
Probable Bagle


Post by gatun69 » Mon Mar 12, 2007 6:07 pm

I'm a new user of the forum and I'd like to submit my problem to you.
For a few days the antivirus programs haven't started because they can't find the link to the .exe file.
If I connect to the internet, numerous strange pages open.
An online scan reports an infection by Trojan W32 Beagle in C:\WINDOWS\system32\wintems.exe

I think it's a Beagle worm.

I read the article http://www.MegaLab.it/2657 and ran GMER with this result:

GMER 1.0.12.12086 - http://www.gmer.net
Autostart scan 2007-03-12 11:48:48
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
fcyvs@DLLName = C:\WINDOWS\system32\fcyvs.dll
igfxcui@DLLName = igfxsrvc.dll
mljhebc@DLLName = mljhebc.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe /*file not found*/
EvtEng /*EvtEng*/@ = C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
RegSrvc /*RegSrvc*/@ = C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
S24EventMonitor /*Spectrum24 Event Monitor*/@ = C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
VAIO Entertainment File Import Service /*VAIO Entertainment File Import Service*/@ = C:\Programmi\File comuni\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
VCI /*VAIO Cooporated Initialisation*/@ = C:\Programmi\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ApointC:\Programmi\Apoint\Apoint.exe = C:\Programmi\Apoint\Apoint.exe
@HKSERV.EXEC:\Programmi\Sony\HotKey Utility\HKserv.exe = C:\Programmi\Sony\HotKey Utility\HKserv.exe
@VAIO Update 2"C:\Programmi\sony\vaio update 2\VAIOUpdt.exe" /Stationary = "C:\Programmi\sony\vaio update 2\VAIOUpdt.exe" /Stationary
@SonyPowerCfgC:\Programmi\sony\vaio power management\SPMgr.exe = C:\Programmi\sony\vaio power management\SPMgr.exe
@OWS Setup CmdLine"C:\Programmi\File comuni\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" /pkg "Office 2000 Server Extensions" = "C:\Programmi\File comuni\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" /pkg "Office 2000 Server Extensions"
@DispatcherC:\WINDOWS\dispatcher.exe = C:\WINDOWS\dispatcher.exe
@2chkdskrundll32.exe "C:\WINDOWS\system32\epunkght.dll",setvm = rundll32.exe "C:\WINDOWS\system32\epunkght.dll",setvm
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe /*file not found*/ = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe /*file not found*/
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@iTunesHelper"C:\Programmi\iTunes\iTunesHelper.exe" = "C:\Programmi\iTunes\iTunesHelper.exe"
@WinAntiVirusPro2006"C:\Programmi\WinAntiVirus Pro 2006\WinAV.exe" /min = "C:\Programmi\WinAntiVirus Pro 2006\WinAV.exe" /min
@uwa6pcw"C:\Programmi\File comuni\WinAntiVirus Pro 2006\uwa6pcw.exe" -c = "C:\Programmi\File comuni\WinAntiVirus Pro 2006\uwa6pcw.exe" -c
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@drvsyskitC:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe = C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe
@german.exeC:\WINDOWS\system32\wintems.exe = C:\WINDOWS\system32\wintems.exe
@Uniblue Registry BoosterC:\Programmi\Uniblue\Registry Booster\RegistryBooster.exe /S /*file not found*/ = C:\Programmi\Uniblue\Registry Booster\RegistryBooster.exe /S /*file not found*/
@eMuleAutoStartC:\Documents and Settings\andrea\emule\emule.exe -AutoStart /*file not found*/ = C:\Documents and Settings\andrea\emule\emule.exe -AutoStart /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{C47A9554-195A-4769-9B13-04F15B450A39} = C:\WINDOWS\system32\mljhebc.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{ED58A35B-B554-42AF-A26C-6F3D424200D3} /*Sony Power Management Extensiond*/C:\Programmi\sony\vaio power management\SPMPanel.dll = C:\Programmi\sony\vaio power management\SPMPanel.dll
@{DEE12703-6333-4D4E-8F34-738C4DCC2E04} /*RecordNow! SendToExt*/C:\Programmi\Sonic\RecordNow!\shlext.dll = C:\Programmi\Sonic\RecordNow!\shlext.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{259F616C-A300-44F5-B04A-ED001A26C85C} /*SolidConverter extension*/C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll = C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/(null) =
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Programmi\iTunes\iTunesMiniPlayer.dll = C:\Programmi\iTunes\iTunesMiniPlayer.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
ShellExtension@{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E} = C:\Programmi\WinAntiVirus Pro 2006\WAV6COM.dll
SolidConverterPDF@{259F616C-A300-44F5-B04A-ED001A26C85C} = C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ShellExtension@{1AC5C88A-DEA7-462b-A232-04AF5CA42E7E} = C:\Programmi\WinAntiVirus Pro 2006\WAV6COM.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
SolidConverterPDF@{259F616C-A300-44F5-B04A-ED001A26C85C} = C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}C:\Programmi\WinAntiVirus Pro 2006\winpgi.dll = C:\Programmi\WinAntiVirus Pro 2006\winpgi.dll
@{259F616C-A300-44F5-B04A-ED001A26C85C}C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll = C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
@{51019736-A96D-4A34-9E6E-0AB5A38C9285}C:\WINDOWS\system32\winshfic.dll /*file not found*/ = C:\WINDOWS\system32\winshfic.dll /*file not found*/
@{6D81328C-1481-4D70-B2D1-CAF5A72B9505}C:\WINDOWS\system32\fcyvs.dll = C:\WINDOWS\system32\fcyvs.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar3.dll = c:\programmi\google\googletoolbar3.dll
@{B5141620-C2B2-4D95-9F0F-134D99C87AB0}C:\Programmi\WinAntiVirus Pro 2006\IEFWBHO.dll = C:\Programmi\WinAntiVirus Pro 2006\IEFWBHO.dll
@{C47A9554-195A-4769-9B13-04F15B450A39}C:\WINDOWS\system32\mljhebc.dll = C:\WINDOWS\system32\mljhebc.dll
@{D38439EC-4A7F-42b4-90C2-D810D7778FDD}C:\WINDOWS\system32\ioyqjras.dll /*file not found*/ = C:\WINDOWS\system32\ioyqjras.dll /*file not found*/
@{E03C740E-BB24-4d3c-B92A-6F84DE1DD99C}C:\WINDOWS\system32\lyqohory.dll /*file not found*/ = C:\WINDOWS\system32\lyqohory.dll /*file not found*/

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\AVASTSS.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.club-vaio.sony-europe.com/ = http://www.club-vaio.sony-europe.com/
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\INETCOMM.DLL
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll


C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Audio Filter.lnk = Audio Filter.lnk
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.12 ----


What do I do now?

Thanks in advance.
Andrea

Post by Amantide » Mon Mar 12, 2007 7:36 pm

Hi Andrea and welcome [:)]
I'm not pointing you to the Avenger script in the article for the simple reason that besides Bagle you also have other junk. [std]

Run this script with Avenger and post the log with the result here:

Files to delete:
C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\m_hook.sys
C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\fcyvs.dll
C:\WINDOWS\system32\mljhebc.dll
C:\WINDOWS\dispatcher.exe
C:\WINDOWS\system32\epunkght.dl


folders to delete:
C:\Documents and Settings\PAOLA\Dati applicazioni\hidires
C:\WINDOWS\exefld

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fcyvs
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljhebc
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks/{C47A9554-195A-4769-9B13-04F15B450A39}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51019736-A96D-4A34-9E6E-0AB5A38C9285}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D81328C-1481-4D70-B2D1-CAF5A72B9505}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5141620-C2B2-4D95-9F0F-134D99C87AB0}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C47A9554-195A-4769-9B13-04F15B450A39}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D38439EC-4A7F-42b4-90C2-D810D7778FDD}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E03C740E-BB24-4d3c-B92A-6F84DE1DD99C}

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Dispatcher
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | 2chkdsk
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | uwa6pcw


Then download Roguescanfix, install it and start it. At the screen that opens press any key, and at the following menu press 1 and then Enter. Press any key again and, if your firewall asks, allow access to these files: download.exe or run.bat. To continue with the removal the program needs to download a file from the internet.
[note] While the program is running, all icons and the taskbar will be temporarily closed; they will be restored afterwards.
In the window that opens press the Execute button to start the scan; at the end of the scan the Completed script execution window will appear: press Ok, then Exit in the main window. Also close the Notepad windows with the task.txt file that will have opened.

Also download SmitfraudFix and restart the computer in safe mode (you enter it by pressing the F8 key when the PC starts).
Run the file smitfraudfix.cmd and select option #2 - Clean by typing 2 and pressing Enter.
At the question "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y.
After the scan and the cleanup copy the log, which should be in the folder C:\rapport.txt, and post it here.
...to fly high, you have to know how to fall...

Post by gatun69 » Mon Mar 12, 2007 8:52 pm

First of all, thanks for the help.
I followed the instructions to the letter and this is the result:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tablesrs

*******************

Script file located at: \??\C:\ucgrpmxc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\m_hook.sys deleted successfully.
File C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe deleted successfully.
File C:\WINDOWS\system32\wintems.exe deleted successfully.


File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!

Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034

File C:\WINDOWS\dispatcher.exe deleted successfully.
Folder C:\Documents and Settings\PAOLA\Dati applicazioni\hidires deleted successfully.
Folder C:\WINDOWS\exefld deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK deleted successfully.


Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

But then I can't launch SmitfraudFix from safe mode, that is,
I hold down F8, the safe mode screen opens, Enter, and it stops at user Administrator or Andrea....?????
What do I do?


Post by Amantide » Tue Mar 13, 2007 11:31 am

gatun69 wrote: I followed the instructions to the letter and this is the result:

But did you paste the whole script? The one I posted above? Because it seems Avenger didn't see half of the entries at all [boh]

But then I can't launch SmitfraudFix from safe mode, that is,
I hold down F8, the safe mode screen opens, Enter, and it stops at user Administrator or Andrea....?????
What do I do?

If the Andrea account is an account with administrator privileges then it makes no difference which account you choose; pick one and wait for safe mode to load, it could take a few minutes.

Post by gatun69 » Tue Mar 13, 2007 12:49 pm

Sorry, maybe I made a mistake when sending the result

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qfmuxswy

*******************

Script file located at: \??\C:\lwjastou.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\m_hook.sys for deletion
Deletion of file C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\m_hook.sys failed!

Could not process line:
C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\m_hook.sys
Status: 0xc000003a



Could not open file C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe for deletion
Deletion of file C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe failed!

Could not process line:
C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe
Status: 0xc000003a



File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!

Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc0000034



File C:\WINDOWS\system32\hldrrr.exe not found!
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!

Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc0000034



File C:\WINDOWS\system32\fcyvs.dll not found!
Deletion of file C:\WINDOWS\system32\fcyvs.dll failed!

Could not process line:
C:\WINDOWS\system32\fcyvs.dll
Status: 0xc0000034



File C:\WINDOWS\system32\mljhebc.dll not found!
Deletion of file C:\WINDOWS\system32\mljhebc.dll failed!

Could not process line:
C:\WINDOWS\system32\mljhebc.dll
Status: 0xc0000034



File C:\WINDOWS\dispatcher.exe not found!
Deletion of file C:\WINDOWS\dispatcher.exe failed!

Could not process line:
C:\WINDOWS\dispatcher.exe
Status: 0xc0000034



File C:\WINDOWS\system32\epunkght.dl not found!
Deletion of file C:\WINDOWS\system32\epunkght.dl failed!

Could not process line:
C:\WINDOWS\system32\epunkght.dl
Status: 0xc0000034



Folder C:\Documents and Settings\PAOLA\Dati applicazioni\hidires not found!
Deletion of folder C:\Documents and Settings\PAOLA\Dati applicazioni\hidires failed!

Could not process line:
C:\Documents and Settings\PAOLA\Dati applicazioni\hidires
Status: 0xc0000034



Folder C:\WINDOWS\exefld not found!
Deletion of folder C:\WINDOWS\exefld failed!

Could not process line:
C:\WINDOWS\exefld
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK
Status: 0xc0000034



Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fcyvs not found!
Deletion of registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fcyvs failed!
Status: 0xc0000034



Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljhebc not found!
Deletion of registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljhebc failed!
Status: 0xc0000034



Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks/{C47A9554-195A-4769-9B13-04F15B450A39} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks/{C47A9554-195A-4769-9B13-04F15B450A39} failed!
Status: 0xc0000034



Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2178F3FB-2560-458F-BDEE-631E2FE0DFE4} failed!
Status: 0xc0000034



Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51019736-A96D-4A34-9E6E-0AB5A38C9285} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51019736-A96D-4A34-9E6E-0AB5A38C9285} failed!
Status: 0xc0000034



Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D81328C-1481-4D70-B2D1-CAF5A72B9505} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D81328C-1481-4D70-B2D1-CAF5A72B9505} failed!
Status: 0xc0000034



Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5141620-C2B2-4D95-9F0F-134D99C87AB0} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5141620-C2B2-4D95-9F0F-134D99C87AB0} failed!
Status: 0xc0000034



Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C47A9554-195A-4769-9B13-04F15B450A39} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C47A9554-195A-4769-9B13-04F15B450A39} failed!
Status: 0xc0000034



Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D38439EC-4A7F-42b4-90C2-D810D7778FDD} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D38439EC-4A7F-42b4-90C2-D810D7778FDD} failed!
Status: 0xc0000034



Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} failed!
Status: 0xc0000034



Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034



Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|Dispatcher
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|Dispatcher failed!
Status: 0xc0000034



Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|2chkdsk
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|2chkdsk failed!
Status: 0xc0000034



Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|uwa6pcw
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|uwa6pcw failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Check whether it's OK, and this is the result of the:

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"

Post by Amantide » Tue Mar 13, 2007 12:54 pm

Great, the files and entries to delete are no longer on the PC; maybe they were removed by Roguescanfix or SmitfraudFix.
By any chance do you still have the logs of these 2 programs?

Also post the new GMER Autostart log, so we can see whether the PC is clean now.
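The two readings of the Avenger logs made in the replies above (the first run did not see half of the script; in the second run nothing was left to delete) can be checked mechanically. The following is an added example, not part of the thread and not Avenger's own code: it matches every script target against a log and names the NTSTATUS code of each failure. The function names are hypothetical, and the sample strings are abbreviated from the script and the two logs posted above.

```python
import re

# NTSTATUS codes seen in the thread's Avenger logs (standard names from ntstatus.h).
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # the object itself does not exist
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",  # a parent directory does not exist
}

SECTION_RE = re.compile(r"^(files|folders|registry keys|registry values) to delete:$", re.I)
OK_RE = re.compile(r"^(?:File|Folder|Registry key|Registry value) (.+) deleted successfully\.$")
FAIL_RE = re.compile(r"^Deletion of (?:file|folder|registry key|registry value) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]+)$")


def norm(target):
    """Case-fold and drop spaces around '|' so script and log spellings compare equal."""
    return re.sub(r"\s*\|\s*", "|", target.strip()).lower()


def script_targets(script_text):
    """Return the lines listed under the script's '... to delete:' headings, in order."""
    targets, in_section = [], False
    for line in script_text.splitlines():
        line = line.strip()
        if SECTION_RE.match(line):
            in_section = True
        elif line and in_section:
            targets.append(line)
    return targets


def log_outcomes(log_text):
    """Map each normalized target in the log to 'deleted' or the name of its failure status."""
    outcomes, pending = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := OK_RE.match(line):
            outcomes[norm(m.group(1))] = "deleted"
        elif m := FAIL_RE.match(line):
            pending = norm(m.group(1))
            outcomes[pending] = "failed (no status)"
        elif (m := STATUS_RE.match(line)) and pending:
            code = int(m.group(1), 16)
            outcomes[pending] = NTSTATUS.get(code, hex(code))
            pending = None
    return outcomes


def audit(script_text, log_text):
    """Outcome per script line; 'not processed' means the log never mentions the target."""
    seen = log_outcomes(log_text)
    return {t: seen.get(norm(t), "not processed") for t in script_targets(script_text)}


# Sample input, abbreviated from the script and logs posted in this thread.
SCRIPT = r"""
Files to delete:
C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\fcyvs.dll

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Dispatcher
"""

RUN1_LOG = r"""
File C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe deleted successfully.
File C:\WINDOWS\system32\wintems.exe deleted successfully.
Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034
"""

RUN2_LOG = r"""
Could not open file C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe for deletion
Deletion of file C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe failed!
Status: 0xc000003a
File C:\WINDOWS\system32\wintems.exe not found!
Deletion of file C:\WINDOWS\system32\wintems.exe failed!
Status: 0xc0000034
File C:\WINDOWS\system32\fcyvs.dll not found!
Deletion of file C:\WINDOWS\system32\fcyvs.dll failed!
Status: 0xc0000034
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr failed!
Status: 0xc0000034
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|Dispatcher failed!
Status: 0xc0000034
"""

if __name__ == "__main__":
    for name, log in (("run 1", RUN1_LOG), ("run 2", RUN2_LOG)):
        print(name)
        for target, outcome in audit(SCRIPT, log).items():
            print(f"  {outcome:30} {target}")
```

A "not processed" result means the script pasted into the tool was incomplete; a run in which every status is one of the two not-found codes means the targets were already gone before that run.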

Post by gatun69 » Tue Mar 13, 2007 3:27 pm

This is the Autostart log

GMER 1.0.12.12086 - http://www.gmer.net
Autostart scan 2007-03-13 14:20:03
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@DLLName = igfxsrvc.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe /*file not found*/
EvtEng /*EvtEng*/@ = C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
RegSrvc /*RegSrvc*/@ = C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
S24EventMonitor /*Spectrum24 Event Monitor*/@ = C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
VAIO Entertainment File Import Service /*VAIO Entertainment File Import Service*/@ = C:\Programmi\File comuni\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
VCI /*VAIO Cooporated Initialisation*/@ = C:\Programmi\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ApointC:\Programmi\Apoint\Apoint.exe = C:\Programmi\Apoint\Apoint.exe
@HKSERV.EXEC:\Programmi\Sony\HotKey Utility\HKserv.exe = C:\Programmi\Sony\HotKey Utility\HKserv.exe
@VAIO Update 2"C:\Programmi\sony\vaio update 2\VAIOUpdt.exe" /Stationary = "C:\Programmi\sony\vaio update 2\VAIOUpdt.exe" /Stationary
@SonyPowerCfgC:\Programmi\sony\vaio power management\SPMgr.exe = C:\Programmi\sony\vaio power management\SPMgr.exe
@OWS Setup CmdLine"C:\Programmi\File comuni\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" /pkg "Office 2000 Server Extensions" = "C:\Programmi\File comuni\Microsoft Shared\Web Server Extensions\40\bin\cfgwiz.exe" /pkg "Office 2000 Server Extensions"
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@iTunesHelper"C:\Programmi\iTunes\iTunesHelper.exe" = "C:\Programmi\iTunes\iTunesHelper.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@drvsyskitC:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe /*file not found*/ = C:\Documents and Settings\PAOLA\Dati applicazioni\hidires\hidr.exe /*file not found*/
@eMuleAutoStartC:\Documents and Settings\andrea\emule\emule.exe -AutoStart /*file not found*/ = C:\Documents and Settings\andrea\emule\emule.exe -AutoStart /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{C47A9554-195A-4769-9B13-04F15B450A39} = C:\WINDOWS\system32\mljhebc.dll /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{ED58A35B-B554-42AF-A26C-6F3D424200D3} /*Sony Power Management Extensiond*/C:\Programmi\sony\vaio power management\SPMPanel.dll = C:\Programmi\sony\vaio power management\SPMPanel.dll
@{DEE12703-6333-4D4E-8F34-738C4DCC2E04} /*RecordNow! SendToExt*/C:\Programmi\Sonic\RecordNow!\shlext.dll = C:\Programmi\Sonic\RecordNow!\shlext.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{259F616C-A300-44F5-B04A-ED001A26C85C} /*SolidConverter extension*/C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll = C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/(null) =
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Programmi\iTunes\iTunesMiniPlayer.dll = C:\Programmi\iTunes\iTunesMiniPlayer.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
SolidConverterPDF@{259F616C-A300-44F5-B04A-ED001A26C85C} = C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
SolidConverterPDF@{259F616C-A300-44F5-B04A-ED001A26C85C} = C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{259F616C-A300-44F5-B04A-ED001A26C85C}C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll = C:\Programmi\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar3.dll = c:\programmi\google\googletoolbar3.dll
@{EE73281B-E6DE-4AC6-AB25-1C46263B954F}C:\WINDOWS\system32\fcyvs.dll /*file not found*/ = C:\WINDOWS\system32\fcyvs.dll /*file not found*/

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\AVASTSS.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\INETCOMM.DLL
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FB654912-43F8-4B8D-ADF3-CDB735830316} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress10.224.80.3 = 10.224.80.3
@NameServer212.17.192.49,212.17.192.216 = 212.17.192.49,212.17.192.216
@DefaultGateway10.224.80.5 = 10.224.80.5
@Domain =

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Audio Filter.lnk = Audio Filter.lnk
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.12 ----


and this is the one from SmitFraudFix v2.148

Scan done at 19.57.59,35, 12/03/2007
Run from C:\Documents and Settings\PAOLA\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

The only drawback is that, since this is a "client" PC, a program shared with the "server" does not work.

Post by Amantide » Tue Mar 13, 2007 4:09 pm

A few entries are left that are no longer dangerous; run this script with Avenger as well:

Registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{C47A9554-195A-4769-9B13-04F15B450A39}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE73281B-E6DE-4AC6-AB25-1C46263B954F}


Check whether it's OK, and this is the result of the:

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"


I didn't understand this one [uhm] Do you need to re-add this key to the registry? Is it missing now? If so, then those values are the correct ones.

The only drawback is that, since this is a "client" PC, a program shared with the "server" does not work.

I didn't understand this one either [boh]
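Added example (not part of the original thread, and not GMER's or The Avenger's own code): a small Python parser for the `>>>` section form of the GMER autostart log in this thread that lists the entries GMER marks `/*file not found*/`, the kind of leftover the reply above asks The Avenger to delete. The function name is hypothetical, and a missing target only marks an entry for review: it does not say whether the entry belonged to malware or to damaged legitimate software.

```python
import re

# Lines copied from the GMER autostart log posted in this thread (two sections).
SAMPLE_LOG = r"""
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe /*file not found*/
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{EE73281B-E6DE-4AC6-AB25-1C46263B954F}C:\WINDOWS\system32\fcyvs.dll /*file not found*/ = C:\WINDOWS\system32\fcyvs.dll /*file not found*/
"""

CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "/*file not found*/"


def orphaned_entries(log_text):
    """Return (registry_key, target_path) for entries whose file GMER could not find.

    Hypothetical helper: it handles only entries listed under a 'KEY >>>' section
    header; single-line 'KEY@value = data' entries are ignored.
    """
    results = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line closes the current section
            continue
        if line.endswith(">>>"):
            section = line[:-3].strip().rstrip("\\")
            continue
        if section is None or MISSING not in line or " = " not in line:
            continue
        left, right = line.split(" = ", 1)
        target = right.replace(MISSING, "").strip()
        match = CLSID.search(left)
        # CLSID-keyed entries (BHOs, shell extensions) vs. named ones (services)
        name = match.group(0) if match else left.split("@", 1)[0].split(" /*", 1)[0].strip()
        results.append((section + "\\" + name, target))
    return results


if __name__ == "__main__":
    for key, target in orphaned_entries(SAMPLE_LOG):
        print(f"review: {key} -> {target}")
```

The second key it reports is the Browser Helper Objects entry named in the Avenger script above; the first is the AVG service whose executable is missing.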

Post by gatun69 » Tue Mar 13, 2007 6:00 pm

This is the result after the last log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ysdwbisy

*******************

Script file located at: \??\C:\pltgbhko.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{C47A9554-195A-4769-9B13-04F15B450A39} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{C47A9554-195A-4769-9B13-04F15B450A39} failed!
Status: 0xc0000034

Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE73281B-E6DE-4AC6-AB25-1C46263B954F} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

As for the remark about the "server", never mind, it works.
Let me explain better:
this PC is connected to a network and to a "server" on which an application that runs in MS-DOS is installed, which it accesses for data sharing.
I hope I've been clear enough, since I'm no computer whiz.
Sorry again and many thanks, you solved my problem.

megalab.it: daily online publication registered with the Court of Cosenza, no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising