  1. #1

    Infected files that reappear at system restart even though they were deleted

    In recent days I've had problems with a piece of malware that made pop-up windows full of advertising appear when the browser started. It was in the C:\WINDOWS folder and I couldn't delete it with the antispyware, which detected it but couldn't remove it because the malware started running as soon as Windows opened. So I tried running a scan in Safe Mode, but once again the file was already in use by the system. Then, not knowing what else to do, I started the Windows XP Recovery Console and finally deleted the file manually with a few DOS commands. I restarted the system and everything seemed OK; at last the pop-ups were gone! But now something has been left behind: running another scan with the antispyware, it finds a certain "Smitfraud-C.Toolbar888", which is a registry key, followed by lots of tracking cookies. The antispyware deletes them without any trouble, but when I restart the system or connect to the Internet they come back again. I have no idea how to remove these infected files permanently, so I'm leaving you the HijackThis log. I hope you can help me, thanks.

    code:
    Logfile of HijackThis v1.99.1
    Scan saved at 1.38.34, on 03/07/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
    C:\Programmi\Apache Software Foundation\Apache2.2\bin\httpd.exe
    C:\Programmi\Bonjour\mDNSResponder.exe
    C:\Programmi\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Programmi\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\UMonit.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe
    C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
    C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Programmi\D-Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
    C:\Programmi\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Programmi\Apache Software Foundation\Apache2.2\bin\httpd.exe
    C:\HijackThis\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O1 - Hosts: f¬X°\´bºfQ…YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty32UPGRADE32Q…YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty31UPGRADE31Q…
    O1 - Hosts: YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty30UPGRADE30O… YC{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty3UPGRADE3Q…YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty29UPGRADE29Q…YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty28UPGRADE28Q…YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty27UPGRADE27Q…YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty26UPGRA
    O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {503CFFA6-C7C0-4F84-9C27-64D2D46B69C9} - C:\WINDOWS\system32\awvvs.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\qdfcgfrm.dll (file missing)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {E5225210-F293-40FE-BB2F-D5A3C7F13C47} - C:\WINDOWS\system32\ddcawut.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\system32\UMonit.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [j7241831] rundll32 C:\WINDOWS\system32\j7241831.dll sook
    O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\mwioplmy.dll",realset
    O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe"  -lang 1033
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Maria Teresa\Dati applicazioni\Mozilla\Firefox\Profiles\q7zwbaym.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Maria Teresa\Dati applicazioni\Mozilla\Firefox\Profiles/q7zwbaym.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
    O4 - Startup: Ritaglio schermata e avvio di OneNote 2007.lnk = C:\Programmi\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Programmi\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175794169453
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll (file missing)
    O20 - Winlogon Notify: ddcawut - ddcawut.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apache2 - Unknown owner - C:\Programmi\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MySQL - Unknown owner - C:\Programmi\MySQL\MySQL.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

  2. #2
    hi, here's what you have to do:
    start HijackThis, tick the following entries on the left:
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O4 - HKLM\..\Run: [j7241831] rundll32 C:\WINDOWS\system32\j7241831.dll sook
    then also tick the hosts entries, those are the O1 ones. Tick the O1 ones too.
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    and then click FIX CHECKED at the bottom.
    to remove Smitfraud, download VundoFix from here---> www.atribune.org/ccount/click.php?id=4
    run it, click Scan for Vundo
    then Remove Vundo
    click Yes
    the desktop will turn white, wait...
    restart the PC and post the VundoFix log file at c:/vundofix.txt
    then, if that isn't enough:
    1. download this program from here--->
    http://noahdfear.geekstogo.com/click...click.php?id=1
    2. Double-click the file so that the files are unpacked into a folder
    3. Restart, starting Windows in Safe Mode
    4. Open the folder and double-click the RunThis.bat file
    5. Follow the program's instructions so that it scans and deletes the malicious files.
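The entries tecnico24 picks out of the HijackThis log in #1 (a Run key that loads an oddly named DLL from system32 through rundll32, and BHO / Winlogon Notify hooks whose DLL no longer exists) share patterns that can be surfaced mechanically before anyone ticks boxes in HijackThis. The Python script below is an added example, not part of this thread and not code from HijackThis or any of the tools mentioned: it parses HijackThis-style lines (a constructed sample assembled from entries of the kind shown in the posted log) and reports (a) O2/O20 entries marked "(file missing)" or "(no file)", (b) O4 Run keys that load a DLL from system32 via rundll32, and (c) Winlogon Notify packages, except where the DLL is on an analyst-maintained allowlist (`KNOWN_GOOD_DLLS`, an assumption of this example). It removes nothing; it only produces a review list.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str  # HijackThis section id, e.g. "O4"
    reason: str
    line: str


# Analyst-maintained allowlist of loader DLLs already verified on this machine.
# This is an assumption of the example; the thread does not provide such a list.
KNOWN_GOOD_DLLS = {"nvcpl.dll", "nvmctray.dll", "wgalogon.dll"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# rundll32[.exe] ["]<path>.dll ... : captures the DLL path that gets loaded
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$", re.IGNORECASE)

# Constructed sample built from entries of the kind shown in the log in post #1.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.msn.com/
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {503CFFA6-C7C0-4F84-9C27-64D2D46B69C9} - C:\WINDOWS\system32\awvvs.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [j7241831] rundll32 C:\WINDOWS\system32\j7241831.dll sook
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\mwioplmy.dll",realset
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: awvvs - C:\WINDOWS\system32\awvvs.dll (file missing)
O20 - Winlogon Notify: ddcawut - ddcawut.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (either slash style)."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Return the entries an analyst should look at before fixing anything."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # R0/R1 lines, process list, headers: not in scope here
        section, body = m.groups()
        lower = body.lower()

        # (a) Orphaned hooks: a BHO or Winlogon Notify entry whose DLL is gone.
        #     Harmless by itself, but it is leftover from whatever was removed
        #     and is still attempted at every logon / browser start.
        if section in ("O2", "O20") and ("(file missing)" in lower or "(no file)" in lower):
            findings.append(Finding(section, "references a DLL that no longer exists", line))
            continue

        # (b) Run keys that load a DLL from system32 through rundll32.
        if section == "O4":
            r = RUNDLL_RE.search(body)
            if r:
                dll = r.group(1)
                name = _basename(dll)
                if "\\system32\\" in dll.lower() and name not in KNOWN_GOOD_DLLS:
                    findings.append(Finding(section, f"rundll32 loads unvouched DLL {name}", line))
            continue

        # (c) Winlogon Notify packages are loaded by winlogon.exe at logon, so
        #     they survive an antispyware pass that only deletes files on disk.
        if section == "O20":
            n = NOTIFY_RE.match(body)
            if n:
                name = _basename(n.group(2))
                if name not in KNOWN_GOOD_DLLS:
                    findings.append(Finding(section, f"Winlogon Notify loads unvouched DLL {name}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

On the sample the script reports exactly the two rundll32 Run keys and the four orphaned O2/O20 hooks and stays silent on the NVIDIA, AntiVir and WgaLogon entries. The allowlist is deliberately tiny: on a real machine it should be filled only with loaders whose binaries have been verified, and every other rundll32 or Winlogon Notify loader treated as something to look at, which is the same judgement the helpers in this thread made by eye.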

  3. #3
    tecnico24
    maybe to remove Smitfraud you'd need a fix tool that removes Smitfraud... what do you think?


    perfectgirl963
    download
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    and unzip the archive to the desktop.

    Restart in Safe Mode.

    Open the folder you just unzipped and run smitfraudfix.cmd.
    Select option #2 - Clean by pressing 2, then press "Enter".
    At the message: Registry cleaning - Do you want to clean the registry ?
    Answer YES by pressing Y, then press Enter.
    Answer YES (Y) to any other questions.

    Once the whole scan has finished, restart the PC in normal mode. Post the scan log.
    ==
    Visit my blog SuspectFile.com
    ==

  4. #4
    amvinfe, I followed the procedure you posted. After restarting in normal mode I tried running a scan with the antispyware, but Smitfraud is still there. I'm posting the SmitFraudFix log:

    code:
    SmitFraudFix v2.199
    
    Scan done at 18.19.36,54, 03/07/2007
    Run from C:\Documents and Settings\xxxxx xxxxxx\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode
    
    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!
    
    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll
    
    »»»»»»»»»»»»»»»»»»»»»»»» Killing process
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» hosts
    
    
    
    
    
    f
    ¬X°\´b
    º
    f
    
    
    
    
    Q…YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty32UPGRADE32Q…YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty31UPGRADE31Q…
    YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty30UPGRADE30O…	YC{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty3UPGRADE3Q…YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty29UPGRADE29Q…YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty28UPGRADE28Q…YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty27UPGRADE27Q…YE{C9BE6782-B94E-4EA6-9208-CF92811B28E7}5AdobeUpgradeActionProperty26UPGRA
    
    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
    
    GenericRenosFix by S!Ri
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» DNS
    
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
     
    Registry Cleaning done. 
     
    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!
    
    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll
    
    
    »»»»»»»»»»»»»»»»»»»»»»»» End

  5. #5
    why don't you try doing what I said?

  6. #6
    Originally posted by tecnico24
    why don't you try doing what I said?
    oops.. I missed your post.

    Thanks tecnico24, I managed to remove all the malicious files and the system error at Windows startup doesn't appear any more. thanks again!
    (I don't know whether the logs generated by VundoFix and smitrem are needed at this point ...)

  7. #7
    yes, they're not needed. until next time!
