www.MegaLab.it

da **peolo_82** » mer nov 19, 2008 8:59 pm

Ciao a tutti ho un problema. Quando ho acceso il pc mi è comparso un programma che scansionava il mio disco rigido senza che potessi diasttivarlo poi dopo un po' di tempo ha terminato la scansione ed è stato possibile chiuderlo.Scrivendo su google il nome del programma nn mi faceva aprire le pagine riguardanti la rimozione di questo virus potete aiutarmi per favore? Grazie

da **ste_95** » mer nov 19, 2008 9:17 pm

Scarica HijackThis
Salvalo in una cartella (non aprirlo direttamente, sennò non farà i backup!)
Apri l'eseguibile
Clicca quindi su "Do a System Scan and Save a Logfile"
Attendi che finisca la scansione
Posta sul forum il risultato facendo attenzione a queste regole.

da **peolo_82** » mer nov 19, 2008 10:53 pm

Ciao ste ho fatto la scansione con hijackthis eccola. Grazie

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.52.11, on 19/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\wscntfy.exe
G:\Programmi\Eset\nod32krn.exe
G:\WINDOWS\explorer.exe
G:\Programmi\Eset\nod32kui.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
G:\Programmi\Windows Live\Messenger\usnsvc.exe
G:\Programmi\Windows Live\Messenger\msnmsgr.exe
G:\Programmi\Internet Explorer\IEXPLORE.EXE
G:\Documents and Settings\Paolo\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - G:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - G:\Programmi\Applications\iebt.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "G:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [avgnt] "G:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "G:\WINDOWS\TEMP\E_S106.tmp" /EF "HKCU"
O4 - HKLM\..\Policies\Explorer\Run: [akZKq3AO4K] G:\Documents and Settings\All Users\Dati applicazioni\qdevgbgh\qhcxczix.exe
O4 - HKLM\..\Policies\Explorer\Run: [smile] G:\Programmi\Applications\wcs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = G:\Programmi\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04CA3BF6-B950-4053-B724-83D7DBF66271}: NameServer = 85.37.17.49 85.38.28.91
O17 - HKLM\System\CS1\Services\Tcpip\..\{04CA3BF6-B950-4053-B724-83D7DBF66271}: NameServer = 85.37.17.49 85.38.28.91
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - G:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - G:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - G:\Programmi\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: NMIndexingService - Nero AG - G:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - G:\Programmi\Eset\nod32krn.exe

--
End of file - 4350 bytes

da **nannolo** » gio nov 20, 2008 7:11 am

Ciao, riesegui Hijackthis e metti la spunta alle seguenti righe:

Codice: Seleziona tutto: O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - G:\Programmi\Applications\iebt.dll (file missing) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKLM\..\Policies\Explorer\Run: [akZKq3AO4K] G:\Documents and Settings\All Users\Dati applicazioni\qdevgbgh\qhcxczix.exe O4 - HKLM\..\Policies\Explorer\Run: [smile] G:\Programmi\Applications\wcs.exe

Dopo di che premi "Fix Checked". Riavvia, riesegui la scansione e riposta il log (si spera ora pulito).

da **ste_95** » gio nov 20, 2008 7:27 am

Poi scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Ora incolla queste righe nella box bianca che si è aperta:

Codice: Seleziona tutto: Files to delete: G:\Programmi\Applications\iebt.dll G:\Programmi\Applications\wcs.exe Folders to delete: G:\Documents and Settings\All Users\Dati applicazioni\qdevgbgh

Togli il segno di spunta dalla voce Scan for Rootkits
Premi il pulsante Execute
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.

Se Avenger riporta un errore, prova a riscrivere manualmente la prima riga (Files to delete:) ricordando i due punti. Se il problema persiste prova con la vecchia versione di Avenger.

da **peolo_82** » gio nov 20, 2008 1:11 pm

Ecco i log di Hijackthis e Avenger

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13.00.45, on 20/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
G:\Programmi\Eset\nod32krn.exe
G:\WINDOWS\system32\svchost.exe
G:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe
G:\Programmi\Eset\nod32kui.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
G:\WINDOWS\system32\wscntfy.exe
G:\Programmi\Internet Explorer\IEXPLORE.EXE
G:\WINDOWS\system32\wuauclt.exe
G:\Documents and Settings\Paolo\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - G:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "G:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [avgnt] "G:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "G:\WINDOWS\TEMP\E_S106.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = G:\Programmi\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04CA3BF6-B950-4053-B724-83D7DBF66271}: NameServer = 85.37.17.49 85.38.28.91
O17 - HKLM\System\CS1\Services\Tcpip\..\{04CA3BF6-B950-4053-B724-83D7DBF66271}: NameServer = 85.37.17.49 85.38.28.91
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - G:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - G:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - G:\Programmi\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: NMIndexingService - Nero AG - G:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - G:\Programmi\Eset\nod32krn.exe

--
End of file - 3945 bytes

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at G:\Avenger

*******************

Beginning to process script file:

Error: could not open file "G:\Programmi\Applications\iebt.dll"
Deletion of file "G:\Programmi\Applications\iebt.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
-->

bad path / the parent directory does not exist

Error: could not open file "G:\Programmi\Applications\wcs.exe"
Deletion of file "G:\Programmi\Applications\wcs.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
-->

bad path / the parent directory does not exist

Folder "G:\Documents and Settings\All Users\Dati applicazioni\qdevgbgh" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

da **Amantide** » gio nov 20, 2008 1:16 pm

Siccome Hijackthis è capace di farci vedere solo "la punta del iceberg" delle infezioni che girano ultimamente, ti consiglio di fare anche la scansione con Combofix.
Scarica ComboFix ed esegui la scansione seguendo queste istruzioni (giù in fondo). Al termine della scansione verrà creato il file di report C:\combofix.txt, copia qui il suo contenuto.

da **peolo_82** » gio nov 20, 2008 2:48 pm

Ecco il report di Combofix :

ComboFix 08-11-19.08 - Paolo 2008-11-20 14.37.27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.178 [GMT 1:00]
Eseguito da: g:\documents and settings\Paolo\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

g:\windows\system\msvbvm60.dll
g:\windows\system32\drivers\downld
g:\windows\system32\drivers\downld\11490000.exe
g:\windows\system32\drivers\downld\11491453.exe
g:\windows\system32\drivers\downld\11517843.exe
g:\windows\system32\drivers\downld\11525484.exe
g:\windows\system32\drivers\downld\11528218.exe
g:\windows\system32\drivers\downld\11533296.exe
g:\windows\system32\drivers\downld\11574343.exe
g:\windows\system32\drivers\downld\11581140.exe
g:\windows\system32\drivers\downld\11604515.exe
g:\windows\system32\drivers\downld\11615171.exe
g:\windows\system32\drivers\downld\11622296.exe
g:\windows\system32\drivers\downld\249234.exe
g:\windows\system32\drivers\downld\250687.exe

.
((((((((((((((((((((((((( Files Creati Da 2008-10-20 al 2008-11-20 )))))))))))))))))))))))))))))))))))
.

2008-11-20 13:04 . 2008-11-20 13:04 135,168 --a------ G:\zip.exe
2008-11-20 13:04 . 2008-11-20 13:04 19,286 --a------ G:\cleanup.exe
2008-11-20 13:04 . 2008-11-20 13:04 574 --a------ G:\cleanup.bat
2008-11-19 18:51 . 2008-11-19 20:52 <DIR> d-------- g:\programmi\XLGuarder
2008-11-18 21:20 . 2008-11-19 21:46 <DIR> d-------- g:\programmi\uTorrent
2008-11-18 21:20 . 2008-11-19 02:23 <DIR> d-------- g:\documents and settings\Paolo\Dati applicazioni\uTorrent
2008-11-18 21:12 . 2008-11-18 21:12 <DIR> d-------- g:\programmi\DNA
2008-11-18 21:12 . 2008-11-18 21:12 <DIR> d-------- g:\programmi\AskBarDis
2008-11-18 21:12 . 2008-11-18 23:10 <DIR> d-------- g:\documents and settings\Paolo\Dati applicazioni\DNA
2008-11-16 15:34 . 2001-08-30 23:07 8,704 --a------ g:\windows\system32\kbdjpn.dll
2008-11-16 15:34 . 2001-08-30 23:07 8,704 --a--c--- g:\windows\system32\dllcache\kbdjpn.dll
2008-11-16 15:34 . 2001-08-30 23:07 8,192 --a------ g:\windows\system32\kbdkor.dll
2008-11-16 15:34 . 2001-08-30 23:07 8,192 --a--c--- g:\windows\system32\dllcache\kbdkor.dll
2008-11-16 15:34 . 2001-08-17 22:55 6,144 --a------ g:\windows\system32\kbd106.dll
2008-11-16 15:34 . 2001-08-17 22:55 6,144 --a------ g:\windows\system32\kbd101c.dll
2008-11-16 15:34 . 2001-08-17 22:55 6,144 --a------ g:\windows\system32\kbd101b.dll
2008-11-16 15:34 . 2001-08-17 22:55 6,144 --a--c--- g:\windows\system32\dllcache\kbd106.dll
2008-11-16 15:34 . 2001-08-17 22:55 6,144 --a--c--- g:\windows\system32\dllcache\kbd101c.dll
2008-11-16 15:34 . 2001-08-17 22:55 6,144 --a--c--- g:\windows\system32\dllcache\kbd101b.dll
2008-11-16 15:34 . 2001-08-17 22:55 5,632 --a------ g:\windows\system32\kbd103.dll
2008-11-16 15:34 . 2001-08-17 22:55 5,632 --a--c--- g:\windows\system32\dllcache\kbd103.dll
2008-11-11 20:01 . 2008-11-11 20:01 <DIR> d-------- g:\programmi\Ontrack
2008-10-22 22:15 . 2004-08-03 22:00 149,376 --a------ g:\windows\system32\drivers\tffsport.sys
2008-10-22 22:15 . 2004-08-03 22:00 149,376 --a--c--- g:\windows\system32\dllcache\tffsport.sys
2008-10-21 01:24 . 2008-10-21 01:24 <DIR> d--h----- g:\windows\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 00:51 --------- d-----w g:\programmi\eMule
2008-11-11 19:25 --------- d--h--w g:\programmi\InstallShield Installation Information
2008-10-21 19:37 --------- d-----w g:\programmi\SopCast
2008-10-15 14:26 --------- d-----w g:\programmi\Alcohol Soft
2008-10-15 14:22 716,272 ----a-w g:\windows\system32\drivers\sptd.sys
2008-10-14 15:26 --------- d-----w g:\documents and settings\Paolo\Dati applicazioni\dvdcss
2008-10-08 14:44 --------- d-----w g:\programmi\AoA Audio Extractor
2008-10-08 14:43 --------- d---a-w g:\documents and settings\All Users\Dati applicazioni\TEMP
2008-10-08 11:01 --------- d-----w g:\programmi\DsNET Corp
2008-10-08 10:30 --------- d-----w g:\programmi\Tunatic
2008-10-06 21:05 78,596 --sha-w g:\windows\system32\drivers\fidbox.idx
2008-10-06 21:05 6,436,896 --sha-w g:\windows\system32\drivers\fidbox.dat
2008-10-06 12:04 --------- d-----w g:\programmi\Stellar Phoenix Windows Data Recovery
2008-10-06 10:26 --------- d-----w g:\programmi\File comuni\Acronis
2008-10-05 17:40 --------- d-----w g:\programmi\ESET
2008-10-05 15:23 --------- d-----w g:\documents and settings\All Users\Dati applicazioni\Avira
2008-10-05 15:17 512,096 ----a-w g:\windows\system32\drivers\amon.sys
2008-10-05 15:17 298,104 ----a-w g:\windows\system32\imon.dll
2008-10-05 15:17 15,424 ----a-w g:\windows\system32\drivers\nod32drv.sys
2008-10-05 13:53 734 ----a-w g:\programmi\coppv.txt
2008-10-05 13:53 61,440 ----a-w g:\windows\system32\drivers\bnlyw.sys
2008-10-05 13:52 934 ----a-w g:\programmi\tfmmcuuq.txt
2008-10-05 13:52 61,440 ----a-w g:\windows\system32\drivers\updgha.sys
2008-10-05 13:52 61,440 ----a-w g:\windows\system32\drivers\rvvxk.sys
2008-10-05 13:51 61,440 ----a-w g:\windows\system32\drivers\iovrnlfz.sys
2008-09-19 08:54 17,144 ----a-w g:\documents and settings\Paolo\Dati applicazioni\GDIPFONTCACHEV1.DAT
2008-09-18 13:26 116,176 ----a-w g:\windows\iun1405.exe
2008-09-12 09:13 155,995 ----a-w g:\windows\java\Packages\17R7LJPR.ZIP
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\ctfmon.exe" [2004-08-19 15360]
"SpybotSD TeaTimer"="g:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"EPSON Stylus DX4400 Series"="g:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE" [2007-03-01 180736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="g:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"nod32kui"="g:\programmi\Eset\nod32kui.exe" [2008-10-05 949376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

g:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Microsoft Office.lnk - g:\programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytoosl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-19 14:51 1667584 g:\programmi\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\Programmi\\Messenger\\msmsgs.exe"=
"g:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"g:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"g:\\Programmi\\Veoh Networks\\Veoh\\VeohClient.exe"=
"g:\\Programmi\\eMule\\emule.exe"=
"g:\\Programmi\\Windows Media Player\\wmplayer.exe"=

R0 tffsport;M-Systems DiskOnChip 2000;g:\windows\system32\DRIVERS\tffsport.sys [2008-10-22 149376]
S3 getPlus(R) Helper;getPlus(R) Helper;g:\programmi\NOS\bin\getPlus_HelperSvc.exe [2008-09-12 33752]

*Newly Created Service* - PROCEXP90
.
- - - - ORFÃOS REMOVIDOS - - - -

HKLM-Run-avgnt - g:\programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
MSConfigStartUp-avgnt - g:\programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe

.
------- Supplementare di scansione -------
.
uStart Page = hxxp://www.google.it/
LSP: g:\windows\system32\imon.dll
TCP: {04CA3BF6-B950-4053-B724-83D7DBF66271} = 85.37.17.49 85.38.28.91

O16 -: Microsoft XML Parser for Java - file://g:\windows\Java\classes\xmldso.cab
g:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 14:40:57
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

g:\docume~1\Paolo\IMPOST~1\Temp\RGI21B.tmp

Scansione completata con successo
Files nascosti: 1

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

PROCESSO: g:\windows\system32\lsass.exe
-> g:\programmi\Eset\pr_imon.dll
.
Ora fine scansione: 2008-11-20 14.44.24
ComboFix-quarantined-files.txt 2008-11-20 13:43:52

Pre-Run: 6.335.995.904 byte disponibili
Post-Run: 6,402,838,528 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
g:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

154

da **Amantide** » gio nov 20, 2008 3:32 pm

Scarica The Avenger, estrailo in una cartella ed avvia il file avenger.exe.
Incolla il seguente spript nello spazio bianco sotto alla voce Input script here, togli la spunta alla voce Scan for rootkits e clicca su Execute.

Codice: Seleziona tutto: Files to delete: g:\programmi\coppv.txt g:\windows\system32\drivers\bnlyw.sys g:\programmi\tfmmcuuq.txt g:\windows\system32\drivers\updgha.sys g:\windows\system32\drivers\rvvxk.sys g:\windows\system32\drivers\iovrnlfz.sys g:\docume~1\Paolo\IMPOST~1\Temp\RGI21B.tmp

Il pc dovrebbe riavviarsi, se così non fosse, riavvialo manualmente.
Al riavvio dovrebbe apparire il log avenger.txt, posta qui il suo contenuto.

P.S. Sapevi di aver avuto il worm Bagle? [uhm]

da **peolo_82** » gio nov 20, 2008 10:03 pm

Si ieri facendo una scansione ho trovato un file infetto da bagle . comunque ho un altro problema mi esce l'errore generic host process.... e pur scaricando e installando due patch il problema persiste come posso fare? grazie

da **peolo_82** » gio nov 20, 2008 10:11 pm

comunque ecco il report di avenger

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at G:\Avenger

*******************

Beginning to process script file:

File "g:\programmi\coppv.txt" deleted successfully.
File "g:\windows\system32\drivers\bnlyw.sys" deleted successfully.
File "g:\programmi\tfmmcuuq.txt" deleted successfully.
File "g:\windows\system32\drivers\updgha.sys" deleted successfully.
File "g:\windows\system32\drivers\rvvxk.sys" deleted successfully.
File "g:\windows\system32\drivers\iovrnlfz.sys" deleted successfully.

Error: file "g:\docume~1\Paolo\IMPOST~1\Temp\RGI21B.tmp" not found!
Deletion of file "g:\docume~1\Paolo\IMPOST~1\Temp\RGI21B.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
-->

the object does not exist

Completed script processing.

*******************

Finished! Terminate.

da **Amantide** » gio nov 20, 2008 10:33 pm

Allora, intanto vediamo se è rimasto qualcos'altro di Bagle e ripristiniamo i servizi da lui terminati.

Scarica FindyKill (by Chiquitine29)ed installalo (è in francese però è di facile comprensione).
Una volta installato chiudi tutte le applicazioni attive e disconnettiti dal internet, poi clicca sull'icona di FindyKill e nella finestra dos che si aprirà scrivi 2 e premi Invio. Attendi il termine della scansione e posta qui il log che trovi in C:\FindyKill.txt

Per quanto riguarda l'errore di generic host process, l'unica soluzione definitiva è installare il service pack 3.

da **peolo_82** » ven nov 21, 2008 1:14 am

ecco il report di Findkill :

----------------- FindyKill V4.705 ------------------

* User : Paolo - PAOLO
* executed from : G:\Programmi\FindyKill
* Update on 17/11/08 par Chiquitine29
* Start at 1:07:36 the 21/11/2008
* Windows XP - Internet Explorer 6.0.2900.2180

((((((((((((((( *** deleting *** ))))))))))))))))))

--------------- [ Active Processes ] ----------------

G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\logonui.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\userinit.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Documents and Settings\All Users\Dati applicazioni\EPSON\EPW!3 SSRP\E_S40RP7.EXE
G:\Programmi\Eset\nod32krn.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\wdfmgr.exe

--------------- [ Infected files / folders ] ----------------

»»»» Supression files in G:

»»»» Supression files in G:\WINDOWS

»»»» Supression files in G:\WINDOWS\Prefetch

»»»» Supression files in G:\WINDOWS\system32

»»»» Supression files in G:\WINDOWS\system32\drivers

»»»» Supression files in G:\Documents and Settings\Paolo\Dati applicazioni

»»»» Supression files in G:\DOCUME~1\Paolo\IMPOST~1\Temp

»»»» Supression files in G:\Documents and Settings\Paolo\Local Settings\Temporary Internet Files\Content.IE5

--------------- [ Registry / Infected keys ] ----------------

Deleted ! - HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_SROSA

--------------- [ States / Restarting of services ] ----------------

+- Services : [ Auto=2 / Request=3 / Disable=4 ]

Ndisuio - Type of startup = 3

Ip6Fw - Type of startup = 2

SharedAccess - Type of startup = 2

wuauserv - Type of startup = 2

wscsvc - Type of startup = 2

--------------- [ Cleaning removable drives ] ----------------

+- Informations :

C: - Unit… fissa

D: - Unit… fissa

G: - Unit… fissa

+- deleting files :

--------------- [ Registry / Mountpoint2 ] ----------------

-> Not found !

--------------- [ Searching Cracks / Keygen ] ----------------

G:\Documents and Settings\Paolo\Recent\Ontrack Easy Recovery Pro V66.03 + Crack.lnk

---------------- ! End of report ! ------------------

da **Amantide** » ven nov 21, 2008 8:54 am

Ok, sono stati rimossi gli ultimi rimasugli di virus.

www.MegaLab.it

Virus Xlg

Virus Xlg

Re: Virus Xlg

Re: Virus Xlg

Re: Virus Xlg

Re: Virus Xlg

Re: Virus Xlg

Re: Virus Xlg

Re: Virus Xlg

Re: Virus Xlg

Re: Virus Xlg

Re: Virus Xlg

Re: Virus Xlg

Re: Virus Xlg

Re: Virus Xlg

Chi c’è in linea