POSSIBILE VARIANTE VIRUS BAGLE
Inviato: dom feb 03, 2008 10:11 pmBuon giorno a tutti voi,
scusate se sono prolisso ma è doveroso per spiegarvi cosa mi è accaduto;
sono nuovo e anch'io sono stato vittima del worm Bugle (o di una possibile sua variante).
Ho scoperto di essere stato attaccato da Bugle perché sul mio Pc con Sistema Operativo Win XP, mi sono accorto della disattivazione con conseguente impossibilità di reinstallazione, dell' Antivirus Panda 2008 e del Firewall ZoneAlarm.
Non avendo esperienza in materia mi sono rivolto direttamente all'assistenza di Panda la quale mi ha fornito un tool antirootkit (Panda Anti-Rootkit) per l'individuazione e la conseguente eliminazione del malware.
Questa path ha individuato due files, ma poichè nel campo name risultavano sconosciuti, sono andato a cercarli con esplora risorse per verificarne le date di origine.
Il primo (… sistem32\Hidr.exe) riportava la data di quando sono comparsi i problemi al PC (22-01-2008), il secondo (.....sistem32\drivers\srosa.sys addirittura una data del 2006).
A questo punto non essendo molto esperto ho posto il flag solo sul primo (hidr.exe) ed ho avviato la pulizia.
Quando si sono concluse le operazioni di pulizia ho provato a reinstallare:
- ZONE ALARM (Adesso Funziona !!!!!!!)
- PANDA 2008 No.
A questo punto rifaccio partire Anti-rootkit per cercare di eliminare srosa.sys ma purtroppo non mi trova più il file.
Cerco di trovarlo con esplora risorse (anche nei file nascosti) ma nessuna traccia.
Utilizzo altri tool anti¬¬-rootkit ma tutti mi danno il sistema non infetto, ma Panda non vuole saperne di reinstallarsi.
Ad un certo punto dell’installazione di panda, sul desktop mi si apre una finestra che dice:”inserire disco 1 contenente il file avciman exe”. A questo punto eseguo una scansione con ComboFix che pare abbia individuato una voce "C:\WINDOWS\system32\2309658AE1.sys" che non so assolutamente di cosa si tratta, andando della cartella sistem32 NON compare in nessun modo il file sospetto (ho attivato la visualizzazione dei file nascosti) e non so come poterlo eliminare, ammesso che si debba fare.
Non riesco a usare kaspesky poiché al mio paese non siamo serviti da linea veloce e non riesco a scansire il PC.
Vi allego i log di alcuni programmi utilizzati per rilevare il problema:
- Combofix (individuata la voce C:\WINDOWS\system32\2309658AE1.sys)
- Avenger (log dello script di pulizia)
- HijackThis
Chiedo cortesemente aiuto poiché non so proprio più cosa fare per installare l’antivirus.
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
LOG COMBOFIX
ComboFix 08-01-29.3 - Previsdomini 2008-01-30 8.48.28.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.1596 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Previsdomini\Desktop\ToolsPandaAntiRootKit\2_ ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Creati Da 2007-12-28 al 2008-01-30 )))))))))))))))))))))))))))))))))))
.
2008-01-30 08:47 . 2008-01-30 08:47 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-30 00:51 . 2008-01-30 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\MailFrontier
2008-01-30 00:51 . 2008-01-30 08:50 288,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-30 00:51 . 2007-05-31 00:03 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2008-01-30 00:51 . 2008-01-30 00:51 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-30 00:51 . 2008-01-30 00:51 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-30 00:51 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-30 00:51 . 2008-01-30 08:45 6,236 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-29 23:55 . 2008-01-29 23:54 8,576 --a------ C:\WINDOWS\system32\drivers\gxmxolclnbpo.sys
2008-01-25 17:39 . 2008-01-30 00:55 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-25 17:29 . 2008-01-30 08:46 58,728 --a------ C:\WINDOWS\system32\vsconfig.xml
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 21:47 --------- d-----w C:\Programmi\Total Uninstall
2008-01-27 21:09 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-01-25 15:03 27,226 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_25_15_00_16_small.dmp.zip
2008-01-25 14:22 --------- d-----w C:\Programmi\Vstplugins
2008-01-22 17:05 --------- d-----w C:\Programmi\Norton AntiVirus
2008-01-12 13:57 30,309 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_01_07_22_11_47_small.dmp.zip
2008-01-07 22:06 --------- d-----w C:\Documents and Settings\Previsdomini\Dati applicazioni\Sony
2006-11-04 14:55 604 ---ha-w C:\Programmi\STLL Notifier
2006-06-13 01:14 269,824 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2006-03-08 14:11 56 --sh--r C:\WINDOWS\system32\2309658AE1.sys
2006-03-08 14:11 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 11:00 15360]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2001-12-23 19:02 4608 C:\WINDOWS\system32\carpserv.exe]
"Collegamento alla pagina delle proprietà di High Definition Audio"="HDAudPropShortcut.exe" [2004-08-12 16:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 07:53 77824 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-01-24 04:26 2750976 C:\WINDOWS\ALCWZRD.EXE]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" [2005-05-03 23:33 32768]
"StatusClient"="C:\Programmi\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 15:51 36864]
"TomcatStartup"="C:\Programmi\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 18:28 155648]
"GhostStartTrayApp"="C:\Programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 14:21 94208]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Babylon Client"="C:\Programmi\Babylon\Babylon.exe" [2005-06-27 16:36 2433086]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 17:23 86016 C:\WINDOWS\StartupMonitor.exe]
"ZoneAlarm Client"="C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54 919016]
"APVXDWIN"="C:\Programmi\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 11:00 15360]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
ATI CATALYST System Tray.lnk - C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe [2005-05-03 23:33:42 32768]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Tasto di scelta rapida per l'avvio di AutoCAD.lnk - C:\Programmi\File comuni\Autodesk Shared\acstart16.exe [2005-03-05 14:18:22 10872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Programmi\Messenger\msmsgs.exe
R1 GhPciScan;GhostPciScanner;C:\Programmi\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 14:11]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-03 22:10]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-03 22:10]
.
Contenuto della cartella 'Scheduled Tasks'
"2005-07-05 17:15:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 08:50:18
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-01-30 8.50.46
ComboFix-quarantined-files.txt 2008-01-30 07:50:43
ComboFix2.txt 2008-01-30 07:37:46
ComboFix3.txt 2008-01-30 07:34:00
.
2008-01-16 20:35:32 --- E O F ---
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
LOG AVENGER
ogfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hmdtbwgf
*******************
Script file located at: \??\C:\Documents and Settings\hwyfpdvy.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\drivers\hidr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!
Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\srosa.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc0000034
File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!
Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000034
File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!
Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\trusted.exe not found!
Deletion of file C:\WINDOWS\system32\trusted.exe failed!
Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034
Folder C:\WINDOWS\exefnd not found!
Deletion of folder C:\WINDOWS\exefnd failed!
Could not process line:
C:\WINDOWS\exefnd
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
LOG HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.42.13, on 03/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\UPHClean\uphclean.exe
C:\Programmi\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
D:\VALERIO\UTILITA'\PuliziaPC\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libero.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.19.93.146
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-nord:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Collegamento alla pagina delle proprietà di High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [StatusClient] C:\Programmi\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Programmi\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Programmi\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programmi\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6279 bytes
scusate se sono prolisso ma è doveroso per spiegarvi cosa mi è accaduto;
sono nuovo e anch'io sono stato vittima del worm Bugle (o di una possibile sua variante).
Ho scoperto di essere stato attaccato da Bugle perché sul mio Pc con Sistema Operativo Win XP, mi sono accorto della disattivazione con conseguente impossibilità di reinstallazione, dell' Antivirus Panda 2008 e del Firewall ZoneAlarm.
Non avendo esperienza in materia mi sono rivolto direttamente all'assistenza di Panda la quale mi ha fornito un tool antirootkit (Panda Anti-Rootkit) per l'individuazione e la conseguente eliminazione del malware.
Questa path ha individuato due files, ma poichè nel campo name risultavano sconosciuti, sono andato a cercarli con esplora risorse per verificarne le date di origine.
Il primo (… sistem32\Hidr.exe) riportava la data di quando sono comparsi i problemi al PC (22-01-2008), il secondo (.....sistem32\drivers\srosa.sys addirittura una data del 2006).
A questo punto non essendo molto esperto ho posto il flag solo sul primo (hidr.exe) ed ho avviato la pulizia.
Quando si sono concluse le operazioni di pulizia ho provato a reinstallare:
- ZONE ALARM (Adesso Funziona !!!!!!!)
- PANDA 2008 No.
A questo punto rifaccio partire Anti-rootkit per cercare di eliminare srosa.sys ma purtroppo non mi trova più il file.
Cerco di trovarlo con esplora risorse (anche nei file nascosti) ma nessuna traccia.
Utilizzo altri tool anti¬¬-rootkit ma tutti mi danno il sistema non infetto, ma Panda non vuole saperne di reinstallarsi.
Ad un certo punto dell’installazione di panda, sul desktop mi si apre una finestra che dice:”inserire disco 1 contenente il file avciman exe”. A questo punto eseguo una scansione con ComboFix che pare abbia individuato una voce "C:\WINDOWS\system32\2309658AE1.sys" che non so assolutamente di cosa si tratta, andando della cartella sistem32 NON compare in nessun modo il file sospetto (ho attivato la visualizzazione dei file nascosti) e non so come poterlo eliminare, ammesso che si debba fare.
Non riesco a usare kaspesky poiché al mio paese non siamo serviti da linea veloce e non riesco a scansire il PC.
Vi allego i log di alcuni programmi utilizzati per rilevare il problema:
- Combofix (individuata la voce C:\WINDOWS\system32\2309658AE1.sys)
- Avenger (log dello script di pulizia)
- HijackThis
Chiedo cortesemente aiuto poiché non so proprio più cosa fare per installare l’antivirus.
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
LOG COMBOFIX
ComboFix 08-01-29.3 - Previsdomini 2008-01-30 8.48.28.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.1596 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Previsdomini\Desktop\ToolsPandaAntiRootKit\2_ ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Creati Da 2007-12-28 al 2008-01-30 )))))))))))))))))))))))))))))))))))
.
2008-01-30 08:47 . 2008-01-30 08:47 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-30 00:51 . 2008-01-30 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\MailFrontier
2008-01-30 00:51 . 2008-01-30 08:50 288,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-30 00:51 . 2007-05-31 00:03 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2008-01-30 00:51 . 2008-01-30 00:51 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-01-30 00:51 . 2008-01-30 00:51 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-01-30 00:51 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-01-30 00:51 . 2008-01-30 08:45 6,236 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-29 23:55 . 2008-01-29 23:54 8,576 --a------ C:\WINDOWS\system32\drivers\gxmxolclnbpo.sys
2008-01-25 17:39 . 2008-01-30 00:55 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-25 17:29 . 2008-01-30 08:46 58,728 --a------ C:\WINDOWS\system32\vsconfig.xml
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 21:47 --------- d-----w C:\Programmi\Total Uninstall
2008-01-27 21:09 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-01-25 15:03 27,226 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_01_25_15_00_16_small.dmp.zip
2008-01-25 14:22 --------- d-----w C:\Programmi\Vstplugins
2008-01-22 17:05 --------- d-----w C:\Programmi\Norton AntiVirus
2008-01-12 13:57 30,309 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_01_07_22_11_47_small.dmp.zip
2008-01-07 22:06 --------- d-----w C:\Documents and Settings\Previsdomini\Dati applicazioni\Sony
2006-11-04 14:55 604 ---ha-w C:\Programmi\STLL Notifier
2006-06-13 01:14 269,824 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2006-03-08 14:11 56 --sh--r C:\WINDOWS\system32\2309658AE1.sys
2006-03-08 14:11 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 11:00 15360]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2001-12-23 19:02 4608 C:\WINDOWS\system32\carpserv.exe]
"Collegamento alla pagina delle proprietà di High Definition Audio"="HDAudPropShortcut.exe" [2004-08-12 16:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 07:53 77824 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-01-24 04:26 2750976 C:\WINDOWS\ALCWZRD.EXE]
"ATICCC"="C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" [2005-05-03 23:33 32768]
"StatusClient"="C:\Programmi\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 15:51 36864]
"TomcatStartup"="C:\Programmi\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 18:28 155648]
"GhostStartTrayApp"="C:\Programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2002-08-14 14:21 94208]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Babylon Client"="C:\Programmi\Babylon\Babylon.exe" [2005-06-27 16:36 2433086]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 17:23 86016 C:\WINDOWS\StartupMonitor.exe]
"ZoneAlarm Client"="C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54 919016]
"APVXDWIN"="C:\Programmi\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 11:00 15360]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
ATI CATALYST System Tray.lnk - C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe [2005-05-03 23:33:42 32768]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Tasto di scelta rapida per l'avvio di AutoCAD.lnk - C:\Programmi\File comuni\Autodesk Shared\acstart16.exe [2005-03-05 14:18:22 10872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Programmi\Messenger\msmsgs.exe
R1 GhPciScan;GhostPciScanner;C:\Programmi\Symantec\Norton Ghost 2003\ghpciscan.sys [2002-08-14 14:11]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-03 22:10]
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-03 22:10]
.
Contenuto della cartella 'Scheduled Tasks'
"2005-07-05 17:15:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 08:50:18
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-01-30 8.50.46
ComboFix-quarantined-files.txt 2008-01-30 07:50:43
ComboFix2.txt 2008-01-30 07:37:46
ComboFix3.txt 2008-01-30 07:34:00
.
2008-01-16 20:35:32 --- E O F ---
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
LOG AVENGER
ogfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hmdtbwgf
*******************
Script file located at: \??\C:\Documents and Settings\hwyfpdvy.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\drivers\hidr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!
Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\srosa.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc0000034
File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!
Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000034
File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!
Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034
File C:\WINDOWS\system32\trusted.exe not found!
Deletion of file C:\WINDOWS\system32\trusted.exe failed!
Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034
Folder C:\WINDOWS\exefnd not found!
Deletion of folder C:\WINDOWS\exefnd failed!
Could not process line:
C:\WINDOWS\exefnd
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
LOG HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.42.13, on 03/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\UPHClean\uphclean.exe
C:\Programmi\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
D:\VALERIO\UTILITA'\PuliziaPC\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libero.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.19.93.146
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-nord:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Collegamento alla pagina delle proprietà di High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [StatusClient] C:\Programmi\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Programmi\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programmi\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Programmi\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programmi\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6279 bytes
![[:)]](http://www.megalab.it/forum/images/smilies/smile.gif "Smile")