www.MegaLab.it

[tyons]

un mio amico ha virtumonde e anche se lo elimina ritorna dopo che ha riavviato il computer. possiamo fare un log e ci potete dire che codice mettere per avenger? grazie. dopo questo messaggio risponderà lui.

p.s. ha anche tanti altri virus.....

[stevens]

ciao

posta un log di hijackthis avendo cura di mettere HIJACKTHIS in una cartella a lui dedicata (in Programmi o Documenti)

lancia il programma cliccando l’eseguibile e avvia la scansione, scegliendo la voce "Do a system scan and save a logfile"

Posta il log che ti rilascia

[tyons]

asd lo sapevo, ce l'ho già. adesso lo faccio.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.31.46, on 14/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Launch Manager\LaunchAp.exe
C:\Programmi\Launch Manager\HotkeyApp.exe
C:\Programmi\Launch Manager\OSDCtrl.exe
C:\Programmi\Launch Manager\Wbutton.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Programmi\Acer\OrbiCam\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\system32\lvcomsx.exe
C:\Program Files\Libero\Adsl\dslstat.exe
C:\Program Files\Libero\Adsl\dslagent.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Ares\Ares.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Programmi\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\USER\Documenti\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Programmi\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Programmi\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Programmi\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Programmi\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Programmi\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Programmi\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Programmi\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Programmi\Acer\OrbiCam\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Programmi\Acer\OrbiCam\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Libero\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Libero\Adsl\dslagent.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [063aeda7] rundll32.exe "C:\WINDOWS\system32\mprtgshu.dll",b
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\USER\IMPOST~1\Temp\IXP001.TMP\"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Insider] C:\Programmi\Insider\Insider.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Programmi\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Ritaglio schermata e avvio di OneNote 2007.lnk = C:\Programmi\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3280063437
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwa ... wflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A693E6F-1869-4E1A-89D9-7CDE42255545}: NameServer = 193.70.152.15 193.70.152.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A693E6F-1869-4E1A-89D9-7CDE42255545}: NameServer = 193.70.152.15 193.70.152.25
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ruyfrx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Programmi\Ares\chatServer.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programmi\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 9870 bytes

modifica: abbiamo deciso che rispondo sempre io.

[ste_95]

Segui le istruzioni di questa guida.

[tyons]

mi sa che l'avevamo già seguita, ma forse non abbiamo provato tutti i programmi. appena avremo tempo la seguiremo alla lettera e poi vi diremo com'è andata...

tra l'altro volevo chiedervi se virtumonde visualizza dei messaggi dicendo di scaricare un antivirus e poi apre autmaticamente una pagina web con un falso antivirus da scaricare. nella guida non c'è scritto che lo fa, ma oggi ci è successo. chissà quanti virus ha...

[ste_95]

Scarica ComboFix ed esegui una scansione, le istruzioni le trovi in fondo a questo articolo.

[tyons]

ce l'ho già, asd. non andava bene il log di hijackthis?

comunque passerà un po' di tempo prima che lo facciamo perché lui non ha mai voglia di stare sul computer per risolvere i problemi, preferisce darlo al "tecnico" che come minimo glielo formatta. e poi non sono spesso a casa sua. però potrei farglielo connettendomi da remoto, o come si dice...

[ste_95]

ce l'ho già, asd. non andava bene il log di hijackthis?

Combofix l'hai già usato?

comunque passerà un po' di tempo prima che lo facciamo perché lui non ha mai voglia di stare sul computer per risolvere i problemi, preferisce darlo al "tecnico" che come minimo glielo formatta. e poi non sono spesso a casa sua. però potrei farglielo connettendomi da remoto, o come si dice...

Controllo remoto del PC con TeamViewer

[tyons]

il computer è suo, non mio. comunque in questi 2 giorni non abbiamo tempo per fare quella roba lì. per fare il coso remoto non si può usare anche messenger?

[ste_95]

il computer è suo, non mio. comunque in questi 2 giorni non abbiamo tempo per fare quella roba lì. per fare il coso remoto non si può usare anche messenger?

Non l'ho mai usato, ma non penso possa competere con software di supporto remoto specializzati.

[tyons]

ieri abbiamo usato combofix e ha cancellato un sacco di file infetti con nomi a caso, come quelli che crea virtumonde. in questi giorni posterò il log, poi ditemi se è tutto a posto...

[tyons]

ecco finalmente il log di combofix. credo che avesse anche conficker, ma non ne sono sicuro...

ComboFix 09-03-29.04 - USER 2009-04-05 17.26.14.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1014.480 [GMT 2:00]
Eseguito da: c:\documents and settings\USER\Desktop\ComboFix.exe
AV: Sistema Antivirus NOD32 2.70 *On-access scanning enabled* (Updated)
* Creato nuovo punto di ripristino
* Resident AV is active


ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.
I seguenti file sono stati disabilitati durante la scansione:
c:\programmi\Enigma Software Group\SpyHunter\SpyHunterMonitor.dll
c:\programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll


((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\USER\Dati applicazioni\SSTEM~1
c:\documents and settings\USER\Dati applicazioni\STEM32~1
c:\documents and settings\USER\Dati applicazioni\WinTouch
c:\documents and settings\USER\Dati applicazioni\WinTouch\wintouch.cfg
c:\documents and settings\USER\Dati applicazioni\WinTouch\WTUninstaller.exe
c:\documents and settings\USER\Impostazioni locali\Temporary Internet Files\Content.Word
c:\documents and settings\USER\Menu Avvio\Programmi\Videos.url
c:\documents and settings\USER\new.txt
c:\documents and settings\USER\Preferiti\Videos.url
c:\programmi\mantec~1
c:\programmi\outerinfo
c:\programmi\outerinfo\OiUninstaller.exe
c:\programmi\outerinfo\Thumbs.db
c:\programmi\Temporary
c:\programmi\WinAble
c:\programmi\WinAble\winable.exe.lzma
c:\programmi\Words
c:\programmi\Words\list.txt
c:\programmi\Words\script.txt
c:\windows\ecurit~1
c:\windows\IE4 Error Log.txt
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\AHQsAJlm.ini
c:\windows\system32\AHQsAJlm.ini2
c:\windows\system32\aksngfvx.dll
c:\windows\system32\auygdhud.dll
c:\windows\system32\awysiuku.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\duhbewvr.dll
c:\windows\system32\ejmbqf.dll
c:\windows\system32\emztcs.dll
c:\windows\system32\gwqwve.dll
c:\windows\system32\gxayjlen.dll
c:\windows\system32\hbjszj.dll
c:\windows\system32\hftnodkm.dll
c:\windows\system32\idxvomwf.dll
c:\windows\system32\jqhvekkd.ini
c:\windows\system32\jqhvekkd.ini2
c:\windows\system32\jzorku.dll
c:\windows\system32\kqocqefc.dll
c:\windows\system32\kubzes.dll
c:\windows\system32\kvmaaeep.dll
c:\windows\system32\kvwvtz.dll
c:\windows\system32\kyxqal.dll
c:\windows\system32\lghdmlil.dll
c:\windows\system32\mantec~1
c:\windows\system32\mcrh.tmp
c:\windows\system32\niuoqwxe.dll
c:\windows\system32\ntkgfq.dll
c:\windows\system32\ofskdd.dll
c:\windows\system32\orgutjjy.dll
c:\windows\system32\othncwfr.dll
c:\windows\system32\otubsr.dll
c:\windows\system32\ougwatlj.dll
c:\windows\system32\packet.dll
c:\windows\system32\pafqcl.dll
c:\windows\system32\pdxpnvhs.dll
c:\windows\system32\pkfgatkd.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\pwpuer.dll
c:\windows\system32\qaghao.dll
c:\windows\system32\rtguthxl.dll
c:\windows\system32\rvpeji.dll
c:\windows\system32\scmyjz.dll
c:\windows\system32\sks~1
c:\windows\system32\sks~1\??sks\
c:\windows\system32\ssqNGxVP.dll
c:\windows\system32\tdomwqtk.dll
c:\windows\system32\tkjkkqtm.dll
c:\windows\system32\towkkrbp.dll
c:\windows\system32\ujdgcn.dll
c:\windows\system32\visrvpsp.dll
c:\windows\system32\vxjujb.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wemnepfr.dll
c:\windows\system32\wnscpsv.exe
c:\windows\system32\wpcap.dll
c:\windows\system32\wyodsvtv.dll
c:\windows\system32\xabtvfxu.dll
c:\windows\system32\xedqwhyy.dll
c:\windows\system32\xexiudyu.dll
c:\windows\system32\xhtvtx.dll
c:\windows\system32\xximpu.dll
c:\windows\system32\ywpdkx.dll
c:\windows\system32\zpznht.dll
c:\windows\Temp\log.txt
F:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Creati Da 2009-03-05 al 2009-04-05 )))))))))))))))))))))))))))))))))))
.

2009-04-04 20:06 . 2009-04-04 20:06 <DIR> d-------- c:\programmi\Enigma Software Group
2009-04-01 16:00 . 2009-04-01 16:00 61,440 --a------ c:\windows\system32\vqhxmlwk.exe
2009-03-28 21:43 . 2009-03-28 21:43 <DIR> d-------- C:\Com-bo-Fix
2009-03-28 21:31 . 2003-06-02 14:28 40,060 -ra------ c:\windows\system32\drivers\ulink.sys
2009-03-28 21:23 . 2003-06-03 01:07 57,516 -ra------ c:\windows\system32\drivers\VNic.sys
2009-03-28 21:23 . 2003-05-21 05:06 5,358 -ra------ c:\windows\system32\drivers\M5633.bin
2009-03-14 16:33 . 2009-03-14 16:33 1,903,447 ---hs---- c:\windows\system32\uhsgtrpm.ini
2009-03-13 16:31 . 2009-03-13 16:54 1,903,447 ---hs---- c:\windows\system32\eflncjbd.ini
2009-03-13 16:28 . 2009-03-13 16:28 1,804,409 ---hs---- c:\windows\system32\osdbbgih.ini
2009-03-11 21:37 . 2009-03-11 21:58 1,804,409 ---hs---- c:\windows\system32\avdmoqeb.ini
2009-03-11 13:26 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2009-03-11 13:20 . 2009-03-11 13:20 <DIR> d-------- c:\programmi\Microsoft Works
2009-03-11 13:18 . 2009-03-11 13:18 <DIR> d-------- c:\programmi\Microsoft.NET
2009-03-11 13:10 . 2009-03-11 13:10 <DIR> d-------- c:\programmi\Microsoft Visual Studio 8
2009-03-11 13:09 . 2009-03-11 13:09 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2009-03-11 13:04 . 2009-03-11 13:04 <DIR> dr-h----- C:\MSOCache
2009-03-10 12:33 . 2009-03-10 12:33 <DIR> d-------- C:\VundoFix Backups
2009-03-08 19:21 . 2009-03-08 19:21 <DIR> d--hs---- C:\FOUND.016
2009-03-08 15:54 . 2009-03-08 16:17 1,828,762 ---hs---- c:\windows\system32\mbeslgiy.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 14:15 72,704 ----a-w c:\windows\system32\axebdmby.dll
2009-02-22 12:24 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\SSScanAppDataDir
2009-02-22 12:23 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\MSScanAppDataDir
2009-02-22 12:22 72,704 ----a-w c:\windows\system32\pbcrrwpn.dll
2009-02-19 20:06 72,704 ----a-w c:\windows\system32\dkkevhqj.dll
2008-10-23 13:27 32 ----a-w c:\documents and settings\All Users\Dati applicazioni\ezsid.dat
2008-03-08 18:19 12,580,696 ----a-w c:\programmi\mm20enu.exe
2007-09-20 19:00 3,893,760 ----a-w c:\programmi\TIpp.dll
2007-09-20 19:00 1,478,144 ----a-w c:\programmi\TRes.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-09-07 15360]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 1460560]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ares"="c:\programmi\Ares\Ares.exe" [2008-02-20 963072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\programmi\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"AzMixerSel"="c:\programmi\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"ntiMUI"="c:\programmi\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"LaunchAp"="c:\programmi\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"LManager"="c:\programmi\Launch Manager\HotkeyApp.exe" [2006-04-19 69632]
"CtrlVol"="c:\programmi\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\programmi\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\programmi\Launch Manager\Wbutton.exe" [2006-04-20 86016]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-03-30 421888]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 204800]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 401408]
"LogitechCameraAssistant"="c:\programmi\Acer\OrbiCam\CameraAssistant.exe" [2006-06-26 331776]
"LogitechVideo[inspector]"="c:\programmi\Acer\OrbiCam\InstallHelper.exe" [2006-06-26 15:55 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"ImageItEncrypt"="c:\windows\system32\ImageItEncrypt.exe" [2005-12-30 40960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"DSLSTATEXE"="c:\program files\Libero\Adsl\dslstat.exe" [2004-11-29 299008]
"DSLAGENTEXE"="c:\program files\Libero\Adsl\dslagent.exe" [2004-11-29 16384]
"nod32kui"="c:\programmi\Eset\nod32kui.exe" [2007-09-27 949376]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SpyHunter Security Suite"="c:\programmi\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-01-13 864256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"="c:\windows\system32\advpack.dll" [2008-06-23 124928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-07 15360]

c:\documents and settings\USER\Menu Avvio\Programmi\Esecuzione automatica\
Ritaglio schermata e avvio di OneNote 2007.lnk - c:\programmi\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2007-01-29 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ruyfrx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\Ares\\Ares.exe"=
"c:\\Programmi\\WORMS\\KIDS\\WA.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programmi\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 Hotkey;Hotkey;c:\windows\system32\drivers\HOTKEY.sys [2007-01-29 9867]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-09-27 15424]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2007-01-29 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2007-01-29 78208]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-09-25 1097728]
S1 mailKmd;mailKmd; [x]
S1 Wbutton;Wbutton;c:\windows\system32\drivers\Wbutton.sys c:\windows\system32\drivers\Wbutton.sys
S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2009-03-28 40060]
S3 VNic;ULan Network Driver Module;c:\windows\system32\drivers\VNic.sys [2009-03-28 57516]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - UBHELPER
*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{575bfa50-7a45-11dc-b9e0-003054300101}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9672cbe-28b8-11dc-b934-001302e34e94}]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

BHO-{0D2C8F78-39E4-41A0-8F87-A43DBE1CAE8F} - (no file)
BHO-{122E652A-465B-40DE-B7BC-1A7393995E53} - (no file)
BHO-{2D852049-E0C8-45FF-ACF2-D30825212417} - (no file)
BHO-{3CF24DB8-889D-4E7B-BFE8-E03ED5923B9D} - (no file)
BHO-{3D4B7D4B-1A6A-4AAE-BBC4-AD51B92DF47F} - (no file)
BHO-{45352825-0476-4FB4-9E7D-64A07FDBD529} - (no file)
BHO-{455C178E-55EE-408C-B3E6-C7C06BA5F578} - (no file)
BHO-{51C2E859-46D7-44B7-962A-5730C787278F} - (no file)
BHO-{5A84659C-2DFF-4BD8-B5A1-50F6EA2F8786} - (no file)
BHO-{7325f4d2-8415-4c87-9115-df1b59320dbc} - c:\windows\system32\vxjujb.dll
BHO-{80415E9E-875F-4DC8-B1E1-E165F11E2556} - (no file)
BHO-{8443DFF1-1389-476F-9BC2-95B7FF631055} - c:\windows\system32\ssqNGxVP.dll
BHO-{8ABC9B81-C723-4944-A351-1CDA88C21943} - (no file)
BHO-{8CEC61E5-A18A-4154-B941-D0A272E19183} - (no file)
BHO-{8ED58E3E-E543-4096-B1D4-BEB86218F425} - (no file)
BHO-{9163EE2A-E7BB-4428-9D87-30FBA21FF55C} - (no file)
BHO-{97E8FD7A-65B5-5845-EC28-3D761C4905CA} - c:\windows\system32\tnqqol.dll
BHO-{9BA4889C-2C87-4D37-96B5-F42B6A6083A5} - (no file)
BHO-{9ec4f417-447b-4e54-8f38-c92a46ade4cb} - (no file)
BHO-{A80AE170-0300-4952-BCD6-AF05792CDC77} - (no file)
BHO-{A84374C9-BFA6-4270-B682-7A44289B9BFD} - (no file)
BHO-{A98A6B84-C49E-4AC2-9768-1481E0FCA3C8} - (no file)
BHO-{AFBBA26F-1CC0-436D-9D55-52A9D77D2F8F} - (no file)
BHO-{BFF7D6D1-D800-498A-9522-C280217B6463} - (no file)
BHO-{D339C6F0-FD51-42C8-B814-CE827B59C625} - (no file)
BHO-{E7A99B9B-4CF1-42ED-B91D-E4EC2394E67F} - c:\windows\system32\mlJAsQHA.dll
BHO-{E9669546-266B-429E-B405-4C0DB34DE3A6} - (no file)
BHO-{FC83F941-C6EA-4DE8-BE21-3384FE7AAF51} - (no file)
HKLM-Run-kxkbplla - C:\kqyofblo.bat
ShellExecuteHooks-{49443ea8-1ae1-45b2-91e9-5ff9d1a70b48} - c:\windows\system32\vxjujb.dll
Notify-rqRLEwXr - (no file)
Notify-WgaLogon - (no file)


.
------- Scansione supplementare -------
.
uStart Page =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {1A693E6F-1869-4E1A-89D9-7CDE42255545} = 193.70.152.15 193.70.152.25
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 17:33:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"0140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'lsass.exe'(900)
c:\windows\system32\imon.dll
c:\programmi\Eset\pr_imon.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\programmi\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\programmi\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\programmi\FILE COMUNI\LOGITECH\LVMVFM\LVPRCSRV.EXE
c:\acer\EMPOWERING TECHNOLOGY\EPERFORMANCE\MEMCHECK.EXE
c:\windows\EHOME\EHRECVR.EXE
c:\windows\EHOME\EHSCHED.EXE
c:\programmi\FILE COMUNI\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\programmi\ESET\NOD32KRN.EXE
c:\programmi\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\windows\EHOME\MCRDSVC.EXE
c:\windows\SYSTEM32\WBEM\WMIAPSRV.EXE
c:\windows\SYSTEM32\DLLHOST.EXE
c:\windows\SYSTEM32\LVCOMSX.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Ora fine scansione: 2009-04-05 17:37:16 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-04-05 15:37:14

Pre-Run: 37.411.323.904 byte disponibili
Post-Run: 37,544,198,144 byte disponibili

302 --- E O F --- 2008-10-17 19:55:27

[ste_95]

C'è ancora qualche cosa che è rimasta.

Scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Ora incolla queste righe nella box bianca che si è aperta:

Codice: Seleziona tutto

Files to delete:
c:\windows\system32\uhsgtrpm.ini
c:\windows\system32\eflncjbd.ini
c:\windows\system32\osdbbgih.ini
c:\windows\system32\avdmoqeb.ini
c:\windows\system32\axebdmby.dll
c:\windows\system32\pbcrrwpn.dll
c:\windows\system32\dkkevhqj.dll

Togli il segno di spunta dalla voce Scan for Rootkits
Premi il pulsante Execute
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.

Se Avenger riporta un errore, prova a riscrivere manualmente la prima riga (Files to delete:) ricordando i due punti.

[Amantide]

Ste, ti è scappato qualche file.. Lo script completo per Avenger dovrebbe essere così:

Codice: Seleziona tutto

Files to delete:
c:\windows\system32\uhsgtrpm.ini
c:\windows\system32\eflncjbd.ini
c:\windows\system32\osdbbgih.ini
c:\windows\system32\avdmoqeb.ini
c:\windows\system32\axebdmby.dll
c:\windows\system32\pbcrrwpn.dll
c:\windows\system32\dkkevhqj.dll
c:\windows\system32\vqhxmlwk.exe
c:\windows\system32\mbeslgiy.ini
c:\windows\system32\ruyfrx.dll

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

[tyons]

grazie, sono sicuro che dopo sarà tutto a posto.

modifica: ecco il log di avenger

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\windows\system32\uhsgtrpm.ini" not found!
Deletion of file "c:\windows\system32\uhsgtrpm.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist


Error: file "c:\windows\system32\eflncjbd.ini" not found!
Deletion of file "c:\windows\system32\eflncjbd.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist


Error: file "c:\windows\system32\osdbbgih.ini" not found!
Deletion of file "c:\windows\system32\osdbbgih.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist


Error: file "c:\windows\system32\avdmoqeb.ini" not found!
Deletion of file "c:\windows\system32\avdmoqeb.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist

File "c:\windows\system32\axebdmby.dll" deleted successfully.
File "c:\windows\system32\pbcrrwpn.dll" deleted successfully.
File "c:\windows\system32\dkkevhqj.dll" deleted successfully.

Error: file "c:\windows\system32\vqhxmlwk.exe" not found!
Deletion of file "c:\windows\system32\vqhxmlwk.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist


Error: file "c:\windows\system32\mbeslgiy.ini" not found!
Deletion of file "c:\windows\system32\mbeslgiy.ini" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist


Error: file "c:\windows\system32\ruyfrx.dll" not found!
Deletion of file "c:\windows\system32\ruyfrx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist

Registry value "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs" replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

[tyons]

ehm ho modificato il messaggio ma credo che così non abbia aggiornato la data del post e non avete letto la modifica. ho messo il log di avenger. è tutto a posto?

[crazy.cat]

Qualcosa è stato rimosso e qualcosa non è stato trovato.
come va il tuo pc adesso?

[tyons]

non è il mio ma di un mio amico, comunque ora gli va tutto bene.