www.MegaLab.it

[FDM75]

Ciao a tutti,

ho un problema mai avuto prima.
Avendo letto la vostra guida per la disinfezione, ieri o effettuato la scansione con le impostazioni avanzate da voi suggerite ed in modalità provvisoria.
Con molta sorpresa, alla fine della scansione risultava perfettamente pulito (cosa strana perché di solito risultano almeno dei "Warning" o "Hidden Objects" ma stavolta che ho fatto la scansione in modo approfondito nulla).

Ho controllato i settaggi e pare abbia fatto solo la scansione della partizione C: mentre D: (quella con tutti i files) era deselezionata.

Ho perciò selezionato D: ed effettuato la scansione solo lì (ma non più in modalità provvisoria) ed Avira ha rilevato 14 Virus/malware ma spostato in quarantena solo 1.
Presumo sia ancora infetto, come faccio ad eliminare tutto il resto?

Riporto qui il report della scansione.

Grazie mille in anticipo a chi mi aiuterà a risolvere il problema! :)

Avira Free Antivirus
Report file date: martedì 11 settembre 2012 12:19

Scanning for 4191975 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available.

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 Home Premium
Windows version : (Service Pack 1) [6.1.7601]
Boot mode : Normally booted

Version information:
BUILD.DAT : 12.0.0.1199 40869 Bytes 07/09/2012 22:20:00
AVSCAN.EXE : 12.3.0.33 468472 Bytes 08/08/2012 12:26:35
AVSCAN.DLL : 12.3.0.15 54736 Bytes 08/05/2012 18:11:59
LUKE.DLL : 12.3.0.15 68304 Bytes 08/05/2012 18:12:02
AVSCPLR.DLL : 12.3.0.14 97032 Bytes 08/05/2012 18:12:02
AVREG.DLL : 12.3.0.17 232200 Bytes 11/05/2012 11:32:46
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 18:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 14/12/2010 09:07:39
VBASE002.VDF : 7.11.19.170 14374912 Bytes 20/12/2011 11:35:26
VBASE003.VDF : 7.11.21.238 4472832 Bytes 01/02/2012 11:32:11
VBASE004.VDF : 7.11.26.44 4329472 Bytes 28/03/2012 15:00:17
VBASE005.VDF : 7.11.34.116 4034048 Bytes 29/06/2012 13:38:41
VBASE006.VDF : 7.11.41.250 4902400 Bytes 06/09/2012 10:29:06
VBASE007.VDF : 7.11.41.251 2048 Bytes 06/09/2012 10:29:06
VBASE008.VDF : 7.11.41.252 2048 Bytes 06/09/2012 10:29:06
VBASE009.VDF : 7.11.41.253 2048 Bytes 06/09/2012 10:29:06
VBASE010.VDF : 7.11.41.254 2048 Bytes 06/09/2012 10:29:06
VBASE011.VDF : 7.11.41.255 2048 Bytes 06/09/2012 10:29:06
VBASE012.VDF : 7.11.42.0 2048 Bytes 06/09/2012 10:29:07
VBASE013.VDF : 7.11.42.1 2048 Bytes 06/09/2012 10:29:07
VBASE014.VDF : 7.11.42.65 203264 Bytes 09/09/2012 20:02:10
VBASE015.VDF : 7.11.42.125 156672 Bytes 11/09/2012 10:19:05
VBASE016.VDF : 7.11.42.126 2048 Bytes 11/09/2012 10:19:05
VBASE017.VDF : 7.11.42.127 2048 Bytes 11/09/2012 10:19:05
VBASE018.VDF : 7.11.42.128 2048 Bytes 11/09/2012 10:19:05
VBASE019.VDF : 7.11.42.129 2048 Bytes 11/09/2012 10:19:05
VBASE020.VDF : 7.11.42.130 2048 Bytes 11/09/2012 10:19:05
VBASE021.VDF : 7.11.42.131 2048 Bytes 11/09/2012 10:19:05
VBASE022.VDF : 7.11.42.132 2048 Bytes 11/09/2012 10:19:05
VBASE023.VDF : 7.11.42.133 2048 Bytes 11/09/2012 10:19:05
VBASE024.VDF : 7.11.42.134 2048 Bytes 11/09/2012 10:19:05
VBASE025.VDF : 7.11.42.135 2048 Bytes 11/09/2012 10:19:06
VBASE026.VDF : 7.11.42.136 2048 Bytes 11/09/2012 10:19:06
VBASE027.VDF : 7.11.42.137 2048 Bytes 11/09/2012 10:19:06
VBASE028.VDF : 7.11.42.138 2048 Bytes 11/09/2012 10:19:06
VBASE029.VDF : 7.11.42.139 2048 Bytes 11/09/2012 10:19:06
VBASE030.VDF : 7.11.42.140 2048 Bytes 11/09/2012 10:19:06
VBASE031.VDF : 7.11.42.142 2048 Bytes 11/09/2012 10:19:06
Engine version : 8.2.10.158
AEVDF.DLL : 8.1.2.10 102772 Bytes 10/07/2012 10:25:22
AESCRIPT.DLL : 8.1.4.48 459130 Bytes 07/09/2012 10:25:30
AESCN.DLL : 8.1.8.2 131444 Bytes 27/01/2012 10:46:02
AESBX.DLL : 8.2.5.12 606578 Bytes 14/06/2012 12:42:29
AERDL.DLL : 8.1.9.15 639348 Bytes 08/09/2011 21:16:06
AEPACK.DLL : 8.3.0.34 811383 Bytes 07/09/2012 10:25:30
AEOFFICE.DLL : 8.1.2.42 201083 Bytes 20/07/2012 10:28:49
AEHEUR.DLL : 8.1.4.96 5267830 Bytes 07/09/2012 10:25:29
AEHELP.DLL : 8.1.23.2 258422 Bytes 28/06/2012 13:38:31
AEGEN.DLL : 8.1.5.36 434549 Bytes 24/08/2012 10:25:28
AEEXP.DLL : 8.1.0.86 90484 Bytes 07/09/2012 10:25:30
AEEMU.DLL : 8.1.3.2 393587 Bytes 10/07/2012 10:25:21
AECORE.DLL : 8.1.27.4 201078 Bytes 07/08/2012 10:25:33
AEBB.DLL : 8.1.1.0 53618 Bytes 01/09/2011 21:46:01
AVWINLL.DLL : 12.3.0.15 27344 Bytes 08/05/2012 18:11:57
AVPREF.DLL : 12.3.0.15 51920 Bytes 08/05/2012 18:11:59
AVREP.DLL : 12.3.0.15 179208 Bytes 08/05/2012 18:12:02
AVARKT.DLL : 12.3.0.15 211408 Bytes 08/05/2012 18:11:58
AVEVTLOG.DLL : 12.3.0.15 169168 Bytes 08/05/2012 18:11:58
SQLITE3.DLL : 3.7.0.1 398288 Bytes 08/05/2012 18:12:02
AVSMTP.DLL : 12.3.0.32 63480 Bytes 08/08/2012 12:26:35
NETNT.DLL : 12.3.0.15 17104 Bytes 08/05/2012 18:12:02
RCIMAGE.DLL : 12.3.0.31 4445944 Bytes 08/08/2012 12:26:30
RCTEXT.DLL : 12.3.0.31 97784 Bytes 08/08/2012 12:26:30

Configuration settings for the scan:
Jobname.............................: ShlExt
Configuration file..................: C:\Users\Fabio\AppData\Local\Temp\7de1d422.avp
Logging.............................: default
Primary action......................: Interactive
Secondary action....................: Ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: D:,
Process scan........................: off
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Deviating archive types.............: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox, +ISO 9660, +Windows Imaging File (WIM),
Macro heuristic.....................: on
File heuristic......................: Complete
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+PFS,+SPR,

Start of the scan: martedì 11 settembre 2012 12:19

Starting the file scan:

Begin scan in 'D:\' <DATA>
D:\Chaddo\SEO Cash Club\SEO Cash Club Part_1\SEO Cash Club\Bonuses\Bonus Infoproducts\BacklinkHurricane.zip
[WARNING] Invalid compressed data
D:\Chaddo\SEO Cash Club\SEO Cash Club Part_3\SEO Cash Club\Bonuses\Bonus Infoproducts\BacklinkHurricane.zip
[WARNING] Invalid compressed data
D:\Chaddo\SEO Cash Club\SEO Cash Club Part_5\SEO Cash Club\Bonuses\Bonus Infoproducts\IncomeExplosion-CD.zip
[WARNING] Invalid compressed data
D:\Downloads\Files zip\180.zip
[WARNING] Invalid end of file
D:\Downloads\Files zip\3922.zip
[WARNING] Invalid end of file
D:\Downloads\Files zip\Google_20Sniper_202.part01.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\INFETTIVE.rar
[WARNING] The file is password protected
D:\Downloads\Files zip\SEO Cash Club.part01.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part01.rar.crdownload
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part02.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part02.rar.crdownload
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part03.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part04.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part05.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part06.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part07.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part08.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part09.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part10.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part11.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part12.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part13.rar
[WARNING] Error multiple volume
D:\Downloads\Files zip\SEO Cash Club.part14.rar
[WARNING] Error multiple volume
D:\Downloads\Wordpress Themes\WP Elite Club\IMBoltWPTheme.zip
[WARNING] Invalid end of file
D:\My Sites\freeonlinemoviesfree.com\backup\backup-11.25.2011_11-28-41_freeonli.tar.gz
[WARNING] Unexpected end of block
D:\My Sites\freeonlinemoviesfree.com\backup\backup-freeonlinemoviesfree.com-12-11-2011.tar.gz
[WARNING] Unexpected end of block
D:\My Sites\SOLD - DELETED\free-multiplayer-online-games.org\backup\backup-3.17.2012_04-48-29_freemult.tar.gz
[WARNING] Unexpected end of block
D:\Programmi\TinyXP-Rev09.iso
[0] Archive type: ISO 9660
BootCD/WinTools/WinKeyFinder.exe
[DETECTION] Contains recognition pattern of the SPR/WinKey.AI program
EXTRAS/Windows-Media-Player-11-Silent-Install.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
ROOT/0001/$OEM$/$$/system32/cmdow.exe
[DETECTION] Contains recognition pattern of the APPL/HideWindows.31232.1 application
ROOT/0001/EXTRAS/Windows-Media-Player-11-Silent-Install.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
ROOT/0002/$OEM$/$$/system32/cmdow.exe
[DETECTION] Contains recognition pattern of the APPL/HideWindows.31232.1 application
ROOT/0002/EXTRAS/Windows-Media-Player-11-Silent-Install.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
ROOT/0003/$OEM$/$$/system32/cmdow.exe
[DETECTION] Contains recognition pattern of the APPL/HideWindows.31232.1 application
ROOT/0004/$OEM$/$$/system32/cmdow.exe
[DETECTION] Contains recognition pattern of the APPL/HideWindows.31232.1 application
ROOT/0005/$OEM$/$$/system32/cmdow.exe
[DETECTION] Contains recognition pattern of the APPL/HideWindows.31232.1 application
ROOT/0005/EXTRAS/Windows-Media-Player-11-Silent-Install.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
ROOT/0006/$OEM$/$$/system32/cmdow.exe
[DETECTION] Contains recognition pattern of the APPL/HideWindows.31232.1 application
ROOT/0006/EXTRAS/Windows-Media-Player-11-Silent-Install.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
ROOT/0007/$OEM$/$$/system32/cmdow.exe
[DETECTION] Contains recognition pattern of the APPL/HideWindows.31232.1 application
ROOT/0008/$OEM$/$$/system32/cmdow.exe
[DETECTION] Contains recognition pattern of the APPL/HideWindows.31232.1 application
D:\Programmi\Scrapebox\ninja-proxy\project-posted 07-02-2012.spp
[WARNING] The file is password protected
D:\Video\Video Training\Google Sniper 2.0\Google Sniper 2.part03.rar
[WARNING] Error multiple volume
D:\Video\Video Training\Google Sniper 2.0\Google_20Sniper_202.part01.rar
[WARNING] Error multiple volume
D:\Video\Video Training\Google Sniper 2.0\Google_20Sniper_202.part02.rar
[WARNING] Error multiple volume
D:\Video\Video Training\Google Sniper 2.0\Google_20Sniper_202.part04.rar
[WARNING] Error multiple volume
D:\Video\Video Training\Google Sniper 2.0\Google_20Sniper_202.part05.rar
[WARNING] Error multiple volume
D:\Video\Video Training\Google Sniper 2.0\Google_20Sniper_202.part06.rar
[WARNING] Error multiple volume
D:\Video\Video Training\Xo971\Back+Up+Content+Revenge.rar
[WARNING] The file is password protected

Beginning disinfection:
D:\Programmi\TinyXP-Rev09.iso
[DETECTION] Contains recognition pattern of the APPL/HideWindows.31232.1 application
[NOTE] The file was moved to the quarantine directory under the name '555f8cc7.qua'.


End of the scan: martedì 11 settembre 2012 14:22
Used time: 1:27:23 Hour(s)

The scan has been done completely.

10131 Scanned directories
1222996 Files were scanned
14 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
1222982 Files not concerned
42293 Archives were scanned
35 Warnings
1 Notes

[crazy.cat]

Direi che l'unico di cui ti devi preoccupare (forse non troppo) è questo file
EXTRAS/Windows-Media-Player-11-Silent-Install.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
Ma potrebbe essere un falso positivo o un downloader di quelli di softonic (o qualcosa di simile)

Il resto sono parti di archivi protetti da password o incompleti che non riesce ad analizzare.

Qui non è che hai alzato l'euristica al massimo?
BootCD/WinTools/WinKeyFinder.exe
[DETECTION] Contains recognition pattern of the SPR/WinKey.AI program
ROOT/0001/$OEM$/$$/system32/cmdow.exe
[DETECTION] Contains recognition pattern of the APPL/HideWindows.31232.1 application

[FDM75]

Ciao,

innanzitutto grazie mille per la risposta! :)

Dunque, ho usato il settaggio per Avira di questa guida

http://www.MegaLab.it/6303/4/pc-infetto ... ntervenire

Perciò sì, l''euristica è settata al massimo. Può semplicemente essere tutto un falso positivo quindi o è meglio effettuare qualche altro test (se sì quali?) per accertarmi che non sia nulla di preoccupante?

Grazie ancora!! :)

[crazy.cat]

Direi che puoi provare a caricare il file Windows-Media-Player-11-Silent-Install.exe (sempre se sai in quale cartella si trova perché dal log non è che si capisca) sul sito www.virustotal.com e farlo analizzare.

Il rischio dell'alzare l'euristica è che ti veda anche troppi pericoli, bisogna saperli poi distinguere.

[FDM75]

Correggimi se sbaglio ma mi pare che quel file dovrebbe essere in D:\Programmi\TinyXP-Rev09.iso secondo il log. O sbaglio?

In effetti è l'unico spostato in quarantena tra l'altro.

Si tratta di un file che ho scaricato tempo fa ma non dovrebbe avere niente di strano credo. Serviva per installare una macchina virtuale sul mio PC.

Secondo te se cambio il settaggio dell'euristica e faccio un'altra scansione, se non verrà trovato nulla posso ritenermi "pulito"?

Grazie!!

[crazy.cat]

O sbaglio?

No, è una cosa diversa, ma non dice dove sia.
EXTRAS/Windows-Media-Player-11-Silent-Install.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
ROOT/0001/EXTRAS/Windows-Media-Player-11-Silent-Install.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
ROOT/0002/EXTRAS/Windows-Media-Player-11-Silent-Install.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
ROOT/0005/EXTRAS/Windows-Media-Player-11-Silent-Install.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
Prova a usare la ricerca di windows se ti dice dove si trova quel file Windows-Media-Player-11-Silent-Install.exe.

Se abbassi l'euristica i rilevamenti dovrebbero essere minimi.
Direi che sei abbastanza tranquillo, se vuoi proprio fare un controllo extra usa malwarebytes.

[FDM75]

Ah ok, mi sembrava indicasse fosse quello il file.

Purtroppo non riesco a trovare questo Windows-Media-Player-11-Silent-Install.exe, ho fatto ricerche ma sembra non ci sia nulla.

Malwarebytes l'ho già usato ma non in modalità provvisoria. Riprovo in quel modo e vedo che succede.

In modalità normale non ha rilevato nulla, così come Superantispyware.

Speriamo bene!

Grazie mille per l'aiuto!!