  #11
    I'll get right on it! As for antivirus, at the moment I only have Avira AntiVir and Kaspersky SOS, which I'm sure can coexist with other antivirus products... anyway, once Vundo is gone I'll keep only AntiVir, and this time I'll pair it with a firewall or an antispyware tool!

  #12
    Done. So...

    Let's start with the first point. Right after I clicked "Proceed with removal" a regedit.exe error window appeared saying the process could not be initialized because the system was shutting down, or something like that.

    Then the computer rebooted by itself. On startup the Avira AntiVir alert appeared again (I had disabled it before the removal, but the real-time protection turned itself back on at system startup) and it again detected vundo.gen in hsqqedin.dll and ddabc.dll. Then a DOS window (cmd.exe) opened and ran some operations (I don't know what kind, but Avenger was involved), giving a series of errors. After that the SystemScan window did not open to show me the result; instead Notepad opened with the file avenger.txt. The contents of avenger.txt are:

    //////////////////////////////////////////
    Avenger Pre-Processor log
    //////////////////////////////////////////

    Syntax error in line --- no registry value to delete found. Line will be ignored.
    Error code: 0
    Line: HKLM\Software\Microsoft\Windows\CurrentVersion\Run \34cc591f
    Then I ran a cleanup with CCleaner, which threw away almost 1 GB of (I think) useless stuff, and here I am posting. Now I'll retry the scan with SystemScan as you suggested...

  #13
    amvinfe (Moderator, Computer security and viruses; joined May 2002; 6,739 posts):
    try repeating the removal with the script I gave you; remember to disable the antivirus (both of them) and to stay offline.
    ==
    Visit my blog SuspectFile.com
    ==

  #14
    I'll try again now. Meanwhile, this is the URL of the scan: http://www.sendmefile.com/00610638.

    One note: when I opened SystemScan there was a blue message at the bottom saying the script had been executed successfully. Anyway, I'm retrying now.

  #15
    It went better this time. I temporarily uninstalled AntiVir because even with real-time scanning disabled the process stayed active and I could not terminate it from Task Manager.

    Anyway... when I started the script the error window came up again: Regedit.exe - DLL initialization failed: The application could not be initialized because the window station is shutting down (or something similar). After the reboot the SystemScan window appeared saying the script had been processed correctly. Then again the cmd.exe DOS window giving some errors, and then the avenger.txt log:

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\gwcqncmk

    *******************

    Script file located at: \??\C:\Documents and Settings\embkomdg.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\system32\mmjxydvu.ini deleted successfully.
    File C:\WINDOWS\system32\ddabc.dll deleted successfully.
    File C:\WINDOWS\system32\hsqqedin.dll deleted successfully.
    File C:\WINDOWS\system32\syhjwsiv.dll deleted successfully.


    File C:\WINDOWS\system32\ijbueckf.dll not found!
    Deletion of file C:\WINDOWS\system32\ijbueckf.dll failed!

    Could not process line:
    C:\WINDOWS\system32\ijbueckf.dll
    Status: 0xc0000034

    File C:\WINDOWS\system32\fkceubji.ini deleted successfully.
    File C:\WINDOWS\system32\gjilaygb.dll deleted successfully.
    File C:\WINDOWS\system32\cbadd.ini2 deleted successfully.
    File C:\WINDOWS\system32\cbadd.ini deleted successfully.


    File C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX308.tmp not found!
    Deletion of file C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX308.tmp failed!

    Could not process line:
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX308.tmp
    Status: 0xc0000034



    File C:\DOCUME~1\Cicco\IMPOST~1\Temp\3q93E3.tmp not found!
    Deletion of file C:\DOCUME~1\Cicco\IMPOST~1\Temp\3q93E3.tmp failed!

    Could not process line:
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\3q93E3.tmp
    Status: 0xc0000034



    File C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX13D.tmp not found!
    Deletion of file C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX13D.tmp failed!

    Could not process line:
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX13D.tmp
    Status: 0xc0000034



    File C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX3AE.tmp not found!
    Deletion of file C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX3AE.tmp failed!

    Could not process line:
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX3AE.tmp
    Status: 0xc0000034



    File C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX29.tmp not found!
    Deletion of file C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX29.tmp failed!

    Could not process line:
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX29.tmp
    Status: 0xc0000034



    File C:\DOCUME~1\Cicco\IMPOST~1\Temp\3169644 not found!
    Deletion of file C:\DOCUME~1\Cicco\IMPOST~1\Temp\3169644 failed!

    Could not process line:
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\3169644
    Status: 0xc0000034



    File C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX49.tmp not found!
    Deletion of file C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX49.tmp failed!

    Could not process line:
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX49.tmp
    Status: 0xc0000034



    File C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX381.tmp not found!
    Deletion of file C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX381.tmp failed!

    Could not process line:
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\AAX381.tmp
    Status: 0xc0000034



    File C:\DOCUME~1\Cicco\IMPOST~1\Temp\removalfile.bat not found!
    Deletion of file C:\DOCUME~1\Cicco\IMPOST~1\Temp\removalfile.bat failed!

    Could not process line:
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\removalfile.bat
    Status: 0xc0000034



    File C:\WINDOWS\system32\spoolw.exe not found!
    Deletion of file C:\WINDOWS\system32\spoolw.exe failed!

    Could not process line:
    C:\WINDOWS\system32\spoolw.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\igfxsvc.exe not found!
    Deletion of file C:\WINDOWS\system32\igfxsvc.exe failed!

    Could not process line:
    C:\WINDOWS\system32\igfxsvc.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\iifcawx.dll not found!
    Deletion of file C:\WINDOWS\system32\iifcawx.dll failed!

    Could not process line:
    C:\WINDOWS\system32\iifcawx.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\mlljk.dll not found!
    Deletion of file C:\WINDOWS\system32\mlljk.dll failed!

    Could not process line:
    C:\WINDOWS\system32\mlljk.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\hsqqedin.dll not found!
    Deletion of file C:\WINDOWS\system32\hsqqedin.dll failed!

    Could not process line:
    C:\WINDOWS\system32\hsqqedin.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\gjilaygb.dll not found!
    Deletion of file C:\WINDOWS\system32\gjilaygb.dll failed!

    Could not process line:
    C:\WINDOWS\system32\gjilaygb.dll
    Status: 0xc0000034



    File C:\DOCUME~1\Cicco\IMPOST~1\Temp\win13C.exe not found!
    Deletion of file C:\DOCUME~1\Cicco\IMPOST~1\Temp\win13C.exe failed!

    Could not process line:
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\win13C.exe
    Status: 0xc0000034



    File C:\DOCUME~1\Cicco\IMPOST~1\Temp\win154.bat not found!
    Deletion of file C:\DOCUME~1\Cicco\IMPOST~1\Temp\win154.bat failed!

    Could not process line:
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\win154.bat
    Status: 0xc0000034

    Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.


    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9AA57522-2ECD-47DF-BD38-20E7E577A464} not found!
    Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9AA57522-2ECD-47DF-BD38-20E7E577A464} failed!
    Status: 0xc0000034

    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38253AA1-B7CB-4562-BBDE-AB0341B440B5} not found!
    Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38253AA1-B7CB-4562-BBDE-AB0341B440B5} failed!
    Status: 0xc0000034

    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{799C1013-489B-42C4-A344-86D700895700} deleted successfully.
    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A} deleted successfully.

    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{addaf5bf-de45-443a-99a8-dfb32b02cd95} not found!
    Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{addaf5bf-de45-443a-99a8-dfb32b02cd95} failed!
    Status: 0xc0000034

    Program C:\Documents and Settings\Cicco\Desktop\sys24275.exe successfully set up to run once on reboot.

    Completed script processing.

    *******************

    Finished! Terminate.
    Shall I run another scan with SystemScan?

    Edit: just in case, I'll run the scan and then post the URL.

  #16
    amvinfe:
    wait, let's try closing explorer.exe and launching the application from there; give me two minutes and I'll prepare everything.

    NB
    some values were not found because they had already been removed with CCleaner

  #17
    amvinfe:
    Vundo has injected two libraries into explorer.exe, which is why we will terminate that system process.
    pay attention to the procedure, print it out if you can, because when we terminate explorer.exe the desktop icons will disappear.

    still offline and with the antivirus disabled:
    - open Task Manager (CTRL+ALT+DEL)
    - select explorer.exe and End Process
    - with Task Manager still open, click "File" at the top left and then "New Task". Click "Browse" and look for the file sys24275.exe; if you haven't moved it, search on the desktop (it's the SystemScan executable)
    - with SystemScan open, click "Removal Script" and in the box add the part in red shown below:

    Registry values to replace with dummy:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

    registry values to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run | 34cc591f

    Files to delete:
    C:\WINDOWS\bootstat.dat
    C:\WINDOWS\mximnvby.txt
    C:\WINDOWS\system32\mmjxydvu.ini
    C:\WINDOWS\system32\ddabc.dll
    C:\WINDOWS\system32\hsqqedin.dll
    C:\WINDOWS\system32\syhjwsiv.dll
    C:\WINDOWS\system32\gjilaygb.dll
    C:\WINDOWS\system32\fkceubji.ini
    C:\WINDOWS\system32\vstwwvge.dll
    C:\WINDOWS\system32\cdcdcojy.dll
    C:\WINDOWS\system32\yjocdcdc.ini
    C:\WINDOWS\system32\cbadd.ini2
    C:\WINDOWS\system32\hsqqedin.dllbox
    C:\WINDOWS\system32\cbadd.ini
    C:\WINDOWS\system32\spoolw.exe
    C:\WINDOWS\system32\igfxsvc.exe
    C:\WINDOWS\system32\iifcawx.dll
    C:\WINDOWS\system32\mlljk.dll
    C:\WINDOWS\system32\vstwwvge.dll
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\win13C.exe

    registry keys to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{541A59AB-181B-41AF-8403-C0E8B50AA974}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{799C1013-489B-42C4-A344-86D700895700}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{871f54ce-6c4f-43a2-ae6d-16aa80fad360}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9AA57522-2ECD-47DF-BD38-20E7E577A464}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9AA57522-2ECD-47DF-BD38-20E7E577A464}
    now select "Proceed with removal" and click OK.

    after the reboot post the contents of avenger.txt
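The moderator's script above follows The Avenger's section format (registry values to replace with dummy, registry values to delete, files to delete, registry keys to delete). The first run in #12 was rejected on the Run value line with "no registry value to delete found", and the script above lists vstwwvge.dll twice, which will come back as one "deleted" and one "not found" in the log. As an added example, not part of the thread or of The Avenger itself, here is a small Python linter for that format that catches both before the reboot; the script it checks is a constructed sample with a missing "|" separator, a relative path and a duplicate entry built in.

```python
import re
from collections import Counter

# Section headings of The Avenger script format as used in the moderator's
# script in this thread; matched case-insensitively.
SECTION_RE = re.compile(
    r"^(registry values to replace with dummy|registry values to delete|"
    r"files to delete|registry keys to delete):$",
    re.I,
)
HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")

# Constructed sample (not the thread's script): a value line that lacks the
# "|" separator, a relative file path, and a DLL listed twice.
SAMPLE_SCRIPT = r"""
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \34cc591f

Files to delete:
C:\WINDOWS\system32\vstwwvge.dll
C:\WINDOWS\system32\cdcdcojy.dll
C:\WINDOWS\system32\vstwwvge.dll
system32\mlljk.dll

registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9AA57522-2ECD-47DF-BD38-20E7E577A464}
"""


def lint_avenger_script(text):
    """Return (sections, problems) for an Avenger removal script.

    sections maps each heading to its accepted entries; problems is a list of
    (line_no, message, line).  Registry value lines must read 'key | value':
    the first run in the thread was rejected with "no registry value to
    delete found" because that separator was missing.
    """
    sections, problems, current = {}, [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            problems.append((no, "entry before any section heading", line))
            continue
        if current.startswith("registry values"):
            if "|" not in line:
                problems.append((no, "registry value line needs 'key | value'", line))
                continue
            key, value = (p.strip() for p in line.split("|", 1))
            if not key.upper().startswith(HIVES) or not value:
                problems.append((no, "registry value needs a hive-rooted key and a value name", line))
                continue
            line = f"{key} | {value}"
        elif current == "registry keys to delete":
            if not line.upper().startswith(HIVES):
                problems.append((no, "registry key must start with a hive (HKLM, HKCU, ...)", line))
                continue
        elif current == "files to delete":
            if not re.match(r"^[A-Za-z]:\\", line):
                problems.append((no, "file path must be absolute (drive letter first)", line))
                continue
        sections[current].append(line)

    # A path listed twice is deleted on the first pass and then reported as
    # "not found" on the second, which reads like a failure in avenger.txt.
    for heading, entries in sections.items():
        for entry, count in Counter(e.lower() for e in entries).items():
            if count > 1:
                problems.append((0, f"duplicate entry in '{heading}' ({count}x)", entry))
    return sections, problems


if __name__ == "__main__":
    _, found = lint_avenger_script(SAMPLE_SCRIPT)
    for no, msg, line in found:
        print(f"line {no or '-'}: {msg}: {line}")
```

Run it on the script text before pasting it into SystemScan: a line number of 0 marks a duplicate (which has no single line), and any other problem points at the exact line to fix.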

  #18
    Done! Here is the log:

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\miwpwjxr

    *******************

    Script file located at: \??\C:\WINDOWS\system32\cfymkfae.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\bootstat.dat deleted successfully.
    File C:\WINDOWS\mximnvby.txt deleted successfully.


    File C:\WINDOWS\system32\mmjxydvu.ini not found!
    Deletion of file C:\WINDOWS\system32\mmjxydvu.ini failed!

    Could not process line:
    C:\WINDOWS\system32\mmjxydvu.ini
    Status: 0xc0000034



    File C:\WINDOWS\system32\ddabc.dll not found!
    Deletion of file C:\WINDOWS\system32\ddabc.dll failed!

    Could not process line:
    C:\WINDOWS\system32\ddabc.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\hsqqedin.dll not found!
    Deletion of file C:\WINDOWS\system32\hsqqedin.dll failed!

    Could not process line:
    C:\WINDOWS\system32\hsqqedin.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\syhjwsiv.dll not found!
    Deletion of file C:\WINDOWS\system32\syhjwsiv.dll failed!

    Could not process line:
    C:\WINDOWS\system32\syhjwsiv.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\gjilaygb.dll not found!
    Deletion of file C:\WINDOWS\system32\gjilaygb.dll failed!

    Could not process line:
    C:\WINDOWS\system32\gjilaygb.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\fkceubji.ini not found!
    Deletion of file C:\WINDOWS\system32\fkceubji.ini failed!

    Could not process line:
    C:\WINDOWS\system32\fkceubji.ini
    Status: 0xc0000034

    File C:\WINDOWS\system32\vstwwvge.dll deleted successfully.
    File C:\WINDOWS\system32\cdcdcojy.dll deleted successfully.
    File C:\WINDOWS\system32\yjocdcdc.ini deleted successfully.


    File C:\WINDOWS\system32\cbadd.ini2 not found!
    Deletion of file C:\WINDOWS\system32\cbadd.ini2 failed!

    Could not process line:
    C:\WINDOWS\system32\cbadd.ini2
    Status: 0xc0000034

    File C:\WINDOWS\system32\hsqqedin.dllbox deleted successfully.


    File C:\WINDOWS\system32\cbadd.ini not found!
    Deletion of file C:\WINDOWS\system32\cbadd.ini failed!

    Could not process line:
    C:\WINDOWS\system32\cbadd.ini
    Status: 0xc0000034



    File C:\WINDOWS\system32\spoolw.exe not found!
    Deletion of file C:\WINDOWS\system32\spoolw.exe failed!

    Could not process line:
    C:\WINDOWS\system32\spoolw.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\igfxsvc.exe not found!
    Deletion of file C:\WINDOWS\system32\igfxsvc.exe failed!

    Could not process line:
    C:\WINDOWS\system32\igfxsvc.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\iifcawx.dll not found!
    Deletion of file C:\WINDOWS\system32\iifcawx.dll failed!

    Could not process line:
    C:\WINDOWS\system32\iifcawx.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\mlljk.dll not found!
    Deletion of file C:\WINDOWS\system32\mlljk.dll failed!

    Could not process line:
    C:\WINDOWS\system32\mlljk.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\vstwwvge.dll not found!
    Deletion of file C:\WINDOWS\system32\vstwwvge.dll failed!

    Could not process line:
    C:\WINDOWS\system32\vstwwvge.dll
    Status: 0xc0000034



    File C:\DOCUME~1\Cicco\IMPOST~1\Temp\win13C.exe not found!
    Deletion of file C:\DOCUME~1\Cicco\IMPOST~1\Temp\win13C.exe failed!

    Could not process line:
    C:\DOCUME~1\Cicco\IMPOST~1\Temp\win13C.exe
    Status: 0xc0000034

    Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
    Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run |34cc591f deleted successfully.


    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{541A59AB-181B-41AF-8403-C0E8B50AA974} not found!
    Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{541A59AB-181B-41AF-8403-C0E8B50AA974} failed!
    Status: 0xc0000034

    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{799C1013-489B-42C4-A344-86D700895700} not found!
    Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{799C1013-489B-42C4-A344-86D700895700} failed!
    Status: 0xc0000034

    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{871f54ce-6c4f-43a2-ae6d-16aa80fad360} deleted successfully.
    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9AA57522-2ECD-47DF-BD38-20E7E577A464} deleted successfully.

    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A} not found!
    Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A} failed!
    Status: 0xc0000034

    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9AA57522-2ECD-47DF-BD38-20E7E577A464} not found!
    Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9AA57522-2ECD-47DF-BD38-20E7E577A464} failed!
    Status: 0xc0000034
    Status: 0xc0000034

    Program C:\Documents and Settings\Cicco\Desktop\sys24275.exe successfully set up to run once on reboot.

    Completed script processing.

    *******************

    Finished! Terminate.

    I don't want to celebrate too early... but Kaspersky found no viruses after the reboot!!
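A practical way to read these logs: the status 0xc0000034 is the NTSTATUS value STATUS_OBJECT_NAME_NOT_FOUND, so every "failed" entry above carrying that code is a file or key that was already gone (CCleaner had removed some, as the moderator notes in #16, and the duplicate vstwwvge.dll line in the script produced another), not a deletion that Avenger was unable to perform. The entries that matter are failures with any other code, such as access denied or a sharing violation on a DLL still loaded in a process. The following Python is an added example, not from the thread or from The Avenger, that parses a log in this format and separates real failures from "already gone"; the sample log is constructed and includes a hypothetical locked.dll failing with a sharing violation to show the difference.

```python
import re

# NTSTATUS codes that show up in Avenger logs. 0xc0000034 is the only one in
# this thread; the other two are included so the report can tell a real
# failure from "already gone".
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}

LINE_RES = [
    ("deleted", re.compile(r"^(File|Registry key|Registry value) (.+) deleted successfully\.$")),
    ("replaced", re.compile(r"^Registry value (.+) replaced with dummy successfully\.$")),
    ("failed", re.compile(r"^Deletion of (?:file|registry key|registry value) (.+) failed!$")),
    ("status", re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")),
]

# Constructed sample log in the thread's format (not the posted avenger.txt):
# a DLL listed twice in the script, and a hypothetical locked.dll whose
# deletion fails with a sharing violation.
SAMPLE_LOG = r"""
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xxxxxxxx

Beginning to process script file:

File C:\WINDOWS\system32\vstwwvge.dll deleted successfully.
File C:\WINDOWS\system32\cdcdcojy.dll deleted successfully.

File C:\WINDOWS\system32\vstwwvge.dll not found!
Deletion of file C:\WINDOWS\system32\vstwwvge.dll failed!

Could not process line:
C:\WINDOWS\system32\vstwwvge.dll
Status: 0xc0000034

Deletion of file C:\WINDOWS\system32\locked.dll failed!

Could not process line:
C:\WINDOWS\system32\locked.dll
Status: 0xc0000043

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run |34cc591f deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9AA57522-2ECD-47DF-BD38-20E7E577A464} deleted successfully.

Completed script processing.
"""


def parse_avenger_log(text):
    """Group the log into deleted, replaced and failed items.

    Each failed item carries the NTSTATUS code from the "Status:" line that
    follows it, plus its symbolic name where known.
    """
    report = {"deleted": [], "replaced": [], "failed": []}
    pending = None  # item whose failure line was seen, status line not yet
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in LINE_RES:
            m = rx.match(line)
            if not m:
                continue
            if kind == "deleted":
                report["deleted"].append(m.group(2))
            elif kind == "replaced":
                report["replaced"].append(m.group(1))
            elif kind == "failed":
                pending = m.group(1)
            elif pending is not None:  # kind == "status"
                code = int(m.group(1), 16)
                report["failed"].append((pending, code, NTSTATUS.get(code, "unknown NTSTATUS")))
                pending = None
            break
    return report


def needs_retry(report):
    """Failed items that were really present: anything not 'name not found'."""
    return [item for item, code, _ in report["failed"] if code != 0xC0000034]


if __name__ == "__main__":
    rep = parse_avenger_log(SAMPLE_LOG)
    for item, code, name in rep["failed"]:
        print(f"{name} ({code:#010x}): {item}")
    print("still present, retry:", needs_retry(rep))
```

On the constructed log, only locked.dll ends up in the retry list; the vstwwvge.dll failure is classified as already gone, which is the same reading the moderator gives for the "not found" entries in the real logs.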

  #19
    amvinfe:
    I need a new SystemScan report so we can also proceed with the manual removal of some registry keys.
