Possible Bagle worm

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

Possible Bagle worm

Post by Stiff » 15/04/08 14:09

Hi everyone, for a couple of days I haven't been able to open the antivirus programs on my PC any more. Norton no longer opens, and the same happens with HijackThis, Avenger, AVG, Ad-Aware, etc. I read on the internet that the cause is probably the Bagle worm, but I haven't found any solution to the problem that doesn't rely on an antivirus. Can you help me, please? Thanks a lot.
Stiff
Junior Member

Posts: 35
Joined: 17/11/06 21:59


Re: Possible Bagle worm

Post by Luke57 » 15/04/08 14:44

Hi, run an online scan with Kaspersky; you'll find the detailed instructions here:
http://forum.wininizio.it/index.php?showtopic=36981&hl
Then post the resulting report (it won't be quick)
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by Stiff » 15/04/08 16:40

Hi. I'm running the scan, but is it possible that after an hour and a half it's still at 1%? :o Have you ever tried this kind of scan, and can you tell me roughly how long it takes? Thanks for the help
Stiff
Junior Member

Posts: 35
Joined: 17/11/06 21:59

Re: Possible Bagle worm

Post by Luke57 » 15/04/08 16:44

Hi, it's excruciatingly slow, but its report lets you find every file infected by Bagle (it's enough for a single one to remain in memory and on reboot the infection spreads again just as before)
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by Stiff » 15/04/08 17:08

Then I'll most likely leave the PC on all night, hoping it will have finished by tomorrow morning so I can post the report. As soon as I have any news, I'll let you know right away. In the meantime I've downloaded and installed NOD32 in place of Norton 360... was that the right move? :)
Stiff
Junior Member

Posts: 35
Joined: 17/11/06 21:59

Re: Possible Bagle worm

Post by Stiff » 28/04/08 12:46

After 13 (thirteen) days of attempts, I've finally managed to (almost) complete the Kaspersky scan... I'm posting the report, although unfortunately the IE window closed by itself when the scan had reached 97%. I hope it's fine anyway. What should I do now??

Monday, April 28, 2008 8:19:18 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/04/2008
Kaspersky Anti-Virus database records: 727600
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
G:\
H:\
Scan Statistics
Total number of scanned objects 120421
Number of viruses found 10
Number of infected objects 92
Number of suspicious objects 0
Duration of the scan process 14:08:24

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Dati applicazioni\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\scafato\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\scafato\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\scafato\Impostazioni locali\Cronologia\History.IE5\MSHist012008042720080428\index.dat Object is locked skipped
C:\Documents and Settings\scafato\Impostazioni locali\Dati applicazioni\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\scafato\Impostazioni locali\Dati applicazioni\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\scafato\Impostazioni locali\Dati applicazioni\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\scafato\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\scafato\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temp\eraseme_65246.exe Infected: Trojan.Win32.Agent.giv skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\1RHHI5J0\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\1RHHI5J0\b64_2[2].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\1RHHI5J0\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\1RHHI5J0\bg_text1[1].jpg Infected: not-a-virus:AdWare.Win32.Virtumonde.qpy skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\3ZOD1ZDF\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\3ZOD1ZDF\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\6SUSQ25R\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\6SUSQ25R\b64_2[2].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\6SUSQ25R\b64_2[3].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\6SUSQ25R\b64_2[4].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\6SUSQ25R\b64_2[5].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\6SUSQ25R\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\6SUSQ25R\b64_3[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\6SUSQ25R\b64_3[3].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\7C7SB95C\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\7C7SB95C\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.qom skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\80MF2BFL\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\80MF2BFL\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\80MF2BFL\videoP2P85[1].exe Infected: Trojan.Win32.Agent.giv skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\ALLWM0CH\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\ALLWM0CH\b64_1[2].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\ALLWM0CH\b64_1[3].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\ALLWM0CH\b64_1[4].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\ALLWM0CH\b64_1[5].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\ALLWM0CH\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\ALLWM0CH\b64_2[2].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\ALLWM0CH\b64_2[3].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\ALLWM0CH\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\ALLWM0CH\b64_3[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\ALLWM0CH\b64_3[3].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\ALLWM0CH\idkfa[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.qpb skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\JW5PLSKM\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\M4N1JCWE\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\M4N1JCWE\b64_1[2].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\OJ92Q4U8\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\OJ92Q4U8\b64_1[2].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\OJ92Q4U8\b64_1[3].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\OJ92Q4U8\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\OJ92Q4U8\b64_2[2].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\OJ92Q4U8\b64_2[3].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\OJ92Q4U8\b64_2[4].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\OJ92Q4U8\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\OJ92Q4U8\b64_3[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\RYJDHXRN\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\RYJDHXRN\b64_1[2].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\RYJDHXRN\b64_1[3].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\RYJDHXRN\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\RYJDHXRN\b64_2[2].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\RYJDHXRN\b64_2[3].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\RYJDHXRN\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\RYJDHXRN\b64_3[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\RYJDHXRN\b64_3[3].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\RYJDHXRN\kriv[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.qor skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\WDLQ0FHM\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\WDLQ0FHM\b64_1[2].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\WDLQ0FHM\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\Y9CKNMOR\b64_1[1].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\Y9CKNMOR\b64_1[2].jpg Infected: Trojan-Downloader.Win32.Bagle.ij skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\Y9CKNMOR\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\Y9CKNMOR\b64_2[2].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\Y9CKNMOR\b64_2[3].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\Y9CKNMOR\b64_3[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5\Y9CKNMOR\b64_3[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\scafato\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\scafato\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\scafato\UserData\index.dat Object is locked skipped
C:\Programmi\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP66\A0019794.rbf Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP66\A0019940.rbf Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP68\A0026505.exe Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP68\A0026506.EXE Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP68\A0026507.exe Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP68\A0026508.exe Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP68\A0026509.exe Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP68\A0026510.exe Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP68\A0026511.exe Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP68\A0026512.exe Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP68\A0026513.exe Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP68\A0026514.exe Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP68\A0026515.exe Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033528.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033529.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033530.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033531.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033532.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033533.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033534.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033535.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033536.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033537.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033538.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033539.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033540.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033541.exe Infected: Trojan.Win32.KillAV.pb skipped
C:\System Volume Information\_restore{138F8511-A1C3-4B14-BC93-9A92C198B625}\RP72\A0033542.EXE Infected: Trojan.Win32.KillAV.pb skipped
Scan was interrupted by user!
Stiff
Junior Member

Posts: 35
Joined: 17/11/06 21:59
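Reading a report like the one above by eye means separating the files the scanner merely could not open ("Object is locked skipped") from real detections, and then noticing where the detections sit: browser cache, temp folders, and System Restore points (which is why the next step in the thread is to turn System Restore off). The helper below does that triage automatically. It is an added example, not code from the thread or from Kaspersky; the sample report is constructed in the report's format, and the user name and restore-point GUID in it are placeholders.

```python
"""Triage helper for a Kaspersky Online Scanner text report.

Added example, not code from the forum thread or from Kaspersky: it reads the
report's "Infected Object Name / Virus Name / Last Action" table, separates
files the scanner could not open ("Object is locked skipped") from real
detections, and groups the detections by malware family and by location
(browser cache, temp folder, System Restore point). The sample report is
constructed in the report's format; user name and GUID are placeholders.
"""
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample: one locked file, five detections, scan interrupted.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\Impostazioni locali\Temp\eraseme_65246.exe Infected: Trojan.Win32.Agent.giv skipped
C:\Documents and Settings\user\Impostazioni locali\Temporary Internet Files\Content.IE5\1RHHI5J0\b64_2[1].jpg Infected: Email-Worm.Win32.Bagle.vr skipped
C:\Documents and Settings\user\Impostazioni locali\Temporary Internet Files\Content.IE5\1RHHI5J0\bg_text1[1].jpg Infected: not-a-virus:AdWare.Win32.Virtumonde.qpy skipped
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP68\A0026505.exe Infected: Trojan.Win32.KillAV.oe skipped
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP72\A0033528.exe Infected: Trojan.Win32.KillAV.pb skipped
Scan was interrupted by user!
"""

# One table row: <path>, then either "Object is locked" or "Infected: <name>", then the action.
ROW_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked)|Infected: (?P<name>\S+)) (?P<action>\S+)$"
)


class Detection(NamedTuple):
    path: str
    name: str      # detection name exactly as reported
    family: str    # e.g. "Bagle"
    location: str  # restore_point, browser_cache, temp or other
    action: str    # scanner's last action; the online scanner only reports, so "skipped"


def family_of(name):
    """Kaspersky names read <Type>.<Platform>.<Family>.<variant>; a prefix such as
    "not-a-virus:" is dropped first."""
    parts = name.split(":")[-1].split(".")
    return parts[2] if len(parts) >= 3 else parts[-1]


def location_of(path):
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # survives cleanup until System Restore is turned off
    if "temporary internet files" in p:
        return "browser_cache"
    if "\\temp\\" in p:
        return "temp"
    return "other"


def parse_report(text):
    """Return (detections, locked_paths, interrupted)."""
    detections, locked, interrupted = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Scan was interrupted"):
            interrupted = True   # the report is partial; anything unscanned is unknown
            continue
        m = ROW_RE.match(line)
        if not m:
            continue   # header, settings and statistics lines
        if m.group("locked"):
            locked.append(m.group("path"))
        else:
            name, path = m.group("name"), m.group("path")
            detections.append(Detection(path, name, family_of(name), location_of(path), m.group("action")))
    return detections, locked, interrupted


def summarize(detections):
    """The counts a helper wants before deciding on a removal plan."""
    return {
        "by_family": dict(Counter(d.family for d in detections)),
        "by_location": dict(Counter(d.location for d in detections)),
        "still_on_disk": sum(1 for d in detections if d.action == "skipped"),
    }


if __name__ == "__main__":
    dets, locked, interrupted = parse_report(SAMPLE_REPORT)
    print(f"{len(dets)} detections, {len(locked)} locked files, interrupted={interrupted}")
    for key, value in summarize(dets).items():
        print(key, value)
```

Run against the full report posted above, the `restore_point` bucket is what the "disable System Restore" step addresses, and `still_on_disk` equals the number of detections because the online scanner's last action is always "skipped": it reports, it does not disinfect.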

Re: Possible Bagle worm

Post by Luke57 » 28/04/08 14:47

Hi, if you had formatted you would certainly have been faster; let's hope that remaining 3% isn't decisive as far as the infection goes...
Disable System Restore (right-click My Computer > Properties > System Restore, tick "Turn off..." > OK)

Unzip the archive
Run the file elmoalato.exe

In the white box, copy and paste the following lines:


Code:
drivers to delete:
srosa

Files to delete:
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\mdelk.exe


folders to delete:
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\Temp
C:\WINDOWS\system32\drivers\downld
C:\Documents and Settings\scafato\Impostazioni locali\Temp
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA

Registry values to replace with dummy:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


Click the Execute button


The PC should restart on its own; if it doesn't, restart it manually.
Then attach the log generated by Avenger; you'll find it at C:\avenger.txt, it's a text file.

Re-enable System Restore with the same procedure, except this time remove the tick you set earlier.


Download ATF Cleaner (temporary file cleanup)
http://www.atribune.org/ccount/click.php?id=1
Run ATF Cleaner, choose "Select all" and then press "Empty selected". Wait for the "Done cleaning!" message. Repeat the same operation on the Firefox and Opera tabs (if you have them).

Run a scan with EliBagla
http://www.zonavirus.com/datos/descarga ... ibagla.asp
you'll find it at the bottom of the page
and attach its report.
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10
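The removal script above is a plain-text list of directives ("drivers to delete:", "Files to delete:", and so on) each followed by its entries, and Avenger's pre-processor rejects anything that does not start with a directive, as the first log further down the thread shows ("A valid script must begin with a command directive"). The validator below checks that shape before a script is pasted into the tool. It is an added example, not part of the thread and not Avenger's own code: only the five directives used in this thread are known to it, Avenger accepts others that are not listed, and the hive list and the regular expressions are this example's own assumptions rather than Avenger's grammar. The sample input is the script from the post above.

```python
"""Shape check for a removal script in the format The Avenger v2 reads.

Added example, not part of the thread and not Avenger's own code. It checks
that every entry sits under a directive and has the form that directive
expects. Only the five directives used in the thread are recognised; the
hive list and regexes below are this example's assumptions.
"""
import re

# Directive -> kind of entry it expects. Matched case-insensitively, since the
# thread's mixed-case script was accepted by the tool.
DIRECTIVES = {
    "drivers to delete": "driver",
    "files to delete": "path",
    "folders to delete": "path",
    "registry keys to delete": "regkey",
    "registry values to replace with dummy": "regvalue",
}
HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")   # assumed hive prefixes
PATH_RE = re.compile(r"^[A-Za-z]:\\")                     # absolute Windows path
SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")        # bare service/driver name

# The script from the thread, used here as the sample input.
SAMPLE_SCRIPT = r"""
drivers to delete:
srosa

Files to delete:
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\drivers\mdelk.exe
C:\WINDOWS\system32\mdelk.exe

folders to delete:
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\Temp
C:\WINDOWS\system32\drivers\downld
C:\Documents and Settings\scafato\Impostazioni locali\Temp
C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA

Registry values to replace with dummy:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
"""


def parse_script(text):
    """Return (sections, errors); sections maps a lower-cased directive to its entries."""
    sections, errors, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key = line[:-1].strip().lower() if line.endswith(":") else None
        if key in DIRECTIVES:
            current = key
            sections.setdefault(current, [])
            continue
        if current is None:
            # This is the case Avenger's pre-processor aborts on.
            errors.append(f"line {lineno}: entry before any directive: {line!r}")
            continue
        kind = DIRECTIVES[current]
        if kind == "driver":
            ok = bool(SERVICE_NAME_RE.match(line))
        elif kind == "path":
            ok = bool(PATH_RE.match(line))
        elif kind == "regkey":
            ok = line.upper().startswith(HIVES)
        else:  # regvalue: "<key> | <value name>"
            ok = line.upper().startswith(HIVES) and "|" in line
        if not ok:
            errors.append(f"line {lineno}: {line!r} is not a valid entry for '{current}:'")
            continue
        sections[current].append(line)
    return sections, errors


def service_keys_already_covered(sections):
    """Registry keys ...\\Services\\<name> whose <name> is also under 'drivers to delete'.
    The thread's Avenger log reports exactly such a key (Services\\srosa) as not found
    right after the srosa driver was deleted, so listing it is expected to produce that
    harmless error rather than an extra deletion."""
    drivers = {d.lower() for d in sections.get("drivers to delete", [])}
    hits = []
    for key in sections.get("registry keys to delete", []):
        m = re.search(r"\\services\\([^\\]+)$", key, re.IGNORECASE)
        if m and m.group(1).lower() in drivers:
            hits.append(key)
    return hits


if __name__ == "__main__":
    sections, errors = parse_script(SAMPLE_SCRIPT)
    for directive, entries in sections.items():
        print(f"{directive}: {len(entries)} entries")
    print("errors:", errors or "none")
    print("service keys already covered by a driver entry:", service_keys_already_covered(sections))
```

The validator only checks form; it says nothing about whether a path should be deleted, which is the judgement the moderator makes from the scan report.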

Re: Possible Bagle worm

Post by Stiff » 28/04/08 15:25

Hi, which archive do I need to unzip?? Where's the file elmoalato.exe??? :?:
Stiff
Junior Member

Posts: 35
Joined: 17/11/06 21:59

Re: Possible Bagle worm

Post by Luke57 » 28/04/08 15:56

Stiff wrote: Hi, which archive do I need to unzip?? Where's the file elmoalato.exe??? :?:

Hi, excuse-moi:
http://www.wikifortio.com/838218/elmoalato.zip
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by Stiff » 28/04/08 17:21

Here you go, I did everything you told me; I'm attaching the Avenger and EliBagla reports

Avenger:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon Apr 28 17:06:45 2008

17:06:45: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "srosa" found!
DisplayName: Megadrv3
ImagePath: \??\C:\WINDOWS\system32\drivers\srosa.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "srosa" deleted successfully.
File "C:\WINDOWS\system32\drivers\hldrrr.exe" deleted successfully.
File "C:\WINDOWS\system32\drivers\srosa.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\mdelk.exe" deleted successfully.
File "C:\WINDOWS\system32\mdelk.exe" deleted successfully.
Folder "C:\WINDOWS\system32\drivers\down" deleted successfully.
Folder "C:\WINDOWS\Temp" deleted successfully.
Folder "C:\WINDOWS\system32\drivers\downld" deleted successfully.
Folder "C:\Documents and Settings\scafato\Impostazioni locali\Temp" deleted successfully.
Folder "C:\Documents and Settings\scafato\Impostazioni locali\Temporary Internet Files\Content.IE5" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\srosa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" deleted successfully.
Registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

Elibagla:

Mon Apr 28 17:22:18 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\WINTEMS.EXE --> Bagle Renombrado a .VIR
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
Restaurada Clave: "SafeBoot\Minimal y Network"
Reinicie para Completar la Limpieza.

Mon Apr 28 17:22:50 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):

Mon Apr 28 17:23:00 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
C:\WINDOWS\system32\WINTEMS.EXE.VIR --> Acceso Denegado, Bagle (Reiniciar para completar la Limpieza)

Nº Total de Directorios: 11360
Nº Total de Ficheros: 130078
Nº de Ficheros Analizados: 10662
Nº de Ficheros Infectados: 1
Nº de Ficheros Limpiados: 1

Mon Apr 28 17:51:40 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
C:\WINDOWS\system32\WINTEMS.EXE.VIR.VIR --> Acceso Denegado, Bagle (Reiniciar para completar la Limpieza)

Nº Total de Directorios: 11360
Nº Total de Ficheros: 130093
Nº de Ficheros Analizados: 10662
Nº de Ficheros Infectados: 1
Nº de Ficheros Limpiados: 1

Mon Apr 28 18:15:38 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle

Now what? :D
Stiff
Junior Member

Posts: 35
Joined: 17/11/06 21:59

Re: Possible Bagle worm

Post by Stiff » 28/04/08 17:57

No, sorry, don't consider the EliBagla log; I don't understand how to delete the viruses it finds... I select C:\, then press "Explorar"; when it finished I pressed "Salir" and rebooted the PC... too bad it doesn't delete anything on reboot... what's the procedure??
Stiff
Junior Member

Posts: 35
Joined: 17/11/06 21:59

Re: Possible Bagle worm

Post by Luke57 » 28/04/08 18:36

Hi, Avenger deleted all the infected files it found; for EliBagla you have to tick the option "elimina ficheros automaticamente" or something like that.
Luke57
Moderator

Posts: 6413
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by Stiff » 28/04/08 18:47

OK, it seems EliBagla has also deleted the only virus it found... I'm posting the EliBagla log and the HijackThis one, which is working again. NOD32 still won't let me open it, though, so I suppose the problem is 50% still there

Elibagla:

Mon Apr 28 18:16:51 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad A:\

Nº Total de Directorios: 0
Nº Total de Ficheros: 0
Nº de Ficheros Analizados: 0
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Apr 28 18:16:56 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad D:\

Nº Total de Directorios: 0
Nº Total de Ficheros: 0
Nº de Ficheros Analizados: 0
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Apr 28 18:16:59 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad E:\

Nº Total de Directorios: 0
Nº Total de Ficheros: 0
Nº de Ficheros Analizados: 0
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Apr 28 18:17:02 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad G:\

Nº Total de Directorios: 0
Nº Total de Ficheros: 0
Nº de Ficheros Analizados: 0
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Apr 28 18:17:05 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad H:\

Nº Total de Directorios: 0
Nº Total de Ficheros: 0
Nº de Ficheros Analizados: 0
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Apr 28 18:17:07 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
C:\WINDOWS\system32\WINTEMS.EXE.VIR.VIR.VIR --> Acceso Denegado, Bagle (Reiniciar para completar la Limpieza)

Nº Total de Directorios: 11361
Nº Total de Ficheros: 130095
Nº de Ficheros Analizados: 10662
Nº de Ficheros Infectados: 1
Nº de Ficheros Limpiados: 1

Mon Apr 28 18:24:35 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):

Mon Apr 28 18:24:39 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
C:\WINDOWS\system32\WINTEMS.EXE.VIR.VIR.VIR.VIR --> Acceso Denegado, Bagle (Reiniciar para completar la Limpieza)

Nº Total de Directorios: 11361
Nº Total de Ficheros: 130118
Nº de Ficheros Analizados: 10662
Nº de Ficheros Infectados: 1
Nº de Ficheros Limpiados: 1

Mon Apr 28 18:33:06 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):

Mon Apr 28 18:34:25 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
C:\WINDOWS\system32\WINTEMS.EXE.VIR.VIR.VIR.VIR.VIR --> Eliminado Bagle

Nº Total de Directorios: 11344
Nº Total de Ficheros: 129965
Nº de Ficheros Analizados: 10568
Nº de Ficheros Infectados: 1
Nº de Ficheros Limpiados: 1

Mon Apr 28 18:55:48 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):

Mon Apr 28 19:24:19 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):

Mon Apr 28 19:24:24 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad E:\

Nº Total de Directorios: 0
Nº Total de Ficheros: 0
Nº de Ficheros Analizados: 0
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Apr 28 19:24:27 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad A:\

Nº Total de Directorios: 0
Nº Total de Ficheros: 0
Nº de Ficheros Analizados: 0
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Apr 28 19:24:32 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad D:\

Nº Total de Directorios: 0
Nº Total de Ficheros: 0
Nº de Ficheros Analizados: 0
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Apr 28 19:24:35 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad E:\

Nº Total de Directorios: 0
Nº Total de Ficheros: 0
Nº de Ficheros Analizados: 0
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Apr 28 19:24:38 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad G:\

Nº Total de Directorios: 0
Nº Total de Ficheros: 0
Nº de Ficheros Analizados: 0
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Apr 28 19:24:40 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad H:\

Nº Total de Directorios: 0
Nº Total de Ficheros: 0
Nº de Ficheros Analizados: 0
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Apr 28 19:24:43 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\

Nº Total de Directorios: 11345
Nº Total de Ficheros: 130042
Nº de Ficheros Analizados: 10570
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0

Mon Apr 28 19:33:59 2008
EliBagle v11.31 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\

Nº Total de Directorios: 11345
Nº Total de Ficheros: 130116
Nº de Ficheros Analizados: 10570
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0


HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 18.58.33, on 28/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\scafato\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BMf724d791] Rundll32.exe "C:\WINDOWS\system32\pgcabsbw.dll",s
O4 - HKLM\..\Run: [f417e40d] rundll32.exe "C:\WINDOWS\system32\edicpwmg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8748888498
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Unknown owner - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
Stiff
Junior Member
 
Posts: 35
Joined: 17/11/06 21:59

Re: Possible Bagle worm

Post by Luke57 » 29/04/08 12:56

Hi, you will have to reinstall NOD, because Bagle permanently corrupts the executable.
As for the HijackThis log, check these entries:
O4 - HKLM\..\Run: [BMf724d791] Rundll32.exe "C:\WINDOWS\system32\pgcabsbw.dll",s
O4 - HKLM\..\Run: [f417e40d] rundll32.exe "C:\WINDOWS\system32\edicpwmg.dll",b

then press Fix checked.
Luke57
Moderator
 
Posts: 6413
Joined: 11/08/05 19:10
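
The two entries the moderator singles out share a pattern that is worth automating when reading HijackThis logs: a hex-looking Run value name, and rundll32 loading an eight-letter lowercase DLL from system32 with a one-letter entry point (the later log in this thread shows the same value name coming back with a different DLL). The Python script below is an added example, not code from this thread or from HijackThis: it parses O4 lines with regular expressions and flags entries by those heuristics. The regexes and the thresholds are my own assumptions, and the sample lines are constructed from the logs posted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O4 lines taken from the two HijackThis logs in this thread,
# legitimate entries mixed with the two the moderator asked to fix.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BMf724d791] Rundll32.exe "C:\WINDOWS\system32\pgcabsbw.dll",s
O4 - HKLM\..\Run: [f417e40d] rundll32.exe "C:\WINDOWS\system32\edicpwmg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

# HijackThis O4 line layout: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# rundll32 invocation: optional quotes around the module, then ",<entry point>"
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>[^,\s]*)',
                       re.IGNORECASE)
# Heuristics (assumptions): 8 lowercase letters + .dll, and an 8-hex-digit value name
# with an optional "BM" prefix, as seen in the logs above.
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$')
RANDOM_NAME_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$')


@dataclass
class O4Entry:
    hive: str
    name: str
    command: str


@dataclass
class Finding:
    entry: O4Entry
    reasons: List[str]


def parse_o4(line: str) -> Optional[O4Entry]:
    """Return the parsed O4 entry, or None for lines that are not HKLM/HKCU Run entries."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(m.group('hive'), m.group('name'), m.group('cmd'))


def suspicious_reasons(entry: O4Entry) -> List[str]:
    """List every heuristic the entry trips; an empty list means nothing was flagged."""
    reasons: List[str] = []
    if RANDOM_NAME_RE.match(entry.name):
        reasons.append(f'value name {entry.name!r} looks machine-generated (hex-like)')
    m = RUNDLL_RE.match(entry.command.strip())
    if m:
        dll = m.group('dll').rsplit('\\', 1)[-1]  # basename of the loaded module
        if RANDOM_DLL_RE.match(dll):
            reasons.append(f'rundll32 loads pseudo-random DLL name {dll!r}')
        if len(m.group('entry')) == 1:
            reasons.append(f'rundll32 entry point is a single letter {m.group("entry")!r}')
    return reasons


def scan_o4(lines: List[str]) -> List[Finding]:
    """Run the heuristics over every parseable O4 line and keep the flagged ones."""
    findings: List[Finding] = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


def flagged_names(lines: List[str]) -> List[str]:
    """Convenience wrapper: just the value names that were flagged, in log order."""
    return [f.entry.name for f in scan_o4(lines)]


if __name__ == '__main__':
    for f in scan_o4(SAMPLE_O4_LINES):
        print(f'{f.entry.hive} [{f.entry.name}] {f.entry.command}')
        for r in f.reasons:
            print('   -', r)
```

Entries flagged by the name heuristic alone deserve a look rather than an automatic fix; the rundll32 checks are what separate the two malicious lines from the NVIDIA and Bluetooth entries, which also go through rundll32 but with a vendor DLL and a descriptive export name.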

Re: Possible Bagle worm

Post by Stiff » 29/04/08 15:26

Hi, I did what you told me, but as for this one:
O4 - HKLM\..\Run: [BMf724d791] Rundll32.exe "C:\WINDOWS\system32\pgcabsbw.dll",s
I selected it and pressed Fix checked, but every time I rescan it is still there (the other one is gone).
On top of that, in Explorer and Firefox I keep getting unwanted pop-up windows, definitely a virus... what else should I do?? Thanks a lot for your help!
Stiff
Junior Member
 
Posts: 35
Joined: 17/11/06 21:59

Re: Possible Bagle worm

Post by Stiff » 29/04/08 15:42

I uninstalled NOD32, rebooted and rescanned with HijackThis. Here is the log:


Logfile of HijackThis v1.99.1
Scan saved at 16.37.08, on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\scafato\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BMf724d791] Rundll32.exe "C:\WINDOWS\system32\efjvgvpc.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8748888498
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Unknown owner - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
Stiff
Junior Member
 
Posts: 35
Joined: 17/11/06 21:59

Re: Possible Bagle worm

Post by Luke57 » 29/04/08 16:48

Hi, download ComboFix to the desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disconnect from the internet

Run the ComboFix.exe file
Type 1 to start the tool (do not do anything else during the scan; if the desktop icons disappear, that is normal)
Follow the instructions; a log will be generated at the end.
Reconnect and post the report (C:\combofix.txt)
Luke57
Moderator
 
Posts: 6413
Joined: 11/08/05 19:10

Re: Possible Bagle worm

Post by Stiff » 29/04/08 21:41

here is the log:

ComboFix 08-04-28.2 - scafato 2008-04-29 22.13.10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.480 [GMT 2:00]
Eseguito da: C:\Documents and Settings\scafato\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Programmi\WinBudget
C:\Programmi\WinBudget\bin\_matrix.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aggweyyh.ini
C:\WINDOWS\system32\AJRCJRqr.ini
C:\WINDOWS\system32\AJRCJRqr.ini2
C:\WINDOWS\system32\ciyptfrf.ini
C:\WINDOWS\system32\efjvgvpc.dll
C:\WINDOWS\system32\gmwpcide.ini
C:\WINDOWS\system32\jdhttopl.ini
C:\WINDOWS\system32\lgqbaadi.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdlficii.ini
C:\WINDOWS\system32\omovniqx.dll
C:\WINDOWS\system32\onuypkyl.ini
C:\WINDOWS\system32\qekyxheb.ini
C:\WINDOWS\system32\rqRIaxUm.dll
C:\WINDOWS\system32\rqRJCRJA.dll
C:\WINDOWS\system32\tsssxyyh.ini
C:\WINDOWS\system32\ufypqadb.ini
C:\WINDOWS\system32\xqinvomo.ini
C:\WINDOWS\system32\yprvlbud.ini

.
((((((((((((((((((((((((( Files Creati Da 2008-03-28 al 2008-04-29 )))))))))))))))))))))))))))))))))))
.

2008-04-24 21:44 . 2008-04-24 21:44 0 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-22 16:16 . 2008-04-29 20:03 <DIR> d-------- C:\Documents and Settings\scafato\.housecall6.6
2008-04-22 14:01 . 2008-04-29 20:34 109,687 --a------ C:\WINDOWS\BMf724d791.xml
2008-04-19 14:22 . 2008-04-19 14:22 <DIR> d-------- C:\Programmi\OpenOffice.org 2.4
2008-04-15 15:52 . 2008-04-15 15:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-15 15:52 . 2008-04-15 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2008-04-15 15:45 . 2008-04-24 17:38 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-04-14 18:25 . 2008-04-29 16:31 <DIR> d-------- C:\Programmi\ESET
2008-04-13 22:43 . 2008-04-13 22:43 1,144 --a------ C:\WINDOWS\mozver.dat
2008-04-13 20:48 . 2008-04-14 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-04-11 19:13 . 2008-04-11 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Grisoft
2008-04-11 19:13 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-10 22:03 . 2008-04-10 22:03 <DIR> d-------- C:\Programmi\iPod
2008-04-07 22:52 . 2008-04-29 22:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-07 22:52 . 2008-04-10 21:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-02 12:33 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-04-02 12:33 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-04-02 10:58 . 2008-04-27 17:55 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-04-02 10:58 . 2008-04-02 10:58 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-03-31 19:02 . 2008-03-31 19:02 <DIR> d-------- C:\Documents and Settings\scafato\.DownloadManager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 20:23 --------- d-----w C:\Documents and Settings\scafato\Dati applicazioni\Skype
2008-04-29 20:22 --------- d-----w C:\Documents and Settings\scafato\Dati applicazioni\WTablet
2008-04-29 20:22 --------- d-----w C:\Documents and Settings\LocalService\Dati applicazioni\WTablet
2008-04-29 18:02 --------- d-----w C:\Documents and Settings\scafato\Dati applicazioni\skypePM
2008-04-21 20:29 --------- d-----w C:\Programmi\eMule
2008-04-19 12:25 --------- d-----w C:\Documents and Settings\scafato\Dati applicazioni\OpenOffice.org2
2008-04-17 20:37 --------- d-----w C:\Programmi\Java
2008-04-15 12:28 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-04-15 12:13 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Symantec
2008-04-13 20:42 --------- d-----w C:\Programmi\Microsoft Silverlight
2008-04-10 20:03 --------- d-----w C:\Programmi\iTunes
2008-04-10 19:58 --------- d-----w C:\Programmi\QuickTime
2008-04-01 19:55 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\FLEXnet
2008-04-01 13:30 --------- d-----w C:\Programmi\File comuni\Adobe
2008-03-31 16:34 --------- d-----w C:\Documents and Settings\scafato\Dati applicazioni\Azureus
2008-03-19 12:38 --------- d-----w C:\Programmi\eSoftware
2008-03-12 08:04 --------- d-----w C:\Programmi\SystemRequirementsLab
2008-03-10 17:24 --------- d-----w C:\Documents and Settings\scafato\Dati applicazioni\DNA
2008-03-10 14:41 --------- d-----w C:\Programmi\Microsoft IntelliType Pro
2008-03-10 14:41 --------- d-----w C:\Programmi\Microsoft IntelliPoint
2008-03-07 14:00 --------- d-----w C:\Programmi\BitTyrant
2008-03-05 10:35 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\TechSmith
2008-03-05 10:34 --------- d-----w C:\Programmi\TechSmith
2008-03-05 10:34 --------- d-----w C:\Programmi\File comuni\TechSmith Shared
2008-02-29 13:45 --------- d-----w C:\Programmi\Bonjour
2008-02-29 13:26 --------- d-----w C:\Programmi\File comuni\Macrovision Shared
2008-01-23 14:03 20 ---h--w C:\Documents and Settings\All Users\Dati applicazioni\PKP_DLec.DAT
2008-01-23 14:03 20 ---h--w C:\Documents and Settings\All Users\Dati applicazioni\PKP_DLds.DAT
2008-01-08 14:42 32 ----a-w C:\Documents and Settings\All Users\Dati applicazioni\ezsid.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E}]
2008-03-18 23:01 282636 --a------ C:\Programmi\eSoftware\studio.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"Skype"="C:\Programmi\Skype\Phone\Skype.exe" [2008-02-01 18:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-03-02 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"DXDllRegExe"="dxdllreg.exe" []
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"QuickTime Task"="C:\Programmi\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 02:20:40 233472]
NkbMonitor.exe.lnk - C:\Programmi\Nikon\PictureProject\NkbMonitor.exe [2008-01-06 19:09:29 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdating"= WinUpdating.exe
"Windows Printing Driver"= WinSpooler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= CSvidcap.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"C:\\Programmi\\iTunes\\iTunes.exe"=
"C:\\Programmi\\Skype\\Phone\\Skype.exe"=

R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 21:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 20:30]
S2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74d0e9d8-de22-11dc-b8f7-0050f27d85af}]
\Shell\AutoRun\command - F:\nideiect.com
\Shell\explore\Command - F:\nideiect.com
\Shell\open\Command - F:\nideiect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3451aa4-b64e-11dc-b878-0050f27d85af}]
\Shell\AutoRun\command - I:\nideiect.com
\Shell\explore\Command - I:\nideiect.com
\Shell\open\Command - I:\nideiect.com

.
Contenuto della cartella 'Scheduled Tasks'
"2008-04-14 11:00:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
"2008-04-01 18:30:07 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 1300 series#1199042850.job"
- C:\Programmi\HP\hpcoretech\comp\hpdarc.exe0/#Hewlett-Packard#hp psc 1300 series#1199042850
"2008-04-09 20:22:41 C:\WINDOWS\Tasks\WebReg 20080409222241.job"
- C:\Programmi\HP\Digital Imaging\bin\hpqwrg.exeX/TaskName 20080409222241 /N
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 22:23:14
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programmi\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\iPod\bin\iPodService.exe
.
**************************************************************************
.
Ora fine scansione: 2008-04-29 22:37:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 20:36:28

11 Directory 126,456,262,656 byte disponibili
12 Directory 126,355,341,312 byte disponibili

188 --- E O F --- 2008-04-08 17:35:33
Stiff
Junior Member
 
Posts: 35
Joined: 17/11/06 21:59

Re: Possible Bagle worm

Post by Luke57 » 30/04/08 10:18

Hi, copy this code:
File::
C:\WINDOWS\BMf724d791.xml

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdating"=-
"Windows Printing Driver"=-


paste it into a text file (Notepad), save the file, which must be named CFScript.txt, and drag it with the mouse pointer onto the ComboFix icon to run a new scan.
Luke57
Moderator
 
Posts: 6413
Joined: 11/08/05 19:10
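
The CFScript above removes two values under Policies\Explorer\Run, a persistence key that shows up in the ComboFix registry dump but in neither of the HijackThis logs posted earlier, and the same dump lists AutoRun handlers under mountpoints2 pointing at F:\nideiect.com and I:\nideiect.com, the usual trace of a worm that spreads over removable drives. The Python script below is an added example, not part of this thread or of ComboFix: it parses the REGEDIT4-style dump, reports both persistence locations, and renders a CFScript in the same File:: / Registry:: layout the moderator used, with the .reg `=-` syntax for deleting a value. The regular expressions, the function names and the sample excerpt are my own assumptions and constructions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of the REGEDIT4-style "Punti Reg Caricati" section
# of the ComboFix log posted in this thread, with one legitimate Run value kept
# for contrast.
SAMPLE_COMBOFIX_REG = r"""
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdating"= WinUpdating.exe
"Windows Printing Driver"= WinSpooler.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74d0e9d8-de22-11dc-b8f7-0050f27d85af}]
\Shell\AutoRun\command - F:\nideiect.com
\Shell\explore\Command - F:\nideiect.com
\Shell\open\Command - F:\nideiect.com
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')                       # [HKEY_...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')         # "name"= data
MOUNTPOINT_RE = re.compile(r'^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<target>.+)$',
                           re.IGNORECASE)                                # \Shell\<verb>\command - target
POLICY_RUN_RE = re.compile(r'\\policies\\explorer\\run$', re.IGNORECASE)
MOUNTPOINTS2_RE = re.compile(r'\\explorer\\mountpoints2\\', re.IGNORECASE)

Values = Dict[str, List[Tuple[str, str]]]


def parse_reg_dump(text: str) -> Tuple[Values, Values]:
    """Split the dump into {key: [(value name, data)]} and {key: [(shell verb, target)]}."""
    values: Values = {}
    shell_cmds: Values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group('key')
            values.setdefault(current, [])
            continue
        if current is None:
            continue  # REGEDIT4 header and the *Nota* line precede the first key
        m = VALUE_RE.match(line)
        if m:
            values[current].append((m.group('name'), m.group('data').strip()))
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            shell_cmds.setdefault(current, []).append((m.group('verb'), m.group('target')))
    return values, shell_cmds


def find_persistence(text: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Return policy-Run values to delete and removable-drive AutoRun handlers to review."""
    values, shell_cmds = parse_reg_dump(text)
    policy_values = {key: [name for name, _ in vals]
                     for key, vals in values.items() if POLICY_RUN_RE.search(key) and vals}
    autorun_handlers = [(key, target)
                        for key, cmds in shell_cmds.items() if MOUNTPOINTS2_RE.search(key)
                        for verb, target in cmds if verb.lower() == 'autorun']
    return policy_values, autorun_handlers


def build_cfscript(files: List[str], value_deletions: Dict[str, List[str]]) -> str:
    """Render CFScript.txt: File:: lists paths to delete, Registry:: uses .reg "=-" deletions."""
    lines = ['File::', *files, '', 'Registry::']
    for key, names in value_deletions.items():
        lines.append(f'[{key}]')
        lines.extend(f'"{name}"=-' for name in names)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    policy, autorun = find_persistence(SAMPLE_COMBOFIX_REG)
    for key, target in autorun:
        print(f'review AutoRun handler {target} under {key}')
    # The XML file is the one the moderator's script deletes; it is passed in explicitly.
    print(build_cfscript([r'C:\WINDOWS\BMf724d791.xml'], policy))
```

On the sample the rendered script matches the moderator's CFScript line for line. The mountpoints2 handlers are only reported, not written into the script, because the thread demonstrates value deletion with `=-` and nothing else; removing a whole key is the `[-key]` form of plain .reg syntax, and that is a separate decision for the analyst.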

Re: Possible Bagle worm

Post by Stiff » 30/04/08 12:07

Hi, it seems the problem has gone away completely; I tried reinstalling Nod32 and it opened right away, so I assume the problem is gone. What do you think, should I run, or do you need, any confirmation scan? Thanks anyway for all your help :)
Stiff
Junior Member
 
Posts: 35
Joined: 17/11/06 21:59
