
Thread: HijackThis log

  1. #1
    HTML.it user
    Registered
    Nov 2006
    Posts
    14

    HijackThis log

    so I should have both the rootkit and Lop.Ah; if there's some kind soul who will help me, I'll be grateful! bye

    Logfile of HijackThis v1.99.1
    Scan saved at 18.11.45, on 01/11/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Programmi\DAEMON Tools\daemon.exe
    C:\Programmi\DAP\DAP.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\Messenger\msmsgs.exe
    C:\Programmi\Norton AntiVirus\navapsvc.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Documents and Settings\dio\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {7DF18406-0B60-1B61-838F-B6DF4FC8E84A} - C:\WINDOWS\ckdih1.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [tghy1.exe] C:\WINDOWS\TEMP\tghy1.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Programmi\DAP\DAP.EXE" /STARTUP
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WebNwi - Unknown owner - C:\Programmi\File comuni\Services\nkd.exe (file missing)
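The log above is what the helpers in this thread read by hand. What follows is an added example, not code from the thread or from HijackThis itself: a small Python parser for the O2, O4 and O23 lines that flags the entries an analyst would look at first. The sample lines are copied from the log above. The three heuristics it applies (a component marked "(file missing)", an autorun launched from a TEMP directory, a service with "Unknown owner") are my assumptions about what merits review, not rules HijackThis applies, and "unknown owner" on its own is only a prompt to check, as the legitimate Ati HotKey Poller entry shows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Class - {7DF18406-0B60-1B61-838F-B6DF4FC8E84A} - C:\WINDOWS\ckdih1.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [tghy1.exe] C:\WINDOWS\TEMP\tghy1.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: WebNwi - Unknown owner - C:\Programmi\File comuni\Services\nkd.exe (file missing)
"""


@dataclass
class Entry:
    section: str                 # HijackThis section: O2 (BHO), O4 (Run key), O23 (service)
    name: str
    path: str
    file_missing: bool           # HijackThis appends "(file missing)" when the file is gone
    owner: Optional[str] = None  # only O23 lines carry a service owner


@dataclass
class Finding:
    entry: Entry
    reasons: List[str]


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)   # heuristic (assumption): autoruns from a TEMP directory


def command_path(cmd: str) -> str:
    """Extract the executable from an O4 command line: the quoted part, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O2/O4/O23 line; other HijackThis sections are ignored."""
    m = O2_RE.match(line)
    if m:
        return Entry("O2", m["name"], m["path"], m["missing"] is not None)
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m["name"], command_path(m["cmd"]), False)
    m = O23_RE.match(line)
    if m:
        return Entry("O23", m["name"], m["path"], m["missing"] is not None, m["owner"])
    return None


def parse_entries(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        entry = parse_line(raw.strip())
        if entry is not None:
            entries.append(entry)
    return entries


def assess(entry: Entry) -> List[str]:
    """Reasons an analyst would want to look at this entry (my heuristics, not HijackThis rules)."""
    reasons = []
    if entry.file_missing:
        reasons.append("file missing")
    if TEMP_RE.search(entry.path):
        reasons.append("runs from a temp directory")
    if entry.owner == "Unknown owner":
        reasons.append("unknown owner")
    return reasons


def triage(text: str) -> List[Finding]:
    """Return only the entries that have at least one reason for review, in log order."""
    findings = []
    for entry in parse_entries(text):
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.section:<4} {f.entry.name:<22} {f.entry.path}  <- {', '.join(f.reasons)}")
```

Run against the full log it prints the BHO whose DLL AVG had already removed, the autorun in C:\WINDOWS\TEMP, and the WebNwi service with a missing binary; the Norton and AVG components produce no finding. The "unknown owner" heuristic is deliberately weak, since HijackThis cannot verify signatures, so an entry with that reason alone still needs a manual look before anything is fixed.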

  2. #2
    via pop-up

    C:\WINDOWS\scrss32.dll = Hacktool.Rootkit (seen by Norton)
    C:\Documents and Se...\it_0007.exe = BloodHound.Polycrypt (seen by Norton)
    C:\WINDOWS\ckdih1.dll = Lop.AH (seen by AVG)
    C:\WINDOWS\scrss32.dll = Clicker.DHV (seen by AVG)


    via scan

    it_0007.exe = BloodHound.Polycrypt (seen by Norton)
    yqsdu.ocx = Trojan.Linkoptimizer (seen by Norton)

    nothing from AVG -.-

  3. #3
    run this tool

    http://www.mytempdir.com/1012500

    if it doesn't work, try renaming it, e.g. to tavolo.exe. post the log it writes to C:\gromozon_removal.log.

    then try running this utility

    Gmer --- http://www.gmer.net/files.php

    unpack the archive, run the gmer.exe file, and post the log from the scan of the Autostart section.
    Begun the Clone War has

    Yes yes, they made me an editor --- SuspectFile

  4. #4
    gromozon_removal.log is empty, but if I run "tavolo.exe" again it tells me I don't have the virus.
    the rootkit log is too long to post, but as I understood it only the autostart one was needed.

    GMER 1.0.12.11867 - http://www.gmer.net
    Autostart scan 2006-11-02 12:41:23
    Windows 5.1.2600


    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName = Ati2evxx.dll

    HKLM\SYSTEM\CurrentControlSet\Services\ >>>
    Ati HotKey Poller@ = %SystemRoot%\System32\Ati2evxx.exe
    Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    ccEvtMgr /*Symantec Event Manager*/@ = "C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
    ccSetMgr /*Symantec Settings Manager*/@ = "C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe"
    navapsvc /*Servizio Norton AntiVirus Auto-Protect*/@ = "C:\Programmi\Norton AntiVirus\navapsvc.exe"
    SBService /*ScriptBlocking Service*/@ = C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
    SymWSC /*SymWMI Service*/@ = C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
    SysXti /*SysXti*/@ = "C:\Programmi\File comuni\Services\vzY.exe"

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run@1 = C:\WINDOWS\service32.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
    @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
    @{5F327514-6C5E-4d60-8F16-D07FA08A78ED} /*Estensione finestra proprietà di aggiornamento automatico*/C:\WINDOWS\System32\wuaueng.dll = C:\WINDOWS\System32\wuaueng.dll
    @{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
    @{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Programmi\Grisoft\AVG7\avgse.dll = C:\Programmi\Grisoft\AVG7\avgse.dll
    @{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Programmi\Grisoft\AVG7\avgse.dll = C:\Programmi\Grisoft\AVG7\avgse.dll

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
    AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG7\avgse.dll
    DAP_Menu@{BED4C38B-F765-45AC-8C56-613F76BBF43E} = C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL
    DAP_ShredMenu@{BED4C38B-F765-45AC-8C56-613F76BBF43E} = C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL
    Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
    WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
    DAP_ShredMenu@{BED4C38B-F765-45AC-8C56-613F76BBF43E} = C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL
    WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
    AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG7\avgse.dll
    Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
    WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

    HKLM\Software\Microsoft\Internet Explorer\Main >>>
    @Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    @Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    @Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

    HKCU\Software\Microsoft\Internet Explorer\Main >>>
    @Start Pageabout:blank = about:blank
    @Local PageC:\WINDOWS\System32\blank.htm = C:\WINDOWS\System32\blank.htm

    HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
    dvd@CLSID = C:\WINDOWS\System32\msvidctl.dll
    its@CLSID = C:\WINDOWS\System32\itss.dll
    lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
    mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
    ms-its@CLSID = C:\WINDOWS\System32\itss.dll
    tv@CLSID = C:\WINDOWS\System32\msvidctl.dll
    vnd.ms.radio@CLSID = C:\WINDOWS\System32\msdxm.ocx

    HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

    ---- EOF - GMER 1.0.12 ----

  5. #5
    download The Avenger

    The Avenger --- http://swandog46.geekstogo.com/avenger.zip

    Disable the antivirus, the firewall and any HIPS modules

    Now extract and run Avenger.exe

    Select the "Input Script Manually" option
    Click the magnifying glass

    A "View/edit script" window opens
    Inside the white box, copy and paste the text in bold:


    Registry values to replace with dummy:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

    registry keys to delete:
    HKLM\SYSTEM\CurrentControlSet\Services\SysXti

    Files to delete:
    C:\WINDOWS\ckdih1.dll
    C:\Programmi\File comuni\Services\vzY.exe
    C:\Windows\service23.exe
    C:\Windows\scrss32.dll

    registry values to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1


    Click the Done button
    Click the green traffic-light icon twice
    Answer Yes twice
    The PC should reboot by itself; if it doesn't, reboot it manually


    The program writes a log of the operations it performed.

    Post the Avenger log (found in C:/avenger.txt) with the result of the script.

    also post a HijackThis log, since this one was incomplete... the HijackThis one will be enough to fill the "gap"

  6. #6
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\jpbjvaqc

    *******************

    Script file located at: \??\C:\Documents and Settings\raorkret.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Registry key HKLM\SYSTEM\CurrentControlSet\Services\SysXti deleted successfully.
    File C:\WINDOWS\ckdih1.dll deleted successfully.
    File C:\Programmi\File comuni\Services\vzY.exe deleted successfully.


    File C:\Windows\service23.exe not found!
    Deletion of file C:\Windows\service23.exe failed!

    Could not process line:
    C:\Windows\service23.exe
    Status: 0xc0000034

    File C:\Windows\scrss32.dll deleted successfully.


    Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs
    Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
    Status: 0xc0000034

    Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|1 deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.




    Logfile of HijackThis v1.99.1
    Scan saved at 15.21.40, on 02/11/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Programmi\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Documents and Settings\dio\Desktop\HijackThis.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
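The Avenger log above reports one file that could not be processed, with NTSTATUS 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND): the path named in the script did not exist on disk, and the AppInit_DLLs replacement failed for the same reason. As an added example, not part of the thread and not The Avenger's own code, this Python script reconciles an Avenger script against the log it produced and lists every target that was not actually removed, which is the check a helper does before declaring a machine clean. The script and log text are copied from the posts above; the section names and the log phrasing it matches are the ones visible in this thread, so other Avenger versions may need the patterns adjusted.

```python
import re
from typing import Dict, List

# Constructed sample: the Avenger script and log posted in this thread (indentation removed).
AVENGER_SCRIPT = r"""
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\SysXti

Files to delete:
C:\WINDOWS\ckdih1.dll
C:\Programmi\File comuni\Services\vzY.exe
C:\Windows\service23.exe
C:\Windows\scrss32.dll

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1
"""

AVENGER_LOG = r"""
Beginning to process script file:
Registry key HKLM\SYSTEM\CurrentControlSet\Services\SysXti deleted successfully.
File C:\WINDOWS\ckdih1.dll deleted successfully.
File C:\Programmi\File comuni\Services\vzY.exe deleted successfully.
File C:\Windows\service23.exe not found!
Deletion of file C:\Windows\service23.exe failed!
Could not process line:
C:\Windows\service23.exe
Status: 0xc0000034
File C:\Windows\scrss32.dll deleted successfully.
Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
Status: 0xc0000034
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|1 deleted successfully.
Completed script processing.
"""

# Section headers as written in the script above (compared case-insensitively).
SECTION_HEADERS = {
    "files to delete:",
    "registry keys to delete:",
    "registry values to delete:",
    "registry values to replace with dummy:",
}

# One result line per target, in the wording the log above uses.
RESULT_RE = re.compile(
    r"^(?:File|Registry key|Registry value|Deletion of file|"
    r"Replacement with dummy of registry value) (?P<target>.+?) "
    r"(?P<outcome>deleted successfully\.|not found!|failed!)$"
)
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]+)$")


def normalise(target: str) -> str:
    """The script writes 'key | value', the log echoes 'key|value'; paths and key
    names are case-insensitive on Windows, so compare lower-cased."""
    return re.sub(r"\s*\|\s*", "|", target.strip()).lower()


def parse_script(text: str) -> List[str]:
    """Targets listed under any section of the script, in script order, as written."""
    targets: List[str] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in SECTION_HEADERS:
            in_section = True
            continue
        if in_section:
            targets.append(line)
    return targets


def parse_log(text: str) -> Dict[str, str]:
    """Map each normalised target to 'deleted', 'not found' or 'failed', with the
    NTSTATUS code appended when a 'Status:' line follows the failure."""
    results: Dict[str, str] = {}
    pending_failure = None          # target whose Status: line has not been seen yet
    for raw in text.splitlines():
        line = raw.strip()
        m = RESULT_RE.match(line)
        if m:
            target = normalise(m["target"])
            outcome = m["outcome"]
            if outcome.startswith("deleted"):
                results[target] = "deleted"
            elif outcome.startswith("not found"):
                results[target] = "not found"
            else:
                # "failed!" follows "not found!" for the same target; keep the specific reason
                results.setdefault(target, "failed")
                pending_failure = target
            continue
        m = STATUS_RE.match(line)
        if m and pending_failure is not None:
            results[pending_failure] += " (" + m[1] + ")"
            pending_failure = None
    return results


def verify(script_text: str, log_text: str) -> Dict[str, str]:
    """Status of every script target, keyed by the line exactly as written in the script."""
    results = parse_log(log_text)
    return {t: results.get(normalise(t), "no result in log") for t in parse_script(script_text)}


def unfinished(report: Dict[str, str]) -> List[str]:
    """Targets the run did not remove: they need a corrected script or a manual step."""
    return [t for t, status in report.items() if status != "deleted"]


if __name__ == "__main__":
    for target, status in verify(AVENGER_SCRIPT, AVENGER_LOG).items():
        print(f"{status:<24} {target}")
```

On the thread's own data the report flags exactly two targets: the AppInit_DLLs value (nothing to replace, so no persistence had been set there) and C:\Windows\service23.exe, which is the typo the helper corrects in the next post (the GMER log names C:\WINDOWS\service32.exe). A target that appears in the script but produces no result line at all is reported as "no result in log", since a silently skipped line is the case a manual read of the log most easily misses.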

  7. #7
    God strike me down, I made a typo (though not a serious one)

    to fix it, do this:

    press Start -> Run -> type cmd and press Enter -> at the prompt type del C:\Windows\service32.exe then press Enter. the surviving file will be deleted.

    then post a complete HijackThis log... yours wasn't.

  8. #8
    I swear it's complete; here it is again, I just redid it after running the last command you gave me.

    Logfile of HijackThis v1.99.1
    Scan saved at 17.00.21, on 03/11/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Programmi\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\WINDOWS\service32.exe
    C:\Documents and Settings\dio\Desktop\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

    now that I think about it... it may be incomplete because I ticked every item in the list and did Fix checked??? (before downloading gromozon)

  9. #9
    I don't think you'd be able to do anything if you had cleaned up the log completely... besides, gmer has a complete log... anyway it looks like you have to redo the Avenger script... the virus survived...

    here is the corrected script, the procedure is the same as before:

    registry keys to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Files to delete:
    C:\Windows\service32.exe
    C:\Windows\scrss32.dll


    then let's see if you manage to post a whole log... maybe it's the trojan that keeps HJT from working properly

  10. #10


    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\ryajbtue

    *******************

    Script file located at: \??\C:\Documents and Settings\wurwibsp.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\Windows\service32.exe deleted successfully.
    File C:\Windows\scrss32.dll deleted successfully.
    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.


    Logfile of HijackThis v1.99.1
    Scan saved at 21.14.45, on 03/11/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Programmi\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Documents and Settings\dio\Desktop\HijackThis.exe

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
