
Bagle virus, please help me.

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57


Post by robbyfire » 11/03/07 23:33

Please, I've been fighting this virus for a week now; it won't let me open the antivirus executables. I used HijackThis, but on my own I can't identify the problem. This is my log:

Logfile of HijackThis v1.99.1
Scan saved at 23.21.25, on 11/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
F:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\WINDOWS\System32\nvsvc32.exe
F:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
F:\Programmi\Telecom Italia Media\Fast 800-840 Tin.it\dslmon.exe
F:\Programmi\Internet Explorer\iexplore.exe
F:\PROGRA~1\WINZIP\winzip32.exe
F:\Documents and Settings\User\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - F:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programmi\google\googletoolbar4.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programmi\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: DSLMON.lnk = F:\Programmi\Telecom Italia Media\Fast 800-840 Tin.it\dslmon.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - F:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - F:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - F:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - F:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - F:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - F:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF0B77BE-D381-45F1-9F0E-5B564032E881}: NameServer = 62.211.69.150 212.48.4.15
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - F:\WINDOWS\system32\btxppanel.dll
O23 - Service: Adobe LM Service - Unknown owner - F:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - F:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - F:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
robbyfire
Junior Member

Posts: 13
Joined: 10/03/07 19:49
Location: bologna/roma


Post by techdiscount » 12/03/07 00:36

Hi robby,
your log looks clean...
but is the antivirus the only problem you have? If that is the only problem, it could simply be that the installation didn't complete properly or that some file the antivirus software needs has been deleted... have you tried completely removing the antivirus and reinstalling it? Let me know...
Bye and have a good evening...
techdiscount
Senior Member

Posts: 244
Joined: 29/01/07 12:49

Post by robbyfire » 12/03/07 00:47

Hi, thank you for replying....
Unfortunately I'm afraid it really is a virus, because no firewall shows up, the antivirus can't be removed, and even when I try other antivirus programs I don't see the executable file... on top of that I tried to start Safe Mode, but it won't let me in.
I'll try reposting the log... (looking at the posts I read that the system has to be "cleaned", but I don't know the procedure).
Thanks again for your interest
Logfile of HijackThis v1.99.1
Scan saved at 0.46.21, on 12/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\WINDOWS\System32\nvsvc32.exe
F:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
F:\Programmi\Telecom Italia Media\Fast 800-840 Tin.it\dslmon.exe
F:\Programmi\Internet Explorer\iexplore.exe
F:\Documents and Settings\User\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - F:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programmi\google\googletoolbar4.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\programmi\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: DSLMON.lnk = F:\Programmi\Telecom Italia Media\Fast 800-840 Tin.it\dslmon.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - F:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organizzatore ricerche - {9455301C-CF6B-11D3-A266-00C04F689C50} - F:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - F:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF0B77BE-D381-45F1-9F0E-5B564032E881}: NameServer = 62.211.69.150 212.48.4.15
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - F:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - F:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - F:\Programmi\Analog Devices\SoundMAX\SMAgent.exe

Post by Luke57 » 12/03/07 08:25

Hi, download and run EliBagla from here:
http://www.wininizio.it/forum/index.php ... t&id=13750
and post the log found in C:\InfoSat.txt
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Post by robbyfire » 12/03/07 13:14

Thanks Luke, I'm not at my PC right now; this evening as soon as I get home I'll try it... Robby

Post by techdiscount » 12/03/07 15:50

Hi robby,
if you don't recognize these IP addresses, fix this entry:
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF0B77BE-D381-45F1-9F0E-5B564032E881}: NameServer = 62.211.69.150 212.48.4.15

Bye and have a good day...
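The HijackThis logs posted above and techdiscount's advice about the O17 NameServer entry are the kind of thing a responder checks by eye. The script below is an added example written for this thread, not code from the forum, from HijackThis or from any poster: it parses the numbered entry lines of a HijackThis 1.99.x log and flags four things: entries already marked "(file missing)", O4 autostarts whose command sits in a user-writable location, O17 DNS addresses that are not on a caller-supplied allow-list, and O23 services listed with "Unknown owner". The sample log is constructed from lines of the first post, plus one synthetic O4 [hldrrr] line that only mirrors the path names in Luke57's Avenger script so the user-writable-path rule has something to catch; it was not in robbyfire's log. The ALLOWED_DNS value is a hypothetical placeholder (an RFC 5737 documentation address): in practice you put the ISP's published resolvers there, and a "not on allow-list" hit means "verify", exactly as techdiscount says, not "malicious". Likewise the "(file missing)" hit on bdoscandel.exe is just the BitDefender online scanner's uninstall stub; every finding is a lead to check, not a verdict.

```python
"""Triage a HijackThis 1.99.x log (added example for this thread)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample.  Most lines are copied from the log posted in the thread;
# the O4 [hldrrr] line is synthetic and only mirrors the path names in Luke57's
# Avenger script so that the user-writable-path rule fires on something.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
F:\WINDOWS\System32\smss.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\programmi\google\googletoolbar4.dll
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [hldrrr] F:\Documents and Settings\User\Dati applicazioni\hidires\hldrrr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF0B77BE-D381-45F1-9F0E-5B564032E881}: NameServer = 62.211.69.150 212.48.4.15
O23 - Service: Adobe LM Service - Unknown owner - F:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

# Hypothetical allow-list (RFC 5737 documentation address).  Replace with the
# ISP's published resolvers; anything else means "verify", not "malicious".
ALLOWED_DNS = ("192.0.2.53",)

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "%appdata%", "%temp%", "%userprofile%")


@dataclass
class Entry:
    section: str   # "O4", "O17", ...
    body: str      # text after "Oxx - "


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


def parse_log(text: str) -> List[Entry]:
    """Keep only the numbered HijackThis entry lines (R0.., O2.., O23..)."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def o4_command(body: str) -> str:
    """'HKLM\\..\\Run: [name] command' -> 'command' (quotes stripped)."""
    m = re.search(r"\]\s*(.*)$", body)
    return (m.group(1) if m else body).strip().strip('"')


def o17_nameservers(body: str) -> List[str]:
    """Split the 'NameServer = a b' value into addresses (space or comma separated)."""
    m = re.search(r"NameServer\s*=\s*(.*)$", body)
    return [s for s in re.split(r"[ ,]+", m.group(1).strip()) if s] if m else []


def triage(entries: Iterable[Entry], allowed_dns: Iterable[str]) -> List[Finding]:
    """Apply the four checks; each hit is a lead to verify by hand."""
    allowed = {ipaddress.ip_address(a) for a in allowed_dns}
    findings = []
    for e in entries:
        if "(file missing)" in e.body:
            findings.append(Finding(e.section, "target file missing", e.body))
        if e.section == "O4":
            cmd = o4_command(e.body).lower()
            if any(tok in cmd for tok in USER_WRITABLE):
                findings.append(Finding(e.section, "autostart from user-writable path", cmd))
        elif e.section == "O17":
            for ns in o17_nameservers(e.body):
                try:
                    ip = ipaddress.ip_address(ns)
                except ValueError:
                    findings.append(Finding(e.section, "unparseable NameServer", ns))
                    continue
                if ip not in allowed:
                    findings.append(Finding(e.section, "DNS resolver not on allow-list", ns))
        elif e.section == "O23" and "Unknown owner" in e.body:
            findings.append(Finding(e.section, "service with no vendor string", e.body))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG), ALLOWED_DNS):
        print(f"{f.section:4} {f.reason:35} {f.detail}")
```

Run it as-is and the sample yields five leads (the missing bdoscandel.exe, the synthetic hldrrr autostart, both DNS addresses, and the Adobe service with no vendor string); pass the ISP's real resolvers in ALLOWED_DNS and the two O17 hits disappear, which is the whole point of the allow-list.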

Post by robbyfire » 12/03/07 21:38

Hi Luke
I ran the scan with elibagla.
It found one infected file: wintems.exe.vir bagle
except it doesn't remove it automatically....
Yesterday I also tried restoring the firewall, updates, etc., but after the reboot I was back to square one.

Post by robbyfire » 12/03/07 21:45

I'll also try fixing the following entry, as techdiscount suggested:
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF0B77BE-D381-45F1-9F0E-5B564032E881}: NameServer = 62.211.69.150 212.48.4.15
Thanks

Post by Luke57 » 12/03/07 22:51

Hi, download Gmer from here:
http://www.majorgeeks.com/GMER_d5198.html
unzip the .zip file and run gmer.exe with all other applications closed.
To get to Advanced, press the >>>> tab. Then choose the Rootkit tab, also tick the ADS box, and run a full Scan. When it finishes, click Copy and paste the report into a text file.
Go back to Gmer, press the Autostart tab (don't tick the "show all" box) and press Scan. When it finishes, click Copy and paste the report into the same text file.
Then copy and paste the two reports into a post on the forum.

Post by robbyfire » 12/03/07 23:18

A few seconds after I start the scan the PC resets. I have all applications closed... is it serious?

Post by techdiscount » 12/03/07 23:45

Hi Robby,
have you also tried running a scan with Ad-Aware and with AVG antivirus?

Post by Luke57 » 13/03/07 09:04

robbyfire wrote: A few seconds after I start the scan the PC resets. I have all applications closed... is it serious?

Hi, run the scan only from the Autostart position; you shouldn't have any problems (and it only takes a few seconds).

Post by robbyfire » 13/03/07 10:22

Hi Luke, this is the scan from the Autostart position:

@Local PageF:\WINDOWS\system32\blank.htm = F:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = F:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = F:\WINDOWS\system32\msvidctl.dll
its@CLSID = F:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = F:\WINDOWS\System32\itss.dll
ms-itss@CLSID = F:\Programmi\File comuni\Microsoft Shared\Information Retrieval\msitss.dll
msero@CLSID = F:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\MSERO.DLL
mso-offdap@CLSID = F:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = F:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
skype4com@CLSID = F:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
tv@CLSID = F:\WINDOWS\system32\msvidctl.dll
wia@CLSID = F:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll

F:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = DSLMON.lnk

---- EOF - GMER 1.0.12 ----

Post by Luke57 » 13/03/07 10:49

Hi, nothing shows up; it's really sparse.
Download Avenger to the desktop
http://swandog46.geekstogo.com/avenger.zip
unzip the .zip file
Run the avenger.exe file
Select the "Input Script Manually" option
Click the magnifying glass

A "View/edit script" window opens
Inside the white box, copy and paste (Ctrl+V) the following text:

Files to delete:
F:\WINDOWS\system32\wintems.exe
F:\WINDOWS\system32\hldrrr.exe

folders to delete:
F:\Documents and Settings\User\Dati applicazioni\hidires
F:\WINDOWS\exefld

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr



Click the Done button
Click the green traffic-light icon
Answer Yes twice
The PC should reboot by itself; if it doesn't, reboot it manually


The program leaves a log of the operations performed.

Post the Avenger log (C:/avenger.txt) with the result of the script.

Post by robbyfire » 13/03/07 12:20

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wrcsdrpp

*******************

Script file located at: \??\F:\eadwbfdu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:



File F:\WINDOWS\system32\wintems.exe not found!
Deletion of file F:\WINDOWS\system32\wintems.exe failed!

Could not process line:
F:\WINDOWS\system32\wintems.exe
Status: 0xc0000034



File F:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file F:\WINDOWS\system32\hldrrr.exe failed!

Could not process line:
F:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034



Folder F:\Documents and Settings\User\Dati applicazioni\hidires not found!
Deletion of folder F:\Documents and Settings\User\Dati applicazioni\hidires failed!

Could not process line:
F:\Documents and Settings\User\Dati applicazioni\hidires
Status: 0xc0000034



Folder F:\WINDOWS\exefld not found!
Deletion of folder F:\WINDOWS\exefld failed!

Could not process line:
F:\WINDOWS\exefld
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK deleted successfully.


Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
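Reading the Avenger log above by hand, the useful distinction is between "was not there" and "could not remove": every file, folder and key in Luke57's script except one came back with Status 0xc0000034, which is STATUS_OBJECT_NAME_NOT_FOUND (the object did not exist when Avenger ran, so nothing blocked the deletion), while the LEGACY_M_HOOK enum key was the single item actually deleted. The script below is an added example written for this thread, not code from the forum or from Avenger: it parses the success and failure blocks of an Avenger log, attaches each Status line to the failure it belongs to, decodes the NTSTATUS codes it knows from ntstatus.h, and tallies the outcomes. The sample log is a lightly condensed excerpt of robbyfire's log, embedded so the example runs offline; the "Registry value ... deleted successfully." pattern is an assumption about Avenger's wording, since only the file/folder/key forms appear in the posted log.

```python
"""Summarize an Avenger run log (added example for this thread)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# NTSTATUS values from the Windows SDK ntstatus.h; only the codes a removal
# script commonly returns are listed, anything else is shown in hex.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
    0xC0000121: "STATUS_CANNOT_DELETE",
}
NOT_PRESENT = {0xC0000034, 0xC000003A}   # "already gone", not "blocked"

# Condensed excerpt of the log posted above (constructed for offline use).
SAMPLE_LOG = r"""
Logfile of The Avenger version 1, by Swandog46

File F:\WINDOWS\system32\wintems.exe not found!
Deletion of file F:\WINDOWS\system32\wintems.exe failed!

Could not process line:
F:\WINDOWS\system32\wintems.exe
Status: 0xc0000034

File F:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file F:\WINDOWS\system32\hldrrr.exe failed!
Status: 0xc0000034

Folder F:\Documents and Settings\User\Dati applicazioni\hidires not found!
Deletion of folder F:\Documents and Settings\User\Dati applicazioni\hidires failed!
Status: 0xc0000034

Folder F:\WINDOWS\exefld not found!
Deletion of folder F:\WINDOWS\exefld failed!
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook failed!
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK deleted successfully.

Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034

Completed script processing.
"""

# "Registry value ... deleted successfully." is assumed; the posted log only
# shows the file, folder and registry-key success/failure forms.
OK_RE = re.compile(r"^(File|Folder|Registry key|Registry value) (.+) deleted successfully\.$")
FAIL_RE = re.compile(r"^Deletion of (file|folder|registry key|registry value) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: 0x([0-9A-Fa-f]{8})$")


@dataclass
class Result:
    kind: str
    target: str
    ok: bool
    status: Optional[int] = None

    @property
    def status_name(self) -> str:
        if self.status is None:
            return "-"
        return NTSTATUS.get(self.status, f"0x{self.status:08X}")

    @property
    def outcome(self) -> str:
        if self.ok:
            return "deleted"
        if self.status in NOT_PRESENT:
            return "not present"
        return "failed"


def parse_avenger_log(text: str) -> List[Result]:
    """One Result per scripted item; a Status line binds to the preceding failure."""
    results: List[Result] = []
    pending: Optional[Result] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = OK_RE.match(line)
        if m:
            results.append(Result(m.group(1).lower(), m.group(2), True))
            continue
        m = FAIL_RE.match(line)
        if m:
            pending = Result(m.group(1), m.group(2), False)
            results.append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending.status = int(m.group(1), 16)
            pending = None
    return results


def summarize(results: List[Result]) -> Counter:
    return Counter(r.outcome for r in results)


def report(results: List[Result]) -> List[str]:
    return [f"{r.outcome:12} {r.kind:15} {r.status_name:30} {r.target}" for r in results]


if __name__ == "__main__":
    rs = parse_avenger_log(SAMPLE_LOG)
    print("\n".join(report(rs)))
    print(dict(summarize(rs)))
```

On the posted log this gives six "not present" items and one "deleted"; a "failed" row with STATUS_ACCESS_DENIED or STATUS_SHARING_VIOLATION would instead mean something still holds the object open or protects it, which is the case where a boot-time tool like Avenger earns its keep.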

Post by robbyfire » 13/03/07 12:32

I re-ran the scan from the Autostart position, since you had noted there was little information... Now there is something more:

GMER 1.0.12.12086 - http://www.gmer.net
Autostart scan 2007-03-13 12:27:18
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = F:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
MDM /*Machine Debug Manager*/@ = "F:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\System32\nvsvc32.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = F:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = F:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NvCplDaemonRUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup = RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
@NvMediaCenterRUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
@EPSON Stylus Photo R200 SeriesF:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200" = F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/F:\WINDOWS\system32\nvcpl.dll = F:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/F:\WINDOWS\system32\nvshell.dll = F:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/F:\WINDOWS\system32\nvshell.dll = F:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/F:\WINDOWS\system32\nvshell.dll = F:\WINDOWS\system32\nvshell.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/F:\WINDOWS\System32\twext.dll = F:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/F:\WINDOWS\System32\twext.dll = F:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/F:\WINDOWS\System32\extmgr.dll = F:\WINDOWS\System32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/F:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = F:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/F:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = F:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/F:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = F:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/F:\Programmi\Microsoft Office\OFFICE11\msohev.dll = F:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{EA588C8B-066E-4220-91D5-F921AA603DF4} /*NOMAD MuVoShell Hook*/MuVoh.dll = MuVoh.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/(null) =
@{792F0537-F929-4eb7-AC1D-FB6334C71550} /*LG Phone*/(null) =
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/F:\Programmi\WinRAR\rarext.dll = F:\Programmi\WinRAR\rarext.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/F:\PROGRA~1\WINZIP\WZSHLSTB.DLL = F:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/F:\PROGRA~1\WINZIP\WZSHLSTB.DLL = F:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/F:\PROGRA~1\WINZIP\WZSHLSTB.DLL = F:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/F:\PROGRA~1\WINZIP\WZSHLSTB.DLL = F:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/F:\Programmi\Real\RealPlayer\rpshell.dll = F:\Programmi\Real\RealPlayer\rpshell.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/F:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = F:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/F:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = F:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/F:\WINDOWS\System32\nvcpl.dll = F:\WINDOWS\System32\nvcpl.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/F:\Programmi\Avast4\ashShell.dll = F:\Programmi\Avast4\ashShell.dll
@{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A} /*PhoneBrowser*/F:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = F:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = F:\Programmi\Avast4\ashShell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = F:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = F:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = F:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = F:\Programmi\Avast4\ashShell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = F:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = F:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}F:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = F:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{22BF413B-C6D2-4d91-82A9-A0F997BA588C}F:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL = F:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
@{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}F:\Programmi\MegauploadToolbar\megauploadtoolbar.dll = F:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}f:\programmi\google\googletoolbar4.dll = f:\programmi\google\googletoolbar4.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = F:\WINDOWS\System32\scrnsave.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageF:\WINDOWS\system32\blank.htm = F:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = F:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = F:\WINDOWS\system32\msvidctl.dll
its@CLSID = F:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = F:\WINDOWS\System32\itss.dll
ms-itss@CLSID = F:\Programmi\File comuni\Microsoft Shared\Information Retrieval\msitss.dll
msero@CLSID = F:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\MSERO.DLL
mso-offdap@CLSID = F:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = F:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
skype4com@CLSID = F:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
tv@CLSID = F:\WINDOWS\system32\msvidctl.dll
wia@CLSID = F:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll

F:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = DSLMON.lnk

---- EOF - GMER 1.0.12 ----

Post by Luke57 » 13/03/07 12:37

Hi, the only entry attributable to Bagle was the one Avenger deleted.
Can you get into Safe Mode?

Post by robbyfire » 13/03/07 13:02

Yes, I can get into Safe Mode, I checked. Before, I couldn't unless I ran that file that restores Safe Mode. I had also put up a second post about gmer from the Autostart mode, a longer one this time; I don't know if you saw it... Luke, I don't know how to thank you for taking an interest in my nasty problem

Post by Luke57 » 13/03/07 13:12

Hi, yes, I saw it; it looks fine to me, with no trace of Bagle.

Post by robbyfire » 13/03/07 13:23

So do I need to do anything else now?
