Bagle (winfilse.exe)

Post by diodorus » Thu Nov 06, 2008 9:57 am

Hi!

I've caught Bagle ("winfilse.exe" wanted to connect to the internet, but I blocked it with Look 'n' Stop). I've read various posts on this site about Bagle and did the following.

(premise: I had NOD32, which has stopped working. Kaspersky online scan hangs. Avenger (both versions) won't start)

I ran FindyKill:

----------------- FindyKill V4.095 ------------------

* User : Sandro - HOME-FUJPEALBRD
* Emplacement : C:\Program Files\FindyKill
* Outils Mis a jours le 05/11/08 par Chiquitine29
* Recherche effectuée à 1:03:51 le Thu 06/11/2008
* Windows XP - Internet Explorer 7.0.5730.13

((((((((((((((((( *** Recherche *** ))))))))))))))))))


--------------- [ Processus actifs ] ----------------


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\QuickCam 11.5\Quickcam.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WebDrive\wdService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

--------------- [ Fichiers/Dossiers infectieux ] ----------------


»»»» Presence des fichiers dans C:


»»»» Presence des fichiers dans C:\WINDOWS


»»»» Presence des fichiers dans C:\WINDOWS\Prefetch


»»»» Presence des fichiers dans C:\WINDOWS\system32


»»»» Presence des fichiers dans C:\WINDOWS\system32\drivers

Présent ! [06/11/2008 00:51] - C:\WINDOWS\system32\drivers\srosa.sys
Présent ! [06/11/2008 00:51] - C:\WINDOWS\system32\drivers\srosa2.sys
Présent ! [08/10/2004 04:05] - C:\WINDOWS\system32\drivers\winfilse.exe
Présent ! [06/11/2008 00:51] - "C:\WINDOWS\system32\drivers\downld"

»»»» Presence des fichiers dans C:\Documents and Settings\Sandro\Application Data


»»»» Presence des fichiers dans C:\DOCUME~1\Sandro\LOCALS~1\Temp

Présent ! - C:\DOCUME~1\Sandro\LOCALS~1\Temp\Eye_Patch_{72A388DF-9888-46A6-BDF0-984514656AAD}.xml
Présent ! - C:\DOCUME~1\Sandro\LOCALS~1\Temp\PatchByFile.tmp
Présent ! - C:\DOCUME~1\Sandro\LOCALS~1\Temp\jkos-Sandro\binaries\03988373.key

--------------- [ Registre / Startup ] ----------------


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
TkBellExe REG_SZ "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched REG_SZ "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
SoundMan REG_SZ SOUNDMAN.EXE
sealmon REG_SZ C:\Program Files\SealedMedia\sealmon.exe
QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
nwiz REG_SZ nwiz.exe /install
NvMediaCenter REG_SZ RunDLL32.exe NvMCTray.dll,NvTaskbarInit
NvCplDaemon REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Maxthon Access Update REG_SZ C:\Program Files\Maxthon Access\Maxthon Access_updater.exe
Look 'n' Stop REG_SZ "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
LogitechQuickCamRibbon REG_SZ "C:\Program Files\Logitech\QuickCam 11.5\Quickcam.exe" /hide
LogitechCommunicationsManager REG_SZ "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
iTunesHelper REG_SZ "C:\Program Files\iTunes\iTunesHelper.exe"
egui REG_SZ "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
Adobe Reader Speed Launcher REG_SZ "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe REG_SZ C:\WINDOWS\system32\ctfmon.exe
PC Suite Tray REG_SZ "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
Google Update REG_SZ "C:\Documents and Settings\Sandro\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
DAEMON Tools REG_SZ "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
AnyDVD REG_SZ C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

--------------- [ Registre / Clés infectieuses ] ----------------


Présent ! - HKEY_USERS\S-1-5-21-2025429265-839522115-725345543-1003\Software\Local AppWizard-Generated Applications\winfilse
Présent ! - HKEY_USERS\S-1-5-21-2025429265-839522115-725345543-1003\Software\bisoft
Présent ! - HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\winfilse
Présent ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa
Présent ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
Présent ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa
Présent ! - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Présent ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA
Présent ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA
Présent ! - HKEY_CURRENT_USER\Software\bisoft

--------------- [ Etat / Services ] ----------------

Clé manquante : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

-> Mode sans echec non fonctionnel !!

Clé manquante : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

-> Mode sans echec non fonctionnel !!

Clé manquante : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

-> Mode sans echec non fonctionnel !!



+- Services : [ Auto=2 Demande=3 Désactivé=4 ]

/!\ Ndisuio - Type de démarrage = 4

EapHost - Type de démarrage = 3

/!\ Ip6Fw - Type de démarrage = 4

/!\ SharedAccess - Type de démarrage = 4

/!\ wuauserv - Type de démarrage = 4

/!\ wscsvc - Type de démarrage = 4



--------------- [ Recherche dans supports amovibles] ----------------


+- Informations :

C: - Fixed Drive
D: - Fixed Drive

+- presence des fichiers :



--------------- [ Registre / Moutpoint2 ] ----------------


-> Recherche négative.


------------------- ! Fin du rapport ! --------------------


Then I ran Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

6/11/2008 9:40:33
mbam-log-2008-11-06 (09-40-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 312955
Time elapsed: 3 hour(s), 16 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\drivers\downld (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\drivers\srosa.sys (Rootkit.Bagle) -> No action taken.


Can you tell me what to do now? OTMoveIt3 seems to work... but what script should I use?

Thanks a lot!
Diodorus

Re: Bagle (winfilse.exe)

Post by crazy.cat » Thu Nov 06, 2008 11:16 am

Did you follow all of amantide's instructions?
"Once installed, close all running applications and disconnect from the internet, then click the FindyKill icon and, in the DOS window that opens, type 2 and press Enter. Wait for the scan to finish and post here the log you find in C:\FindyKill.txt"
because I'd say it detected the virus but didn't remove anything.
Have you tried reinstalling the antivirus?

Do you still have the file that caused the infection?
Could you upload it to this site http://www.wikifortio.com/ and then send me a PM with the link, so I can study it better.
Thanks

Re: Bagle (winfilse.exe)

Post by Amantide » Thu Nov 06, 2008 12:04 pm

Maybe I created a bit of confusion with that 1 and 2.

So: with option 1 FindyKill searches the OS for Bagle; with option 2 it proceeds with the removal.
In the cases where I was sure it was Bagle, I had people run option 2 directly.
Now do that too, and it should remove Bagle.

Re: Bagle (winfilse.exe)

Post by diodorus » Thu Nov 06, 2008 12:13 pm

Thanks for the replies.

Yes, I'd selected 1 instead of 2 in FindyKill. Now I've redone it using 2. The PC restarted and FindyKill.
(NB: during FindyKill's red screen, Windows Disk Cleanup started, but I closed it)

----------------- FindyKill V4.095 ------------------

* User : Sandro - HOME-FUJPEALBRD
* Emplacement : C:\Program Files\FindyKill
* Outils Mis a jours le 05/11/08 par Chiquitine29
* Suppression effectuée à 11:55:17 le Thu 06/11/2008
* Windows XP - Internet Explorer 7.0.5730.13


((((((((((((((( *** Suppression *** ))))))))))))))))))


--------------- [ Processus actifs ] ----------------


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdService.exe

--------------- [ Fichiers/Dossiers infectieux ] ----------------


»»»» Suppression des fichiers dans C:


»»»» Suppression des fichiers dans C:\WINDOWS


»»»» Suppression des fichiers dans C:\WINDOWS\Prefetch


»»»» Suppression des fichiers dans C:\WINDOWS\system32


»»»» Suppression des fichiers dans C:\WINDOWS\system32\drivers

Supprimé ! - C:\WINDOWS\system32\drivers\srosa.sys
Supprimé ! - C:\WINDOWS\system32\drivers\srosa2.sys
Supprimé ! - C:\WINDOWS\system32\drivers\winfilse.exe
Supprimé ! - "C:\WINDOWS\system32\drivers\downld"

»»»» Suppression des fichiers dans C:\Documents and Settings\Sandro\Application Data


»»»» Suppression des fichiers dans C:\DOCUME~1\Sandro\LOCALS~1\Temp

Supprimé ! - C:\DOCUME~1\Sandro\LOCALS~1\Temp\Eye_Patch_{72A388DF-9888-46A6-BDF0-984514656AAD}.xml
Supprimé ! - C:\DOCUME~1\Sandro\LOCALS~1\Temp\Eye_Patch_{72A388DF-9888-46A6-BDF0-984514656AAD}.xml
Supprimé ! - C:\DOCUME~1\Sandro\LOCALS~1\Temp\PatchByFile.tmp

--------------- [ Registre / Clés infectieuses ] ----------------

Supprimé ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
Supprimé ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA
Supprimé ! - HKEY_CURRENT_USER\Software\bisoft
Supprimé ! - HKEY_USERS\S-1-5-21-2025429265-839522115-725345543-1003\Software\Local AppWizard-Generated Applications\winfilse

--------------- [ Etat / Redémarage des services ] ----------------

+- Mode sans echec restauré !

+- Services : [ Auto=2 Demande=3 Désactivé=4 ]

Ndisuio - Type de démarrage = 3

EapHost - Type de démarrage = 2

Ip6Fw - Type de démarrage = 2

SharedAccess - Type de démarrage = 2

wuauserv - Type de démarrage = 2

wscsvc - Type de démarrage = 2


--------------- [ Nettoyage des supports amovibles ] ----------------

+- Informations :

C: - Fixed Drive
D: - Fixed Drive

+- Suppression des fichiers :


--------------- [ Registre / Moutpoint2 ] ----------------


-> Recherche négative.


--------------- [ Recherche Cracks / Keygen ] ----------------

C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\#SharedObjects\V66JLANW\crackle.com
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\#SharedObjects\V66JLANW\www.crackle.com
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\#SharedObjects\V66JLANW\www.crackle.com\crackleSettings.sol
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#crackle.com
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.crackle.com
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#crackle.com\settings.sol
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.crackle.com\settings.sol
C:\Documents and Settings\Sandro\Application Data\uTorrent\ESET.NOD32.Antivirus.Business.Edition.v3.0.566.CRACKED-CU.torrent
C:\Documents and Settings\Sandro\Application Data\uTorrent\SysTools.Export.Notes.v6.5.Build.1508.Incl.Keygen-Lz0.torrent
C:\Documents and Settings\Sandro\Desktop\dvdrb\ind-dvdrb-repack\Crack
C:\Documents and Settings\Sandro\Desktop\dvdrb\ind-dvdrb-repack\Crack\Qkgp.exe
C:\Documents and Settings\Sandro\Desktop\icons\Icons\Icone (ico)\Crackz.ico
C:\Documents and Settings\Sandro\Desktop\icons\Icons\Icone (png)\Crackz.png
C:\Documents and Settings\Sandro\Desktop\installers\foxit pdf editor 2.0\Crack
C:\Documents and Settings\Sandro\Desktop\installers\foxit pdf editor 2.0\Crack\pedkey.txt
C:\Documents and Settings\Sandro\Desktop\installers\Trivial Pursuit Unlimited (IT)\Istruzioni\Crack
C:\Documents and Settings\Sandro\Desktop\installers\Trivial Pursuit Unlimited (IT)\Istruzioni\Crack\TPPCItalian.exe
C:\Documents and Settings\Sandro\Desktop\systools\cracked.nfo
C:\Documents and Settings\Sandro\Local Settings\Temporary Internet Files\Content.IE5\1SDC28XS\sarahcracknell[1].htm


---------------- ! Fin du rapport ! ------------------


Now do I start Malwarebytes? Or do I need to restart first?

PS: crazy.cat: I'm sending the link to the suspected infected file via PM

Re: Bagle (winfilse.exe)

Post by Amantide » Thu Nov 06, 2008 2:08 pm

diodorus wrote: Now do I start Malwarebytes? Or do I need to restart first?

Malwarebytes didn't detect anything that wasn't part of Bagle, and now that Bagle has been removed by FindyKill, there's no point in running it again.

Re: Bagle (winfilse.exe)

Post by diodorus » Thu Nov 06, 2008 5:36 pm

Indeed, it hadn't found anything.

But when I restart, BAGLE comes back. A little flight-trajectory analysis program (???) opens, and everything is as it was at the start. Avenger won't open, Spybot likewise...

I've just re-run FindyKill (option 2):

----------------- FindyKill V4.095 ------------------

* User : Sandro - HOME-FUJPEALBRD
* Emplacement : C:\Program Files\FindyKill
* Outils Mis a jours le 05/11/08 par Chiquitine29
* Suppression effectuée à 17:24:41 le Thu 06/11/2008
* Windows XP - Internet Explorer 7.0.5730.13


((((((((((((((( *** Suppression *** ))))))))))))))))))


--------------- [ Processus actifs ] ----------------


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdService.exe

--------------- [ Fichiers/Dossiers infectieux ] ----------------


»»»» Suppression des fichiers dans C:


»»»» Suppression des fichiers dans C:\WINDOWS


»»»» Suppression des fichiers dans C:\WINDOWS\Prefetch

Supprimé ! - C:\WINDOWS\prefetch\MDELK.EXE-238AA5EF.pf
Supprimé ! - C:\WINDOWS\prefetch\WINTEMS.EXE-26D98C75.pf

»»»» Suppression des fichiers dans C:\WINDOWS\system32


»»»» Suppression des fichiers dans C:\WINDOWS\system32\drivers

Supprimé ! - "C:\WINDOWS\system32\drivers\downld"

»»»» Suppression des fichiers dans C:\Documents and Settings\Sandro\Application Data


»»»» Suppression des fichiers dans C:\DOCUME~1\Sandro\LOCALS~1\Temp


--------------- [ Registre / Clés infectieuses ] ----------------

Supprimé ! - HKEY_CURRENT_USER\Software\bisoft

--------------- [ Etat / Redémarage des services ] ----------------


+- Services : [ Auto=2 Demande=3 Désactivé=4 ]

Ndisuio - Type de démarrage = 3

EapHost - Type de démarrage = 2

Ip6Fw - Type de démarrage = 2

SharedAccess - Type de démarrage = 2

wuauserv - Type de démarrage = 2

wscsvc - Type de démarrage = 2


--------------- [ Nettoyage des supports amovibles ] ----------------

+- Informations :

C: - Fixed Drive
D: - Fixed Drive

+- Suppression des fichiers :


--------------- [ Registre / Moutpoint2 ] ----------------


-> Recherche négative.


--------------- [ Recherche Cracks / Keygen ] ----------------

C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\#SharedObjects\V66JLANW\crackle.com
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\#SharedObjects\V66JLANW\www.crackle.com
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\#SharedObjects\V66JLANW\www.crackle.com\crackleSettings.sol
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#crackle.com
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.crackle.com
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#crackle.com\settings.sol
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.crackle.com\settings.sol
C:\Documents and Settings\Sandro\Application Data\uTorrent\ESET.NOD32.Antivirus.Business.Edition.v3.0.566.CRACKED-CU.torrent
C:\Documents and Settings\Sandro\Application Data\uTorrent\SysTools.Export.Notes.v6.5.Build.1508.Incl.Keygen-Lz0.torrent
C:\Documents and Settings\Sandro\Desktop\dvdrb\ind-dvdrb-repack\Crack
C:\Documents and Settings\Sandro\Desktop\dvdrb\ind-dvdrb-repack\Crack\Qkgp.exe
C:\Documents and Settings\Sandro\Desktop\icons\Icons\Icone (ico)\Crackz.ico
C:\Documents and Settings\Sandro\Desktop\icons\Icons\Icone (png)\Crackz.png
C:\Documents and Settings\Sandro\Desktop\installers\foxit pdf editor 2.0\Crack
C:\Documents and Settings\Sandro\Desktop\installers\foxit pdf editor 2.0\Crack\pedkey.txt
C:\Documents and Settings\Sandro\Desktop\installers\Trivial Pursuit Unlimited (IT)\Istruzioni\Crack
C:\Documents and Settings\Sandro\Desktop\installers\Trivial Pursuit Unlimited (IT)\Istruzioni\Crack\TPPCItalian.exe


---------------- ! Fin du rapport ! ------------------


Does anyone have any ideas? I'm desperate, I have to finish a job on that computer! [cry]

Thanks,
diodorus

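The three FindyKill reports in this thread are read the same way every time: "Présent !" lines for Bagle's files and registry keys in a search run (srosa.sys, winfilse.exe, the downld folder, HKCU\Software\bisoft), "Supprimé !" lines in a removal run, the missing SafeBoot keys that explain why safe mode will not start, and the services Bagle sets to start type 4 (Windows Update, Security Center, the XP firewall). What the last post shows is the other thing worth checking mechanically: a second removal run, after a reboot, deleting the same downld folder and bisoft key again, which means something is recreating them. The script below is an added example, not part of the original posts or of FindyKill: it extracts those items from a report, tells a search run (option 1) from a removal run (option 2), and lists the markers that two removal runs both had to delete. The abbreviated reports embedded in it are constructed from the logs posted above; the regular expressions and the "recurring marker" heuristic are mine.

```python
"""Triage of FindyKill reports (added example; not part of the thread or of FindyKill).

Extracts the markers FindyKill flags ("Présent !" in a search run, "Supprimé !" in a
removal run), the SafeBoot keys it reports missing ("Clé manquante") and the services
it prints with start type 4 (Désactivé). Two removal runs can then be compared: markers
deleted in both were recreated in between, so the dropper is still being executed.
"""
import re
from dataclasses import dataclass, field

# Line shapes as FindyKill prints them; the regexes are mine, derived from the posted logs.
MARKER_RE = re.compile(r'^(Présent|Supprimé) !\s*(?:\[[^\]]*\]\s*)?-\s*"?(.+?)"?\s*$')
MISSING_KEY_RE = re.compile(r'^Clé manquante\s*:\s*(\S.*)$')
SERVICE_RE = re.compile(r'^(?:/!\\\s*)?(\S+)\s*-\s*Type de démarrage\s*=\s*(\d)$')
DISABLED = 4  # FindyKill legend: Auto=2 Demande=3 Désactivé=4


@dataclass
class Triage:
    mode: str = "unknown"                          # "search" (option 1) or "removal" (option 2)
    found: list = field(default_factory=list)      # "Présent !" entries, surrounding quotes stripped
    removed: list = field(default_factory=list)    # "Supprimé !" entries
    missing_keys: list = field(default_factory=list)
    disabled_services: list = field(default_factory=list)
    safe_mode_restored: bool = False


def triage_findykill(report: str) -> Triage:
    t = Triage()
    for raw in report.splitlines():
        line = raw.strip()
        if "*** Recherche ***" in line:
            t.mode = "search"
        elif "*** Suppression ***" in line:
            t.mode = "removal"
        elif "Mode sans echec restauré" in line:
            t.safe_mode_restored = True
        m = MARKER_RE.match(line)
        if m:
            (t.found if m.group(1) == "Présent" else t.removed).append(m.group(2))
            continue
        m = MISSING_KEY_RE.match(line)
        if m:
            t.missing_keys.append(m.group(1))
            continue
        m = SERVICE_RE.match(line)
        if m and int(m.group(2)) == DISABLED:
            t.disabled_services.append(m.group(1))
    return t


def classify(t: Triage) -> str:
    """Map a triaged report onto the advice given in the thread."""
    if t.mode == "search":
        if t.found or t.missing_keys or t.disabled_services:
            return "infected: option 1 only searched, rerun FindyKill with option 2"
        return "no Bagle markers found"
    if t.mode == "removal":
        return "removed %d item(s)" % len(t.removed) if t.removed else "nothing left to remove"
    return "unrecognised report"


def recurring_markers(previous: Triage, current: Triage) -> set:
    """Markers deleted by both of two removal runs: they were recreated between the
    runs (in the thread: across a reboot), so deleting them again will not help."""
    if previous.mode != "removal" or current.mode != "removal":
        return set()
    return set(previous.removed) & set(current.removed)


# Constructed: abbreviated from the three reports posted in this thread.
SEARCH_REPORT = r"""
((((((((((((((((( *** Recherche *** ))))))))))))))))))
Présent ! [06/11/2008 00:51] - C:\WINDOWS\system32\drivers\srosa.sys
Présent ! [08/10/2004 04:05] - C:\WINDOWS\system32\drivers\winfilse.exe
Présent ! [06/11/2008 00:51] - "C:\WINDOWS\system32\drivers\downld"
Présent ! - HKEY_CURRENT_USER\Software\bisoft
Clé manquante : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
+- Services : [ Auto=2 Demande=3 Désactivé=4 ]
/!\ wuauserv - Type de démarrage = 4
/!\ wscsvc - Type de démarrage = 4
EapHost - Type de démarrage = 3
"""
FIRST_REMOVAL = r"""
((((((((((((((( *** Suppression *** ))))))))))))))))))
Supprimé ! - C:\WINDOWS\system32\drivers\srosa.sys
Supprimé ! - C:\WINDOWS\system32\drivers\winfilse.exe
Supprimé ! - "C:\WINDOWS\system32\drivers\downld"
Supprimé ! - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srosa
Supprimé ! - HKEY_CURRENT_USER\Software\bisoft
+- Mode sans echec restauré !
wuauserv - Type de démarrage = 2
"""
SECOND_REMOVAL = r"""
((((((((((((((( *** Suppression *** ))))))))))))))))))
Supprimé ! - C:\WINDOWS\prefetch\WINTEMS.EXE-26D98C75.pf
Supprimé ! - "C:\WINDOWS\system32\drivers\downld"
Supprimé ! - HKEY_CURRENT_USER\Software\bisoft
"""

if __name__ == "__main__":
    first, second = triage_findykill(FIRST_REMOVAL), triage_findykill(SECOND_REMOVAL)
    print(classify(triage_findykill(SEARCH_REPORT)))
    print(classify(first), "|", classify(second))
    print("came back after reboot:", sorted(recurring_markers(first, second)))
```

Run against the full reports, the script reproduces the thread so far: the first run is a search with four markers, one missing SafeBoot key and five disabled services; the removal run deletes everything and restores safe mode; the next removal run, after the reboot, still has to delete downld and HKCU\Software\bisoft, which is the signal that something outside FindyKill's list is re-dropping them.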
Re: Bagle (winfilse.exe)

Post by Amantide » Thu Nov 06, 2008 5:40 pm

Are you sure you haven't tried running/installing some little program? [uhm]

Download the renamed ComboFix from here and run the scan following these instructions (at the bottom). When the scan finishes, the report file C:\combofix.txt will be created; paste its contents here.

Re: Bagle (winfilse.exe)

Post by diodorus » Thu Nov 06, 2008 6:26 pm

No, I haven't run anything... if anything, I've uninstalled a few things (including NOD32, which wasn't working any more... shouldn't I have?)

ComboFix:

ComboFix 08-10-17.01 - Sandro 2008-11-06 17:59:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.677 [GMT 1:00]
Running from: C:\Documents and Settings\Sandro\Desktop\pincopallino.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\drivers\downld

.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-05 21:21 . 2008-11-05 21:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-05 21:21 . 2008-11-05 21:21 <DIR> d-------- C:\Documents and Settings\Sandro\Application Data\Malwarebytes
2008-11-05 21:21 . 2008-11-05 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-05 21:21 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-11-05 21:21 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-11-05 21:18 . 2008-11-06 17:27 <DIR> d-------- C:\Program Files\FindyKill
2008-11-05 20:14 . 2008-11-05 20:14 135,168 --a------ C:\zip.exe
2008-11-05 20:14 . 2008-11-05 20:14 61,440 --a------ C:\WINDOWS\system32\drivers\hjebhcc.sys
2008-11-05 19:00 . 2008-11-05 19:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-11-05 17:49 . 2008-11-05 17:49 <DIR> d-------- C:\fsaua.data
2008-11-05 17:41 . 2008-11-05 20:49 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-11-04 17:27 . 2008-11-04 17:29 207 --a------ C:\WINDOWS\EurekaLog.ini
2008-11-04 15:33 . 2008-11-04 15:33 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-11-04 13:07 . 2008-11-04 13:07 <DIR> d-------- C:\Documents and Settings\Sandro\Application Data\DAEMON Tools
2008-11-02 16:11 . 2008-11-02 16:11 <DIR> d-------- C:\Documents and Settings\Sandro\Application Data\ScummVM
2008-10-27 22:35 . 2008-10-27 22:35 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-10-27 22:35 . 2008-10-27 22:37 <DIR> d-------- C:\Documents and Settings\Sandro\Application Data\FileZilla
2008-10-27 19:07 . 2008-10-27 19:07 <DIR> d-------- C:\Program Files\Fortop Digital
2008-10-27 18:11 . 2008-10-27 18:13 <DIR> d-------- C:\Documents and Settings\Sandro\Application Data\vlc
2008-10-24 16:28 . 2008-10-15 17:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-24 16:26 . 2008-10-24 16:26 <DIR> d-------- C:\Documents and Settings\Sandro\Application Data\progeSOFT
2008-10-24 16:24 . 2007-03-20 14:56 2,134,016 --a------ C:\WINDOWS\system32\cdintf251.dll
2008-10-24 16:23 . 2008-10-24 16:23 <DIR> d-------- C:\Program Files\progeSOFT
2008-10-24 16:23 . 1998-04-24 23:00 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2008-10-24 16:23 . 1999-11-08 12:45 339,968 --a------ C:\WINDOWS\system32\Slide.ocx
2008-10-24 16:23 . 1999-07-21 16:25 274,432 --a------ C:\WINDOWS\system32\DwgThumbnail.ocx
2008-10-24 16:23 . 2004-10-20 07:54 61,440 --a------ C:\WINDOWS\system32\wintab32.dll
2008-10-23 15:27 . 2008-09-08 11:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-23 15:26 . 2008-08-14 11:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-23 15:26 . 2008-08-14 11:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-23 15:26 . 2008-08-14 10:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-23 15:26 . 2008-08-14 10:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-23 15:26 . 2008-09-15 13:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 16:24 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-11-06 16:23 --------- d-----w C:\Documents and Settings\Sandro\Application Data\uTorrent
2008-11-06 16:18 --------- d-----w C:\Program Files\Common Files\Real
2008-11-06 16:15 --------- d-----w C:\Program Files\JAlbum7.2
2008-11-06 16:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-06 16:10 --------- d-----w C:\Documents and Settings\Sandro\Application Data\MxBoost
2008-11-06 16:06 --------- d-----w C:\Program Files\SealedMedia
2008-11-06 16:04 --------- d-----w C:\Program Files\ESET
2008-11-05 18:06 --------- d-----w C:\Program Files\Lavasoft
2008-11-05 18:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-11-05 15:58 --------- d-----w C:\Program Files\eMule
2008-11-05 00:32 --------- d-----w C:\Documents and Settings\Sandro\Application Data\Skype
2008-11-05 00:30 --------- d-----w C:\Documents and Settings\Sandro\Application Data\skypePM
2008-11-04 16:27 --------- d-----w C:\Program Files\Your Uninstaller 2006
2008-11-04 16:25 --------- d-----w C:\Program Files\Google
2008-11-04 14:40 --------- d-----w C:\Documents and Settings\Sandro\Application Data\dvdcss
2008-11-04 12:07 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-11-04 12:07 --------- d-----w C:\Program Files\DAEMON Tools
2008-10-31 13:26 --------- d-----w C:\Program Files\Mozilla Thunderbird 2
2008-10-29 22:04 --------- d-----w C:\Documents and Settings\Sandro\Application Data\Vso
2008-10-27 18:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-24 08:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-23 19:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-29 14:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-09-29 12:32 --------- d-----w C:\Program Files\DVD-RB PRO
2008-09-29 12:21 --------- d-----w C:\Program Files\Custom Technology
2008-09-24 19:48 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-09-24 19:48 361,600 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-02-21 21:28 87,608 ----a-w C:\Documents and Settings\Sandro\Application Data\inst.exe
2008-02-21 21:28 47,360 ----a-w C:\Documents and Settings\Sandro\Application Data\pcouffin.sys
2008-01-30 18:38 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-11-14 09:50 54 ----a-w C:\Documents and Settings\Sandro\aaa.cmd
2007-08-27 05:23 9 ----a-w C:\Documents and Settings\Sandro\Application Data\mdb.bin
2008-02-07 18:04 608 --sha-w C:\WINDOWS\system32\winzvprt5.sys
.

------- Sigcheck -------

2005-05-25 20:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 18:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 11:44 360960 744e57c99232201ae98c49168b918f48 C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-08-02 08:12 360320 3adce4790f591bf160a94f6f08039577 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2006-02-07 12:29 359808 77c0c5e7d6cfe2052b8cf28b8722f528 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-06-04 15:43 359808 19f73560b94f2970df11d05b9cb04854 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-07-17 08:33 359808 8d8949936913b041c6a0e184fbf1030b C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys
2008-02-09 10:02 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-09-24 20:48 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-09-24 20:48 361600 d24ea301e2b36c4e975fd216ca85d8e7 C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="C:\Documents and Settings\Sandro\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2004-10-08 798728]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2004-10-08 798728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 413696]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 7700480]
"Look 'n' Stop"="C:\Program Files\Soft4Ever\looknstop\looknstop.exe" [2006-11-29 368710]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam 11.5\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2006-10-22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 C:\WINDOWS\system32\nvmctray.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="C:\Program Files\Common Files\logishrd\WUApp32.exe" [2007-10-12 439568]
"RunNarrator"="Narrator.exe" [2008-04-14 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Sandro\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 110592]
utorrent.lnk - C:\Program Files\uTorrent\utorrent.exe [2005-10-30 270128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"Intellimenus"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.CDVC"= cdvccodc.dll
"vidc.DVIM"= dvifrmu.dll
"vidc.dvsd"= pdvcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 lnsfw1;lnsfw1;C:\WINDOWS\system32\drivers\lnsfw1.sys [2006-11-29 76160]
R2 WebDriveFSD;WebDrive File System Driver;C:\Program Files\WebDrive\wdfsd.sys [2006-09-07 166912]
S3 camvid20;Philips ToUcam Camera; Video;C:\WINDOWS\system32\DRIVERS\camdrv21.sys [ ]
S3 krdpdre;krdpdre;C:\DOCUME~1\Sandro\LOCALS~1\Temp\krdpdre.sys [ ]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2003-04-04 30336]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2005-08-16 18432]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d278bad5-0d0a-11da-bab7-806d6172696f}]
\Shell\AutoRun\command - E:\Bin\Assetup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-10-31 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe []

2008-10-31 C:\WINDOWS\Tasks\1-Klick-Wartung.job
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe []

2008-11-03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-11-06 C:\WINDOWS\Tasks\GoogleUpdateTaskUser.job
- C:\Documents and Settings\Sandro\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2004-10-08 04:05]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.nl/
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{2ABA5A4B-E4EE-451B-90CC-4BBCC8C9384A}: NameServer = 192.168.1.254

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://foto.hema.nl/ips-opdata/layout/h ... jordan.cab
C:\WINDOWS\Downloaded Program Files\jordanapplet.inf
C:\Program Files\Java\jre1.5.0_06\bin\unicows.dll
C:\WINDOWS\Downloaded Program Files\JordanApplet.dll

O16 -: {4819DFDF-ABC4-488C-A323-919848C51175} - C:\WINDOWS\Downloaded Program Files\rineraproxy.inf

- hxxp://portal3.rinera.com/download/RineraProxy-1.4.cab

O16 -: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} - hxxp://www.cyclomedia.nl/download/compo ... peLite.cab
C:\WINDOWS\Downloaded Program Files\CycloScopeLite0.inf
C:\WINDOWS\system32\ir50_32.dll
C:\WINDOWS\Downloaded Program Files\NetConnectorLite.dll
C:\WINDOWS\Downloaded Program Files\CM_RowsetTransform.dll
C:\WINDOWS\Downloaded Program Files\CM_RecordingLocationDBC.dll
C:\WINDOWS\Downloaded Program Files\CM_RecordingLocationDAL2.dll
C:\WINDOWS\Downloaded Program Files\CM_RecordingLocationService2.dll
C:\WINDOWS\Downloaded Program Files\CM_ImageDirectoryDBC.dll
C:\WINDOWS\Downloaded Program Files\CM_ImageDirectoryDAL2.dll
C:\WINDOWS\Downloaded Program Files\CM_ImageDirectoryService2.dll
C:\WINDOWS\Downloaded Program Files\CM_AuthorizationProxy2.dll
C:\WINDOWS\Downloaded Program Files\CM_ADOConnector.dll
C:\WINDOWS\Downloaded Program Files\CycloFocus.dll
C:\WINDOWS\Downloaded Program Files\Ms_dcp1x.dll
C:\WINDOWS\Downloaded Program Files\HvPix1x.dll
C:\WINDOWS\Downloaded Program Files\CycloScopeLite0.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 18:01:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-06 18:20:24
ComboFix-quarantined-files.txt 2008-11-06 17:20:22

Pre-Run: 8,199,630,848 bytes free
Post-Run: 8,195,579,904 bytes free

238 --- E O F --- 2008-10-26 14:10:59


OK?

thanks!!!

edit: I restarted: this flight analyzer starts up again... and I saw that its process is anydvd (??)
diodorus
New member
Posts: 13
Joined: Wed Nov 05, 2008 9:50 pm

Re: Bagle (winfilse.exe)

Post by Amantide » Thu Nov 06, 2008 7:20 pm

I think Bagle, as usual, has infected some auto-start processes, and neither FindyKill nor Malwarebytes managed to detect them.

In the meantime, delete this file "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" (you will have to reinstall the program afterwards) and run a scan with Kaspersky online. Post its scan report here.
...to fly high, you have to know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Re: Bagle (winfilse.exe)

Post by diodorus » Thu Nov 06, 2008 8:32 pm

Kaspersky online freezes halfway through.
I'm trying with F-Secure... or can you suggest a better alternative?

edit: F-Secure freezes too, it says it's corrupted...!!

thanks,
diodorus

Re: Bagle (winfilse.exe)

Post by Amantide » Thu Nov 06, 2008 8:38 pm

Try Panda online, although I don't remember whether it lets you save the scan report. Also take a look here. The important thing is to figure out whether any other infected file is left on the PC.

In the meantime, have you deleted anydvd.exe and tried rebooting the PC?

Re: Bagle (winfilse.exe)

Post by diodorus » Thu Nov 06, 2008 8:46 pm

yes, I deleted anydvd but I hadn't rebooted. I'll reboot now and try an online virus scan again

thanks

Re: Bagle (winfilse.exe)

Post by diodorus » Thu Nov 06, 2008 8:56 pm

nothing: Panda and BitDefender freeze too....!!! [B)]

Re: Bagle (winfilse.exe)

Post by Amantide » Thu Nov 06, 2008 9:14 pm

Does the scan freeze on any particular file?

As for Bagle, does it keep reinstalling itself after the PC reboots?
Which antivirus do you have now? NOD? Or haven't you reinstalled it yet?
If you haven't reinstalled it yet, I suggest trying Avira. Either way, reboot the PC in safe mode and run a full scan with the antivirus installed on the PC.

Re: Bagle (winfilse.exe)

Post by diodorus » Thu Nov 06, 2008 9:43 pm

I installed Avira but then it won't start.
safe mode doesn't boot... it always goes back to the options screen (safe/normal/...)
[...]

edit: Windows started again (in normal mode) and Avira seems active. I'm running a scan.....!

Re: Bagle (winfilse.exe)

Post by diodorus » Fri Nov 07, 2008 8:29 am

here is the Avira log (normal mode, since it wouldn't start in safe mode):

Avira AntiVir Personal
Report file date: Thursday, November 06, 2008 23:39

Scanning for 1010941 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: HOME-FUJPEALBRD

Version information:
BUILD.DAT : 8.2.0.334 16933 Bytes 10/16/2008 14:55:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 09:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 08:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 13:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 08:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 22:36:44
ANTIVIR1.VDF : 7.1.0.21 130560 Bytes 10/31/2008 22:36:45
ANTIVIR2.VDF : 7.1.0.44 139264 Bytes 11/6/2008 22:36:45
ANTIVIR3.VDF : 7.1.0.49 16384 Bytes 11/6/2008 22:36:46
Engineversion : 8.2.0.26
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 11:05:56
AESCRIPT.DLL : 8.1.1.13 332156 Bytes 11/6/2008 22:36:51
AESCN.DLL : 8.1.1.3 123252 Bytes 10/14/2008 11:05:56
AERDL.DLL : 8.1.1.3 438645 Bytes 11/6/2008 22:36:50
AEPACK.DLL : 8.1.3.3 393591 Bytes 11/6/2008 22:36:50
AEOFFICE.DLL : 8.1.0.29 196988 Bytes 11/6/2008 22:36:49
AEHEUR.DLL : 8.1.0.68 1479029 Bytes 11/6/2008 22:36:49
AEHELP.DLL : 8.1.1.2 115062 Bytes 10/14/2008 11:05:56
AEGEN.DLL : 8.1.0.43 319862 Bytes 11/6/2008 22:36:48
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 11:05:56
AECORE.DLL : 8.1.2.9 172407 Bytes 11/6/2008 22:36:47
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 11:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 09:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 10:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 11/6/2008 22:36:47
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 12:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 09:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 13:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 18:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 13:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 13:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 14:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 14:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, November 06, 2008 23:39

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'WLLoginProxy.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'COCIManager.exe' - '1' Module(s) have been scanned
Scan process 'LVComSer.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'wdService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spnsrvnt.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'LVComSer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'looknstop.exe' - '1' Module(s) have been scanned
Scan process 'soundman.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'LVPrcSrv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
35 processes with 35 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '58' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Sandro\Desktop\dvdrb\ind-dvdrb-repack.rar
[0] Archive type: RAR
--> Crack\Qkgp.exe
[1] Archive type: RSRC
--> Object
[DETECTION] Is the TR/BHO.fvp Trojan
[NOTE] The file was deleted!
C:\Documents and Settings\Sandro\Desktop\dvdrb\ind-dvdrb-repack\Crack\Qkgp.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/BHO.fvp Trojan
[NOTE] The file was moved to '497a747e.qua'!
C:\Documents and Settings\Sandro\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[DETECTION] Is the TR/Dldr.Bagle.afk Trojan
[NOTE] The file was moved to '498275fe.qua'!
C:\Program Files\DVD-RB PRO\Qkgp.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/BHO.fvp Trojan
[NOTE] The file was moved to '497a7aca.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.zip
[0] Archive type: ZIP
--> srosa.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4982e2a1.qua'!
C:\System Volume Information\_restore{194BFC5C-B827-40F5-BACA-88C15388ABBE}\RP2\A0000057.exe
[DETECTION] Is the TR/Dldr.Bagle.afk Trojan
[NOTE] The file was moved to '4943e26f.qua'!
C:\System Volume Information\_restore{194BFC5C-B827-40F5-BACA-88C15388ABBE}\RP2\A0000073.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '48c0ddb8.qua'!
C:\System Volume Information\_restore{194BFC5C-B827-40F5-BACA-88C15388ABBE}\RP2\A0000078.exe
[DETECTION] Is the TR/Dldr.Bagle.afk Trojan
[NOTE] The file was moved to '4943e270.qua'!
C:\System Volume Information\_restore{194BFC5C-B827-40F5-BACA-88C15388ABBE}\RP2\A0000106.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '4943e271.qua'!
C:\System Volume Information\_restore{194BFC5C-B827-40F5-BACA-88C15388ABBE}\RP2\A0000164.exe
[DETECTION] Is the TR/Dldr.Bagle.afk Trojan
[NOTE] The file was moved to '4943e273.qua'!
C:\System Volume Information\_restore{194BFC5C-B827-40F5-BACA-88C15388ABBE}\RP3\A0000216.exe
[DETECTION] Is the TR/Dldr.Bagle.afk Trojan
[NOTE] The file was moved to '4943e275.qua'!
C:\System Volume Information\_restore{194BFC5C-B827-40F5-BACA-88C15388ABBE}\RP3\A0000218.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to '48c0ddbe.qua'!
C:\System Volume Information\_restore{194BFC5C-B827-40F5-BACA-88C15388ABBE}\RP3\A0000245.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/BHO.fvp Trojan
[NOTE] The file was moved to '4943e277.qua'!
C:\System Volume Information\_restore{194BFC5C-B827-40F5-BACA-88C15388ABBE}\RP3\A0000246.exe
[DETECTION] Is the TR/Dldr.Bagle.afk Trojan
[NOTE] The file was moved to '48c0ddb0.qua'!
C:\System Volume Information\_restore{194BFC5C-B827-40F5-BACA-88C15388ABBE}\RP3\A0000247.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/BHO.fvp Trojan
[NOTE] The file was moved to '4943e279.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\winfilse.exe
[DETECTION] Is the TR/Dldr.Bagle.afk Trojan
[NOTE] The file was moved to '4981e646.qua'!
Begin scan in 'D:\' <Local Disk>


End of the scan: Friday, November 07, 2008 07:57
Used time: 8:18:27 Hour(s)

The scan has been done completely.

22914 Scanning directories
709077 Files were scanned
16 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
1 files were deleted
0 files were repaired
15 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
709059 Files not concerned
2990 Archives were scanned
2 Warnings
16 Notes


and now..?

diodorus

Re: Bagle (winfilse.exe)

Post by Amantide » Fri Nov 07, 2008 2:29 pm

Avira detected another Bagle-infected file in auto-start besides AnyDVD.exe, this one:
C:\Documents and Settings\Sandro\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

Now run option 2 of FindyKill again; it should restore the services disabled by Bagle and maybe it will (re)find something else that Avira didn't see.

Re: Bagle (winfilse.exe)

Post by diodorus » Fri Nov 07, 2008 3:31 pm

FindyKill says:

----------------- FindyKill V4.095 ------------------

* User : Sandro - HOME-FUJPEALBRD
* Emplacement : C:\Program Files\FindyKill
* Outils Mis a jours le 05/11/08 par Chiquitine29
* Suppression effectuée à 15:08:45 le Fri 07/11/2008
* Windows XP - Internet Explorer 7.0.5730.13


((((((((((((((( *** Suppression *** ))))))))))))))))))


--------------- [ Processus actifs ] ----------------


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdService.exe

--------------- [ Fichiers/Dossiers infectieux ] ----------------


»»»» Suppression des fichiers dans C:


»»»» Suppression des fichiers dans C:\WINDOWS


»»»» Suppression des fichiers dans C:\WINDOWS\Prefetch

Supprimé ! - C:\WINDOWS\prefetch\WINTEMS.EXE-26D98C75.pf

»»»» Suppression des fichiers dans C:\WINDOWS\system32


»»»» Suppression des fichiers dans C:\WINDOWS\system32\drivers

Supprimé ! - C:\WINDOWS\system32\drivers\srosa.sys
Supprimé ! - C:\WINDOWS\system32\drivers\srosa2.sys
Supprimé ! - "C:\WINDOWS\system32\drivers\downld"

»»»» Suppression des fichiers dans C:\Documents and Settings\Sandro\Application Data


»»»» Suppression des fichiers dans C:\DOCUME~1\Sandro\LOCALS~1\Temp


--------------- [ Registre / Clés infectieuses ] ----------------

Supprimé ! - HKEY_CURRENT_USER\Software\bisoft
Supprimé ! - HKEY_USERS\S-1-5-21-2025429265-839522115-725345543-1003\Software\Local AppWizard-Generated Applications\winfilse

--------------- [ Etat / Redémarage des services ] ----------------

+- Mode sans echec restauré !

+- Services : [ Auto=2 Demande=3 Désactivé=4 ]

Ndisuio - Type de démarrage = 3

EapHost - Type de démarrage = 2

Ip6Fw - Type de démarrage = 2

SharedAccess - Type de démarrage = 2

wuauserv - Type de démarrage = 2

wscsvc - Type de démarrage = 2


--------------- [ Nettoyage des supports amovibles ] ----------------

+- Informations :

C: - Fixed Drive
D: - Fixed Drive

+- Suppression des fichiers :


--------------- [ Registre / Moutpoint2 ] ----------------


-> Recherche négative.


--------------- [ Recherche Cracks / Keygen ] ----------------

C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\#SharedObjects\V66JLANW\crackle.com
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\#SharedObjects\V66JLANW\www.crackle.com
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\#SharedObjects\V66JLANW\www.crackle.com\crackleSettings.sol
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#crackle.com
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.crackle.com
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#crackle.com\settings.sol
C:\Documents and Settings\Sandro\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.crackle.com\settings.sol
C:\Documents and Settings\Sandro\Application Data\uTorrent\ESET.NOD32.Antivirus.Business.Edition.v3.0.566.CRACKED-CU.torrent
C:\Documents and Settings\Sandro\Application Data\uTorrent\SysTools.Export.Notes.v6.5.Build.1508.Incl.Keygen-Lz0.torrent
C:\Documents and Settings\Sandro\Desktop\dvdrb\ind-dvdrb-repack\Crack
C:\Documents and Settings\Sandro\Desktop\icons\Icons\Icone (ico)\Crackz.ico
C:\Documents and Settings\Sandro\Desktop\icons\Icons\Icone (png)\Crackz.png
C:\Documents and Settings\Sandro\Desktop\installers\foxit pdf editor 2.0\Crack
C:\Documents and Settings\Sandro\Desktop\installers\foxit pdf editor 2.0\Crack\pedkey.txt
C:\Documents and Settings\Sandro\Desktop\installers\Trivial Pursuit Unlimited (IT)\Istruzioni\Crack
C:\Documents and Settings\Sandro\Desktop\installers\Trivial Pursuit Unlimited (IT)\Istruzioni\Crack\TPPCItalian.exe


---------------- ! Fin du rapport ! ------------------


is it still there??

ps: after the restart, FindyKill says something like "fichiers temporanee" and meanwhile the Windows Disk Cleanup starts. Was I right to close it (the Disk Cleanup)?

edit: Kaspersky online still freezes, and this is the error:

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Invalid file signature]


edit: Kaspersky online has started now!

Re: Bagle (winfilse.exe)

Post by Amantide » Fri Nov 07, 2008 3:50 pm

diodorus wrote: is it still there??

Yes, but I hope it's just leftover files.

ps: after the restart, FindyKill says something like "fichiers temporanee" and meanwhile the Windows Disk Cleanup starts. Was I right to close it (the Disk Cleanup)?

I don't know French, but going by intuition I'd say FindyKill uses the tool built into Windows to clean the temporary file folders; I think you shouldn't have stopped it.

edit: Kaspersky online still freezes, and this is the error:

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Invalid file signature]

The error is too generic, so I couldn't say where the problem is [boh]

Re: Bagle (winfilse.exe)

Post by diodorus » Fri Nov 07, 2008 8:41 pm

Kaspersky online finally started. this is the result:

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, November 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 07, 2008 13:10:54
Records in database: 1373649


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned 268443
Threat name 2
Infected objects 3
Suspicious objects 0
Duration of the scan 04:42:33

File name Threat name Threats count
C:\Documents and Settings\Sandro\Desktop\bag\FindyKill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k 1

C:\Program Files\FindyKill\Tools\hldrrr.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k 1

C:\WINDOWS\system32\wdcl32.dll Infected: not-a-virus:AdWare.Win32.Altnet.s 1

The selected area was scanned.


FindyKill?? [uhm]

and these online scanners, do they only detect, or do they clean too?

thanks again!