
Thread: BHO.Agent.BM

  1. #1

    BHO.Agent.BM

    Hi everyone, I'm a newcomer. For a few months I have been dealing with some problems on my PC after lending it to my brother (I have no idea which sites he visited...), and I would kindly ask you to help me.
    I ran a scan with VirIT eXplorer Lite and this is the log file; unfortunately, since I had already used the program in the past, even after reinstalling it recognizes that the trial period has expired and does not allow me to delete the infected files:
    06/11/2006 - 19:44:55

    [SCANSIONE DEL REGISTRO]
    {f250d521-225d-4d6b-8829-e064f944e180} Infetto da BHO.Agent.BM

    [C:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK

    C:\WINDOWS\SYSTEM\msorcljv.cnt Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\studg.ini Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\ypaa.dll Infetto da BHO.Agent.BM
    C:\WINDOWS\SYSTEM\sqlsrdui.txt Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\cp_125z.nls Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\msorclgv.cnt Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\vgafuls.3gr Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\tbm53df.tmp Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\licensk.txt Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\stdole3l.tlb Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\stdole3u.tlb Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\Desktop\backups\backup-20061102-183734-787-oomtdpy.exe Infetto da Trojan.Win32.Small.NP
    C:\WINDOWS\Desktop\backups\backup-20061102-183756-956-oomtdpy.exe Infetto da Trojan.Win32.Small.NP
    C:\WINDOWS\384217362.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\46241234110.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\1799736160.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\5241.TMP Infetto da BHO.Agent.BM
    C:\WINDOWS\hostb.sam Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\163126122171.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\820175.exe Infetto da Trojan.Win32.Small.NE
    C:\Programmi\File comuni\SERVICES\wdshFQm.exe Infetto da Trojan.Win32.Agent.AHW
    C:\Uninstall.exe Infetto da Trojan.Win32.Small.NE

    Chiavi Registro infette: 1.
    Files Infetti: 22.
    Files Sospetti: 0.
    Files Analizzati: 36806.
    Files Totali: 36806.
    Chiavi Registro rimosse: 0.
    Virus Rimossi: 0.





    I ran a HijackThis scan and am sending you the logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 16.08.27, on 07/11/06
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAMMI\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRAMMI\FILE COMUNI\{37E21228-0000-1040--0027}\888BAR.DLL
    O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRAMMI\FILE COMUNI\{37E21228-0000-1040--0027}\888BAR.DLL
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAMMI\MSN MESSENGER\MSNMSGR.EXE" /background
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/vi...bscan_ansi.cab




    Thanks to everyone, and in particular to whoever is willing to help me.

  2. #2
    I also ran an online scan with Kaspersky; here is the result:

    martedì 7 novembre 2006 15.43.28
    Operating System: Microsoft Windows 98 SE
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 7/11/2006
    Kaspersky Anti-Virus database records: 238846


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target Critical Areas
    C:\WINDOWS
    C:\WINDOWS\

    Scan Statistics
    Total number of scanned objects 40122
    Number of viruses found 10
    Number of infected objects 74 / 0
    Number of suspicious objects 0
    Duration of the scan process 01:47:11

    Infected Object Name Virus Name Last Action
    C:\WINDOWS\SYSTEM\msorcljv.cnt Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\SYSTEM\studg.ini Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\SYSTEM\ypaa.dll Infected: Trojan-Clicker.Win32.Small.mf skipped

    C:\WINDOWS\SYSTEM\sqlsrdui.txt Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\SYSTEM\cp_125z.nls Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\SYSTEM\msorclgv.cnt Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\SYSTEM\vgafuls.3gr Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\A242.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\C075.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\4125.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\E295.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\40F1.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\4112.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\A082.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\WIN386.SWP Object is locked skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-6e8ff6ab-64c75916.zip/Counter.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-6e8ff6ab-64c75916.zip/VerifierBug.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-6e8ff6ab-64c75916.zip/Worker.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-6e8ff6ab-64c75916.zip/Xeyond.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-6e8ff6ab-64c75916.zip/web.exe Infected: Trojan.Win32.Dialer.qn skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-6e8ff6ab-64c75916.zip ZIP: infected - 5 skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-65a63229-39f0f723.zip/Counter.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-65a63229-39f0f723.zip/VerifierBug.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-65a63229-39f0f723.zip/Worker.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-65a63229-39f0f723.zip/Xeyond.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-65a63229-39f0f723.zip/web.exe Infected: Trojan.Win32.Agent.rx skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-65a63229-39f0f723.zip ZIP: infected - 5 skipped

    C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\WINDOWS\Cookies\index.dat Object is locked skipped

    C:\WINDOWS\Cronologia\History.IE5\index.dat Object is locked skipped

    C:\WINDOWS\Cronologia\History.IE5\MSHist012006110720061108\index.dat Object is locked skipped

    C:\WINDOWS\Impostazioni locali\Dati applicazioni\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped

    C:\WINDOWS\40E6.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\IH51E0.TMP Infected: Trojan.Win32.Diamin.cr skipped

    C:\WINDOWS\384217362.exe Infected: Packed.Win32.PolyCrypt.a skipped

    C:\WINDOWS\46241234110.exe Infected: Trojan-Clicker.Win32.Small.kj skipped

    C:\WINDOWS\1799736160.exe Infected: Packed.Win32.PolyCrypt.a skipped

    C:\WINDOWS\5241.TMP Infected: Trojan-Clicker.Win32.Small.mf skipped

    C:\WINDOWS\E274.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\upd.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped

    C:\WINDOWS\cmdo.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped

    C:\WINDOWS\~setuptmp0\upd.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped

    C:\WINDOWS\~setuptmp0\cmdo.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped

    C:\WINDOWS\SYSTEM\msorcljv.cnt Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\SYSTEM\studg.ini Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\SYSTEM\ypaa.dll Infected: Trojan-Clicker.Win32.Small.mf skipped

    C:\WINDOWS\SYSTEM\sqlsrdui.txt Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\SYSTEM\cp_125z.nls Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\SYSTEM\msorclgv.cnt Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\SYSTEM\vgafuls.3gr Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\A242.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\C075.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\4125.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\E295.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\40F1.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\4112.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\TEMP\A082.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\WIN386.SWP Object is locked skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-6e8ff6ab-64c75916.zip/Counter.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-6e8ff6ab-64c75916.zip/VerifierBug.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-6e8ff6ab-64c75916.zip/Worker.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-6e8ff6ab-64c75916.zip/Xeyond.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-6e8ff6ab-64c75916.zip/web.exe Infected: Trojan.Win32.Dialer.qn skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-6e8ff6ab-64c75916.zip ZIP: infected - 5 skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-65a63229-39f0f723.zip/Counter.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-65a63229-39f0f723.zip/VerifierBug.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-65a63229-39f0f723.zip/Worker.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-65a63229-39f0f723.zip/Xeyond.class Infected: Trojan.Java.Femad skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-65a63229-39f0f723.zip/web.exe Infected: Trojan.Win32.Agent.rx skipped

    C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jar.jar-65a63229-39f0f723.zip ZIP: infected - 5 skipped

    C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\WINDOWS\Cookies\index.dat Object is locked skipped

    C:\WINDOWS\Cronologia\History.IE5\index.dat Object is locked skipped

    C:\WINDOWS\Cronologia\History.IE5\MSHist012006110720061108\index.dat Object is locked skipped

    C:\WINDOWS\Impostazioni locali\Dati applicazioni\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped

    C:\WINDOWS\40E6.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\IH51E0.TMP Infected: Trojan.Win32.Diamin.cr skipped

    C:\WINDOWS\384217362.exe Infected: Packed.Win32.PolyCrypt.a skipped

    C:\WINDOWS\46241234110.exe Infected: Trojan-Clicker.Win32.Small.kj skipped

    C:\WINDOWS\1799736160.exe Infected: Packed.Win32.PolyCrypt.a skipped

    C:\WINDOWS\5241.TMP Infected: Trojan-Clicker.Win32.Small.mf skipped

    C:\WINDOWS\E274.TMP Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped

    C:\WINDOWS\~DFBC3A.TMP Object is locked skipped

    C:\WINDOWS\~WRD0000.doc Object is locked skipped

    C:\WINDOWS\upd.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped

    C:\WINDOWS\cmdo.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped

    C:\WINDOWS\~WRS0002.tmp Object is locked skipped

    C:\WINDOWS\~setuptmp0\upd.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped

    C:\WINDOWS\~setuptmp0\cmdo.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped

    Scan process completed.


    Thanks again.

  3. #3
    Preliminary steps:
    disable System Restore, scan in Safe Mode
    delete temporary files, cache, cookies, etc. with CCleaner (download section), unticking "Only delete files in Windows Temp older than 48 hours".
    disable antivirus, firewall, antispyware
    disconnect from the internet.

    Most reputable removal tools:
    Prevx tool
    http://www.prevx.com/gromozon.asp

    Symantec tool:
    http://smallbiz.symantec.com/securit...092316-4153-99

    If you cannot connect to those sites, alternative links:
    direct link, Gromozon
    http://pcalsicuro.phpsoft.it/FixGrom.exe
    direct link, Symantec tool
    http://www.mytempdir.com/1003691
    If, once downloaded, they cannot be started: rename the two executables with made-up names

  4. #4
    Hi aris73, thank you for the help, but unfortunately FixGrom does not work on Win98SE, and FixLinkopt, when started in Safe Mode, tells me it is linked to the missing export NETAPI32.DLL:NetUserDel.
    At the moment only VirIT eXplorer Lite, which unfortunately I cannot use, detects everything. I am reposting the log.


    VirIT eXplorer Lite Log

    [SCANSIONE DELLA MEMORIA]
    OK
    [SCANSIONE DELLA MEMORIA]
    OK
    --------------------------------------------------------
    07/11/2006 - 20:06:27

    [SCANSIONE DEL REGISTRO]
    {f250d521-225d-4d6b-8829-e064f944e180} Infetto da BHO.Agent.BM
    {C004DEC2-2623-438e-9CA2-C9043AB28508} Infetto da Trojan.Win32.Agent.AGR

    [C:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK

    C:\WINDOWS\SYSTEM\msorcljv.cnt Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\studg.ini Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\ypaa.dll Infetto da BHO.Agent.BM
    C:\WINDOWS\SYSTEM\sqlsrdui.txt Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\cp_125z.nls Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\msorclgv.cnt Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\vgafuls.3gr Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\tbm53df.tmp Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\licensk.txt Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\stdole3l.tlb Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\stdole3u.tlb Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\Desktop\backups\backup-20061102-183734-787-oomtdpy.exe Infetto da Trojan.Win32.Small.NP
    C:\WINDOWS\Desktop\backups\backup-20061102-183756-956-oomtdpy.exe Infetto da Trojan.Win32.Small.NP
    C:\WINDOWS\Desktop\backups\backup-20061107-184848-442.dll Infetto da Trojan.Win32.Agent.AGR
    C:\WINDOWS\384217362.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\46241234110.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\1799736160.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\5241.TMP Infetto da BHO.Agent.BM
    C:\WINDOWS\hostb.sam Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\163126122171.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\820175.exe Infetto da Trojan.Win32.Small.NE
    C:\Programmi\File comuni\SERVICES\wdshFQm.exe Infetto da Trojan.Win32.Agent.AHW
    C:\Programmi\File comuni\{07E21228-0000-1040--0027}\Update.exe Infetto da Trojan.Win32.Agent.AIB
    C:\Uninstall.exe Infetto da Trojan.Win32.Small.NE
    C:\!KillBox\888Bar.dll Infetto da Trojan.Win32.Agent.AGR
    C:\!KillBox\888Bar.dll( 1) Infetto da Trojan.Win32.Agent.AGR
    C:\!KillBox\888Bar.dll( 2) Infetto da Trojan.Win32.Agent.AGR
    C:\!KillBox\888Bar.dll( 3) Infetto da Trojan.Win32.Agent.AGR

    Chiavi Registro infette: 2.
    Files Infetti: 28.
    Files Sospetti: 0.
    Files Analizzati: 39655.
    Files Totali: 39655.
    Chiavi Registro rimosse: 0.
    Virus Rimossi: 0.

    [SCANSIONE DELLA MEMORIA]
    OK
    --------------------------------------------------------
    07/11/2006 - 23:44:20

    [SCANSIONE DEL REGISTRO]
    {f250d521-225d-4d6b-8829-e064f944e180} Infetto da BHO.Agent.BM

    [C:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK

    C:\WINDOWS\SYSTEM\msorcljv.cnt Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\studg.ini Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\ypaa.dll Infetto da BHO.Agent.BM
    C:\WINDOWS\SYSTEM\sqlsrdui.txt Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\cp_125z.nls Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\msorclgv.cnt Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\vgafuls.3gr Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\tbm53df.tmp Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\licensk.txt Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\stdole3l.tlb Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\stdole3u.tlb Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\Desktop\backups\backup-20061102-183734-787-oomtdpy.exe Infetto da Trojan.Win32.Small.NP
    C:\WINDOWS\Desktop\backups\backup-20061102-183756-956-oomtdpy.exe Infetto da Trojan.Win32.Small.NP
    C:\WINDOWS\Desktop\backups\backup-20061107-184848-442.dll Infetto da Trojan.Win32.Agent.AGR
    C:\WINDOWS\384217362.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\46241234110.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\1799736160.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\5241.TMP Infetto da BHO.Agent.BM
    C:\WINDOWS\hostb.sam Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\163126122171.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\820175.exe Infetto da Trojan.Win32.Small.NE
    C:\Programmi\File comuni\SERVICES\wdshFQm.exe Infetto da Trojan.Win32.Agent.AHW
    C:\Programmi\File comuni\{07E21228-0000-1040--0027}\Update.exe Infetto da Trojan.Win32.Agent.AIB
    C:\!KillBox\888Bar.dll Infetto da Trojan.Win32.Agent.AGR
    C:\!KillBox\888Bar.dll( 1) Infetto da Trojan.Win32.Agent.AGR
    C:\!KillBox\888Bar.dll( 2) Infetto da Trojan.Win32.Agent.AGR
    C:\!KillBox\888Bar.dll( 3) Infetto da Trojan.Win32.Agent.AGR

    Chiavi Registro infette: 1.
    Files Infetti: 27.
    Files Sospetti: 0.
    Files Analizzati: 26637.
    Files Totali: 26637.
    Chiavi Registro rimosse: 0.
    Virus Rimossi: 0.

    [SCANSIONE DELLA MEMORIA]
    OK
    --------------------------------------------------------
    08/11/2006 - 00:14:59

    [SCANSIONE DEL REGISTRO]
    {f250d521-225d-4d6b-8829-e064f944e180} Infetto da BHO.Agent.BM

    [C:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK


    Chiavi Registro infette: 1.
    Files Infetti: 0.
    Files Sospetti: 0.
    Files Analizzati: 120.
    Files Totali: 120.
    Chiavi Registro rimosse: 0.
    Virus Rimossi: 0.

    [SCANSIONE DELLA MEMORIA]
    OK
    --------------------------------------------------------
    08/11/2006 - 00:22:18

    [SCANSIONE DEL REGISTRO]
    {f250d521-225d-4d6b-8829-e064f944e180} Infetto da BHO.Agent.BM

    [C:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK


    Chiavi Registro infette: 1.
    Files Infetti: 0.
    Files Sospetti: 0.
    Files Analizzati: 30.
    Files Totali: 30.
    Chiavi Registro rimosse: 0.
    Virus Rimossi: 0.

    [SCANSIONE DELLA MEMORIA]
    OK
    --------------------------------------------------------
    08/11/2006 - 01:43:09

    [SCANSIONE DEL REGISTRO]
    {f250d521-225d-4d6b-8829-e064f944e180} Infetto da BHO.Agent.BM

    [C:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK

    C:\WINDOWS\SYSTEM\msorcljv.cnt Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\studg.ini Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\ypaa.dll Infetto da BHO.Agent.BM
    C:\WINDOWS\SYSTEM\sqlsrdui.txt Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\cp_125z.nls Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\msorclgv.cnt Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\vgafuls.3gr Infetto da Trojan.Win32.RootKit.N
    C:\WINDOWS\SYSTEM\tbm53df.tmp Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\licensk.txt Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\stdole3l.tlb Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\stdole3u.tlb Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\384217362.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\46241234110.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\1799736160.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\5241.TMP Infetto da BHO.Agent.BM
    C:\WINDOWS\hostb.sam Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\163126122171.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\820175.exe Infetto da Trojan.Win32.Small.NE
    C:\Programmi\File comuni\SERVICES\wdshFQm.exe Infetto da Trojan.Win32.Agent.AHW
    C:\Programmi\File comuni\{07E21228-0000-1040--0027}\Update.exe Infetto da Trojan.Win32.Agent.AIB

    Chiavi Registro infette: 1.
    Files Infetti: 20.
    Files Sospetti: 0.
    Files Analizzati: 26815.
    Files Totali: 26815.
    Chiavi Registro rimosse: 0.
    Virus Rimossi: 0.


    Thanks to everyone who can lend me a hand.

  5. #5
    Wow, this really is a nasty one.... :master:
    So let's do this: arm yourself with a lot of patience and Unlocker, and from Safe Mode track down all the files it reports as infected and delete them, unlocking them with Unlocker, and then we'll continue.

  6. #6
    ...let's hope for the best!!!
    Thanks to Spybot - Search & Destroy, Kaspersky and various others I managed to get IE working again; it was no longer loading pages!!! This is the new VirIT file:

    09/11/2006 - 13:40:18

    [SCANSIONE DEL REGISTRO]
    {f250d521-225d-4d6b-8829-e064f944e180} Infetto da BHO.Agent.BM

    [C:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK

    C:\WINDOWS\SYSTEM\ypaa.dll Infetto da BHO.Agent.BM
    C:\WINDOWS\SYSTEM\licensk.txt Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\stdole3l.tlb Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\SYSTEM\stdole3u.tlb Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\hostb.sam Infetto da Trojan.Win32.RootKit.P
    C:\WINDOWS\163126122171.exe Infetto da Trojan.Win32.Small.NE
    C:\WINDOWS\820175.exe Infetto da Trojan.Win32.Small.NE
    C:\Programmi\File comuni\SERVICES\wdshFQm.exe Infetto da Trojan.Win32.Agent.AHW
    C:\Programmi\File comuni\{07E21228-0000-1040--0027}\Update.exe Infetto da Trojan.Win32.Agent.AIB
    C:\!KillBox\5241.TMP Infetto da BHO.Agent.BM
    C:\!KillBox\tbm53df.tmp Infetto da Trojan.Win32.RootKit.P

    Chiavi Registro infette: 1.
    Files Infetti: 11.
    Files Sospetti: 0.
    Files Analizzati: 21546.
    Files Totali: 21546.
    Chiavi Registro rimosse: 0.
    Virus Rimossi: 0.

    But from Safe Mode, the files listed above, manually as well or with KillBox??
    Bye and thanks.

  7. #7
    Manually if you can, otherwise with KillBox. Once they are deleted, in CCleaner go to Options -> Advanced and untick "Only delete files in Windows Temp older than 48 hours", clean out the temporary files and the registry keys, then reboot and we'll see what is left.

  8. #8
    Hi Aris73, first of all I want to thank you again for your help and your willingness... I think the bulk of it is solved; in fact I got rid of some of the junk I had inside my PC and now it seems to be working fine!!! ...although I still notice a few anomalies, such as a folder named "Links" that keeps being recreated among my favorites even when I delete it (...but could the antivirus be creating it?? at the moment I have NOD32 installed!!) :master: or sometimes it also happens that when I shut down the PC without first dropping the internet connection I get a message warning me that 1 or more users are connected to the PC and that shutting it down will disconnect them :master: or some programs such as XoftSpy that I cannot install because it tells me they are already installed even though they are not there!!! :master:

    ....VirIT no longer detects any infection, while this is the Logfile of HijackThis v1.99.1
    Scan saved at 11.57.20, on 15/11/06
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAMMI\ESET\NOD32KRN.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\VEXPLITE\MONLITE.EXE
    C:\PROGRAMMI\UNLOCKER\UNLOCKERASSISTANT.EXE
    C:\PROGRAMMI\ESET\NOD32KUI.EXE
    C:\PROGRAMMI\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAMMI\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\PROGRAMMI\UNLOCKER\UNLOCKERASSISTANT.EXE"
    O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Programmi\Eset\nod32krn.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAMMI\MSN MESSENGER\MSNMSGR.EXE" /background
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...bscan_ansi.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

    Bye and a thousand thanks again!! Ciccio

  9. #9
    ...I still haven't understood which HijackThis log is supposed to be posted!! Whether the one above or this complete one!!!

    StartupList report, 15/11/06, 12.19.16
    StartupList version: 1.52.2
    Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAMMI\ESET\NOD32KRN.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\VEXPLITE\MONLITE.EXE
    C:\PROGRAMMI\UNLOCKER\UNLOCKERASSISTANT.EXE
    C:\PROGRAMMI\ESET\NOD32KUI.EXE
    C:\PROGRAMMI\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    EnsoniqMixer = starter.exe
    VIRIT LITE MONITOR = C:\VEXPLITE\MONLITE.EXE
    UnlockerAssistant = "C:\PROGRAMMI\UNLOCKER\UNLOCKERASSISTANT.EXE"
    nod32kui = "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    NOD32kernel = "C:\Programmi\Eset\nod32krn.exe"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    msnmsgr = "C:\PROGRAMMI\MSN MESSENGER\MSNMSGR.EXE" /background

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    [Setup]
    Registrando Panda ActiveX = C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\ActiveScan\as.dll
    Registrando Panda Almacen = C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\ActiveScan\pavpz.dll
    Registering ActiveScan controles = C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\ActiveScan\ascontrol.dll
    Désinstallation de DivX MPEG-4 Codec... = C:\WINDOWS\SYSTEM\regsvr32.exe /s /u C:\WINDOWS\SYSTEM\DivX_c32.ax

    [ApprovedByRegRun2]
    *No values found*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = C:\WINDOWS\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

    [MmoptPreferredAudioDevices] *
    StubPath = rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_046D&PID_0850&MI_01\1USB&VID_046D&PID_0850&INST_0

    [PerUser_LinkBar_URLs] *
    StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

    [BatchSetupx] *
    StubPath = C:\progra~1\intern~1\connec~1\icwconn1 /restoredesktop

    [>Batchwu] *
    StubPath = wupdmgr.exe -shortcut

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 14/11/2006, 0:3:16)

    [Rename]
    NUL=C:\WINDOWS\DRMTEMP2.HTM
    NUL=C:\WINDOWS\DRMTEMP1.HTM

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
    mode con codepage select=850
    keyb it,,C:\WINDOWS\COMMAND\keyboard.sys

    --------------------------------------------------

    C:\CONFIG.SYS listing:

    DEVICE=C:\WINDOWS\HIMEM.SYS
    DEVICE=C:\WINDOWS\EMM386.EXE
    device=C:\WINDOWS\COMMAND\display.sys con=(ega,,1)
    Country=039,850,C:\WINDOWS\COMMAND\country.sys

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Avvio ottimizzazione applicazione.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.co...471.2597106481

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH8B.OCX
    CODEBASE = http://fpdownload.macromedia.com/get...nt/swflash.cab

    [{41564D57-9980-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/downlo...1F/wmvadvd.cab

    [CKAVWebScan Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\KASPERSKY LAB\KASPERSKY ONLINE SCANNER\KAVWEBSCAN.DLL
    CODEBASE = http://www.kaspersky.com/kos/eng/par...bscan_ansi.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\ASINST.DLL
    CODEBASE = http://acs.pandasoftware.com/actives...ree/asinst.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    {07E21228-0000-1040--0027} = "C:\Programmi\File comuni\{07E21228-0000-1040--0027}\Update.exe" te-110-12-0000073

    --------------------------------------------------

    End of report, 7.634 bytes
    Report generated in 0,800 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Bye and thanks again. Ciccio

  10. #10
    This is the procedure you need to follow for the log: put the program in a dedicated folder in c:\programmi\Hijackthis
    launch it and click the "Do a system scan and save a log file" button.
    You will get a text file that you will need to post.
