Programmi di sicurezza che non funzionano

**KILO** · 13-03-2008, 23:11

Credo si essere invaso da virus o simili, Antivir non parte e nemmeno i suddetti programmi

ccleaner
HijackThis
ATF-Cleaner

ho fatto una scansione con KASPERSKY allego il log, il problema e che sono partito a cancellare diversi file indicati dal log, forse ho fatto ancora peggio non saprei!!!

Aiuto, non so come muovermi!!

PS:winXp

C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.da t Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.da t Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mattia\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mattia\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mattia\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mattia\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mattia\Impostazioni locali\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mattia\Impostazioni locali\Temporary Internet Files\Content.IE5\055X3AYE\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\Mattia\Impostazioni locali\Temporary Internet Files\Content.IE5\055X3AYE\b64_31[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Mattia\Impostazioni locali\Temporary Internet Files\Content.IE5\055X3AYE\b64_31[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Mattia\Impostazioni locali\Temporary Internet Files\Content.IE5\5YYAZ2RA\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\Mattia\Impostazioni locali\Temporary Internet Files\Content.IE5\5YYAZ2RA\b64_2[2].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\Mattia\Impostazioni locali\Temporary Internet Files\Content.IE5\I6ULPRO5\b64_1[1].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\Documents and Settings\Mattia\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mattia\Impostazioni locali\Temporary Internet Files\Content.IE5\ZBN75RZP\b64_31[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\Mattia\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mattia\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programmi\Terragen\Terragen 0.9.43.exe Infected: Trojan-Downloader.Win32.Bagle.lc skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP158\A0037179.exe/data0009/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP158\A0037179.exe/data0009/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP158\A0037179.exe/data0009 Infected: not-a-virus:AdWare.Win32.TrafficSol.o skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP158\A0037179.exe/data0010/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.adj skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP158\A0037179.exe/data0010/stream/data0006 Infected: not-a-virus:AdWare.Win32.BHO.ww skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP158\A0037179.exe/data0010/stream Infected: not-a-virus:AdWare.Win32.BHO.ww skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP158\A0037179.exe/data0010 Infected: not-a-virus:AdWare.Win32.BHO.ww skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP158\A0037179.exe NSIS: infected - 7 skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP182\A0040517.EXE Infected: Trojan-Downloader.Win32.Bagle.jm skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP182\A0040518.exe Infected: Trojan-Downloader.Win32.Bagle.jm skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP182\A0040519.EXE Infected: Trojan-Downloader.Win32.Bagle.jm skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP203\A0043876.sys Infected: Trojan-Downloader.Win32.Bagle.ky skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP203\A0043896.sys Infected: Trojan-Downloader.Win32.Bagle.ky skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP203\A0043897.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP203\A0043898.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP203\A0043915.sys Infected: Trojan-Downloader.Win32.Bagle.ky skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP203\A0043916.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP203\A0043917.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP203\A0043960.sys Infected: Trojan-Downloader.Win32.Bagle.ky skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP203\A0043961.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP203\A0043962.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP203\A0044066.sys Infected: Trojan-Downloader.Win32.Bagle.ky skipped
C:\System Volume Information\_restore{F78EFCF3-E54F-4CF5-9199-3409ED7F35BC}\RP203\change.log Object is locked skipped
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

**Habanero** · 13-03-2008, 23:20

Per favore facciamo attenzione alla scelta dei titoli.
http://forum.html.it/forum/showthrea...hreadid=997970

**KILO** · 13-03-2008, 23:25

Chiedo scusa, ho modificato il titolo spero vada meglio!

**Deifobe** · 14-03-2008, 02:05

ciao Kilo,
esegui una scansione anche con elibagla: eseguilo e clicca su Explorar. Riavvia il pc quando finisce e posta il rapporto (C:\Infosat.txt)

**KILO** · 14-03-2008, 11:58

Ciao, ho provato, il programma parte, arriva ad una directory e mi dice "accesso danneggiato alla cartella" e si spegne.
Se provo a cancellarla a mano mi dice che è in uso e che non la posso rimuovere(anche se riavvio)!!!

Che fare?

**KILO** · 14-03-2008, 14:02

Originariamente inviato da Deifobe
ciao Kilo,
esegui una scansione anche con elibagla: eseguilo e clicca su Explorar. Riavvia il pc quando finisce e posta il rapporto (C:\Infosat.txt)

Allora ho provato (dopo aver eliminato la directory bloccata) e la scansione va liscia, non trova niente... possibile???

**Deifobe** · 14-03-2008, 14:56

Scarica Avenger e CCleaner

Disattiva il ripristino configurazione di sistema : start -> pannello di controllo -> sistema -> ripristino configurazione di sistema -> spunta: disattiva ripristino configuraz. di sistema
Visualizza i file e cartelle nascoste

Esegui avenger e nel box bianco, copia/incolla:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\hidrrr.exe
C:\WINDOWS\system32\drivers\hldrrr.ex_
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\drivers\klif.sys
C:\WINDOWS\system32\drivers\pci32.sys
C:\WINDOWS\system32\wintems.exe
c:\WINDOWS\system32\hlpuybtr.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\mdelk.exe
c:\Documents and Settings\user\Dati applicazioni\hidires\m_hook.sys
c:\Documents and Settings\user\Dati applicazioni\hidires\hidr.exe
c:\Documents and Settings\user\Dati applicazioni\hidires\srosa.sys
c:\Documents and Settings\user\Dati applicazioni\hidn\hidn2.exe
c:\Documents and Settings\user\Dati applicazioni\hidn\hldrrr.exe
c:\Documents and Settings\user\Dati applicazioni\m\data.oct
c:\Documents and Settings\user\Dati applicazioni\m\flec006.exe

folders to delete:
c:\WINDOWS\exefld
c:\WINDOWS\exefnd
C:\WINDOWS\exefqd
C:\WINDOWS\system32\drivers\down
c:\Documents and Settings\user\Dati applicazioni\hidires
c:\Documents and Settings\user\Dati applicazioni\hidn

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\m_hook
HKEY_LOCAL_MACHINE\system\ControlSet001\Services\m _hook
HKEY_LOCAL_MACHINE\system\ControlSet002\Services\m _hook
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\pci32
HKEY_LOCAL_MACHINE\system\ControlSet001\Services\p ci32
HKEY_LOCAL_MACHINE\system\ControlSet002\Services\p ci32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\srosa
HKEY_LOCAL_MACHINE\system\ControlSet001\Services\s rosa
HKEY_LOCAL_MACHINE\system\ControlSet002\Services\s rosa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_M_HOOK
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_SROSA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\R oot\LEGACY_PCI32

registry values to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run | hldrrr

(Modifica mettendo al posto dello "user" (in rosso) il tuo user. Non lasciare spazi)
Spunta "Automatically disable any rootkits found" e clicca su "execute".
Il pc dovrebbe riavviarsi da solo, altrimenti riavvialo tu. Carica il report rilasciato in C:\Avenger su Sendmefile e posta il link ottenuto.

esegui CCleaner, con cui devi ripulire i file temporanei e cookie [eseguilo 2 volte ].

Controlla che l'antivirus funzioni. Se non funziona disinstallalo e prova a reinstallarlo.

**KILO** · 14-03-2008, 16:19

Grazie! Sembra aver funzionato.
Però alcune cartelle il report mi dice che non esistevano, tutte quelle con il nome utente, sono andato a vedere a mano ed in effetti non c'erano nemmeno negli altri utenti.

Fatto sta che l'antivirus ora funziona ed anche i programmi come ccleaner.

Dovrei esseremene liberato, ma c'è un modo per aver conferma?

Grazie infinite!!

**Deifobe** · 14-03-2008, 18:19

no.. erano stati rilevati come infetti dei temp (non so se ccleaner li ha eliminati), il ripristino e C:\Programmi\Terragen\Terragen 0.9.43.exe.

Fai una scansione con Bitdefender, se li rimuove lui è ok.

**KILO** · 15-03-2008, 13:17

Ok, grazie tante.

Discussione: Programmi di sicurezza che non funzionano

Strumenti discussione

Ricerca discussione

Visualizza

Virus + file cancellati a caso dal log di KASPERSKY

Permessi di invio