  1. #1
    HTML.it user
    Registered: Jul 2007
    Posts: 9

    PC destroyed by a W32 attack, a thousand formats and a hard-drive swap

    Hello.
    Slow connection, presence of the files lsass.exe, services.exe, winlog.exe, csrss.exe, smss.exe. The PC sometimes freezes, making every icon or menu unusable.
    AVG detects but does not remove, and the same goes for VirIT.
    At the last scan, 11 infected files were removed.

    HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 1.10.15, on 10/07/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\svshost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Winamp\winampa.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Documents and Settings\om3ga\Impostazioni locali\Temp\Directory temporanea 1 per hijackthis_199.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\System32\qomlmkk.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [GSICONEXE] $$
    O4 - HKLM\..\Run: [DSLAGENTEXE] $$
    O4 - HKLM\..\Run: [AVG7_CC] $$
    O4 - HKLM\..\Run: [GSICON.EXE] $$
    O4 - HKLM\..\Run: [dslagent.exe USB] $$
    O4 - HKLM\..\Run: [$$] $$
    O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{128F6032-9F07-4B17-90E6-001116776E34}: NameServer = 193.12.150.2 212.247.152.2
    O20 - Winlogon Notify: qomlmkk - C:\WINDOWS\SYSTEM32\qomlmkk.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Security Restore Services - Unknown owner - C:\WINDOWS\system32\svshost.exe



    VirIT log, safe mode

    VirIT eXplorer Lite Log

    [SCANSIONE DELLA MEMORIA]
    OK
    [SCANSIONE DELLA MEMORIA]
    OK
    --------------------------------------------------------
    10/07/2007 - 01:15:25
    [SCANSIONE DEL REGISTRO]
    OK
    [A:]
    BOOT SECTOR: OK
    [C:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK
    C:\Programmi\File comuni\System\MSASP32.exe Infetto da Backdoor.SdBot.QB
    * * * RIMOSSO * * *
    C:\WINDOWS\system32\scrcons32.exe Infetto da Backdoor.RBot.XY
    * * * RIMOSSO * * *
    [D:]








    Normal VirIT scan

    VirIT eXplorer Lite Log

    [SCANSIONE DELLA MEMORIA]
    OK
    [SCANSIONE DELLA MEMORIA]
    OK
    --------------------------------------------------------
    10/07/2007 - 01:15:25
    [SCANSIONE DEL REGISTRO]
    OK
    [A:]
    BOOT SECTOR: OK
    [C:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK
    C:\Programmi\File comuni\System\MSASP32.exe Infetto da Backdoor.SdBot.QB
    * * * RIMOSSO * * *
    C:\WINDOWS\system32\scrcons32.exe Infetto da Backdoor.RBot.XY
    * * * RIMOSSO * * *
    [D:]
    [E:]
    Chiavi Registro infette: 0.
    Files Infetti: 2.
    Files Sospetti: 0.
    Files Analizzati: 15649.
    Files Totali: 15649.
    Chiavi Registro rimosse: 0.
    Virus Rimossi: 2.

    [SCANSIONE DELLA MEMORIA]
    OK
    --------------------------------------------------------
    10/07/2007 - 01:24:43
    [SCANSIONE DEL REGISTRO]
    OK
    [A:]
    BOOT SECTOR: OK
    [C:]
    MASTER BOOT RECORD: OK
    BOOT SECTOR: OK
    [D:]
    [E:]
    Chiavi Registro infette: 0.
    Files Infetti: 0.
    Files Sospetti: 0.
    Files Analizzati: 10093.
    Files Totali: 10093.
    Chiavi Registro rimosse: 0.
    Virus Rimossi: 0.





    HijackThis scan after VirIT, in normal mode

    Logfile of HijackThis v1.99.1
    Scan saved at 1.29.20, on 10/07/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\svshost.exe
    C:\VEXPLITE\viritsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Winamp\winampa.exe
    C:\VEXPLITE\MONLITE.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\Messenger\msmsgs.exe
    C:\Programmi\Windows NT\Accessori\WORDPAD.EXE
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Documents and Settings\om3ga\Impostazioni locali\Temp\Directory temporanea 2 per hijackthis_199.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\System32\qomlmkk.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [GSICONEXE] $$
    O4 - HKLM\..\Run: [DSLAGENTEXE] $$
    O4 - HKLM\..\Run: [AVG7_CC] $$
    O4 - HKLM\..\Run: [GSICON.EXE] $$
    O4 - HKLM\..\Run: [dslagent.exe USB] $$
    O4 - HKLM\..\Run: [$$] $$
    O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
    O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: ġ˙˙˙ -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{128F6032-9F07-4B17-90E6-001116776E34}: NameServer = 193.12.150.2 212.247.152.2
    O20 - Winlogon Notify: qomlmkk - C:\WINDOWS\SYSTEM32\qomlmkk.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Security Restore Services - Unknown owner - C:\WINDOWS\system32\svshost.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe




    Help pls
    Help!!!

    Patrizio

  2. #2
    Hi, start HijackThis and tick the boxes on the left next to these entries:
    O23 - Service: Security Restore Services - Unknown owner - C:\WINDOWS\system32\svshost.exe
    O16 - DPF: ġ˙˙˙ -
    O4 - HKLM\..\Run: [$$] $$
    then click Fix checked at the bottom.
    Then download The Avenger --- http://swandog46.geekstogo.com/avenger.zip

    Now extract and run Avenger.exe

    Disable antivirus, firewall and any HIPS modules

    Select the option "Input Script Manually"
    Click the magnifying glass

    A "View/edit script" window opens
    Inside the white box, copy and paste the following:

    files to delete:
    C:\WINDOWS\system32\svshost

    After that click Done, then Yes twice, reboot the PC and post the Avenger log, found in c:\avenger.txt, together with a new HijackThis log. You should be clean.

  3. #3
    HTML.it user
    Registered: Jul 2007
    Posts: 9
    OK, fixed with HijackThis.
    But as for Avenger, when I enter the script, the window just closes on me without doing anything else.
    I don't have to press Yes anywhere.
    The program's initial tool simply comes back up.

    Here is another HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 14.53.37, on 10/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\VEXPLITE\viritsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Winamp\winampa.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\DOCUME~1\om3ga\IMPOST~1\Temp\Directory temporanea 12 per hijackthis_199.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O4 - HKLM\..\Run: [GSICONEXE] $$
    O4 - HKLM\..\Run: [DSLAGENTEXE] $$
    O4 - HKLM\..\Run: [AVG7_CC] $$
    O4 - HKLM\..\Run: [GSICON.EXE] $$
    O4 - HKLM\..\Run: [dslagent.exe USB] $$
    O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
    O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1184026569262
    O17 - HKLM\System\CCS\Services\Tcpip\..\{128F6032-9F07-4B17-90E6-001116776E34}: NameServer = 193.12.150.2 212.247.152.2
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

  4. #4
    HTML.it user
    Registered: Jul 2007
    Posts: 9
    This is the latest log, because after the previous one VirIT removed a dialer.


    Logfile of HijackThis v1.99.1
    Scan saved at 15.15.09, on 10/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\windows\system32\services.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\VEXPLITE\viritsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Winamp\winampa.exe
    C:\VEXPLITE\MONLITE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\VEXPLITE\VIRITEXP.EXE
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\DOCUME~1\om3ga\IMPOST~1\Temp\Directory temporanea 17 per hijackthis_199.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O4 - HKLM\..\Run: [GSICONEXE] $$
    O4 - HKLM\..\Run: [DSLAGENTEXE] $$
    O4 - HKLM\..\Run: [AVG7_CC] $$
    O4 - HKLM\..\Run: [GSICON.EXE] $$
    O4 - HKLM\..\Run: [dslagent.exe USB] $$
    O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
    O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKLM\..\Run: [nxmeaa.exe] C:\WINDOWS\TEMP\nxmeaa.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1184026569262
    O17 - HKLM\System\CCS\Services\Tcpip\..\{128F6032-9F07-4B17-90E6-001116776E34}: NameServer = 193.12.150.2 212.247.152.2
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

  5. #5
    Moderator, Computer security and viruses: amvinfe
    Registered: May 2002
    Posts: 6,739
    Download
    http://www.suspectfile.com/systemscan
    Open it and make sure all the options are ticked, then click "Scan Now"; when the scan finishes, a .zip file (date+time+.zip) is written to C:\suspectfile.
    Go to www.sendmefile.com, upload the file and in your next reply post the URL to download it.
    ==
    Visit my blog SuspectFile.com
    ==

  6. #6
    HTML.it user
    Registered: Jul 2007
    Posts: 9
    http://www.sendmefile.com/00554202

    This is the link, and this is an updated HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 15.44.38, on 10/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ATKKBService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\VEXPLITE\viritsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Winamp\winampa.exe
    C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Messenger\msmsgs.exe
    C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
    C:\Documents and Settings\om3ga\Impostazioni locali\Temporary Internet Files\Content.IE5\QFGB6929\sys50692[1].exe
    C:\DOCUME~1\om3ga\IMPOST~1\Temp\nss2.tmp\runme.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\DOCUME~1\om3ga\IMPOST~1\Temp\Directory temporanea 18 per hijackthis_199.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O4 - HKLM\..\Run: [GSICONEXE] $$
    O4 - HKLM\..\Run: [DSLAGENTEXE] $$
    O4 - HKLM\..\Run: [AVG7_CC] $$
    O4 - HKLM\..\Run: [GSICON.EXE] $$
    O4 - HKLM\..\Run: [dslagent.exe USB] $$
    O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
    O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKLM\..\Run: [nxmeaa.exe] C:\WINDOWS\TEMP\nxmeaa.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1184026569262
    O17 - HKLM\System\CCS\Services\Tcpip\..\{128F6032-9F07-4B17-90E6-001116776E34}: NameServer = 193.12.150.2 212.247.152.2
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

  7. #7
    Moderator, Computer security and viruses: amvinfe
    Registered: May 2002
    Posts: 6,739
    Virtumonde (Vundo) is definitely present, along with plenty of other junk.

    Create a new folder in C:\Programmi, name it TMSC, and put these two files inside it
    http://www.trendmicro.com/ftp/products/tsc/sysclean.com

    and

    http://www.trendmicro.com/ftp/produc...ern/lpt589.zip

    Unzip the archive lpt589.zip inside the folder

    Disconnect from the internet, disable AVG and VirIT.
    Run the sysclean.com file you will find in the TMSC folder; when the scan finishes, the file SYSCLEAN.LOG is written to the same folder.
    Reboot the PC, reconnect.
    Post the contents of the log
    ==
    Visit my blog SuspectFile.com
    ==

  8. #8
    HTML.it user
    Registered: Jul 2007
    Posts: 9
    Here it is



    /--------------------------------------------------------------\
    | Trend Micro System Cleaner |
    | Copyright 2006, Trend Micro, Inc. |
    | http://www.antivirus.com |
    \--------------------------------------------------------------/


    2007-07-10, 16:25:39, Auto-clean mode specified.
    2007-07-10, 16:25:39, Running scanner "C:\TMSC\TSC.BIN"...
    2007-07-10, 16:25:43, Scanner "C:\TMSC\TSC.BIN" has finished running.
    2007-07-10, 16:25:43, TSC Log:

    Damage Cleanup Engine (DCE) 5.3(Build 1103)
    Windows XP(Build 2600: Service Pack 2)

    Start time : mar lug 10 2007 16:25:39

    Load Damage Cleanup Template (DCT) "C:\TMSC\TMRDCT.ptn" (version ) [fail]
    Load Damage Cleanup Template (DCT) "C:\TMSC\tsc.ptn" (version 876) [success]

    Complete time : mar lug 10 2007 16:25:43
    Execute pattern count(2864), Virus found count(0), Virus clean count(0), Clean failed count(0)

    2007-07-10, 16:25:54, An error was detected on "C:\System Volume Information\*.*": Accesso negato.
    2007-07-10, 16:34:28, Files Detected:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 7/10/2007 16:26:01
    VSAPI Engine Version : 8.000-1001
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 589 (206839 Patterns) (2007/07/09) (458900)
    Command Line: C:\TMSC\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\TMSC

    C:\Documents and Settings\om3ga\Impostazioni locali\Temporary Internet Files\Content.IE5\K32TQ7IX\tw[1].ani [TROJ_ANICMOO.AX]
    C:\WINDOWS\system32\qomlmkk.dll [TROJ_VUNDO.AWA]
    C:\WINDOWS\system32\vtsqo.dll [Possible_Vundo-1]
    31399 files have been read.
    31399 files have been checked.
    30263 files have been scanned.
    37138 files have been scanned. (including files in archived)
    3 files containing viruses.
    Found 3 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 7/10/2007 16:34:28
    ---------*---------*---------*---------*---------*---------*---------*---------*
    2007-07-10, 16:34:28, Files Clean:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 7/10/2007 16:26:01
    VSAPI Engine Version : 8.000-1001
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 589 (206839 Patterns) (2007/07/09) (458900)
    Command Line: C:\TMSC\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\TMSC

    Success Clean [ TROJ_ANICMOO.AX]( 1) from C:\Documents and Settings\om3ga\Impostazioni locali\Temporary Internet Files\Content.IE5\K32TQ7IX\tw[1].ani
    Can not Clean [Possible_Vundo-1]( 1) from C:\WINDOWS\system32\vtsqo.dll
    31399 files have been read.
    31399 files have been checked.
    30263 files have been scanned.
    37138 files have been scanned. (including files in archived)
    3 files containing viruses.
    Found 3 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 7/10/2007 16:34:28 8 minutes 27 seconds (506.33 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2007-07-10, 16:34:28, Clean Fail:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 7/10/2007 16:26:01
    VSAPI Engine Version : 8.000-1001
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 589 (206839 Patterns) (2007/07/09) (458900)
    Command Line: C:\TMSC\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\TMSC

    Can not Clean [Possible_Vundo-1]( 1) from C:\WINDOWS\system32\vtsqo.dll
    31399 files have been read.
    31399 files have been checked.
    30263 files have been scanned.
    37138 files have been scanned. (including files in archived)
    3 files containing viruses.
    Found 3 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 7/10/2007 16:34:28 8 minutes 27 seconds (506.33 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2007-07-10, 16:34:28, Scanner "C:\TMSC\VSCANTM.BIN" has finished running.

  9. #9
    Hi, download VundoFix from here ---> www.atribune.org/ccount/click.php?id=4
    Click Scan for Vundo
    then Remove Vundo
    then click Yes
    The desktop will turn white, don't worry.
    Reboot the PC and post the log that is generated in c:/vundofix.txt

  10. #10
    Moderator, Computer security and viruses: amvinfe
    Registered: May 2002
    Posts: 6,739
    Download http://swandog46.geekstogo.com/avenger.zip

    Run the file avenger.exe
    Select the option "Input Script Manually"
    Click the magnifying glass

    The "View/edit script" window opens
    Inside the white box, copy and paste the following code


    Registry values to replace with dummy:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

    registry keys to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9747A09E-60D9-445A-B9FB-4F8AECB489F9}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC192567-65F9-4AB6-ADB7-E13575F81726}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{DC192567-65F9-4AB6-ADB7-E13575F81726}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\Kzckc

    registry values to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run|nxmeaa.exe

    Files to delete:
    C:\WINDOWS\System32\vtsqo.dll
    C:\WINDOWS\system32\qomlmkk.dll
    C:\WINDOWS\system32\svshost.exe
    C:\WINDOWS\system32\oqstv.bak1
    C:\WINDOWS\system32\oqstv.bak2
    C:\WINDOWS\system32\otytjays.ini
    C:\WINDOWS\system32\oqstv.ini
    C:\WINDOWS\temp\removalfile.bat
    C:\WINDOWS\TEMP\nxmeaa.exe
    C:\WINDOWS\sazopc.job
    Click the Done button
    Click the green traffic-light icon
    Answer Yes
    The PC should reboot on its own; otherwise reboot it manually

    Go to
    Start > Run, type regedit and click OK. Using the + signs, go to
    HKCR\CLSID, open the yellow CLSID folder, then find and delete {DC192567-65F9-4AB6-ADB7-E13575F81726}
    and
    {9747A09E-60D9-445A-B9FB-4F8AECB489F9}

    Close the registry editor

    Go to C:\ and post the contents of the log generated by Avenger

    Run a new scan with Systemscan and post the link to download the new report
    ==
    Visit my blog SuspectFile.com
    ==
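The checks the helpers in this thread make by eye on the HijackThis logs (a service running from svshost.exe with an unknown owner, the garbled O16 and O4 [$$] entries, an autorun launched from C:\WINDOWS\TEMP, the (no name) BHO and the Winlogon Notify DLL qomlmkk.dll), written up as an added Python triage script that is not part of the thread or of HijackThis itself. The list of legitimate system binaries, the finding labels and the SAMPLE_LOG excerpt are constructed for this example, and the lookalike check only catches one-character substitutions such as svshost/svchost.

```python
import re

# Windows binaries that malware imitates with a one-character change (svshost.exe
# posing as svchost.exe in the logs above). Constructed list for this example.
LEGIT_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe",
}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ITEM_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(.*?)\]\s*(.*)$")


def one_char_different(a, b):
    """True when a and b have the same length and differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def lookalike_of(path):
    """Return the legitimate binary that a path's basename imitates, or None."""
    name = path.strip().strip('"').rsplit("\\", 1)[-1].lower()
    if name in LEGIT_SYSTEM_BINARIES:
        return None
    return next((b for b in LEGIT_SYSTEM_BINARIES if one_char_different(name, b)), None)


def triage_hijackthis(log):
    """Return (reason, line) pairs for log entries that deserve a second look."""
    findings = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # a blank line ends the process list
                in_processes = False
                continue
            legit = lookalike_of(line)
            if legit:
                findings.append((f"process name imitates {legit}", line))
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "O23":                     # services: unknown owner, lookalike binary
            if "Unknown owner" in rest:
                findings.append(("service with unknown owner", line))
            legit = lookalike_of(rest.rsplit(" - ", 1)[-1])
            if legit:
                findings.append((f"service binary imitates {legit}", line))
        elif kind == "O4":                    # autoruns: garbled names, Temp launch paths
            run = RUN_RE.match(rest)
            if run and run.group(1) == "$$":
                findings.append(("Run entry with garbled name", line))
            elif run and re.search(r"\\temp\\", run.group(2), re.IGNORECASE):
                findings.append(("Run entry launches from a Temp directory", line))
        elif kind == "O16" and not GUID_RE.search(rest):
            findings.append(("DPF entry without a CLSID", line))
        elif kind == "O2" and "(no name)" in rest:
            findings.append(("BHO with no name", line))
        elif kind == "O20":                   # Winlogon Notify DLLs: the slot Vundo uses
            findings.append(("Winlogon Notify DLL, verify it", line))
    return findings


# Constructed excerpt of the HijackThis logs posted in this thread (not the full log).
SAMPLE_LOG = "\n".join([
    "Running processes:",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\svshost.exe",
    "",
    r"O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\System32\qomlmkk.dll",
    r"O4 - HKLM\..\Run: [AVG7_CC] $$",
    r"O4 - HKLM\..\Run: [$$] $$",
    r"O4 - HKLM\..\Run: [nxmeaa.exe] C:\WINDOWS\TEMP\nxmeaa.exe",
    "O16 - DPF: \u0121\u02d9\u02d9\u02d9 -",
    r"O20 - Winlogon Notify: qomlmkk - C:\WINDOWS\SYSTEM32\qomlmkk.dll",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe",
    r"O23 - Service: Security Restore Services - Unknown owner - C:\WINDOWS\system32\svshost.exe",
])
```

Calling `triage_hijackthis(SAMPLE_LOG)` returns eight findings; the AVG service and the `[AVG7_CC] $$` entry are left alone because a `$$` value alone says nothing about the entry.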
