
Removing Bagle

Has a virus got into your computer? Do you want to browse in complete safety? Are online transactions secure? How do you stop attackers from getting into your PC? How do you protect your data? Here you will find the answers to these and other questions.

Re: Removing Bagle

Post by crazy.cat » Thu Jan 29, 2009 8:07 am

Watch out for this file:
Suspect ! - 415fc83995272b36248ff9df0e8cc95d C:\Programmi\NVIDIA Corporation\nTune\nTuneCmd.exe
If it is still present, it is almost certainly infected and could start the infection again.
When the many govern, they think only of pleasing themselves, and then you have the most foolish and most hateful tyranny: tyranny masked as liberty.

Re: Removing Bagle

Post by ziobello » Thu Jan 29, 2009 2:28 pm

I deleted the file you pointed out and have now redone the logs with ComboFix and FindyKill, here is the log.... would you analyze them for me???

FindyKill

###################### [ FindyKill V4.714 ]

# User : Administrator - MATTEO-EBC167CE
# Executed from : C:\Programmi\FindyKill
# Update on 19/01/09 by Chiquitine29
# Start at 14:19:26 the 29/01/2009
# Windows XP - Internet Explorer 7.0.5730.13

# [ FindyKill V4.714 - Deleting ] ###############

\\\\\\\\\\\\\\\\\\ [ Active Processes ] ///////////////////


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmi\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Canon\IJPLM\IJPLMSVC.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Programmi\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programmi\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\WgaTray.exe

\\\\\\\\\\\\\\\\\\ [ Infected Files / Folders ] ///////////////////


################## [ C:\ ]


################## [ C:\WINDOWS ]


################## [ C:\WINDOWS\Prefetch ]

Deleted ! - C:\WINDOWS\prefetch\MDELK.EXE-38854776.pf

################## [ C:\WINDOWS\system32 ]


################## [ C:\WINDOWS\system32\drivers ]


################## [ C:\Documents and Settings\Administrator\Dati applicazioni ]

Deleted ! - "C:\Documents and Settings\Administrator\Dati applicazioni\drivers"

################## [ C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp ]


################## [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 ]


\\\\\\\\\\\\\\\\\\ [ Registry / Infected keys ] ///////////////////


\\\\\\\\\\\\\\\\\\ [ States / Restarting of services ] ///////////////////


# Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - # Type of startup = 3

EapHost - # Type of startup = 2

Ip6Fw - # Type of startup = 2

SharedAccess - # Type of startup = 2

wuauserv - # Type of startup = 2

wscsvc - # Type of startup = 2

WinDefend - # Type of startup = 2


\\\\\\\\\\\\\\\\\\ [ Cleaning Removable drives ] ///////////////////

# Informations :

C: - Unità fissa

D: - Unità CD-ROM

E: - Unità rimovibile

F: - Unità fissa

I: - Unità fissa

J: - Unità fissa

K: - Unità fissa


# deleting files :

Not deleted !! - D:\autorun.inf

\\\\\\\\\\\\\\\\\\ [ Registry / Mountpoint2 ] ///////////////////


-> Not found !


\\\\\\\\\\\\\\\\\\ [ Searching Other Infections ] ///////////////////


\\\\\\\\\\\\\\\\\\ [ Searching Cracks / Keygen ] ///////////////////

C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\just_a_louser@hotmail.it\Sharing Folders\alessio.romanista@hotmail.it\CRACK E SERIAL
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\just_a_louser@hotmail.it\Sharing Folders\alessio.romanista@hotmail.it\CRACK E SERIAL\Istruzioni.txt
C:\Documents and Settings\Administrator\Impostazioni locali\Dati applicazioni\Microsoft\Messenger\just_a_louser@hotmail.it\Sharing Folders\alessio.romanista@hotmail.it\CRACK E SERIAL\Seriale.txt

################## [ ! End of report # FindyKill V4.714 ! ]

ComboFix

ComboFix 09-01-21.04 - Administrator 2009-01-29 14.12.26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.3326.2798 [GMT 1:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Dati applicazioni\drivers\downld
c:\documents and settings\Administrator\Preferiti\Videos.url
C:\InfoSat.txt

.
((((((((((((((((((((((((( Files Creati Da 2008-12-28 al 2009-01-29 )))))))))))))))))))))))))))))))))))
.

2009-01-28 22:13 . 2009-01-28 22:13 <DIR> d-------- c:\programmi\Trend Micro
2009-01-28 22:07 . 2009-01-28 22:07 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2009-01-28 22:07 . 2009-01-28 22:07 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-01-28 22:07 . 2009-01-28 22:07 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2009-01-28 22:07 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-28 22:07 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-28 22:00 . 2009-01-29 14:12 <DIR> d--h----- c:\documents and settings\Administrator\Dati applicazioni\drivers
2009-01-28 21:38 . 2009-01-28 21:48 <DIR> d-------- c:\programmi\FindyKill
2009-01-24 20:09 . 2009-01-24 20:09 <DIR> d-------- c:\programmi\File comuni\AVSMedia
2009-01-24 20:09 . 2009-01-25 16:09 <DIR> d-------- c:\programmi\AVS4YOU
2009-01-24 20:09 . 2009-01-24 20:09 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\AVS4YOU
2009-01-24 20:09 . 2009-01-24 20:09 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\AVS4YOU
2009-01-24 20:09 . 2006-03-03 10:02 658,432 --a------ c:\windows\system32\cc3270mt.dll
2009-01-24 20:09 . 2002-01-05 15:40 487,424 --a------ c:\windows\system32\msvcp70.dll
2009-01-24 20:09 . 2003-05-21 13:50 24,576 --a------ c:\windows\system32\msxml3a.dll
2009-01-22 18:46 . 2001-09-24 11:58 230 --------- c:\windows\XIIIHooligans.ini
2009-01-19 21:20 . 1996-10-16 11:49 301,568 --a------ c:\windows\unin0410.exe
2009-01-15 23:01 . 2009-01-15 23:01 <DIR> d-------- c:\windows\{C173E1F3-D2DF-4B8D-89BC-9A3AF75E2AC7}
2009-01-15 23:01 . 2009-01-15 23:01 <DIR> d-------- c:\programmi\USRobotics
2009-01-15 21:51 . 2009-01-15 21:51 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\InstallShield
2009-01-14 15:31 . 2009-01-14 15:31 <DIR> d-------- c:\documents and settings\Administrator\Dati applicazioni\Yahoo!
2009-01-12 19:51 . 2008-04-13 11:45 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2009-01-12 19:51 . 2008-04-13 11:45 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2009-01-12 19:50 . 2008-01-29 09:39 77,056 --a------ c:\windows\system32\drivers\HDJMidi.sys
2009-01-12 19:50 . 2009-01-12 19:50 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-12 19:50 . 2009-01-12 19:50 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_HDJBulk_01005.Wdf
2009-01-12 19:50 . 2009-01-12 19:50 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_HDJAsioK_01005.Wdf
2009-01-12 19:49 . 2006-11-02 07:09 1,419,232 --a------ c:\windows\system32\WdfCoInstaller01005.dll
2009-01-12 19:47 . 2009-01-12 19:47 <DIR> d-------- c:\programmi\Guillemot
2009-01-12 19:47 . 2008-02-11 11:54 159,744 --a------ c:\windows\system32\HDJAPI.dll
2009-01-12 19:47 . 2008-02-11 11:54 106,496 --a------ c:\windows\system32\HRFDongle.dll
2009-01-12 19:47 . 2008-01-18 14:03 27,136 --a------ c:\windows\system32\HDJSAPI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 12:54 196,608 -c--a-w c:\windows\system32\drivers\nStandard.bin
2009-01-29 12:52 --------- d-----w c:\documents and settings\LocalService\Dati applicazioni\VMware
2009-01-29 12:52 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\VMware
2009-01-25 19:12 --------- d-----w c:\programmi\Windows Live
2009-01-25 19:05 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\WLInstaller
2009-01-22 17:45 --------- d--h--w c:\programmi\InstallShield Installation Information
2009-01-15 20:58 --------- d-----w c:\programmi\File comuni\Adobe
2009-01-15 20:52 --------- d-----w c:\programmi\Yahoo!
2009-01-14 14:31 --------- d-----w c:\programmi\CCleaner
2008-12-21 13:22 --------- d-----w c:\programmi\Microsoft
2008-12-21 13:21 --------- d-----w c:\programmi\Windows Live SkyDrive
2008-12-21 13:12 --------- d-----w c:\programmi\File comuni\Windows Live
2008-12-13 19:29 --------- d-----w c:\programmi\Illustrate
2008-12-13 19:29 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\AccurateRip
2008-12-13 19:27 5,068,152 ----a-w c:\windows\system32\SpoonUninstall.exe
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-10 15:41 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\DivX
2008-12-10 15:39 --------- d-----w c:\programmi\DivX
2008-12-01 20:25 --------- d-----w c:\programmi\Horizons 2
2008-12-01 20:23 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Any DVD Converter Professional
2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-11-15 01:20 960 --sha-w C:\wvzjawja.sys
2008-07-07 12:31 24,992 -c--a-w c:\documents and settings\Administrator\Dati applicazioni\GDIPFONTCACHEV1.DAT
2008-09-26 21:41 67,696 ----a-w c:\programmi\mozilla firefox\components\jar50.dll
2008-09-26 21:41 54,376 -c--a-w c:\programmi\mozilla firefox\components\jsd3250.dll
2008-09-26 21:41 34,952 ----a-w c:\programmi\mozilla firefox\components\myspell.dll
2008-09-26 21:41 46,720 ----a-w c:\programmi\mozilla firefox\components\spellchk.dll
2008-09-26 21:41 172,144 -c--a-w c:\programmi\mozilla firefox\components\xpinstal.dll
2008-09-26 22:41 16,384 -csha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-09-26 22:41 32,768 -csha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
2008-05-11 20:29 32,768 -csha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012008051120080512\index.dat
2008-09-26 22:41 32,768 -csha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS SmartDoctor"="c:\program files\ASUS\SmartDoctor\SmartDoctor.exe" [2007-10-30 1126400]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [2005-11-24 94208]
"PcSync"="j:\pcsuite\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2006-09-21 137216]
"SoundMAXPnP"="c:\programmi\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"AsusStartupHelp"="c:\programmi\ASUS\AASP\1.00.24\AsRunHelp.exe" [2006-12-29 363008]
"Launch Ai Booster"="c:\programmi\ASUS\AI Booster\OverClk.exe" [2006-12-08 3714048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"RemoteControl"="c:\programmi\ASUS\ASUS Remote\RemoteControlAppl.exe" [2007-02-12 65536]
"PCMService"="c:\programmi\CyberLink\PowerCinema\PCMService.exe" [2007-02-09 159744]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"PCSuiteTrayApplication"="j:\pcsuite\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 229376]
"Gtwatch"="c:\windows\gtwatch.exe" [2000-11-13 28672]
"VMware hqtray"="c:\programmi\VMware\VMware Player\hqtray.exe" [2008-05-15 55856]
"CanonSolutionMenu"="c:\programmi\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\programmi\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"SMSTray"="j:\samsung mp3\SMSTray.exe" [2007-12-14 132624]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
"DWQueuedReporting"="c:\progra~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
USRobotics Wireless USB Adapter.lnk - c:\programmi\USRobotics\Wireless USB Manager\USR54G.exe [2006-04-14 663552]
Watch.lnk - c:\windows\twain_32\Trust\Direct Webscan\WATCH.exe [2008-01-24 356352]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\ASUS\ASUS Splendid
ASUS Splendid.lnk - c:\programmi\ASUS\ASUS Splendid\ASUSplendid.exe [2008-01-01 651264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{88485281-8b4b-4f8d-9ede-82e29a064277}"= "c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL" [2004-11-23 192512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\VMware\\VMware Player\\bin\\vmware-vmx.exe"=
"j:\\MotoGP 2007\\motogp.exe"=
"f:\\Matteo\\eMule\\emule.exe"=
"f:\\Matteo\\eMule10\\emule.exe"=
"k:\\Matteo\\eMule10\\emule.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"j:\\eMuleprimo\\emule.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4672:UDP"= 4672:UDP:eMule_UDP
"4662:TCP"= 4662:TCP:eMule_TCP

R3 3xHybrid;ASUSTek SAA713x PCI Card;c:\windows\system32\drivers\3xHybrid.sys [2008-01-01 2831232]
S1 aswSP;avast! Self Protection; [x]
S1 sdpiosys;sdpiosys;c:\windows\system32\drivers\sdpiosys.sys --> c:\windows\system32\drivers\sdpiosys.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2008-10-20 16512]
S3 Bulk;HDJBulk;c:\windows\system32\Drivers\HDJBulk.sys --> c:\windows\system32\Drivers\HDJBulk.sys [?]
S3 HDJAsioK;HDJAsioK;c:\windows\system32\Drivers\HDJAsioK.sys --> c:\windows\system32\Drivers\HDJAsioK.sys [?]
S3 HDJMidi;Hercules DJ Console Rmx MIDI;c:\windows\system32\drivers\HDJMidi.sys [2009-01-12 77056]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-01-14 31872]
S3 USRWGU(USR);USRobotics Wireless USB Adapter(USR);c:\windows\system32\drivers\USRWGU.sys [2005-12-29 408064]
S4 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S4 d3dramp32;Microsoft Direct3D;rundll32.exe c:\windows\system32\d3dramp32.dll,esov --> rundll32.exe c:\windows\system32\d3dramp32.dll,esov [?]
S4 WinDefend;Windows Defender;c:\programmi\Windows Defender\MsMpEng.exe [2006-11-03 13592]
.
Contenuto della cartella 'Scheduled Tasks'

2009-01-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\programmi\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-01-17 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-04-08 11:16]

2009-01-29 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-04-08 11:16]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKCU-Run-NVIDIA nTune - c:\programmi\NVIDIA Corporation\nTune\nTuneCmd.exe
HKCU-Run-WebCamRT.exe - (no file)
Notify-d3dramp32 - d3dramp32.dll


.
------- Scansione supplementare -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - i:\office\PROGRA~1\Office10\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 14:13:23
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'lsass.exe'(952)
c:\windows\system32\nvappfilter.dll
.
Ora fine scansione: 2009-01-29 14.14.15
ComboFix-quarantined-files.txt 2009-01-29 13:14:13

Pre-Run: 6.536.605.696 byte disponibili
Post-Run: 6,520,102,912 byte disponibili

204 --- E O F --- 2009-01-27 13:51:00

Re: Removing Bagle

Post by Amantide » Thu Jan 29, 2009 3:05 pm

Scan this file on www.virustotal.com and see whether it is malicious:
C:\wvzjawja.sys

Apart from that, the log looks clean.
...to fly high, you have to know how to fall...

Re: Removing Bagle

Post by ziobello » Thu Jan 29, 2009 3:13 pm

Amantide wrote: Scan this file on http://www.virustotal.com and see whether it is malicious:
C:\wvzjawja.sys

Apart from that, the log looks clean.

I can't find this file with Search, is that possible??

Re: Removing Bagle

Post by Amantide » Thu Jan 29, 2009 3:24 pm

You need to enable the display of hidden files.
...to fly high, you have to know how to fall...

Re: Removing Bagle

Post by ziobello » Thu Jan 29, 2009 3:29 pm

Amantide wrote: You need to enable the display of hidden files.

But this virus has removed the option, what do I do??.. anyway I still can't open the Windows Firewall!!!!! Are you sure this virus has been wiped out??
I reinstalled avast and scheduled the boot-time scan, is that useful???

Re: Removing Bagle

Post by Amantide » Thu Jan 29, 2009 3:51 pm

ziobello wrote:
Amantide wrote: You need to enable the display of hidden files.

But this virus has removed the option, what do I do??.. anyway I still can't open the Windows Firewall!!!!!

Follow these instructions:
http://www.MegaLab.it/2657/4/bagle-un-w ... -antivirus

ziobello wrote: Are you sure this virus has been wiped out??

The worm, yes; the side effects it caused, no. You have to follow the guide linked above to fix them.

ziobello wrote: I reinstalled avast and scheduled the boot-time scan, is that useful???

It certainly won't do any harm.
...to fly high, you have to know how to fall...

Re: Removing Bagle

Post by ziobello » Thu Jan 29, 2009 3:56 pm

Thanks a million, once the scan finishes I'll go ahead with that guide and then let you know. Thx

Re: Removing Bagle

Post by kimykaiba » Fri Mar 13, 2009 4:06 pm

Hi, I tried FindyKill too and this is the report. What should I do next?

############################## [ FindyKill V4.720 ]

# User : Computer (Administrators) # CASA-9C3D15C4E0
# Update on 12/03/09 by Chiquitine29
# Start at: 15.58.54 | 13/03/2009

# Intel(R) Pentium(R) 4 CPU 3.00GHz
# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 2
# Internet Explorer 7.0.5730.13
# Windows Firewall Status : Disabled

# A:\ # Disco floppy, 3,5 pollici
# C:\ # Disco rigido locale # 45,23 Go (34,67 Go free) [OS] # NTFS
# D:\ # Disco CD-ROM
# E:\ # Disco rigido locale # 107,43 Go (106,45 Go free) [DATA] # NTFS
# H:\ # Disco CD-ROM

############################## [ Active Processes ]

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programmi\Lexmark 2400 Series\lxcrmon.exe
C:\Programmi\Lexmark 2400 Series\ezprint.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\driven~1\syncer\McciTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Computer\Dati applicazioni\drivers\winupgro.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Documents and Settings\Computer\Dati applicazioni\m\flec006.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\Alice ti aiuta\vendors\AliceRE\content\template\driven_dev\syncer\McciBrowser.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

################## [ Infected processes stopped ]

"C:\Documents and Settings\Computer\Dati applicazioni\drivers\winupgro.exe" (1368)
"C:\Documents and Settings\Computer\Dati applicazioni\m\flec006.exe" (3740)
"C:\WINDOWS\system32\wintems.exe" (1176)

################## [ Infected Files / Folders C:\ ]


################## [ C:\WINDOWS ]


################## [ C:\WINDOWS\system32 ]

Deleted ! - C:\WINDOWS\system32\mdelk.exe
Deleted ! - C:\WINDOWS\system32\wintems.exe
Deleted ! - C:\WINDOWS\system32\ban_list.txt

################## [ C:\WINDOWS\system32\drivers ]


################## [ C:\.. Application Data ... ]

Deleted ! - "C:\Documents and Settings\Computer\Dati applicazioni\m\flec006.exe"
Deleted ! - "C:\Documents and Settings\Computer\Dati applicazioni\m\list.oct"
Deleted ! - "C:\Documents and Settings\Computer\Dati applicazioni\m\data.oct"
Deleted ! - "C:\Documents and Settings\Computer\Dati applicazioni\m\srvlist.oct"
Deleted ! - "C:\Documents and Settings\Computer\Dati applicazioni\m\shared"
Deleted ! - "C:\Documents and Settings\Computer\Dati applicazioni\m"
Deleted ! - "C:\Documents and Settings\Computer\Dati applicazioni\drivers\srosa2.sys"
Deleted ! - "C:\Documents and Settings\Computer\Dati applicazioni\drivers\wfsintwq.sys"
Deleted ! - "C:\Documents and Settings\Computer\Dati applicazioni\drivers\winupgro.exe"
Deleted ! - "C:\Documents and Settings\Computer\Dati applicazioni\drivers\downld"
Deleted ! - "C:\Documents and Settings\Computer\Dati applicazioni\drivers"

################## [ Registry / Infected keys ]

Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sK9Ou0s
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SK9OU0S
Deleted ! - HKEY_CURRENT_USER\Software\bisoft
Deleted ! - HKEY_CURRENT_USER\Software\DateTime4
Deleted ! - HKEY_CURRENT_USER\Software\FirtR
Deleted ! - HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\winupgro
Deleted ! - HKEY_USERS\S-1-5-21-1177238915-1993962763-725345543-1003\Software\FFC
Deleted ! - HKEY_USERS\S-1-5-21-1177238915-1993962763-725345543-1003\Software\MuleAppData
Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\"drvsyskit"
Deleted ! - HKEY_USERS\S-1-5-21-1177238915-1993962763-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\"drvsyskit"
Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\"german.exe"
Deleted ! - HKEY_USERS\S-1-5-21-1177238915-1993962763-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\"german.exe"
Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\"mule_st_key"
Deleted ! - HKEY_USERS\S-1-5-21-1177238915-1993962763-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\"mule_st_key"

################## [ Cleaning Removable drives ]

# Deleting files :


################## [ Registry / Mountpoint2 ]

# -> Not found !

################## [ Searching Other Infections ]

# Références de comparaison Bagle MD5 :

File ... : C:\Documents and Settings\Computer\Dati applicazioni\drivers\winupgro.exe
CRC32 .. : e435b851
MD5 .... : 09a3f9484b015f6b094fe57edc03ead9

Deleted ! : C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
# Taille : 864256 # MD5 : 09A3F9484B015F6B094FE57EDC03EAD9


################## [ PEH Corrupted ]

C:\Documents and Settings\Computer\Dati applicazioni\Convivea\Bit_Che\scripts\update.exe
C:\Programmi\Mozilla Firefox\uninstall\helper.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\WINDOWS\$hf_mig$\KB898461\update\update.exe
C:\WINDOWS\$hf_mig$\KB915865\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\014daa43525429d2b605d442811dfa4c\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\0f9f0b0ef719d55647276c9b0dcb1011\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\1625ff8b7438d61d92f359dc5ceb594a\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\253d6743b570229e13ccbdf2a2b86a56\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\2f751deff4c9646c9a2883fbe2a60450\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\37f74e72b9ef038fb2245d83c051f453\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\3a1b5a9702d7c606b0b5ef90a1802dab\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\47e571c0bd630f6b06c3e1049ae6812d\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\47ece55550b4a9ba86327e4a445c8ed5\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\5307ce719a63c5e43a1e47d30fe59196\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\55a1f2bf9a0b677485e95d3183288e9e\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\6cdcc41c09e52fe4f90d12333903527b\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\75a9e3b0522fcd305a8656e2536b0934\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\7786b1f59f09a74654c49611283ea0bc\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\7f7ce87167494981476e3aebeb726dec\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\860fd2882d5382dfdbd9b8629634dfa0\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\a9ad40526dde3a393ad2162221e95e92\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\b2b3864a89ecb73979b42bf38a67309b\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\b3d1f234bd66db36eba3602f0e2bcbc9\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\bdc6d6f19de1d2b8d66794bfb32efbf4\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\c48b75641b482fc09c915782274e020d\update\Update.exe
C:\WINDOWS\SoftwareDistribution\Download\c88095f3731fd4c28495f41823b075be\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\ca86f91b965b9d2ea4258137e8cca517\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\cba05876d9acf56c5c0068111a2ac743\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\d499a0e9eac95217c81baefa82102914\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\d9666354574f19717322d571fcc0d36f\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\e01610020f827bc60f09563514e31bcd\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\e0f58fb04db140ae217a522a23a7b301\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\e774480d6b5f128fa6bdaceb7b79373d\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\f357e00ce13110972fa7731afa75465d\update\update.exe
C:\WINDOWS\SoftwareDistribution\Download\f6c9ae7e343700890543c7c514ab4de6\update\update.exe
C:\WINDOWS\system32\dllcache\register.exe
C:\WINDOWS\system32\dllcache\sysinfo.exe

################## [ ! End of Report # FindyKill V4.720 ! ]
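
Added example, not part of the thread and not FindyKill's own code: a Python parser for the report layout seen in the posts above that lists the entries still needing a follow-up check (items not deleted, suspect files, stopped processes whose file is not listed as deleted, a disabled firewall). The sample report is constructed from lines quoted in this thread; `parse_findykill`, `follow_up` and the other names are assumptions of this example.

```python
import re

# Constructed sample: shortened and assembled from the FindyKill reports
# quoted in this thread. The deletion line for winupgro.exe is left out on
# purpose; placing the "Suspect !" line in this section is an assumption.
SAMPLE_REPORT = r'''
############################## [ FindyKill V4.720 ]
# Windows Firewall Status : Disabled
################## [ Infected processes stopped ]
"C:\Documents and Settings\Computer\Dati applicazioni\drivers\winupgro.exe" (1368)
"C:\WINDOWS\system32\wintems.exe" (1176)
################## [ C:\WINDOWS\system32 ]
Deleted ! - C:\WINDOWS\system32\mdelk.exe
Deleted ! - C:\WINDOWS\system32\wintems.exe
################## [ Registry / Infected keys ]
Deleted ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
Deleted ! - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\"drvsyskit"
################## [ Cleaning Removable drives ]
Not deleted !! - D:\autorun.inf
################## [ Searching Other Infections ]
Suspect ! - 415fc83995272b36248ff9df0e8cc95d C:\Programmi\NVIDIA Corporation\nTune\nTuneCmd.exe
Deleted ! : C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
################## [ PEH Corrupted ]
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\Programmi\Windows Defender\MSASCui.exe
################## [ ! End of Report # FindyKill V4.720 ! ]
'''

SECTION_RE = re.compile(r'^[#\\]{2,}\s*\[\s*(.+?)\s*\]')   # "#### [ name ]" or "\\\\ [ name ] ////"
ACTION_RE = re.compile(r'^(Deleted !|Not deleted !!|Suspect !)\s*[-:]\s*(.+)$')
PROCESS_RE = re.compile(r'^"(.+)"\s+\((\d+)\)$')           # "path" (pid)
FIREWALL_RE = re.compile(r'^#\s*Windows Firewall Status\s*:\s*(\w+)')
MD5_PATH_RE = re.compile(r'^([0-9a-fA-F]{32})\s+(.+)$')    # md5, then the file path
DRIVE_PATH_RE = re.compile(r'^[A-Za-z]:\\')


def unquote(value):
    """Drop one pair of surrounding double quotes, if both are present."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_findykill(text):
    """Collect the actionable entries of a FindyKill report into a dict."""
    report = {"firewall": None, "stopped": [], "deleted_files": [],
              "deleted_keys": [], "not_deleted": [], "suspect": [],
              "peh_corrupted": []}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = FIREWALL_RE.match(line)
        if m:
            report["firewall"] = m.group(1)
            continue
        m = ACTION_RE.match(line)
        if m:
            verb, target = m.group(1), unquote(m.group(2).strip())
            if verb == "Suspect !":
                hit = MD5_PATH_RE.match(target)
                report["suspect"].append(hit.groups() if hit else (None, target))
            elif verb == "Not deleted !!":
                report["not_deleted"].append(target)
            elif target.upper().startswith("HKEY_"):
                report["deleted_keys"].append(target)
            else:
                report["deleted_files"].append(target)
            continue
        m = PROCESS_RE.match(line)
        if m and section == "Infected processes stopped":
            report["stopped"].append((m.group(1), int(m.group(2))))
        elif section == "PEH Corrupted" and DRIVE_PATH_RE.match(line):
            report["peh_corrupted"].append(line)
    return report


def follow_up(report):
    """List what the report leaves open, in the order a helper would check it."""
    deleted = {p.lower() for p in report["deleted_files"]}  # Windows paths: ignore case
    items = [f"stopped but not listed as deleted: {p}"
             for p, _pid in report["stopped"] if p.lower() not in deleted]
    items += [f"not deleted: {p}" for p in report["not_deleted"]]
    items += [f"suspect (MD5 {h}): {p}" for h, p in report["suspect"]]
    if (report["firewall"] or "").lower() == "disabled":
        items.append("Windows Firewall reported as Disabled")
    if report["peh_corrupted"]:
        items.append(f"{len(report['peh_corrupted'])} file(s) under PEH Corrupted")
    return items


if __name__ == "__main__":
    for item in follow_up(parse_findykill(SAMPLE_REPORT)):
        print(item)
```

An empty result from `follow_up` only means the report itself lists nothing open; it does not replace the antivirus and firewall checks asked for in the replies.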

Re: Removing Bagle

Post by Amantide » Fri Mar 13, 2009 8:41 pm

It looks like Bagle has been removed completely this time.

Are you able to reinstall the antivirus and start the firewall?
...to fly high, you have to know how to fall...

Re: Removing Bagle

Post by kimykaiba » Fri Mar 13, 2009 11:11 pm

Yes yes, the antivirus works! It's just that CCleaner had still found some files that it hadn't managed to remove!! But after the scan with AVG no more problems have shown up!! Thank you so much, you saved me!!

Re: Removing Bagle

Post by paolettapc » Wed Mar 25, 2009 10:12 pm

Help!!!!!!!!!!!

I've caught a Bagle.
The main symptoms are: at startup AVG antivirus does not respond, MSN Messenger does not respond, and it is impossible to start almost any antivirus. Also, every now and then the internet connection hangs.

I tried downloading various dedicated programs (for Bagle) to find the virus, but nothing.. the only one that worked was FindyKill, which in safe mode seemed to have solved the problem:


############################# [ FindyKill V4.720 ]

# User : Paola () # PC-PAOLA
# Update on 22/03/09 by Chiquitine29
# Start at: 20.17.58 | 25/03/2009
# Website : http://pagesperso-orange.fr/FindyKill.Ad.Remover/

# AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
# Microsoft® Windows Vista™ Home Premium (6.0.6000 32-bit) #
# Internet Explorer 7.0.6000.16809
# Windows Firewall Status : Disabled
# AV : AVG Anti-Virus Free 8.0 [ Enabled | Updated ]
# FW : PC Tools Firewall Plus[ Enabled ]4.0.0

# C:\ # Disco rigido locale # 113,2 Go (64,17 Go free) # NTFS
# D:\ # Disco rigido locale # 112,85 Go (110,68 Go free) [DATA] # NTFS
# E:\ # Disco CD-ROM
# F:\ # Disco rimovibile
# G:\ # Disco rimovibile
# H:\ # Disco rimovibile
# I:\ # Disco rimovibile

############################## [ Active Processes ]

C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\helppane.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe

################## [ Infected Files / Folders C:\ ]


################## [ C:\Windows ]


################## [ C:\Windows\system32 ]


################## [ C:\Windows\system32\drivers ]


################## [ C:\.. Application Data ... ]


################## [ Registry / Infected keys ]


################## [ Cleaning Removable drives ]

# Deleting files :


################## [ Registry / Mountpoint2 ]

# -> Not found !

################## [ Searching Other Infections ]

# -> Nothing found.

################## [ ! End of Report # FindyKill V4.720 ! ]



I cleaned up with CCleaner, re-enabled the firewall and ran an AVG scan, which found a few minor pieces of spyware but nothing serious... everything OK: AVG, MSN and all the various antivirus programs started correctly.

I shut down the PC and shortly afterwards the problems came back as before.

I ran FindyKill again in safe mode and started a ComboFix scan; here is the log:



ComboFix 09-03-19.02 - Paola 2009-03-25 20.36.54.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1040.18.1791.995 [GMT 1:00]
Eseguito da: c:\users\Paola\Downloads\ComboFixolo.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: PC Tools Firewall Plus *enabled*
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((( Files Creati Da 2009-02-25 al 2009-03-25 )))))))))))))))))))))))))))))))))))
.

2009-03-25 19:09 . 2009-03-25 19:09 <DIR> d-------- c:\users\All Users\Office Genuine Advantage
2009-03-25 19:09 . 2009-03-25 19:09 <DIR> d-------- c:\progra~2\Office Genuine Advantage
2009-03-24 21:45 . 2009-03-24 21:45 0 --ah----- C:\ntuser.dat.LOG2
2009-03-24 21:45 . 2009-03-24 21:45 0 --ah----- C:\ntuser.dat.LOG1
2009-03-24 21:45 . 2009-03-24 21:45 0 --a------ C:\ntuser.dat
2009-03-24 21:39 . 2009-03-25 19:17 196,608 --a------ c:\windows\System32\Ikeext.etl
2009-03-24 20:26 . 2009-03-25 19:06 169,512,188 --a------ c:\windows\MEMORY.DMP
2009-03-23 21:51 . 2009-03-23 21:51 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-23 20:57 . 2008-12-05 05:29 1,244,672 --a------ c:\windows\System32\mcmde.dll
2009-03-23 20:57 . 2008-12-05 05:29 428,032 --a------ c:\windows\System32\EncDec.dll
2009-03-23 20:57 . 2008-12-05 05:29 292,352 --a------ c:\windows\System32\psisdecd.dll
2009-03-23 20:57 . 2008-12-05 05:29 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-03-23 20:57 . 2008-12-05 05:29 177,152 --a------ c:\windows\System32\mpg2splt.ax
2009-03-23 20:57 . 2008-12-05 05:29 80,896 --a------ c:\windows\System32\MSNP.ax
2009-03-23 20:57 . 2008-12-05 05:29 68,608 --a------ c:\windows\System32\Mpeg2Data.ax
2009-03-23 20:57 . 2008-12-05 05:29 57,856 --a------ c:\windows\System32\MSDvbNP.ax
2009-03-23 20:48 . 2008-07-08 13:54 148,496 --a------ c:\windows\System32\drivers\54755232.sys
2009-03-23 20:43 . 2009-03-25 20:39 16,992,288 --ahs---- c:\windows\System32\drivers\fidbox.dat
2009-03-23 20:43 . 2009-03-25 19:21 183,608 --ahs---- c:\windows\System32\drivers\fidbox.idx
2009-03-23 20:43 . 2008-07-08 13:54 148,496 --a------ c:\windows\System32\drivers\18090445.sys
2009-03-23 20:34 . 2008-12-16 05:00 8,147,968 --a------ c:\windows\System32\wmploc.DLL
2009-03-23 20:34 . 2009-02-09 02:59 2,028,032 --a------ c:\windows\System32\win32k.sys
2009-03-23 20:34 . 2008-11-27 05:42 269,824 --a------ c:\windows\System32\schannel.dll
2009-03-23 20:34 . 2008-12-16 06:53 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-23 20:34 . 2008-12-16 06:53 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-23 20:34 . 2008-12-16 06:53 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-23 19:59 . 2009-03-24 21:08 69 --a------ c:\windows\NeroDigital.ini
2009-03-23 19:47 . 2009-03-24 21:34 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-23 18:28 . 2009-03-23 18:28 <DIR> d-------- C:\_OTMoveIt
2009-03-23 18:18 . 2009-03-25 20:29 <DIR> d-------- c:\program files\FindyKill
2009-03-22 21:44 . 2009-03-22 21:44 <DIR> d-------- c:\program files\CCleaner
2009-03-22 20:09 . 2009-03-24 00:39 <DIR> d-------- C:\SDFix
2009-03-21 22:17 . 2009-03-21 22:17 <DIR> d-------- c:\program files\FaceDub
2009-03-21 22:15 . 2009-03-21 22:15 <DIR> d-------- c:\program files\Gimp-2.0
2009-03-12 19:32 . 2009-03-12 19:32 130,424 --a------ c:\windows\System32\drivers\PCTCore.sys
2009-03-10 22:04 . 2009-03-10 22:04 <DIR> d-------- c:\program files\CardRecovery
2009-03-07 19:36 . 2009-03-14 16:39 <DIR> d-------- c:\users\Paola\AppData\Roaming\dvdcss
2009-02-27 22:29 . 2009-02-27 22:29 <DIR> d-------- c:\users\All Users\PC Drivers HeadQuarters
2009-02-27 22:29 . 2009-02-27 22:29 <DIR> d-------- c:\program files\PC Drivers HeadQuarters
2009-02-27 22:29 . 2009-02-27 22:29 <DIR> d-------- c:\progra~2\PC Drivers HeadQuarters

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 19:19 --------- d---a-w c:\progra~2\TEMP
2009-03-23 21:00 --------- d-----w c:\progra~2\avg8
2009-03-23 20:57 --------- d-----w c:\program files\Windows Mail
2009-03-22 16:49 2,516 --sha-w c:\windows\System32\KGyGaAvL.sys
2009-03-21 22:24 --------- d-----w c:\program files\PC Tools Firewall Plus
2009-03-21 22:19 --------- d-----w c:\users\Paola\AppData\Roaming\vlc
2009-03-15 15:01 --------- d-----w c:\users\Paola\AppData\Roaming\DVD Flick
2009-02-27 21:31 --------- d-----w c:\program files\InstallShield Installation Information
2009-02-25 12:17 --------- d-----w c:\progra~2\PC Suite
2009-02-24 12:33 --------- d-----w c:\users\Paola\AppData\Roaming\PCToolsFirewallPlus
2009-02-23 22:17 --------- d-----w c:\program files\Common Files\PC Tools
2009-02-23 21:25 --------- d-----w c:\users\Paola\AppData\Roaming\PC Suite
2009-02-23 20:05 --------- d-----w c:\users\Paola\AppData\Roaming\Nokia
2009-02-23 19:57 --------- d-----w c:\program files\Nokia
2009-02-23 19:57 --------- d-----w c:\program files\Common Files\PCSuite
2009-02-23 19:57 --------- d-----w c:\program files\Common Files\Nokia
2009-02-23 19:56 --------- d-----w c:\program files\DIFX
2009-02-23 19:54 --------- d-----w c:\program files\PC Connectivity Solution
2009-02-23 19:50 --------- d-----w c:\progra~2\Installations
2009-02-18 19:58 --------- d-----w c:\users\Paola\AppData\Roaming\NeroDigital™
2009-02-18 18:37 --------- d-----w c:\program files\Common Files\Corel
2009-02-18 18:35 --------- d-----w c:\program files\Corel
2009-02-18 18:01 --------- d-----w c:\progra~2\Corel
2009-02-17 20:21 --------- d-----w c:\users\Paola\AppData\Roaming\Corel
2009-02-17 19:28 --------- d-----w c:\users\Paola\AppData\Roaming\InstallShield
2009-02-16 17:28 --------- d-----w c:\program files\Common Files\PX Storage Engine
2009-02-16 12:10 --------- d-----w c:\progra~2\Messenger Plus!
2009-02-15 18:57 --------- d-----w c:\program files\MSN Messenger
2009-02-15 18:57 --------- d-----w c:\program files\Messenger Plus! Live
2009-02-15 18:23 --------- d-----w c:\users\Paola\AppData\Roaming\Nero
2009-02-15 18:22 --------- d-----w c:\program files\Common Files\Nero
2009-02-15 18:20 --------- d-----w c:\program files\Nero
2009-02-15 18:20 --------- d-----w c:\progra~2\Nero
2009-02-15 13:44 --------- d-----w c:\program files\DVD Flick
2009-02-15 13:18 --------- d-----w c:\users\Paola\AppData\Roaming\Pegasys Inc
2009-02-15 13:09 59,488 ----a-w c:\windows\System32\GenSvcInst.exe
2009-02-15 13:09 145,504 ----a-w c:\windows\System32\bgsvcgen.exe
2009-02-15 13:09 13,567 ----a-w c:\windows\system32\drivers\CDRBSDRV.SYS
2009-02-15 13:09 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-13 12:07 --------- d-----w c:\program files\VideoLAN
2009-02-11 18:35 --------- d-----w c:\program files\eMule
2009-02-11 18:35 --------- d-----w c:\progra~2\eMule
2009-02-09 18:59 --------- d-----w c:\program files\Maxtor
2009-02-09 18:53 --------- d-----w c:\progra~2\Maxtor
2009-02-08 21:05 --------- d-----w c:\progra~2\WLInstaller
2009-02-08 20:30 --------- d-----w c:\program files\QuickTime
2009-02-08 20:30 --------- d-----w c:\progra~2\Apple Computer
2009-02-08 20:29 --------- d-----w c:\program files\Apple Software Update
2009-02-08 20:29 --------- d-----w c:\progra~2\Apple
2009-02-06 19:49 --------- d-----w c:\program files\Windows Live SkyDrive
2009-02-06 19:49 --------- d-----w c:\program files\Windows Live
2009-02-06 19:49 --------- d-----w c:\program files\Microsoft
2009-02-06 19:40 --------- d-----w c:\program files\Common Files\Windows Live
2009-02-06 16:37 --------- d-----w c:\users\Paola\AppData\Roaming\AdobeUM
2009-02-06 16:35 --------- d-----w c:\program files\Common Files\Adobe
2009-02-06 16:21 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-06 16:21 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-06 16:21 10,520 ----a-w c:\windows\System32\avgrsstx.dll
2009-02-06 16:21 --------- d-----w c:\program files\AVG
2009-02-06 16:17 268,800 ----a-w c:\windows\System32\es.dll
2009-02-06 16:17 229,888 ----a-w c:\windows\System32\msshsq.dll
2009-02-06 14:25 --------- d-----w c:\progra~2\NVIDIA
2009-02-06 14:24 174 --sha-w c:\program files\desktop.ini
2009-02-06 14:20 --------- d-----w c:\program files\Windows Sidebar
2009-02-06 14:20 --------- d-----w c:\program files\Windows Defender
2009-02-06 14:20 --------- d-----w c:\program files\Windows Calendar
2009-02-06 13:46 61,440 ----a-w c:\windows\System32\winipsec.dll
2009-02-06 13:46 361,984 ----a-w c:\windows\System32\IPSECSVC.DLL
2009-02-06 13:46 28,672 ----a-w c:\windows\System32\FwRemoteSvr.dll
2009-02-06 13:46 272,896 ----a-w c:\windows\System32\polstore.dll
2009-02-06 13:44 95,232 ----a-w c:\windows\System32\PortableDeviceClassExtension.dll
2009-02-06 13:44 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2009-02-06 13:44 160,768 ----a-w c:\windows\System32\PortableDeviceTypes.dll
2009-02-06 13:42 87,040 ----a-w c:\windows\System32\msoert2.dll
2009-02-06 13:42 39,424 ----a-w c:\windows\System32\ACCTRES.dll
2009-02-06 13:42 205,824 ----a-w c:\windows\System32\msoeacct.dll
2009-02-06 13:41 704,000 ----a-w c:\windows\System32\PhotoScreensaver.scr
2009-02-06 13:41 67,584 ----a-w c:\windows\System32\wlanhlp.dll
2009-02-06 13:41 542,720 ----a-w c:\windows\System32\sysmain.dll
2009-02-06 13:41 502,784 ----a-w c:\windows\System32\wlansvc.dll
2009-02-06 13:41 47,104 ----a-w c:\windows\System32\wlanapi.dll
2009-02-06 13:41 297,984 ----a-w c:\windows\System32\wlansec.dll
2009-02-06 13:41 290,816 ----a-w c:\windows\System32\wlanmsm.dll
2009-02-06 13:41 258,232 ----a-w c:\windows\system32\drivers\acpi.sys
2009-02-06 13:41 24,064 ----a-w c:\windows\System32\wtsapi32.dll
2009-02-06 13:39 194,560 ----a-w c:\windows\System32\WebClnt.dll
2009-02-06 13:39 110,080 ----a-w c:\windows\system32\drivers\mrxdav.sys
2009-02-06 13:36 49,664 ----a-w c:\windows\System32\csrsrv.dll
2009-02-06 13:36 376,320 ----a-w c:\windows\System32\winsrv.dll
2009-02-06 13:32 297,472 ----a-w c:\windows\System32\gdi32.dll
2009-02-06 13:31 41,984 ----a-w c:\windows\system32\drivers\monitor.sys
2009-02-06 13:31 1,060,920 ----a-w c:\windows\system32\drivers\ntfs.sys
2009-02-06 13:28 211,456 ----a-w c:\windows\system32\drivers\mrxsmb10.sys
2009-02-06 13:27 537,600 ----a-w c:\windows\AppPatch\AcLayers.dll
2009-02-06 13:27 449,536 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2009-02-06 13:27 4,247,552 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2009-02-06 13:27 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2009-02-06 13:27 2,560 ----a-w c:\windows\AppPatch\AcRes.dll
2009-02-06 13:27 2,144,256 ----a-w c:\windows\AppPatch\AcGenral.dll
2009-02-06 13:27 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-30 16200]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-25 2652056]

c:\users\Paola\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
is-5NS0Q.lnk - c:\users\Paola\Desktop\Virus Removal Tool1\is-5NS0Q\startup.exe [2009-03-23 65536]
is-DR9N2.lnk - c:\users\Paola\Desktop\Virus Removal Tool\is-DR9N2\startup.exe [2009-03-23 65536]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]

c:\users\Paola\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\
is-5NS0Q.lnk - c:\users\Paola\Desktop\Virus Removal Tool1\is-5NS0Q\startup.exe [2009-03-23 65536]
is-DR9N2.lnk - c:\users\Paola\Desktop\Virus Removal Tool\is-DR9N2\startup.exe [2009-03-23 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
--a------ 2009-02-06 13:55 1232896 c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2006-11-02 13:34 2159104 c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1385902102-4090305123-520801781-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5D531305-43AF-46F6-8F57-F0EECFC7B581}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{B66112B3-09CB-46F4-88F4-3DDD5984E223}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"TCP Query User{10BE3F42-602A-47B0-B3C6-33CDC9EC000D}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule Plus
"UDP Query User{4F701539-2924-40C2-99E4-A30279487FE8}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule Plus
"{272CDEB4-8EC1-45A4-A409-62BB908550BB}"= UDP:c:\program files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.0
"{6667D07D-8C71-4BB1-ACB7-FDCEBD158F2B}"= TCP:c:\program files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.0
"{81F0BDF9-7160-472E-BD8E-EB080B584F05}"= UDP:c:\program files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.0
"{03F25E26-66EE-4998-97B2-D84D588C4FC8}"= TCP:c:\program files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.0
"{E2E52407-678E-47B9-ABEC-3D734F04AB89}"= UDP:c:\program files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.0
"{B0F5767F-F2A9-4314-92C0-3A0677C8163D}"= TCP:c:\program files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.0
"{301E50C3-DC5B-45D5-BEFE-E5269BC70031}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-06 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-06 107272]
R1 is-5NS0Qdrv;is-5NS0Qdrv;c:\windows\System32\drivers\54755232.sys [2009-03-23 148496]
R1 is-DR9N2drv;is-DR9N2drv;c:\windows\System32\drivers\18090445.sys [2009-03-23 148496]
R1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2009-02-23 159600]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-06 298264]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\System32\drivers\PCTAppEvent.sys [2009-02-23 73840]
R3 pctplfw;pctplfw;c:\windows\System32\drivers\pctplfw.sys [2009-02-23 95640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-Corel Photo Downloader - c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe
SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService


.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {14072B60-7382-4030-BB0A-E8C6383B6B53} = 193.70.152.15 193.70.152.25
FF - ProfilePath - c:\users\Paola\AppData\Roaming\Mozilla\Firefox\Profiles\140lkdso.default\
FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 20:39:20
Windows 6.0.6000 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2009-03-25 20.41.43
ComboFix-quarantined-files.txt 2009-03-25 19:41:39

Pre-Run: 66.767.646.720 byte disponibili
Post-Run: 66,313,723,904 byte disponibili

256 --- E O F --- 2009-03-24 20:47:52



Could you please take a look at the logs and tell me what I should do now?
Right now the PC seems to work correctly... but I have a feeling it won't last long... [8)] [sadbye] [V]
Thanks in advance
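
Added example (not part of any post in this thread, and not code from ComboFix or FindyKill): a small Python triage pass over the autostart part of a ComboFix log like the one above, listing what runs again after a reboot, which is where a symptom that returns after shutdown should be looked for. The flagging rules are assumptions of this example and only mark entries to review, not verdicts; in this log the flagged shortcut sits in a "Virus Removal Tool" folder and the flagged driver carries the same `is-5NS0Q` name.

```python
import ntpath
import re

# Excerpt of the ComboFix log posted above (lines copied from the thread, list shortened).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]

c:\users\Paola\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
is-5NS0Q.lnk - c:\users\Paola\Desktop\Virus Removal Tool1\is-5NS0Q\startup.exe [2009-03-23 65536]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-06 325128]
R1 is-5NS0Qdrv;is-5NS0Qdrv;c:\windows\System32\drivers\54755232.sys [2009-03-23 148496]
'''

SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
STAMP = r' \[\d{4}-\d{2}-\d{2} \d+\]$'  # trailing "[date size]" as printed in the log
LNK = re.compile(r'^(?P<name>\S.*?\.lnk) - (?P<path>.+?)' + STAMP)
# Service/driver lines in the form they have in the log: "R1 name;display;path [date size]"
SERVICE = re.compile(r'^R\d (?P<name>[^;]+);[^;]*;(?P<path>.+?)' + STAMP)


def parse_autostarts(log):
    """Return (kind, name, target) for every autostart-related item in the log text."""
    items, section = [], ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            section = ""            # a blank line ends the current registry section
            continue
        m = SECTION.match(line)
        if m:
            section = m["key"]
            continue
        key = section.lower()
        if key.endswith(r"\currentversion\run") and (m := RUN_VALUE.match(line)):
            items.append(("run", m["name"], m["path"]))
        elif "firewallpolicy" in key and (m := FIREWALL.match(line)):
            items.append(("firewall", section.rsplit("\\", 1)[-1], m["val"]))
        elif m := LNK.match(line):
            items.append(("startup", m["name"], m["path"]))
        elif m := SERVICE.match(line):
            items.append(("service", m["name"], m["path"]))
    return items


def review_reasons(kind, target):
    """Heuristics assumed for this example: reasons to look at an entry first."""
    t, reasons = target.lower(), []
    if kind in ("run", "startup") and t.startswith("c:\\users\\"):
        reasons.append("launches from a user-writable profile folder")
    if kind == "service" and re.fullmatch(r"\d+\.sys", ntpath.basename(t)):
        reasons.append("driver file has a purely numeric name")
    if kind == "firewall" and target == "0":
        # Can be legitimate when a third-party firewall is installed, as in this log.
        reasons.append("Windows Firewall profile is disabled")
    return reasons


def triage(log):
    """Return only the entries that have at least one reason for review."""
    flagged = []
    for kind, name, target in parse_autostarts(log):
        reasons = review_reasons(kind, target)
        if reasons:
            flagged.append((kind, name, target, reasons))
    return flagged


if __name__ == "__main__":
    for kind, name, target, reasons in triage(SAMPLE_LOG):
        print(f"[{kind}] {name} -> {target}: {'; '.join(reasons)}")
```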

Re: removing Bagle

Post by Amantide » Wed Mar 25, 2009 11:05 pm

The PC seems to be clean; then again... with all these removal tools showing up in the logs, it couldn't have been otherwise [sh]

To uninstall them (now that you no longer need them) you can also use this tool to remove them all in one go, ToolCleaner.

Re: removing Bagle

Post by paolettapc » Sun Apr 05, 2009 8:12 pm

All the problems have been solved except the MSN Messenger one. [uhm]
Every time I sign in to MSN, the window freezes and stops responding; the only way I have to fix it is to run FindyKill in safe mode, and the problem goes away; however, if I shut down or restart the PC, MSN keeps freezing.
With Web Messenger the problem does not occur, as it always works perfectly.
I tried deleting and reinstalling MSN but nothing changed. [V]
Since I don't think the Bagle problem is still present, what could it be? And how can it be fixed?
Note that the problem has been there since I caught a Bagle.
Thanks again.

Re: removing Bagle

Post by Amantide » Sun Apr 05, 2009 8:18 pm

Reinstalling MSN should have been exactly what fixed it, since its executable is often infected by Bagle.

Try running a full scan with Kaspersky online and see whether it finds anything else infected that is preventing Messenger from working.

Re: removing Bagle

Post by paolettapc » Mon Apr 06, 2009 10:36 am

Thanks Amantide..
I tried running Kaspersky and it didn't detect any viruses; I tried scanning the MSN folders with AVG and it doesn't report any viruses. I started to suspect I hadn't removed the old MSN properly, because when I reinstalled it and used it, the old emoticons and the various avatars still showed up. [8)]
I'm trying to delete it again using CCleaner and by manually deleting everything I find in PROGRAMMI and through search.
Can you please recommend a way to delete every subfolder? [grazie]

Re: removing Bagle

Post by Amantide » Mon Apr 06, 2009 1:45 pm

I've seen Quick MSN Messenger Remover online but, never having tried it, I don't know whether it really works. You can always give it a try, though:
http://www.wellteksoftware.com/products ... mover.html

Re: removing Bagle

Post by paolettapc » Tue Apr 07, 2009 10:20 am

That link gives a 404 Not Found error...
Anyway, it's clear that the virus gets removed after every FindyKill scan, but every time the PC is shut down it automatically comes back...
After a while it also freezes some random window on me.
Help!!!!! [XX(]

Re: removing Bagle

Post by Amantide » Tue Apr 07, 2009 10:53 am

paolettapc wrote: That link gives a 404 Not Found error...

[boh] I tried again and it works for me [uhm]

paolettapc wrote: Anyway, it's clear that the virus gets removed after every FindyKill scan, but every time the PC is shut down it automatically comes back... After a while it also freezes some random window on me.


That's very strange, especially since Kaspersky Online doesn't find any other infected files for you.

Re: removing Bagle

Post by paolettapc » Thu Apr 09, 2009 3:33 pm

Amantide wrote:
paolettapc wrote: That link gives a 404 Not Found error...

[boh] I tried again and it works for me [uhm]

paolettapc wrote: Anyway, it's clear that the virus gets removed after every FindyKill scan, but every time the PC is shut down it automatically comes back... After a while it also freezes some random window on me.


That's very strange, especially since Kaspersky Online doesn't find any other infected files for you.



I managed to use that program to delete MSN, but data such as emoticons and avatars remain.
The problem persists.... can you help me, or do I have no choice but to have it formatted?
Thanks and sorry [std]


megalab.it: daily online publication registered with the Court of Cosenza, no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising