Win32.Bagle.SUQ@mm

Re: Win32.Bagle.SUQ@mm

Post by casconero » 27/03/10 11:27

Luke57 wrote: Hi, download Combofix directly to the desktop from the following link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

- disconnect from the internet
- disable your antivirus
- run ComboFix.exe
- do not install the RECOVERY CONSOLE when asked
- do not interfere with the program's scan
- when the scan is finished, go to C:\ and copy/paste here on the forum the log contained in the file Combofix.txt

BYE
First of all I'd like to apologise to Shel, I made two posts because I thought they were two separate problems :(
I did as you said, Luke, here is the result it gives me:

ComboFix 09-05-06.05 - Elvira 27/03/2010 11.08.13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.3071.2469 [GMT 1:00]
Eseguito da: c:\documents and settings\Elvira\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
- MODALITÀ CON FUNZIONALITÀ RIDOTTE -
.

((((((((((((((((((((((((( Files Creati Da 2010-02-27 al 2010-03-27 )))))))))))))))))))))))))))))))))))
.

2010-03-27 07:44 . 2010-03-27 07:44 -------- d-----w c:\windows\LastGood
2010-03-26 22:22 . 2010-03-26 22:22 -------- d-----w c:\windows\system32\KB905474
2010-03-26 22:17 . 2010-03-26 22:17 -------- d-----w c:\programmi\MSXML 4.0
2010-03-26 15:14 . 2009-12-09 10:07 2192896 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2010-03-26 15:14 . 2009-12-09 10:07 2148864 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2010-03-26 15:14 . 2009-12-09 10:07 2027520 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2010-03-26 14:54 . 2009-12-04 18:22 455424 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2010-03-26 14:02 . 2008-06-14 17:32 272768 -c----w c:\windows\system32\dllcache\bthport.sys
2010-03-26 14:02 . 2008-06-14 17:32 272768 ------w c:\windows\system32\drivers\bthport.sys
2010-03-25 15:43 . 2009-08-06 18:23 215920 ----a-w c:\windows\system32\muweb.dll
2010-03-25 15:43 . 2009-08-06 18:23 274288 ----a-w c:\windows\system32\mucltui.dll
2010-03-25 14:13 . 2010-03-25 14:13 -------- d-----w C:\Program Files
2010-03-25 10:31 . 2010-03-25 10:31 -------- d-----w c:\documents and settings\LocalService\Dati applicazioni\SACore
2010-03-25 10:23 . 2010-03-25 10:29 -------- d-----w c:\programmi\FindyKill
2010-03-25 10:14 . 2010-03-25 10:14 -------- d-----w c:\programmi\CCleaner
2010-03-25 09:35 . 2010-03-25 09:35 -------- d-----w c:\documents and settings\Elvira\Dati applicazioni\Malwarebytes
2010-03-25 09:35 . 2010-01-07 15:07 38224 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-25 09:35 . 2010-03-25 09:35 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2010-03-25 09:35 . 2010-01-07 15:07 19160 ----a-w c:\windows\system32\drivers\mbam.sys
2010-03-25 09:35 . 2010-03-25 09:35 -------- d-----w c:\programmi\Malwarebytes' Anti-Malware
2010-03-25 09:21 . 2010-03-25 09:21 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\SiteAdvisor
2010-03-25 09:18 . 2009-11-11 10:14 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2010-03-25 09:18 . 2009-11-11 10:14 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2010-03-25 09:18 . 2009-11-11 10:14 79816 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2010-03-25 09:17 . 2009-07-16 11:32 120136 ----a-w c:\windows\system32\drivers\Mpfp.sys
2010-03-25 09:17 . 2010-03-25 09:18 -------- d-----w c:\programmi\File comuni\McAfee
2010-03-25 09:17 . 2010-03-25 09:17 -------- d-----w c:\programmi\McAfee.com
2010-03-25 09:17 . 2010-03-26 13:25 -------- d-----w c:\programmi\McAfee
2010-03-25 09:16 . 2009-11-11 10:14 34248 ----a-w c:\windows\system32\drivers\mferkdk.sys
2010-03-25 08:06 . 2010-03-25 08:06 130 ----a-w C:\fix.reg
2010-03-24 23:09 . 2010-03-24 07:40 231804 ----a-w c:\documents and settings\Elvira\Impostazioni locali\Dati applicazioni\qlvqav_nav.dat
2010-03-24 23:09 . 2010-03-25 10:24 3854 ----a-w c:\documents and settings\Elvira\Impostazioni locali\Dati applicazioni\qlvqav_navps.dat
2010-03-24 23:09 . 2010-03-25 10:24 3367 ----a-w c:\documents and settings\Elvira\Impostazioni locali\Dati applicazioni\qlvqav.dat
2010-03-24 21:27 . 2010-03-24 21:27 -------- d-----w c:\programmi\Panda Security
2010-03-24 21:10 . 2010-03-24 22:54 -------- d-----w c:\documents and settings\Elvira\Dati applicazioni\QuickScan
2010-03-24 20:19 . 2010-03-25 12:38 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\McAfee
2010-03-24 19:59 . 2010-03-24 20:59 -------- d-----w c:\programmi\ESET
2010-03-24 16:00 . 2010-03-25 10:08 -------- d--h--w c:\documents and settings\Elvira\Dati applicazioni\drivers
2010-03-20 13:15 . 2010-03-25 17:00 -------- d-----w c:\programmi\Easy Catalog
2010-03-15 09:39 . 2008-05-02 10:49 62976 -c----w c:\windows\system32\dllcache\cdrom.sys
2010-03-15 09:39 . 2008-05-02 13:25 466944 -c----w c:\windows\system32\dllcache\imapi2fs.dll
2010-03-15 09:39 . 2008-05-02 13:25 466944 ------w c:\windows\system32\imapi2fs.dll
2010-03-15 09:39 . 2008-05-02 13:25 318464 -c----w c:\windows\system32\dllcache\imapi2.dll
2010-03-15 09:39 . 2008-05-02 13:25 318464 ------w c:\windows\system32\imapi2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 07:44 . 2001-08-31 18:00 69568 ----a-w c:\windows\system32\perfc010.dat
2010-03-27 07:44 . 2001-08-31 18:00 437272 ----a-w c:\windows\system32\perfh010.dat
2010-03-25 17:00 . 2009-06-01 12:23 23568 ----a-w c:\documents and settings\Elvira\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2010-03-25 16:56 . 2009-09-19 21:47 -------- d-----w c:\programmi\Microsoft Silverlight
2010-03-25 12:07 . 2009-06-01 12:23 -------- d-----w c:\programmi\Mozilla Thunderbird
2010-03-25 11:33 . 2009-06-01 12:24 -------- d-----w c:\programmi\Windows Live
2010-01-30 18:43 . 2009-06-01 13:06 -------- d-----w c:\programmi\Google
2009-12-31 16:50 . 2008-04-13 12:15 353792 ----a-w c:\windows\system32\drivers\srv.sys
2009-12-31 11:32 . 2009-12-31 11:08 18030130 ----a-w c:\programmi\vlc-1.0.3-win32.exe
2009-06-21 08:01 . 2009-06-21 07:51 26165144 ----a-w c:\programmi\AdbeRdr910_it_IT.exe
.

------- Sigcheck -------

[-] 2009-06-01 12:33 510464 90F406811EE1EEE294792D00E21CA16C c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-01 39408]
"Mobile Partner"="c:\programmi\3 Internet\3 Internet.exe" [2009-06-03 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2010-03-25 209153]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-30 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
"CameraFixer"="c:\windows\CameraFixer.exe" [2005-12-06 20480]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"mcagent_exe"="c:\programmi\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-02-13 16857600]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-04-30 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\File comuni\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\programmi\McAfee\SiteAdvisor\McSACore.exe [25/03/2010 10.20.09 93320]
R2 SeaPort;SeaPort;c:\programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [19/05/2009 11.36.18 240512]
R2 uvnc_service;uvnc_service;c:\programmi\UltraVNC\winvnc.exe [01/06/2009 13.46.40 1519168]
R3 camfilt2;camfilt2;c:\windows\system32\drivers\camfilt2.sys [19/07/2009 18.36.20 98432]
R3 PAC7302;Hercules Classic Link;c:\windows\system32\drivers\PAC7302.SYS [19/07/2009 18.36.20 457984]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S2 gupdate1c9e2b9dc08b99a;Servizio di Google Update (gupdate1c9e2b9dc08b99a);c:\programmi\Google\Update\GoogleUpdate.exe [01/06/2009 14.07.04 133104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{012f3b38-748a-11de-8b5f-0021851af9d8}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{675ed55a-503e-11de-8b0a-0021851af9d8}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ad9c72b-4ed6-11de-8b02-0021851af9d8}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ad9c72c-4ed6-11de-8b02-0021851af9d8}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
.
Contenuto della cartella 'Scheduled Tasks'

2010-03-27 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-01 13:06]

2010-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-01 13:07]

2010-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-06-01 13:07]

2010-03-25 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-25 11:22]

2010-03-25 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-25 11:22]

2010-03-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-03-26 21:18]
.
.
------- Scansione supplementare -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {DC140413-1533-4B67-B532-013BC3F035B4} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Elvira\Dati applicazioni\Mozilla\Firefox\Profiles\652ua3z7.default\
FF - prefs.js: browser.startup.homepage - www.google.it
FF - component: c:\documents and settings\Elvira\Dati applicazioni\Mozilla\Firefox\Profiles\652ua3z7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\programmi\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Elvira\Dati applicazioni\Mozilla\Firefox\Profiles\652ua3z7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\programmi\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programmi\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\programmi\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 11:08
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(2440)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Ora fine scansione: 2010-03-27 11.09.16
ComboFix-quarantined-files.txt 2010-03-27 10:09

Pre-Run: 461.448.622.080 byte disponibili
Post-Run: 461.537.284.096 byte disponibili

199 --- E O F --- 2010-03-26 22:23


thanks a lot for your help!!!!

Bye everyone (especially Shel and Luke :D )
casconero
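A small triage script for the ComboFix output above, added here as an example and not part of the thread or of ComboFix itself: it parses the registry section the way the log prints it and flags the mountpoints2 AutoRun entries (a RECYCLER path, a second rundll32 launched through ShellExec_RunDLL, a non-.dll file handed to rundll32) plus the Security Center and firewall-policy values that deserve a second look. The sample input is constructed from lines of the log above; the heuristics and severities are this example's own assumptions, not ComboFix rules.

```python
import re

# Constructed sample: entries copied in shape from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{012f3b38-748a-11de-8b5f-0021851af9d8}]
\Shell\AutoRun\command - E:\AutoRun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ad9c72b-4ed6-11de-8b02-0021851af9d8}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
"""

def parse_reg_blocks(text):
    """Split ComboFix's REGEDIT4-style dump into (key, [value lines]) pairs."""
    blocks, key, values = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                blocks.append((key, values))
            key, values = line[1:-1], []
        elif line and key is not None:
            values.append(line)
    if key is not None:
        blocks.append((key, values))
    return blocks

def triage_autorun(cmd):
    """Heuristics (assumed, not ComboFix's) for one mountpoints2 AutoRun command."""
    lcmd, hits = cmd.lower(), []
    if "\\recycler\\" in lcmd:
        hits.append(("high", "AutoRun launches a file from a RECYCLER folder"))
    if "shellexec_rundll" in lcmd and lcmd.count("rundll32") >= 2:
        hits.append(("high", "second rundll32 launched through ShellExec_RunDLL, a common AutoRun obfuscation"))
    m = re.search(r"(\S+),\w+$", cmd)  # rundll32 argument of the form "file,export"
    if m and not m.group(1).lower().endswith(".dll"):
        hits.append(("medium", "rundll32 loads a non-.dll file: " + m.group(1)))
    return hits or [("info", "removable-drive AutoRun: " + cmd)]

def triage(text):
    """Return (severity, registry key, reason) for every noteworthy entry in the dump."""
    findings = []
    for key, values in parse_reg_blocks(text):
        lkey = key.lower()
        for v in values:
            if "mountpoints2" in lkey and v.lower().startswith("\\shell\\autorun\\command - "):
                findings += [(s, key, why) for s, why in triage_autorun(v.split(" - ", 1)[1])]
            elif "security center\\monitoring" in lkey and v.lower() == '"disablemonitoring"=dword:00000001':
                findings.append(("review", key, "Security Center monitoring disabled; expected only if a third-party suite registered itself"))
            elif lkey.endswith("firewallpolicy\\standardprofile") and re.match(r'"enablefirewall"=\s*0\b', v.lower()):
                findings.append(("review", key, "Windows Firewall off for the standard profile; confirm the third-party firewall covers it"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the findings in log order; the two "review" items are normal when a third-party suite such as McAfee is installed, while the RECYCLER AutoRun command is the one to act on.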

Re: Win32.Bagle.SUQ@mm

Post by casconero » 27/03/10 11:33

Greeeeeeeeeeeeeeeeat :)
after doing everything as you said, Luke (and also what Shel had told me in the other post) I tried to install Windows Live Messenger....

IT INSTALLED!!

Now I don't know whether there are other problems (maybe you can tell from the .txt file I posted) anyway... THANKS!!
How can I repay you???

Bye and have a good Sunday!!!!
Michael

Re: Win32.Bagle.SUQ@mm

Post by Luke57 » 27/03/10 14:43

Hi, one last thing. Download NAVILOG:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe

Put it on the desktop and install it. Once installed, close all running applications and launch the program.
Choose the language (English, since Italian is not available).
Press Enter several times until you reach the action choice.
Choose option no. 1, Search (key 1 on the keyboard), and press ENTER.
The tool will scan the PC and automatic removal of the malicious entries will start; it takes a variable time depending on the degree of infection and creates a report of the actions performed. The computer may restart, and after the restart it may continue deleting any infected entries.
When finished, post the report created in C:\fixnavi.txt.

Re: Win32.Bagle.SUQ@mm

Post by casconero » 27/03/10 16:39

There, I did everything as you said!

Fix Navipromo version 4.0.8 began on 27/03/2010 16.24.37,25

!!! Warning, this report may include legitimate files/programs!!!
!!! Post this report on the forum you are being helped !!!

Fix running from C:\navilog1

Updated on 09.03.2010 at 18h00 by IL-MAFIOSO

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Processore Intel Pentium III Xeon )
BIOS : Default System BIOS
USER : Elvira ( Administrator )
BOOT : Normal boot

Antivirus : McAfee VirusScan (Activated)
Firewall : McAfee Personal Firewall (Activated)

C:\ (Local Disk) - NTFS - Total:465 Go (Free:429 Go)
D:\ (CD or DVD)
F:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)
G:\ (USB)


Search done in normal mode

Cleanning stage done on Reboot


c:\docume~1\elvira\impost~1\datiap~1\qlvqav.dat deleted !
c:\docume~1\elvira\impost~1\datiap~1\qlvqav_nav.dat deleted !
c:\docume~1\elvira\impost~1\datiap~1\qlvqav_navps.dat deleted !


Cleaning of C:\WINDOWS\Temp done !
Cleaning of C:\Documents and Settings\Elvira\impost~1\Temp done !


*** Copy Registry to Safebackup folder ***

Backing up Registry done !

*** Cleaning Registry ***

Registry cleaned successfully




*** Scan completed 27/03/2010 16.35.30,62 ***


thanks a lot!!! have a good Sunday!! bye!
casconero
