  1. #1

Problem with the wvUnMeDS.dll trojan

    I just can't get rid of this virus (which lives in system32). Sometimes the desktop disappears and the PC slows down a lot... other times a window opens telling me there is a virus in the system and I have to download a file of dubious origin (I refuse the download, of course). I've tried online scans with NOD32, with Trojan Hunter, Trojan Remover (also in safe mode) etc. etc.... but nothing, that trojan stays there...... help, please

    Thanks everyone for the help!!

  2. #2
For about two days I've been dealing with a really ....... trojan; anyway, I've tried absolutely everything. Here is my HijackThis log...:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11.06.49, on 19/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Programmi\Bonjour\mDNSResponder.exe
    C:\Programmi\Roper\AirBlue Bluetooth Software\bin\btwdins.exe
    C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
    C:\Programmi\Telecom Italia\WanMiniport1st\WanMiniport1st_srv.exe
    C:\Programmi\Eset\nod32krn.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
    c:\Programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Programmi\Logitech\MouseWare\system\em_exec.exe
    C:\Programmi\Analog Devices\SoundMAX\DrvLsnr.exe
C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\driven_dev\syncer\McciTrayApp.exe
    C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
    C:\Programmi\Eset\nod32kui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Roper\AirBlue Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programmi\Internet Explorer\IEXPLORE.EXE
    C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\Programmi\Telecom Italia\WanMiniport1st\WanMiniport1st.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nerooo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Programmi\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O2 - BHO: (no name) - {BA44CBC8-E16A-4F36-B066-4D75699E171D} - C:\WINDOWS\system32\wvUnMeDS.dll
    O2 - BHO: BhoApp Class - {BBEEBE4F-3EDA-40F4-A0AB-87593EE49C56} - C:\WINDOWS\system32\apiview2.dll
    O2 - BHO: (no name) - {E766CAAC-6E7E-4F53-A75D-63549AA190AF} - C:\WINDOWS\system32\efcCuSih.dll (file missing)
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Programmi\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O3 - Toolbar: Systran50premi.IEPlugIn - {9A0844DB-84CF-4440-BDB1-1F4F7C4F7FB0} - C:\Programmi\SYSTRAN\5.0\Premium\IEPlugIn.dll
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DrvLsnr] C:\Programmi\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AliceRE_McciTrayApp] C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\driven_dev\syncer\McciTrayApp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe "
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Programmi\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Documents and Settings\gino\Desktop\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: Open and Translate in Word - res://C:\Programmi\SYSTRAN\5.0\Premium\IEShellExt.dll /10
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Barra di ricerca di Encarta - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Roper\AirBlue Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\Roper\AirBlue Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\WINDOWS\system32\shdocvw.dll
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {C9386579-3C0F-4713-82C6-5BA8088C7C8D} (Windows Live SkyDrive Upload Tool) - https://secure.shared.live.com/Pa6vG...RichUpload.cab
    O20 - Winlogon Notify: wvUnMeDS - C:\WINDOWS\SYSTEM32\wvUnMeDS.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\Roper\AirBlue Bluetooth Software\bin\btwdins.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\DOCUME~1\gino\Desktop\PR\CACHEM~1\CachemanXP.exe
    O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - VIA Technologies, Inc. - (no file)
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: Network WanMiniport First Position - Unknown owner - C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 11081 bytes
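As an added example (not code from the thread or from any of the tools it mentions), here is a small Python triage script run over a few lines copied from the HijackThis log above. It pairs O2 and O20 entries, which is exactly what makes wvUnMeDS.dll stand out in this log: one DLL registered both as a Browser Helper Object and as a Winlogon Notify handler. The finding names and the "system32 rather than Program Files" heuristic are this example's own choices, not anything HijackThis reports.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {BA44CBC8-E16A-4F36-B066-4D75699E171D} - C:\WINDOWS\system32\wvUnMeDS.dll",
    r"O2 - BHO: BhoApp Class - {BBEEBE4F-3EDA-40F4-A0AB-87593EE49C56} - C:\WINDOWS\system32\apiview2.dll",
    r"O2 - BHO: (no name) - {E766CAAC-6E7E-4F53-A75D-63549AA190AF} - C:\WINDOWS\system32\efcCuSih.dll (file missing)",
    r"O20 - Winlogon Notify: wvUnMeDS - C:\WINDOWS\SYSTEM32\wvUnMeDS.dll",
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe",
])

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

def parse(log_text):
    """Split a HijackThis log into O2 (BHO) and O20 (Winlogon Notify) entries."""
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"],
                         "path": m["path"], "missing": m["missing"] is not None})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append({"key": m["key"], "path": m["path"]})
    return bhos, notifies

def triage(log_text):
    """Return findings as dicts with kind, CLSID, path and the reason it was flagged."""
    bhos, notifies = parse(log_text)
    # Windows paths are case-insensitive: the log writes SYSTEM32 in one line and system32 in another.
    notify_by_dll = {n["path"].lower(): n["key"] for n in notifies}
    findings = []
    for b in bhos:
        p = b["path"].lower()
        if b["missing"]:
            findings.append({"kind": "orphan_bho", "id": b["clsid"], "path": b["path"],
                             "why": "CLSID still registered but the DLL is gone: a cleaner removed the file only"})
        elif p in notify_by_dll:
            findings.append({"kind": "bho_and_winlogon_notify", "id": b["clsid"], "path": b["path"],
                             "why": "same DLL loaded by IE (O2) and by winlogon (O20 key %s): two persistence hooks"
                                    % notify_by_dll[p]})
        elif "\\system32\\" in p:
            why = "BHO loads straight from system32 rather than from Program Files"
            if b["name"] == "(no name)":
                why += "; no registered name either"
            findings.append({"kind": "system32_bho", "id": b["clsid"], "path": b["path"], "why": why})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["id"], f["path"], "-", f["why"])
```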

  3. #3
Deifobe (HTML.it user, registered Oct 2007, 6,072 posts)
    hi,
    I need the SystemScan report to see whether there are other files on the PC (besides those shown in HJT)... so: download SystemScan, disconnect the PC from the internet => disable the antivirus => run SystemScan => click "Scan Now". When the scan is finished, re-enable the antivirus.

    Upload the report you find on the desktop to Savefile and post the link you get.

  4. #4
Sorry for my colossal delay.... but between commitments and the PC slowing down before my very eyes!!!!
    ..... anyway, here is the link to the report made with the program:


    http://www.savefile.com/files/1618587


thanks for your patience!

  5. #5
Deifobe (HTML.it user, registered Oct 2007, 6,072 posts)
    I'll check it and let you know.

    edit:

    Is this connection yours?
    gsa_00967_Connection PhoneNumber=89919XXXX
    and check the others...

    Copy these instructions into a txt file

    Download Avenger, SmitfraudFix and CCleaner, and disconnect the PC from the internet (try not to reconnect until the procedure is finished)

    Create a new folder in c:\ and call it pippo

    Open Notepad and copy/paste into the page:

    Windows Registry Editor Version 5.00

    [-HKCR\CLSID\{BA44CBC8-E16A-4F36-B066-4D75699E171D}]

    [-HKCR\CLSID\{BBEEBE4F-3EDA-40F4-A0AB-87593EE49C56}]

    [-HKCR\CLSID\{A5693AF6-FF5B-4F63-9A0E-4F22D7E511B7}]
save it in c:\ with the name: fix.reg
    file type: all files


Run Avenger and copy/paste the whole quote into its window:

    files to delete:
    C:\WINDOWS\system32\clkcnt.txt
    C:\WINDOWS\system32\iiffDUlM.dll
    C:\WINDOWS\system32\wvUnMeDS.dll
    C:\WINDOWS\system32\SAKjlUvw.ini2
    C:\WINDOWS\system32\SAKjlUvw.ini
    C:\WINDOWS\system32\XHgPoUvw.ini2
    C:\WINDOWS\system32\XHgPoUvw.ini
    C:\WINDOWS\system32\mpVvDJlm.ini2
    C:\WINDOWS\system32\mpVvDJlm.ini
    C:\WINDOWS\system32\mTtAaccf.ini2
    C:\WINDOWS\system32\mTtAaccf.ini
    C:\WINDOWS\system32\UvvDdMoq.ini2
    C:\WINDOWS\system32\UvvDdMoq.ini
    C:\WINDOWS\system32\gOprtvut.ini2
    C:\WINDOWS\system32\gOprtvut.ini
    C:\WINDOWS\system32\QqtuDJlm.ini2
    C:\WINDOWS\system32\QqtuDJlm.ini
    C:\WINDOWS\system32\AyyHNqss.ini2
    C:\WINDOWS\system32\AyyHNqss.ini
    C:\WINDOWS\system32\mnoXyccf.ini2
    C:\WINDOWS\system32\mnoXyccf.ini
    C:\WINDOWS\system32\EgMWDJlm.ini2
    C:\WINDOWS\system32\EgMWDJlm.ini
    C:\WINDOWS\system32\OYcbcMoq.ini2
    C:\WINDOWS\system32\OYcbcMoq.ini
    C:\WINDOWS\system32\TuxIknnn.ini2
    C:\WINDOWS\system32\TuxIknnn.ini
    C:\WINDOWS\system32\kjTBLnmp.ini2
    C:\WINDOWS\system32\kjTBLnmp.ini
    C:\WINDOWS\system32\hiSuCcfe.ini2
    C:\WINDOWS\system32\hiSuCcfe.ini
    C:\WINDOWS\system32\MlUDffii.ini2
    C:\WINDOWS\system32\MlUDffii.ini
    C:\WINDOWS\system32\winview8x.dll
    C:\WINDOWS\system32\syscheck32.dll
    C:\WINDOWS\system32\apiview2.dll

    folders to delete:
    C:\found.000

    files to move:
    C:\WINDOWS\tasks\ejswcc.job | c:\pippo\ejswcc.job

    registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {BA44CBC8-E16A-4F36-B066-4D75699E171D}

    registry keys to delete:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvUnMeDS
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA44CBC8-E16A-4F36-B066-4D75699E171D}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5693AF6-FF5B-4F63-9A0E-4F22D7E511B7}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBEEBE4F-3EDA-40F4-A0AB-87593EE49C56}

    programs to launch on reboot:
    c:\fix.reg
Tick "Automatically disable any rootkits found" and click "execute".
    The PC should reboot by itself; otherwise reboot it yourself. Post the report it produces

Run CCleaner and clean out temporary files and cookies (run it twice).

From HijackThis, fix (if still present):

(if it isn't yours) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:// www . nerooo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {A5693AF6-FF5B-4F63-9A0E-4F22D7E511B7} - C:\WINDOWS\system32\iiffDUlM.dll (file missing)
    O2 - BHO: (no name) - {BA44CBC8-E16A-4F36-B066-4D75699E171D} - C:\WINDOWS\system32\wvUnMeDS.dll
    O2 - BHO: BhoApp Class - {BBEEBE4F-3EDA-40F4-A0AB-87593EE49C56} - C:\WINDOWS\system32\apiview2.dll
    O20 - Winlogon Notify: wvUnMeDS - C:\WINDOWS\SYSTEM32\wvUnMeDS.dll
Still in HijackThis, click "Open the Misc Tools section" - "Open ADS Spy" - "Scan". If it detects any ADS, tick the entries and click "remove selected".

boot into safe mode (*) and run SmitfraudFix.
    Select option 2 (Clean) and press Enter (this deletes the infected files). At the question "Registry cleaning - Do you want to clean the registry ?" type "Y" and press Enter.
    The computer will reboot to complete the cleaning process (otherwise reboot it yourself into normal mode). A text file with the results will be shown on the desktop; you will need to post it.

Post a new SystemScan report, the SmitfraudFix one and the Avenger report



(*) To enter safe mode: when the PC starts, before Windows begins loading, press F8 repeatedly. The Windows Advanced Options menu will appear
    => choose safe mode (use the ^ arrow key).

    Bye

  6. #6
Apologies again for the enormous wait; anyway, in the meantime here is the Avenger report:


    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Platform: Windows XP (build 2600, Service Pack 2)
    Thu Jun 19 22:20:28 2008

    22:20:28: Error: Invalid script. A valid script must begin with a command directive.
    Aborting execution!


    //////////////////////////////////////////


    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File "C:\WINDOWS\system32\clkcnt.txt" deleted successfully.

    Error: file "C:\WINDOWS\system32\iiffDUlM.dll" not found!
    Deletion of file "C:\WINDOWS\system32\iiffDUlM.dll" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    File "C:\WINDOWS\system32\wvUnMeDS.dll" deleted successfully.
    File "C:\WINDOWS\system32\SAKjlUvw.ini2" deleted successfully.
    File "C:\WINDOWS\system32\SAKjlUvw.ini" deleted successfully.
    File "C:\WINDOWS\system32\XHgPoUvw.ini2" deleted successfully.
    File "C:\WINDOWS\system32\XHgPoUvw.ini" deleted successfully.
    File "C:\WINDOWS\system32\mpVvDJlm.ini2" deleted successfully.
    File "C:\WINDOWS\system32\mpVvDJlm.ini" deleted successfully.
    File "C:\WINDOWS\system32\mTtAaccf.ini2" deleted successfully.
    File "C:\WINDOWS\system32\mTtAaccf.ini" deleted successfully.
    File "C:\WINDOWS\system32\UvvDdMoq.ini2" deleted successfully.
    File "C:\WINDOWS\system32\UvvDdMoq.ini" deleted successfully.
    File "C:\WINDOWS\system32\gOprtvut.ini2" deleted successfully.
    File "C:\WINDOWS\system32\gOprtvut.ini" deleted successfully.
    File "C:\WINDOWS\system32\QqtuDJlm.ini2" deleted successfully.
    File "C:\WINDOWS\system32\QqtuDJlm.ini" deleted successfully.
    File "C:\WINDOWS\system32\AyyHNqss.ini2" deleted successfully.
    File "C:\WINDOWS\system32\AyyHNqss.ini" deleted successfully.
    File "C:\WINDOWS\system32\mnoXyccf.ini2" deleted successfully.
    File "C:\WINDOWS\system32\mnoXyccf.ini" deleted successfully.
    File "C:\WINDOWS\system32\EgMWDJlm.ini2" deleted successfully.
    File "C:\WINDOWS\system32\EgMWDJlm.ini" deleted successfully.
    File "C:\WINDOWS\system32\OYcbcMoq.ini2" deleted successfully.
    File "C:\WINDOWS\system32\OYcbcMoq.ini" deleted successfully.
    File "C:\WINDOWS\system32\TuxIknnn.ini2" deleted successfully.
    File "C:\WINDOWS\system32\TuxIknnn.ini" deleted successfully.
    File "C:\WINDOWS\system32\kjTBLnmp.ini2" deleted successfully.
    File "C:\WINDOWS\system32\kjTBLnmp.ini" deleted successfully.
    File "C:\WINDOWS\system32\hiSuCcfe.ini2" deleted successfully.
    File "C:\WINDOWS\system32\hiSuCcfe.ini" deleted successfully.
    File "C:\WINDOWS\system32\MlUDffii.ini2" deleted successfully.
    File "C:\WINDOWS\system32\MlUDffii.ini" deleted successfully.
    File "C:\WINDOWS\system32\winview8x.dll" deleted successfully.
    File "C:\WINDOWS\system32\syscheck32.dll" deleted successfully.
    File "C:\WINDOWS\system32\apiview2.dll" deleted successfully.
    Folder "C:\found.000" deleted successfully.
File move operation "C:\WINDOWS\tasks\ejswcc.job|c:\pippo\ejswcc.job" completed successfully.
    Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{BA44CBC8-E16A-4F36-B066-4D75699E171D}" deleted successfully.
    Registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvUnMeDS" deleted successfully.
    Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA44CBC8-E16A-4F36-B066-4D75699E171D}" deleted successfully.
    Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5693AF6-FF5B-4F63-9A0E-4F22D7E511B7}" deleted successfully.
    Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBEEBE4F-3EDA-40F4-A0AB-87593EE49C56}" deleted successfully.
    Program "c:\fix.reg" successfully queued to run on reboot.

    Completed script processing.

    *******************

    Finished! Terminate.
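An added example (not code from the thread or from Avenger itself) that does what the helper has to do by hand with the two posts above: read the Avenger script from post #5 and the report from post #6 and check, directive by directive, that each one was actually carried out. It also counts the pre-processor abort shown at the top of the report, which is what you get when the paste does not begin with a directive line. The section names and report wording are taken from the thread; the sample inputs below are constructed subsets of them.

```python
import re
# Constructed sample: a cut-down version of the Avenger script from the helper's post above.
SAMPLE_SCRIPT = r"""
files to delete:
C:\WINDOWS\system32\iiffDUlM.dll
C:\WINDOWS\system32\wvUnMeDS.dll
C:\WINDOWS\system32\syscheck32.dll
files to move:
C:\WINDOWS\tasks\ejswcc.job | c:\pippo\ejswcc.job
registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {BA44CBC8-E16A-4F36-B066-4D75699E171D}
registry keys to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvUnMeDS
programs to launch on reboot:
c:\fix.reg
"""

# Constructed sample: lines copied from the Avenger report above; syscheck32.dll is left out on purpose.
SAMPLE_REPORT = r"""
22:20:28: Error: Invalid script. A valid script must begin with a command directive.
Error: file "C:\WINDOWS\system32\iiffDUlM.dll" not found!
Deletion of file "C:\WINDOWS\system32\iiffDUlM.dll" failed!
File "C:\WINDOWS\system32\wvUnMeDS.dll" deleted successfully.
File move operation "C:\WINDOWS\tasks\ejswcc.job|c:\pippo\ejswcc.job" completed successfully.
Registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{BA44CBC8-E16A-4F36-B066-4D75699E171D}" deleted successfully.
Registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvUnMeDS" deleted successfully.
Program "c:\fix.reg" successfully queued to run on reboot.
"""

# Script section header -> directive kind (the headers used in the helper's script).
SECTIONS = {"files to delete": "file", "files to move": "move",
            "registry values to delete": "regvalue", "registry keys to delete": "regkey",
            "programs to launch on reboot": "program"}

# (pattern, kind, outcome) for the per-directive lines Avenger writes to its report.
REPORT_PATTERNS = [
    (re.compile(r'^File "(.+)" deleted successfully\.$'), "file", "deleted"),
    (re.compile(r'^Error: file "(.+)" not found!$'), "file", "not_found"),
    (re.compile(r'^File move operation "(.+)" completed successfully\.$'), "move", "moved"),
    (re.compile(r'^Registry value "(.+)" deleted successfully\.$'), "regvalue", "deleted"),
    (re.compile(r'^Registry key "(.+)" deleted successfully\.$'), "regkey", "deleted"),
    (re.compile(r'^Program "(.+)" successfully queued to run on reboot\.$'), "program", "queued"),
]

def norm(target):
    """Windows paths and keys are case-insensitive; the script writes 'a | b', the report 'a|b'."""
    return "|".join(part.strip() for part in target.split("|")).lower()

def parse_script(text):
    """Return (kind, target) pairs; reject a script that does not open with a directive, as Avenger does."""
    items, kind = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.endswith(":") and line[:-1].lower() in SECTIONS:
            kind = SECTIONS[line[:-1].lower()]
        elif kind is None:
            raise ValueError("Invalid script. A valid script must begin with a command directive: " + line)
        else:
            items.append((kind, line))
    return items

def parse_report(text):
    """Map (kind, normalised target) to its outcome and count pre-processor aborts seen in the log."""
    outcomes, aborts = {}, 0
    for line in map(str.strip, text.splitlines()):
        aborts += "Invalid script" in line
        for pattern, kind, outcome in REPORT_PATTERNS:
            m = pattern.match(line)
            if m:
                outcomes[(kind, norm(m.group(1)))] = outcome
                break
    return outcomes, aborts

def reconcile(script_text, report_text):
    """For every directive in the script, say what the report recorded for it ("unaccounted" if nothing)."""
    outcomes, aborts = parse_report(report_text)
    rows = [(kind, target, outcomes.get((kind, norm(target)), "unaccounted"))
            for kind, target in parse_script(script_text)]
    return rows, aborts
```

A "not_found" outcome like iiffDUlM.dll's is expected when an earlier cleaner already removed the file; an "unaccounted" directive means the report has no line for it and the item should be checked by hand.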

  7. #7
below is the SmitFraudFix report run in safe mode.... I don't think the results are very cheerful... .... anyway, I'm relying on you.... and thanks for everything... let's hope .....fingers crossed while I wait for an answer.....now all I have left is a new SystemScan report, the SmitfraudFix one and the Avenger report.... right???

  8. #8
Deifobe (HTML.it user, registered Oct 2007, 6,072 posts)
    you've already posted Avenger.
    I need the SmitfraudFix report (you'll find it in C:\rapport.txt) and a new SystemScan, yes.
    Bye

  9. #9
OK, for now here is the SmitFraudFix report, while I'll run the SystemScan one now, disconnecting the antivirus and the internet connection....


    SmitFraudFix v2.328

    Scan done at 22.42.43,65, 19/06/2008
    Run from C:\Documents and Settings\gino\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system\svchost.exe Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» 404Fix

    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{665DC321-3839-40EC-A699-316C20990F94}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{665DC321-3839-40EC-A699-316C20990F94}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{665DC321-3839-40EC-A699-316C20990F94}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

  10. #10
so here is the link to the SystemScan report that finished a little while ago.... awaiting replies....
    ...let's hope...

    http://www.savefile.com/files/1620306

and with this I'm done.... let me know as soon as possible.....please.....
