WIN32/Dialer.RU cavallo di troia

[gippi73]

Ciao a tutti, il mio antivirus NOD32 ha rilevato il virus WIN32/Dialer.RU cavallo di troia,
Ho fatto una scansione con HijackThis e questo è il log:

Logfile of HijackThis v1.99.1
Scan saved at 9.29.11, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\winlogon.exe
C:\Programmi\Firebird\Firebird_1_5\bin\fbguard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\SiteAdvisor\6253\SAService.exe
C:\Programmi\Firebird\Firebird_1_5\bin\fbserver.ex e
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3Trayp.exe
C:\Programmi\SiteAdvisor\6253\SiteAdv.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\msco rsvw.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
\Tserver\Documenti\UFFICIO FORCELLINI\Pigi\foto\Nuova cartella\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.it/
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programmi\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programmi\SiteAdvisor\6253\SiteAdv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3Trayp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] C:\Programmi\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [qzreaa.exe] C:\WINDOWS\TEMP\qzreaa.exe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\system32\shellexp.exe en
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{27B64346-109A-48E9-AA36-FA05E5F6AE0E}: NameServer = 151.99.125.2,151.99.0.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC54E1BA-34DB-4287-BC07-F15F4FD159A1}: NameServer = 151.99.125.2,151.99.0.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{27B64346-109A-48E9-AA36-FA05E5F6AE0E}: NameServer = 151.99.125.2,151.99.0.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{27B64346-109A-48E9-AA36-FA05E5F6AE0E}: NameServer = 151.99.125.2,151.99.0.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Programmi\SiteAdvisor\6253\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Programmi\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Programmi\Firebird\Firebird_1_5\bin\fbserver.ex e
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Servizio SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Programmi\SiteAdvisor\6253\SAService.exe

Dall'analisi risultano esserci due oggetti da eliminare:

O4 - HKLM\..\Run: [qzreaa.exe] C:\WINDOWS\TEMP\qzreaa.exe
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\system32\shellexp.exe en

Il primo oggetto sono risucito ad eliminarlo ma il secondo "shellexp.exe en" sulla cartella system32 non è presente! o almeno non lo vedo...
Come posso fare?
Aiutatemi per favore!
Ciao e grazie!
Gigi

[Demonios@]

Con HijackThis fix queste:

-O4 - HKLM\..\Run: [qzreaa.exe] C:\WINDOWS\TEMP\qzreaa.exe
-O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\system32\shellexp.exe en

Scarica the Avenger
http://swandog46.geekstogo.com/avenger.zip
lo salvi in una cartella, scompatti il file .zip.
Esegui il file avenger.exe

inserisci questo script nel box bianco

folders to delete:
C:\WINDOWS\temp
C:\WINDOWS\Tasks


Clicca su Execute
Il pc dovrebbe riavviarsi ( se così non fosse, fallo tu)
Posta il log che verrà creato in C:\Avenger

FAi una scansione con VirIT. (aggiornalo)
http://www.tgsoft.it/italy/download.htm
posta il report

[gippi73]

Ciao Demonios, grazie mille...questi sono il log e il report:
Avenger:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon Apr 14 09:09:07 2008

09:09:07: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon Apr 14 09:09:20 2008

09:09:20: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Mon Apr 14 09:09:31 2008

09:09:31: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\WINDOWS\temp" deleted successfully.
Folder "C:\WINDOWS\Tasks" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

VirIT:
VirIT eXplorer Lite Log

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
14/04/2008 - 09:17:50

[SCANSIONE DEL REGISTRO]
{25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} Infetto da BHO.Softomate.G
* * * RIMOSSO * * *

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\Documents and Settings\Admin\Menu Avvio\exsplorer.lnk Infetto da Trojan.Win32.Agent.SP
* * * RIMOSSO * * *

Chiavi Registro infette: 1.
Files Infetti: 1.
Files Sospetti: 0.
Files Analizzati: 40707.
Files Totali: 40707.
Chiavi Registro rimosse: 1.
Virus Rimossi: 1.

Cosa devo fare ora?
Ciao e grazie..
Gigi

[Demonios@]

ok... nod32 ti rileva ancora WIN32/Dialer.RU cavallo di troia,?

setta nod in questo modo:
http://www.wilderssecurity.com/showt...587#post264587
ciao

[gippi73]

Ciao ho seguito le tue istruzioni per il settaggio del nod32, fatta la scansione non rileva per ora il virus...resto in attesa!
Devo eseguire altre operazioni?
Ciao e grazie mille!
Gigi

[gippi73]

Ciao, cosa devo fare ora? Pensi che il virus sia sparito? Ciao e grazie!
Gigi