Trojan-Dropper.Win32.Agent.dgo

**budu85** · 13-01-2008, 16:08

ho scoperto come si chiama il virus che avevo segnalato come rallenta sistema nel post precedente...qualcuno ha idee su come si possa estirpare o se esista qualche programmino fix apposta per lui?

**the hacker** · 13-01-2008, 21:17

CERTO! basta usare Avenger!

http://swandog46.geekstogo.com/avenger.zip

**budu85** · 13-01-2008, 21:57

e va bene,lo ho scaricato...ma che cosa devo usare come istruzione da dare ad avenger per ripulire?

**the hacker** · 13-01-2008, 22:03

scompattalo sul desktop
avvialo, seleziona Input script manually
clicca sulla lente d'ingrandimento
nella finestra che si apre View/Edit scrit copia/incolla queste righe:

C:\WINDOWS\system32\usrserv.exe
C:\DOCUME~1\Utente\IMPOST~1\Temp\588046 .exe

Clicca Done
poi sul icona del semaforo
rispondi Yes (a questo punto il PC dovrebbe riavviarsi. se così non fosse riavvialo manualmente)
al riavvio, trova la cartella C:\avenger\backup.zip, carica l'archivio su http://www.freefilehosting.net/ e mandami il link

**budu85** · 13-01-2008, 22:20

lo ho fatto ma quando clicco per la seconda volta sul semaforo mi dice che il file selezionato non e' uno script valido...mi dice o salvi un log e continui o abortisci l'azione,io ho abortito,dovevo continuare?

**the hacker** · 13-01-2008, 22:24

dovevi continuare..

**phoenix74** · 23-01-2008, 15:33

ciao a tutti

sono un neo iscritto e ho trovato il vostro forum "grazie" al virus che risiede sul mio pc,trattasi dello stesso di cui si parla in questo topic. Ho un piccolo problema pero' con il programma da voi consigliato, infatti avenger mi da un errore dopo aver inserito

C:\WINDOWS\system32\usrserv.exe
C:\DOCUME~1\Utente\IMPOST~1\Temp\588046 .exe

e non lavora.

Che posso fare? Si sono trovate altre soluzioni per eliminare questo fastidiosissimo virus?

vi ringrazio in anticipo

**phoenix74** · 23-01-2008, 21:46

ecco i log

ComboFix 08-01-23.2 - Ricky 2008-01-23 19.34.25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.700 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Ricky\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))) )
.

C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.da t
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.da t
C:\Documents and Settings\Ricky\Dati applicazioni\addon.dat
C:\WINXP\system32\geeby.dll
C:\WINXP\system32\geeby.exe
C:\WINXP\system32\server.exe
C:\WINXP\system32\ybeeg.ini
C:\WINXP\system32\ybeeg.ini2

----- BITS: Possible infected sites -----

hxxp://www.down
.
((((((((((((((((((((((((( Files Creati Da 2007-12-23 al 2008-01-23 )))))))))))))))))))))))))))))))))))
.

2008-01-23 19:32 . 2000-08-31 08:00 51,200 --a------ C:\WINXP\Nircmd.exe
2008-01-23 19:08 . 2007-06-05 10:56 44,928 --a------ C:\WINXP\system32\drivers\SDTHOOK.SYS
2008-01-23 19:07 . 2007-06-08 09:44 8,576 --a------ C:\WINXP\system32\drivers\vcwrcofbdtpm.sys
2008-01-23 19:06 . 2007-06-08 09:44 8,576 --a------ C:\WINXP\system32\drivers\RkPavProc.sys
2008-01-23 18:54 . 2008-01-23 19:07 <DIR> d-------- C:\WINXP\system32\ActiveScan
2008-01-23 18:54 . 2008-01-23 18:54 30,590 --a------ C:\WINXP\system32\pavas.ico
2008-01-23 18:54 . 2008-01-23 18:54 2,550 --a------ C:\WINXP\system32\Uninstall.ico
2008-01-23 18:54 . 2008-01-23 18:54 1,406 --a------ C:\WINXP\system32\Help.ico
2008-01-23 18:34 . 2008-01-23 18:34 <DIR> d-------- C:\Programmi\Trend Micro
2008-01-23 14:14 . 2008-01-23 14:14 <DIR> d-------- C:\VundoFix Backups
2008-01-22 23:59 . 2008-01-23 19:39 <DIR> d-------- C:\Programmi\ewido anti-spyware 4.0
2008-01-22 23:56 . 2008-01-23 00:07 <DIR> d-------- C:\WINXP\BDOSCAN8
2008-01-22 18:56 . 2008-01-22 19:05 91,492 --a------ C:\WINXP\system32\drivers\klin.dat
2008-01-22 18:56 . 2008-01-22 19:05 85,860 --a------ C:\WINXP\system32\drivers\klick.dat
2008-01-22 18:54 . 2008-01-22 18:54 <DIR> d-------- C:\Programmi\Kaspersky Lab
2008-01-22 18:54 . 2008-01-23 19:39 2,471,200 --ahs---- C:\WINXP\system32\drivers\fidbox.dat
2008-01-22 18:54 . 2008-01-23 19:38 39,368 --ahs---- C:\WINXP\system32\drivers\fidbox.idx
2008-01-22 18:54 . 2008-01-23 19:39 23,328 --ahs---- C:\WINXP\system32\drivers\fidbox2.dat
2008-01-22 18:54 . 2008-01-23 19:38 4,256 --ahs---- C:\WINXP\system32\drivers\fidbox2.idx
2008-01-22 14:14 . 2008-01-22 19:41 23,040 --a------ C:\WINXP\system32\Setup .exe
2008-01-22 07:45 . 2008-01-22 07:45 155,648 --a------ C:\WINXP\system32\NeroCheck .exe
2008-01-22 07:45 . 2008-01-22 07:45 32,768 --a------ C:\WINXP\V0220Mon .exe
2008-01-22 07:45 . 2008-01-22 07:45 15,360 --a------ C:\WINXP\system32\ctfmon .exe
2008-01-21 22:10 . 2008-01-21 22:10 <DIR> d-------- C:\Programmi\Elaborate Bytes
2008-01-21 18:39 . 2008-01-22 14:03 <DIR> d-------- C:\Programmi\VoipCheapCom
2008-01-20 14:12 . 2008-01-20 14:12 <DIR> d-------- C:\Programmi\Windows Media Connect 2
2008-01-20 14:12 . 2004-08-19 15:39 221,184 --a------ C:\WINXP\system32\wmpns.dll
2008-01-20 14:10 . 2008-01-22 18:47 <DIR> d-------- C:\WINXP\system32\LogFiles
2008-01-20 14:10 . 2008-01-20 14:11 <DIR> d-------- C:\WINXP\system32\drivers\UMDF
2008-01-13 21:32 . 2008-01-13 21:32 97,216 --a------ C:\WINXP\system32\drivers\AnyDVD.sys
2007-12-28 15:00 . 2007-12-28 15:00 <DIR> d-------- C:\KAV
2007-12-26 22:57 . 2007-12-26 22:57 <DIR> d-------- C:\Programmi\MSXML 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )
.
2008-01-23 18:30 --------- d-----w C:\Programmi\WinMX
2008-01-22 22:29 --------- d-----w C:\Programmi\Windows Live
2008-01-20 14:29 --------- d-----w C:\Programmi\DVD Profiler
2007-12-20 17:12 --------- d-----w C:\Programmi\Microsoft SQL Server Compact Edition
2007-12-20 17:07 --------- dcsh--w C:\Programmi\File comuni\WindowsLiveInstaller
2007-10-25 09:26 53,248 ----a-w C:\WINXP\bdoscandel.exe
2007-10-23 16:49 586,240 ----a-w C:\WINXP\WLXPGSS.SCR
.

codice:

<pre>
----a-w            39,792 2008-01-22 16:48:19  C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           949,376 2008-01-22 16:48:23  C:\Programmi\ESET\nod32kui .exe
----a-w         6,283,264 2008-01-22 23:22:04  C:\Programmi\ewido anti-spyware 4.0\ewido  .exe
----a-w            94,208 2008-01-22 16:48:22  C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor .exe
----a-w           132,496 2008-01-22 16:48:19  C:\Programmi\Java\jre1.6.0_03\bin\jusched .exe
----a-w           218,376 2008-01-22 22:39:17  C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp  .exe
----a-w         1,694,208 2008-01-22 16:49:51  C:\Programmi\Messenger\msmsgs .exe
----a-w         5,724,184 2008-01-22 22:39:16  C:\Programmi\Windows Live\Messenger\MsnMsgr .Exe
----a-w            32,768 2008-01-22 06:45:43  C:\WINXP\V0220Mon .exe
----a-w            15,360 2008-01-22 06:45:50  C:\WINXP\system32\ctfmon .exe
----a-w           155,648 2008-01-22 06:45:45  C:\WINXP\system32\NeroCheck .exe
----a-w            23,040 2008-01-22 18:41:39  C:\WINXP\system32\Setup .exe
</pre>

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-10-15 17:00 1818624 C:\WINXP\mixer.exe]
"AVP"="C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51 218376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvuusr]

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINXP\system32\DRIVERS\fetnd5bv.sys [2007-07-05 05:33]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINXP\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 V0220Dev;Live! Cam Video IM;C:\WINXP\system32\DRIVERS\V0220Dev.sys [2006-06-29 06:58]
R3 V0220Vfx;V0220VFX;C:\WINXP\system32\DRIVERS\V0220V fx.sys [2006-06-08 09:00]
S2 avp ;avp ;"C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp .exe" []
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Programmi\MAGIX\Common\Database\bin\fb server.exe [2005-11-17 14:18]
S3 UPnPService;UPnPService;C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 16:00]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{96cefb98-75a8-11dc-9d9a-00507022c458}]
\Shell\Auto\command - G:\sys.exe
\Shell\AutoRun\command - C:\WINXP\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{f7524c10-7425-11dc-b63d-806d6172696f}]
\Shell\AutoRun\command - E:\start.exe /checksection

.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-23 18:08:00 C:\WINXP\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1191690440.job"
- C:\Programmi\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
************************************************** ************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 19:40:01
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

************************************************** ************************
.

**phoenix74** · 23-01-2008, 21:47

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:45, on 2008-01-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\svchost.exe
C:\WINXP\Mixer.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINXP\system32\wscntfy.exe
C:\WINXP\system32\NOTEPAD.EXE
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: tuvuusr - C:\WINXP\
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINXP\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINXP\system32\ati2sgag.exe
O23 - Service: avp - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp .exe (file missing)
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programmi\MAGIX\Common\Database\bin\fbserver.ex e
O23 - Service: Pml Driver HPZ12 - HP - C:\WINXP\system32\HPZipm12.exe
O23 - Service: UPnPService - Magix AG - C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 3567 bytes

**Deifobe** · 23-01-2008, 22:50

Fai una scansione on line con Bitdefender. Salva e posta i risultati.

Scarica SistemScan
Disconnettiti da internet => disattiva l'antivirus => esegui sistemscan => spunta tutte le opzioni => clicca su "Scan Now".
Finita la scansione, riattiva l'antivirus, carica il rapporto che trovi in C:\Suspectfile su www.sendmefile.com e posta il link ottenuto.
Se hai problemi con il SeDebug, scarica SeDebug-Restore ed esegui l'applicazione. Riavvia e riprova con SystemScan

Discussione: Trojan-Dropper.Win32.Agent.dgo

Strumenti discussione

Ricerca discussione

Visualizza

Trojan-Dropper.Win32.Agent.dgo

Permessi di invio