log:
Code:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\avwyosrm

*******************

Script file located at: \??\C:\jhschtpu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\ntos.exe not found!
Deletion of file C:\WINDOWS\system32\ntos.exe failed!

Could not process line:
C:\WINDOWS\system32\ntos.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.

Roby