virus: bagle.HU

[maryepucci]

Ciao ragazzi!!
Ogni mattina puntualmente mi esce la videata di nod con questo virus "bagle.HU".

Ho provato ha fare una scansione con hijackthis e mi esce:

Logfile of HijackThis v1.99.1
Scan saved at 9.37.30, on 05/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\BITWARE\NT\bwprnmon.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programmi\Java\jre1.5.0_09\bin\jucheck.exe
C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\zbianche\tuttomio\vari programmi utili\protezione\hjt (raffaele)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.infoimprese.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CDWCheckRubrica] C:\SEAT\CDItalia\Chkrub_cdi
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PrevxOne] C:\Programmi\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [CheckRubAnniversari] C:\Documents and Settings\amministratore\Documenti\SeatCDItalia\127_0_0_1\chkrub_cdi.exe "C:\Documents and Settings\amministratore\Documenti\SeatCDItalia\127_0_0_1\PB.rub" "I"
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B76AAEB-55AC-4791-8617-449E45DC6705}: NameServer = 213.140.2.12,213.140.2.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{4B76AAEB-55AC-4791-8617-449E45DC6705}: NameServer = 213.140.2.12,213.140.2.21
O17 - HKLM\System\CS2\Services\Tcpip\..\{4B76AAEB-55AC-4791-8617-449E45DC6705}: NameServer = 213.140.2.12,213.140.2.21
O17 - HKLM\System\CS3\Services\Tcpip\..\{4B76AAEB-55AC-4791-8617-449E45DC6705}: NameServer = 213.140.2.12,213.140.2.21
O17 - HKLM\System\CS4\Services\Tcpip\..\{4B76AAEB-55AC-4791-8617-449E45DC6705}: NameServer = 213.140.2.12,213.140.2.21
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programmi\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas http://www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

Notate qualcosa di strano??? O comunque mi sapreste dire come eliminare questo virus??
Grazie e un saluto a tutti!!

[maryepucci]

Non mi abbandonate vi prego

[Luke57]

Non mi abbandonate vi prego

Ciao, scarica Gmer da qui:
http://www.majorgeeks.com/GMER_d5198.html
scompatta il file .zip e avvia gmer.exe, con tutte le altre applicazioni chiuse.
Per entrare in Avanzate premi il tab>>>>. Poi scegli il tab Rootkit, spunta anche la casella ADS , fai uno Scan completo. Al termine clicca Copy e incolla il report in un file di testo.
Ritorna su Gmer, premi il tab Autostart (non spuntare la casella show all) e premi Scan. Al termine click su Copy e incolla il report nel medesimo foglio di testo.
Poi, copia e incolla i due report in un post nel forum

[maryepucci]

ok grazie!!!
Ecco fatto:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-05 11:56:12
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT pxfsf.sys ZwCompactKeys
SSDT pxfsf.sys ZwCompressKey
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT pxfsf.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT pxfsf.sys ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT pxfsf.sys ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT pxfsf.sys ZwCreatePort
SSDT pxfsf.sys ZwCreateProcess
SSDT pxfsf.sys ZwCreateProcessEx
SSDT pxfsf.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT pxfsf.sys ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT pxfsf.sys ZwDeleteFile
SSDT pxfsf.sys ZwDeleteKey
SSDT pxfsf.sys ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT pxfsf.sys ZwDuplicateObject
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT pxfsf.sys ZwFreeVirtualMemory
SSDT pxfsf.sys ZwImpersonateAnonymousToken
SSDT pxfsf.sys ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT pxfsf.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockRegistryKey
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT pxfsf.sys ZwMapViewOfSection
SSDT pxfsf.sys ZwOpenFile
SSDT pxfsf.sys ZwOpenKey
SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT pxfsf.sys ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT pxfsf.sys ZwOpenThread
SSDT pxfsf.sys ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT pxfsf.sys ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT pxfsf.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT pxfsf.sys ZwRenameKey
SSDT pxfsf.sys ZwReplaceKey
SSDT pxfsf.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeProcess
SSDT pxfsf.sys ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveKeyEx
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT pxfsf.sys ZwSetContextThread
SSDT pxfsf.sys ZwSetInformationKey
SSDT pxfsf.sys ZwSetInformationProcess
SSDT pxfsf.sys ZwSetInformationThread
SSDT pxfsf.sys ZwSetSystemInformation
SSDT pxfsf.sys ZwSetValueKey
SSDT pxfsf.sys ZwSuspendProcess
SSDT pxfsf.sys ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys

ZwTerminateProcess
SSDT pxfsf.sys ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnloadKeyEx
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT pxfsf.sys ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT pxfsf.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23B4 805010B8 24 Bytes [ 79,

38, 37, F7, 83, 38, 37, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 23D0 805010D4 16 Bytes [ B5,

38, 37, F7, BF, 38, 37, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805010E8 12 Bytes [ DD,

38, 37, F7, E7, 38, 37, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 23F4 805010F8 24 Bytes [ FB,

38, 37, F7, 05, 39, 37, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 24B0 805011B4 12 Bytes [ A5,

39, 37, F7, AF, 39, 37, ... ]
.text ...

---- EOF - GMER 1.0.12 ----


GMER 1.0.12.12027 - http://www.gmer.net
Autostart scan 2007-03-05 11:58:49
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session

Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe

ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On

SubSystemType=Windows ServerDll=basesrv,1

ServerDll=winsrv:UserServerDllInitialization,3

ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off

MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit =

C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@DLLName =

C:\Programmi\SUPERAntiSpyware\SASWINLO.DLL

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ =

C:\Programmi\ewido anti-spyware 4.0\guard.exe
LightScribeService /*LightScribeService Direct Disc Labeling Service*/@ =

"C:\Programmi\File comuni\LightScribe\LSSrvc.exe"
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft

Shared\VS7Debug\mdm.exe"
NOD32krn /*NOD32 Kernel Service*/@ = C:\Programmi\Eset\nod32krn.exe
PREVXAgent /*Prevx Agent*/@ = "C:\Programmi\Prevx1\PXAgent.exe" -f /*file not

found*/
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
StatusAgent4 /*Epson Printer Status Agent4*/@ =

C:\WINDOWS\system32\SAgent4.exe
UMWdf /*Windows User Mode Driver Framework*/@ =

C:\WINDOWS\system32\wdfmgr.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe =

C:\WINDOWS\system32\NeroCheck.exe
@AGRSMMSGAGRSMMSG.exe = AGRSMMSG.exe
@CDWCheckRubricaC:\SEAT\CDItalia\Chkrub_cdi =

C:\SEAT\CDItalia\Chkrub_cdi
@nod32kui"C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE =

"C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
@SunJavaUpdateSched"C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe" =

"C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
@bwprnmon.exeC:\BITWARE\NT\bwprnmon.exe



= C:\BITWARE\NT\bwprnmon.exe




@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime =

"C:\Programmi\QuickTime\qttask.exe" -atboottime
@VTTimerVTTimer.exe = VTTimer.exe
@VTTraypVTtrayp.exe = VTtrayp.exe
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE =

C:\VEXPLITE\MONLITE.EXE
@HP Software Update"C:\Programmi\HP\HP Software

Update\HPWuSchd2.exe" = "C:\Programmi\HP\HP Software

Update\HPWuSchd2.exe"
@HP Component Manager"C:\Programmi\HP\hpcoretech\hpcmpmgr.exe" =

"C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
@PrevxOneC:\Programmi\Prevx1\PXConsole.exe /*file not found*/ =

C:\Programmi\Prevx1\PXConsole.exe /*file not found*/
@MessengerPlus3"C:\Programmi\MessengerPlus! 3\MsgPlus.exe" =

"C:\Programmi\MessengerPlus! 3\MsgPlus.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run@1 =

C:\WINDOWS\service32.exe /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe =

C:\WINDOWS\system32\ctfmon.exe
@NBJ"C:\Programmi\Ahead\Nero BackItUp\NBJ.exe" =

"C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
@SUPERAntiSpywareC:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.e

xe = C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
@CheckRubAnniversariC:\Documents and

Settings\amministratore\Documenti\SeatCDItalia\127_0_0_1\chkrub_cdi.exe

"C:\Documents and

Settings\amministratore\Documenti\SeatCDItalia\127_0_0_1\PB.rub" "I" /*file

not found*/ = C:\Documents and

Settings\amministratore\Documenti\SeatCDItalia\127_0_0_1\chkrub_cdi.exe

"C:\Documents and

Settings\amministratore\Documenti\SeatCDItalia\127_0_0_1\PB.rub" "I" /*file

not found*/
@swgC:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleTool

barNotifier.exe =

C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNot

ifier.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHook

s >>>
@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}C:\Programmi\SUPERAntiSpy

ware\SASSEH.DLL = C:\Programmi\SUPERAntiSpyware\SASSEH.DLL
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Programmi\ewido

anti-spyware 4.0\shellexecutehook.dll = C:\Programmi\ewido anti-spyware

4.0\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

>>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video

del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not

found*/
@{88895560-9AA2-1069-930E-00AA0030EBC8} /*Estensione di icona di

HyperTerminal*/C:\WINDOWS\system32\hticons.dll /*file not found*/ =

C:\WINDOWS\system32\hticons.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni

precedenti*/%SystemRoot%\system32\twext.dll =

%SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni

precedenti*/%SystemRoot%\system32\twext.dll =

%SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for

SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager

Folder*/%SystemRoot%\system32\extmgr.dll =

%SystemRoot%\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle

Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL =

C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom

Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL =

C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon

Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll =

C:\Programmi\Microsoft Office\Office10\msohev.dll
@{B089FE88-FB52-11d3-BDF1-0050DA34150D} /*NOD32 Context Menu Shell

Extension*/C:\Programmi\Eset\nodshex.dll = C:\Programmi\Eset\nodshex.dll
@{E0D79304-84BE-11CE-9641-444553540000}

/*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL =

C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000}

/*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL =

C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000}

/*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL =

C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000}

/*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL =

C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell

extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{52B87208-9CCF-42C9-B88E-069281105805} /*Trojan Remover Shell

Extension*/C:\PROGRA~1\TROJAN~1\Trshlex.dll /*file not found*/ =

C:\PROGRA~1\TROJAN~1\Trshlex.dll /*file not found*/
@{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Periferiche Plug and Play

universali*/(null) =
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for

RealOne Player*/(null) =

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} =

C:\Programmi\ewido anti-spyware 4.0\context.dll
NOD32 Context Menu Shell

Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} =

C:\Programmi\Eset\nodshex.dll
Trojan Remover@{52B87208-9CCF-42C9-B88E-069281105805} =

C:\PROGRA~1\TROJAN~1\Trshlex.dll /*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} =

C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} =

C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-4

67B-B348-90DD488DE003} =

C:\Programmi\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} =

C:\Programmi\ewido anti-spyware 4.0\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} =

C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} =

C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers@{CA8ACAFA-

5FBB-467B-B348-90DD488DE003} =

C:\Programmi\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell

Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} =

C:\Programmi\Eset\nodshex.dll
Trojan Remover@{52B87208-9CCF-42C9-B88E-069281105805} =

C:\PROGRA~1\TROJAN~1\Trshlex.dll /*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} =

C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} =

C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper

Objects >>>
@{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}C:\Documents and

Settings\All Users\Dati applicazioni\Prevx\pxbho.dll = C:\Documents and

Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0

_09\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googlet

oolbar4.dll = c:\programmi\google\googletoolbar4.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location

= C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&a

r=msnhome =

http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start

Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CL

SID}&pver={SUB_PVER}&ar=home =

http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}

&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm =

%SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main@Start Page =

http://www.infoimprese.it/

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web

Folders\PKMCDO.DLL
cetihpz@CLSID = C:\Programmi\HP\hpcoretech\comp\hpuiprot.dll
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information

Retrieval\MSITSS.DLL
msnim@CLSID = "C:\PROGRA~1\MSNMES~1\msgrapp.dll"
mso-offdap@CLSID =

C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4B76

AAEB-55AC-4791-8617-449E45DC6705} /*Connessione alla rete locale

(LAN)*/ >>>
@IPAddress192.168.10.37 = 192.168.10.37
@NameServer213.140.2.12,213.140.2.21 = 213.140.2.12,213.140.2.21
@DefaultGateway192.168.10.253 = 192.168.10.253
@Domain =

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione

automatica >>>
Acrobat Assistant.lnk = Acrobat Assistant.lnk
Adobe Gamma Loader.exe.lnk = Adobe Gamma Loader.exe.lnk
Avvio rapido di HP Image Zone.lnk = Avvio rapido di HP Image Zone.lnk
HP Digital Imaging Monitor.lnk = HP Digital Imaging Monitor.lnk
Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.12 ----

[Luke57]

Ciao, hai una voce di registro che va eliminata.

scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
scompatta il file.zip
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:


Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1



Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente


Il programma rilascia un log con le operazioni eseguite.

Posta il log di Avenger (C:/avenger.txt) con l´esito dello script.

scarica anche SystemScan
http://www.suspectfile.com/systemscan
aprilo ed assicurati che tutte le opzioni siano spuntate, clicca su "Scan Now" al termine della scansione verrà rilasciato in C:\suspectfile il file report.txt.
Vai su:
http://www.easy-share.com
carica il file (premendo Sfoglia e poi il tasto Upload) , ti sarà fornito l'URL per scaricarlo. Incolla in un post tale URL (il log è troppo lungo per inserirlo in un post).

[maryepucci]

Ciao, hai una voce di registro che va eliminata.

scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
scompatta il file.zip
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:


Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1



Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente


Il programma rilascia un log con le operazioni eseguite.

Posta il log di Avenger (C:/avenger.txt) con l´esito dello script.

fatto ma mi è uscito questo:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Fatal error: could not create new script file.
Error code: 0
Error logged to errorlog.txt. Aborting now!

ho copiato:

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1

per intero esatto??
e non capisco perchè mi dà errore

[Luke57]

Ciao, ripeti l'operazione, e se non riesce ancora elimina la voce manualmente:
start>esegui>regedit lo digiti nello spazio)>OK
Aperto l'editor del registro, clicchi sul segno + accanto alle singole voci e segui questo percorso:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run click sulla cartella Run , sulla parte destra della finestra dovresti trovare:
1= C:\WINDOWS\service32.exe
click mouse dx sulla voce e scegli Elimina. Chiudi il registro.

[maryepucci]

scarica anche SystemScan
http://www.suspectfile.com/systemscan
aprilo ed assicurati che tutte le opzioni siano spuntate, clicca su "Scan Now" al termine della scansione verrà rilasciato in C:\suspectfile il file report.txt.

Non và mi dice che alcuni file sono danneggiati

[maryepucci]

Ciao, ripeti l'operazione, e se non riesce ancora elimina la voce manualmente:
start>esegui>regedit lo digiti nello spazio)>OK
Aperto l'editor del registro, clicchi sul segno + accanto alle singole voci e segui questo percorso:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run click sulla cartella Run , sulla parte destra della finestra dovresti trovare:
1= C:\WINDOWS\service32.exe
click mouse dx sulla voce e scegli Elimina. Chiudi il registro.

ok fatto!!!
Ma addesso dovrebbe essere risolto il problema?? Devo riavviare??

[maryepucci]

Ciao, ripeti l'operazione, e se non riesce ancora elimina la voce manualmente:
start>esegui>regedit lo digiti nello spazio)>OK
Aperto l'editor del registro, clicchi sul segno + accanto alle singole voci e segui questo percorso:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run click sulla cartella Run , sulla parte destra della finestra dovresti trovare:
1= C:\WINDOWS\service32.exe
click mouse dx sulla voce e scegli Elimina. Chiudi il registro.

ok fatto!!!
Ma addesso dovrebbe essere risolto il problema?? Devo riavviare??

Aiuto ragazzi!! La voce si è tolta ma non il virus quindi non era quello il problema i virus appare sempre che posso fare ancora??

[Luke57]

Ciao, scarica SystemScan se non l'hai
http://www.suspectfile.com/systemscan
aprilo ed assicurati che tutte le opzioni siano spuntate, clicca su "Scan Now" al termine della scansione verrà rilasciato in C:\suspectfile il file report.txt.
Invia il suddetto file su un sito tipo http://www.easy-share.com o http://www.sendmefiles.com e infine posta qua sul forum il link per scaricarlo.