Applicazioni sospette - service32/spoolw/igfxsvc/imfe.exe

[shenandoa]

Vi chiedo conferma se le applicazioni in oggetto sono sospette e la procedura per rimuoverle.

Grazie mille per l'aiuto




Allego GMER Rootkit scan e log HijackThis.

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-09-05 14:21:11
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.13 ----

Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CREATE [F7B11C98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CLOSE [F7B11C98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_DEVICE_CONTROL [F7B114A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B113D2] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_POWER [F7B11386] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_SYSTEM_CONTROL [F7B114A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_PNP [F7B11E88] SMBCLASS.SYS

---- EOF - GMER 1.0.13 ----


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.01.11, on 05/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
c:\windows\system32\winlogon.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\Programmi\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\WINDOWS\service32.exe
C:\WINDOWS\sysnet32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\Programmi\Citrix\PNAgent\pnagent.exe
C:\Programmi\Citrix\PNAgent\Wfcrun32.exe
C:\PROGRA~1\Citrix\PNAgent\WFICA32.EXE
C:\Documents and Settings\taitpid1\Documenti\ANDREA\SOFT\# Security\HijackThis 2.0.2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intra/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [BgInfo] c:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - HKLM\..\Policies\Explorer\Run: [4F27V1D89M] C:\WINDOWS\service32.exe
O4 - HKLM\..\Policies\Explorer\Run: [Service] C:\WINDOWS\sysnet32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: imfe.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mtsintra.network
O17 - HKLM\Software\..\Telephony: DomainName = mtsintra.network
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mtsintra.network
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 4628 bytes

[edo_aol]

ciao,avvia hijackthis,spunta a sinistra su queste voci:


O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mtsintra.network
O17 - HKLM\Software\..\Telephony: DomainName = mtsintra.network
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mtsintra.network
O4 - Startup: imfe.exe
O4 - HKLM\..\Policies\Explorer\Run: [Service] C:\WINDOWS\sysnet32.exe
O4 - HKLM\..\Policies\Explorer\Run: [4F27V1D89M] C:\WINDOWS\service32.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe

e clicca sotto su FIX CHECKED.



poi Scarica The Avenger
http://swandog46.geekstogo.com/avenger.zip

estrai l’archivio nel desktop.

Poi avvia il file Avenger.exe.
Seleziona l'opzione Input Script Manually, clicca sulla lente di ingrandimento e all'interno dello spazio bianco copia ed incolla questo script in blu:


files to delete:
C:\WINDOWS\system32\igfxsvc.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\sysnet32.exe
C:\WINDOWS\service32.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\WINDOWS\system32\spoolw.exe



Clicca sul pulsante Done
Adesso clicca sul semaforo con la luce verde
Rispondi Yes 2 volte
Il pc si dovrebbe riavviare,se non si riavvia,riavvialo manualmente

Al riavvio collegati e posta il contenuto del file C:\Avenger.txt

[shenandoa]

Ti posto il log Avenger e il nuovo HijackThis.
Gli O17 sono ok (rete nota) e non li ho cancellati (era cmq necessario?).
... mi sembra che il problema persiste però....


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\abnuxhoi

*******************

Script file located at: \??\C:\WINDOWS\system32\hnegwydv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\igfxsvc.exe deleted successfully.
File C:\WINDOWS\system32\spoolw.exe deleted successfully.
File C:\WINDOWS\sysnet32.exe deleted successfully.
File C:\WINDOWS\service32.exe deleted successfully.


File C:\WINDOWS\system32\igfxsvc.exe not found!
Deletion of file C:\WINDOWS\system32\igfxsvc.exe failed!

Could not process line:
C:\WINDOWS\system32\igfxsvc.exe
Status: 0xc0000034



File C:\WINDOWS\system32\spoolw.exe not found!
Deletion of file C:\WINDOWS\system32\spoolw.exe failed!

Could not process line:
C:\WINDOWS\system32\spoolw.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8.53.12, on 06/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
c:\windows\system32\services.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\Programmi\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\Programmi\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Programmi\Citrix\PNAgent\pnagent.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\...\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [BgInfo] c:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Programmi\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mtsintra.network
O17 - HKLM\Software\..\Telephony: DomainName = mtsintra.network
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mtsintra.network
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 4568 bytes

[Luke57]

Ciao, ci sono sempre perchè l'infezione è più estesa e hijackthis ne evidenzia solo alcuni aspetti.

Scarica systemscan da qui http://www.suspectfile.com/systemscan
Avvialo, seleziona tutte le opzioni e premi "Scan now". L'esecuzione può anche durare molto tempo ma tu lascialo lavorare.
Alla fine della scansione,cerca il file data+ora+.zip, lo trovi nella cartella c:\suspectfile.
Carica questo file .zip su
http://www.easy-share.com/
scrivi qui il link che ti sarà fornito (il primo) per poterlo scaricare.

[edo_aol]

ciao,probabilmnte si sono rigenerate perche non abbiamo disattivato il ripristino,quindi disabilitiamolo.disabilita il ripristino configurazione di sistema(start-proprieta risorse del computer-ripristino conf.di sistema.metti la crocetta su disattiva e su OK.)


riavvia hijackthis e fixa queste voci:

O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe


poi scarica di nuovo avenger
http://swandog46.geekstogo.com/avenger.zip

estrai l’archivio nel desktop.

Poi avvia il file Avenger.exe.
Seleziona l'opzione Input Script Manually, clicca sulla lente di ingrandimento e all'interno dello spazio bianco copia ed incolla questo script in blu:



files to delete:
C:\WINDOWS\system32\igfxsvc.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\WINDOWS\system32\spoolw.exe




Clicca sul pulsante Done
Adesso clicca sul semaforo con la luce verde
Rispondi Yes 2 volte
Il pc si dovrebbe riavviare,se non si riavvia,riavvialo manualmente

Al riavvio collegati e posta il contenuto del file C:\Avenger.txt


dopo scarica SmitFraudfix e decomprimilo in una cartella a tua scelta estraendo tutti i file:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Apri la cartella che contiene SmitfraudFix avvia smitfraudfix.cmd
Seleziona opzione #2 - Clean cliccando sul 2 e premi Invio.
Riceverai questo messaggio: Registry cleaning - Do you want to clean the registry ?
Rispondi Sì cliccando Y e premi invio.
Rispondi Sì (Y) ad eventuali altre domande
eseguita tutta la scansione dopo il riavvio del pc posta sul forum il rapporto del programma.

adesso puoi attivare il ripristino configurazione di sistema seguendo il percorso sopra pero togliendo la crocetta da disattiva.
dimmi come va.

[Luke57]

ciao,probabilmnte si sono rigenerate perche non abbiamo disattivato il ripristino,quindi disabilitiamolo.disabilita il ripristino configurazione di sistema(start-proprieta risorse del computer-ripristino conf.di sistema.metti la crocetta su disattiva e su OK.)

Aol, ma che cosa dici...... Lì sono innocue, si rigenerebbero solo se venisse fatto un ripristino.
Poi hai suggerito la stessa procedura e smitfraudfix, in questo caso, non c'entra niente.
E' chiaro che ci sono altri files e chiavi di registro infette non rilevate da hijackthis o no ?

[shenandoa]

http://w13.easy-share.com/4817141.html

[Luke57]

Ciao, riutilizza avenger, ma inserisci questo script:

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe


Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | gkrsda.exe

Folders to delete:
C:\DOCUME~1\xxxxxxxx\IMPOST~1\Temp
C:\Windows\temp

Files to delete:
C:\WINDOWS\w32dbg.exe
C:\WINDOWS\iexplore_32.exe
C:\WINDOWS\632114.exe
C:\WINDOWS\29048529.exe
C:\WINDOWS\24953591.exe
C:\WINDOWS\24952780.exe
C:\WINDOWS\870351.exe
C:\WINDOWS\872053.exe
C:\WINDOWS\859936.exe
C:\WINDOWS\865083.exe
C:\WINDOWS\8887749.exe
C:\WINDOWS\8892817.exe
C:\WINDOWS\4855902.exe
C:\WINDOWS\4856933.exe
C:\WINDOWS\8889432.exe
C:\WINDOWS\8890774.exe
C:\WINDOWS\1071060.exe
C:\WINDOWS\1070058.exe
C:\WINDOWS\6615272.exe
C:\WINDOWS\6618617.exe
C:\WINDOWS\svchost.dll
C:\WINDOWS\843232.exe
C:\WINDOWS\844454.exe
C:\WINDOWS\4881038.exe
C:\WINDOWS\4882250.exe
C:\WINDOWS\8920396.exe
C:\WINDOWS\8924472.exe
C:\Windows\tasks\zzlgjy.job


Poi al riavvio, posti il relativo report come hai già fatto in precedenza.
Inoltre, apri hijackthis, premi "do a system scan only", cerchi e spunti le voci seguenti:
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
premi fix checked.

[shenandoa]

Ho eseguito quanto da te suggerito con Avenger e HijackThis.
Essendoci un nomefile.exe errato ho rieseguito Avenger cancellando tutti gli exe "numerici" ancra esistenti in C:\Windows.
L'ulteriore scan con HijackThis non ha più evidenziato la presenza degli O4.
Dovrebbe essere ok credo adesso...
dimmi se devo effettuare altre verifiche...
Grazie mille !!!

PRIMO RUN

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fpqsmjqb

*******************

Script file located at: \??\C:\Documents and Settings\aauikvhh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\DOCUME~1\xxxxxxxx\IMPOST~1\Temp deleted successfully.
Folder C:\Windows\temp deleted successfully.
File C:\WINDOWS\w32dbg.exe deleted successfully.
File C:\WINDOWS\iexplore_32.exe deleted successfully.


File C:\WINDOWS\632114.exe not found!
Deletion of file C:\WINDOWS\632114.exe failed!

Could not process line:
C:\WINDOWS\632114.exe
Status: 0xc0000034

File C:\WINDOWS\29048529.exe deleted successfully.
File C:\WINDOWS\24953591.exe deleted successfully.
File C:\WINDOWS\24952780.exe deleted successfully.
File C:\WINDOWS\870351.exe deleted successfully.
File C:\WINDOWS\872053.exe deleted successfully.
File C:\WINDOWS\859936.exe deleted successfully.
File C:\WINDOWS\865083.exe deleted successfully.
File C:\WINDOWS\8887749.exe deleted successfully.
File C:\WINDOWS\8892817.exe deleted successfully.
File C:\WINDOWS\4855902.exe deleted successfully.
File C:\WINDOWS\4856933.exe deleted successfully.
File C:\WINDOWS\8889432.exe deleted successfully.
File C:\WINDOWS\8890774.exe deleted successfully.
File C:\WINDOWS\1071060.exe deleted successfully.
File C:\WINDOWS\1070058.exe deleted successfully.
File C:\WINDOWS\6615272.exe deleted successfully.
File C:\WINDOWS\6618617.exe deleted successfully.
File C:\WINDOWS\svchost.dll deleted successfully.
File C:\WINDOWS\843232.exe deleted successfully.
File C:\WINDOWS\844454.exe deleted successfully.
File C:\WINDOWS\4881038.exe deleted successfully.
File C:\WINDOWS\4882250.exe deleted successfully.
File C:\WINDOWS\8920396.exe deleted successfully.
File C:\WINDOWS\8924472.exe deleted successfully.
File C:\Windows\tasks\zzlgjy.job deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|gkrsda.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


SECONDO RUN

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\njnbcwve

*******************

Script file located at: \??\C:\Documents and Settings\cjadcxnx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\DOCUME~1\xxxxxxx\IMPOST~1\Temp deleted successfully.
Folder C:\Windows\temp deleted successfully.
File C:\WINDOWS\7632114.exe deleted successfully.
File C:\WINDOWS\20953709.exe deleted successfully.
File C:\WINDOWS\20957765.exe deleted successfully.


Completed script processing.

*******************

Finished! Terminate.

[Luke57]

Ciao, dovrebbe essere a posto, per adesso.

[shenandoa]

"per adesso"... ....

però c'è Luke57 che risolve tutto

Ri-grazie mille !!!
ciao

[edo_aol]

Ciao, dovrebbe essere a posto, per adesso.

ciao luke,forse non ci siamo chiariti bene,ma io ho detto "disattiva il ripristino" non fai un ripristino.siamo chiari

[Luke57]

Ciao, dovrebbe essere a posto, per adesso.

ciao luke,forse non ci siamo chiariti bene,ma io ho detto "disattiva il ripristino" non fai un ripristino.siamo chiari

Leggi bene quello che ho scritto, disattivare il ripristino serve solo a eliminare i file infetti che, in quella posizione, sono inoffensivi ma diventano pericolosi se fai un ripristino di sistema. Solo in quel caso.
Poi perchè vuoi fare il polemico su cose che non conosci tanto bene? E' chiaro che se dai consigli che non servono tanto al problema, io devo intervenire, cosa che non faccio quando dai suggerimenti utili. Morale della favola: più cose impari e meno io ti rompo le scatole

[edo_aol]

ok,non parlo piu'.