www.MegaLab.it

[fuoripiove]

Avast mi ha rilevato il virus win32:Obfuscated che è risultato particolarmente difficile da eliminare. Ho seguito la vostra guida per la rimozione di linkoptimizer!
Con programma myunist non ho trovato niente di sospetto da disistallare.
Per il resto ho usato Virit senza problemi.
Vorrei sapere a che punto sono. Non ho usato avenger perché non so che script usare.
Adesso posto i log autostart di gmer e quello di hijackThis.
Grazie x l'aiuto

POST HIJACK:
Logfile of HijackThis v1.99.1
Scan saved at 20.59.34, on 15/08/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
E:\Programmi\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\svchost.exe
E:\Programmi\HP\HP Software Update\HPWuSchd2.exe
E:\WINDOWS\System32\RunDll32.exe
E:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Programmi\File comuni\Real\Update_OB\realsched.exe
E:\Programmi\Java\jre1.5.0_11\bin\jusched.exe
E:\Programmi\Messenger\msmsgs.exe
E:\Programmi\MSN Messenger\msnmsgr.exe
E:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
E:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
E:\Programmi\Alwil Software\Avast4\ashWebSv.exe
E:\WINDOWS\System32\HPZipm12.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Programmi\Java\jre1.5.0_11\bin\jucheck.exe
E:\VEXPLITE\viritsvc.exe
E:\Programmi\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Giulia Tovani\Desktop\Kit Rimozione\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Class - {AC37A624-BEE5-88EF-2776-4DFE74AEB9CC} - E:\WINDOWS\xprrv1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Software Update] "E:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] E:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CloneCDTray] "E:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "E:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programmi\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] E:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [MSMSGS] "E:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "E:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = E:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://lamejo-91.spaces.live.com/PhotoU ... nPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02F471E-2DB3-4EFA-99F9-89A586C3C503}: NameServer = 212.216.172.62,212.216.172.162
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\
O20 - Winlogon Notify: winzsr32 - winzsr32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - E:\VEXPLITE\viritsvc.exe
O23 - Service: WebGpu - Unknown owner - E:\Programmi\File comuni\System\bTF.exe (file missing)

POST AUTOSTART GMER:
MER 1.0.13.12551 - http://www.gmer.net
Autostart scan 2007-08-15 20:53:18
Windows 5.1.2600


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = E:\WINDOWS\System32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
winzsr32@DLLName = winzsr32.dll /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "E:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
Ati HotKey Poller@ = %SystemRoot%\System32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = E:\WINDOWS\system32\ati2sgag.exe
avast! Antivirus /*avast! Antivirus*/@ = "E:\Programmi\Alwil Software\Avast4\ashServ.exe"
Pml Driver HPZ12 /*Pml Driver HPZ12*/@ = E:\WINDOWS\System32\HPZipm12.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = E:\WINDOWS\System32\wdfmgr.exe
viritsvclite /*Virit eXplorer Lite*/@ = E:\VEXPLITE\viritsvc.exe
WebGpu /*WebGpu*/@ = "E:\Programmi\File comuni\System\bTF.exe" /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@HP Software Update"E:\Programmi\HP\HP Software Update\HPWuSchd2.exe" = "E:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
@CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd
@ATIPTAE:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe = E:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
@NeroFilterCheckE:\WINDOWS\system32\NeroCheck.exe = E:\WINDOWS\system32\NeroCheck.exe
@avast!E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@CloneCDTray"E:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s = "E:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
@TkBellExe"E:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "E:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@SunJavaUpdateSched"E:\Programmi\Java\jre1.5.0_11\bin\jusched.exe" = "E:\Programmi\Java\jre1.5.0_11\bin\jusched.exe"
@VIRIT LITE MONITORE:\VEXPLITE\MONLITE.EXE = E:\VEXPLITE\MONLITE.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSMSGS"E:\Programmi\Messenger\msmsgs.exe" /background = "E:\Programmi\Messenger\msmsgs.exe" /background
@msnmsgr"E:\Programmi\MSN Messenger\msnmsgr.exe" /background = "E:\Programmi\MSN Messenger\msnmsgr.exe" /background

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/E:\Programmi\WinRAR\rarext.dll = E:\Programmi\WinRAR\rarext.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/E:\Programmi\Alwil Software\Avast4\ashShell.dll = E:\Programmi\Alwil Software\Avast4\ashShell.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/E:\Programmi\Real\RealPlayer\rpshell.dll = E:\Programmi\Real\RealPlayer\rpshell.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/(null) =
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/E:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll = E:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = E:\Programmi\Alwil Software\Avast4\ashShell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = E:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = E:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = E:\Programmi\Alwil Software\Avast4\ashShell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = E:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}E:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = E:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}E:\Programmi\Java\jre1.5.0_11\bin\ssv.dll = E:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
@{AC37A624-BEE5-88EF-2776-4DFE74AEB9CC}E:\WINDOWS\xprrv1.dll /*file not found*/ = E:\WINDOWS\xprrv1.dll /*file not found*/

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = E:\WINDOWS\System32\ssmyst.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLabout:blank = about:blank
@Start Pageabout:blank = about:blank
@Local Pageabout:blank = about:blank

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLabout:blank = about:blank
@Start Pageabout:blank = about:blank
@Local Pageabout:blank = about:blank

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = E:\WINDOWS\System32\msvidctl.dll
its@CLSID = E:\WINDOWS\System32\itss.dll
lid@CLSID = E:\WINDOWS\System32\msvidctl.dll
livecall@CLSID = E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = E:\WINDOWS\System32\itss.dll
msnim@CLSID = E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
tv@CLSID = E:\WINDOWS\System32\msvidctl.dll
vnd.ms.radio@CLSID = E:\WINDOWS\System32\msdxm.ocx
wia@CLSID = E:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B02F471E-2DB3-4EFA-99F9-89A586C3C503} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.1.2 = 192.168.1.2
@NameServer212.216.172.62,212.216.172.162 = 212.216.172.62,212.216.172.162
@DefaultGateway192.168.1.254 = 192.168.1.254
@Domain =

E:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio rapido di HP Image Zone.lnk = Avvio rapido di HP Image Zone.lnk
HP Digital Imaging Monitor.lnk = HP Digital Imaging Monitor.lnk

---- EOF - GMER 1.0.13 ----

grazie ancora

[crazy.cat]

Per il win32:Obfuscated devi seguire questa guida e postare il log di
Findawf.
http://www.MegaLab.it/2684/2

Poi si vedono dei resti di linkoptimizer, virit è riuscito a rimuoverlo?

rifai la scansione con hijackthis, selezioni le caselle di queste righe e premi fix cheked per eliminarle.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Class - {AC37A624-BEE5-88EF-2776-4DFE74AEB9CC} - E:\WINDOWS\xprrv1.dll (file missing)
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\
O20 - Winlogon Notify: winzsr32 - winzsr32.dll (file missing)

Svuota questa cartella da tutti i file exe che ci sono dentro, usa il tools della nod che trovi nell'articolo per cancellare i file che ti danno problemi.
Per cancellare il servizio fasullo segui le istruzioni dell'articolo
http://www.MegaLab.it/2578

O23 - Service: WebGpu - Unknown owner - E:\Programmi\File comuni\System\bTF.exe (file missing)

[fuoripiove]

Grazie mille!
Per rimuovere i virus ho seguito le fasi manuali della guida su questo sito.
Non so bene a che punto sono...credo di dover usdare avenger ma il report di FindAWF è questo, anche se avast mi aveva trovato il virus:


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~


end of report

Spero sia un buon segno...

[crazy.cat]

anche se avast mi aveva trovato il virus:

Dove ti aveva trovato il virus?

Non è obbligatorio usare avenger, segui intanto le istruzioni che ti ho già dato.

[fuoripiove]

Ok ho fatto quallo che hai scritto.
Non mi ricordo dove era posizionato di preciso il virus. mi sembra in windows/system32/com2.vrb ma non sono sicuro!
Ho fatto una scansione con Virit e Avg anty spyweare e non hanno trovato niente.
tutto risolto?