
New Bagle?

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

New Bagle?

Post by zagii » 11/10/09 10:32

Hi everyone,
I have a problem with my PC. I must have caught a nasty version of Bagle, because doing the same operations as last time (Oct. 08), this time I can't get rid of it... so I'm asking for help.
What does the PC do? It won't let me load antivirus software (like Avira and HijackThis) and it's also very slow, with the CPU running close to 100%. I should say this happened after I downloaded a file from eMule.
I ran a scan with ComboFix, which found two files (autoupdate32.exe and autoupdate33.exe) that I deleted like last time.
I ran a scan with Malwarebytes, which found 320 infections! After deleting them the problem is still there.
My question: is there something that can be done, or do I need to format? How can I save my data and still be sure it isn't infected?
OS Windows XP with SP2 and 512 MB of RAM.
Obviously I thank in advance whoever gives me some hope....
Best regards to all
zagii
Junior Member

Posts: 96
Joined: 06/10/05 21:32


Re: New Bagle?

Post by shel » 11/10/09 11:00

hi

instead of downloading cracks from eMule, try downloading this program

http://dc108.4shared.com/download/75022 ... 1-de3379fb

Once installed, close all running applications and disconnect from the internet, then click the FindyKill icon and, in the DOS window that opens, type 2 and press Enter. Wait for the scan to finish and post here the log you find in C:\FindyKill.txt

Also run this

download this little program... the download is at the bottom of the page http://www.zonavirus.com/datos/descarga ... ibagla.asp

launch the program and check ''ELIMINAR FICHEROS AUTOMATICAMENTE''

click EXPLORAR to start the scan


when it has finished go to C:\ and save the log, which you will post here in the forum


download this progr
shel
Senior Member

Posts: 1326
Joined: 29/08/08 21:56

Re: New Bagle?

Post by zagii » 11/10/09 13:05

As requested, I'm posting the two files after scanning with the two programs you indicated (I think we're on the right track, because after the first scan the CPU started to "breathe"!!)
:P :P



----------------- FindyKill V4.707 ------------------

* User : Zancanella - FALCO
* executed from : C:\Programmi\FindyKill
* Update on 06/12/08 par Chiquitine29
* Start at 12:34:14 the 2009-10-11
* Windows XP - Internet Explorer 6.0.2900.2180


((((((((((((((( *** deleting *** ))))))))))))))))))


--------------- [ Active Processes ] ----------------


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmi\Windows Live\Family Safety\fsssvc.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Programmi\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Programmi\PC Tools Firewall Plus\FWService.exe
C:\Programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

--------------- [ Infected files / folders ] ----------------


»»»» Supression files in C:


»»»» Supression files in C:\WINDOWS


»»»» Supression files in C:\WINDOWS\Prefetch

Deleted ! - C:\WINDOWS\prefetch\200277.EXE-2150B1FA.pf
Deleted ! - C:\WINDOWS\prefetch\206777.EXE-05DACD4B.pf
Deleted ! - C:\WINDOWS\prefetch\234176.EXE-2A51930D.pf
Deleted ! - C:\WINDOWS\prefetch\244832.EXE-16A8EA7C.pf
Deleted ! - C:\WINDOWS\prefetch\247205.EXE-37292888.pf
Deleted ! - C:\WINDOWS\prefetch\348180.EXE-31CF8344.pf
Deleted ! - C:\WINDOWS\prefetch\353838.EXE-1C775297.pf
Deleted ! - C:\WINDOWS\prefetch\366907.EXE-37CFAFC5.pf
Deleted ! - C:\WINDOWS\prefetch\374959.EXE-04FC8859.pf
Deleted ! - C:\WINDOWS\prefetch\377472.EXE-059E35D4.pf
Deleted ! - C:\WINDOWS\prefetch\384502.EXE-12E2CBAA.pf
Deleted ! - C:\WINDOWS\prefetch\399143.EXE-15316CE1.pf
Deleted ! - C:\WINDOWS\prefetch\411301.EXE-0E07C91B.pf
Deleted ! - C:\WINDOWS\prefetch\420164.EXE-0BD0B10B.pf
Deleted ! - C:\WINDOWS\prefetch\451208.EXE-38572A21.pf
Deleted ! - C:\WINDOWS\prefetch\FLEC006.EXE-006D0A93.pf
Deleted ! - C:\WINDOWS\prefetch\MDELK.EXE-36F88B27.pf
Deleted ! - C:\WINDOWS\prefetch\WINTEMS.EXE-340A47D1.pf

»»»» Supression files in C:\WINDOWS\system32

Deleted ! - C:\WINDOWS\system32\mdelk.exe
Deleted ! - C:\WINDOWS\system32\wintems.exe

»»»» Supression files in C:\WINDOWS\system32\drivers

Deleted ! - C:\WINDOWS\system32\drivers\srosa.sys
Deleted ! - C:\WINDOWS\system32\drivers\srosa2.sys

»»»» Supression files in C:\Documents and Settings\Zancanella\Dati applicazioni

Deleted ! - "C:\Documents and Settings\Zancanella\Dati applicazioni\m\flec006.exe"
Deleted ! - "C:\Documents and Settings\Zancanella\Dati applicazioni\m\list.oct"
Deleted ! - "C:\Documents and Settings\Zancanella\Dati applicazioni\m\data.oct"
Deleted ! - "C:\Documents and Settings\Zancanella\Dati applicazioni\m\srvlist.oct"
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\.NET Document 2 Text Converter DLL 1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\1 Smart PDF Converter Pro 4.2.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\1-ACT_Computer_Spy_2006_1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\3D Eagle Mountain Lake 1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\3DRotationMenu 1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\3D_Bunnies_and_Jelly_Beans_1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\4D Keeper 1.4.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\4t_Calendar_Reminder_MP3_2.21_Serial.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Abassis_Finance_Manager_1.3.0.108.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\AdeptSQL Diff 1.96 Build 95.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Advanced RSS Publisher Professional 3.1.67.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Aplus DVD Ripper 8.87.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Arts_PDF_Stamper_3.0_[Crack].zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\AutoPlay me for Word 2.0.4.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\AVG.Antivirus.Pro.v7.0.240(Incl.Working.SN).zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Barcelona Traffic 1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Bats 1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Battlefield_1942_-_Huey_v1.3_mod.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\BC_Excel_Server_2006_Complete_Standard_Edition_with_MSDE2000_6.7.8_Serial.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Birthday Agent 1.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Buy Estate toolbar for Firefox 1.5.0.6.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\BYOJeopardy 1.2.12.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Canada Map Locator 1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\CESLogFile_1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Chinese_Symbol_Studio_2.3.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\ClipCount Cut and Paste Word Count 2.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Create_A_Quiz_5.16.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\CSS_Design_Lab_0.3_Beta.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\CTI Data Connector 2.4.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Cup_o'_Joe_Factor_calculator_1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\dotXSL_3.0.6.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Dr. DivX (Three Step DivX Encoding App) 2.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Dreadlock Privacy 5.0 [Serial].zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Driv3r_demo.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Driver Magician 3.45.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\DVW Search 1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\EdgeSounds_RatHole_Media_Archiver_3.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Email_Investigator_Lite_1.0.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\EMS SQL Management Studio for SQL Server 1.2.0.2.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\EMS_Data_Generator_2005_for_DB2_2.3.0.3_[Patch].zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Engraver 1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Envelopes From Outlook 1.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Excel_Switch_First_Last_Name_Order_Software_7.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\FileSalvage 5.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\FileSpy NT 2.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Firefox Preloader 1.0 build 366.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Font Generator 1-50d.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\FrAid_1.4.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Freebyte Task Scheduler 1.4.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Freestyle 2.2.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Global Trade Poster 5.1.1.808.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\habanaim 1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Half-Life_2_Empires_mod_1.0_beta.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\HandyFind_2.0.6.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Harley Davidson 1.6.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\HDC_Pop_1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Hockey_Pro_2006_2.2.2684.29688_[KeyGen].zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\How_To_Do_It_1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\HTML_Executable_3.2.2.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Hyperprism_Free_Plug-Ins_2.5.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\iCarousels_Visual_Web_01.02.08.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\IconLab.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Icon_Tray_9.0.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\iDoc Writer 1.2.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\inBookmarks 1.57 Build 207.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Internet_Optimizer_1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\iView Catalog Reader 3.1.2 Build 42D5.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\JEXECreator_1.9.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Joy DVD Ripper 1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Keno_Expert_USA_2.0.97.28.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Kodak_DX6440_Firmware_Update_1.0.2.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Leithauser_Research_EBook_Reader_-_The_Forbidden_Gospels_and_Epistles_1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\LingvoSoft Suite 2008 English - Hungarian 2.1.28.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Live Backyard Birdcam 2.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\LoopBe1_1.2.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Mareblu_1.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\MeetingSense_2.0_[Cracked].zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Merge Cells Wizard 2.2.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\MetriScope_(with_Windows_Pack)_3.2.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\MixPad Audio Mixer 1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Motion_1.0.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\MotoBlaze 1.42.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\MovieShop Framer 1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\NewView_Graphics'_File_Viewer_7.2.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Nox_-_Deathtrap_map.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Obsidian_Menu_1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\OlapX Application 3.3.0.156.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\PCL_Logo_Fonts.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\PDF_Split_Merge_ActiveX_2.0.2007.718_[Patch].zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\PEST 3.12.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\PGA_Championship_Golf_1999_demo.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\PhotoFiltre_9.0.0_(Patch).zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Pic-Matic_1.0_(Key+Serial).zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\PointCapture_1.0_[KeyGen].zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\PointeCast_Publisher_4.7.0.298.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Polaroid Picture 1.6.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\PowerPoint Password Recovery 2.1.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Presentation Pointer 0.1 alpha.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\PresSTORE 2.3.123.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\PrivacySafer_2007_(Key+Serial).zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Prochain RER 2.3.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\ProjectTracking.NET_2.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\RandTag_1.2.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\RBTray 3.3.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\RepView_1.50.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\RiffMaster Pro 3.0.19.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Shuffle Radio Tuner 1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Site Watcher 1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\SourceSafe Reporter 2.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Supervisor_Plus_1.7_Serial.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\SWExplorerAutomation 1.9.1.2.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\TeamTrack 5.8.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Twin_Files_(Lite)_1.3.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Unique Filer 2.01b.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Unreal_Tournament_2004_Deathball_mod_2.1.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Validator_1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Videocharge Express 3.16.5.7.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\VideoODwak 1.6.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Virtual_Sandbox_2.0_Build_209_(Patch).zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Wadja_Mobile_Editor_1.0.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\WAPT 5.0 (Patch).zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\WebNews.TV 1.0.6.20 (Serial).zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Western_Digital_Data_Lifeguard_Tools_11.2.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Winamp Essentials Pack 5.55.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\WOL_1.0.3.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Wondershare Ripper Pack Platinum 3.0.19.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\xSQL Object Command Line 3.0.1.5.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\YASA AVI WMV MOV VOB to WMA Converter 3.2.44.1939.zip
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\Zune conversion tool 3.35.zip
Deleted ! - "C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared"
Deleted ! - "C:\Documents and Settings\Zancanella\Dati applicazioni\m"
Deleted ! - "C:\Documents and Settings\Zancanella\Dati applicazioni\hidires\flec003.exe"
Deleted ! - "C:\Documents and Settings\Zancanella\Dati applicazioni\hidires"

»»»» Supression files in C:\DOCUME~1\ZANCAN~1\IMPOST~1\Temp


»»»» Supression files in C:\Documents and Settings\Zancanella\Local Settings\Temporary Internet Files\Content.IE5

Deleted ! - C:\Documents and Settings\All Users\Dati applicazioni\Skype\Plugins\Local Cache\D3987B641C134048B815DB578D607F42_more.jpg

--------------- [ Registry / Infected keys ] ----------------

Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Deleted ! - HKEY_USERS\S-1-5-21-1085031214-507921405-839522115-1004\Software\Local AppWizard-Generated Applications\flec006
Deleted ! - HKEY_USERS\S-1-5-21-1085031214-507921405-839522115-1004\Software\Local AppWizard-Generated Applications\hldrrr
Deleted ! - HKEY_USERS\S-1-5-21-1085031214-507921405-839522115-1004\Software\Local AppWizard-Generated Applications\install_patch
Deleted ! - HKEY_USERS\S-1-5-21-1085031214-507921405-839522115-1004\Software\Local AppWizard-Generated Applications\mdelk
Deleted ! - HKEY_USERS\S-1-5-21-1085031214-507921405-839522115-1004\Software\Local AppWizard-Generated Applications\nideiect

--------------- [ States / Restarting of services ] ----------------

+- Safe boot mode restored !


+- Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - Type of startup = 3

Ip6Fw - Type of startup = 2

SharedAccess - Type of startup = 2

wuauserv - Type of startup = 2

wscsvc - Type of startup = 2


--------------- [ Cleaning removable drives ] ----------------

+- Informations :

C: - Unità fissa
+- deleting files :


--------------- [ Registry / Mountpoint2 ] ----------------


-> Not found !


--------------- [ Searching Cracks / Keygen ] ----------------

C:\Documents and Settings\Zancanella\Recent\crack.lnk
C:\Documents and Settings\All Users\Dati applicazioni\IncrediMail\Data\Sound\tchaikovsky_the_nutcracker.imw


---------------- ! End of report ! ------------------


And this is the second report, from the second program (to be clear, the Spanish one)


(11-10-2009 11:38:22)
EliBagle v12.98 (c)2009 S.G.H. / Satinfo S.L. (Actualizado el 7 de Octubre del 2009)
----------------------------------------------
Lista de Acciones (por Acción Directa):
Por favor, envienos una muestra del fichero
C:\Muestras\WINUPGRO.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\WINUPGRO.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\SROSA2.SYS --> Eliminado Bagle(rootkit)
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\WFSINTWQ.SYS --> Eliminado Bagle(rootkit)
Por favor, envienos una muestra del fichero
C:\Muestras\1419060.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\1419060.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\1421934.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\1421934.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\1436105.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\1443545.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\1450505.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\1450505.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\1455362.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\1455362.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\146029.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\146029.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\149374.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\149374.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\163034.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\181841.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\186027.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\186027.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\188881.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\188881.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\198795.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\198795.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\208890.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\211884.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\211884.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\217763.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\217763.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\225454.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\230301.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\230301.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\242358.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\246644.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\246644.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\252322.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\252322.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\255717.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\258521.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\258521.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\261145.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\270589.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\273863.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\273863.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\454173.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\454173.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\457778.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\457778.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\467752.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\474131.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\479249.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\479249.EXE --> Eliminado Bagle
Por favor, envienos una muestra del fichero
C:\Muestras\492748.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\492748.EXE --> Eliminado Bagle

(11-10-2009 11:39:52)
EliBagle v12.98 (c)2009 S.G.H. / Satinfo S.L. (Actualizado el 7 de Octubre del 2009)
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando "C:\"
C:\Qoobox\Quarantine\C\Documents and Settings\Zancanella\Dati applicazioni\m\DATA.OCT.VIR --> Eliminado Bagle.dldr
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\HLDRRR.EXE.VIR --> Eliminado Bagle.dldr
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\MDELK.EXE.VIR --> Eliminado Bagle.dldr
C:\unzipped\CAD6_Studio_2006(2)\INSTALL_PATCH.EXE --> Eliminado Bagle.dldr

Nº Total de Directorios: 9540
Nº Total de Ficheros: 66548
Nº de Ficheros Analizados: 14577
Nº de Ficheros Infectados: 4
Nº de Ficheros Limpiados: 4

Awaiting a reply, best regards
zagii
Junior Member

Posts: 96
Joined: 06/10/05 21:32
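As an added illustration (not code from the thread or from either tool), a small Python triage script that parses the two log formats posted above, FindyKill's "Deleted ! -" lines and EliBagle's "--> Eliminado" lines, and groups what was removed by where it lived, so a helper can tell live persistence (service key, .sys driver, dropper directory) from leftovers the tools themselves created. The category labels are this example's own, and the sample lines are a constructed excerpt in the shape of the logs in this post.

```python
"""Triage helper for the FindyKill and EliBagle logs posted in this thread.

Added example: not part of the thread and not code from either tool. The
category labels are this example's own; the samples below are constructed
excerpts in the shape of the two logs.
"""
import re
from collections import defaultdict

# Constructed excerpt of a FindyKill "deleting" log (line shapes copied from the post).
FINDYKILL_SAMPLE = r"""
»»»» Supression files in C:\WINDOWS\system32
Deleted ! - C:\WINDOWS\system32\mdelk.exe
Deleted ! - C:\WINDOWS\system32\wintems.exe
»»»» Supression files in C:\WINDOWS\system32\drivers
Deleted ! - C:\WINDOWS\system32\drivers\srosa.sys
Deleted ! - "C:\Documents and Settings\Zancanella\Dati applicazioni\m\flec006.exe"
Deleted ! - C:\Documents and Settings\Zancanella\Dati applicazioni\m\shared\PhotoFiltre_9.0.0_(Patch).zip
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa
Deleted ! - HKEY_USERS\S-1-5-21-1085031214-507921405-839522115-1004\Software\Local AppWizard-Generated Applications\mdelk
"""

# Constructed excerpt of an EliBagle action list (the "Por favor" lines are not actions).
ELIBAGLE_SAMPLE = r"""
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\WINUPGRO.EXE --> Eliminado Bagle
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\SROSA2.SYS --> Eliminado Bagle(rootkit)
Por favor, envienos una muestra del fichero
C:\Muestras\1419060.EXE.Muestra EliBagle v12.98
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ZANCANELLA\DATI APPLICAZIONI\DRIVERS\DOWNLD\1419060.EXE --> Eliminado Bagle
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\MDELK.EXE.VIR --> Eliminado Bagle.dldr
"""

FINDYKILL_DELETED = re.compile(r'^Deleted ! - "?(?P<item>.+?)"?$')
ELIBAGLE_ACTION = re.compile(r'^(?P<path>.+?) --> Eliminado (?P<verdict>\S+)$')

# Category labels (this example's own wording, not the tools').
CAT_REGISTRY = "registry persistence (service / run entries)"
CAT_DRIVER = "kernel driver (rootkit component)"
CAT_SHARE = "fake crack archive seeded to the P2P share"
CAT_WORKDIR = "malware working directory"
CAT_DOWNLOAD = "downloaded secondary payload"
CAT_INSTALL = "dropper install directory"
CAT_RESIDUAL = "tool quarantine / sample copy (not a live infection)"
CAT_PREFETCH = "prefetch trace (execution evidence only)"
CAT_EXE = "other executable"
CAT_OTHER = "other"

# Italian XP names the profile folder "Dati applicazioni"; English XP uses "Application Data".
APPDATA_NAMES = ("\\dati applicazioni\\", "\\application data\\")


def _in_appdata(p, subdir):
    """True if lower-cased path p contains <AppData>\\<subdir>."""
    return any(a + subdir in p for a in APPDATA_NAMES)


def classify(item):
    """Bucket one removed item by where it lived (rules are this example's own)."""
    p = item.lower()
    if p.startswith("hkey_"):
        return CAT_REGISTRY
    if "\\qoobox\\quarantine\\" in p or "\\muestras\\" in p:
        return CAT_RESIDUAL          # copies made by ComboFix / EliBagle themselves
    if p.endswith(".sys"):
        return CAT_DRIVER
    if _in_appdata(p, "m\\shared\\"):
        return CAT_SHARE
    if _in_appdata(p, "m\\"):
        return CAT_WORKDIR
    if _in_appdata(p, "drivers\\downld\\"):
        return CAT_DOWNLOAD
    if _in_appdata(p, "drivers\\"):
        return CAT_INSTALL
    if "\\prefetch\\" in p:
        return CAT_PREFETCH
    if p.endswith(".exe"):
        return CAT_EXE
    return CAT_OTHER


def parse_findykill(text):
    """Return [(kind, item)] for every 'Deleted !' line; kind is 'registry' or 'file'."""
    out = []
    for line in text.splitlines():
        m = FINDYKILL_DELETED.match(line.strip())
        if m:
            item = m.group("item")
            out.append(("registry" if item.upper().startswith("HKEY_") else "file", item))
    return out


def parse_elibagle(text):
    """Return [(path, verdict)] for every '--> Eliminado' action line."""
    out = []
    for line in text.splitlines():
        m = ELIBAGLE_ACTION.match(line.strip())
        if m:
            out.append((m.group("path"), m.group("verdict")))
    return out


def triage(findykill_text, elibagle_text):
    """Merge both logs into {category: sorted unique items}."""
    buckets = defaultdict(set)
    for _kind, item in parse_findykill(findykill_text):
        buckets[classify(item)].add(item)
    for path, _verdict in parse_elibagle(elibagle_text):
        buckets[classify(path)].add(path)
    return {k: sorted(v) for k, v in buckets.items()}


def still_live(buckets):
    """Categories that show the infection was active, not merely leftovers."""
    live = {CAT_REGISTRY, CAT_DRIVER, CAT_INSTALL, CAT_WORKDIR, CAT_DOWNLOAD}
    return {k: v for k, v in buckets.items() if k in live}


def leftover_samples(buckets):
    """Quarantine/sample copies: harmless on disk, but a later scanner will flag them again."""
    return buckets.get(CAT_RESIDUAL, [])


if __name__ == "__main__":
    for cat, items in sorted(triage(FINDYKILL_SAMPLE, ELIBAGLE_SAMPLE).items()):
        print(f"{cat}: {len(items)}")
        for it in items:
            print("   ", it)
```

If anything in the `still_live` buckets reappears after a reboot, the cleanup did not hold; the `leftover_samples` entries only need deleting so they stop tripping the next scanner.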

Re: New Bagle?

Post by shel » 11/10/09 14:47

you had a ton of infections

Download and install CCleaner: click here for the download
http://www.filehippo.com/download_ccleaner/
Once installed, configure it this way:
launch the program, in the left-hand menu go to Options and in the next window click on:
Settings, and check Secure deletion (slow)
then click on:
Advanced, uncheck Only delete files older than 48 hours
under Cleaner, in the Advanced section check Old Prefetch data and WinUpdate update uninstallers
in the left-hand menu, click on Cleaner
click the Run Cleaner button to run the scan
when the scan is finished, again in the left-hand menu, click on Registry and check every item in the section except unused file extensions
click the Find problems button and start a scan
when the scan finishes click Fix selected and proceed with the repair (repeat this last step several times, until no more problems to fix are found)

Go into safe mode and run
http://normanasa.vo.llnwd.net/o29/publi ... leaner.exe
When the scan is finished, remove the infected files it found and post the log that is generated on the desktop.
shel
Senior Member

Posts: 1326
Joined: 29/08/08 21:56

Re: New Bagle?

Post by zagii » 11/10/09 18:18

Here I am,
I did the cleanup with CCleaner, then downloaded normanasa, then turned off the PC, also disconnecting from the internet, then restarted the PC in safe mode, launched the executable, ran the scan (1h 33min), and at the end it deleted the infected files (about 90). After restarting the PC in normal mode I saw the generated file, which I'm posting:


Norman Malware Cleaner
Version 1.5.0.5
Copyright © 1990 - 2009, Norman ASA. Built 2009/10/11 09:44:37

Norman Scanner Engine Version: 6.01.09
Nvcbin.def Version: 6.01.00, Date: 2009/10/11 09:44:37, Variants: 4027015

Scan started: 11/10/2009 17:21:12

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Home 5.1.2600(Safe mode) Service Pack 2
Logged on user: FALCO\Zancanella

Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000
Removed registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -> NoDrives = 0x00000000


Scanning running processes and process memory...

Number of processes/threads found: 984
Number of processes/threads scanned: 984
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 40s


Scanning file system...

Scanning: C:\*.*

C:\Documents and Settings\All Users\Dati applicazioni\{567066F5-4167-42EB-91E3-FC7889D390C7}\offline\CA95430D\AA2AC949\SearchTheWeb.exe (Infected with W32/DLoader.XZMP)
Deleted file

C:\Documents and Settings\Zancanella\Dati applicazioni\Techno Design IP\LiveSearch Notification.exe (Infected with W32/Malware.IUJR)
Deleted file

C:\Muestras\1419060.EXE.Muestra EliBagle v12.98 (Infected with W32/Bagle.GIG)
Deleted file

C:\Muestras\1455362.EXE.Muestra EliBagle v12.98 (Infected with W32/Bagle.GIG)
Deleted file

C:\Muestras\146029.EXE.Muestra EliBagle v12.98 (Infected with W32/Bagle.GIG)
Deleted file

C:\Muestras\186027.EXE.Muestra EliBagle v12.98 (Infected with W32/Bagle.GIG)
Deleted file

C:\Muestras\188881.EXE.Muestra EliBagle v12.98 (Infected with W32/Bagle.GIG)
Deleted file

C:\Muestras\211884.EXE.Muestra EliBagle v12.98 (Infected with W32/Bagle.GIG)
Deleted file

C:\Muestras\230301.EXE.Muestra EliBagle v12.98 (Infected with W32/Bagle.GIG)
Deleted file

C:\Muestras\246644.EXE.Muestra EliBagle v12.98 (Infected with W32/Bagle.GIG)
Deleted file

C:\Muestras\273863.EXE.Muestra EliBagle v12.98 (Infected with W32/Bagle.GIG)
Deleted file

C:\Muestras\454173.EXE.Muestra EliBagle v12.98 (Infected with W32/Bagle.GIG)
Deleted file

C:\Muestras\492748.EXE.Muestra EliBagle v12.98 (Infected with W32/Bagle.GIG)
Deleted file

C:\Muestras\WINUPGRO.EXE.Muestra EliBagle v12.98 (Infected with W32/Packed_B)
Deleted file

C:\Programmi\eMule\Uninstall.exe (Infected with W32/Wintrim!gens.18703008)
Deleted file

C:\Programmi\Games-Attack\Uninstall.exe (Infected with W32/FakeAV.P!genr)
Deleted file

C:\Programmi\Iminent\IMBooster\SearchTheWeb.exe (Infected with W32/DLoader.XZMP)
Deleted file

C:\Programmi\IObit\IObit SmartDefrag\language\Lietuviu.lng (Error opening file: Not found)

C:\Programmi\Microsoft ActiveSync\wcescomm.exe (Infected with W32/Packed_B)
Removed registry value: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> C:\Programmi\Microsoft ActiveSync\wcescomm.exe = "C:\Programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
Removed registry value: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> C:\Programmi\Microsoft ActiveSync\wcescomm.exe = "C:\Programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
Removed registry value: HKLM\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> C:\Programmi\Microsoft ActiveSync\wcescomm.exe = "C:\Programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
Removed registry value: HKLM\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> C:\Programmi\Microsoft ActiveSync\wcescomm.exe = "C:\Programmi\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
Deleted file

C:\Programmi\Philips\Intelligent Agent\Languages\Language_PL.dll (Infected with W32/Banload.ASNJ)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0005983.exe (Infected with W32/Delf.BZCT)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0014978.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0014984.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0014985.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0014991.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0014992.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0014993.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0014994.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0014995.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0015002.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0015003.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0015006.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP34\A0015007.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0015039.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0015040.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0015041.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0015138.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0015139.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0015141.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0015142.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0015148.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0015149.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016148.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016149.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016151.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016152.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016170.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016171.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016185.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016186.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016187.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016188.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016191.exe (Infected with W32/Packed_B)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016192.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016193.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016194.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016196.exe (Infected with W32/Packed_B)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016197.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016199.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016200.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016202.exe (Infected with W32/Packed_B)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016203.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016204.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016205.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016207.exe (Infected with W32/Packed_B)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016208.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016210.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016211.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016212.exe (Infected with W32/Packed_B)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016213.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016215.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016217.exe (Infected with W32/Packed_B)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016218.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016219.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016220.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016222.exe (Infected with W32/Packed_B)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016223.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016225.exe (Infected with W32/Bagle.GIG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016401.exe (Infected with W32/Malware.EKXG)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016459.exe (Infected with W32/DLoader.POHA)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016469.exe (Infected with W32/DLoader.XZMP)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016470.exe (Infected with W32/Malware.IUJR)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016471.exe (Infected with W32/Wintrim!gens.18703008)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016472.exe (Infected with W32/FakeAV.P!genr)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016473.exe (Infected with W32/DLoader.XZMP)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016474.exe (Infected with W32/Packed_B)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016475.dll (Infected with W32/Banload.ASNJ)
Deleted file

C:\WINDOWS\system32\kungsfetalnkgp.dll (Infected with W32/DNSChanger.ETDR)
Deleted file

C:\WINDOWS\system32\kungsfginrtaqe.dll (Infected with W32/Vundo.HAN)
Deleted file

Scanning: C:\System Volume Information\*.*

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016476.dll (Infected with W32/DNSChanger.ETDR)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016477.dll (Infected with W32/Vundo.HAN)
Deleted file


Running post-scan cleanup routine:

Number of files found: 70272
Number of archives unpacked: 0
Number of files scanned: 70253
Number of files not scanned: 19
Number of files skipped due to exclude list: 0
Number of infected files found: 90
Number of infected files repaired/deleted: 90
Number of infections removed: 90
Total scanning time: 1h 33m 36s

I wanted to describe the sequence so you can tell whether I made some mistake along the way.
I don't know how to thank you for your helpfulness, truly commendable!!
Let me know if I need to do anything else

Thanks again!
zagii
Junior User
Posts: 96
Joined: 06/10/05 21:32
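Reading a 90-line cleaner log by eye is error-prone, and the useful triage question is the one the next reply asks: which detections were inert copies inside System Restore snapshots, and which sat on live paths such as system32? The following script is an added example, not part of the thread and not Norman's own tooling; it parses the "(Infected with ...)" lines of a Norman Malware Cleaner log, tallies detections by family, and separates restore-point hits from live ones. The sample log embedded in it is constructed from a handful of the lines posted above.

```python
"""Triage helper for Norman Malware Cleaner logs (added example, not from the thread).

Parses detection lines of the form
    <path> (Infected with <detection name>)
and reports: detections per malware family, hits located inside System
Restore snapshots (inert copies), and hits on live paths, with the
live hits under the Windows directory called out separately.
"""
import re
from collections import Counter

# Constructed sample, modelled on a few lines of the log posted above.
SAMPLE_LOG = r"""
C:\Muestras\1419060.EXE.Muestra EliBagle v12.98 (Infected with W32/Bagle.GIG)
Deleted file

C:\Programmi\IObit\IObit SmartDefrag\language\Lietuviu.lng (Error opening file: Not found)

C:\Programmi\eMule\Uninstall.exe (Infected with W32/Wintrim!gens.18703008)
Deleted file

C:\System Volume Information\_restore{F7EDB22F-7751-4F8B-815C-F10CCDDE9425}\RP35\A0016193.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\WINDOWS\system32\kungsfetalnkgp.dll (Infected with W32/DNSChanger.ETDR)
Deleted file

C:\WINDOWS\system32\kungsfginrtaqe.dll (Infected with W32/Vundo.HAN)
Deleted file
"""

# A detection line: path, one space, "(Infected with <name>)". Lines such as
# "(Error opening file: Not found)" deliberately do not match.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \(Infected with (?P<name>[^)]+)\)$")
# System Restore snapshot folder; files in here are copies, not running code.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
# Live hits under the Windows directory deserve a second look (e.g. DLLs in system32).
WINDIR_RE = re.compile(r"^[A-Z]:\\WINDOWS\\", re.IGNORECASE)


def parse_detections(text):
    """Return a list of (path, detection_name) for every detection line in the log."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def family(name):
    """Reduce a Norman detection name to its family.

    'W32/Bagle.GIG' -> 'Bagle'; 'W32/Rootkit.gen7' -> 'Rootkit';
    'W32/Wintrim!gens.18703008' -> 'Wintrim'; 'W32/Packed_B' -> 'Packed_B'.
    """
    base = name.split("/", 1)[-1]           # drop the 'W32/' platform prefix
    return base.split(".", 1)[0].split("!", 1)[0]


def summarize(text):
    """Build the triage summary a responder wants from a cleaner log."""
    hits = parse_detections(text)
    live = [(p, n) for p, n in hits if not RESTORE_RE.search(p)]
    return {
        "total": len(hits),
        "by_family": dict(Counter(family(n) for _, n in hits)),
        "restore_points": len(hits) - len(live),
        "live": live,
        "live_in_windir": [(p, n) for p, n in live if WINDIR_RE.match(p)],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} detections, {s['restore_points']} inside System Restore snapshots")
    for fam, count in sorted(s["by_family"].items()):
        print(f"  {fam:<12} {count}")
    print("live hits under the Windows directory:")
    for path, name in s["live_in_windir"]:
        print(f"  {path}  [{name}]")
```

Restore-point hits are counted rather than listed because they only matter as evidence of what ran earlier; the list worth reading is `live_in_windir`, which on the real log above would surface the two kungsf*.dll files in system32 that prompted the follow-up ComboFix run.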

Re: New Bagle?

Post by Luke57 » 11/10/09 18:33

Hi, I saw that normancleaner also deleted files infected with Vundo; download combofix to the desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Disconnect from the internet
Disable the antivirus.
Run the ComboFix.exe file

Follow the instructions (do nothing during the scan; if the desktop icons disappear, that is normal; answer no to the offer to install the Recovery Console) and at the end a log will be generated.
When it's done, post the log you find in C:\Combofix.txt
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Re: New Bagle?

Post by zagii » 11/10/09 19:55

Here is the requested file

ComboFix 09-10-10.02 - Zancanella 2009-10-11 20:32.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.446.120 [GMT 2:00]
Eseguito da: c:\documents and settings\Zancanella\Desktop\ComboFix.exe
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ZANCAN~1\IMPOST~1\Temp\catchme.dll
c:\documents and settings\Zancanella\Dati applicazioni\drivers\downld
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\agykekq.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\agykekq.exe
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\agykekq_nav.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\agykekq_navps.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\bmfsmft.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\bmfsmft.exe
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\bmfsmft_nav.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\bmfsmft_navps.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\ehijb.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\ehijb_nav.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\ehijb_navps.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\ggkigce.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\ggkigce_nav.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\ggkigce_navps.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\kcosyow.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\kcosyow.exe
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\kcosyow_nav.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\kcosyow_navps.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\ugywk.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\ugywk.exe
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\ugywk_nav.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\ugywk_navps.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\wcesg.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\wcesg_nav.dat
c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\wcesg_navps.dat
c:\documents and settings\Zancanella\Impostazioni locali\temp\catchme.dll
C:\InfoSat.txt
C:\Muestras
c:\muestras\1421934.EXE.Muestra EliBagle v12.98
c:\muestras\1450505.EXE.Muestra EliBagle v12.98
c:\muestras\149374.EXE.Muestra EliBagle v12.98
c:\muestras\198795.EXE.Muestra EliBagle v12.98
c:\muestras\217763.EXE.Muestra EliBagle v12.98
c:\muestras\252322.EXE.Muestra EliBagle v12.98
c:\muestras\258521.EXE.Muestra EliBagle v12.98
c:\muestras\457778.EXE.Muestra EliBagle v12.98
c:\muestras\479249.EXE.Muestra EliBagle v12.98
c:\programmi\QUAD Utilities
c:\programmi\Search Settings
c:\programmi\Search Settings\kb127\SearchSettingsRes409.dll
c:\programmi\Search Settings\SearchSettings.exe
c:\windows\Installer\199c057.msi
c:\windows\Installer\1a0557.msi
c:\windows\Installer\2542b.msi
c:\windows\Installer\297a2a8.msi
c:\windows\Installer\35646.msi
c:\windows\Installer\3c4593.msi
c:\windows\Installer\41034.msp
c:\windows\Installer\6446a.msi
c:\windows\Installer\f85a05.msi
c:\windows\system32\AGihQqss.ini
c:\windows\system32\AGihQqss.ini2
c:\windows\system32\drivers\kungsflltpdwqe.sys
c:\windows\system32\kungsffxhoobvp.dat
c:\windows\system32\kungsflog.dat
c:\windows\system32\teakfitq.ini

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kungsfqxovmphx
-------\Service_kungsfqxovmphx


((((((((((((((((((((((((( Files Creati Da 2009-09-11 al 2009-10-11 )))))))))))))))))))))))))))))))))))
.

2009-10-11 10:26 . 2009-10-11 10:38 -------- d-----w- c:\programmi\FindyKill
2009-10-10 23:20 . 2009-10-10 23:20 1001707 ----a-w- C:\R6252_XA14.zip
2009-10-10 21:23 . 2009-10-11 18:42 -------- d-----w- c:\documents and settings\Zancanella\Dati applicazioni\drivers
2009-10-07 16:36 . 2009-10-07 16:46 -------- d-----w- C:\CURRICULUM VITAE
2009-10-06 21:02 . 2009-10-09 15:20 -------- d-----w- C:\ALIM+12-12
2009-10-05 17:38 . 2009-10-05 17:38 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-05 17:38 . 2009-10-09 10:32 -------- d-----w- c:\documents and settings\Zancanella\Dati applicazioni\skypePM
2009-10-05 17:35 . 2009-10-09 11:00 -------- d-----w- c:\documents and settings\Zancanella\Dati applicazioni\Skype
2009-10-05 17:33 . 2009-10-05 17:33 -------- d-----w- c:\programmi\File comuni\Skype
2009-10-05 17:33 . 2009-10-05 17:34 -------- d-----r- c:\programmi\Skype
2009-10-05 17:33 . 2009-10-05 17:33 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Skype
2009-10-04 13:24 . 2009-10-09 00:13 -------- d-----w- C:\AFFITTO
2009-10-01 15:56 . 2009-10-01 17:26 -------- d-----w- C:\immagini
2009-10-01 15:48 . 2009-10-01 15:48 -------- d--h--w- c:\documents and settings\All Users\Dati applicazioni\{043AF2C6-8F13-4D97-B13C-0ECF538281D9}
2009-10-01 15:46 . 2009-10-01 15:46 -------- d--h--w- c:\documents and settings\All Users\Dati applicazioni\{567066F5-4167-42EB-91E3-FC7889D390C7}
2009-09-30 17:38 . 2004-08-04 05:07 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-09-30 17:38 . 2004-08-04 05:07 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-09-28 18:29 . 2009-09-28 18:29 -------- d-----w- c:\programmi\iPod
2009-09-28 18:28 . 2009-09-28 18:30 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-28 18:11 . 2009-09-28 18:12 -------- d-----w- c:\programmi\Safari
2009-09-28 11:49 . 2009-09-28 11:49 -------- d-----w- c:\programmi\Edibas
2009-09-25 20:37 . 2009-04-24 02:55 176235 ----a-w- c:\windows\system32\Primomonnt.dll
2009-09-25 20:37 . 2009-09-25 21:03 -------- d-----w- c:\programmi\Nitro PDF
2009-09-24 16:32 . 2009-09-25 20:52 -------- d-----w- c:\programmi\Parsic
2009-09-24 16:32 . 2009-09-25 20:52 -------- d-----w- c:\windows\uninstall
2009-09-24 16:13 . 2009-09-26 10:34 -------- d-----w- C:\VISUAL PARSIC
2009-09-24 14:01 . 2009-09-24 14:02 -------- d-----w- C:\INSTALLA
2009-09-22 09:22 . 2009-09-27 09:26 -------- d-----w- C:\MODELLO F24

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 18:45 . 2008-11-11 22:25 -------- d---a-w- c:\documents and settings\All Users\Dati applicazioni\TEMP
2009-10-11 17:09 . 2003-04-08 19:00 84702 ----a-w- c:\windows\system32\perfc010.dat
2009-10-11 17:09 . 2003-04-08 19:00 489980 ----a-w- c:\windows\system32\perfh010.dat
2009-10-11 15:58 . 2008-12-17 23:37 -------- d-----w- c:\programmi\Microsoft ActiveSync
2009-10-11 15:45 . 2009-08-17 14:49 -------- d-----w- c:\programmi\Games-Attack
2009-10-11 15:42 . 2008-11-10 08:56 -------- d-----w- c:\programmi\eMule
2009-10-11 15:30 . 2009-03-24 21:38 -------- d-----w- c:\documents and settings\Zancanella\Dati applicazioni\Techno Design IP
2009-10-11 14:57 . 2008-11-10 17:13 -------- d-----w- c:\programmi\CCleaner
2009-10-11 08:07 . 2008-11-12 21:57 -------- d-----w- c:\programmi\SUPERAntiSpyware
2009-10-10 23:28 . 2008-11-11 12:44 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
2009-10-05 22:04 . 2008-11-07 23:21 -------- d-----w- c:\programmi\DipTrace
2009-10-01 16:41 . 2009-01-24 19:58 339968 ----a-w- c:\windows\system32\pythoncom25.dll
2009-10-01 16:41 . 2009-01-24 19:58 114688 ----a-w- c:\windows\system32\pywintypes25.dll
2009-10-01 16:41 . 2009-01-24 19:58 2117632 ----a-w- c:\windows\system32\python25.dll
2009-10-01 15:48 . 2009-04-17 19:42 -------- d-----w- c:\programmi\Iminent
2009-10-01 15:47 . 2009-04-17 19:42 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Iminent
2009-09-28 18:37 . 2009-04-16 21:13 -------- d-----w- c:\documents and settings\Zancanella\Dati applicazioni\Apple Computer
2009-09-28 18:30 . 2009-06-22 10:32 -------- d-----w- c:\programmi\iTunes
2009-09-28 18:29 . 2009-06-22 10:31 -------- d-----w- c:\programmi\File comuni\Apple
2009-09-28 18:23 . 2008-11-21 21:13 -------- d-----w- c:\programmi\QuickTime
2009-09-25 20:54 . 2009-09-01 20:52 -------- d-----w- c:\programmi\PCB123 V2
2009-09-25 20:48 . 2008-11-07 08:02 -------- d--h--w- c:\programmi\InstallShield Installation Information
2009-09-10 12:54 . 2008-11-11 12:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 12:53 . 2008-11-11 12:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 11:54 . 2008-11-08 17:37 21072 ----a-w- c:\documents and settings\Zancanella\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-09-09 17:46 . 2009-02-08 14:26 -------- d-----w- c:\programmi\Microsoft Silverlight
2009-09-08 19:47 . 2008-11-17 00:15 -------- d-----w- c:\programmi\OpenOffice.org 3
2009-09-08 17:11 . 2009-09-08 17:10 -------- d-----w- c:\programmi\PDFCreator
2009-08-30 18:36 . 2009-07-16 13:11 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Idle Skip Clock Knob
2009-08-28 11:09 . 2009-01-25 19:33 -------- d-----w- c:\programmi\Metin2_Italiano
2009-08-20 16:01 . 2008-11-12 21:57 -------- d-----w- c:\documents and settings\Zancanella\Dati applicazioni\SUPERAntiSpyware.com
2009-08-17 14:49 . 2009-08-17 14:49 -------- d-----w- c:\documents and settings\Zancanella\Dati applicazioni\Games-Attack
2009-08-17 14:48 . 2009-08-17 14:48 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Games-Attack
2009-08-05 09:05 . 2003-04-08 19:00 205312 ------w- c:\windows\system32\mswebdvd.dll
2009-07-31 16:36 . 2008-12-25 20:18 230432 ----a-w- C:\SPC230NC.DAT
2009-07-25 22:53 . 2008-11-23 00:53 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-17 18:56 . 2003-04-08 19:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 21:43 . 2004-08-19 22:39 286208 ------w- c:\windows\system32\wmpdxm.dll
2003-06-19 10:05 . 2003-06-19 10:05 431888 --s-a-w- c:\programmi\File comuni\riched20.dll
2005-10-12 14:04 . 2005-10-12 14:04 131072 ----a-w- c:\programmi\internet explorer\plugins\LV80ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\programmi\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2009-05-20 177464]
"{84FF7BD6-B47F-46F8-9130-01B2696B36CB}"= "c:\programmi\Iminent\SearchTheWeb\Iminent.BHO.NavigationError.dll" [2009-06-05 104448]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_CLASSES_ROOT\clsid\{84ff7bd6-b47f-46f8-9130-01b2696b36cb}]
[HKEY_CLASSES_ROOT\IminentBHONavigationError.CHelperBHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{59E6E159-57CC-4DA5-8700-2AD17DC31DD1}]
[HKEY_CLASSES_ROOT\IminentBHONavigationError.CHelperBHO]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84FF7BD6-B47F-46F8-9130-01B2696B36CB}]
2009-06-05 14:33 104448 ----a-w- c:\programmi\Iminent\SearchTheWeb\Iminent.BHO.NavigationError.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E9BAAF-53CD-4575-967B-2AF710A7D21F}]
2009-08-13 13:39 99840 ----a-w- c:\programmi\Iminent\IMBooster\Iminent.LinkToContent.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2009-05-20 12:36 1258808 ----a-w- c:\programmi\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\programmi\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-05-20 1258808]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\programmi\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2009-05-20 1258808]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-19 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Microsoft Find Fast.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^NETGEAR WG111T Smart Wizard.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\NETGEAR WG111T Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111T Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^TrayMin230.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\TrayMin230.lnk
backup=c:\windows\pss\TrayMin230.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\programmi\Microsoft ActiveSync\rapimgr.exe"= c:\programmi\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\programmi\Microsoft ActiveSync\WCESMgr.exe"= c:\programmi\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Programmi\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Programmi\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Programmi\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-06-08 130936]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2008-11-12 159600]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2008-11-23 93544]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-02-08 55152]
R2 fsssvc;Windows Live Family Safety;c:\programmi\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2008-12-29 44928]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [2008-11-07 291328]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2008-11-07 244608]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2003-07-17 28280]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2008-12-29 55936]
S1 SASKUTIL;SASKUTIL;\??\c:\programmi\SUPERAntiSpyware\SASKUTIL.sys --> c:\programmi\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 gbxsvc;gbxsvc;g:\gerber\GerbMagic\gbxsvc.exe --> g:\gerber\GerbMagic\gbxsvc.exe [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-11-07 17149]
S3 FWAuth;FWAuth Driver;\??\c:\windows\system32\drivers\FWAuthDriver.sys --> c:\windows\system32\drivers\FWAuthDriver.sys [?]
S3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [2008-12-25 8576]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2008-11-12 95384]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\programmi\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\programmi\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\programmi\Spyware Doctor\pctsAuxs.exe [2009-06-08 348752]
S3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\drivers\SPC230NC.SYS [2008-12-25 461056]
.
Contenuto della cartella 'Scheduled Tasks'

2009-10-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
.
------- Scansione supplementare -------
.
mStart Page = hxxp://home.sweetim.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Search
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/ ... ontrol.cab
FF - ProfilePath - c:\documents and settings\Zancanella\Dati applicazioni\Mozilla\Firefox\Profiles\nbl0qpxd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.libero.it/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&o ... &gfns=1&q=
FF - component: c:\documents and settings\Zancanella\Dati applicazioni\Mozilla\Firefox\Profiles\nbl0qpxd.default\extensions\{7378B8C2-FC38-41b8-A8C9-875D1F5B0A24}\components\NativeComponent.dll
FF - component: c:\documents and settings\Zancanella\Dati applicazioni\Mozilla\Firefox\Profiles\nbl0qpxd.default\extensions\{b2e293ee-fd7e-4c71-a714-5f4750d8d7b7}\components\FFAlert.dll
FF - component: c:\documents and settings\Zancanella\Dati applicazioni\Mozilla\Firefox\Profiles\nbl0qpxd.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\programmi\Mozilla Firefox\extensions\linkcontent@iminent\components\Iminent.LinkToContentFF.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\programmi\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\programmi\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

AddRemove-bmfsmft - c:\documents and settings\zancanella\impostazioni locali\dati applicazioni\bmfsmft.exe
AddRemove-eMule - c:\programmi\eMule\Uninstall.exe
AddRemove-Games-Attack - c:\programmi\Games-Attack\Uninstall.exe
AddRemove-GerbMagic_is1 - g:\gerber\GerbMagic\unins000.exe
AddRemove-LTspice IV - g:\lt_switcher\scad3.exe
AddRemove-McCAD GView - g:\gerber\INSTAL~1\UNWISE.EXE
AddRemove-Techno Design IP Notify - c:\programmi\Techno Design IP\LiveSearch Notification.exe



**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti:

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-1085031214-507921405-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{58F3E2B2-69B5-960C-5642-0F4B696A36B8}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iajgbodobkgofnkbfo"=hex:6a,61,69,68,66,6b,68,65,6c,62,6f,6e,64,69,6e,6d,70,62,
65,6b,00,05
"halfhmihgjenkakc"=hex:6b,61,69,68,65,6b,67,69,6d,6d,62,62,61,61,68,67,6f,6a,
6e,64,6a,64,00,00
"handnbmobfmjeobf"=hex:61,61,00,00
"handnbmoddggfalf"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-1085031214-507921405-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FD525FAE-E2B4-196E-C6D7-4032C5E298AF}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hakibclcchjffpka"=hex:61,61,00,00
"hakibclcihdgnmmh"=hex:61,61,00,00
"iagkaihejienclcmbk"=hex:6a,61,65,6e,66,63,68,63,6d,6a,63,64,67,65,65,65,65,64,
70,6a,00,53
"haajoonlbbpgikmp"=hex:6a,61,66,6e,67,62,64,68,67,61,6e,6f,6a,6e,61,6a,6e,68,
69,6b,00,07

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{58F3E2B2-69B5-960C-5642-0F4B696A36B8}\InProcServer32*]
"jahgkplegnilfeedbkoj"=hex:6a,61,69,68,66,6b,68,65,6c,62,6f,6e,64,69,6e,6d,70,
62,65,6b,00,05
"iahgeanjfpchaigdnf"=hex:6a,61,69,68,6d,6b,6d,63,69,68,6e,70,6a,6c,68,6e,63,70,
6e,64,00,15
"iahggbdkmidhgmpmmj"=hex:61,61,00,00
"iahggbdkmibcaconcg"=hex:61,61,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FD525FAE-E2B4-196E-C6D7-4032C5E298AF}\InProcServer32*]
"iamjjmnhbhccmmeage"=hex:61,61,00,00
"iamjjmnhbhmckmmped"=hex:61,61,00,00
"jamjfjpkfmbhgiejkimc"=hex:6a,61,65,6e,66,63,68,63,6d,6a,63,64,67,65,65,65,65,
64,70,6a,00,53
"iamjhjbjfddmdamfmd"=hex:6b,61,6b,6d,6d,61,6c,68,70,61,64,70,6b,70,6c,6e,67,64,
62,6d,6e,6d,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(3996)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programmi\Bonjour\mDNSResponder.exe
c:\windows\system32\Crypserv.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\File comuni\LightScribe\LSSrvc.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\programmi\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\programmi\PC Tools Firewall Plus\FWService.exe
c:\programmi\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Ora fine scansione: 2009-10-11 20:49 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-10-11 18:49
ComboFix2.txt 2008-11-11 11:52

Pre-Run: 12,881,637,376 byte disponibili
Post-Run: 12,708,564,992 byte disponibili

344 --- E O F --- 2009-09-09 15:13

Thanks...
Kind regards
zagii

Re: New Bagle?

Post by shel » 11/10/09 20:11

hi


you had more infections than applications, never seen anything like it


re-enable the Services the virus disabled.
do it this way:
Start\Run\SERVICES.MSC
Look for these Services:
Security Center.
Automatic Updates.
Network Connections.
Wireless Zero Configuration.
Windows Firewall/Internet Connection Sharing (ICS).
If you find any of them disabled, you must re-enable it like this:
Right-click the Service, Properties\Startup type: Automatic\OK\Start\OK.
YOU MUST RESTART THE PC for the changes to take effect.
Once you have re-enabled the services you found disabled >>>>> reinstall your antivirus


uninstall ComboFix this way:
Start\Run

in the dialog box copy and paste this command: combofix /u


2) go to Local Disk C: and delete the QooBox folder

3) delete the folder, if any, that you had created on the Desktop to hold Combofix.
shel

Re: New Bagle?

Post by zagii » 11/10/09 20:21

The file I downloaded from eMule was completely unsuspicious; I won't say its name because I don't know whether that's allowed, but if you tell me there's no problem I can say it without worry.
I believe that without these forums the internet could not exist!!!
If you are in Turin, I'll gladly buy you lunch...
Thanks and
Kind regards
zagii

Re: New Bagle?

Post by shel » 11/10/09 20:42

hi

better not to advertise anything or anyone ;)

thanks for the lunch, but I'm on a diet :)

please, be careful about what you download and......good luck
shel

Re: New Bagle?

Post by zagii » 11/10/09 20:43

Sorry to bother you again, but I can't find the QooBox folder to delete in C:\
Kind regards
zagii

Re: New Bagle?

Post by shel » 11/10/09 20:47

check carefully, the qoobox folder contains the infected files

if anything, try using Windows "search"
shel

Re: New Bagle?

Post by zagii » 11/10/09 21:41

Sorry, but even using Windows "search" I can't find it; could it be that it was deleted automatically?
Kind regards
zagii

Re: New Bagle?

Post by shel » 11/10/09 21:56

hi

it was probably removed during the scans, which recognised the infections it contained

if "search" didn't find it, don't worry
shel

Re: New Bagle?

Post by otoronco » 06/11/09 18:29

shel wrote:http://dc108.4shared.com/download/75022994/b07bff/FindyKill.exe?tsid=20090209-102651-de3379fb

Good evening everyone. This is my first message on this forum, and I fear I've caught the same virus from Emule. So I'd like to proceed with the removal, and I've started downloading the required tools on another PC that is certainly clean and has an up-to-date antivirus, so I can then transfer them on a USB stick to the PC to be disinfected.
I have just one concern: AVIRA reports that Findykill, downloaded from the link quoted, contains a certain type of tool. Since I don't want to infect the other PC too, before going on I'd like to know whether this is normal and whether I can temporarily disable the antivirus and go ahead.
Thanks
otoronco
Junior Member
 
Posts: 11
Joined: 06/11/09 17:45

Re: New Bagle?

Post by shel » 06/11/09 19:36

hi

obviously findykill is detected as a threat

disable the antivirus and run the scan, posting the report here on the forum
shel

Re: New Bagle?

Post by otoronco » 07/11/09 12:25

I'm posting the FindyKill report



----------------- FindyKill V4.707 ------------------

* User: Roberto - ATHLON-X2-4200
* Executed from : C:\Programmi\FindyKill
* Update on 06/12/08 by Chiquitine29
* Start at 12:19:50 the 07/11/2009
* Windows XP - Internet Explorer 6.0.2900.2180

((((((((((((((((( *** Searching *** ))))))))))))))))))


--------------- [ Active Processes ] ----------------


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Programmi\Diskeeper\DkService.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programmi\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

--------------- [ Infected files / folders ] ----------------


»»»» Presence Files in C:


»»»» Presence Files in C:\WINDOWS


»»»» Presence Files in C:\WINDOWS\Prefetch


»»»» Presence Files in C:\WINDOWS\system32

Found ! [04/11/2009 21.43] - C:\WINDOWS\system32\ban_list.txt

»»»» Presence Files in C:\WINDOWS\system32\drivers


»»»» Presence Files in C:\Documents and Settings\Roberto\Dati applicazioni

Found ! [04/11/2009 22.46] - "C:\Documents and Settings\Roberto\Dati applicazioni\hidires"

»»»» Presence Files in C:\DOCUME~1\Roberto\IMPOST~1\Temp


»»»» Presence Files in C:\Documents and Settings\Roberto\Local Settings\Temporary Internet Files\Content.IE5


--------------- [ Registry / Startup ] ----------------

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
SpybotSD TeaTimer=C:\Programmi\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
PMCRemote=
swg=C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
flec003.exe=C:\Documents and Settings\Roberto\Dati applicazioni\hidires\flec003.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
DiskeeperSystray="C:\Programmi\Diskeeper\DkIcon.exe"
amd_dc_opt=C:\Programmi\AMD\Dual-Core Optimizer\amd_dc_opt.exe
Acrobat Assistant 8.0="C:\Programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
<NO NAME>=
LWBMOUSE=C:\Programmi\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe
BluetoothAuthenticationAgent=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HP Software Update=C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
TkBellExe="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
Adobe ARM="C:\Programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe"
SunJavaUpdateSched="C:\Programmi\Java\jre6\bin\jusched.exe"
nwiz=C:\Programmi\NVIDIA Corporation\nView\nwiz.exe /install
NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
avgnt="C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL=
Installed=1
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI=
Installed=1
NoChange=1
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS=
Installed=1

[HKEY_CURRENT_USER\software\local appwizard-generated applications\DestComp]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\GoogleToolbarNotifier]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\hprbui]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\install_crack]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\key_gen]
[HKEY_CURRENT_USER\software\local appwizard-generated applications\winupgro]

--------------- [ Registry / Infected keys ] ----------------


Found ! - HKEY_USERS\S-1-5-21-2000478354-1343024091-725345543-1003\Software\Local AppWizard-Generated Applications\install_crack
Found ! - HKEY_USERS\S-1-5-21-2000478354-1343024091-725345543-1003\Software\bisoft
Found ! - HKEY_USERS\S-1-5-21-2000478354-1343024091-725345543-1003\Software\DateTime4
Found ! - HKEY_USERS\S-1-5-21-2000478354-1343024091-725345543-1003\Software\MuleAppData
Found ! - HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\install_crack
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\srosa
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA
Found ! - HKEY_CURRENT_USER\Software\bisoft
Found ! - HKEY_CURRENT_USER\Software\DateTime4
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SK9OU0S
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SK9OU0S
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SK9OU0S
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sK9Ou0s
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sK9Ou0s
Found ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sK9Ou0s

--------------- [ States / Services ] ----------------

Missing key : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

- boot mode not available !!

Missing key : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

- boot mode not available !!

Missing key : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

- boot mode not available !!



+- Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - Type of startup = 3

EapHost - Type of startup = 3

/!\ Ip6Fw - Type of startup = 4

/!\ SharedAccess - Type of startup = 4

/!\ wuauserv - Type of startup = 4

/!\ wscsvc - Type of startup = 4



--------------- [ Searching in removable drives ] ----------------


+- Informations :

C: - Unità fissa
E: - Unità rimovibile
+- Presence of files :



--------------- [ Registry / Mountpoint2 ] ----------------


-> Not found !


------------------- ! End of report ! --------------------
otoronco
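As an added example (not code from this thread, from FindyKill or from its authors), a Python check that reads the "[ States / Services ]" section of a FindyKill report like the one posted above, lists the security services left Disabled and the SafeBoot keys reported missing, and builds the `sc config` equivalents of the services.msc steps shel gave earlier in the thread. The service-name to display-name mapping and the sample excerpt are this example's own assumptions.

```python
import re

# XP services that shel's reply says the worm switches off, plus Ip6Fw, which
# the FindyKill report shows as Disabled. Display names are this example's own.
CRITICAL_SERVICES = {
    "wscsvc": "Security Center",
    "wuauserv": "Automatic Updates",
    "SharedAccess": "Windows Firewall / Internet Connection Sharing (ICS)",
    "Netman": "Network Connections",
    "WZCSVC": "Wireless Zero Configuration",
    "Ip6Fw": "IPv6 Windows Firewall",
}
# Services the thread says to set back to Automatic; Ip6Fw is only flagged,
# since its intended start type is not stated anywhere in the thread.
RESTORE_AUTOMATIC = ("wscsvc", "wuauserv", "SharedAccess", "Netman", "WZCSVC")

# One service per line: "/!\ name - Type of startup = N" (Auto=2/Request=3/Disable=4)
SERVICE_RE = re.compile(r"^(?:/!\\ )?(\S+) - Type of startup = (\d)$")
SAFEBOOT_RE = re.compile(r"^Missing key : (HKLM\S*\\SafeBoot\S*)$")
SECTION = "--------------- [ States / Services ]"


def audit_findykill_report(text):
    """Parse the '[ States / Services ]' section: every listed service's start
    type, the critical ones left Disabled (4), and the missing SafeBoot keys."""
    startup, missing, in_section = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(SECTION):
            in_section = True
            continue
        if in_section and line.startswith("--------------- ["):
            break  # next section reached
        if not in_section:
            continue
        m = SERVICE_RE.match(line)
        if m:
            startup[m.group(1)] = int(m.group(2))
            continue
        m = SAFEBOOT_RE.match(line)
        if m:
            missing.append(m.group(1))
    disabled = [s for s, t in startup.items() if s in CRITICAL_SERVICES and t == 4]
    return {"startup": startup, "disabled": disabled, "missing_safeboot": missing}


def sc_commands(findings):
    """'sc config' equivalents of the services.msc steps in the thread
    (Startup type: Automatic) for the disabled critical services."""
    return [f"sc config {s} start= auto"
            for s in findings["disabled"] if s in RESTORE_AUTOMATIC]


# Constructed excerpt mirroring the FindyKill report posted above.
SAMPLE_REPORT = """\
--------------- [ States / Services ] ----------------
Missing key : HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot
Missing key : HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal
+- Services : [ Auto=2 / Request=3 / Disable=4 ]
Ndisuio - Type of startup = 3
/!\\ Ip6Fw - Type of startup = 4
/!\\ SharedAccess - Type of startup = 4
/!\\ wuauserv - Type of startup = 4
/!\\ wscsvc - Type of startup = 4
--------------- [ Searching in removable drives ] ----------------
"""
```

Missing SafeBoot keys mean Safe Mode cannot be used for the cleanup until they are restored, which is why the report prints "boot mode not available".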

Re: New Bagle?

Post by shel » 07/11/09 12:36

run findykill again and use only option 2 for the cleanup


Download Combofix
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
(do not install the recovery console)
disconnect from the internet and disable the antivirus (if it works now)
Let the program work without interfering (do not install the recovery console)
Attach the report C:\ComboFix.txt to your reply.
shel

Re: New Bagle?

Post by otoronco » 07/11/09 12:37

I'm also posting the Elibagla report


(7-11-2009 11:29:47)
EliBagle v13.10 (c)2009 S.G.H. / Satinfo S.L. (Actualizado el 5 de Noviembre del 2009)
----------------------------------------------
Lista de Acciones (por Acción Directa):
Por favor, envienos una muestra del fichero
C:\Muestras\WINUPGRO.EXE.Muestra EliBagle v13.10
a "virus@satinfo.es". Gracias.
C:\DOCUMENTS AND SETTINGS\ROBERTO\DATI APPLICAZIONI\DRIVERS\WINUPGRO.EXE --> Eliminado Bagle
C:\WINDOWS\SYSTEM32\SROSA2.SYS --> Eliminado Bagle(rootkit)
C:\WINDOWS\SYSTEM32\WFSINTWQ.SYS --> Eliminado Bagle(rootkit)

(7-11-2009 11:30:13)
EliBagle v13.10 (c)2009 S.G.H. / Satinfo S.L. (Actualizado el 5 de Noviembre del 2009)
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando "C:\"

Nº Total de Directorios: 8035
Nº Total de Ficheros: 110040
Nº de Ficheros Analizados: 15819
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0
otoronco

Re: New Bagle?

Post by shel » 07/11/09 12:47

you probably caught it at an early stage

try running what was suggested in the previous post
shel
