www.MegaLab.it

da **andreasound** » lun feb 18, 2008 6:18 pm

Ciao a tutti

ieri ho constatato l'infezione e ho provveduto a individuare ed eliminare in modalità provvisoria i file hldrrr.exe, wintems.exe, mdeck.exe (se non ricordo male), uno il cui nome era costituito da numeri (tipo 159421) in windows -> system32.

Come dovrei procedere ora?

(Ora sto facendo lo scan con kaspersky, è normale che si soffermi per 6 minuti solo sui file di quick time?
Hijackthis non mi parte perché dice che non è 1 applicazione di win32 valida.per cui non so come vedere se il virus è stato debellato...)

qual è il prossimo passo?

PS:
1 nella prima fase dell'infezione comparivano anche schermate blu di windows xp che diceva che windows era stato bloccato per evitare danni al sistema, e non c'era altro da fare se non spegnere il pc manualmete
2 al momento Hldrrr.exe e wintems non compaiono più tra i processi

da **ste_95** » lun feb 18, 2008 6:26 pm

Attendi che la scansione con kaspersky finisca. Ad alcuni ha impiegato giorni.

da **crazy.cat** » lun feb 18, 2008 6:28 pm

andreasound ha scritto:Hijackthis non mi parte perché dice che non è 1 applicazione di win32 valida.

http://www.MegaLab.it/forum/viewtopic.p ... 172#325172

Serve il risultato della scansione online, la sera molto lenta più del solito, e poi si costruisce lo script da usare con avenger che trovi sempre nei link che ti ho dato prima.

da **andreasound** » lun feb 18, 2008 7:10 pm

ok, intanto lascio lavorare kaspersky! [^]

da **andreasound** » mer feb 20, 2008 11:02 pm

ecco il responso della scansione on-line di kspersky (36 orette) [V]

Non sembra dare buone notizie, che dite?

Come dovrei procedere? [uhm]

da **andreasound** » mer feb 20, 2008 11:05 pm

non riuscivo a caricarlo quindi lo posto così.. scusatemi se magari sono andato contro le regole del forum [V]

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 20, 2008 10:47:16 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/02/2008
Kaspersky Anti-Virus database records: 570716
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 72355
Number of viruses found: 5
Number of infected objects: 24
Number of suspicious objects: 0
Duration of the scan process: 36:54:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Dati applicazioni\McAfee\AntiSpyware\Data\masdata.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\McAfee\AntiSpyware\Data\masevents.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\McAfee.com\Agent\Logs\TaskScheduler\McTskshd001.log Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\JERRY POOL\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\4B0YA8N5\b64_31[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\4B0YA8N5\b64_31[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_31[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_31[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\J1971SAE\b64_31[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_2[2].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_31[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_31[2].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\K1EA2BTE\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\K1EA2BTE\b64_2[2].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\K1EA2BTE\b64_31[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\K7ZL44E1\b64_31[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\KATX6UJ5\b64_1[2].jpg Infected: Trojan-PSW.Win32.Agent.xd skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\KATX6UJ5\b64_2[1].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\KATX6UJ5\b64_2[2].jpg Infected: Trojan.Win32.Pakes.bwy skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\U1FXPB35\b64_1[1].jpg Infected: Trojan-PSW.Win32.LdPinch.ewq skipped
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\U1FXPB35\b64_31[1].jpg Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\JERRY POOL\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\JERRY POOL\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Muestras\HLDRRR.EXE.Muestra EliBagle v11.00 Infected: Trojan-Downloader.Win32.Bagle.jv skipped
C:\Programmi\FreePOPs\log.txt Object is locked skipped
C:\Programmi\FreePOPs\stderr.txt Object is locked skipped
C:\Programmi\FreePOPs\stdout.txt Object is locked skipped
C:\Programmi\McAfee\McAfee AntiSpyware\MASAlert.exe Infected: Trojan-Downloader.Win32.Bagle.jv skipped
C:\Programmi\Toshiba\TOSCDSPD\TOSCDSPD.exe Infected: Trojan-Downloader.Win32.Bagle.jv skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\system32\drivers\hldrrr.exe Infected: Trojan-Downloader.Win32.Bagle.jv skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\sqlite_2YtPCWtlNjZ2VBN Object is locked skipped
C:\WINDOWS\Temp\sqlite_so3lWKEZiNZgerI Object is locked skipped
C:\WINDOWS\Temp\sqlite_WjkKYjYUWbilEmf Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

da **ste_95** » gio feb 21, 2008 7:10 am

Disabilita il ripristino configurazione di sistema.

Scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Metti il pallino su input script manually
Quindi scegli la lente e cliccaci
Ora incolla queste righe nella box bianca che si è aperta:

Codice: Seleziona tutto: Files to delete: C:\WINDOWS\system32\drivers\srosa.sys C:\WINDOWS\system32\wintems.exe C:\windows\system32\drivers\hldrrr.exe C:\WINDOWS\system32\mdelk.exe C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\4B0YA8N5\b64_31[1].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\4B0YA8N5\b64_31[2].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_2[1].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_31[1].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_31[2].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\J1971SAE\b64_31[1].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_2[1].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_2[2].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_31[1].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_31[2].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\K1EA2BTE\b64_2[1].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\K1EA2BTE\b64_2[2].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\K1EA2BTE\b64_31[1].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\K7ZL44E1\b64_31[1].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\KATX6UJ5\b64_1[2].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\KATX6UJ5\b64_2[1].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\KATX6UJ5\b64_2[2].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\U1FXPB35\b64_1[1].jpg C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\U1FXPB35\b64_31[1].jpg C:\Programmi\McAfee\McAfee AntiSpyware\MASAlert.exe C:\Programmi\Toshiba\TOSCDSPD\TOSCDSPD.exe Folders to delete: C:\WINDOWS\system32\drivers\down C:\Muestras Registry keys to delete: HKLM\SYSTEM\CurrentControlSet\Services\srosa HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA

Adesso devi cliccare su Done in basso nella box
Seleziona il semaforino in alto a destra
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.

Riscarica gli installer dei programmi di sicurezza e prova a reinstallare un antivirus.

da **andreasound** » ven feb 22, 2008 11:59 am

Ecco il responso di Avenger, sembra sia andato tutto bene no? [wow]

Grazie Ste & Crazy.cat [applauso+]

qual è il prossimo passo?

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\oeiucbgl

*******************

Script file located at: \??\C:\WINDOWS\yoxkmteq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\drivers\srosa.sys deleted successfully.
File C:\WINDOWS\system32\wintems.exe deleted successfully.
File C:\windows\system32\drivers\hldrrr.exe deleted successfully.
File C:\WINDOWS\system32\mdelk.exe deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\4B0YA8N5\b64_31[1].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\4B0YA8N5\b64_31[2].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_2[1].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_31[1].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_31[2].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\J1971SAE\b64_31[1].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_2[1].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_2[2].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_31[1].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_31[2].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\K1EA2BTE\b64_2[1].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\K1EA2BTE\b64_2[2].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\K1EA2BTE\b64_31[1].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\K7ZL44E1\b64_31[1].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\KATX6UJ5\b64_1[2].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\KATX6UJ5\b64_2[1].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\KATX6UJ5\b64_2[2].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\U1FXPB35\b64_1[1].jpg deleted successfully.
File C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\U1FXPB35\b64_31[1].jpg deleted successfully.
File C:\Programmi\McAfee\McAfee AntiSpyware\MASAlert.exe deleted successfully.
File C:\Programmi\Toshiba\TOSCDSPD\TOSCDSPD.exe deleted successfully.
Folder C:\WINDOWS\system32\drivers\down deleted successfully.
Folder C:\Muestras deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

da **crazy.cat** » ven feb 22, 2008 12:20 pm

andreasound ha scritto:qual è il prossimo passo?

questo

ste_95 ha scritto:Riscarica gli installer dei programmi di sicurezza e prova a reinstallare un antivirus.

da **andreasound** » ven feb 22, 2008 12:23 pm

ok ho chiarito, ora provvedo, grazie!

da **andreasound** » ven feb 22, 2008 2:21 pm

ho tolto mcaffee che aveva fallito con bagle e ho messo avira, + comodo;
tutto sembra funzionare come prima, posto un log di hijack this per scrupolo..

Il vostro aiuto mi è stato davvero prezioso! [applauso+]

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14.23.09, on 22/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programmi\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Java\j2re1.4.2_15\bin\jusched.exe
C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\Launcher.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\TOSHIBA\PadTouch\PadExe.exe
C:\Programmi\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\MSN Messenger\livecall.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Programmi\Windows Media Player\wmplayer.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\JERRY POOL\Desktop\MegaLab_copia_hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKLM\..\Run: [SmoothView] C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\system32\Launcher.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PadTouch] "C:\Programmi\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programmi\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-U ... E_UNO1.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://albion500.spaces.live.com/PhotoU ... nPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6451E548-E7EC-4F3B-9D75-F96037B86008}: NameServer = 85.37.17.43 85.38.28.96
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmi\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8250 bytes

da **ste_95** » ven feb 22, 2008 2:27 pm

Seleziona a sinistra queste voci e premi fix checked in basso:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe

da **andreasound** » ven feb 22, 2008 2:50 pm

Ho fatto come hai detto, posto il log seguente:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14.50.12, on 22/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programmi\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\Java\j2re1.4.2_15\bin\jusched.exe
C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\Launcher.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\TOSHIBA\PadTouch\PadExe.exe
C:\Programmi\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\MSN Messenger\livecall.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Programmi\Windows Media Player\wmplayer.exe
C:\Documents and Settings\JERRY POOL\Desktop\MegaLab_copia_hijack.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [THotkey] C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\j2re1.4.2_15\bin\jusched.exe"
O4 - HKLM\..\Run: [SmoothView] C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\system32\Launcher.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PadTouch] "C:\Programmi\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programmi\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-U ... E_UNO1.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://albion500.spaces.live.com/PhotoU ... nPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6451E548-E7EC-4F3B-9D75-F96037B86008}: NameServer = 85.37.17.43 85.38.28.96
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmi\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee AntiSpyware Service - Unknown owner - c:\progra~1\mcafee\mcafee antispyware\massrv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7967 bytes

da **ste_95** » ven feb 22, 2008 2:55 pm

Sembra tutto a posto. [^]

da **andreasound** » ven feb 22, 2008 3:40 pm

nell'ultima scansione però avira ha trovato dei file sospetti..

AntiVir PersonalEdition Classic
Report file date: venerdì 22 febbraio 2008 12:51

Scanning for 1119794 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: ANDREAFAVARO

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 14:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 11:47:24
ANTIVIR2.VDF : 7.0.2.113 1673728 Bytes 08/02/2008 11:47:24
ANTIVIR3.VDF : 7.0.2.178 327168 Bytes 22/02/2008 11:47:24
AVEWIN32.DLL : 7.6.0.67 3293696 Bytes 22/02/2008 11:47:24
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 22/02/2008 11:47:24
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\programmi\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: venerdì 22 febbraio 2008 12:51

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'wmplayer.exe' - '1' Module(s) have been scanned
Scan process 'ServiceLayer.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'agrsmmsg.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'NDSTray.exe' - '1' Module(s) have been scanned
Scan process 'PadExe.exe' - '1' Module(s) have been scanned
Scan process 'LaunchApplication.exe' - '1' Module(s) have been scanned
Scan process 'launcher.exe' - '1' Module(s) have been scanned
Scan process 'SmoothView.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'TFncKy.exe' - '1' Module(s) have been scanned
Scan process 'TPSBattM.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'CFSvcs.exe' - '1' Module(s) have been scanned
Scan process 'THotkey.exe' - '1' Module(s) have been scanned
Scan process 'TPSMain.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'acs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
39 processes with 39 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '45' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\avenger\backup.zip
[0] Archive type: ZIP
-->

avenger/b64_1[1].jpg
[DETECTION] Is the Trojan horse TR/PSW.LdPinch.ewq
-->

avenger/b64_1[2].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
-->

avenger/b64_2[1].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
-->

avenger/b64_2[1].jpg-ren-421
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
-->

avenger/b64_2[1].jpg-ren-447
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
-->

avenger/b64_2[1].jpg-ren-526
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
-->

avenger/b64_2[2].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
-->

avenger/b64_2[2].jpg-ren-449
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
-->

avenger/b64_2[2].jpg-ren-529
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
-->

avenger/b64_31[1].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/b64_31[1].jpg-ren-401
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/b64_31[1].jpg-ren-409
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/b64_31[1].jpg-ren-429
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/b64_31[1].jpg-ren-451
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/b64_31[1].jpg-ren-517
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/b64_31[1].jpg-ren-538
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/b64_31[2].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/b64_31[2].jpg-ren-403
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/b64_31[2].jpg-ren-429
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/104091953.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/118830218.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/133609000.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/133688343.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/148411921.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/148414312.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/15044812.exe
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
-->

avenger/down/15085890.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/15089812.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/163197765.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/177949453.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/177965515.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/192751218.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/192780000.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/29966625.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/29969875.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/378812.exe
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
-->

avenger/down/381578.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/44636890.exe
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
-->

avenger/down/44669906.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/59353109.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/59360218.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/74058875.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/74348484.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/down/89197453.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/hldrrr.exe
[DETECTION] Is the Trojan horse TR/Dldr.Bagle.JV
-->

avenger/MASAlert.exe
[DETECTION] Is the Trojan horse TR/Dldr.Bagle.JV
-->

avenger/mdelk.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
-->

avenger/Muestras/HLDRRR.EXE.Muestra EliBagle v11.00
[DETECTION] Is the Trojan horse TR/Dldr.Bagle.JV
-->

avenger/Muestras/SROSA.SYS.Muestra EliBagle v11.00
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
-->

avenger/srosa.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
-->

avenger/TOSCDSPD.exe
[DETECTION] Is the Trojan horse TR/Dldr.Bagle.JV
-->

avenger/wintems.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '4821b7c9.qua'!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_1[1].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_1[2].jpg
[DETECTION] Is the Trojan horse TR/PSW.LdPinch.ewq
[INFO] The file was deleted!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_1[3].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\770OCD24\b64_1[4].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_1[1].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_1[2].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_1[3].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_1[4].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\JC1M4PXT\b64_2[3].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\KATX6UJ5\b64_2[3].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\U1FXPB35\b64_1[2].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\U1FXPB35\b64_2[1].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\JERRY POOL\Impostazioni locali\Temporary Internet Files\Content.IE5\U1FXPB35\b64_31[2].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!

End of the scan: venerdì 22 febbraio 2008 15:37
Used time: 2:46:03 min

The scan has been done completely.

5912 Scanning directories
397016 Files were scanned
65 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
13 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
396951 Files not concerned
16113 Archives were scanned
4 Warnings
0 Notes

da **ste_95** » ven feb 22, 2008 3:49 pm

Ha trovato alcuni rimasugli e i backup che avenger aveva effettuato, ha rimosso tutto [:)]

da **andreasound** » ven feb 22, 2008 5:38 pm

Perfetto, grazie Ste!
[^]

da **andreasound** » lun feb 25, 2008 6:52 pm

Ciao a tutti,

riapro questo post perché ho constatato che ora, seppure sia il lettore cd che le chiavette usb siano tornate a funzionare, non riesco a stampare perche il computer vede la stampante (bjc 2000 canon) non in linea, sebbene tutto sia installato regolarmente...

ho eliminato e reinstallato i driver, ma ilpc non riesce ancora a comunicare con la stampante... aiuto!!! [zip]

da **ste_95** » lun feb 25, 2008 6:54 pm

Domanda banale, i collegamenti sono corretti?

da **andreasound** » lun feb 25, 2008 11:01 pm

si, ho controllato i cavi, la stampante ha fatto la stampa di prova (la fa anche se non connessa al pc) correttamente.. quindi di per sè funziona, qualcosa non va col pc credo... [acc2]

www.MegaLab.it

Infezione da virus Bagle

Infezione da virus Bagle

Re: Infezione da virus Bagle

Chi c’è in linea