www.MegaLab.it

[Light Phoenix]

Ciao io ti suggerisco di usare Avira Rescue CD, dovrebbe essere in grado di rimuovere il bagle.

[Kirkfrusciante]

Ciao Pciccio!
Come puoi vedere dai messaggi nel forum son stato anche io fino a ieri alle prese con il tuo virus, lo stesso, il Bagle. Se ti può essere d' aiuto ti posso dire che la procedurà che si è rivelata vincente per me è stata questa:

- Megalabcd versione settima Caricamento del sistema operativo in live Scansione totale con Avira
- Su Windows Scansione totale con Malwarebytes Anti Malware (più scansioni in realtà con vari riavii per vedere se il malware si rigenerava)
- Su Windows Installazione di Avire Free
- Su Windows Scansione Totale con Avira
- Su Windows Scansione Totale con il tools della symantec che mi ha consigliato Cosmo nel mio Thread
- Su Windows Scansione con Findykill Proprio quest' ultimo mi ha dato la prova definitiva dell' eliminazione del virus in quanto non partiva mai e dopo tutto questo procedimento a ripreso a funzionarmi. E la sua scansione mi ha dato la conferma dell' avvenuta eliminazione.

Non mi sento certo a livello di consigliarti visto il mio grado di conoscenze rispetto a quello dei ragazzi amministratori e simili di questo sito (peraltro gentilissimi! Grazie mille a Crazy.Cat, Cosmo, Ste 95) ma visto che mi è appena successo ed ho appena vinto la battaglia contro il Bagle provo a darti una mano!

Fammi sapere!

[Pciccio]

Grazie Kirk siete tutti molto disponibili. Sembra che questa volta ci siamo, ho fatto un'altra passata con elibagle, findykill e combofix e poi sono riuscito a reinstallare antivir e hijackthis. Intanto che antivir sta effettuando la scansione del sistema vi posto il log di hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10.20.37, on 02/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir Desktop\sched.exe
C:\Programmi\Avira\AntiVir Desktop\avguard.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\Launch Manager\LaunchAp.exe
C:\Programmi\Launch Manager\PowerKey.exe
C:\Programmi\Launch Manager\HotkeyApp.exe
C:\Programmi\Launch Manager\CtrlVol.exe
C:\Programmi\Launch Manager\Wbutton.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Mozilla Thunderbird\thunderbird.exe
C:\Programmi\Java\jre6\bin\jusched.exe
C:\Programmi\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.repubblica.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Programmi\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Programmi\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Programmi\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Programmi\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O5 "LPT1:" /M "Stylus C64"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Thunderbird] "C:\Programmi\Mozilla Thunderbird\thunderbird.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{87255EDD-D14F-40C0-A2C0-67D233BCA22E}: NameServer = 192.168.1.1,151.99.125.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autorun CDROM Monitor - Unknown owner - C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 8072 bytes

Una cosa che mi sembra sia diversa da prima è che mentre navigo mi vengono fuori i pop up, prima non succedeva. Sarà suggestione? Devo riprovare con uno dei passaggi indicati da Kirk?

[ste_95]

Scarica ComboFix , salvandolo sul desktop con un nome di fantasia, ed esegui la scansione seguendo queste istruzioni (giù in fondo). Al termine della scansione verrà creato il file di report C:\combofix.txt, copia qui il suo contenuto inserendolo tra i tag LOG, in questo modo:

Codice: Seleziona tutto

[LOG]qui va inserito il log[/LOG]

[Pciccio]

Durante l'esecuzione di Combofix ho risposto NO a questa richiesta:

ripristino.JPG

: ho fatto male?

Comunque ecco il log

ComboFix 09-05-02.4 - Giovanni 02/05/2009 12.16.56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.39.1040.18.1262.846 [GMT 2:00]
Eseguito da: c:\documents and settings\Giovanni\Desktop\cf.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
* Creato nuovo punto di ripristino

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((( Files Creati Da 2009-04-02 al 2009-05-02 )))))))))))))))))))))))))))))))))))
.

2009-05-02 09:21 . 2009-05-02 09:21 -------- d-----w c:\documents and settings\Giovanni\Dati applicazioni\Malwarebytes
2009-05-02 09:21 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 09:21 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 09:21 . 2009-05-02 09:21 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-05-02 09:21 . 2009-05-02 09:21 -------- d-----w c:\programmi\Malwarebytes' Anti-Malware
2009-04-30 20:54 . 2009-03-24 14:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-30 20:54 . 2009-04-30 20:54 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Avira
2009-04-26 15:07 . 2009-04-26 15:07 -------- d-----w c:\programmi\Trend Micro
2009-04-26 14:55 . 2009-04-30 20:27 -------- d--h--w c:\documents and settings\Giovanni\Dati applicazioni\drivers
2009-04-26 14:47 . 2009-04-30 20:27 -------- d--h--w c:\documents and settings\Francesca\Dati applicazioni\drivers
2009-04-26 13:08 . 2009-04-26 13:45 -------- d-----w c:\programmi\emule0.49c-Xtreme7.2
2009-04-20 20:00 . 2009-04-26 13:05 -------- d-----w c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\SpookyManor
2009-04-19 09:26 . 2009-04-19 16:52 -------- d-----w c:\windows\system32\Adobe
2009-04-18 20:04 . 2009-04-18 20:04 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\Trymedia
2009-04-18 09:28 . 2009-04-18 09:31 -------- d-----w c:\documents and settings\All Users\Dati applicazioni\AutoPowerOn
2009-04-17 12:30 . 2008-04-21 21:14 219136 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-17 12:30 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 12:30 . 2009-03-06 14:19 286208 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 12:30 . 2009-02-09 11:22 111104 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 12:30 . 2009-02-09 10:51 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 12:30 . 2009-02-09 10:51 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 12:30 . 2009-02-09 10:51 683520 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 12:30 . 2009-02-09 10:51 734720 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 12:30 . 2009-02-09 10:51 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 12:30 . 2009-02-09 10:51 736256 ------w c:\windows\system32\dllcache\ntdll.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 10:16 . 2003-05-30 14:21 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 10:09 . 2008-03-30 19:26 -------- d-----w c:\programmi\Mozilla Thunderbird
2009-05-02 08:22 . 2009-01-08 21:55 -------- d-----w c:\programmi\Alice Mobile
2009-04-30 21:12 . 2008-04-03 19:12 -------- d-----w c:\programmi\Avira
2009-04-30 20:28 . 2008-04-02 20:55 -------- d-----w c:\programmi\Spybot - Search & Destroy
2009-04-01 20:57 . 2008-04-03 17:42 -------- d-----w c:\programmi\Java
2009-04-01 20:57 . 1979-12-31 23:00 65070 ----a-w c:\windows\system32\perfc010.dat
2009-04-01 20:57 . 1979-12-31 23:00 429776 ----a-w c:\windows\system32\perfh010.dat
2009-03-17 13:01 . 2008-03-29 21:40 98824 ----a-w c:\documents and settings\Francesca\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-03-09 03:19 . 2008-12-14 14:05 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-07 09:38 . 2009-01-11 14:42 98824 ----a-w c:\documents and settings\Giovanni\Impostazioni locali\Dati applicazioni\GDIPFONTCACHEV1.DAT
2009-03-06 14:19 . 1979-12-31 23:00 286208 ----a-w c:\windows\system32\pdh.dll
2009-03-03 22:03 . 2009-03-03 21:50 -------- d-----w c:\programmi\File comuni\Autodesk Shared
2009-03-03 22:03 . 2009-03-03 21:50 -------- d-----w c:\programmi\AutoCAD 2004
2009-03-03 21:53 . 2009-03-03 21:53 -------- d-----w c:\programmi\Autodesk
2009-03-03 21:53 . 2009-03-03 21:53 -------- d-----w c:\programmi\File comuni\Macrovision Shared
2009-03-03 21:53 . 2009-03-03 21:53 12464 ----a-w c:\windows\system32\drivers\CDAC15BA.SYS
2009-03-03 21:53 . 2009-03-03 21:53 54784 ----a-w c:\windows\system32\drivers\CDAC11BA.EXE
2009-03-03 21:52 . 2009-03-03 21:52 -------- d-----w c:\programmi\AnswerWorks 4.0
2009-03-03 00:03 . 1979-12-31 23:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 17:08 . 2004-08-19 22:39 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-10 17:02 . 2002-09-09 12:34 2069760 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-09 14:04 . 1979-12-31 23:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:23 . 1979-12-31 23:00 2192768 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-09 11:22 . 1979-12-31 23:00 111104 ----a-w c:\windows\system32\services.exe
2009-02-09 10:51 . 1979-12-31 23:00 734720 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:51 . 2008-03-29 16:08 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:51 . 1979-12-31 23:00 683520 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:51 . 1979-12-31 23:00 736256 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:39 . 1979-12-31 23:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:57 . 1979-12-31 23:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-30_20.28.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 00:19 . 2007-11-07 00:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 04:07 . 2008-07-29 04:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 04:07 . 2008-07-29 04:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-05-02 10:08 . 2009-05-02 10:08 16384 c:\windows\Temp\Perflib_Perfdata_6b8.dat
+ 2008-04-03 19:12 . 2009-02-13 10:50 28376 c:\windows\system32\drivers\ssmdrv.sys
+ 2009-04-30 20:54 . 2009-03-30 08:33 96104 c:\windows\system32\drivers\avipbb.sys
+ 2009-04-30 20:54 . 2009-02-13 10:29 22360 c:\windows\system32\drivers\avgntmgr.sys
+ 2009-04-30 20:54 . 2009-02-13 10:17 45416 c:\windows\system32\drivers\avgntdd.sys
+ 2008-07-29 06:05 . 2008-07-29 06:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 01:54 . 2008-07-29 01:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-04-30 21:22 . 2009-04-30 21:22 295606 c:\windows\Installer\{AC76BA86-7AD7-5464-3428-800000000003}\ARPPRODUCTICON.exe
+ 2008-07-29 06:05 . 2008-07-29 06:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 06:05 . 2008-07-29 06:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="LaunApp" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-06 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-06 114688]
"LaunchAp"="c:\programmi\Launch Manager\LaunchAp.exe" [2003-05-12 32768]
"PowerKey"="c:\programmi\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\programmi\Launch Manager\HotkeyApp.exe" [2003-05-19 45056]
"CtrlVol"="c:\programmi\Launch Manager\CtrlVol.exe" [2003-05-12 167936]
"Wbutton"="c:\programmi\Launch Manager\Wbutton.exe" [2003-05-28 53248]
"NeroFilterCheck"="c:\programmi\File comuni\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"EPSON Stylus C64 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2003-05-27 99840]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\programmi\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Thunderbird"="c:\programmi\Mozilla Thunderbird\thunderbird.exe" [2009-03-21 8500328]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-02-14 88107]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
BTTray.lnk - c:\programmi\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-13 561213]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\Programmi\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\iTunes\\iTunes.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\emule0.49c-Xtreme7.2\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 mailKmd;mailKmd; [x]
R1 Wbutton;Wbutton; [x]
R3 PRISM;IEEE 802.11 Wireless NIC Driver;c:\windows\system32\DRIVERS\EXPRESS.sys [2002-11-15 614912]
S1 Hotkey;Hotkey; [x]
S2 acernbm;acernbm;c:\windows\system32\drivers\acernbm.sys [2003-03-05 6570]
S2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [2008-04-19 81920]
S2 sbbotdi;sbbotdi;c:\progra~1\SPEEDB~1\sbbotdi.sys [2008-04-02 35584]
S2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe [2008-04-02 284280]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\DRIVERS\ONDAusbmdm6k.sys [2008-04-23 104960]
S3 ONDAusbnet;ONDA USB-NDIS miniport;c:\windows\system32\DRIVERS\ONDAusbnet.sys [2008-04-23 110080]
S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\DRIVERS\ONDAusbnmea.sys [2008-04-23 104960]
S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\DRIVERS\ONDAusbser6k.sys [2008-04-23 104960]
S3 POWERKEY;POWERKEY;c:\programmi\Launch Manager\POWERKEY.sys [2000-12-19 2343]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ec61300-0449-11de-9393-000ae44bd656}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68541470-0365-11de-9392-000ae44bd656}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a181eeb1-16c8-11de-93b8-000ae44bd656}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4702241-0758-11de-9398-000ae44bd656}]
\Shell\AutoRun\command - I:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aed57bb2-e7bb-11dd-9354-000ae44bd656}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e836df90-1e2d-11de-93c2-000ae44bd656}]
\Shell\AutoRun\command - G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbc29950-df74-11dd-9340-000ae44bd656}]
\Shell\AutoRun\command - G:\AutoRun.exe
.
Contenuto della cartella 'Scheduled Tasks'

2008-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.repubblica.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {87255EDD-D14F-40C0-A2C0-67D233BCA22E} = 192.168.1.1,151.99.125.1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 12:18
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


c:\windows\TEMP\pkwkmbqv.TMP 616448 bytes

Scansione completata con successo
Files nascosti: 1

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\igfx.CUITestConfig.1\CLSID]
@DACL=(02 0000)
@SACL=
@="c"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{C8DA3399-8196-4CB3-ADD9-30280DCC1A2F}\TypeLib]
@DACL=(02 0000)
@SACL=
@="{53B18F72-9271-47BD-9B9C-17E0E8F25007}"
"Version"="6.5.17"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9781-280D-11CF-A24D-444553540000}\ProxyStubClsid]
@DACL=(02 0000)
@SACL=
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9781-280D-11CF-A24D-444553540000}\ProxyStubClsid32]
@DACL=(02 0000)
@SACL=
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9781-280D-11CF-A24D-444553540000}\TypeLib]
@DACL=(02 0000)
@SACL=
@="{CA8A9783-280D-11CF-A24D-444553540000}"
"Version"="1.3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9782-280D-11CF-A24D-444553540000}\ProxyStubClsid]
@DACL=(02 0000)
@SACL=
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9782-280D-11CF-A24D-444553540000}\ProxyStubClsid32]
@DACL=(02 0000)
@SACL=
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{CA8A9782-280D-11CF-A24D-444553540000}\TypeLib]
@DACL=(02 0000)
@SACL=
@="{CA8A9783-280D-11CF-A24D-444553540000}"
"Version"="1.3"

[HKEY_LOCAL_MACHINE\software\CyberLink\PowerDVD\BuildInfo]
@DACL=(02 0000)
@SACL=
"SR_No"="DVD030423-04"
"Skin"="2420"
"iPower"="030407"
"UG"="1510"
"Setup"="030421"
"Help"="2416"
"RC"="030414"
"Readme"="2416"
"Kernel"="v2834_DS(Acer)"
"UI"="v2824_DDVS_DS(Acer)"
"Filter"="v2834_DS(Acer)"

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\REALTEK Semiconductor Corp.\Realtek RTL8139/810x Fast Ethernet NIC Driver Setup]
@DACL=(02 0000)
@SACL=
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(352)
c:\windows\system32\btmmhook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
Ora fine scansione: 2009-05-02 12.21.00
ComboFix-quarantined-files.txt 2009-05-02 10:20
ComboFix2.txt 2009-04-30 20:30

Pre-Run: 7.507.210.240 byte disponibili
Post-Run: 7.525.806.080 byte disponibili

269 --- E O F --- 2009-04-17 13:02

[ste_95]

Si, hai fatto bene.

Scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Ora incolla queste righe nella box bianca che si è aperta:

Codice: Seleziona tutto

Files to delete:
c:\windows\TEMP\pkwkmbqv.TMP

Togli il segno di spunta dalla voce Scan for Rootkits
Premi il pulsante Execute
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.

Se Avenger riporta un errore, prova a riscrivere manualmente la prima riga (Files to delete:) ricordando i due punti.

[Pciccio]

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Error: file "c:\windows\TEMP\pkwkmbqv.TMP" not found!
Deletion of file "c:\windows\TEMP\pkwkmbqv.TMP" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist


Completed script processing.

*******************

Finished! Terminate.

[ste_95]

Sembra che quel file non sia stato trovato... strano.
Come va il computer?

[Pciccio]

Adesso come adesso è un po' lenta la navigazione, ma può anche dipendere dalla Internet Key che si sa, non è l'ADSL via cavo... per il resto sembra tutto nella norma. Non so perché Avenger non abbia trovato il file, c'è da dire che nel frattempo ho cancellato dei files infetti trovati dalla scansione di Antivir. Poi ho lanciato una scansione con Malwarebytes Antimalware che mi ha trovato dei files sospetti che in realtà erano i pop up caps dei giochi di virgilio. Li ho tolti lo stesso tanto poi li riscarico. Non so se a questo punto posso fare una prova del nove...ditemi voi

[ste_95]

Non mi viene in mente altro, tutti i virus li abbiamo scovati e rimossi.

[Pciccio]

Beh, che dire Ste, se non viene in mente niente a te...Ubi maior.... ...
Stavo però osservando che tutta questa manovra di pulizia mi ha tolto l'autorun alla internet key e all' hard disk esterno, che ora devo lanciare manualmente. Suggerimenti? Altrimenti cercherò di cavarmela da solo, siete stati comunque di grande aiuto.

[ste_95]

Guarda se nella scheda Autoplay delle Proprietà delle unità non sia disattivata la funzione. Se risulta attiva ma hai ancora problemi, apri un nuovo topic nella sezione più appropriata.

[Pciccio]

Ok, grazie ancora e ciao