Browser Dirottato Senza Via Di Ritorno!!!

[akab69]

Salve a tutti..
Ho un portatile nuovo da una settimana, e mi connetto ad internet tramite connessione wirless da un albergo..
Da ieri sera sto "combattendo" con un virus chiamato "Hijacking". In pratica la pagina di default che ho impostato all'avvio dell'explorer cioe' http://www.google.it viene ignorata e reindirizzata su un'altra url dove vendono antivirus e dove mi dice che il mio sistema è infettato.. E come se non bastasse, se, dopo aver caricato la home falsa scrivo la url http://www.google.it a mano e premo invio, il browser reindirizza di nuovo sulla pagina bastarda!! Ovviamente l'unico virus è proprio di loro proprieta' in quanto ti dirottano il browser con la speranza che tu faccia acquisti.. Il problema è che stanotte ci ho fatto le 4 e da questa mattina sono qui davanti a cercare di toglierlo dalle balle ma non ci riesco!!!! Ho seguito tutti i consigli del mod habanero, che riporta qui
http://forum.html.it/forum/showthrea...hreadid=811189
ma non sono riuscito neppure provando tutti i programmi indicati a togliere quella maledetta home page truffaldina, per ultimo ho scaricato anche hijackthis e ho seguito le istruzioni..
Qui di seguito c'è il log fornito a connessione disabilitata dal programma sul mio sistema Spero che possiate individuare cio' che va cancellato, dato che la mia conoscenza del settore non mi consente di arrivare a tanto...
Atendo fiducioso una vostra risposta.. E grazie a tutti
Fabrizio
-----------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 16.27.05, on 10/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Programmi\File comuni\Symantec Shared\ccProxy.exe
c:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Programmi\Norton Internet Security\ISSVC.exe
c:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
c:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ASWLSVC.exe
C:\WINDOWS\ATKKBService.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
c:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\iCodecPack\isamonitor.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\ASUS\ASUS Live Update\ALU.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Programmi\Wireless Console 2\wcourier.exe
C:\Programmi\ASUS\WLAN Card Utilities\Center.exe
C:\Programmi\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Asus\Asus ChkMail\ChkMail.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\marcellamaffei\Desktop\hijackthis\HijackT his.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Programmi\iCodecPack\isaddon.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - c:\Programmi\File comuni\Symantec

Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Programmi\Norton Internet

Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programmi\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\ASUSTeK\ASUSDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "c:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Wireless Console 2] C:\Programmi\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [Control Center] C:\Programmi\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Programmi\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) -

http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD1C6B29-8315-4779-9980-4EDAF82AAD8C}: NameServer = 151.99.125.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASWLSVC - Unknown owner - C:\WINDOWS\system32\ASWLSVC.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Programmi\File comuni\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Programmi\File comuni\Symantec

Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Programmi\File comuni\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Programmi\File comuni\Symantec

Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware

4.0\guard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Programmi\Norton Internet Security\ISSVC.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - c:\Programmi\Norton

Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Programmi\File comuni\Symantec

Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Programmi\File comuni\Symantec

Shared\SPBBC\SPBBCSvc.exe

[LUCASS]

Ciao,per piacere portati in C:\Programmi\iCodecPack
Comprimi tutta la cartella iCodecPack ed invia l'archivio qui
http://www.suspectfile.com/ (Grazie)

Portati in installazioni applicazioni e disinstalla iCodecPack
Riavvia il pc ed elimina la relativa cartella C:\Programmi\iCodecPack <-------

scarica questo programma sul desktop
http://download.bleepingcomputer.com/sUBs/combofix.exe
Avvia il file combofix.exe e segui le istruzioni a schermo,quando il programma ha finito rilasciaerà un log(C:\Combofix.txt)postalo nella tua risposta

PS urante l'esecuzione del programma non usare il mouse altrimenti l'applicazione potrebbe andare in stallo(bloccarsi)

[akab69]

ciao e grazie per il tuo tempo ed aiuto..
Allora la cartella zippata "iCodecPack" l'ho uppata il mio nome è FABRIZIO
In installazioni applicazioni non ho trovato il programma iCodecPack da disinstallare.. non c'è e la cartella iCodecPack in c:\programmi si cancella in parte, mi ha lasciato i file isaddon.dll e isamonitor, non me li lascia cancellare in quanto in uso. Come faccio?
Ad ogni modo ecco il log lasciato dal programma combofix

marcellamaffei - 06-09-10 17.56.14,54
ComboFix 06.09.07 - Running from: C:\Documents and Settings\marcellamaffei\Desktop

Microsoft Windows XP [Versione 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-10 to 2006-09-10 ))))))))))))))))))))))))))))))))))


2006-09-10 15:33 516,096 --a------ C:\WINDOWS\system32\ASWL2K.exe
2006-09-10 15:33 496,640 --a------ C:\WINDOWS\system32\ASWLSVC.exe
2006-09-10 15:33 159,827 --a------ C:\WINDOWS\system32\RemSvc.exe
2006-09-10 15:32 987,136 --a------ C:\WINDOWS\system32\wcourier.exe
2006-09-10 14:36 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2006-09-10 14:36 118,784 --a------ C:\WINDOWS\system32\msstdfmt.dll
2006-09-10 14:36 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2006-09-10 00:17 176,128 --a------ C:\WINDOWS\system32\oqabf.dll
2006-09-08 09:48 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )))


2006-09-10 15:55 -------- d-------- C:\Programmi\ewido anti-spyware 4.0
2006-09-10 15:32 -------- d-------- C:\Programmi\Wireless Console 2
2006-09-10 14:56 -------- d-------- C:\Programmi\SymNetDrv
2006-09-10 14:36 -------- d-------- C:\Programmi\BulletProofSoft.com
2006-09-10 11:48 -------- d-------- C:\Programmi\Trend Micro
2006-09-10 04:31 -------- d-------- C:\Programmi\Spy-Heal
2006-09-10 03:52 -------- d-------- C:\Documents and Settings\marcellamaffei\Dati applicazioni\Lavasoft
2006-09-10 02:36 -------- d-------- C:\Programmi\Enigma Software Group
2006-09-10 00:17 -------- d-------- C:\Programmi\Virus-Burst
2006-09-10 00:17 -------- d-------- C:\Programmi\iCodecPack
2006-09-08 21:38 -------- d-------- C:\Programmi\AceSpeeder
2006-09-08 10:23 -------- d-------- C:\Documents and Settings\marcellamaffei\Dati applicazioni\AdobeUM
2006-09-08 10:23 -------- d-------- C:\Documents and Settings\marcellamaffei\Dati applicazioni\Adobe
2006-09-07 21:25 812 --a------ C:\Programmi\INSTALL.LOG
2006-09-07 21:25 -------- d-------- C:\Programmi\Winamp3
2006-09-07 20:54 -------- d-------- C:\Programmi\ACD Systems
2006-09-07 17:47 -------- d-------- C:\Documents and Settings\marcellamaffei\Dati applicazioni\Google
2006-09-07 17:44 -------- d-------- C:\Programmi\Philips
2006-09-07 17:44 -------- d-------- C:\Documents and Settings\marcellamaffei\Dati applicazioni\Philips
2006-09-07 15:45 -------- d-------- C:\Programmi\Google
2006-09-07 15:44 -------- d-------- C:\Programmi\WinZip
2006-09-06 22:45 -------- d-------- C:\Documents and Settings\marcellamaffei\Dati applicazioni\CyberLink
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 15:25 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:27 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"HControl"="C:\\WINDOWS\\ATK0100\\HControl.exe "
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SoundMan"="SOUNDMAN.EXE"
"ASUS Live Update"="C:\\Programmi\\ASUS\\ASUS Live Update\\ALU.exe"
"SynTPEnh"="C:\\Programmi\\Synaptics\\SynTP\\SynTP Enh.exe"
"Zshutdown"="c:\\sysprep\\patch\\sysprep.cmd"
"RemoteControl"="C:\\Programmi\\ASUSTeK\\ASUSDVD\\ PDVDServ.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroChec k.exe"
"ccApp"="\"c:\\Programmi\\File comuni\\Symantec Shared\\ccApp.exe\""
"Power_Gear"="C:\\Programmi\\ASUS\\Power4 Gear\\BatteryLife.exe 1"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Wireless Console 2"="C:\\Programmi\\Wireless Console 2\\wcourier.exe"
"Control Center"="C:\\Programmi\\ASUS\\WLAN Card Utilities\\Center.exe"
"!ewido"="\"C:\\Programmi\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.ex e"
"MsnMsgr"="\"C:\\Programmi\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\explorer\run]
"homepage.monitor.exe"="C:\\Programmi\\iCodecPack\ \isamonitor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Pagina iniziale corrente"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00 ,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00 ,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff ,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23 ,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EX E"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EX E"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\polic ies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 10/09/2006 17:56:40.39
ComboFix.txt

[LUCASS]

Ciao,grazie per i files
Intanto che analizzo il log esegui questa operazione
scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
Decomprimi l'archivio

Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in rosso

registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{202a961f-23ae-42b1-9505-ffe3c818d717}

folders to delete:
C:\Programmi\iCodecPack

Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente

Una volta riavviato il pc,collegati e posta il contenuto del file C:\Avenger.txt

[akab69]

allora ti informo che la home truffaldina è scomparsa e mi apre il mio amato google!!!!
ti posto il log di avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\vvdlabjy

*******************

Script file located at: \??\C:\WINDOWS\xiajkwqd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\Programmi\iCodecPack deleted successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{202a961f-23ae-42b1-9505-ffe3c818d717} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Non so come ringraziarti lucass.. grazie di cuore..
Fabrizio (GR)

[LUCASS]

Portati in Installazioni applicazioni e disinstalla i seguenti programmi:
BulletProofSoft.com
Spy-Heal
Virus-Burst
Riavvia il pc dopo la dinstallazione dei software

Riavvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in rosso:

Folders to delete:
C:\Programmi\BulletProofSoft.com
C:\Programmi\Spy-Heal
C:\Programmi\Virus-Burst

registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\explorer\run


Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente

Clicca su start>esegui nella casellina copia e incolla:
"%userprofile%\desktop\combofix.exe" /v oqabf
Clicca su Ok
Anche qui non muovere il mouse altrimenti va in stallo combofix

Per piacere posta i seguenti logs
C:\Avenger.txt
C:\Combofix.txt

[akab69]

Ti posto tutti e 2 i log..

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\hvtwfwxu

*******************

Script file located at: \??\C:\Program Files\oasrbtff.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Folder C:\Programmi\BulletProofSoft.com deleted successfully.
Deletion of folder C:\Programmi\BulletProofSoft.com successfully!

Could not process line:
C:\Programmi\BulletProofSoft.com
Status: 0xc0000034



Folder C:\Programmi\Spy-Heal deleted successfully.
Deletion of folder C:\Programmi\Spy-Heal successfully!

Could not process line:
C:\Programmi\Spy-Heal
Status: 0xc0000034



Folder C:\Programmi\Virus-Burst deleted successfully.
Deletion of folder C:\Programmi\Virus-Burst successfully!

Could not process line:
C:\Programmi\Virus-Burst
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\explorer\run deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

marcellamaffei - 06-09-10 18.45.47,84
ComboFix 06.09.07 - Running from: C:\Documents and Settings\marcellamaffei\desktop

Microsoft Windows XP [Versione 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-10 to 2006-09-10 ))))))))))))))))))))))))))))))))))


2006-09-10 15:33 516,096 --a------ C:\WINDOWS\system32\ASWL2K.exe
2006-09-10 15:33 496,640 --a------ C:\WINDOWS\system32\ASWLSVC.exe
2006-09-10 15:33 159,827 --a------ C:\WINDOWS\system32\RemSvc.exe
2006-09-10 15:32 987,136 --a------ C:\WINDOWS\system32\wcourier.exe
2006-09-10 14:36 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2006-09-10 14:36 118,784 --a------ C:\WINDOWS\system32\msstdfmt.dll
2006-09-10 14:36 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2006-09-08 09:48 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )))


2006-09-10 15:32 -------- d-------- C:\Programmi\Wireless Console 2
2006-09-10 14:56 -------- d-------- C:\Programmi\SymNetDrv
2006-09-10 11:48 -------- d-------- C:\Programmi\Trend Micro
2006-09-10 03:52 -------- d-------- C:\Documents and Settings\marcellamaffei\Dati applicazioni\Lavasoft
2006-09-10 02:36 -------- d-------- C:\Programmi\Enigma Software Group
2006-09-08 21:38 -------- d-------- C:\Programmi\AceSpeeder
2006-09-08 10:23 -------- d-------- C:\Documents and Settings\marcellamaffei\Dati applicazioni\AdobeUM
2006-09-08 10:23 -------- d-------- C:\Documents and Settings\marcellamaffei\Dati applicazioni\Adobe
2006-09-07 21:25 812 --a------ C:\Programmi\INSTALL.LOG
2006-09-07 21:25 -------- d-------- C:\Programmi\Winamp3
2006-09-07 20:54 -------- d-------- C:\Programmi\ACD Systems
2006-09-07 17:47 -------- d-------- C:\Documents and Settings\marcellamaffei\Dati applicazioni\Google
2006-09-07 17:44 -------- d-------- C:\Programmi\Philips
2006-09-07 17:44 -------- d-------- C:\Documents and Settings\marcellamaffei\Dati applicazioni\Philips
2006-09-07 15:45 -------- d-------- C:\Programmi\Google
2006-09-07 15:44 -------- d-------- C:\Programmi\WinZip
2006-09-06 22:45 -------- d-------- C:\Documents and Settings\marcellamaffei\Dati applicazioni\CyberLink
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 15:25 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 10:27 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"HControl"="C:\\WINDOWS\\ATK0100\\HControl.exe "
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SoundMan"="SOUNDMAN.EXE"
"ASUS Live Update"="C:\\Programmi\\ASUS\\ASUS Live Update\\ALU.exe"
"SynTPEnh"="C:\\Programmi\\Synaptics\\SynTP\\SynTP Enh.exe"
"Zshutdown"="c:\\sysprep\\patch\\sysprep.cmd"
"RemoteControl"="C:\\Programmi\\ASUSTeK\\ASUSDVD\\ PDVDServ.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroChec k.exe"
"ccApp"="\"c:\\Programmi\\File comuni\\Symantec Shared\\ccApp.exe\""
"Power_Gear"="C:\\Programmi\\ASUS\\Power4 Gear\\BatteryLife.exe 1"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Wireless Console 2"="C:\\Programmi\\Wireless Console 2\\wcourier.exe"
"Control Center"="C:\\Programmi\\ASUS\\WLAN Card Utilities\\Center.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.ex e"
"MsnMsgr"="\"C:\\Programmi\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Pagina iniziale corrente"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00 ,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00 ,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff ,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,12,03,00,00,23 ,00,00,00,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EX E"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EX E"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\polic ies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\polic ies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 10/09/2006 18:46:11.79
ComboFix3.txt
ComboFix2.txt
ComboFix.txt

[LUCASS]

Scusami,solo per informazione,hai eseguito questo?:
Clicca su start>esegui nella casellina copia e incolla:
"%userprofile%\desktop\combofix.exe" /v oqabf
Clicca su Ok
Anche qui non muovere il mouse altrimenti va in stallo combofix

Scarica questo programma sul desktop
http://noahdfear.geekstogo.com/click...click.php?id=1
Avvia l'eseguibile,sul desktop si creerà la cartella Smitrem
Avvia in modalità provvisoria
Apri la cartella smitrem e doppio click sul file RUNTHIS.BAT
Si apre il prompt dos(segui le istruzioni in inglese)
Al termine del tool riavvia il pc e posta il contenuto del file C:\Smitfiles,txt

Grazie ciao

[akab69]

ecco qua:


smitRem © log file
version 3.2

by noahdfear


Microsoft Windows XP [Versione 5.1.2600]
"IE"="6.0000"

Running from
C:\Documents and Settings\marcellamaffei\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe (C)2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
nscompat.tlb


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 772 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN!

Allora per rispondere alla tua domanda: SI! Ho eseguito cio' che mi hai chiesto:
Clicca su start>esegui nella casellina copia e incolla:
"%userprofile%\desktop\combofix.exe" /v oqabf
Clicca su Ok
Anche qui non muovere il mouse altrimenti va in stallo combofix


dimmi per cortesia se il sistema adesso è pulito :-) e se mi sai consigliare un programma di backup buono per poter salvare l'intero sistema operativo sano nella partizione D:\ o su un cd, in modo da poter richiamare l'immagine salvata al momento del bisogno e sovrascrivere il SO infettato... (casomai ce ne fosse bisogno in futuro)
In attesa ti ringrazio molto e ti porgo i miei piu' distinti saluti..
Aggiungo anche:
SEI UN GRANDE!!
Fabrizio

[LUCASS]

Si adesso è pulito
Backup puoi usare true image o norton ghost
Se vuoi potresti fare un ulteriore controllo,ho visto un dll riconducibile al malware vundo
Scarica il software da qui
http://www.atribune.org/ccount/click.php?id=4
Doppio click su vundofix.exe
Clicca su "Scan for vundo"
Finita la scansione clicca su "Remove vundo"
Riceverai un messaggio se vuoi eliminare i files,rispondi SI(Yes)
Subito dopo il desktop scomparirà(è normale)
Ti chiederà se vuoi riavviare anche qui di SI(Yes)
Posta il contenuto del file vundofix.exe(in C:\ se ben ricordo o dove hai eseguito il tool)