Viperone Mortale (pio)
Registered: 19/05/08 11:01 | Posts: 17
Posted: 19 May 2008 11:37 | Subject: VIRUS Win32/Adware/Virtumonde.FP
Good morning everyone! I've been infected by this Virtumonde virus; NOD detects it continuously but can't remove it. Having found the path of the infected file [c:\windows\system32\urqrqPgG.dll], I tried to delete/modify/rename it manually but I can't; every attempt is in vain, I had no luck with any kind of program, not even in safe mode. The last thing I can say is that NOD reports this: Evento occorso durante il tentativo di accesso al file da parte di un'applicazione: C:\WINDOWS\system32\lsass.exe. I'm counting on someone's patience and help! Here is my log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.35.05, on 19/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {94BFEDD3-A0D0-407D-8628-3EDCEDA9CA8A} - C:\WINDOWS\system32\urqrqPgG.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Unknown owner - C:\Programmi\iPod\bin\iPodService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
--
End of file - 1378 bytes
bdoriano (Administrator)
Registered: 02/04/07 12:05 | Posts: 14391 | Location: 3rd planet of the solar system...
Posted: 19 May 2008 12:33
Hi Viperone,
- Disable System Restore.
- Clean the temporary files with ATF-Cleaner and/or CCleaner.
- Run a scan with Norman Malware Cleaner.
- Download the program.
- Start the PC in safe mode.
- Run Norman Malware Cleaner and let it do a full scan.
- At the end of the scan a log is created on the desktop called NFix_2008-MM-gg_hh-mm-ss.log.
- Restart the computer in normal mode.
- Download VundoFix and VirtumundoBegone and save them on the desktop.
- Run VundoFix.
Select Scan for Vundo and, when the scan has finished, choose Remove Vundo.
Click Yes and, when asked to restart the PC, answer Ok.
On restart Notepad should open with the log inside; copy its contents and post them on the forum.
- Now boot into safe mode.
Run VirtumundoBeGone and follow the on-screen instructions.
Restart the PC in normal mode and post the log.
- Follow the instructions in this topic to run ComboFix.
- Report back with a new message in this thread on the outcome: whether there were particular problems, etc. And post:
- Upload the Norman Malware Cleaner log to FreeFileHosting as described here and post the link you are given.
- The ComboFix log is generally not very long, so post it directly in the message.
Viperone Mortale (pio)
Registered: 19/05/08 11:01 | Posts: 17
Posted: 19 May 2008 18:08
First of all, THANKS for your help!
So, I did everything you told me, but..
1) VundoFix finds nothing. 2) VirtumundoBeGone doesn't open; it says it's not a valid Win32 application... I tried uninstalling and installing it again but it doesn't work!
Norman Malware Cleaner in safe mode, on the other hand, finds 2 infections:
Norman Malware Cleaner
Copyright © 1990 - 2008, Norman ASA. Built 2008/05/12 19:08:33
Norman Scanner Engine Version: 5.92.04
Nvcbin.def Version: 5.92.00, Date: 2008/05/12 19:08:33, Variants: 1631317
Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Home 5.1.2600(Safe mode) Service Pack 2
Logged on user: PC-SOR\Gianluca
Scan started: 19/05/2008 14:36:51
Scanning running processes and process memory...
C:\WINDOWS\system32\lsass.exe(268) (C:\WINDOWS\system32\urqrqPgG.dll!0x10000000) (Infected with Vundo.gen148)
File marked for defered cleaning (reboot required)
C:\WINDOWS\Explorer.EXE(1400) (C:\WINDOWS\system32\urqrqPgG.dll!0x10000000) (Infected with Vundo.gen148)
File marked for defered cleaning (reboot required)
Number of processes/threads found: 535
Number of processes/threads scanned: 535
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 22s
Scanning file system...
Scanning: C:\*.*
C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo0.dll (Infected with W32/Shopper.U)
Deleted file
C:\Programmi\VideoLAN\VLC\vlc-0.8.6b.tar.bz2/unknown0 (Error whilst scanning file: I/O Error)
C:\WINDOWS\msagent\agentsr.dll (Error whilst scanning file: I/O Error)
C:\WINDOWS\system32\urqrqPgG.dll (Infected with Vundo.gen148)
File marked for defered cleaning (reboot required)
Scanning: D:\*.*
D:\Programmi\vlc-0.8.6d-win32.zip/vlc-0.8.6d/osdmenu/default/selection/fw.png (Error whilst scanning file: I/O Error)
D:\Programmi\vlc-0.8.6d.tar.bz2/unknown0 (Error whilst scanning file: I/O Error)
Scanning: c:\System Volume Information\*.*
Running post-scan cleanup routine:
Number of files found: 175912
Number of archives unpacked: 6105
Number of files scanned: 175871
Number of files not scanned: 41
Number of files skipped due to exclude list: 0
Number of infected files found: 2
Number of infected files repaired/deleted: 1
Number of infections removed: 1
Total scanning time: 2h 6m 51s
Awaiting instructions.
bdoriano (Administrator)
Registered: 02/04/07 12:05 | Posts: 14391 | Location: 3rd planet of the solar system...
Posted: 19 May 2008 18:41
One step is missing:
bdoriano wrote:
Hi Viperone,
- Follow the instructions in this topic to run ComboFix.
- Report back with a new message in this thread on the outcome: whether there were particular problems, etc. And post:
- The ComboFix log is generally not very long, so post it directly in the message.
If ComboFix also fails, run this scan with SystemScan and post the log on FreeFileHosting as described here.
Viperone Mortale (pio)
Registered: 19/05/08 11:01 | Posts: 17
Posted: 19 May 2008 19:55
WE WON
So, ComboFix did its job, excellently I'd say. In fact NOD no longer finds anything and that annoying virus alert window no longer appears. I went to look in system32 to see whether that infected file was still there and I can't find it anymore. I'd say I've solved it, no? I'll wait for your final opinion anyway before claiming victory.
Anyway, thanks a million, you're priceless!
bdoriano (Administrator)
Registered: 02/04/07 12:05 | Posts: 14391 | Location: 3rd planet of the solar system...
Posted: 19 May 2008 21:45
I don't have a crystal ball yet.
Post the log created by ComboFix. You'll find it in c:\combofix.txt
Viperone Mortale (pio)
Registered: 19/05/08 11:01 | Posts: 17
Posted: 19 May 2008 21:51
Here's the log (waiting anxiously):
ComboFix 08-05-15.3 - Gianluca 2008-05-19 19.03.12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.589 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Gianluca\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\GgPqrqru.ini
C:\WINDOWS\system32\GgPqrqru.ini2
.
((((((((((((((((((((((((( Files Creati Da 2008-04-19 al 2008-05-19 )))))))))))))))))))))))))))))))))))
.
2008-05-19 00:29 . 2008-05-19 10:13 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-18 23:40 . 2008-05-18 23:40 <DIR> d-------- C:\Programmi\Trend Micro
2008-05-18 19:57 . 2008-05-19 10:17 <DIR> d-------- C:\Programmi\Enigma Software Group
2008-05-17 04:03 . 2008-05-17 04:03 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-16 14:05 . 2008-05-16 14:05 <DIR> d-------- C:\VundoFix Backups
2008-05-16 12:44 . 2008-05-17 09:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 12:44 . 2008-05-16 12:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-12 20:17 . 2008-05-12 20:18 <DIR> d-------- C:\Programmi\DivX
2008-05-12 19:53 . 2008-05-12 19:53 <DIR> d-------- C:\WINDOWS\system32\Quicktime
2008-05-12 19:53 . 2008-05-12 19:53 <DIR> d-------- C:\Programmi\SmartSound Software
2008-05-12 19:53 . 2008-05-14 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\SmartSound Software Inc
2008-05-12 19:28 . 2001-09-28 18:00 164,864 --a------ C:\Documents and Settings\Gianluca\UNWISE.EXE
2008-05-12 19:27 . 2004-08-06 14:10 121,504 --a------ C:\Documents and Settings\Gianluca\UninstallPatchesAndApp.exe
2008-05-12 19:17 . 2004-02-04 18:22 10,999,074 --------- C:\Documents and Settings\Gianluca\hfbm0107.zip
2008-05-12 19:15 . 2008-05-12 19:15 <DIR> d-------- C:\Documents and Settings\Gianluca\Titles 16x9
2008-05-12 19:15 . 2008-05-12 19:15 <DIR> d-------- C:\Documents and Settings\Gianluca\Titles
2008-05-12 19:14 . 2008-05-12 19:14 <DIR> d-------- C:\Documents and Settings\Gianluca\Support
2008-05-12 19:14 . 2008-05-13 12:09 <DIR> d-------- C:\Documents and Settings\Gianluca\Sound Effects
2008-05-12 19:14 . 2008-05-12 19:14 <DIR> d-------- C:\Documents and Settings\Gianluca\GuidedTour
2008-05-12 19:14 . 2008-05-15 22:26 <DIR> d-------- C:\Documents and Settings\Gianluca\Alpha Magic
2008-05-12 19:14 . 2004-04-07 10:49 49,152 --a------ C:\Documents and Settings\Gianluca\LaunchList.exe
2008-05-12 19:14 . 2003-12-22 23:16 27,648 --a------ C:\Documents and Settings\Gianluca\PopUpMsg.exe
2008-05-12 19:13 . 2008-05-12 19:13 <DIR> dr------- C:\Documents and Settings\Hollywood FX 5\Lightwave Content
2008-05-12 19:13 . 2008-05-12 19:13 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Album
2008-05-12 19:13 . 2008-05-12 19:13 <DIR> d-------- C:\Documents and Settings\Gianluca\WmProfiles
2008-05-12 19:13 . 2008-05-12 19:13 <DIR> d-------- C:\Documents and Settings\Gianluca\InstantInfo
2008-05-12 19:13 . 2008-05-12 19:13 <DIR> d-------- C:\Documents and Settings\Gianluca\bin
2008-05-12 19:13 . 2003-12-11 14:09 3,693,769 --a------ C:\Documents and Settings\Gianluca\PPE114.EXE
2008-05-12 19:12 . 2008-05-12 19:12 <DIR> dr------- C:\Documents and Settings\Hollywood FX 5\Splines
2008-05-12 19:12 . 2008-05-12 19:12 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Plugins
2008-05-12 19:12 . 2008-05-12 19:12 <DIR> d-a------ C:\Documents and Settings\Hollywood FX 5\Orgs
2008-05-12 19:12 . 2008-05-12 19:30 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Objects
2008-05-12 19:12 . 2008-05-12 19:30 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Languages
2008-05-12 19:12 . 2008-05-12 19:13 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Images
2008-05-12 19:12 . 2008-05-12 19:30 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Host Plugins
2008-05-12 19:12 . 2008-05-12 19:12 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Envelopes
2008-05-12 19:12 . 2008-05-12 19:13 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Effects
2008-05-12 19:11 . 2008-05-12 19:30 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5
2008-05-12 19:11 . 2008-05-12 19:11 <DIR> d-------- C:\Documents and Settings\Gianluca\Temp
2008-05-12 19:11 . 2008-05-12 20:18 <DIR> d-------- C:\Documents and Settings\Gianluca\OEM
2008-05-12 19:11 . 2008-05-12 19:11 <DIR> d-------- C:\Documents and Settings\Gianluca\Menus 16x9
2008-05-12 19:11 . 2008-05-12 19:11 <DIR> d-------- C:\Documents and Settings\Gianluca\Menus
2008-05-12 19:11 . 2008-05-15 22:26 <DIR> d-------- C:\Documents and Settings\Gianluca\Buttons
2008-05-12 19:11 . 2008-05-15 22:26 <DIR> d-------- C:\Documents and Settings\Gianluca\Backgrounds 16x9
2008-05-12 19:11 . 2008-05-15 22:26 <DIR> d-------- C:\Documents and Settings\Gianluca\Backgrounds
2008-05-12 19:10 . 2008-05-12 19:52 <DIR> d-------- C:\Documents and Settings\Gianluca\Textures
2008-05-12 19:10 . 2008-05-19 14:21 <DIR> d-------- C:\Documents and Settings\Gianluca\programs
2008-05-12 19:10 . 2008-05-12 19:52 <DIR> d-------- C:\Documents and Settings\Gianluca\Plugins
2008-05-12 19:06 . 2008-05-12 19:06 <DIR> d-------- C:\Programmi\Pinnacle Systems
2008-05-11 21:53 . 2008-05-11 21:53 <DIR> d-------- C:\Programmi\File comuni\Synacast
2008-05-10 18:27 . 2008-05-12 18:40 <DIR> d-------- C:\Programmi\Pinnacle
2008-05-10 09:40 . 2008-05-10 09:40 10 --a------ C:\WINDOWS\popcinfo.dat
2008-05-10 08:39 . 2008-05-10 09:40 14 --a------ C:\WINDOWS\popcinfot.dat
2008-05-10 08:39 . 2008-05-10 08:39 0 --a------ C:\WINDOWS\popcreg.dat
2008-05-09 14:01 . 2008-05-09 14:01 275,968 --a------ C:\WINDOWS\system32\urqrqPgG.dll
2008-04-26 17:14 . 2008-04-26 17:14 <DIR> d-------- C:\Programmi\Red Kawa
2008-04-22 18:30 . 2008-04-22 18:30 <DIR> d-------- C:\ConvertTemp
2008-04-22 18:26 . 2008-04-22 19:35 1,602 --a------ C:\Documents and Settings\Gianluca\Dati applicazioni\filterclsid.dat
2008-04-22 16:59 . 2008-04-22 16:58 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-04-22 13:20 . 2008-04-22 13:20 <DIR> d-------- C:\Programmi\ModelliFiscali
2008-04-22 13:20 . 2008-04-24 19:07 1,883 --a------ C:\Tol2008.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 13:25 --------- d-----w C:\Programmi\Coolstreaming_Tool-Bar_v1.0
2008-05-19 12:21 --------- d-----w C:\Programmi\AdunanzA
2008-05-18 21:56 --------- d-----w C:\Programmi\Google
2008-05-13 12:42 98,272 ----a-w C:\Documents and Settings\Gianluca\Dati applicazioni\GDIPFONTCACHEV1.DAT
2008-05-12 18:05 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Pinnacle
2008-05-12 17:54 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-05-12 16:55 --------- d-----w C:\Programmi\IHMC CmapTools
2008-05-11 19:54 --------- d-----w C:\Documents and Settings\Gianluca\Dati applicazioni\PPStream
2008-05-11 19:48 --------- d-----w C:\Programmi\Mediacenter 1.0 Coolstreaming
2008-05-11 19:47 --------- d-----w C:\Programmi\Drawing for Children
2008-05-09 09:28 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Bluetooth
2008-05-09 09:27 --------- d-----w C:\Documents and Settings\Gianluca\Dati applicazioni\Lavasoft
2008-05-06 14:20 --------- d-----w C:\Programmi\MSN Messenger
2008-05-06 14:20 --------- d-----w C:\Programmi\Messenger Plus! Live
2008-04-13 16:44 --------- d-----w C:\Documents and Settings\Gianluca\Dati applicazioni\Ahead
2008-04-13 16:39 --------- d-----w C:\Programmi\Ahead
2008-04-13 16:32 --------- d-----w C:\Programmi\File comuni\Ahead
2008-04-03 07:25 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\InterAction studios
2008-03-28 10:10 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\HPSSUPPLY
2008-03-27 16:58 --------- d-----w C:\Documents and Settings\Gianluca\Dati applicazioni\CoSoSys
2008-03-25 21:09 --------- d-----w C:\Programmi\Java
2008-03-19 16:26 --------- dcsh--w C:\Programmi\File comuni\WindowsLiveInstaller
2008-03-19 16:26 --------- d-----w C:\Programmi\Windows Live
2008-03-19 16:25 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
2008-03-12 16:56 74,752 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-12 16:56 253,952 ------w C:\WINDOWS\Setup1.exe
2008-03-09 17:57 733,696 ----a-w C:\WINDOWS\GPInstall.exe
2004-12-01 11:20 90,112 ----a-w C:\Documents and Settings\Hollywood FX 5\Easy_FX.exe
2004-12-01 11:20 135,168 ----a-w C:\Documents and Settings\Hollywood FX 5\InstallHFZ.exe
2004-12-01 11:19 2,322,432 ----a-w C:\Documents and Settings\Hollywood FX 5\HfxGUI55.dll
2004-12-01 11:18 1,105,920 ----a-w C:\Documents and Settings\Hollywood FX 5\HfxClasses55.dll
2004-11-09 12:47 73,728 ----a-w C:\Documents and Settings\Hollywood FX 5\HfxSerial.exe
2004-09-24 07:53 245,408 ----a-w C:\Documents and Settings\Hollywood FX 5\unicows.dll
2003-11-03 08:13 352,085 ----a-w C:\Documents and Settings\Hollywood FX 5\UNhfx5studio.exe
2003-11-03 08:13 351,902 ----a-w C:\Documents and Settings\Hollywood FX 5\UNhfx5edition.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F77F148-6DC6-47DB-8782-F25649D16686}]
2008-05-09 14:01 275968 --a------ C:\WINDOWS\system32\urqrqPgG.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.I420"= vdrcodec.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\AdunanzA\\eMule_AdnzA.exe"=
"C:\\Programmi\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Programmi\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Programmi\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Programmi\\IncrediMail\\bin\\ImLc.exe"=
"C:\\Programmi\\Internet Explorer\\iexplore.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\explorer.exe"=
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-06-05 09:04]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-06-12 09:47]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-19 19:09:42
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Programmi\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Programmi\Eset\nod32krn.exe
.
**************************************************************************
.
Ora fine scansione: 2008-05-19 19:17:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-19 17:16:44
17 Directory 44,646,637,568 byte disponibili
20 Directory 44,698,656,768 byte disponibili
166 --- E O F --- 2008-05-17 02:03:26
bdoriano (Administrator)
Registered: 02/04/07 12:05 | Posts: 14391 | Location: 3rd planet of the solar system...
Posted: 19 May 2008 22:03
- Create a text file with the following instructions:
Code:
File::
C:\WINDOWS\system32\urqrqPgG.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F77F148-6DC6-47DB-8782-F25649D16686}]
Save the file on the desktop with the name CFScript.txt and drag it onto the ComboFix icon, as shown below:
Wait patiently for the job to finish without touching the keyboard, mouse or anything else.
Post the updated ComboFix log.
Redo the scan with Norman Malware Cleaner, again from safe mode.
Run this scan with VirIT.
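As an added example (not code from this thread, from ComboFix or from the helper), the following Python script reads the O2 BHO line from the HijackThis log and the "Browser Helper Objects" entry from the ComboFix log posted above, flags the unnamed random-name system32 DLL, and assembles a CFScript in the File::/Registry:: form used in this thread. The sample lines are copied from the logs in this thread (constructed input), the reversed-name .ini companions follow what ComboFix removed here (GgPqrqru.ini/.ini2), and only the two CFScript directives shown in the thread are assumed.

```python
import re

# Constructed sample input: lines copied from the HijackThis and ComboFix logs
# posted in this thread. Note that the BHO CLSID differs between the two logs.
HJT_SAMPLE = """\
O2 - BHO: (no name) - {94BFEDD3-A0D0-407D-8628-3EDCEDA9CA8A} - C:\\WINDOWS\\system32\\urqrqPgG.dll
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Programmi\\Eset\\nod32krn.exe
"""
COMBOFIX_SAMPLE = """\
[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{6F77F148-6DC6-47DB-8782-F25649D16686}]
2008-05-09 14:01 275968 --a------ C:\\WINDOWS\\system32\\urqrqPgG.dll
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [2004-08-19 15:39 15360]
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# HijackThis:  O2 - BHO: <name> - {CLSID} - <dll path>
HJT_O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.+)$")
# ComboFix registry section: the BHO key line, followed by one line describing the DLL.
CF_BHO_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(?P<clsid>" + CLSID + r")\]$")
CF_FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+ \S+ (?P<path>[A-Za-z]:\\.+)$")
# The Vundo DLL in this thread has an 8-letter random mixed-case name in system32.
RANDOM_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$", re.IGNORECASE)


def suspicious_bho_path(path):
    """True for a random 8-letter DLL living directly in system32 (the pattern seen here)."""
    folder, _, base = path.rpartition("\\")
    return folder.lower().endswith("\\system32") and bool(RANDOM_DLL_RE.match(base))


def hjt_suspicious_bhos(text):
    """Return (clsid, path) for every O2 line that has no name and a suspicious DLL path."""
    found = []
    for line in text.splitlines():
        m = HJT_O2_RE.match(line.strip())
        if m and m["name"].strip().lower() == "(no name)" and suspicious_bho_path(m["path"]):
            found.append((m["clsid"], m["path"]))
    return found


def combofix_suspicious_bhos(text):
    """Pair each ComboFix BHO key with the DLL line that follows it and filter as above."""
    found = []
    pending_clsid = None
    for line in text.splitlines():
        line = line.strip()
        km = CF_BHO_KEY_RE.match(line)
        if km:
            pending_clsid = km["clsid"]
            continue
        fm = CF_FILE_RE.match(line)
        if pending_clsid and fm and suspicious_bho_path(fm["path"]):
            found.append((pending_clsid, fm["path"]))
        pending_clsid = None
    return found


def companion_ini_files(dll_path):
    """ComboFix also deleted GgPqrqru.ini/.ini2: the DLL's base name reversed, in the same folder."""
    folder, _, base = dll_path.rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    return [f"{folder}\\{stem[::-1]}.ini", f"{folder}\\{stem[::-1]}.ini2"]


def build_cfscript(hjt_text, combofix_text):
    """Assemble a CFScript (File:: and Registry:: sections, as used in this thread) from both logs."""
    bhos = hjt_suspicious_bhos(hjt_text) + combofix_suspicious_bhos(combofix_text)
    files, keys = [], []
    for clsid, path in bhos:
        for p in [path] + companion_ini_files(path):
            if p not in files:
                files.append(p)
        # The two logs show different CLSIDs for the same DLL, so every CLSID seen is listed;
        # a key that no longer exists is simply not found when the script runs.
        key = f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{clsid}]"
        if key not in keys:
            keys.append(key)
    if not files:
        return ""
    return "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(keys) + "\n"


if __name__ == "__main__":
    print(build_cfscript(HJT_SAMPLE, COMBOFIX_SAMPLE), end="")
```

The generated text is what would be saved as CFScript.txt in the step above; compare it against the logs by eye before using it, since a legitimate unnamed BHO would also match the name pattern.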
Viperone Mortale (pio)
Registered: 19/05/08 11:01 | Posts: 17
Posted: 20 May 2008 08:47
Here we are.... So, scanned with VirIT: zero infected files; with Norman Malware Cleaner: zero. And this is the ComboFix log:
ComboFix 08-05-15.3 - Gianluca 2008-05-20 8.34.30.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.673 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Gianluca\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gianluca\Desktop\cfscript.txt
* Creato nuovo punto di ripristino
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\urqrqPgG.dll
.
((((((((((((((((((((((((( Files Creati Da 2008-04-20 al 2008-05-20 )))))))))))))))))))))))))))))))))))
.
2008-05-20 00:17 . 2008-05-20 00:24 <DIR> d-------- C:\VEXPLITE
2008-05-20 00:17 . 2008-03-17 19:23 39,808 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2008-05-19 00:29 . 2008-05-19 10:13 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-05-18 23:40 . 2008-05-18 23:40 <DIR> d-------- C:\Programmi\Trend Micro
2008-05-18 19:57 . 2008-05-19 10:17 <DIR> d-------- C:\Programmi\Enigma Software Group
2008-05-17 04:03 . 2008-05-17 04:03 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-16 14:05 . 2008-05-16 14:05 <DIR> d-------- C:\VundoFix Backups
2008-05-16 12:44 . 2008-05-19 23:50 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-16 12:44 . 2008-05-16 12:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-12 20:17 . 2008-05-12 20:18 <DIR> d-------- C:\Programmi\DivX
2008-05-12 19:53 . 2008-05-12 19:53 <DIR> d-------- C:\WINDOWS\system32\Quicktime
2008-05-12 19:53 . 2008-05-12 19:53 <DIR> d-------- C:\Programmi\SmartSound Software
2008-05-12 19:53 . 2008-05-14 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\SmartSound Software Inc
2008-05-12 19:28 . 2001-09-28 18:00 164,864 --a------ C:\Documents and Settings\Gianluca\UNWISE.EXE
2008-05-12 19:27 . 2004-08-06 14:10 121,504 --a------ C:\Documents and Settings\Gianluca\UninstallPatchesAndApp.exe
2008-05-12 19:17 . 2004-02-04 18:22 10,999,074 --------- C:\Documents and Settings\Gianluca\hfbm0107.zip
2008-05-12 19:15 . 2008-05-12 19:15 <DIR> d-------- C:\Documents and Settings\Gianluca\Titles 16x9
2008-05-12 19:15 . 2008-05-12 19:15 <DIR> d-------- C:\Documents and Settings\Gianluca\Titles
2008-05-12 19:14 . 2008-05-12 19:14 <DIR> d-------- C:\Documents and Settings\Gianluca\Support
2008-05-12 19:14 . 2008-05-13 12:09 <DIR> d-------- C:\Documents and Settings\Gianluca\Sound Effects
2008-05-12 19:14 . 2008-05-12 19:14 <DIR> d-------- C:\Documents and Settings\Gianluca\GuidedTour
2008-05-12 19:14 . 2008-05-15 22:26 <DIR> d-------- C:\Documents and Settings\Gianluca\Alpha Magic
2008-05-12 19:14 . 2004-04-07 10:49 49,152 --a------ C:\Documents and Settings\Gianluca\LaunchList.exe
2008-05-12 19:14 . 2003-12-22 23:16 27,648 --a------ C:\Documents and Settings\Gianluca\PopUpMsg.exe
2008-05-12 19:13 . 2008-05-12 19:13 <DIR> dr------- C:\Documents and Settings\Hollywood FX 5\Lightwave Content
2008-05-12 19:13 . 2008-05-12 19:13 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Album
2008-05-12 19:13 . 2008-05-12 19:13 <DIR> d-------- C:\Documents and Settings\Gianluca\WmProfiles
2008-05-12 19:13 . 2008-05-12 19:13 <DIR> d-------- C:\Documents and Settings\Gianluca\InstantInfo
2008-05-12 19:13 . 2008-05-12 19:13 <DIR> d-------- C:\Documents and Settings\Gianluca\bin
2008-05-12 19:13 . 2003-12-11 14:09 3,693,769 --a------ C:\Documents and Settings\Gianluca\PPE114.EXE
2008-05-12 19:12 . 2008-05-12 19:12 <DIR> dr------- C:\Documents and Settings\Hollywood FX 5\Splines
2008-05-12 19:12 . 2008-05-12 19:12 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Plugins
2008-05-12 19:12 . 2008-05-12 19:12 <DIR> d-a------ C:\Documents and Settings\Hollywood FX 5\Orgs
2008-05-12 19:12 . 2008-05-12 19:30 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Objects
2008-05-12 19:12 . 2008-05-12 19:30 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Languages
2008-05-12 19:12 . 2008-05-12 19:13 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Images
2008-05-12 19:12 . 2008-05-12 19:30 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Host Plugins
2008-05-12 19:12 . 2008-05-12 19:12 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Envelopes
2008-05-12 19:12 . 2008-05-12 19:13 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5\Effects
2008-05-12 19:11 . 2008-05-12 19:30 <DIR> d-------- C:\Documents and Settings\Hollywood FX 5
2008-05-12 19:11 . 2008-05-12 19:11 <DIR> d-------- C:\Documents and Settings\Gianluca\Temp
2008-05-12 19:11 . 2008-05-12 20:18 <DIR> d-------- C:\Documents and Settings\Gianluca\OEM
2008-05-12 19:11 . 2008-05-12 19:11 <DIR> d-------- C:\Documents and Settings\Gianluca\Menus 16x9
2008-05-12 19:11 . 2008-05-12 19:11 <DIR> d-------- C:\Documents and Settings\Gianluca\Menus
2008-05-12 19:11 . 2008-05-15 22:26 <DIR> d-------- C:\Documents and Settings\Gianluca\Buttons
2008-05-12 19:11 . 2008-05-15 22:26 <DIR> d-------- C:\Documents and Settings\Gianluca\Backgrounds 16x9
2008-05-12 19:11 . 2008-05-15 22:26 <DIR> d-------- C:\Documents and Settings\Gianluca\Backgrounds
2008-05-12 19:10 . 2008-05-12 19:52 <DIR> d-------- C:\Documents and Settings\Gianluca\Textures
2008-05-12 19:10 . 2008-05-19 14:21 <DIR> d-------- C:\Documents and Settings\Gianluca\programs
2008-05-12 19:10 . 2008-05-12 19:52 <DIR> d-------- C:\Documents and Settings\Gianluca\Plugins
2008-05-12 19:06 . 2008-05-12 19:06 <DIR> d-------- C:\Programmi\Pinnacle Systems
2008-05-11 21:53 . 2008-05-11 21:53 <DIR> d-------- C:\Programmi\File comuni\Synacast
2008-05-10 18:27 . 2008-05-12 18:40 <DIR> d-------- C:\Programmi\Pinnacle
2008-05-10 09:40 . 2008-05-10 09:40 10 --a------ C:\WINDOWS\popcinfo.dat
2008-05-10 08:39 . 2008-05-10 09:40 14 --a------ C:\WINDOWS\popcinfot.dat
2008-05-10 08:39 . 2008-05-10 08:39 0 --a------ C:\WINDOWS\popcreg.dat
2008-04-26 17:14 . 2008-04-26 17:14 <DIR> d-------- C:\Programmi\Red Kawa
2008-04-22 18:30 . 2008-04-22 18:30 <DIR> d-------- C:\ConvertTemp
2008-04-22 18:26 . 2008-04-22 19:35 1,602 --a------ C:\Documents and Settings\Gianluca\Dati applicazioni\filterclsid.dat
2008-04-22 16:59 . 2008-04-22 16:58 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-04-22 13:20 . 2008-04-22 13:20 <DIR> d-------- C:\Programmi\ModelliFiscali
2008-04-22 13:20 . 2008-04-24 19:07 1,883 --a------ C:\Tol2008.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 13:25 --------- d-----w C:\Programmi\Coolstreaming_Tool-Bar_v1.0
2008-05-19 12:21 --------- d-----w C:\Programmi\AdunanzA
2008-05-18 21:56 --------- d-----w C:\Programmi\Google
2008-05-13 12:42 98,272 ----a-w C:\Documents and Settings\Gianluca\Dati applicazioni\GDIPFONTCACHEV1.DAT
2008-05-12 18:05 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Pinnacle
2008-05-12 17:54 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-05-12 16:55 --------- d-----w C:\Programmi\IHMC CmapTools
2008-05-11 19:54 --------- d-----w C:\Documents and Settings\Gianluca\Dati applicazioni\PPStream
2008-05-11 19:48 --------- d-----w C:\Programmi\Mediacenter 1.0 Coolstreaming
2008-05-11 19:47 --------- d-----w C:\Programmi\Drawing for Children
2008-05-09 09:28 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Bluetooth
2008-05-09 09:27 --------- d-----w C:\Documents and Settings\Gianluca\Dati applicazioni\Lavasoft
2008-05-06 14:20 --------- d-----w C:\Programmi\MSN Messenger
2008-05-06 14:20 --------- d-----w C:\Programmi\Messenger Plus! Live
2008-04-14 02:14 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
2008-04-13 16:44 --------- d-----w C:\Documents and Settings\Gianluca\Dati applicazioni\Ahead
2008-04-13 16:39 --------- d-----w C:\Programmi\Ahead
2008-04-13 16:32 --------- d-----w C:\Programmi\File comuni\Ahead
2008-04-03 16:05 172,544 ----a-w C:\WINDOWS\system32\cncs32.dll
2008-04-03 07:25 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\InterAction studios
2008-03-28 10:10 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\HPSSUPPLY
2008-03-27 16:58 --------- d-----w C:\Documents and Settings\Gianluca\Dati applicazioni\CoSoSys
2008-03-25 21:09 --------- d-----w C:\Programmi\Java
2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-20 08:06 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 16:56 74,752 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-12 16:56 253,952 ------w C:\WINDOWS\Setup1.exe
2008-03-09 17:57 733,696 ----a-w C:\WINDOWS\GPInstall.exe
2008-03-01 12:58 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2004-12-01 11:20 90,112 ----a-w C:\Documents and Settings\Hollywood FX 5\Easy_FX.exe
2004-12-01 11:20 135,168 ----a-w C:\Documents and Settings\Hollywood FX 5\InstallHFZ.exe
2004-12-01 11:19 2,322,432 ----a-w C:\Documents and Settings\Hollywood FX 5\HfxGUI55.dll
2004-12-01 11:18 1,105,920 ----a-w C:\Documents and Settings\Hollywood FX 5\HfxClasses55.dll
2004-11-09 12:47 73,728 ----a-w C:\Documents and Settings\Hollywood FX 5\HfxSerial.exe
2004-09-24 07:53 245,408 ----a-w C:\Documents and Settings\Hollywood FX 5\unicows.dll
2003-11-03 08:13 352,085 ----a-w C:\Documents and Settings\Hollywood FX 5\UNhfx5studio.exe
2003-11-03 08:13 351,902 ----a-w C:\Documents and Settings\Hollywood FX 5\UNhfx5edition.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-20_ 0.01.00,10 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 17:35:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 05:06:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-05-15 14:24 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg21.dll
"VIDC.PIM1"= pclepim1.dll
"VIDC.I420"= vdrcodec.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\AdunanzA\\eMule_AdnzA.exe"=
"C:\\Programmi\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Programmi\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Programmi\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Programmi\\IncrediMail\\bin\\ImLc.exe"=
"C:\\Programmi\\Internet Explorer\\iexplore.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\explorer.exe"=
R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2008-03-17 19:23]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2008-05-20 00:20]
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2003-06-05 09:04]
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2003-06-12 09:47]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 08:37:02
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Programmi\Eset\pr_imon.dll
.
Ora fine scansione: 2008-05-20 8.38.38
ComboFix-quarantined-files.txt 2008-05-20 06:38:28
ComboFix2.txt 2008-05-19 22:01:29
ComboFix3.txt 2008-05-19 17:31:54
ComboFix4.txt 2008-05-19 17:17:49
18 Directory 44,444,532,736 byte disponibili
20 Directory 44,531,376,128 byte disponibili
174 --- E O F --- 2008-05-19 17:43:38
bdoriano (Administrator)
Registered: 02/04/07 12:05 | Posts: 14391 | Location: 3rd planet of the solar system...
Posted: 20 May 2008 09:17
OK, you should be fine.
To be safe, post an updated (and complete) HijackThis log.
Viperone Mortale (pio)
Registered: 19/05/08 11:01 | Posts: 17
Posted: 20 May 2008 09:20
Here it is.... fingers crossed
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9.19.06, on 20/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Eset\nod32kui.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\VEXPLITE\viritsvc.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tgcom.mediaset.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servizio iPod (iPod Service) - Unknown owner - C:\Programmi\iPod\bin\iPodService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
--
End of file - 2108 bytes
Viperone Mortale (pio)
Registered: 19/05/08 11:01 | Posts: 17
Posted: 20 May 2008 12:44
OK, infinite thanks, you've been an enormous help.
Thanks to you and to all those who, like you, put their effort into these things!
T H A N K S  T H A N K S  T H A N K S
10 100 1000 times THANKS!!!
I forgot: T H A N K S