www.MegaLab.it

da **tyons** » mar set 01, 2009 10:46 am

salve sull'altro computer credo di aver preso una nuova versione di bagle, infatti non l'ho vista descritta in nessun articolo di MegaLab...

ho già trovato e cancellato i file srosa e srosa2 che erano camuffati con dei numeri in mezzo al nome, poi gmer (che funziona) ha trovato nella stessa cartella di quei due un sacco di file .exe, winupgro.exe e la cartella "downld", ma se ci vado non li vedo e non posso cancellare la cartella in cui sono. ah, la cartella si chiama drivers e si trova in C:\Documents and Settings\Administrator\Dati applicazioni\ .

in una delle versioni descritte negli articoli esisteva una cartella shared da qualche parte; non so se centra ma gmer ha trovato una cartella shared in C:\WINDOWS\ime\ .

non saprei cosa altro cercare, se conoscete questa versione vi prego di aiutarmi, grazie.

da **crazy.cat** » mar set 01, 2009 10:49 am

usa findykill e dopo il riavvio dovrebbe partire anche combofix.
Scansiona con tutti e due poi vedi se riesci a reinstallare il tuo antivirus scaricando nuovamente il programma di installazione.

da **tyons** » mar set 01, 2009 10:54 am

combofix l'ho già usato e funzionava, solo che su quel computer ho pochissimo spazio libero e non credo che sia riuscito a fare granchè, infatti aveva finito solo il "passo" 49 senza fare quelli prima... poi nel log non mi sermbra che ci sia granchè che riguardi bagle. te lo allego?

da **crazy.cat** » mar set 01, 2009 10:57 am

fai findykill prima e posta il suo log.

da **tyons** » mar set 01, 2009 11:06 am

ehm... dove lo scarico? una volta ce l'avevo ma l'ho cancellato perché aveva fatto casino.

niente fa lo stesso, l'ho trovato.

adesso allego i 3 log.

combofix (prima di findykill)

ComboFix 09-03-29.04 - Administrator 2009-08-31 12.14.33.1 - NTFSx86
Eseguito da: D:\Com-bo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090826-0] *On-access scanning disabled* (Updated)

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
- MODALITÀ CON FUNZIONALITÀ RIDOTTE -
.

((((((((((((((((((((((((( Files Creati Da 2009-07-28 al 2009-08-31 )))))))))))))))))))))))))))))))))))
.

2009-08-26 14:36 . 2009-08-26 19:17 <DIR> d--h-c--- c:\documents and settings\Administrator\Dati applicazioni\drivers
2009-07-29 11:16 . 2009-07-29 11:16 <DIR> d--h-c--- c:\windows\$hf_mig$
2009-07-05 13:21 . 2009-05-26 17:18 90,112 --a--c--- c:\windows\system32\QuickTimeVR.qtx
2009-07-05 13:21 . 2009-05-26 17:18 57,344 --a--c--- c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 10:06 405 -c--a-w c:\programmi\psc 1110.exe.lnk
2009-08-30 19:31 --------- dc----w c:\programmi\Bonjour
2009-07-05 11:21 --------- dc----w c:\documents and settings\All Users\Dati applicazioni\Apple Computer
2009-06-29 17:49 --------- dc----w c:\programmi\File comuni\Adobe
2009-06-29 14:09 --------- dc----w c:\documents and settings\Administrator\Dati applicazioni\Download Manager
2009-06-16 14:36 81,920 -c--a-w c:\windows\system32\fontsub.dll
2009-06-16 14:36 119,808 -c--a-w c:\windows\system32\t2embed.dll
2009-06-03 19:09 1,296,384 -c--a-w c:\windows\system32\quartz.dll
2009-05-07 15:32 347,648 -c--a-w c:\windows\system32\localspl.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="d:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2005-01-21 839680]
"MSMSGS"="d:\programmi\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusTray"="c:\programmi\Asus\EeePC ACPI\AsTray.exe" [2008-03-27 102400]
"AsusACPIServer"="c:\programmi\Asus\EeePC ACPI\AsAcpiSvr.exe" [2008-03-20 544768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-08 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-08 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-08 94208]
"ETDWare"="c:\programmi\Elantech\ETDCtrl.exe" [2008-04-16 335872]
"SunJavaUpdateSched"="d:\programmi\Java\jre6\bin\jusched.exe" [2009-01-21 136600]
"FreePDF Assistant"="d:\programmi\FreePDF_XP\fpassist.exe" [2007-06-26 312320]
"avast!"="d:\i386\Install\Avast\ashDisp.exe" [2009-08-31 81000]
"Adobe Reader Speed Launcher"="d:\i386\Install\ACR\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-07 c:\windows\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 c:\windows\Alcmtr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
Collegamento a eeectl.lnk - d:\i386\Install\eeectl\eeectl.exe [2008-02-17 31232]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
AutoRun OSCleaner.lnk - c:\programmi\ASUS\Asus OS Cleaner\AsOSCleaner.exe [2008-06-27 118784]
BTTray.lnk - d:\i386\Install\BLT\BTTray.exe [2007-02-27 561213]
InterVideo WinCinema Manager.lnk - d:\i386\Install\Common\Bin\WinCinemaMgr.exe [2008-06-30 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

La chiave di registro SafeBoot ha bisogno di essere riparata. Questo pc non può avviarsi in Modalità Provvisoria.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"d:\\I386\\Install\\emule\\emule.exe"=
"d:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 aswSP;avast! Self Protection; [x]
R2 aswFsBlk;aswFsBlk; [x]
R3 ONDAusbmdm6k;ONDA Proprietary USB Driver; [x]
R3 ONDAusbnet;ONDA USB-NDIS miniport; [x]
R3 ONDAusbnmea;ONDA NMEA Port; [x]
R3 ONDAusbser6k;ONDA Diagnostic Port; [x]
S1 111111s1ro1s1a;111111s1ro1s1a;c:\documents and settings\Administrator\Dati applicazioni\drivers\111wfs1intwq.sys [2009-08-31 121658]
S1 sK9Ou0s;sK9Ou0s;c:\documents and settings\Administrator\Dati applicazioni\drivers\11s11ro1s1a2.sys [2009-08-31 7168]
S3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\DRIVERS\ASUSACPI.sys [2007-07-26 11264]
S3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\l251x86.sys [2007-10-18 30720]
S3 dciiodrv;dciiodrv;c:\windows\system32\drivers\dciiodrv.sys [2008-07-04 2944]
S3 Ktp;Elantech Smart-Pad;c:\windows\system32\DRIVERS\ETD.sys [2008-04-15 25088]

--- Altri Servizi/Drivers In Memoria ---

*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - btwdins
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - IviRegMgr
*Deregistered* - JavaQuickStarterService
*Deregistered* - LanmanServer
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - PartMgr
*Deregistered* - PCIIde
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteAccess
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - sK9Ou0s
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WmiApSrv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{676575c5-4909-11dd-b7a2-0015afa77039}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{676575c8-4909-11dd-b7a2-0015afa77039}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bba99c4-46b0-11dd-b797-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bba99c7-46b0-11dd-b797-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f813079-4458-11dd-b793-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a81be302-468b-11dd-b795-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a81be306-468b-11dd-b795-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bfd83d6f-49a7-11dd-aa49-0002721326f2}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
Contenuto della cartella 'Scheduled Tasks'

2009-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe []

2009-08-29 c:\windows\Tasks\WebReg 20080914165811.job
- d:\digital imaging\Bin\hpqwrg.exe []

2009-08-26 c:\windows\Tasks\WebReg 20080929175536.job
- d:\digital imaging\Bin\hpqwrg.exe []

2009-08-26 c:\windows\Tasks\WebReg 20081006150419.job
- d:\digital imaging\Bin\hpqwrg.exe []

2009-08-31 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

HKLM-Run-<NO NAME> - (no file)

.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = *.local
IE: E&sporta in Microsoft Excel - d:\i386\Install\OFFICE~1\OFFICE11\EXCEL.EXE/3000
IE: Invia a periferica &Bluetooth... - d:\i386\Install\BLT\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 12:16:29
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

c:\documents and settings\Administrator\Dati applicazioni\drivers\winupgro.exe [1924] 0x881DF320

scansione entrate autostart nascoste ...

Scansione files nascosti ...

c:\documents and settings\Administrator\Dati applicazioni\drivers\downld
c:\documents and settings\Administrator\Dati applicazioni\drivers\downld\16803687.exe 1508 bytes
c:\documents and settings\Administrator\Dati applicazioni\drivers\downld\16806843.exe 1508 bytes
c:\documents and settings\Administrator\Dati applicazioni\drivers\downld\16807843.exe 1508 bytes
c:\documents and settings\Administrator\Dati applicazioni\drivers\downld\16903000.exe 2536 bytes
c:\documents and settings\Administrator\Dati applicazioni\drivers\winupgro.exe 839680 bytes executable

Scansione completata con successo
Files nascosti: 6

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"="c:\\Documents and Settings\\Administrator\\Dati applicazioni\\drivers\\winupgro.exe"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'explorer.exe'(3788)
c:\windows\system32\btmmhook.dll
.
Ora fine scansione: 2009-08-31 12.25.30
ComboFix-quarantined-files.txt 2009-08-31 10:25:07

Pre-Run: 140.730.368 byte disponibili
Post-Run: 130,584,576 byte disponibili

257

da **tyons** » mar set 01, 2009 11:32 am

il log di gmer devo allegarlo perché è di circa 250000 caratteri...

findykill

############################## | FindyKill V5.007 |

# User : Administrator (Administrators) # EEEPC900
# Update on 31/08/09 by Chiquitine29
# Start at: 12.18.22 | 01/09/2009
# Website : http://pagesperso-orange.fr/NosTools/index.html

# Intel(R) Celeron(R) M processor 900MHz
# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 3
# Internet Explorer 7.0.5730.13
# Windows Firewall Status : Enabled
# AV : avast! antivirus 4.8.1335 [VPS 090826-0] 4.8.1335 [ (!) Disabled | Updated ]

# C:\ # Disco rigido locale # 3,75 Go (71,5 Mo free) [OS-XPP] # NTFS
# D:\ # Disco rigido locale # 15,03 Go (1,87 Go free) [DATI] # NTFS
# E:\ # Disco rimovibile # 1,9 Go (3,41 Mo free) # FAT

############################## | Active Processes |

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\I386\Install\BLT\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\InterVideo\RegMgr\iviRegMgr.exe
D:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Asus\EeePC ACPI\AsTray.exe
C:\Programmi\Asus\EeePC ACPI\AsAcpiSvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Programmi\Elantech\ETDCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
D:\Programmi\FreePDF_XP\fpassist.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
D:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Dati applicazioni\drivers\winupgro.exe
D:\I386\Install\BLT\BTTray.exe
D:\I386\Install\Common\Bin\WinCinemaMgr.exe
D:\I386\Install\eeectl\eeectl.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

############################## | Infected processes stopped |

"C:\Documents and Settings\Administrator\Dati applicazioni\drivers\winupgro.exe" (2080)

################## | C: |

################## | C:\WINDOWS |

Found ! C:\WINDOWS\Prefetch\KEY_GENERATOR.EXE-201C8243.pf

################## | C:\WINDOWS\system32 |

################## | C:\WINDOWS\system32\drivers |

################## | C:\Documents and Settings\Administrator\Dati applicazioni |

################## | C:\Documents and Settings\Administrator\Temporary Internet Files |

################## | Registry / Infected keys |

Found ! [HKLM\SYSTEM\CurrentControlSet\Services\111111s1ro1s1a]
Found ! [HKLM\SYSTEM\ControlSet001\Services\111111s1ro1s1a]
Found ! [HKLM\SYSTEM\ControlSet002\Services\111111s1ro1s1a]
Found ! [HKLM\SYSTEM\CurrentControlSet\Services\sK9Ou0s]
Found ! [HKLM\SYSTEM\ControlSet001\Services\sK9Ou0s]
Found ! [HKLM\SYSTEM\ControlSet002\Services\sK9Ou0s]
Found ! [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_111111s1ro1s1a]
Found ! [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_111111s1ro1s1a]
Found ! [HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_111111s1ro1s1a]
Found ! [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SK9OU0S]
Found ! [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SK9OU0S]
Found ! [HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_SK9OU0S]
Found ! [HKCU\Software\bisoft]
Found ! [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "drvsyskit"
Found ! [HKU\S-1-5-21-1606980848-1897051121-515967899-500\Software\Microsoft\Windows\CurrentVersion\Run] "drvsyskit"
Found ! [HKU\S-1-5-21-1606980848-1897051121-515967899-500\Software\bisoft]
Found ! [HKCU\Software\Local AppWizard-Generated Applications\key_generator]
Found ! [HKCU\Software\Local AppWizard-Generated Applications\winupgro]
Found ! [HKU\S-1-5-21-1606980848-1897051121-515967899-500\Software\Local AppWizard-Generated Applications\key_generator]
Found ! [HKU\S-1-5-21-1606980848-1897051121-515967899-500\Software\Local AppWizard-Generated Applications\winupgro]
Found ! [HKLM\software\microsoft\security center] "AntiVirusDisableNotify" 0x1
Found ! [HKLM\software\microsoft\security center] "UpdatesDisableNotify" 0x1

################## | State / Service / Information |

# Showing of hidden files : OK

Missing key : HKLM\...\SafeBoot | Safe boot mode disabled !

# Ndisuio -> Start = 3 ( Good = 3 | Bad = 4 )
# EapHost -> Start = 3 ( Good = 2 | Bad = 4 )
# (!) Ip6Fw -> Start = 4 ( Good = 2 | Bad = 4 )
# SharedAccess -> Start = 2 ( Good = 2 | Bad = 4 )
# (!) wuauserv -> Start = 4 ( Good = 2 | Bad = 4 )
# (!) wscsvc -> Start = 4 ( Good = 2 | Bad = 4 )

################## | Cracks / Keygens / Serials |

################## | End of Report # FindyKill V5.007 ! |

da **Amantide** » mar set 01, 2009 11:53 am

Rifai la scansione con Findykill, però questa volta seleziona la voce 2, per effettuare l'eliminazione del Bagle.

da **tyons** » mar set 01, 2009 11:58 am

c'è una cosa che non mi convince... findykill non ha trovato niente nella cartella drivers, dove imvece gmer ci ha trovato un sacco di roba... non è che findykill non cancella quella roba lì e quindi riparte il virus, vero?

ecco il nuovo log

############################## | FindyKill V5.007 |

# User : Administrator (Administrators) # EEEPC900
# Update on 31/08/09 by Chiquitine29
# Start at: 13.03.21 | 01/09/2009
# Website : http://pagesperso-orange.fr/NosTools/index.html

# Intel(R) Celeron(R) M processor 900MHz
# Microsoft Windows XP Professional (5.1.2600 32-bit) # Service Pack 3
# Internet Explorer 7.0.5730.13
# Windows Firewall Status : Enabled
# AV : avast! antivirus 4.8.1335 [VPS 090826-0] 4.8.1335 [ (!) Disabled | Updated ]

# C:\ # Disco rigido locale # 3,75 Go (76,32 Mo free) [OS-XPP] # NTFS
# D:\ # Disco rigido locale # 15,03 Go (1,87 Go free) [DATI] # NTFS
# E:\ # Disco rimovibile # 1,9 Go (3,41 Mo free) # FAT

############################## | Active Processes |

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\I386\Install\BLT\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\InterVideo\RegMgr\iviRegMgr.exe
D:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe

################## | C: |

################## | C:\WINDOWS |

Deleted ! C:\WINDOWS\Prefetch\KEY_GENERATOR.EXE-201C8243.pf
Deleted ! C:\WINDOWS\Prefetch\WINUPGRO.EXE-040DDF25.pf

################## | C:\WINDOWS\system32 |

################## | C:\WINDOWS\system32\drivers |

################## | C:\Documents and Settings\Administrator\Dati applicazioni |

Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\drivers\winupgro.exe
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\drivers\downld
Deleted ! C:\Documents and Settings\Administrator\Dati applicazioni\drivers

################## | Other ... |

# Reference of comparaison Bagle MD5 :

File : C:\Documents and Settings\Administrator\Dati applicazioni\drivers\winupgro.exe
-> Crc32 : 2b46e14c | Md5 : 75e0bc131a4da5b2924a6d8ab78db703

Deleted ! "D:\Programmi\Windows Live\Messenger\msnmsgr.exe"
-> Size : 839680 | Crc32 : 2b46e14c | Md5 : 75e0bc131a4da5b2924a6d8ab78db703

################## | Temporary Internet Files |

################## | Registry / Infected keys |

Deleted ! [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] "drvsyskit"

################## | State / Service / Information |

# Safe boot mode restored restauré !

# Showing of hidden files : OK

# Ndisuio -> Start = 3 ( Good = 3 | Bad = 4 )
# EapHost -> Start = 2 ( Good = 2 | Bad = 4 )
# Ip6Fw -> Start = 2 ( Good = 2 | Bad = 4 )
# SharedAccess -> Start = 2 ( Good = 2 | Bad = 4 )
# wuauserv -> Start = 2 ( Good = 2 | Bad = 4 )
# wscsvc -> Start = 2 ( Good = 2 | Bad = 4 )

################## | PEH ... |

Corrupted : C:\Documents and Settings\Administrator\Impostazioni locali\TempImages\register.exe
[Offset = 000000EC - Value = 0x0001]

Corrupted : C:\WINDOWS\SoftwareDistribution\Download\159b973be07ea9ac20f4e23636d5b404\update\update.exe
[Offset = 000000EC - Value = 0x0001]

Attempt of repair...
Backup : update.exe.REN
[Offset = 000000EC - New value = 0x4C01]
File repaired successfully.

Corrupted : C:\WINDOWS\SoftwareDistribution\Download\cba05876d9acf56c5c0068111a2ac743\update\update.exe
[Offset = 000000EC - Value = 0x0001]

Attempt of repair...
Backup : update.exe.REN
[Offset = 000000EC - New value = 0x4C01]
File repaired successfully.

Corrupted : D:\avenger.exe
[Offset = 00000084 - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashAvast.exe
[Offset = 0000011C - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashChest.exe
[Offset = 0000010C - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashDisp.exe
[Offset = 00000124 - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashLogV.exe
[Offset = 0000010C - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashMaiSv.exe
[Offset = 0000010C - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashPopWz.exe
[Offset = 0000011C - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashQuick.exe
[Offset = 0000011C - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashServ.exe
[Offset = 00000124 - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashSimp2.exe
[Offset = 0000011C - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashSimpl.exe
[Offset = 0000011C - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashSkPcc.exe
[Offset = 00000104 - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashSkPck.exe
[Offset = 00000114 - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashUpd.exe
[Offset = 00000104 - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\ashWebSv.exe
[Offset = 00000114 - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\aswRegSvr.exe
[Offset = 000000D4 - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\aswUpdSv.exe
[Offset = 00000114 - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\copyx64.exe
[Offset = 000000CC - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\sched.exe
[Offset = 000000FC - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\VisthLic.exe
[Offset = 0000010C - Value = 0x0001]

Corrupted : D:\I386\Install\Avast\VisthUpd.exe
[Offset = 000000F4 - Value = 0x0001]

Corrupted : D:\I386\Install\Update.exe
[Offset = 000000EC - Value = 0x0001]

################## | Cracks / Keygens / Serials |

################## | End of Report # FindyKill V5.007 ! |

da **Amantide** » mar set 01, 2009 12:13 pm

Ciò che ha ritrovato Findykill, è la roba molto più importante ed insidiosa rispetto ai file nella cartella downl.
Intando esegui l'opzione 2 di Findykill, e dopo, come ti aveva già detto anche Crazy.cat, esegui Combofix.

Prima la rimozione con Findykill, poi la scansione con Combofix, ed alla fine la scansione con l'antivirus reinstallato, proprio in questo ordine.

da **tyons** » mar set 01, 2009 4:07 pm

ecco il log di combofix

ComboFix 09-03-29.04 - Administrator 2009-09-01 13.42.50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.2039.1593 [GMT 2:00]
Eseguito da: D:\Com-bo-Fix.exe
.
- MODALITÀ CON FUNZIONALITÀ RIDOTTE -
.

((((((((((((((((((((((((( Files Creati Da 2009-08-01 al 2009-09-01 )))))))))))))))))))))))))))))))))))
.

Nessun nuovo file creato in questo arco di tempo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 10:06 405 -c--a-w c:\programmi\psc 1110.exe.lnk
2009-08-30 19:31 --------- dc----w c:\programmi\Bonjour
2009-07-05 11:21 --------- dc----w c:\documents and settings\All Users\Dati applicazioni\Apple Computer
2009-06-16 14:36 81,920 -c--a-w c:\windows\system32\fontsub.dll
2009-06-16 14:36 119,808 -c--a-w c:\windows\system32\t2embed.dll
2009-06-03 19:09 1,296,384 -c--a-w c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-31_12.18.41,15 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-05-26 11:41:05 763,768 -c--a-w c:\windows\SoftwareDistribution\Download\159b973be07ea9ac20f4e23636d5b404\update\update.exe
- 2007-11-30 12:39:40 763,768 -c--a-w c:\windows\SoftwareDistribution\Download\cba05876d9acf56c5c0068111a2ac743\update\update.exe
+ 2009-09-01 11:30:15 262,144 ----a-w c:\windows\system32\config\systemprofile\NtUser.dat
+ 2009-09-01 11:03:15 16,384 -c--atw c:\windows\Temp\Perflib_Perfdata_5c8.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="d:\programmi\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusTray"="c:\programmi\Asus\EeePC ACPI\AsTray.exe" [2008-03-27 102400]
"AsusACPIServer"="c:\programmi\Asus\EeePC ACPI\AsAcpiSvr.exe" [2008-03-20 544768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-08 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-08 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-08 94208]
"ETDWare"="c:\programmi\Elantech\ETDCtrl.exe" [2008-04-16 335872]
"SunJavaUpdateSched"="d:\programmi\Java\jre6\bin\jusched.exe" [2009-01-21 136600]
"FreePDF Assistant"="d:\programmi\FreePDF_XP\fpassist.exe" [2007-06-26 312320]
"Adobe Reader Speed Launcher"="d:\i386\Install\ACR\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-07 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
Collegamento a eeectl.lnk - d:\i386\Install\eeectl\eeectl.exe [2008-02-17 31232]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
AutoRun OSCleaner.lnk - c:\programmi\ASUS\Asus OS Cleaner\AsOSCleaner.exe [2008-06-27 118784]
BTTray.lnk - d:\i386\Install\BLT\BTTray.exe [2007-02-27 561213]
InterVideo WinCinema Manager.lnk - d:\i386\Install\Common\Bin\WinCinemaMgr.exe [2008-06-30 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"d:\\I386\\Install\\emule\\emule.exe"=

R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2008-06-27 11264]
R3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2007-10-18 30720]
R3 dciiodrv;dciiodrv;c:\windows\system32\drivers\dciiodrv.sys [2008-07-04 2944]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2008-04-15 25088]
S3 ONDAusbmdm6k;ONDA Proprietary USB Driver;c:\windows\system32\DRIVERS\ONDAusbmdm6k.sys -->

c:\windows\system32\DRIVERS\ONDAusbmdm6k.sys [?]

S3 ONDAusbnet;ONDA USB-NDIS miniport;c:\windows\system32\DRIVERS\ONDAusbnet.sys -->

c:\windows\system32\DRIVERS\ONDAusbnet.sys [?]

S3 ONDAusbnmea;ONDA NMEA Port;c:\windows\system32\DRIVERS\ONDAusbnmea.sys -->

c:\windows\system32\DRIVERS\ONDAusbnmea.sys [?]

S3 ONDAusbser6k;ONDA Diagnostic Port;c:\windows\system32\DRIVERS\ONDAusbser6k.sys -->

c:\windows\system32\DRIVERS\ONDAusbser6k.sys [?]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - EAPHOST
*NewlyCreated* - IP6FW

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{676575c5-4909-11dd-b7a2-0015afa77039}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{676575c8-4909-11dd-b7a2-0015afa77039}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bba99c4-46b0-11dd-b797-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bba99c7-46b0-11dd-b797-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f813079-4458-11dd-b793-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a81be302-468b-11dd-b795-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a81be306-468b-11dd-b795-001fc6e7c6fc}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bfd83d6f-49a7-11dd-aa49-0002721326f2}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
Contenuto della cartella 'Scheduled Tasks'

2009-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe []

2009-08-31 c:\windows\Tasks\WebReg 20080914165811.job
- d:\digital imaging\Bin\hpqwrg.exe []

2009-08-31 c:\windows\Tasks\WebReg 20080929175536.job
- d:\digital imaging\Bin\hpqwrg.exe []

2009-08-26 c:\windows\Tasks\WebReg 20081006150419.job
- d:\digital imaging\Bin\hpqwrg.exe []

2009-09-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = <local>
IE: E&sporta in Microsoft Excel - d:\i386\Install\OFFICE~1\OFFICE11\EXCEL.EXE/3000
IE: Invia a periferica &Bluetooth... - d:\i386\Install\BLT\btsendto_ie_ctx.htm
TCP: {C1E4DB0D-32F7-4B1F-8F05-66FE4C539DF4} = 85.37.17.10 85.38.28.86
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 13:43:29
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2009-09-01 13.46.43
ComboFix-quarantined-files.txt 2009-09-01 11:46:40

Pre-Run: 48.287.744 byte disponibili
Post-Run: 39,366,656 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

131

e allego quello di nod32 che è troppo lungo.

www.MegaLab.it

nuova versione di bagle, credo...

nuova versione di bagle, credo...

Re: nuova versione di bagle, credo...

Re: nuova versione di bagle, credo...

Re: nuova versione di bagle, credo...

Re: nuova versione di bagle, credo...

Re: nuova versione di bagle, credo...

Re: nuova versione di bagle, credo...

Re: nuova versione di bagle, credo...

Re: nuova versione di bagle, credo...

Re: nuova versione di bagle, credo...

Chi c’è in linea