Condividi:        

win32.Agent.bgy

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: m.paolo, kadosh, Luke57

win32.Agent.bgy

Postdi alessia84 » 29/03/08 13:51

Salve a tutti..facendo la scansione con spybot ho trovato un malware dal nome in oggetto. Non capisco come mai kaspersky non me l'abbia riconosciuto..cmq avrei bisogno di eliminarlo, ho registrato il log di hijackthis in modo da farvelo vedere...sono andata sul link per l'analisi automatica ma non riesco a capire bene quali stringhe devo eliminare...preferisco avere una vostra consulenza (piu' volte mi avete salvato il pc...)
Grazie anticipatamente, vi posto il log:
Logfile of HijackThis v1.99.1
Scan saved at 13.32.02, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\VM305_STI.EXE
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\utente\Desktop\Alessia\programmi per il pc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Encarta Web Companion Oggetto helper - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Anti-virus web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Barra di ricerca di Encarta - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A1870833-29E8-4E2E-885C-8434EF0F371F}: NameServer = 192.168.1.1,192.168.1.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programmi\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

p.s. Stamattina ho scaricato un programma per eliminare gli occhi rossi...sara' stato questo?
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Sponsor
 

Re: win32.Agent.bgy

Postdi Luke57 » 29/03/08 15:15

Ciao, nel report non si vede niente, scarica runscanner da qui:
http://www.ilsoftware.it/querydl.asp?ID=1054
lo avvii, selezioni l'opzione "expert mode", premi "start scan", al termine della scansione premi sulla barra dei menu "Save .log file", sarà creato un file di testo, copi e incolli il contenuto in un post successivo.
Luke57
Moderatore
 
Post: 6413
Iscritto il: 11/08/05 19:10

Re: win32.Agent.bgy

Postdi alessia84 » 30/03/08 10:22

Ciao, ti copio il log che ho salvato dopo aver fatto la scansione che mi hai consigliato, spybot search&destroy continua a trovarmi malware...Help..
Runscanner logfile http://www.runscanner.net

* = signed file
- = file not found

000 General info
----------------
Computer name : P-5FCEFEFBCF754
Creation time : 30/03/2008 11.19.26
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 7.0.5730.11
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.6.1.0
User Language : Italiano (Italia)
User rights : Administrator
Windows folder : C:\WINDOWS

001 Running processes
---------------------
c:\progra~1\nvidia~1\networ~1\bin\nsvcip.exe (NVIDIA Corporation)
c:\programmi\lavasoft\ad-aware 2007\aawservice.exe (Lavasoft AB)
c:\progra~1\nvidia~1\networ~1\apache group\apache2\bin\apache.exe (Apache Software Foundation)
c:\progra~1\nvidia~1\networ~1\apache group\apache2\bin\apache.exe (Apache Software Foundation)
* c:\windows\system32\alg.exe (Microsoft Corporation)
* c:\windows\system32\winlogon.exe (Microsoft Corporation)
* c:\windows\system32\services.exe (Microsoft Corporation)
* c:\windows\system32\csrss.exe (Microsoft Corporation)
* c:\windows\system32\ctfmon.exe (Microsoft Corporation)
c:\programmi\emule\emule.exe (http://www.emule-project.net)
* c:\windows\explorer.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\windows\system32\svchost.exe (Microsoft Corporation)
* c:\programmi\internet explorer\iexplore.exe (Microsoft Corporation)
c:\programmi\kaspersky lab\kaspersky anti-virus 6.0\avp.exe (Kaspersky Lab)
c:\programmi\kaspersky lab\kaspersky anti-virus 6.0\avp.exe (Kaspersky Lab)
* c:\windows\system32\lsass.exe (Microsoft Corporation)
* c:\programmi\file comuni\microsoft shared\vs7debug\mdm.exe (Microsoft Corporation)
* c:\programmi\windows live\messenger\usnsvc.exe (Microsoft Corporation)
c:\programmi\file comuni\ahead\lib\nmindexstoresvr.exe (Nero AG)
c:\programmi\file comuni\ahead\lib\nmbgmonitor.exe (Nero AG)
c:\programmi\file comuni\ahead\lib\nmindexingservice.exe (Nero AG)
c:\progra~1\nvidia~1\networ~1\bin\nsvclog.exe (NVIDIA Corporation)
* c:\windows\system32\nvsvc32.exe (NVIDIA Corporation)
* c:\windows\rthdcpl.exe (Realtek Semiconductor Corp.)
* c:\documents and settings\utente\desktop\runscanner.exe (Runscanner.net)
* c:\windows\system32\spoolsv.exe (Microsoft Corporation)
c:\windows\vm305_sti.exe (Vimicro)
c:\programmi\intervideo\common\bin\wincinemamgr.exe (InterVideo Inc.)
* c:\programmi\windows live\messenger\msnmsgr.exe (Microsoft Corporation)
* c:\windows\system32\smss.exe (Microsoft Corporation)
* c:\windows\system32\wscntfy.exe (Microsoft Corporation)
* c:\programmi\file comuni\microsoft shared\windows live\wlloginproxy.exe (Microsoft Corporation)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\programmi\kaspersky lab\kaspersky anti-virus 6.0\avp.exe (Kaspersky Lab)
c:\windows\vm305_sti.exe (Vimicro)
c:\programmi\file comuni\ahead\lib\nerocheck.exe (Nero AG)
C:\WINDOWS\system32\nwiz.exe

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\programmi\file comuni\ahead\lib\nmbgmonitor.exe (Nero AG)
c:\programmi\emule\emule.exe (http://www.emule-project.net)

005 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
----------------------------------------------------------------------------------
c:\progra~1\adobe\acroba~1.0\reader\reader~1.exe (Adobe Systems Incorporated)
c:\progra~1\interv~1\common\bin\wincin~1.exe (InterVideo Inc.)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
c:\programmi\lavasoft\ad-aware 2007\aawservice.exe (Ad-Aware 2007 Service)
c:\progra~1\nvidia~1\networ~1\bin\nsvcip.exe (ForceWare IP service)
c:\progra~1\nvidia~1\networ~1\bin\nsvclog.exe (ForceWare user log service)
c:\progra~1\nvidia~1\networ~1\apache group\apache2\bin\apache.exe (Forceware Web Interface)
c:\programmi\kaspersky lab\kaspersky anti-virus 6.0\avp.exe (Kaspersky Anti-Virus 6.0)
c:\programmi\nero\nero 7\nero backitup\nbservice.exe (NBService)
c:\programmi\file comuni\ahead\lib\nmindexingservice.exe (NMIndexingService)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
c:\windows\system32\drivers\bios.sys (BIOS)
- c:\windows\system32\drivers\changer.sys (Changer)
- c:\windows\system32\drivers\i2omgmt.sys (i2omgmt)
* C:\WINDOWS\system32\drivers\kl1.sys (Kl1)
c:\windows\system32\drivers\klif.sys (Klif)
- c:\windows\system32\drivers\lbrtfdc.sys (lbrtfdc)
C:\WINDOWS\system32\drivers\usbser.sys (Motorola USB Modem Driver)
- c:\windows\system32\drivers\pcidump.sys (PCIDump)
- c:\windows\system32\drivers\pdcomp.sys (PDCOMP)
- c:\windows\system32\drivers\pdframe.sys (PDFRAME)
- c:\windows\system32\drivers\pdreli.sys (PDRELI)
- c:\windows\system32\drivers\pdrframe.sys (PDRFRAME)
c:\windows\system32\drivers\prodrv06.sys (StarForce Protection Environment Driver v6)
C:\WINDOWS\system32\drivers\sfhlp01.sys (StarForce Protection Helper Driver)
C:\WINDOWS\system32\drivers\prohlp02.sys (StarForce Protection Helper Driver v2)
C:\WINDOWS\system32\drivers\prosync1.sys (StarForce Protection Synchronization Driver v1)
C:\WINDOWS\system32\drivers\usbvm305.sys (SUPER 188 PC CAMERA)
C:\WINDOWS\system32\drivers\pcouffin.sys (VSO Software pcouffin)
- c:\windows\system32\drivers\wdica.sys (WDICA)

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\windows\system32\itss.dll (Microsoft Corporation) {9D148291-B9C8-11D0-A4CC-0000F80149F6}
c:\windows\system32\itss.dll (Microsoft Corporation) {9D148291-B9C8-11D0-A4CC-0000F80149F6}
c:\programmi\file comuni\microsoft shared\information retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

042 HKLM\Software\Microsoft\Internet Explorer\Extensions
--------------------------------------------------------
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}
GUID / CLSID not found {B205A35E-1FC4-4CE3-818B-899DBBB3388C}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {219C3416-8CB2-491a-A3C7-D9FCDDC9D600}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {92780B25-18CC-41C8-B9BE-3C9C571A8263}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {77BF5300-1474-4EC7-9980-D32B190E9B07}

044 HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
------------------------------------------------------------------
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {01E04581-4EEE-11D0-BFE9-00AA005B4383}

051 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
-------------------------------------------------------------------------------
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {8C7461EF-2B13-11d2-BE35-3078302C2030}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {438755C2-A8BA-11D1-B96B-00A0C90312E1}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
GUID / CLSID not found {7E853D72-626A-48EC-A868-BA8D5E23E045}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {01E04581-4EEE-11d0-BFE9-00AA005B4383}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {7e653215-fa25-46bd-a339-34a2790f3cb7}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {A08C11D2-A228-11d0-825B-00AA005B4383}
* c:\programmi\kaspersky lab\kaspersky anti-virus 6.0\scieplugin.dll (Kaspersky Lab) {85E0B171-04FA-11D1-B7DA-00A0C90348D6}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {DD313E04-FEFF-11d1-8ECD-0000F87A470C}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {F61FFEC1-754F-11d0-80CA-00AA005B4383}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {5E6AB780-7743-11CF-A12B-00AA004AE837}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}
C:\WINDOWS\system32\cdfview.dll (Microsoft Corporation) {f3ba0dc0-9cc8-11d0-a599-00c04fd64435}
C:\WINDOWS\system32\cdfview.dll (Microsoft Corporation) {f3da0dc0-9cc8-11d0-a599-00c04fd64437}
C:\WINDOWS\system32\cdfview.dll (Microsoft Corporation) {f3ea0dc0-9cc8-11d0-a599-00c04fd64438}
C:\WINDOWS\system32\cdfview.dll (Microsoft Corporation) {f3aa0dc0-9cc8-11d0-a599-00c04fd64434}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {00BB2765-6A77-11D0-A535-00C04FD7D062}
c:\windows\system32\nvshell.dll {1CDB2949-8F65-4355-8456-263E7C208A5D}
c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {00BB2764-6A77-11D0-A535-00C04FD7D062}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {03C036F1-A186-11D0-824A-00AA005B4383}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {6756A641-DE71-11d0-831B-00AA005B4383}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {EFA24E64-B078-11d0-89E4-00C04FC9E26E}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {EFA24E61-B078-11d0-89E4-00C04FC9E26E}
C:\WINDOWS\system32\cdfview.dll (Microsoft Corporation) {f39a0dc0-9cc8-11d0-a599-00c04fd64433}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {EFA24E62-B078-11d0-89E4-00C04FC9E26E}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {acf35015-526e-4230-9596-becbe19f0ac9}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {131A6951-7F78-11D0-A979-00C04FD705A2}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {A5E46E3A-8849-11D1-9D8C-00C04FC99D61}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {7BA4C742-9E81-11CF-99D3-00AA004AE837}
C:\WINDOWS\system32\mmcshext.dll (Microsoft Corporation) {7A80E4A8-8005-11D2-BCF8-00C04F72C717}
c:\programmi\nero\nero 7\nero coverdesigner\coveredextension.dll (Nero AG) {97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}
c:\programmi\file comuni\ahead\lib\nerodigitalext.dll (Nero AG) {B327765E-D724-4347-8B16-78AE18552FC3}
c:\programmi\file comuni\ahead\lib\nerodigitalext.dll (Nero AG) {7F1CF152-04F8-453A-B34C-E609530A9DC8}
c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
C:\WINDOWS\system32\twext.dll (Microsoft Corporation) {596AB062-B4D2-4215-9F74-E9109B0A8153}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {169A0691-8DF9-11d1-A1C4-00C04FD75D13}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {9461b922-3c5a-11d2-bf8b-00c04fb93661}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {0A89A860-D7B1-11CE-8350-444553540000}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {ECD4FC4E-521C-11D0-B792-00A0C90312E1}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {ECD4FC4C-521C-11D0-B792-00A0C90312E1}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {3CCF8A41-5C85-11d0-9796-00AA00B90ADF}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {6413BA2C-B461-11d1-A18A-080036B11A03}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {91EA3F8B-C99B-11d0-9815-00C04FD91972}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {00BB2763-6A77-11D0-A535-00C04FD7D062}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {ECD4FC4D-521C-11D0-B792-00A0C90312E1}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {21569614-B795-46b1-85F4-E737A8DC09AD}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
c:\windows\system32\b4fm.dll {1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {22BF0C20-6DA7-11D0-B373-00A0C9034938}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {D20EA4E1-3957-11d2-A40B-0C5020524153}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {D20EA4E1-3957-11d2-A40B-0C5020524152}
C:\WINDOWS\system32\browseui.dll (Microsoft Corporation) {AF4F6510-F982-11d0-8595-00AA004CD6D8}
C:\WINDOWS\system32\twext.dll (Microsoft Corporation) {9DB7A13C-F208-4981-8353-73CC61AE2783}
c:\programmi\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79304-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79305-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79306-84BE-11CE-9641-444553540000}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79307-84BE-11CE-9641-444553540000}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
------------------------------------------------------------
c:\programmi\file comuni\ahead\lib\nerodigitalext.dll (Nero AG) {7D4D6379-F301-4311-BEBA-E26EB0561882}
c:\programmi\adobe\acrobat 7.0\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
---------------------------------------------------------------------
C:\WINDOWS\system32\lsdelete.exe

064 HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
-------------------------------------------------------------------
C:\WINDOWS\system32\olecnv32.dll (Microsoft Corporation)

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
c:\windows\system32\klogon.dll (Kaspersky Lab)

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
C:\WINDOWS\system32\mdimon.dll (Microsoft Corporation)

072 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
---------------------------------------------------------------
C:\WINDOWS\system32\kerberos.dll (Microsoft Corporation)
C:\WINDOWS\system32\wdigest.dll (Microsoft Corporation)

100 Internet Explorer settings
------------------------------
Start Page HKCU : http://www.libero.it/

102 HKLM - HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
------------------------------------------------------------------
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {4D5C8C25-D075-11d0-B416-00C04FB90376}
C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation) {EFA24E64-B078-11D0-89E4-00C04FC9E26E}

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
GUID / CLSID not found {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
-----------------------------------------------------
&Windows Live Search : res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
Add to Windows &Live Favorites : http://favorites.live.com/quickadd.aspx
E&sporta in Microsoft Excel : res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
Read with DeskBot :

120 Domain/DNS hijacking
------------------------
NameServer {A1870833-29E8-4E2E-885C-8434EF0F371F} : 192.168.1.1,192.168.1.2

170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
------------------------------------------------------------------------
{c76fc7ed-7af2-11dc-95eb-00e04d2f1f95} : C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

172 HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
---------------------------------------------------------------
C:\WINDOWS\system32\ntlanman.dll (Microsoft Corporation)

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
c:\programmi\nero\nero 7\nero coverdesigner\coveredextension.dll (Nero AG) {73FCA462-9BD5-4065-A73F-A8E5F6904EF7}
c:\programmi\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
c:\programmi\kaspersky lab\kaspersky anti-virus 6.0\shellex.dll (Kaspersky Lab) {dd230880-495a-11d1-b064-008048ec2fc5}
c:\progra~1\winzip\wzshlstb.dll (WinZip Computing LP) {E0D79304-84BE-11CE-9641-444553540000}
c:\programmi\nero\nero 7\nero backitup\nbshell.dll (Nero AG)
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Re: win32.Agent.bgy

Postdi alessia84 » 30/03/08 14:48

Chi mi aiuta?...
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Re: win32.Agent.bgy

Postdi Luke57 » 30/03/08 15:36

Ciao, il report di runscanner è pulito, nessuna traccia di malware. Riporta che cosa trova esattamente spybot, vale a dire posizione del file ed eventuakle chiave di registro.
Luke57
Moderatore
 
Post: 6413
Iscritto il: 11/08/05 19:10

Re: win32.Agent.bgy

Postdi alessia84 » 30/03/08 18:01

allora...ti scrivo quello che mi riporta di preciso:
-win32.agent.bgy
IMPOSTAZONI:HKEY_USERS\S-15-21-1060284298-2049760794-725345543-1003\software\FirstRRRun
TIPO:chiave di registro

-win32.bagle.hi
ESEGUIBILE: C\WINDOWS\system32\drivers\hldrr.exe TIPO:file
CARTELLA DI PROGRAMMA:C\WINDOWS\system32\drivers\down\ TIPO:cartella

Ho anche ripulito tutto con cc cleaner, e scansionato con kaspersky nelle aree critiche ma non ha trovato nulla...magari sara una cavolata...ma vorrei eliminarla dato che fino a 2 gg fa nn c'era nulla...e il pc ha meno di 2 mesi..

Grazie per la disponibilita'.
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Re: win32.Agent.bgy

Postdi Luke57 » 30/03/08 18:39

Ciao, effettivamente è un malware pericoloso. Fai uno scan on line con kaspersky, trovi qui le istruzioni dettagliate:
http://forum.wininizio.it/index.php?showtopic=36981&hl
Luke57
Moderatore
 
Post: 6413
Iscritto il: 11/08/05 19:10

Re: win32.Agent.bgy

Postdi alessia84 » 30/03/08 20:37

Sto facendo la scansione on line e poi vi scrivo tutto...domani torno a lavoro e il pc deve essere sano..devo pure lavorare alla tesi... ;(
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Re: win32.Agent.bgy

Postdi alessia84 » 30/03/08 21:17

Durante la scansione (che e' durata una 50ina di minuti) sono sat trovati 3 virus e 6 file infetti...
Non riesco ad allegare il file html, mi dice che l'estensione html nn e' permessa...
Per favore...
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Re: win32.Agent.bgy

Postdi alessia84 » 30/03/08 21:19

http://w3.wikifortio.com/node-fs/downlo ... ersky.html

Ho utilizzato uno dei link consigliati in guida...spero si legga.
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Re: win32.Agent.bgy

Postdi Luke57 » 31/03/08 07:47

Ciao, il link non è accessibile, incolla il report in un post. Comunque la scansione va fatta in tutto il computer, non solo nelle aree critiche.
Luke57
Moderatore
 
Post: 6413
Iscritto il: 11/08/05 19:10

Re: win32.Agent.bgy

Postdi alessia84 » 31/03/08 08:00

Buobgiorno, ho scelto my computer come cosigliato nella guida... vi posto il log

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics
Total number of scanned objects 48074
Number of viruses found 3
Number of infected objects 6
Number of suspicious objects 0
Duration of the scan process 00:47:19

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab\AVP6\Report\23d0_Web_Monitoring_eventlog.rpt Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab\AVP6\Report\eventlog.rpt Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\utente\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\utente\Dati applicazioni\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped

C:\Documents and Settings\utente\Desktop\Alessia\mIRC.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped

C:\Documents and Settings\utente\Desktop\Alessia\programmi per il pc\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

C:\Documents and Settings\utente\Desktop\Alessia\programmi per il pc\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped

C:\Documents and Settings\utente\Desktop\Alessia\programmi per il pc\mirc621.exe NSIS: infected - 2 skipped

C:\Documents and Settings\utente\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Ahead\Nero Home\bl.db Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Ahead\Nero Home\is2.db Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Identities\{A436A803-02AC-4ED0-8695-743E07F24FD1}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Identities\{A436A803-02AC-4ED0-8695-743E07F24FD1}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\alessia_pa@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\alessia_pa@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\alessia_pa@hotmail.com\SharingMetadata\Working\database_5AFC_963A_FC96_107D\dfsr.db Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\alessia_pa@hotmail.com\SharingMetadata\Working\database_5AFC_963A_FC96_107D\fsr.log Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\alessia_pa@hotmail.com\SharingMetadata\Working\database_5AFC_963A_FC96_107D\fsrtmp.log Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\alessia_pa@hotmail.com\SharingMetadata\Working\database_5AFC_963A_FC96_107D\tmp.edb Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Microsoft\Windows Live Contacts\alessia_pa@hotmail.com\real\members.stg Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Dati applicazioni\Microsoft\Windows Live Contacts\alessia_pa@hotmail.com\shadow\members.stg Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Temp\~DF9303.tmp Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Temp\~DF939E.tmp Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Temp\~DFBCC2.tmp Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Temp\~DFBCF3.tmp Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\utente\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\utente\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\utente\ntuser.dat.LOG Object is locked skipped

C:\Programmi\eMule\Temp\001.part Object is locked skipped

C:\Programmi\eMule\Temp\002.part Object is locked skipped

C:\Programmi\eMule\Temp\003.part Object is locked skipped

C:\Programmi\eMule\Temp\005.part Object is locked skipped

C:\Programmi\eMule\Temp\006.part Object is locked skipped

C:\Programmi\eMule\Temp\007.part Object is locked skipped

C:\Programmi\eMule\Temp\009.part Object is locked skipped

C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log Object is locked skipped

C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log Object is locked skipped

C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log Object is locked skipped

C:\Programmi\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{FD86EA0C-D88D-4887-A032-3D25A6ADC832}\RP229\A0047583.exe Infected: Trojan-Downloader.Win32.Bagle.jh skipped

C:\System Volume Information\_restore{FD86EA0C-D88D-4887-A032-3D25A6ADC832}\RP230\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped

C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped

C:\WINDOWS\system32\drivers\hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.jh skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\cch~13207c92.htp Object is locked skipped

C:\WINDOWS\Temp\cch~13208409.htp Object is locked skipped

C:\WINDOWS\Temp\cch~25076c46.htp Object is locked skipped

C:\WINDOWS\Temp\cch~250773bd.htp Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Re: win32.Agent.bgy

Postdi Luke57 » 31/03/08 08:21

Ciao, disattiva il ripristino configurazione di sistema (click tasto dx su risorse del computer>proprietà>ripristino configurazione di sistema, metti la spunta a "disattiva....">OK


scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
Decomprimi l'archivio
Avvia il file avenger.exe

All'interno del box bianco,copia e incolla le scritte seguenti:

Files to delete:
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\1.exe
C:\WINDOWS\system32\mdelk.exe
C:\Documents and Settings\utente\Desktop\Alessia\mIRC.exe
C:\Documents and Settings\utente\Desktop\Alessia\programmi per il pc\mirc621.exe

folders to delete:
C:\WINDOWS\exefnd
C:\WINDOWS\exefld
C:\WINDOWS\system32\drivers\down
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5
C:\Windows\tasks
C:\Documents and Settings\utente\Impostazioni locali\Temp
C:\Documents and Settings\utente\Impostazioni locali\Temporary Internet Files\Content.IE5
C:\Programmi\eMule\Temp

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32




Clicca sul pulsante Execute


Il pc dovrebbe riavviarsi da solo, se così non fosse riavvialo manualmente.
Allega poi il log generato da avenger, lo trovi in C:\avenger.txt è un file di testo.

Riattiva il ripristino configurazione di sistema con la solita procedura, solo che questa volta togli la spunta precedentemente immessa.


scarica ATF Cleaner (pulizia dei file temporanei)
http://www.atribune.org/ccount/click.php?id=1
Avvia ATF Cleaner, seleziona "Select all" e poi premi "Empty selected". ttendi il messaggio Done cleaning! Ripeti la stessa operazione per le schede Firefox ed Opera (se li hai).


N.B. Se avenger non dovesse partire,scaricalo da qui:
http://www.wikifortio.com/630243/AntiBagle.zip
siccome dovrebbe essere una versione vecchia, la procedura è la seguente:
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla lo script suddetto
Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi ok e poi yes.
Il pc dovrebbe riavviarsi da solo, se così non fosse riavvialo manualmente.
Allega poi il log generato da avenger, lo trovi in C:\avenger.txt è un file di testo.

Inoltre, apri il registro di sistema (start>esegui>regedit (lo digiti nello spazio)>OK

Aperto l'editor, cliccando sul segno + accanto alle singole voci, segui questo percorso:
HKEY_USERS\S-15-21-1060284298-2049760794-725345543-1003\software\FirstRRRun
click tasto dx sulla voce FirstRRRun e scegli Elimina.
Chiudi il registro.
Luke57
Moderatore
 
Post: 6413
Iscritto il: 11/08/05 19:10

Re: win32.Agent.bgy

Postdi alessia84 » 31/03/08 13:42

Ho fatto tutto quello che mi hai detto, ecco il log ricavato da avenger:
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon Mar 31 14:30:11 2008

14:30:06: Warning: Skipping potentially dangerous line:
"HKLM\SYSTEM\CurrentControlSet\Services\srosa" (Registry key deletion mode)
14:30:11: Error: Execution aborted by user!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\drivers\hidr.exe" not found!
Deletion of file "C:\WINDOWS\system32\drivers\hidr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\srosa.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\wintems.exe" not found!
Deletion of file "C:\WINDOWS\system32\wintems.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\hldrrr.exe" not found!
Deletion of file "C:\WINDOWS\system32\hldrrr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\trusted.exe" not found!
Deletion of file "C:\WINDOWS\system32\trusted.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\pci32.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\pci32.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\drivers\hldrrr.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\1.exe" not found!
Deletion of file "C:\WINDOWS\system32\1.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\mdelk.exe" not found!
Deletion of file "C:\WINDOWS\system32\mdelk.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Documents and Settings\utente\Desktop\Alessia\mIRC.exe" deleted successfully.
File "C:\Documents and Settings\utente\Desktop\Alessia\programmi per il pc\mirc621.exe" deleted successfully.

Error: folder "C:\WINDOWS\exefnd" not found!
Deletion of folder "C:\WINDOWS\exefnd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\WINDOWS\exefld" not found!
Deletion of folder "C:\WINDOWS\exefld" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\WINDOWS\system32\drivers\down" deleted successfully.
Folder "C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5" deleted successfully.
Folder "C:\Windows\tasks" deleted successfully.
Folder "C:\Documents and Settings\utente\Impostazioni locali\Temp" deleted successfully.
Folder "C:\Documents and Settings\utente\Impostazioni locali\Temporary Internet Files\Content.IE5" deleted successfully.
Folder "C:\Programmi\eMule\Temp" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\pci32" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\pci32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Re: win32.Agent.bgy

Postdi alessia84 » 31/03/08 13:42

Ho fatto tutto quello che mi hai detto, ecco il log ricavato da avenger:
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon Mar 31 14:30:11 2008

14:30:06: Warning: Skipping potentially dangerous line:
"HKLM\SYSTEM\CurrentControlSet\Services\srosa" (Registry key deletion mode)
14:30:11: Error: Execution aborted by user!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\drivers\hidr.exe" not found!
Deletion of file "C:\WINDOWS\system32\drivers\hidr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\srosa.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\srosa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\wintems.exe" not found!
Deletion of file "C:\WINDOWS\system32\wintems.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\hldrrr.exe" not found!
Deletion of file "C:\WINDOWS\system32\hldrrr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\trusted.exe" not found!
Deletion of file "C:\WINDOWS\system32\trusted.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\pci32.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\pci32.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\drivers\hldrrr.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\1.exe" not found!
Deletion of file "C:\WINDOWS\system32\1.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\mdelk.exe" not found!
Deletion of file "C:\WINDOWS\system32\mdelk.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Documents and Settings\utente\Desktop\Alessia\mIRC.exe" deleted successfully.
File "C:\Documents and Settings\utente\Desktop\Alessia\programmi per il pc\mirc621.exe" deleted successfully.

Error: folder "C:\WINDOWS\exefnd" not found!
Deletion of folder "C:\WINDOWS\exefnd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\WINDOWS\exefld" not found!
Deletion of folder "C:\WINDOWS\exefld" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\WINDOWS\system32\drivers\down" deleted successfully.
Folder "C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5" deleted successfully.
Folder "C:\Windows\tasks" deleted successfully.
Folder "C:\Documents and Settings\utente\Impostazioni locali\Temp" deleted successfully.
Folder "C:\Documents and Settings\utente\Impostazioni locali\Temporary Internet Files\Content.IE5" deleted successfully.
Folder "C:\Programmi\eMule\Temp" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\pci32" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\pci32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Re: win32.Agent.bgy

Postdi alessia84 » 31/03/08 13:44

Scusate tanto, per errore ho inserito il messaggio due volte...
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Re: win32.Agent.bgy

Postdi Luke57 » 31/03/08 14:10

Ok, c'era un'infezione diciamo a metà del bagle. Hai tolto la voce di registro?
Luke57
Moderatore
 
Post: 6413
Iscritto il: 11/08/05 19:10

Re: win32.Agent.bgy

Postdi alessia84 » 31/03/08 14:13

Grazie mille per l'aiuto, la voce di registro...come faccio a toglierla? Scusa l'ignoranza eh...
P:S E' normale che siano andati via da emule tutti i file che stavo scaricando? non ho piu' trasferimenti in corso..
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Re: win32.Agent.bgy

Postdi Luke57 » 31/03/08 14:23

Ciao, Inoltre, apri il registro di sistema (start>esegui>regedit (lo digiti nello spazio)>OK

Aperto l'editor, cliccando sul segno + accanto alle singole voci, segui questo percorso:
HKEY_USERS\S-15-21-1060284298-2049760794-725345543-1003\software\FirstRRRun
click tasto dx sulla voce FirstRRRun e scegli Elimina.
Chiudi il registro.

Ti sei infettata scaricando file da emule, io ti ho fatto eliminare quelli temp presenti perchè kaspersky non verifica se sono infetti (li segnala come nascosti)
Luke57
Moderatore
 
Post: 6413
Iscritto il: 11/08/05 19:10

Re: win32.Agent.bgy

Postdi alessia84 » 31/03/08 14:25

Ok mi rispodo da sola:
Il file di registro lo cancello da start-esegui-regedit (nello spazio) e seguo il percorso di cui sopra
I file emule e' normale che nn ci siano piu', abbiamo cancellato i file temporanei anche della cartella di emule.

Grazie infinite, siete sempre i migliori.
alessia84
Utente Senior
 
Post: 132
Iscritto il: 18/07/06 14:33

Prossimo

Torna a Sicurezza e Privacy


Topic correlati a "win32.Agent.bgy":

trojan win32/sirefef
Autore: marzianu
Forum: Sicurezza e Privacy
Risposte: 27
Trojan Agent e Zbot
Autore: polly76
Forum: Sicurezza e Privacy
Risposte: 39
win32/sinowal.gen!y
Autore: diego78
Forum: Sicurezza e Privacy
Risposte: 15

Chi c’è in linea

Visitano il forum: Nessuno e 98 ospiti