rjyefdsq.dll in system32

**torejx** · 23-12-2007, 01:50

preso da una momentanea mania di sicurezza ho scansionato il pc con ogni software possibile...nel log di hijackThis (che nella mia ignoranza trovo pulito) mi ha incuriosito la riga in grassetto per la quale neanche google ha saputo illuminarmi...di cosa si tratta? dovrei fixarla?
Grazie

Logfile of HijackThis v1.99.1
Scan saved at 0.37.10, on 23/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Programmi\Wireless Console 2\wcourier.exe
C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\Programmi\Last.fm\LastFMHelper.exe
C:\WINDOWS\ATKKBService.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\uTorrent\uTorrent.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\Salvatore\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Programmi\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe "
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Programmi\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [bc594cbe] rundll32.exe "C:\WINDOWS\system32\rjyefdsq.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Programmi\Last.fm\LastFMHelper.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\bin\apache\apache2.2.6\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe

**torejx** · 23-12-2007, 07:43

su virustotal mi dice che il file è infetto e si tratto di vundo/virtumode (che in effetti ho rilevato con spybot).... spero di riuscire a toglierlo senza troppi smanettamenti...

**OYS** · 23-12-2007, 12:45

Si, infatti è da fixare. Utilizza:

http://securityresponse.symantec.com...r/FxVMonde.exe

**torejx** · 23-12-2007, 22:39

Originariamente inviato da OYS
Si, infatti è da fixare. Utilizza:

http://securityresponse.symantec.com...r/FxVMonde.exe

non mi trova nulla...
cmq tra varie scansioni con vari software credo di averlo eliminato...solo spybot me lo segnala ancora nella chiave di registro HKEY/local_machine/software/microsoft/mssmgr...
la chiave si ricrea poco dopo essere stata eliminata...come posso fare?

**softn** · 23-12-2007, 23:48

Prova a fare girare questi due tool:

http://www.atribune.org/ccount/click.php?id=4

http://secured2k.home.comcast.net/to...undoBeGone.exe

e postane i relativi log

**AMD64** · 24-12-2007, 00:36

Originariamente inviato da softn
Prova a fare girare questi due tool:

http://www.atribune.org/ccount/click.php?id=4

http://secured2k.home.comcast.net/to...undoBeGone.exe

e postane i relativi log

Infatti sono gli unici efficaci a rimuovere le infezione virtunmonde.

**torejx** · 24-12-2007, 01:00

Originariamente inviato da AMD64
Infatti sono gli unici efficaci a rimuovere le infezione virtunmonde.

ah si? bene perchè gli altri che ho provato non hanno risolto nulla...
VundoFix ha trovato qualcosa e da circa 5 minuti sta cercando di rimuovere il Vundo.

VundoFix V6.7.7

Checking Java version...

Sun Java not detected
Scan started at 23.35.09 23/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\akvxocbw.dll
C:\WINDOWS\system32\gyupckvt.dll
C:\WINDOWS\system32\lkxeebyx.dll
C:\WINDOWS\system32\rqrrqnn.dll
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\winker32.dll
C:\WINDOWS\system32\xybeexkl.ini

Beginning removal...

edit:aggiungo la parte del log relativa alla rimozione

Beginning removal...

Attempting to delete C:\WINDOWS\system32\akvxocbw.dll
C:\WINDOWS\system32\akvxocbw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gyupckvt.dll
C:\WINDOWS\system32\gyupckvt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lkxeebyx.dll
C:\WINDOWS\system32\lkxeebyx.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rqrrqnn.dll
C:\WINDOWS\system32\rqrrqnn.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\srqss.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\ssqrs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\winker32.dll
C:\WINDOWS\system32\winker32.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xybeexkl.ini
C:\WINDOWS\system32\xybeexkl.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

**AMD64** · 24-12-2007, 01:20

dovresti stare a posto.

**torejx** · 24-12-2007, 01:23

Originariamente inviato da AMD64
dovresti stare a posto.

dopo il riavvio per scrupolo ho provato a rifare la scansione e mi trova altri file infetti...boh...
ora provo con VirtuMundo

**AMD64** · 24-12-2007, 01:25

Se non dice nulla,allora vundofix ha eliminato tutto e spybot ha preso un falso allarme,mentre invece se rileva altro allora vundofix non ha fatto effetto.

Discussione: rjyefdsq.dll in system32

Strumenti discussione

Ricerca discussione

Visualizza

rjyefdsq.dll in system32

Permessi di invio