Sospetto virus

[maurofesta]

Qualcuno mi può controllare il log sottostante che ho effettuato con Hjackthis_v2,

Incovenienti sin'ora riscontrati:

1. chiusura improvvisa del pc dopo avere cliccato su un documento
2. internet non si apre bene (si blocca)
3. non si apre il menù contestuale se clicco sui file per vedere le proprietà
4. la modalità provvisoria non parte (riparte automaticamewnte quando scelgo l'opzione)
5. Le icone di Antivir e Avg antispy sono scomparse e non parte nemmeno il relativo programma.

Grazie per l'aiuto.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17.03.02, on 18/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\CPUCooL\CooLSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vsnpstd.exe
C:\Programmi\3D-Relax\Majestic Universe Trial\trioService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\TRENDnet\TEW-424UB\WlanCU.exe
C:\Programmi\CPUCooL\CPUCooL.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\SPEEDB~1\VideoAccelerator.exe
C:\Documents and Settings\mauro\Desktop\penna\scaricato\avgas-setup-7.5.1.43.exe
C:\Documents and Settings\mauro\Desktop\penna\programmi\HiJackThis_ v2.exe
C:\Programmi\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301. 7164\swg.dll
O2 - BHO: Coolstreaming_Tool-Bar_v1.0 toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: Coolstreaming_Tool-Bar_v1.0 toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [trioService] "C:\Programmi\3D-Relax\Majestic Universe Trial\trioService.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleTo olbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: CPUCooL.lnk = C:\Programmi\CPUCooL\CPUCooL.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.14.lnk = C:\Programmi\TRENDnet\TEW-424UB\WlanCU.exe
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Programmi\CPUCooL\CooLSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe

--
End of file - 6663 bytes

[tecnico24]

Nel log di hijackthis non vedo nulla di strano.
scarica elibagla http://www.zonavirus.com/datos/desca...5/elibagla.asp
spunta la casella "eliminar ficheros automaticamente", e fai la scansione.
posta il report dello scan.
per la modalita provvisoria scarica il file Safeboot.zip dall indirizzo WEB http://www.didierstevens.com/files/data/SafeBoot.zip

estrai/scompatta l'archivio in una cartella a tua scelta ed esegui safeboot.reg

poi dai la conferma alla sua installazione nella schermata che apparira a video.

vedi se riesci a far partire la modalita' provvisoria e dimmi se hai risolto.

[maurofesta]

questo è il risultato

Tue Sep 18 18:23:35 2007
EliBagle v10.53 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
Por favor, envienos una muestra del fichero
C:\Muestras\WINSYS.EXE.Muestra EliBagle v10.53
a "virus@satinfo.es". Gracias.
C:\WINDOWS\SYSTEM32\WINSYS.EXE --> Eliminado Bagle

Tue Sep 18 18:24:18 2007
EliBagle v10.53 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
Por favor, envienos una muestra del fichero
C:\Muestras\HIDR.EXE.Muestra EliBagle v10.53
a "virus@satinfo.es". Gracias.
C:\WINDOWS\SYSTEM32\DRIVERS\HIDR.EXE --> Bagle Renombrado a .VIR
C:\DOCUMENTS AND SETTINGS\MAURO\DATI APPLICAZIONI\M\LIST.OCT --> Eliminado Bagle
Eliminada Carpeta "%WinDir%\exefld"
Restaurada Clave: "SafeBoot\Minimal y Network"

Tue Sep 18 18:24:28 2007
EliBagle v10.53 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
Por favor, envienos una muestra del fichero
C:\Muestras\HIDR.EXE.Muestra EliBagle v10.53
a "virus@satinfo.es". Gracias.
C:\WINDOWS\SYSTEM32\DRIVERS\HIDR.EXE --> Eliminado Bagle
Eliminada Carpeta "%WinDir%\exefld"

Tue Sep 18 18:33:27 2007
EliBagle v10.53 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\Drivers\HIDR.EXE.VIR --> Eliminado


la modalità provvisoria funziona ma quando voglio passare AVG Anti-Spyware mi dice: "connessione al servizio non riuscita. reistallare...." e nemmeno Antivir mi gira.

Internet si apre dopo qualche minuto.

[tecnico24]

scarica e decomprimi avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip

- con un doppio click avvia il file avenger.exe
- Seleziona "Input Script Manually"
- Clicca sulla lente di ingrandimento

- Nella finestra che si aprirà "View/edit script"
- copia / incolla quanto segue:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Registry keys to delete:
HKEY_LOCAL_MACHINE\system\ControlSet003\Services\s rosa

Folders to delete:
C:\windows\temp
C:\WINDOWS\Tasks
C:\WINDOWS\exefqd


Files to delete:
c:\windows\system32\hlpuybtr.exe
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys

drivers to unload:
srosa



clicca su done,sul semaforo,due volte SI,riavvia il pc,e posta qui il log di avenger(C:/AVENGER.TXT)

[ste_95]

è normale che dia quell'errore ha eliminato gli AV, resinatllali....

[maurofesta]

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\ydcshqyu

*******************

Script file located at: \??\C:\Program Files\meeambwk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\system\ControlSet003\Services\s rosa deleted successfully.
Folder C:\windows\temp deleted successfully.
Folder C:\WINDOWS\Tasks deleted successfully.


Folder C:\WINDOWS\exefqd not found!
Deletion of folder C:\WINDOWS\exefqd failed!

Could not process line:
C:\WINDOWS\exefqd
Status: 0xc0000034



File c:\windows\system32\hlpuybtr.exe not found!
Deletion of file c:\windows\system32\hlpuybtr.exe failed!

Could not process line:
c:\windows\system32\hlpuybtr.exe
Status: 0xc0000034



File C:\WINDOWS\system32\drivers\hidr.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!

Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\srosa.sys deleted successfully.
Driver srosa unloaded successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

adesso va meglio ma quando apro internet si blocca sulla barra di caricamento e posso operare solo dopo qualche minuto. Se apro invece da Start -cerca -cerca su internet posso navigare ma i link verso altre pagine (altra finestra) vengono bloccate.

*******************

Finished! Terminate.

[ste_95]

hai eliminato i files che non facevano installare i programmi di sicurezza.... scansiona il computer con nanoscan, il link è nella mia firma...

[tecnico24]

ciao,scansiona con superantispyware www.superantispyware.com