Bagle virus: script problem for Avenger


Post by Gianni78 » Tue Feb 19, 2008 10:36 am

Hello everyone, my PC was infected by the Bagle virus and it is thanks to your forum that I found out. I have Windows XP, I followed the whole procedure you describe and, after more than 112 hours, today I finished the scan with Kaspersky. Now, even having seen from the examples how you build the scripts, I still have some doubts, which is why I kindly ask whether you could tell me the right script to put into Avenger, and whether there is anything else to do after deleting the files.
I attach the scan file.
Thanks in advance.
Regards
Gianni

Post by crazy.cat » Tue Feb 19, 2008 11:02 am

112 hours? Wouldn't it have been quicker to just format everything?

Disable System Restore on all drives, then reboot the PC
http://www.MegaLab.it/2330

Download Avenger http://www.MegaLab.it/forum/viewtopic.p ... 172#325172
Extract it to a folder of your choice
Run the file avenger.exe, the one with the sword icon
Select the radio button for input script manually
Then select the magnifying glass and click it
Now paste these lines into the white box that has opened:

Code:
Files to delete:
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\windows\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\mdelk.exe
C:\copy.exe
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temp\wz983d\Password Keeper 1.0.exe
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\2XAT61KR\b64_1[1].jpg
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\2XAT61KR\b64_2[2].jpg
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\2XAT61KR\b64_31[1].jpg
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_1[1].jpg
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_1[2].jpg
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_2[1].jpg
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_31[1].jpg
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\QT8BMN6Z\b64_1[1].jpg
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\QT8BMN6Z\b64_2[1].jpg
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\QT8BMN6Z\b64_31[1].jpg
C:\host.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\temp1.exe
C:\WINDOWS\system32\temp2.exe
C:\WINDOWS\xcopy.exe
D:\copy.exe
D:\host.exe

folders to delete:
c:\WINDOWS\system32\drivers\down

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Now click Done at the bottom of the box
Select the traffic-light icon at the top right
Answer Yes to Avenger's two prompts
Now your computer should reboot; if it doesn't, reboot it manually yourself
When the computer restarts, copy and paste here the contents of the Notepad window that will appear, try to reinstall the antivirus right away, and delete the folder c:\avenger.

You will almost certainly have to re-download the installation files of your security programs, because the virus has damaged them.

Script problem

Post by Gianni78 » Tue Feb 19, 2008 1:03 pm

Hi, thanks for replying. I did everything as you told me, but after it rebooted I got the message "cannot find the file C:\WINDOWS\svchost.exe". After pressing OK, the message "cannot load or run the file C:\WINDOWS\svchost.exe". Then a DOS screen came up and after a while the message "Windows - Disk not present - Exception Processing Message c0000013 Parameters 75b1bf9c 4 75b1bf9c 75b1bf9c". Below it says Cancel - Try Again - Continue. I don't know what to do.
Gianni

Post by crazy.cat » Tue Feb 19, 2008 1:09 pm

If you press Continue or Cancel, does the PC start?

Can you at least boot into Safe Mode?

Post by Gianni78 » Tue Feb 19, 2008 1:22 pm

The PC started up and the following script appeared:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xxeqmega

*******************

Script file located at: \??\C:\WINDOWS\system32\wbmxkbrn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\drivers\srosa.sys deleted successfully.
File C:\WINDOWS\system32\wintems.exe deleted successfully.


File C:\WINDOWS\system32\trusted.exe not found!
Deletion of file C:\WINDOWS\system32\trusted.exe failed!

Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc0000034

File C:\windows\system32\drivers\hldrrr.exe deleted successfully.
File C:\WINDOWS\system32\mdelk.exe deleted successfully.
File C:\copy.exe deleted successfully.
File C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temp\wz983d\Password Keeper 1.0.exe deleted successfully.
File C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\2XAT61KR\b64_1[1].jpg deleted successfully.
File C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\2XAT61KR\b64_2[2].jpg deleted successfully.
File C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\2XAT61KR\b64_31[1].jpg deleted successfully.
File C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_1[1].jpg deleted successfully.
File C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_1[2].jpg deleted successfully.
File C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_2[1].jpg deleted successfully.
File C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_31[1].jpg deleted successfully.
File C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\QT8BMN6Z\b64_1[1].jpg deleted successfully.
File C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\QT8BMN6Z\b64_2[1].jpg deleted successfully.
File C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\QT8BMN6Z\b64_31[1].jpg deleted successfully.
File C:\host.exe deleted successfully.
File C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe deleted successfully.
File C:\WINDOWS\svchost.exe deleted successfully.
File C:\WINDOWS\system32\temp1.exe deleted successfully.
File C:\WINDOWS\system32\temp2.exe deleted successfully.
File C:\WINDOWS\xcopy.exe deleted successfully.
File D:\copy.exe deleted successfully.
File D:\host.exe deleted successfully.
Folder c:\WINDOWS\system32\drivers\down deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Gianni

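Added example (the editor's Python, not Avenger's own code and not anything posted in this thread): a small reconciliation of crazy.cat's script against the log Gianni78 pasted back. The SCRIPT and LOG strings are constructed excerpts of the ones above, in the same directive and log formats. The NTSTATUS names are standard Windows codes: 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, so the "failed" lines for trusted.exe and pci32.sys mean those objects were already gone, not that the worm resisted deletion. The reconciliation also reports script items the log never mentions, which is the case to worry about, since it means the script did not run to completion.

```python
import re

# Constructed excerpt of crazy.cat's script, same directive format as the original.
SCRIPT = r"""Files to delete:
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\trusted.exe

Folders to delete:
c:\WINDOWS\system32\drivers\down

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
"""

# Constructed excerpt of the log Avenger wrote after the reboot (two successes, one failure).
LOG = r"""File C:\WINDOWS\system32\drivers\srosa.sys deleted successfully.
File C:\WINDOWS\system32\wintems.exe deleted successfully.

File C:\WINDOWS\system32\trusted.exe not found!
Deletion of file C:\WINDOWS\system32\trusted.exe failed!

Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc0000034

Folder c:\WINDOWS\system32\drivers\down deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<kind>files|folders|registry keys|drivers) to delete:$", re.I)
SUCCESS_RE = re.compile(r"^(?:File|Folder|Registry key|Driver) (.+) deleted successfully\.$", re.I)
FAILED_RE = re.compile(r"^Deletion of (?:file|folder|registry key|driver) (.+) failed!$", re.I)
STATUS_RE = re.compile(r"^Status: (0x[0-9a-f]+)$", re.I)

# Standard NTSTATUS codes; the first is the one that appears in the thread's logs.
NTSTATUS = {
    "0xc0000034": "STATUS_OBJECT_NAME_NOT_FOUND (already absent, nothing left to remove)",
    "0xc0000022": "STATUS_ACCESS_DENIED (object still locked or protected)",
}


def norm(item: str) -> str:
    """Windows paths and registry keys are case-insensitive, so compare them lower-cased."""
    return item.strip().lower()


def parse_script(text: str) -> dict:
    """Split an Avenger script into {kind: [items]}, kind being 'files', 'folders', ..."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("kind").lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"item before any 'to delete:' header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def parse_log(text: str) -> dict:
    """Map each object named in the log to ('deleted', None) or ('failed', reason)."""
    results, expect_item, last_item = {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUCCESS_RE.match(line):
            results[norm(m.group(1))] = ("deleted", None)
        elif m := FAILED_RE.match(line):
            results[norm(m.group(1))] = ("failed", None)
        elif line == "Could not process line:":
            expect_item = True  # the next line names the item, the one after gives its status
        elif expect_item:
            last_item, expect_item = norm(line), False
        elif (m := STATUS_RE.match(line)) and last_item:
            code = m.group(1).lower()
            results[last_item] = ("failed", NTSTATUS.get(code, f"unknown NTSTATUS {code}"))
            last_item = None
    return results


def reconcile(script_text: str, log_text: str) -> dict:
    """Give every script item a verdict: 'deleted', 'failed: <reason>' or 'not in log'."""
    log = parse_log(log_text)
    verdicts = {}
    for items in parse_script(script_text).values():
        for item in items:
            state, reason = log.get(norm(item), ("absent", None))
            if state == "deleted":
                verdicts[item] = "deleted"
            elif state == "failed":
                verdicts[item] = f"failed: {reason or 'no status reported'}"
            else:
                verdicts[item] = "not in log (script line never processed)"
    return verdicts


if __name__ == "__main__":
    for item, verdict in reconcile(SCRIPT, LOG).items():
        print(f"{verdict:<72} {item}")
```

Run it on a full script and log by replacing the two constants with the file contents; every item should come back as "deleted" or as a "failed: STATUS_OBJECT_NAME_NOT_FOUND" that is harmless, and any "not in log" item means the script stopped early and the procedure should be repeated.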
Post by crazy.cat » Tue Feb 19, 2008 1:25 pm

Have you reinstalled the antivirus?

Can you run a scan with HijackThis and show us the log?
http://www.MegaLab.it/2286

Post by Gianni78 » Tue Feb 19, 2008 1:47 pm

I have now installed the Antivir PE antivirus; it started the update but cannot complete it. Now I'll try to download what you suggested.
I think there is still something wrong.
Gianni

Post by Gianni78 » Tue Feb 19, 2008 2:44 pm

I ran the scan with HijackThis; the log is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 14.42.31, on 19/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Programmi\Google\Gmail Notifier\gnotify.exe
C:\Programmi\TomTom HOME\TomTomHOME.exe
C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\MSTMON_N.EXE
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\CyberLink\PowerStarter\PowerBar.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\slrundll.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\PC PLOTTER\Desktop\HijackThis.exe
C:\Programmi\Java\jre1.6.0_02\bin\jucheck.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dei_build
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: iMesh MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Programmi\iMesh applications\iMesh MediaBar\MediaBar.dll (file missing)
R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCool.dll
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programmi\Winamp Toolbar\winamptb.dll (file missing)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Programmi\NewDotNet\newdotnet7_48.dll (file missing)
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\PCPLOT~1\IMPOST~1\Temp\~DPD1.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: XBTP01621 Class - {9EDB89EF-E4BC-4c70-B102-8F7A4365EE33} - C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCool.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programmi\DAP\DAPIEBar.dll (file missing)
O3 - Toolbar: iMesh MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Programmi\iMesh applications\iMesh MediaBar\MediaBar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar3.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCool.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programmi\Winamp Toolbar\winamptb.dll (file missing)
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=022108 serial=DR12WES-3007622-EUW lang=IT
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programmi\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Programmi\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Storm2Set] C:\WINDOWS\system32\rundll32.exe "C:\PROGRA~1\StormII\StormSet.dll",CheckEnv
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1300WStatusDisplay] C:\WINDOWS\system32\MSTMON_N.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Programmi\CyberLink\PowerStarter\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Power2GoExpress] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Programmi\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Ritaglio schermata e avvio di OneNote 2007.lnk = C:\Programmi\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart16.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dati applicazioni\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.olidata.com
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://212.162.68.228/rainet02/Rawflow.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} (TVAnts ActiveX Control) - http://www.coolstreaming.us/consolle/plug-in/tvants.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://www.coolstreaming.us/consolle/pl ... OPCORE.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C65425-9286-4A11-A06D-FD563A718873}: NameServer = 151.99.125.2,151.99.125.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Programmi\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Talk to you later.
Gianni

Post by ste_95 » Tue Feb 19, 2008 3:05 pm

Select these entries and press Fix checked:

F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\PCPLOT~1\IMPOST~1\Temp\~DPD1.dll
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe

Download Avenger
Extract it to a folder of your choice
Run the file avenger.exe, the one with the sword icon
Tick input script manually
Then select the magnifying glass and click it
Now paste these lines into the white box that has opened:

Code:
Files to delete:
C:\WINDOWS\svchost.exe

Folders to delete:
C:\DOCUME~1\PCPLOT~1\IMPOST~1\Temp


Now click Done at the bottom of the box
Select the traffic-light icon at the top right
Answer Yes to Avenger's two prompts
Now your computer should reboot; if it doesn't, reboot it manually yourself
When the computer restarts, copy and paste here the contents of the Notepad window that will appear.

Post by crazy.cat » Tue Feb 19, 2008 4:45 pm

Odd that two ctfmon.exe are being called, and even odder that the second one is defined in red.

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] C:\WINDOWS\system32\ctfmon.exe

Just to be safe, have the file analysed on the site www.virustotal.com and see what comes out.

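Added example covering both ste_95's list of entries to fix and crazy.cat's point about the duplicated ctfmon.exe (the editor's Python, not HijackThis code and not anything the posters wrote): a triage pass over a constructed excerpt of the HijackThis log above. The rules encode the reasoning in those two posts: a non-empty win.ini load=, an unnamed BHO loading from a Temp folder, executables autostarting from the drivers folder or matching the file names the thread's Avenger scripts delete, svchost.exe outside system32, the same binary registered under two Run values, and "(file missing)" orphans. The severity labels, the BAGLE_NAMES set (taken from the scripts in this thread) and the benign ssv.dll control line are my additions.

```python
import re
from collections import defaultdict

# Constructed excerpt: lines quoted from the log above plus one benign control line (ssv.dll).
HJT_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\PCPLOT~1\IMPOST~1\Temp\~DPD1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Programmi\DAP\DAPIEBar.dll (file missing)
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] C:\WINDOWS\system32\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys))', re.I)
TEMP_RE = re.compile(r"\\(?:temp|tmp|temporary internet files)\\", re.I)
# File names that the Avenger scripts and HijackThis fixes in this thread identify as Bagle parts.
BAGLE_NAMES = {"hldrrr.exe", "wintems.exe", "srosa.sys", "mdelk.exe", "trusted.exe", "pci32.sys"}


def triage(log_text: str) -> list:
    """Return (severity, line_or_path, reason) tuples; severity is 'high', 'medium' or 'low'."""
    findings = []
    run_targets = defaultdict(list)  # lower-cased binary path -> Run value names that launch it
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        code, body = entry.group("code"), entry.group("body")
        m = PATH_RE.search(body)
        path = m.group(1).lower() if m else ""
        folder, _, base = path.rpartition("\\")

        if "(file missing)" in body:
            findings.append(("low", line, "orphaned entry: referenced file is absent"))
        if base in BAGLE_NAMES:
            findings.append(("high", line, f"{base} is a Bagle component named in this thread"))
        if base == "svchost.exe" and not folder.endswith("\\system32"):
            findings.append(("high", line, "svchost.exe outside %SystemRoot%\\system32"))
        if code == "F3" and re.search(r"win\.ini: (?:load|run)=\S", body, re.I):
            findings.append(("high", line, "win.ini load=/run= is empty on a healthy system"))
        if code == "O2" and ("(no name)" in body or TEMP_RE.search(body)):
            findings.append(("high", line, "unnamed BHO or BHO loading from a temp folder"))
        if code == "O4" and base.endswith(".exe") and "\\drivers\\" in folder + "\\":
            findings.append(("high", line, "executable autostarting from the drivers folder"))
        run = RUN_RE.match(body)
        if run and path:
            run_targets[path].append(run.group("name"))

    # crazy.cat's observation: one binary registered under two different Run value names.
    for path, names in run_targets.items():
        if len(names) > 1:
            findings.append(("medium", path, f"same binary under {len(names)} Run values: {names}"))
    return findings


if __name__ == "__main__":
    for severity, target, reason in sorted(triage(HJT_LOG)):
        print(f"[{severity:>6}] {reason}\n         {target}")
```

The medium finding for ctfmon.exe is deliberately not a verdict: a legitimate Windows binary can be launched twice, so the right follow-up is the one crazy.cat gives, checking the file itself rather than the registry line.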
Post by Gianni78 » Tue Feb 19, 2008 5:58 pm

Here are the contents of the new Notepad window after using Avenger again:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vcpgsdcw

*******************

Script file located at: \??\C:\Documents and Settings\eglhijlo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\svchost.exe deleted successfully.
Folder C:\DOCUME~1\PCPLOT~1\IMPOST~1\Temp deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vcpgsdcw

*******************

Script file located at: \??\C:\Documents and Settings\eglhijlo.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!
Gianni

Post by Gianni78 » Tue Feb 19, 2008 8:03 pm

The computer is already doing better, and I thank you. I have now run a scan with Antivir, with the following result.
I await your reply on this.
Regards


AntiVir PersonalEdition Classic
Report file date: martedì 19 febbraio 2008 18:10

Scanning for 1117323 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: PC PLOTTER
Computer name: PUBBLISYSTEM

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 17:06:31
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 17:06:31
ANTIVIR2.VDF : 7.0.2.113 1673728 Bytes 08/02/2008 17:06:31
ANTIVIR3.VDF : 7.0.2.162 292864 Bytes 19/02/2008 17:06:31
AVEWIN32.DLL : 7.6.0.67 3293696 Bytes 19/02/2008 17:06:32
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 19/02/2008 17:06:32
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Local Drives
Configuration file...............: c:\programmi\avira\antivir personaledition classic\alldrives.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: E:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: martedì 19 febbraio 2008 18:10

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'slrundll.exe' - '1' Module(s) have been scanned
Scan process 'ONENOTEM.EXE' - '1' Module(s) have been scanned
Scan process 'WZQKPICK.EXE' - '1' Module(s) have been scanned
Scan process 'hpqimzone.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'PowerBar.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'DAP.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb12.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'MSTMON_N.EXE' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'TomTomHOME.exe' - '1' Module(s) have been scanned
Scan process 'gnotify.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'mqsvc.exe' - '1' Module(s) have been scanned
Scan process 'mcrdsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'snmp.exe' - '1' Module(s) have been scanned
Scan process 'slserv.exe' - '1' Module(s) have been scanned
Scan process 'tcpsvcs.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'inetinfo.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehrecvr.exe' - '1' Module(s) have been scanned
Scan process 'mscorsvw.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'msdtc.exe' - '1' Module(s) have been scanned
Scan process 'netdde.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
63 processes with 63 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!
Boot sector 'L:\'
[NOTE] No virus was found!
Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!
Boot sector 'G:\'
[NOTE] In the drive 'G:\' no data medium is inserted!
Boot sector 'H:\'
[NOTE] In the drive 'H:\' no data medium is inserted!
Boot sector 'I:\'
[NOTE] In the drive 'I:\' no data medium is inserted!
Boot sector 'K:\'
[NOTE] In the drive 'K:\' no data medium is inserted!

Starting to scan the registry.
The registry was scanned ( '69' files ).


Starting the file scan:

Begin scan in 'C:\' <XP>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\2XAT61KR\b64_1[3].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\2XAT61KR\b64_2[1].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\2XAT61KR\b64_2[3].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\2XAT61KR\b64_31[2].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_1[3].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_1[4].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_1[5].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_2[2].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_31[2].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_31[3].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_31[4].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\OJKLY56J\b64_31[5].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\QT8BMN6Z\b64_1[2].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\QT8BMN6Z\b64_2[2].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\QT8BMN6Z\b64_31[2].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\QT8BMN6Z\b64_31[3].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\QT8BMN6Z\b64_31[4].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\QT8BMN6Z\b64_31[5].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\WT6PY7OJ\b64_2[1].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\WT6PY7OJ\b64_2[2].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\WT6PY7OJ\b64_2[3].jpg
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\Documents and Settings\PC PLOTTER\Impostazioni locali\Temporary Internet Files\Content.IE5\WT6PY7OJ\b64_31[1].jpg
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\WINDOWS\xcopy.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Perlovga.A.1
[INFO] The file was deleted!
Begin scan in 'D:\'
D:\copy.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Perlovga.A.1
[INFO] The file was deleted!
D:\host.exe
[DETECTION] Is the Trojan horse TR/Drop.Small.apl
[INFO] The file was deleted!
Begin scan in 'L:\' <DATA>
L:\copy.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Perlovga.A.1
[INFO] The file was deleted!
L:\host.exe
[DETECTION] Is the Trojan horse TR/Drop.Small.apl
[INFO] The file was deleted!
Begin scan in 'A:\'
Search path A:\ could not be opened!
Periferica non pronta.

Begin scan in 'G:\'
Search path G:\ could not be opened!
Periferica non pronta.

Begin scan in 'H:\'
Search path H:\ could not be opened!
Periferica non pronta.

Begin scan in 'I:\'
Search path I:\ could not be opened!
Periferica non pronta.

Begin scan in 'K:\'
Search path K:\ could not be opened!
Periferica non pronta.

Begin scan in 'E:\'
Search path E:\ could not be opened!
Periferica non pronta.



End of the scan: martedì 19 febbraio 2008 19:41
Used time: 1:31:28 min

The scan has been done completely.

10420 Scanning directories
432185 Files were scanned
27 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
27 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
432158 Files not concerned
10907 Archives were scanned
2 Warnings
4 Notes
Gianni
Gianni78, Aficionado, Posts: 51, Joined: Wed Feb 13, 2008 7:02 pm

Post by ste_95 » Tue Feb 19, 2008 8:54 pm

There were also some leftovers of Bagle.

It is strange that two ctfmon.exe are being launched, and even stranger that the second one is listed in red.

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] C:\WINDOWS\system32\ctfmon.exe

Just to be safe, have the file analysed at www.virustotal.com and see what comes out.

Carry out the operation.

PS. In case the files:

Code:
D:\copy.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Perlovga.A.1
[INFO] The file was deleted!
D:\host.exe
[DETECTION] Is the Trojan horse TR/Drop.Small.apl


reappear, please compress them and forward them to this address. Thanks.
«Sometimes it is better to stay silent and seem stupid than to open your mouth and remove all doubt.» Oscar Wilde
ste_95, Official Member (Gold), Posts: 17271, Joined: Mon Aug 06, 2007 11:19 am
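As an added example, not part of the thread and not code from HijackThis or any other tool mentioned here: a small Python checker that reads HijackThis O4 lines and flags the pattern ste_95 points out above, namely two Run values launching the same binary, and a well-known system binary (ctfmon.exe) registered under an unrelated value name. The two HKCU lines are the ones quoted in the post; the two HKLM lines and the SELF_NAMED_SYSTEM_BINARIES list are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample input: the two HKCU Run entries quoted in the post,
# plus two benign HKLM entries added for contrast (an assumption; they are
# not from the poster's HijackThis log).
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [Power2GoExpress] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0\bin\jusched.exe" -min',
]

# Windows binaries that normally register under their own file name; a Run
# value with an unrelated name pointing at one of them deserves a look.
# Starter list (assumption): extend it from a baseline of clean machines.
SELF_NAMED_SYSTEM_BINARIES = {"ctfmon.exe"}

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)


def executable_of(cmd: str) -> str:
    """Return the program a Run command launches, lower-cased, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    # Unquoted: take everything up to the first .exe (paths may contain spaces).
    m = re.match(r"(.+?\.exe)(?=\s|$|,)", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd.split()[0]).lower()


def parse_o4(line: str):
    """Parse one HijackThis O4 line into its parts, or None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["exe"] = executable_of(entry["cmd"])
    entry["basename"] = entry["exe"].rsplit("\\", 1)[-1]
    return entry


def find_anomalies(lines):
    """Flag Run entries that (a) share their target with another entry, or
    (b) launch a self-named system binary under an unrelated value name.
    Returns a list of (kind, value_name, target) tuples in log order."""
    entries = [e for e in map(parse_o4, lines) if e]
    by_target = defaultdict(list)
    for e in entries:
        by_target[e["exe"]].append(e)

    findings = []
    for e in entries:
        if len(by_target[e["exe"]]) > 1:
            findings.append(("duplicate_target", e["name"], e["exe"]))
        base = e["basename"]
        stem = base[:-4] if base.endswith(".exe") else base
        if base in SELF_NAMED_SYSTEM_BINARIES and e["name"].lower() not in (stem, base):
            findings.append(("unexpected_value_name", e["name"], e["exe"]))
    return findings


if __name__ == "__main__":
    for kind, name, exe in find_anomalies(SAMPLE_O4_LINES):
        print(f"{kind:22} [{name}] -> {exe}")
```

On the sample it reports both ctfmon.exe entries as sharing a target and the Power2GoExpress value as an unexpected name for ctfmon.exe; the two HKLM entries stay silent. A mismatched value name alone proves nothing (many vendors use a product name for the value, as NvCplDaemon and SunJavaUpdateSched show), which is why that check is restricted to binaries that normally register under their own name. A hit is a reason to submit the file to virustotal.com as the post suggests, not a verdict.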

Post by Gianni78 » Wed Feb 20, 2008 11:41 am

Hi, I scanned that file with virtualvirus, but it didn't find any virus. As I said, the PC runs better, but every now and then either the internet stops working, or it freezes, or it restarts by itself. There is certainly still something to fix.
I await your suggestions.
Regards
Gianni

Post by ste_95 » Wed Feb 20, 2008 2:32 pm

Download GMER, then follow these steps:

--- Step 1 ---
Start gmer
click on > > >
Click on Autostart
tick Show All
click on Scan
when the scan finishes, click on Copy
Open Notepad and press CTRL+V (or click Edit and then Paste).
Save the file and upload it to FreeFileHosting
Post the link you are given here.

--- Step 2 ---
Still in the program you just downloaded (gmer),
click on Rootkit
click on Scan
when the scan finishes, click on Copy
Open Notepad and press CTRL+V (or click Edit and then Paste).
Save the file and upload it to FreeFileHosting
Post the link you are given here.

Post by Gianni78 » Wed Feb 20, 2008 7:08 pm

Hi, I carried out the two steps indicated; the links are as follows:

Step 1 link:

http://www.freefilehosting.net/download/3caef (gmer pas 1.txt)

Step 2 link:

http://www.freefilehosting.net/download/3caei (gmer pas 2.txt)

I await your reply
Regards
Gianni

Post by ste_95 » Wed Feb 20, 2008 7:32 pm

I don't see anomalies of any kind in these logs either.

Post by Gianni78 » Thu Feb 21, 2008 10:44 am

So I gather the problem is solved, also because for now I am no longer having the restart or freeze problems; it is only when I download e-mail that I can't save the attachments and the program freezes.
Anyway, the Bagle virus problem is solved. Thanks for the great help you gave me.
Regards
Gianni

Post by ste_95 » Thu Feb 21, 2008 1:17 pm

Also restore safe mode using this file.

Post by Gianni78 » Thu Feb 21, 2008 8:04 pm

OK, done.
Thanks again
Regards
Gianni