ciao a tutti ,ho bisogno di un aiuto,non riesco piu ad installare un antivirus,da quello che ho capito dovrebbe essere un beagle,per favore aiutatemi,grazie
ciao a tutti ,ho bisogno di un aiuto,non riesco piu ad installare un antivirus,da quello che ho capito dovrebbe essere un beagle,per favore aiutatemi,grazie
Segui questa procedura:
http://forum.html.it/forum/showthrea...readid=1202672
inserendo questo script:
http://forum.html.it/forum/showthrea...readid=1203273
se è bagle, te ne rendi conto già dallo script, quindi dall'inizio, perchè non trova nessun file tra quelli indicati.
se ti mando il log di hijakthis tu mi puoi aiutare?
Logfile of HijackThis v1.99.1
Scan saved at 1.35.31, on 23/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\ltmoh\Ltmoh.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\ePM\EPM-DM.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleTo olbarNotifier.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\AP Service\Dati applicazioni\m\flec006.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\APSERV~1\IMPOST~1\Temp\Rar$EX03.344\Hi jackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_ 5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.1121 .2472\swg.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_ 5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar4.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programmi\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll",AppEntry -REG "Aethra\ADSL EB1070 USB"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISTray] "C:\Programmi\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [plpmrhhj] C:\fmuhtijo.bat
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [feedreader.exe] "C:\Programmi\FeedReader30\feedreader.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleTo olbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &eBay Search - res://C:\Programmi\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.it
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F83CD9E-505E-4F87-BECE-0832A763E36F} (Image Uploader 3.0 Control) - http://www.mypixmania.com/importer/MypixUploader.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120591732609
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypix.com/importer/ImageUploader4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5BC716E-2650-4B08-9235-C110CF95017F} (Connessione Tiscali) - http://selfcare.tiscali.it/scripts/o...oneTiscali.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BAE4E07-B36C-4AC7-A472-6AB15BCF7328}: NameServer = 85.37.17.8 85.38.28.73
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
he ne dici?
si vede solo questo: O4 - HKLM\..\Run: [plpmrhhj] C:\fmuhtijo.bat
ma è poco per capire..credo sia Vundo. Comunque, fai questo:
Scarica Avenger
Eseguilo, seleziona l'opzione "Input Script Manually" e clicca sulla lente d'ingrandimento. Nel box bianco, copia/incolla:
Clicca sul pulsante "Done", poi sul semaforo verde. Rispondi 2 volte Yes.Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Files to delete:
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\hidrrr.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\drivers\pci32.sys
C:\WINDOWS\system32\wintems.exe
c:\WINDOWS\system32\hlpuybtr.exe
C:\WINDOWS\system32\hldrrr.exe
folders to delete:
c:\WINDOWS\exefld
c:\WINDOWS\exefnd
registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\m_hook
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\pci32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\srosa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_M_HOOK
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_SROSA
registry values to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run | hldrrr
Il pc dovrebbe riavviarsi da solo, altrimenti riavvialo tu. Posta il rapporto che trovi in c:\avenger
Per quanto riguarda quel file, invece, scarica SistemScan
Disconnettiti da internet => esegui sistemscan => spunta tutte le opzioni => clicca su "Scan Now".
Finita la scansione, carica il rapporto che trovi in C:\Suspectfile su www.sendmefile.com e posta il link ottenuto.
Se hai problemi con il SeDebug, scarica SeDebug-Restore.
esegui l'applicazione. Riavvia e riprova con SystemScan
ok ho fatt come hai detto e mi è uscito questo:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\pxdp^anw
*******************
Script file located at: \??\C:\iimlnued.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\drivers\hidr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!
Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\hidrrr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidrrr.exe failed!
Could not process line:
C:\WINDOWS\system32\drivers\hidrrr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\hldrrr.exe deleted successfully.
File C:\WINDOWS\system32\drivers\srosa.sys deleted successfully.
File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034
File C:\WINDOWS\system32\wintems.exe deleted successfully.
File c:\WINDOWS\system32\hlpuybtr.exe not found!
Deletion of file c:\WINDOWS\system32\hlpuybtr.exe failed!
Could not process line:
c:\WINDOWS\system32\hlpuybtr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!
Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034
Folder c:\WINDOWS\exefld not found!
Deletion of folder c:\WINDOWS\exefld failed!
Could not process line:
c:\WINDOWS\exefld
Status: 0xc0000034
Folder c:\WINDOWS\exefnd not found!
Deletion of folder c:\WINDOWS\exefnd failed!
Could not process line:
c:\WINDOWS\exefnd
Status: 0xc0000034
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\m_hook not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\m_hook failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\m_hook
Status: 0xc0000034
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\pci32 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\pci32 failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\pci32
Status: 0xc0000034
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\srosa deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_M_HOOK not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_M_HOOK failed!
Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_M_HOOK
Status: 0xc0000034
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_SROSA deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Could not delete registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run|hldrrr
Deletion of registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run|hldrrr failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
adesso che faccio?
ok c'e lo fatta ,grazie di cuore.
no no.. devi completare questa procedura (saltando avenger):
http://forum.html.it/forum/showthre...hreadid=1202672
e devi eseguire SystemScan
altrimenti tra un po' starai punto e a capo.. Non solo, avevi un .bat da eliminare.
si hai ragione,ma non riesco ad andare http://forum.html.it/forum/showthre...hreadid=1202672
mi dice che la pagina è stata spostata,comunque ho visto che in modalità provvisoria non mi fa entrare quindi presumo che sono ancora infettato,mi consigli di ripartire da capo?
ero convinta di averlo copiato direttamente dalla pagina aperta
eccola:
Scarica dal Toll_rimoz_Bagle Sophos BAGLEGUI, elibagla, CCleaner
Disattiva il ripristino configurazione di sistema: start -> pannello di controllo -> sistema -> ripristino configurazione di sistema -> spunta: disattiva ripristino configuraz. di sistema
Visualizza i file e cartelle nascoste
Apri il registro [start -> esegui -> regedit], esportane una copia [File -> esporta -> salva] e chiudi il registro.
Esegui BAGLEGUI, e inizia la scansione cliccando su "GO", poi esegui ELIGABLA e quindi CCleaner, con cui devi ripulire i file temporanei e cookie e il registro [eseguilo 2 volte].
Riesegui lo script di ieri (avenger).
Controlla che l'antivirus funzioni. Se non funziona disinstallalo e prova a reinstallarlo.
NB: I report rilasciati dalle scansioni vanno caricati su Sendmefile.
ok ho disattivato il ripristino
bablegui sono riuscito ma elibagla non rieso a capirlo,per cleaner rieso a fare la sansione e mi trova piu di 800 file infetti ma non mi fa la riparazione,dovrei avere il code per registrarmi.
Una prima di avviare avenger devo attivare il ripristino..ciao
Permessi di invio
Rispondi quotando