New Bagle?

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

Re: New Bagle?

Post by otoronco » 07/11/09 12:58

The scan with Norman is in progress. As soon as it finishes, I'll post the log.
The CPU level is now practically at zero, but Spybot and Avira still won't work.
Thanks anyway.
otoronco
Junior Member
Posts: 11
Joined: 06/11/09 17:45

Re: New Bagle?

Post by otoronco » 07/11/09 14:12

Attaching the Norman log.

Norman Malware Cleaner
Version 1.5.0.5
Copyright © 1990 - 2009, Norman ASA. Built 2009/11/05 19:01:43

Norman Scanner Engine Version: 6.03.02
Nvcbin.def Version: 6.03.00, Date: 2009/11/05 19:01:43, Variants: 4338591

Scan started: 07/11/2009 12:49:47

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode) Service Pack 3
Logged on user: ATHLON-X2-4200\Roberto



Scanning running processes and process memory...

Number of processes/threads found: 899
Number of processes/threads scanned: 899
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 18s


Scanning file system...

Scanning: C:\*.*

C:\Programmi\Total Video Converter\regsvr32.exe (Infected with W32/Smallworm.FMX)
Deleted file

C:\System Volume Information\_restore{436F4E98-4AF4-481B-9380-677B285ADAEA}\RP142\A0039296.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{436F4E98-4AF4-481B-9380-677B285ADAEA}\RP142\A0039407.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{436F4E98-4AF4-481B-9380-677B285ADAEA}\RP143\A0039538.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{436F4E98-4AF4-481B-9380-677B285ADAEA}\RP144\A0039558.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{436F4E98-4AF4-481B-9380-677B285ADAEA}\RP145\A0039573.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{436F4E98-4AF4-481B-9380-677B285ADAEA}\RP145\A0039594.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{436F4E98-4AF4-481B-9380-677B285ADAEA}\RP145\A0039595.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{436F4E98-4AF4-481B-9380-677B285ADAEA}\RP145\A0039707.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{436F4E98-4AF4-481B-9380-677B285ADAEA}\RP145\A0039708.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{436F4E98-4AF4-481B-9380-677B285ADAEA}\RP145\A0039731.sys (Infected with W32/Bagle.GEX)
Deleted file

C:\System Volume Information\_restore{436F4E98-4AF4-481B-9380-677B285ADAEA}\RP145\A0039732.sys (Infected with W32/Rootkit.gen7)
Deleted file

C:\System Volume Information\_restore{436F4E98-4AF4-481B-9380-677B285ADAEA}\RP145\A0041026.exe (Infected with W32/Smallworm.FMX)
Deleted file


Running post-scan cleanup routine:
Failed to locate shared service executable: C:\WINDOWS\system32\ivmozjvg.dll
Removed service: kpsyugo

Number of files found: 114015
Number of archives unpacked: 0
Number of files scanned: 113999
Number of files not scanned: 16
Number of files skipped due to exclude list: 0
Number of infected files found: 13
Number of infected files repaired/deleted: 13
Number of infections removed: 13
Total scanning time: 1h 2m 36s
otoronco
Junior Member
Posts: 11
Joined: 06/11/09 17:45

Re: New Bagle?

Post by shel » 07/11/09 14:16

Sorry, but did I tell you to use Norman? Why don't you follow the instructions?

Run the scan with ComboFix as well; Norman removed some infections located in the restore points.
shel
Senior Member
Posts: 1326
Joined: 29/08/08 21:56

Re: New Bagle?

Post by otoronco » 07/11/09 14:31

Well, it found something anyway.
In any case, here is the ComboFix log.

ComboFix 09-11-06.03 - Roberto 07/11/2009 14.17.54.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2047.1653 [GMT 1:00]
Eseguito da: e:\dati\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {00000002-0002-0000-7C25-9E7C08000A00}
* Creato nuovo punto di ripristino

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Roberto\Dati applicazioni\drivers\downld
c:\documents and settings\Roberto\Documenti\cc_20091107_124523.reg
C:\Muestras
c:\muestras\WINUPGRO.EXE.Muestra EliBagle v13.10
c:\windows\system32\drivers\XLoader.sys

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_XLoader


((((((((((((((((((((((((( Files Creati Da 2009-10-07 al 2009-11-07 )))))))))))))))))))))))))))))))))))
.

2009-11-07 11:39 . 2009-11-07 11:39 -------- d-----w- c:\programmi\CCleaner
2009-11-07 11:19 . 2009-11-07 11:25 -------- d-----w- c:\programmi\FindyKill
2009-11-04 18:54 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-04 18:54 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-04 18:54 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-04 18:54 . 2009-11-04 18:54 -------- d-----w- c:\programmi\Avira
2009-11-04 18:54 . 2009-11-04 18:54 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Avira
2009-11-04 18:21 . 2009-11-07 13:23 -------- d--h--w- c:\documents and settings\Roberto\Dati applicazioni\drivers
2009-11-03 20:11 . 2009-11-03 20:11 -------- d-----w- c:\documents and settings\Roberto\Impostazioni locali\Dati applicazioni\Temp
2009-11-01 18:50 . 2009-11-01 18:50 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\NVIDIA Corporation
2009-11-01 18:50 . 2009-11-01 18:50 -------- d-----w- c:\programmi\NVIDIA Corporation
2009-11-01 10:29 . 2004-08-03 21:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2009-11-01 10:29 . 2004-08-03 21:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2009-11-01 08:31 . 2009-11-01 08:31 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\nView_Profiles
2009-10-31 18:43 . 2009-10-31 18:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-31 18:42 . 2009-10-31 18:42 152576 ----a-w- c:\documents and settings\Roberto\Dati applicazioni\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-25 17:04 . 2009-11-01 18:30 -------- d-----w- c:\programmi\Kyodai Mahjongg 2006
2009-10-18 15:48 . 2009-10-18 15:52 -------- d-----w- c:\programmi\jpegbook_050409

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 12:57 . 2006-03-02 12:00 84156 ----a-w- c:\windows\system32\perfc010.dat
2009-11-07 12:57 . 2006-03-02 12:00 489410 ----a-w- c:\windows\system32\perfh010.dat
2009-11-07 12:11 . 2008-01-26 17:45 -------- d-----w- c:\programmi\Total Video Converter
2009-11-07 11:44 . 2008-05-02 09:52 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-11-01 18:43 . 2008-01-31 20:59 -------- d-----w- c:\programmi\SystemRequirementsLab
2009-10-31 18:43 . 2007-12-26 12:34 -------- d-----w- c:\programmi\Java
2009-10-24 10:05 . 2008-12-29 21:30 -------- d-----w- c:\programmi\Xvid
2009-10-21 17:48 . 2007-12-26 12:47 -------- d-----w- c:\programmi\DivX
2009-10-21 17:46 . 2009-04-22 19:39 -------- d-----w- c:\programmi\VirtualDub-1.8.8
2009-10-19 17:09 . 2007-12-26 10:16 -------- d-----w- c:\programmi\File comuni\Adobe
2009-09-28 17:59 . 2007-12-26 11:44 -------- d-----w- c:\programmi\VLC
2009-09-27 17:19 . 2009-09-27 17:19 3674112 ----a-w- c:\windows\system32\nvwssr.dll
2009-09-27 15:12 . 2009-09-27 15:12 2194024 ----a-w- c:\windows\system32\nvcuvid.dll
2009-09-27 15:12 . 2009-09-27 15:12 1714792 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-09-27 15:12 . 2009-09-27 15:12 1604482 ----a-w- c:\windows\system32\nvdata.bin
2009-09-27 15:12 . 2008-05-02 20:46 888832 ----a-w- c:\windows\system32\nvapi.dll
2009-09-27 15:12 . 2008-05-02 20:46 2007040 ----a-w- c:\windows\system32\nvcuda.dll
2009-09-27 15:12 . 2008-05-02 20:46 170600 ----a-w- c:\windows\system32\nvcodins.dll
2009-09-27 15:12 . 2008-05-02 20:46 170600 ----a-w- c:\windows\system32\nvcod.dll
2009-09-27 15:12 . 2008-05-02 20:46 10756096 ----a-w- c:\windows\system32\nvoglnt.dll
2009-09-27 15:12 . 2007-12-23 14:06 490088 -c--a-w- c:\windows\system32\nvudisp.exe
2009-09-27 15:12 . 2007-12-23 13:47 490088 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-27 15:12 . 2007-12-23 12:43 7655872 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-09-27 15:12 . 2007-12-23 12:43 5900416 ----a-w- c:\windows\system32\nv4_disp.dll
2009-09-25 05:35 . 2006-03-02 12:00 669696 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:35 . 2006-03-02 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-14 09:32 . 2008-05-06 19:00 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\FLEXnet
2009-09-11 14:17 . 2006-03-02 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-03-02 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2006-03-02 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2007-12-26 12:53 . 2007-12-26 12:53 9801 -c--a-w- c:\programmi\uninstal.log
2007-01-28 16:12 . 2008-12-25 17:29 2493452 ----a-w- c:\programmi\FVP_SA.exe
2008-10-19 09:58 . 2008-10-19 09:58 49152 ----a-w- c:\programmi\mozilla firefox\components\SiteVacuumXPCOM.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2004-06-21 786432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="c:\programmi\Diskeeper\DkIcon.exe" [2006-06-07 319488]
"amd_dc_opt"="c:\programmi\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-07-23 77824]
"Acrobat Assistant 8.0"="c:\programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"LWBMOUSE"="c:\programmi\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe" [2001-04-20 429568]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-10-31 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-11-07 209153]
"combofix"="c:\combofix\CF24268.exe" [2009-11-07 398336]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="c:\windows\system32\sti_ci.dll" [2008-04-14 137216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Programmi\\Internet Explorer\\iexplore.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Kyodai Mahjongg 2006\\kmj.exe"=

S2 gupdate1ca139e9d8102de;Servizio di Google Update (gupdate1ca139e9d8102de);c:\programmi\Google\Update\GoogleUpdate.exe [02/08/2009 19.25.29 133104]
S3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\drivers\modrc.sys [11/07/2007 18.06.22 13824]
S3 phil2vid;Fotocamera VGA USB Philip;c:\windows\system32\drivers\philcam2.sys [24/12/2007 14.25.14 173696]
S3 rockusb;Driver for rockusb Device;c:\windows\system32\drivers\rockusb.sys [22/03/2006 19.57.44 73984]
S3 rockusb27;Driver for rockusb27 Device;c:\windows\system32\drivers\rockusb27.sys [25/04/2009 20.50.08 35072]
S3 scsiscan;Driver scanner SCSI;c:\windows\system32\drivers\scsiscan.sys [23/12/2007 21.50.38 11520]
S3 Slnt7554;USB Soft Modem Driver;c:\windows\system32\drivers\slnt7554.sys [23/12/2007 22.35.10 223184]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - MBR
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
kpsyugo
.
Contenuto della cartella 'Scheduled Tasks'

2009-11-07 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-02 18:24]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-08-02 18:25]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programmi\Google\Update\GoogleUpdate.exe [2009-08-02 18:25]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: Aggiungi a PDF esistente - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti destinazione link in Adobe PDF - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in Adobe PDF - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - c:\programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Roberto\Dati applicazioni\Mozilla\Firefox\Profiles\5lzs3l62.default\
FF - prefs.js: browser.search.selectedEngine - Google Search Community
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - component: c:\programmi\Mozilla Firefox\components\SiteVacuumXPCOM.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programmi\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\programmi\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\programmi\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-PMCRemote - (no file)
HKLM-Run-<NO NAME> - (no file)
AddRemove-{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA} - c:\programmi\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exeUNINSTALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 14:23
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spwm.sys >>UNKNOWN [0x8A612938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0x0 0x0 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xB7DFFB40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xB7DFFB40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xB7DFFB40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xB7DFFB40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xB7DFFB40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xB7DFFB40 atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\programmi\Diskeeper\DkService.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Ora fine scansione: 2009-11-07 14.26.30 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-11-07 13:26

Pre-Run: 220 173 463 552 byte disponibili
Post-Run: 220 040 007 680 byte disponibili

- - End Of File - - 5A4B22043BA5AFC3D678D523E8DC60E7
otoronco
Junior Member
Posts: 11
Joined: 06/11/09 17:45

Re: New Bagle?

Post by shel » 07/11/09 14:40

Run these cleanups.

Download http://www.filehippo.com/download_ccleaner/

1) to download the latest version, click at the top right under the green arrow
2) install it (without the extra toolbar)
3) click "Run Cleaner"; repeat the procedure 2 times

Then

download http://www.atribune.org/ccount/click.php?id=1

Launch ATFCleaner.exe with a double click

1.1) tick the Select All box
2.1) click the Empty Selected button
3.1) wait for the Done Cleaning notice
(if you use Opera or Firefox, tick their sections too)

Check whether you manage to install the antivirus.

Run this scan:

download Malwarebytes http://www.malwarebytes.org/mbam/program/mbam-setup.exe
1) install it
2) update it
3) run a scan choosing full mode
4) do NOT remove, for now, any threats it detects
5) when the scan is done, select the log tab, open the text file and post it on the forum
shel
Senior Member
Posts: 1326
Joined: 29/08/08 21:56

Re: New Bagle?

Post by otoronco » 07/11/09 16:50

OK, here is the log; anyway, everything now works better than before.
Thanks 1000000000000000000
Malwarebytes' Anti-Malware 1.41
Versione del database: 3116
Windows 5.1.2600 Service Pack 3

07/11/2009 16.46.36
mbam-log-2009-11-07 (16-46-33).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi scansionati: 236746
Tempo trascorso: 41 minute(s), 7 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 1
File infetti: 2

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
C:\Documents and Settings\Roberto\Dati applicazioni\drivers\downld (Worm.Bagle) -> No action taken.

File infetti:
C:\Documents and Settings\Roberto\Documenti\Software\WinRAR 3.80 iTALiAN Final\winrar.v3.xx.rar.slayer.v.1.1-icu\RAR Slayer v1.1.exe (Malware.Tool) -> No action taken.
C:\Programmi\WinRAR\WinRAR Keygen.exe (Trojan.Agent) -> No action taken.
otoronco
Junior Member
Posts: 11
Joined: 06/11/09 17:45

Re: New Bagle?

Post by Luke57 » 07/11/09 17:28

Hi, in the ComboFix report the downld folder had been deleted and was then picked up again by Malwarebytes. I'm worried it may have re-formed.
Highlight the items found by Malwarebytes and press "Remove selected items". Reboot and run Malwarebytes again.
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Re: New Bagle?

Post by otoronco » 08/11/09 10:19

Help me, the virus is back!
I don't know what happened, but after the scan with Malwarebytes, on reboot the dialog box with very strange characters that had appeared the first time I caught the virus showed up again.
Now I'm back to square one: AVIRA and SPYBOT out of order, the processor working hard, and not only that: if I use FindyKill, it finds and removes the infected files, but on reboot they regenerate!
I don't know what to do any more!
otoronco
Junior Member
Posts: 11
Joined: 06/11/09 17:45

Re: New Bagle?

Post by Luke57 » 08/11/09 11:00

Hi, if all of those files aren't removed, the infection always regenerates like a two-headed monster. Download SystemScan, disconnect the PC from the internet => disable the antivirus => run SystemScan => click "Scan Now".
http://www.suspectfile.com/systemscan
When the scan is done, re-enable the antivirus, upload the report (.zip file) you find on the desktop to wikifortio and post the link you get.
http://www.wikifortio.com/
Note: SystemScan is flagged as infected because of the type of scan it performs; obviously it isn't.
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Re: New Bagle?

Post by otoronco » 08/11/09 12:11

Done, here is the link, but it doesn't seem to have found anything.
http://www.wikifortio.com/759390/08_11_ ... report.zip
otoronco
Junior Member
Posts: 11
Joined: 06/11/09 17:45

Re: New Bagle?

Post by Luke57 » 09/11/09 11:21

Hi, in the SystemScan report there are no files attributable to Bagle. Use FindyKill, choosing option 2 to remove the files, and attach the report.
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10

Re: New Bagle?

Post by otoronco » 14/11/09 11:43

###################### [ FindyKill V4.714 ]

# User: Roberto - ATHLON-X2-4200
# Executed from : C:\Programmi\FindyKill
# Update on 19/01/09 by Chiquitine29
# Start at 11:39:12 the 14/11/2009
# Windows XP - Internet Explorer 6.0.2900.2180

# [ FindyKill V4.714 - Scan ] ##############

\\\\\\\\\\\\\\\\\\ [ Active Processes ] ///////////////////


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programmi\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe

\\\\\\\\\\\\\\\\\\ [ Infected files / folders ] ///////////////////


################## [ C:\ ]


################## [ C:\WINDOWS ]


################## [ C:\WINDOWS\Prefetch ]

Found ! - C:\WINDOWS\Prefetch\DELKEYS.EXE-2423ED17.pf

################## [ C:\WINDOWS\system32 ]


################## [ C:\WINDOWS\system32\drivers ]


################## [ C:\Documents and Settings\Roberto\Dati applicazioni ]

Found ! [14/11/2009 11.33] - "C:\Documents and Settings\Roberto\Dati applicazioni\drivers"

################## [ C:\DOCUME~1\Roberto\IMPOST~1\Temp ]


\\\\\\\\\\\\\\\\\\ [ Registry / Startup ] ///////////////////

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
SpybotSD TeaTimer=C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
DiskeeperSystray="C:\Programmi\Diskeeper\DkIcon.exe"
amd_dc_opt=C:\Programmi\AMD\Dual-Core Optimizer\amd_dc_opt.exe
Acrobat Assistant 8.0="C:\Programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
LWBMOUSE=C:\Programmi\Trust\AMI MOUSE 250SP WIRELESS OPTICAL\lwbwheel.exe
BluetoothAuthenticationAgent=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HP Software Update=C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
Adobe ARM="C:\Programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe"
SunJavaUpdateSched="C:\Programmi\Java\jre6\bin\jusched.exe"
NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
Malwarebytes Anti-Malware (reboot)="C:\Programmi\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
avgnt="C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents=
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL=
Installed=1
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI=
Installed=1
NoChange=1
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS=
Installed=1

[HKEY_CURRENT_USER\software\local appwizard-generated applications\GoogleToolbarNotifier]

\\\\\\\\\\\\\\\\\\ [ Registry / Infected keys ] ///////////////////




\\\\\\\\\\\\\\\\\\ [ States / Services ] ///////////////////


# Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - # Type of startup = 3

EapHost - # Type of startup = 2

Ip6Fw - # Type of startup = 2

SharedAccess - # Type of startup = 2

wuauserv - # Type of startup = 2

wscsvc - # Type of startup = 2


\\\\\\\\\\\\\\\\\\ [ Searching in removable drives ] ///////////////////


# Informations :

C: - Unità fissa


# Presence of files :



\\\\\\\\\\\\\\\\\\ [ Registry / Mountpoint2 ] ///////////////////


-> Not found !


################## [ ! End of report # FindyKill V4.714 ! ]


There, posted.
Sorry for the delay, but I had problems at work.
Thanks
otoronco
Junior Member
Posts: 11
Joined: 06/11/09 17:45

Re: New Bagle?

Post by Luke57 » 14/11/09 14:37

Hi, indeed there is no trace of Bagle.
Luke57
Moderator
Posts: 6415
Joined: 11/08/05 19:10
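The regeneration Luke57 points out in his 07/11 and 08/11 replies (ComboFix deleted the downld folder, Malwarebytes found it again the same afternoon, and FindyKill flagged the parent drivers folder a week later) can be checked mechanically across the logs instead of by eye. The Python below is an added example, not part of the thread or of any of the tools: it parses a few lines copied from the ComboFix, Malwarebytes and FindyKill logs above and reports every path one tool said it removed that a later scan found again. The scan times are the ones printed in the logs; the three parsers are assumptions about the log formats seen here and handle only those line shapes.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Tuple

class Detection(NamedTuple):
    when: datetime
    tool: str
    path: str      # normalised: lower case, quotes and trailing separators stripped
    removed: bool  # True when the tool reports that it deleted the item

def norm(path: str) -> str:
    return path.strip().strip('"').lower().rstrip("\\")

# Malwarebytes: one hit per line, "<path> (<signature>) -> <action>."
MBAM_RE = re.compile(r"^(?P<path>.+?) \([^)]+\) -> (?P<action>.+?)\.?$")
# FindyKill: 'Found ! - <path>' or 'Found ! [<date>] - "<path>"'
FINDYKILL_RE = re.compile(r'^Found ! (?:\[[^\]]*\] )?- "?(?P<path>[^"]+)"?$')
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

def parse_combofix_deletions(text: str, when: datetime) -> List[Detection]:
    """Bare paths under the 'Altre eliminazioni' header are items ComboFix removed."""
    out, active = [], False
    for line in (l.strip() for l in text.splitlines()):
        if "((((" in line:                      # every ComboFix section header looks like this
            active = "Altre eliminazioni" in line
        elif active and PATH_RE.match(line):
            out.append(Detection(when, "combofix", norm(line), True))
    return out

def parse_mbam(text: str, when: datetime) -> List[Detection]:
    out = []
    for m in filter(None, (MBAM_RE.match(l.strip()) for l in text.splitlines())):
        removed = not m.group("action").lower().startswith("no action")
        out.append(Detection(when, "mbam", norm(m.group("path")), removed))
    return out

def parse_findykill(text: str, when: datetime) -> List[Detection]:
    """A FindyKill scan report only lists what it found; nothing is removed."""
    matches = filter(None, (FINDYKILL_RE.match(l.strip()) for l in text.splitlines()))
    return [Detection(when, "findykill", norm(m.group("path")), False) for m in matches]

def reappeared(dets: List[Detection]) -> List[Tuple[str, str, str]]:
    """Items a tool reported removed that a later scan found again, at the same path or
    in a parent/child folder: the sign that the infection is regenerating itself."""
    hits = []
    for later in sorted(dets, key=lambda d: d.when):
        for earlier in dets:
            related = (earlier.path == later.path
                       or earlier.path.startswith(later.path + "\\")
                       or later.path.startswith(earlier.path + "\\"))
            if not later.removed and earlier.removed and earlier.when < later.when and related:
                hits.append((later.path, earlier.tool, later.tool))
                break
    return hits

# Constructed sample: a few lines copied from each log quoted in this thread.
COMBOFIX = r"""
(((((((((((((((((( Altre eliminazioni ))))))))))))))))))
c:\documents and settings\Roberto\Dati applicazioni\drivers\downld
c:\windows\system32\drivers\XLoader.sys
(((((((((((((((((( Driver/Servizi ))))))))))))))))))
"""
MBAM = r"""
C:\Documents and Settings\Roberto\Dati applicazioni\drivers\downld (Worm.Bagle) -> No action taken.
C:\Programmi\WinRAR\WinRAR Keygen.exe (Trojan.Agent) -> No action taken.
"""
FINDYKILL = r"""
Found ! - C:\WINDOWS\Prefetch\DELKEYS.EXE-2423ED17.pf
Found ! [14/11/2009 11.33] - "C:\Documents and Settings\Roberto\Dati applicazioni\drivers"
"""

def triage() -> List[Tuple[str, str, str]]:
    """Scan times are the ones printed in the three logs."""
    dets = (parse_combofix_deletions(COMBOFIX, datetime(2009, 11, 7, 14, 17))
            + parse_mbam(MBAM, datetime(2009, 11, 7, 16, 46))
            + parse_findykill(FINDYKILL, datetime(2009, 11, 14, 11, 39)))
    return reappeared(dets)

if __name__ == "__main__":
    for path, gone, back in triage():
        print(f"{path}: removed by {gone}, found again by {back}")
```

On the sample it reports both the downld folder (ComboFix then Malwarebytes) and its parent drivers folder (ComboFix then FindyKill); the Prefetch entry and the keygen are not listed because no earlier tool claimed to have removed them.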
