OBFUSTAT

[plutone77]

Ciao

Ho un problema non indifferente.
Il solito virus sconosciuto (e bastardo) che non riesco a debellare.
Purtroppo neanche Google ne sa nulla per cui non so dove sbattere la testa.

Il file infettato è il CIODMJ.DLL che sta sotto C\Windows\System32\

L'antivirus (AVG) me lo riconosce come OBFUSTAT.ZTA ma non lo riesce ad eliminare.

Ho provato con qualsiasi software:
HiJackThis
KillBox
Avanst
XoftSpyS
SpyHunter
etc...

Sia sotto il mio profilo e sia in modalità provvisoria

Non c'è verso...

Potete aiutarmi?

Grazie,
Mirko.

[Luke57]

Ciao, scarica COMBOFIX sul desktop http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- Una volta scaricato,avvialo con un doppio click.
- Si aprirà una finestra blu , attendi
- Dopo qualche attimo apparirà un avviso che declina l'autore da ogni responsabilità.
- A questo punto seleziona 1 e premi ENTER per lanciare lo scan.
- Attendere.....
Il tool ti avviserà una volta lo scan finito e in qualche attimo visualizzerà il rapporto con i dettagli. (C:\ComboFix.txt)
Inserisci in un post il log (C:\ComboFix.txt)

[plutone77]

Ecco il log:

ComboFix 07-11-08.1 - Jeric 2007-11-17 13.40.08.1 - FAT32x86
Eseguito da: D:\Temp\ComboFix.exe
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\packet.dll

.
((((((((((((((((((((((((( Files Creati Da 2007-10-17 al 2007-11-17 )))))))))))))))))))))))))))))))))))
.

2007-11-17 13:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-17 10:47 376,352 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-17 10:47 512 --a------ C:\ScanSectorLog.dat
2007-11-17 10:47 288 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-17 09:54 36,096 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2007-11-17 09:53 <DIR> d-------- C:\Programmi\VEXPLITE
2007-11-16 19:47 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-16 19:37 <DIR> d-------- C:\Programmi\Enigma Software Group
2007-11-15 20:15 <DIR> d-------- C:\Programmi\Smart PC Solutions
2007-11-14 20:46 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-11-14 20:46 741,632 --a------ C:\WINDOWS\system32\rcjgdkni.dat
2007-11-14 20:46 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-11-14 20:46 41,728 --a------ C:\WINDOWS\system32\wtotaefg.dat
2007-11-14 20:46 36,096 --a------ C:\WINDOWS\system32\ykkawbkj.dat
2007-11-14 20:46 35,072 --a------ C:\WINDOWS\system32\fffkytpr.dat
2007-11-14 07:42 120,064 --a------ C:\WINDOWS\system32\fonfdhif.dat
2007-11-14 07:36 18,688 C:\WINDOWS\system32\drivers\trrzsvhf.dat
2007-11-14 07:35 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-11-14 07:34 84,480 --a------ C:\WINDOWS\system32\ciodmj.dll
2007-11-14 07:33 95,232 --a------ C:\WINDOWS\system32\msfeedsbsg.dll
2007-10-26 18:31 <DIR> d-------- C:\Documents and Settings\Jeric\Dati applicazioni\uk.co.planetside
2007-10-25 22:20 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-10-25 22:16 <DIR> d-------- C:\Documents and Settings\Jeric\.smplayer
2007-10-25 22:15 <DIR> d-------- C:\Programmi\SMPlayer
2007-10-25 21:55 <DIR> d-------- C:\Programmi\MKVtoolnix
2007-10-25 21:42 <DIR> d-------- C:\Programmi\LD-Anime
2007-10-25 07:19 <DIR> d-------- C:\Programmi\dvdSanta

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 10:56 6,116 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-17 10:56 1,100 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-16 18:50 --------- d-----w C:\Programmi\iTunes
2007-10-16 18:50 --------- d-----w C:\Programmi\iPod
2007-10-16 18:48 --------- d-----w C:\Programmi\QuickTime
2007-10-16 18:47 --------- d-----w C:\Programmi\File comuni\Apple
2007-10-16 18:44 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Apple
2007-10-05 20:13 --------- d-----w C:\Programmi\Mio Technology
2007-10-05 18:11 --------- d-----w C:\Programmi\Summitsoft
2007-09-30 18:43 --------- d-----w C:\Programmi\File comuni\DAZ
2007-03-04 11:22 87,608 ----a-w C:\Documents and Settings\Jeric\Dati applicazioni\ezpinst.exe
2007-03-04 11:22 47,360 ----a-w C:\Documents and Settings\Jeric\Dati applicazioni\pcouffin.sys
2007-07-04 18:34:54 80 --sh--r C:\WINDOWS\system32\0D52E19636.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2764C2DB-8A48-4A9C-844E-F7F67D30C832}]
2006-11-07 21:03 95232 --a------ C:\WINDOWS\system32\msfeedsbsg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96832EB3-9D5C-47A1-8154-CF2FD2B62BF2}]
2007-11-16 18:33 84480 --a------ c:\windows\system32\ciodmj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-12 21:10]
"UpdReg"="C:\WINDOWS\Updreg.exe" [2000-05-11 01:00]
"AHQInit"="C:\Programmi\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 17:49]
"INTERNET KEYBOARD"="C:\Programmi\Trust\Internet Keyboard\MMKeybd.exe" [2000-11-20 09:57]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2000-02-17 15:11 C:\WINDOWS\system32\WFXSNT40.EXE]
"EPSON Stylus Photo RX420 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.exe" [2004-04-09 04:00]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 15:39 C:\WINDOWS\system32\bthprops.cpl]
"Zone Labs Client"="C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"ZoneAlarm Client"="C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-25 09:59]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"QuickTime Task"="C:\Programmi\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-09-26 14:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spamihilator"="C:\Programmi\Spamihilator\spamihilator.exe" []
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Update"=vpc32.exe

C:\Documents and Settings\Jeric\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2004-03-21 15:33:29]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Programmi\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 04:54 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wbukqwkq]
ciodmj.dll 2007-11-16 18:33 84480 C:\WINDOWS\system32\ciodmj.dll

R0 wzntxmzj;wzntxmzj;C:\WINDOWS\system32\drivers\trrzsvhf.dat
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys
R2 nhksrv;Netropa NHK Server;C:\Programmi\Trust\Internet Keyboard\nhksrv.exe
R2 wfxsvc;WinFax PRO;C:\WINDOWS\System32\WFXSVC.EXE
S2 algtxcsg; TAPI NDIS di accesso remotoHelper;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 Asysnavpsi;Asysnavpsi;C:\WINDOWS\System32\ckcnv.exe
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\System32\drivers\CDANT.SYS
S3 memsysdrv;Memory System;\??\C:\WINDOWS\system32\drivers\memsysdrv.sys
S3 Slnt7554;USB Soft Modem Driver;C:\WINDOWS\system32\DRIVERS\SLDRV\slnt7554.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S4 UpdMtp;UpdMtp;"\\?\C:\Programmi\File comuni\Services\con.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
algtxcsg

.
Contenuto della cartella 'Scheduled Tasks'
"2007-11-12 18:24:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 13:48:02
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2007-11-17 13:50:00 - machine was rebooted
.
--- E O F ---



Quindi?

Mirko

[Luke57]

Ciao, scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
Decomprimi l'archivio
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:

Files to delete:
C:\WINDOWS\system32\rcjgdkni.dat
C:\WINDOWS\system32\wtotaefg.dat
C:\WINDOWS\system32\ykkawbkj.dat
C:\WINDOWS\system32\fffkytpr.dat
C:\WINDOWS\system32\fonfdhif.dat
C:\WINDOWS\system32\drivers\trrzsvhf.dat
C:\WINDOWS\system32\ciodmj.dll
C:\WINDOWS\system32\msfeedsbsg.dll
C:\Documents and Settings\Jeric\Dati applicazioni\ezpinst.exe
C:\WINDOWS\system32\0D52E19636.dll
C:\Programmi\File comuni\Services\con.exe



registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2764C2DB-8A48-4A9C-844E-F7F67D30C832}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96832EB3-9D5C-47A1-8154-CF2FD2B62BF2}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wbukqwkq


Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo, se così non fosse riavvialo manualmente.
Posta anche il log generato da avenger, lo trovi in C:\ è un file di testo

Inoltre apri il registro di sistema
Start>esegui>regedit (lo digiti nello spazio)>OK
Aperto l'editor, cliccando sul segno + accanto alle singole voci
segui questo percorso:
HKEY_USERS\.default\software\microsoft\windows\currentversion\run
click sulla cartella Run
se sulla parte destra trovi:
Microsoft Update"=vpc32.exe
click tasto dx sulla voce e scegli Elimina

Inoltre, scarica questi due tools:

prevx
http://www.prevx.com/gromozon.asp

Tool di rimozione della Symantec:
http://securityresponse.symantec.com/av ... inkopt.exe

Eseguili uno alla volta; disattiva il tuo antivirus durante la scansione.

Quello della prevx fa riavviare il computer e al riavvio viene completata la scansione, al termine della quale viene rilasciato un report che trovi in C:\Gromozon_Removal.log.

Poi esegui il tool della symantec (dalla modalità provvisoria; se
non sai come andarci, premi ripetutamente il tasto F8 all'accensione del computer prima che inizi a caricarsi windows; sulla schermata grigia che appare scegli modalità provvisoria spostandoti con le freccette e premendo invio).

Anche questo tool rilascia un rapporto della scansione nella cartella dove
hai messo il file (Fixlinkopt.log)
Invia anche questo rapporto.

[plutone77]

Innanzi tutto grazie per l'aiuto

Veniamo al problema:
Controllando il log di avenger, questo maledetto ciodmj.dll non ne vuole sapere di cancellarsi....


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ujembkhe

*******************

Script file located at: \??\C:\yqkrhgmi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\rcjgdkni.dat deleted successfully.
File C:\WINDOWS\system32\wtotaefg.dat deleted successfully.
File C:\WINDOWS\system32\ykkawbkj.dat deleted successfully.
File C:\WINDOWS\system32\fffkytpr.dat deleted successfully.
File C:\WINDOWS\system32\fonfdhif.dat deleted successfully.


Could not open file C:\WINDOWS\system32\drivers\trrzsvhf.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\trrzsvhf.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\trrzsvhf.dat
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\ciodmj.dll for deletion
Deletion of file C:\WINDOWS\system32\ciodmj.dll failed!

Could not process line:
C:\WINDOWS\system32\ciodmj.dll
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\msfeedsbsg.dll for deletion
Deletion of file C:\WINDOWS\system32\msfeedsbsg.dll failed!

Could not process line:
C:\WINDOWS\system32\msfeedsbsg.dll
Status: 0xc0000022

File C:\Documents and Settings\Jeric\Dati applicazioni\ezpinst.exe deleted successfully.
File C:\WINDOWS\system32\0D52E19636.dll deleted successfully.
File C:\Programmi\File comuni\Services\con.exe deleted successfully.


Could not open registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2764C2DB-8A48-4A9C-844E-F7F67D30C832} for deletion
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2764C2DB-8A48-4A9C-844E-F7F67D30C832} failed!
Status: 0xc0000022



Could not open registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96832EB3-9D5C-47A1-8154-CF2FD2B62BF2} for deletion
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96832EB3-9D5C-47A1-8154-CF2FD2B62BF2} failed!
Status: 0xc0000022



Could not open registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wbukqwkq for deletion
Deletion of registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wbukqwkq failed!
Status: 0xc0000022

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.



________________________


poi ecco il log di prevx:

Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.

__________________

e poi quello di Fixlinkopt:

Symantec Trojan.Linkoptimizer Removal Tool 1.0.8

C:\Avenger\con.exe: (deleted)

Trojan.Linkoptimizer has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 90271
The number of deleted threat files: 1
The number of threat processes terminated: 0
The number of threat threads terminated: 0
The number of registry entries fixed: 0

The tool initiated a system reboot.

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (cleared)

________________________

è ostico...

[Luke57]

Ciao, scarica systemscan (strumento di diagnosi),
http://www.suspectfile.com/systemscan
estrailo sul desktop, applcazioni e programmi chiusi, avvialo, metti la spunta a tutte le voci e premi "Scan". Al termine della scansione sarà rilasciato un log che troverai in C:\suspectfile -un file con estensione .zip (data+ora+.zip)
E' troppo lungo per inserirlo in un post, quindi vai su http://www.easy-share.com e carica lì il file.
POi inserisci in un nuovo post il link per scaricarlo (solo quello per scaricarlo, non quello per eliminarlo dal sito di hosting)

Nel caso che systemscan non si avviasse per la mancanza di alcuni privilegi (il SeDebugPrivilege) scarica anche questo tool

http://download.bleepingcomputer.com/sU ... estore.exe

e usalo. Poi riavvia il pc, dopo di che systemscan dovrebbe funzionare.

[plutone77]

ecco il link:

http://xoomer.alice.it/plutone/temp/sus ... report.zip

Mirko.

PS
non so perchè ma per scaricare il log va copiato l'indirizzo sulla barra di IE perchè se ci clicchi solo su ti da "pagina non trovata"

[plutone77]

ecco il link:

http://xoomer.alice.it/plutone/temp/sus ... report.zip

Mirko.

PS
non so perchè ma per scaricare il log va copiato l'indirizzo sulla barra di IE perchè se ci clicchi solo su ti da "pagina non trovata"

[plutone77]

ecco il link:

http://xoomer.alice.it/plutone/temp/sus ... report.zip

Mirko.

PS
non so perchè ma per scaricare il log va copiato l'indirizzo sulla barra di IE perchè se ci clicchi solo su ti da "pagina non trovata"

[Luke57]

Ciao, prova nuovamente con avenger in base al seguente script:

Files to delete:
C:\WINDOWS\system32\ciodmj.dll
C:\WINDOWS\system32\drivers\trrzsvhf.dat


registry keys to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wbukqwkq
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2764C2DB-8A48-4A9C-844E-F7F67D30C832}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96832EB3-9D5C-47A1-8154-CF2FD2B62BF2}
HKLM\system\currentcontrolset\services\UpdMtp
HKLM\system\currentcontrolset\services\wzntxmzj


registry values to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | PwjMcqZuHzIsJBZtHo

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Posta il report.

[plutone77]

niente da fare:



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qdrekcqw

*******************

Script file located at: \??\C:\WINDOWS\jycedgor.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\system32\ciodmj.dll for deletion
Deletion of file C:\WINDOWS\system32\ciodmj.dll failed!

Could not process line:
C:\WINDOWS\system32\ciodmj.dll
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\drivers\trrzsvhf.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\trrzsvhf.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\trrzsvhf.dat
Status: 0xc0000022



Registry key HKLM\system\currentcontrolset\services\UpdMtp not found!
Deletion of registry key HKLM\system\currentcontrolset\services\UpdMtp failed!

Could not process line:
HKLM\system\currentcontrolset\services\UpdMtp
Status: 0xc0000034



Could not open registry key HKLM\system\currentcontrolset\services\wzntxmzj for deletion
Deletion of registry key HKLM\system\currentcontrolset\services\wzntxmzj failed!

Could not process line:
HKLM\system\currentcontrolset\services\wzntxmzj
Status: 0xc0000022



Could not open registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wbukqwkq for deletion
Deletion of registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wbukqwkq failed!
Status: 0xc0000022



Could not open registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2764C2DB-8A48-4A9C-844E-F7F67D30C832} for deletion
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2764C2DB-8A48-4A9C-844E-F7F67D30C832} failed!
Status: 0xc0000022



Could not open registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96832EB3-9D5C-47A1-8154-CF2FD2B62BF2} for deletion
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96832EB3-9D5C-47A1-8154-CF2FD2B62BF2} failed!
Status: 0xc0000022



Could not delete registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList|PwjMcqZuHzIsJBZtHo
Deletion of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList|PwjMcqZuHzIsJBZtHo failed!
Status: 0xc0000034



Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

[Luke57]

Ciao, ripeti l'operazione, non ha eliminato niente.

[plutone77]

me ne sono accorto anch'io che no ha eliminato niente ma prima di postare il log c'ho provato per ben 3 volte!

ti posto la quarta... come sopra:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tgwcrnpv

*******************

Script file located at: \??\C:\WINDOWS\system32\twhysrqk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\system32\ciodmj.dll for deletion
Deletion of file C:\WINDOWS\system32\ciodmj.dll failed!

Could not process line:
C:\WINDOWS\system32\ciodmj.dll
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\drivers\trrzsvhf.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\trrzsvhf.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\trrzsvhf.dat
Status: 0xc0000022



Registry key HKLM\system\currentcontrolset\services\UpdMtp not found!
Deletion of registry key HKLM\system\currentcontrolset\services\UpdMtp failed!

Could not process line:
HKLM\system\currentcontrolset\services\UpdMtp
Status: 0xc0000034



Could not open registry key HKLM\system\currentcontrolset\services\wzntxmzj for deletion
Deletion of registry key HKLM\system\currentcontrolset\services\wzntxmzj failed!

Could not process line:
HKLM\system\currentcontrolset\services\wzntxmzj
Status: 0xc0000022



Could not open registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wbukqwkq for deletion
Deletion of registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wbukqwkq failed!
Status: 0xc0000022



Could not open registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2764C2DB-8A48-4A9C-844E-F7F67D30C832} for deletion
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2764C2DB-8A48-4A9C-844E-F7F67D30C832} failed!
Status: 0xc0000022



Could not open registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96832EB3-9D5C-47A1-8154-CF2FD2B62BF2} for deletion
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{96832EB3-9D5C-47A1-8154-CF2FD2B62BF2} failed!
Status: 0xc0000022



Could not delete registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList|PwjMcqZuHzIsJBZtHo
Deletion of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList|PwjMcqZuHzIsJBZtHo failed!
Status: 0xc0000034



Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


non so più cosa fare

[plutone77]

provo a dirti di più:
da quando ho beccato questo virus maledetto, il problema più grosso è che spesso, mentre navigo, quando clicco su un link con il Cntr (ovvero "apri in un altra finestra") mi va diretamente a questo link:

http: //201.218.196.152/click.php?c=9524002c061d80a2c46f4001&r=1

da qui fa poi un redirect ad un altro sito di software, oppure porno, oppure di negozi online etc...

altre volte invece, dall'icon try menu, parte un triangolino giallo col punto esclamatico e poi mi si apre in automatico un'altra pagina in cui mi chiede di fare una scansione del pc perchè è infetto.

veramente noioso...

[Luke57]

Ciao, scarica SmitFraudfix e decomprimilo in una cartella a tua scelta estraendo tutti i file:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Riavvia in modalità provvisoria (premi il tasto f8 ripetutamente all'avvio del computer, prima che si carichi windows, nella schermata grigia che appare scegli modalità provvisoria spostandoti con le freccette e confermando con invio)

Apri la cartella che contiene SmitfraudFix avvia smitfraudfix.cmd
Seleziona opzione #2 - Clean cliccando sul 2 e premi Invio.
Riceverai questo messaggio: Registry cleaning - Do you want to clean the registry ?
Rispondi Sì cliccando Y e premi invio.
Rispondi Sì (Y) ad eventuali altre domande

eseguita tutta la scansione dopo il riavvio del pc posta sul forum il rapporto del programma .

Non mi ricodo se l'hai, scarica superantispyware ed.free da qui:
http://www.superantispyware.com/downloa ... PYWAREFREE
lo installi, lo aggiorni con check for updates e fai una scansione completa.

[plutone77]

ciao, ecco il log:


SmitFraudFix v2.253

Scan done at 19.29.04,78, 19/11/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{561A959C-9451-41D5-8DB5-BBAFDA446509}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{561A959C-9451-41D5-8DB5-BBAFDA446509}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{561A959C-9451-41D5-8DB5-BBAFDA446509}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

[plutone77]

i problemi che causa questo virus aumentano di giorno in giorno

[Luke57]

i problemi che causa questo virus aumentano di giorno in giorno

Ciao, Scarica VundoFix
http://www.atribune.org/ccount/click.php?id=4

Disconettiti da internet
Disattiva l'antivirus
Esegui il file VundoFix.exe
VundoFix si chiuderà e si riaprirà da solo, una volta riaperto, clicca sul pulsante "Scan for Vundo" quando la scansione è finita, clicca sul pulsante "Remove Vundo" a questo punto ti chiederà se vuoi eliminare i files, rispondi Yes una volta cliccato su Yes, non preoccuparti se il desktop scompare, è normale dato che è iniziata la procedura di eliminazione, finito la rimozione ti chiederà se vuoi riavviare, rispondi Yes e si riavvierà il pc.
E' possibile che vundofix non riesca ad eliminare alcuni files, in questo caso, vedrai vundofix apparire al riavvio basta che premi il pulsante Remove for vundo per continuare la rimoazione.
Finito tutto, posta il contenuto del file C:\vundofix.txt (se ha trovato qualcosa) e riattiva l'antivirus.

[plutone77]

niente da fare, non ha trovato nula...

[plutone77]

Ciao

per tua informazione ho disinstallato AVG free ed ho installato Avast.... niente da fare, addirittura non mi vedeva nessun trojan.
Allora ho attivato la protezione Antivirus e Antispyware di Zone Alarm pro e mi ha trovato due bei virus..

trojan.win32.BOH.yr
(sul file c/windows/system32/smfeedsbsg.dll)

trojan.win32.Pakes
(sul file c/windows/system32/ciodmj.dll)

ma non me li elimina.

Che tool uso?