Aiuto per rimozione trojan Virtumonde

[julio99]

Ciao a tutti

ho bisogno di aiuto per la rimozione di torjian virtumonde. Ho provato con il norton (anche con il tool specifico FxVMonde.exe), con adaware, con Vundofix e con numerosi altri programmi. Molti lo individuano, dicono di averlo rimosso ma poi lo ritrovo all'avvio successivo. In particolare molte delle applicazioni normali vanno a caricare il file c:\windows\system32\awtqo.dll e anche se provo a rimuoverlo con avenger continua sempre a ritornare.

Un grazie a chi prova ad aiutarmi :-))))

julio


Questo è il log di HJT:

Logfile of HijackThis v1.99.1
Scan saved at 21.57.02, on 15/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\a-squared Anti-Malware\a2service.exe
C:\Programmi\a-squared Free\a2service.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Programmi\Spyware Doctor\svcntaux.exe
C:\Programmi\Spyware Doctor\swdsvc.exe
C:\Programmi\Spyware Doctor\SDTrayApp.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmi\Spyware Doctor\SDTrayApp .exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqo.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {69249ACC-5719-4EE7-A6AC-AFD94AE2E00C} - C:\WINDOWS\system32\awtqo.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe /auto
O4 - HKLM\..\Run: [SDTray] "C:\Programmi\Spyware Doctor\SDTrayApp.exe"
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Programmi\a-squared Anti-Malware\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
O23 - Service: Sistema Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe

[Luke57]

Ciao, apri hijackthis, premi "do a system scan only", cerca e spunta le voci seguenti:
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqo.exe
O2 - BHO: (no name) - {69249ACC-5719-4EE7-A6AC-AFD94AE2E00C} - C:\WINDOWS\system32\awtqo.dll

premi fix checked.

Poi utilizza nuovamente vundofix, Clicca con il destro del mouse nello spazio bianco e seleziona l'opzione "Add more files?"
Ti si apre una nuova finestra
Clicca con il mouse nella prima riga, copia e incolla questo percorso
C:\WINDOWS\system32\awtqo.exe
Clicca con il mouse sulla seconda riga, copia e incolla questo percorso
C:\WINDOWS\system32\oqtwa.*
Clicca sul pulsante "Add file(s) poi su "close Windows" e ritornerai nella schermata principale dove vedrai i percorsi dei files(quelli che hai copiato e incollato) adesso clicca sul pulsante "Remove Vundo", poi continua confermando con yes (se vundofix riappareal riavvio con ancora il file da eliminare premi il pulsante Remove vundo per continuare la rimozione).
Posta il report dello scan.

[julio99]

ciao Luke

grazie intanto per l'aiuto e scusa se ci ho messo un po' a fare quallo che mi hai detto.

Spyware doctor continua dirmi che blocca "attività dannose" di virtumonde.

Ti posto il report dello scan di vundofix e attendo istruzioni.

Grazie

Julio


VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 21.32.30 15/01/2008

Listing files found while scanning....

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe
C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\awtqo.exe
C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.ini2
C:\windows\system32\zmnkuazw.dllbox

Beginning removal...

Attempting to delete C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\awtqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awtqo.exe
C:\WINDOWS\system32\awtqo.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtwa.ini2
C:\WINDOWS\system32\oqtwa.ini2 Has been deleted!

Attempting to delete C:\windows\system32\zmnkuazw.dllbox
C:\windows\system32\zmnkuazw.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\awtqo.dll Has been deleted!

Attempting to delete c:\windows\system32\awtqo.exe
c:\windows\system32\awtqo.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqtwa.ini2
C:\WINDOWS\system32\oqtwa.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 16.05.49 17/01/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Performing Repairs to the registry.
Done!

[Luke57]

Ciao, sembra che l'abbia cancellato.
Scarica il file - combofix.exe da qui http://www.techsupportforum.com/sect...s/ComboFix.exe
o da qui
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
SALVALO SU DESKTOP
Doppio click su combofix.exe e segui le istruzioni a video (non fare altro durante la scansione)
Quando avrà finito, creerà un file di log in C:
Posta qui il log C:\combofix.txt .
Tieni presente che durante la scansione verranno creati alcuni file sul desktop che poi spariranno automaticamente.
Durante la scansione spariranno tutte le icone del desktop
Durante la scansione il firewall potrebbe avvisarti che verranno rimossi alcuni driver (in tal caso acconsenti)

[julio99]

Ciao Luke

ho fatto quello che mi hai detto. Ho fatto uno scan con adaware, con spywaredoctor e con spybotsearch&destroy. Nessuno trova niente tuttavia spywaredoctor continua a segnalarmi che blocca il virus che cerca di accedere a qualche file. Ti allego il log di spywaredoctor e in fondo il log di combofix.

Grazie

Julio

SPYWAREDOCTOR

17/01/2008 18.06.29:541 Nel computer è stata rilevata un’infezione
Nome minaccia - Trojan.Generic
Tipo - Registry Key
Livello rischio - Medio
Infezione - HKEY_USERS\S-1-5-21-1960408961-1580818891-682003330-1003\Software\Wget

17/01/2008 18.06.29:619 Nel computer è stata rilevata un’infezione
Nome minaccia - Trojan.Generic
Tipo - Registry Key
Livello rischio - Medio
Infezione - HKEY_USERS\S-1-5-18\Software\Wget

17/01/2008 18.07.52:260 Scansione terminata
Tipo scansione - Intelli-Scan
Elementi elaborati - 173968
Minacce rilevate - 2
Infezioni rilevate - 3
Infezioni ignorate - 0

17/01/2008 18.09.09:994 OnGuard: Evento di sistema bloccato
Nome minaccia - Trojan.Virtumonde
Dettagli - Spyware Doctor ha bloccato un'applicazione che tentava di chiudi un file.
Livello rischio - Grave
Infezione - C:\WINDOWS\SYSTEM32\AWTQO.DLL

COMBOFIX

ComboFix 08-01-09.2 - julio 2008-01-17 17.19.05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.207 [GMT 1:00]
Eseguito da: C:\Documents and Settings\julio\Desktop\Vundo\ComboFix.exe
.

((((((((((((((((((((((((( Files Creati Da 2007-12-17 al 2008-01-17 )))))))))))))))))))))))))))))))))))
.

2008-01-17 15:46 . 2008-01-17 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Yahoo! Companion
2008-01-16 19:22 . 2008-01-16 19:22 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-16 18:49 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 21:30 . 2008-01-17 16:05 <DIR> d-------- C:\HJT
2008-01-15 21:09 . 2008-01-15 21:09 <DIR> d-------- C:\Programmi\Lavasoft
2008-01-15 20:59 . 2008-01-15 21:17 <DIR> d-------- C:\Programmi\Yahoo!
2008-01-15 20:58 . 2008-01-15 21:19 <DIR> d-------- C:\Programmi\CCleaner
2008-01-13 09:08 . 2008-01-15 21:08 <DIR> d-------- C:\Programmi\a-squared Free
2008-01-12 15:29 . 2008-01-12 15:29 60,416 --a------ C:\WINDOWS\system32\drivers\ngewfqqr.sys
2008-01-12 15:01 . 2008-01-17 16:25 <DIR> d-------- C:\VundoFix Backups
2008-01-12 12:56 . 2008-01-15 21:11 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-11 20:17 . 2008-01-11 20:17 60,416 --a------ C:\WINDOWS\system32\drivers\uyucdgkd.sys
2008-01-11 19:50 . 2008-01-11 19:50 60,416 --a------ C:\WINDOWS\system32\drivers\xmmjhbor.sys
2008-01-11 19:38 . 2008-01-11 19:38 60,416 --a------ C:\WINDOWS\system32\drivers\qfsvwcth.sys
2008-01-11 15:40 . 2008-01-11 15:40 60,416 --a------ C:\WINDOWS\system32\drivers\srethyeo.sys
2008-01-06 19:06 . 2008-01-16 18:57 <DIR> d-------- C:\Programmi\a-squared Anti-Malware
2008-01-06 18:33 . 2008-01-11 16:13 <DIR> d-------- C:\Programmi\Norton AntiVirus
2008-01-06 11:52 . 2008-01-06 11:52 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Webroot
2008-01-06 11:43 . 2001-06-20 17:41 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-01-06 11:43 . 2001-06-20 17:41 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-01-06 11:43 . 2008-01-06 11:53 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2008-01-06 11:43 . 2004-06-20 16:49 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-01-06 11:43 . 2001-06-20 17:41 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-01-06 11:43 . 2008-01-16 19:00 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-01-06 11:43 . 2001-06-20 17:41 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-01-06 11:43 . 2008-01-13 10:04 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-01-05 18:53 . 2008-01-05 18:53 <DIR> dr------- C:\Documents and Settings\LocalService\Preferiti
2008-01-05 13:22 . 2008-01-05 13:22 <DIR> d-------- C:\Documents and Settings\NetworkService\Dati applicazioni\Webroot
2008-01-01 18:34 . 2008-01-17 16:28 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-01-01 18:34 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-01 18:34 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-01 18:34 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-01 18:34 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-01 18:33 . 2008-01-17 15:48 <DIR> d-------- C:\Programmi\Spyware Doctor
2008-01-01 18:33 . 2008-01-01 18:33 <DIR> d-------- C:\Documents and Settings\julio\Dati applicazioni\PC Tools
2008-01-01 18:33 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-01 18:22 . 2008-01-05 13:40 <DIR> d-------- C:\Programmi\Norton Security Scan
2008-01-01 18:20 . 2008-01-17 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Google Updater
2008-01-01 10:08 . 2008-01-01 10:08 <DIR> d-------- C:\Programmi\Enigma Software Group
2007-12-30 15:47 . 2007-12-30 15:47 <DIR> d-------- C:\Documents and Settings\LocalService\Dati applicazioni\Webroot
2007-12-30 15:46 . 2007-12-30 15:46 <DIR> d-------- C:\Programmi\Webroot
2007-12-30 15:46 . 2007-12-30 15:46 <DIR> d-------- C:\Documents and Settings\julio\Dati applicazioni\Webroot
2007-12-30 15:46 . 2007-12-30 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Webroot
2007-12-30 15:46 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-12-30 15:46 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-12-30 15:46 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-12-30 15:46 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-12-30 15:46 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-12-30 10:15 . 2007-12-30 10:15 <DIR> d-------- C:\Documents and Settings\julio\Dati applicazioni\McAfee
2007-12-30 09:51 . 2008-01-06 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\McAfee
2007-12-29 16:55 . 2007-12-29 16:55 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2007-12-29 16:55 . 2007-12-29 16:55 <DIR> d-------- C:\Programmi\FLV Player
2007-12-26 12:02 . 2007-12-30 10:04 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-24 18:08 . 2007-12-24 18:08 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-24 18:05 . 2007-12-29 08:59 367,616 --a------ C:\WINDOWS\mrofinu1188.exe.tmp
2007-12-22 16:14 . 2007-12-22 16:14 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2007-12-19 19:35 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-19 19:35 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-19 19:35 . 2006-08-21 13:26 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 18:37 --------- d-----w C:\Programmi\EppPat2005
2008-01-16 17:55 --------- d-----w C:\Programmi\KMaestro
2008-01-15 20:14 --------- d-----w C:\Programmi\Java
2008-01-15 19:46 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-01-11 15:13 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-01-11 15:13 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Symantec
2008-01-07 23:27 --------- d-----w C:\Programmi\APDFPRP
2008-01-07 22:05 --------- d-----w C:\Programmi\Symantec
2008-01-02 18:53 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-01-01 17:58 --------- d-----w C:\Programmi\File comuni\Adobe
2008-01-01 17:28 --------- d-----w C:\Programmi\Google
2007-12-30 21:44 --------- d-----w C:\Documents and Settings\julio\Dati applicazioni\dvdcss
2007-12-30 10:59 --------- d-----w C:\Programmi\File comuni\Autodesk Shared
2007-12-30 09:08 --------- d-----w C:\Programmi\StopDialers
2007-12-22 15:48 --------- d-----w C:\Programmi\LimeWire
2007-12-14 16:04 --------- d-----w C:\Programmi\MSXML 4.0
2007-12-01 08:16 --------- d-----w C:\Programmi\RETScreen
2007-11-24 14:47 --------- d-----w C:\Documents and Settings\julio\Dati applicazioni\RETScreen
2007-11-19 19:11 --------- d-----w C:\Programmi\PARCELLE
2007-11-07 09:27 727,552 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:42 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 09:00 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-08-08 19:38 10 ----a-w C:\Programmi\dm143.mdd
1997-06-23 10:06 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll
.

Codice: Seleziona tutto

<pre>
----a-w            94,208 2008-01-17 15:30:32  C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor .exe
----a-w            50,880 2008-01-11 09:31:53  C:\Programmi\File comuni\Symantec Shared\ccApp .exe
----a-w            34,504 2008-01-11 09:31:54  C:\Programmi\File comuni\Symantec Shared\ccRegVfy .exe
----a-w           218,240 2008-01-05 07:56:36  C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt .exe
----a-w            79,480 2008-01-11 15:04:49  C:\Programmi\Norton AntiVirus\AdvTools\ADVCHK .EXE
----a-w           155,648 2007-12-30 09:04:02  C:\WINDOWS\system32\NeroCheck .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2008-01-16_18.59.40.85 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-30 16:53:32 360,832 ----a-w C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
+ 2007-03-06 01:48:10 15,584 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spmsg.dll
+ 2007-03-06 01:48:15 215,776 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spuninst.exe
+ 2007-03-06 01:48:08 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\spcustom.dll
+ 2007-03-06 01:48:33 724,192 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\update.exe
+ 2007-03-06 01:49:24 390,880 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\updspapi.dll
+ 2007-11-07 09:49:53 732,672 ----a-w C:\WINDOWS\$hf_mig$\KB943485\SP2QFE\lsasrv.dll
+ 2007-03-06 01:48:10 15,584 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spmsg.dll
+ 2007-03-06 01:48:15 215,776 ----a-w C:\WINDOWS\$hf_mig$\KB943485\spuninst.exe
+ 2007-03-06 01:48:08 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\spcustom.dll
+ 2007-03-06 01:48:33 724,192 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\update.exe
+ 2007-03-06 01:49:24 390,880 ----a-w C:\WINDOWS\$hf_mig$\KB943485\update\updspapi.dll
+ 2007-03-06 01:48:15 215,776 -c----w C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe
+ 2007-03-06 01:49:24 390,880 -c----w C:\WINDOWS\$NtUninstallKB941644$\spuninst\updspapi.dll
+ 2006-04-20 11:51:50 359,808 -c----w C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
+ 2006-08-17 12:29:46 727,552 -c----w C:\WINDOWS\$NtUninstallKB943485$\lsasrv.dll
+ 2007-03-06 01:48:15 215,776 -c----w C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe
+ 2007-03-06 01:49:24 390,880 -c----w C:\WINDOWS\$NtUninstallKB943485$\spuninst\updspapi.dll
- 2007-12-31 15:17:17 23,552 ----a-r C:\WINDOWS\Installer\{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}\Icon78CC3BAB.exe
+ 2008-01-17 14:46:18 23,552 ----a-r C:\WINDOWS\Installer\{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}\Icon78CC3BAB.exe
- 2007-12-31 15:17:17 23,552 ----a-r C:\WINDOWS\Installer\{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}\Icon78CC3BAB2.exe
+ 2008-01-17 14:46:18 23,552 ----a-r C:\WINDOWS\Installer\{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}\Icon78CC3BAB2.exe
- 2006-08-17 12:29:46 727,552 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:27:27 727,552 -c----w C:\WINDOWS\system32\dllcache\lsasrv.dll
- 2006-04-20 11:51:50 359,808 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2007-10-30 17:20:55 360,064 -c----w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-04-20 11:51:50 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2007-12-02 14:00:06 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-02 18:21:36 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
- 2007-03-06 01:48:09 15,584 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-03-06 01:48:10 15,584 ------w C:\WINDOWS\system32\spmsg.dll
+ 2008-01-17 15:27:53 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_774.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe" [ ]
"SDTray"="C:\Programmi\Spyware Doctor\SDTrayApp.exe" [2008-01-16 18:41 1065288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
--a------ 2008-01-13 09:37 1816208 C:\Programmi\a-squared Anti-Malware\a2guard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\System32\CTFMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftqfjqut]
C:\ohechrrd.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\awtqo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
--a------ 2008-01-16 18:41 1065288 C:\Programmi\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xaopsgqf]
C:\eyldnuvm.bat

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 01:07]
R3 axvbusx;axvbusx;C:\WINDOWS\system32\DRIVERS\axvbusx.sys [2003-01-31 21:43]
R3 axvscsi;axvscsi;C:\WINDOWS\system32\DRIVERS\axvscsi.sys [2003-01-31 21:43]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 17:21:27
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-01-17 17.22.07
ComboFix-quarantined-files.txt 2008-01-17 16:22:04
ComboFix2.txt 2008-01-16 18:00:05
.
2008-01-16 18:23:20 --- E O F ---

[Luke57]

Ciao, copia questo codice:

file::
C:\WINDOWS\system32\drivers\ngewfqqr.sys
C:\WINDOWS\system32\drivers\uyucdgkd.sys
C:\WINDOWS\system32\drivers\xmmjhbor.sys
C:\WINDOWS\system32\drivers\qfsvwcth.sys
C:\WINDOWS\system32\drivers\srethyeo.sys
C:\WINDOWS\mrofinu1188.exe.tmp
C:\ohechrrd.bat
C:\WINDOWS\system32\awtqo.exe

registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ftqfjqut]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

apri un file di testo (start>esegui>notepad.exe>OK), incollaci il codice, salva questo file chiamandolo obbligatoriamente CFScript.exe.
TRascinalo sopra, con il puntatore del mouse, l'icona di combofix.
Attendi l'elaborazione di una nuova scansione e un eventuale riavvio. Posta il nuovo report prodotto.

[julio99]

Ciao Luke

ho fatto ed ecco il log. Aspetto istruzioni.

Julio


ComboFix 08-01-09.2 - julio 2008-01-18 15.06.31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.216 [GMT 1:00]
Eseguito da: C:\Documents and Settings\julio\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\julio\Desktop\CFScript.exe
* Creato nuovo punto di ripristino

FILE
C:\ohechrrd.bat
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\awtqo.exe
C:\WINDOWS\system32\drivers\ngewfqqr.sys
C:\WINDOWS\system32\drivers\qfsvwcth.sys
C:\WINDOWS\system32\drivers\srethyeo.sys
C:\WINDOWS\system32\drivers\uyucdgkd.sys
C:\WINDOWS\system32\drivers\xmmjhbor.sys
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\drivers\ngewfqqr.sys
C:\WINDOWS\system32\drivers\qfsvwcth.sys
C:\WINDOWS\system32\drivers\srethyeo.sys
C:\WINDOWS\system32\drivers\uyucdgkd.sys
C:\WINDOWS\system32\drivers\xmmjhbor.sys

.
((((((((((((((((((((((((( Files Creati Da 2007-12-18 al 2008-01-18 )))))))))))))))))))))))))))))))))))
.

2008-01-17 15:46 . 2008-01-17 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Yahoo! Companion
2008-01-16 18:49 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 21:30 . 2008-01-17 16:05 <DIR> d-------- C:\HJT
2008-01-15 21:09 . 2008-01-15 21:09 <DIR> d-------- C:\Programmi\Lavasoft
2008-01-15 20:59 . 2008-01-15 21:17 <DIR> d-------- C:\Programmi\Yahoo!
2008-01-15 20:58 . 2008-01-15 21:19 <DIR> d-------- C:\Programmi\CCleaner
2008-01-13 09:08 . 2008-01-15 21:08 <DIR> d-------- C:\Programmi\a-squared Free
2008-01-12 15:01 . 2008-01-17 16:25 <DIR> d-------- C:\VundoFix Backups
2008-01-12 12:56 . 2008-01-15 21:11 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-06 19:06 . 2008-01-16 18:57 <DIR> d-------- C:\Programmi\a-squared Anti-Malware
2008-01-06 18:33 . 2008-01-11 16:13 <DIR> d-------- C:\Programmi\Norton AntiVirus
2008-01-06 11:52 . 2008-01-06 11:52 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Webroot
2008-01-06 11:43 . 2001-06-20 17:41 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-01-06 11:43 . 2001-06-20 17:41 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-01-06 11:43 . 2008-01-06 11:53 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2008-01-06 11:43 . 2004-06-20 16:49 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-01-06 11:43 . 2001-06-20 17:41 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-01-06 11:43 . 2008-01-17 17:22 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-01-06 11:43 . 2001-06-20 17:41 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-01-06 11:43 . 2008-01-13 10:04 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-01-05 18:53 . 2008-01-05 18:53 <DIR> dr------- C:\Documents and Settings\LocalService\Preferiti
2008-01-05 13:22 . 2008-01-05 13:22 <DIR> d-------- C:\Documents and Settings\NetworkService\Dati applicazioni\Webroot
2008-01-01 18:34 . 2008-01-18 14:46 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-01-01 18:34 . 2007-10-04 17:10 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-01 18:34 . 2007-10-04 17:10 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-01 18:34 . 2007-10-04 17:10 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-01 18:34 . 2007-10-04 17:11 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-01 18:33 . 2008-01-17 15:48 <DIR> d-------- C:\Programmi\Spyware Doctor
2008-01-01 18:33 . 2008-01-01 18:33 <DIR> d-------- C:\Documents and Settings\julio\Dati applicazioni\PC Tools
2008-01-01 18:33 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-01 18:22 . 2008-01-05 13:40 <DIR> d-------- C:\Programmi\Norton Security Scan
2008-01-01 18:20 . 2008-01-17 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Google Updater
2008-01-01 10:08 . 2008-01-01 10:08 <DIR> d-------- C:\Programmi\Enigma Software Group
2007-12-30 15:47 . 2007-12-30 15:47 <DIR> d-------- C:\Documents and Settings\LocalService\Dati applicazioni\Webroot
2007-12-30 15:46 . 2007-12-30 15:46 <DIR> d-------- C:\Programmi\Webroot
2007-12-30 15:46 . 2007-12-30 15:46 <DIR> d-------- C:\Documents and Settings\julio\Dati applicazioni\Webroot
2007-12-30 15:46 . 2007-12-30 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Webroot
2007-12-30 15:46 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-12-30 15:46 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-12-30 15:46 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-12-30 15:46 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-12-30 15:46 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-12-30 10:15 . 2007-12-30 10:15 <DIR> d-------- C:\Documents and Settings\julio\Dati applicazioni\McAfee
2007-12-30 09:51 . 2008-01-06 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\McAfee
2007-12-29 16:55 . 2007-12-29 16:55 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2007-12-29 16:55 . 2007-12-29 16:55 <DIR> d-------- C:\Programmi\FLV Player
2007-12-26 12:02 . 2007-12-30 10:04 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-24 18:08 . 2007-12-24 18:08 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-22 16:14 . 2007-12-22 16:14 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2007-12-19 19:35 . 2006-08-21 10:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-19 19:35 . 2006-08-21 10:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-19 19:35 . 2006-08-21 13:26 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 18:37 --------- d-----w C:\Programmi\EppPat2005
2008-01-16 17:55 --------- d-----w C:\Programmi\KMaestro
2008-01-15 20:14 --------- d-----w C:\Programmi\Java
2008-01-15 19:46 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-01-11 15:13 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-01-11 15:13 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Symantec
2008-01-07 23:27 --------- d-----w C:\Programmi\APDFPRP
2008-01-07 22:05 --------- d-----w C:\Programmi\Symantec
2008-01-02 18:53 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-01-01 17:58 --------- d-----w C:\Programmi\File comuni\Adobe
2008-01-01 17:28 --------- d-----w C:\Programmi\Google
2007-12-30 21:44 --------- d-----w C:\Documents and Settings\julio\Dati applicazioni\dvdcss
2007-12-30 10:59 --------- d-----w C:\Programmi\File comuni\Autodesk Shared
2007-12-30 09:08 --------- d-----w C:\Programmi\StopDialers
2007-12-22 15:48 --------- d-----w C:\Programmi\LimeWire
2007-12-14 16:04 --------- d-----w C:\Programmi\MSXML 4.0
2007-12-01 08:16 --------- d-----w C:\Programmi\RETScreen
2007-11-24 14:47 --------- d-----w C:\Documents and Settings\julio\Dati applicazioni\RETScreen
2007-11-19 19:11 --------- d-----w C:\Programmi\PARCELLE
2007-11-07 09:27 727,552 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:42 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 09:00 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-08-08 19:38 10 ----a-w C:\Programmi\dm143.mdd
1997-06-23 10:06 287,504 --sha-w C:\WINDOWS\system32\Msxbse35.dll
.

Codice: Seleziona tutto

<pre>
----a-w            94,208 2008-01-18 14:04:26  C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor .exe
----a-w            50,880 2008-01-11 09:31:53  C:\Programmi\File comuni\Symantec Shared\ccApp .exe
----a-w            34,504 2008-01-11 09:31:54  C:\Programmi\File comuni\Symantec Shared\ccRegVfy .exe
----a-w           218,240 2008-01-05 07:56:36  C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt .exe
----a-w            79,480 2008-01-11 15:04:49  C:\Programmi\Norton AntiVirus\AdvTools\ADVCHK .EXE
----a-w           155,648 2007-12-30 09:04:02  C:\WINDOWS\system32\NeroCheck .exe
</pre>

((((((((((((((((((((((((((((( snapshot_2008-01-17_17.21.42.58 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 17:50:09 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-18 14:06:03 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 17:50:09 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-18 14:06:03 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 17:50:09 7,471,104 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-18 14:06:04 7,483,392 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-16 17:50:09 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-18 14:06:04 225,280 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 17:50:09 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-18 14:06:04 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-16 17:50:10 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 14:06:04 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-18 13:46:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_62c.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe" [ ]
"SDTray"="C:\Programmi\Spyware Doctor\SDTrayApp.exe" [2008-01-16 18:41 1065288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
--a------ 2008-01-13 09:37 1816208 C:\Programmi\a-squared Anti-Malware\a2guard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\System32\CTFMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
--a------ 2008-01-16 18:41 1065288 C:\Programmi\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xaopsgqf]
C:\eyldnuvm.bat

R0 BsStor;B.H.A Storage Helper Driver;C:\WINDOWS\system32\drivers\BsStor.sys [2002-06-06 01:07]
R3 axvbusx;axvbusx;C:\WINDOWS\system32\DRIVERS\axvbusx.sys [2003-01-31 21:43]
R3 axvscsi;axvscsi;C:\WINDOWS\system32\DRIVERS\axvscsi.sys [2003-01-31 21:43]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 15:08:59
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-01-18 15.09.36
ComboFix-quarantined-files.txt 2008-01-18 14:09:33
ComboFix2.txt 2008-01-17 16:22:08
ComboFix3.txt 2008-01-16 18:00:05
.
2008-01-16 18:23:20 --- E O F ---

[julio99]

Ciao Luke

Spero che tu non ti sia dimenticato di me perchè il mio PC ha sempre gli stessi problemi!!

Attendo istruzioni.

Grazie.

Julio

[Luke57]

Ciao, non è che ci sia riamasto granchè da togliere, copia questo codice:

file::
C:\eyldnuvm.bat
C:\WINDOWS\system32\vbzip10.dll

registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xaopsgqf]


lo salvi come file di testo CFScript.txt ed esegui la solita procedura.
POi fai uno scan on line qui:
http://www.kasperskyitalia.it/servizi/k ... bscan.html
e posti il report.