
Thread: virtumonde...

  1. #1
    musset (HTML.it user, registered Feb 2004, 120 posts)

    virtumonde...

    I'm having serious trouble removing virtumonde.. I followed all the procedures flagged in the sticky, but got no result. Spybot detects it and removes it, but it comes right back. This is the log I got:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4.15.43, on 16/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
    C:\Programmi\File comuni\Symantec Shared\AppCore\AppSvc32.exe
    C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\File comuni\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
    C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\Programmi\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
    C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Programmi\File comuni\LightScribe\LSSrvc.exe
    C:\Programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
    C:\Programmi\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\DOCUME~1\Admin\IMPOST~1\Temp\RtkBtMnt.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    C:\PROGRA~1\LAUNCH~1\LManager.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\Programmi\Logitech\QuickCam\Quickcam.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Programmi\File comuni\Real\Update_OB\realsched.exe
    C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Programmi\Microsoft Encarta\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\DAEMON Tools\daemon.exe
    C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
    C:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Programmi\File comuni\Logishrd\LQCVFX\COCIManager.exe
    C:\Programmi\PC Connectivity Solution\Transports\NclIrSrv.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Programmi\Windows Live\Messenger\msnmsgr.exe
    C:\Programmi\Windows Live\Messenger\usnsvc.exe
    C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Programmi\eMule\emule.exe
    C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://it.rd.yahoo.com/customize/yco...//it.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.intl.acer.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.intl.acer.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://it.rd.yahoo.com/customize/yco...//it.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://it.intl.acer.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programmi\File comuni\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: (no name) - {214DFF14-C999-4CC1-8368-163DE104978D} - (no file)
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programmi\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {362ceec6-a077-4d8d-92a0-337606f305cd} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7cd10e3c-7e9d-4896-a11f-9591a5e17080} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8428276F-52EB-4DC1-BDC8-858F7FDF4C6A} - (no file)
    O2 - BHO: (no name) - {8bd88335-9313-480e-afd4-80e849248169} - (no file)
    O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {91a1bc63-afc1-4855-ab76-b760c192dee1} - (no file)
    O2 - BHO: Encarta Web Companion Oggetto helper - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O2 - BHO: (no name) - {BD098B88-C56E-4864-99CF-BA5742F4673A} - (no file)
    O2 - BHO: (no name) - {ED2EEFF2-A42B-4A0C-A235-526FF4C4CC91} - C:\WINDOWS\system32\mlljk.dll (file missing)
    O2 - BHO: (no name) - {F501C2AB-834A-4B9D-A86B-A1EADA760B00} - (no file)
    O2 - BHO: {4cccfea9-6ca8-a5d8-9ea4-df76643f298f} - {f892f346-67fd-4ae9-8d5a-8ac69aefccc4} - C:\WINDOWS\system32\xehqghyr.dll
    O2 - BHO: (no name) - {F95D24B9-D7CC-40B1-A89D-D9A9177F472D} - (no file)
    O3 - Toolbar: Mostra Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programmi\File comuni\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
    O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
    O4 - HKLM\..\Run: [IAAnotif] "C:\Programmi\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AzMixerSel] C:\Programmi\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Programmi\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
    O4 - HKLM\..\Run: [eLockMonitor] C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programmi\File comuni\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programmi\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [d87b0960] rundll32.exe "C:\WINDOWS\system32\quwvsmad.dll",b
    O4 - HKLM\..\Run: [BMdb483afc] Rundll32.exe "C:\WINDOWS\system32\xsdxdkdv.dll",s

  2. #2
    musset (HTML.it user, registered Feb 2004, 120 posts)

    O4 - HKCU\..\Run: [E06IXLRD_2772984] "C:\Programmi\Microsoft Encarta\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE" -m
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
    O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
    O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Acer Empowering Technology.lnk = ?
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{47987C28-D2F7-4811-9B9A-3F2A42558E9B}: NameServer = 85.37.17.5 85.38.28.77
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: tuvsrrs - C:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: eLock Service (eLockService) - - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programmi\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Convalida password di Symantec IS (ISPwdSvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Programmi\File comuni\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programmi\File comuni\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programmi\WinPcap\rpcapd.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe

    --
    End of file - 16032 bytes

  3. #3
    Deifobe (HTML.it user, registered Oct 2007, 6,072 posts)

    I can see you've tried to remove it.. let's have a look..
    Download SystemScan

    Disconnect the PC from the internet => run SystemScan => tick all the options => click "Scan Now". When the scan has finished, upload the report you find in C:\Suspectfile to Freefilehosting and post the link you get.

    If you have trouble running it, disable the antivirus, but remember to re-enable it before connecting the PC to the internet.

    bye

  4. #4
    musset (HTML.it user, registered Feb 2004, 120 posts)

    report

    I ran the program, here is the report

    http://www.freefilehosting.net/download/3dgbb

    thanks

  5. #5
    Deifobe (HTML.it user, registered Oct 2007, 6,072 posts)

    I've almost finished.
    Please don't run any more scans.

    edit:
    download everything you need (Avenger, CCleaner, VundoFix etc. etc.), analyse the file, and then run the whole procedure disconnected from the internet, I insist.. Copy these instructions into a text file.

    download: Avenger, CCleaner, VundoFix and FixVundo

    Disable System Restore: Start -> Control Panel -> System -> System Restore -> tick "Turn off System Restore"

    Analyse C:\WINDOWS\pskt.ini on VirusTotal. If it's infected, remove it and empty the Recycle Bin.
    If it isn't, create a folder in C:\, call it pippo, move the file into it, then zip it, keep the zipped copy in the pippo folder and delete the file, emptying the Recycle Bin as well.

    With HJT fix:
    R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {214DFF14-C999-4CC1-8368-163DE104978D} - (no file)
    O2 - BHO: (no name) - {362ceec6-a077-4d8d-92a0-337606f305cd} - (no file)
    O2 - BHO: (no name) - {7cd10e3c-7e9d-4896-a11f-9591a5e17080} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8428276F-52EB-4DC1-BDC8-858F7FDF4C6A} - (no file)
    O2 - BHO: (no name) - {8bd88335-9313-480e-afd4-80e849248169} - (no file)
    O2 - BHO: (no name) - {91a1bc63-afc1-4855-ab76-b760c192dee1} - (no file)
    O2 - BHO: (no name) - {BD098B88-C56E-4864-99CF-BA5742F4673A} - (no file)
    O2 - BHO: (no name) - {ED2EEFF2-A42B-4A0C-A235-526FF4C4CC91} - C:\WINDOWS\system32\mlljk.dll (file missing)
    O2 - BHO: (no name) - {F501C2AB-834A-4B9D-A86B-A1EADA760B00} - (no file)
    O2 - BHO: {4cccfea9-6ca8-a5d8-9ea4-df76643f298f} - {f892f346-67fd-4ae9-8d5a-8ac69aefccc4} - C:\WINDOWS\system32\xehqghyr.dll
    O2 - BHO: (no name) - {F95D24B9-D7CC-40B1-A89D-D9A9177F472D} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [d87b0960] rundll32.exe "C:\WINDOWS\system32\quwvsmad.dll",b
    O4 - HKLM\..\Run: [BMdb483afc] Rundll32.exe "C:\WINDOWS\system32\xsdxdkdv.dll",s
    O20 - Winlogon Notify: tuvsrrs - C:\WINDOWS\

    run Avenger and copy/paste into the white box:
    files to delete:
    C:\WINDOWS\BMdb483afc.xml
    C:\WINDOWS\BMdb483afc.txt
    C:\WINDOWS\system32\ldxsipbl.dll
    C:\WINDOWS\system32\xsdxdkdv.dll
    C:\WINDOWS\system32\uhexiesn.dll
    C:\WINDOWS\system32\hxwbgrqx.ini
    C:\WINDOWS\system32\vtutrsp.dll
    C:\WINDOWS\system32\hdajjvip.dll
    C:\WINDOWS\system32\njglbqkh.dll
    C:\WINDOWS\system32\vtutqqo.dll
    C:\WINDOWS\system32\efccaax.dll
    C:\WINDOWS\system32\hggfeec.dll
    C:\WINDOWS\system32\jfcqrqhw.ini
    C:\WINDOWS\system32\nfmsqqes.dll
    C:\WINDOWS\system32\prftmfuc.dll
    C:\WINDOWS\system32\tuvsssp.dll
    C:\WINDOWS\system32\cbxvtsp.dll
    C:\WINDOWS\system32\xsdxdkdv.dll
    C:\WINDOWS\system32\khfffff.dll
    C:\WINDOWS\system32\rqrspnn.dll
    C:\WINDOWS\system32\hklvbwxd.ini
    C:\WINDOWS\system32\qfqpiltb.dll
    C:\WINDOWS\system32\bkdpqhvr.dll
    C:\WINDOWS\system32\hggeded.dll
    C:\WINDOWS\system32\nnkntfun.ini
    C:\WINDOWS\system32\eigsiadi.dll
    C:\WINDOWS\system32\nlddypih.dll
    C:\WINDOWS\system32\nsuhkhct.ini
    C:\WINDOWS\system32\dcjvdyba.dll
    C:\WINDOWS\system32\vunphycw.dll
    C:\WINDOWS\system32\qtamnkps.dll
    C:\WINDOWS\system32\wcyhpnuv.ini
    C:\WINDOWS\system32\vuikxeon.dll
    C:\WINDOWS\system32\mvaaepbg.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\damsvwuq.ini
    C:\WINDOWS\system32\quwvsmad.dll
    C:\WINDOWS\system32\xsdxdkdv.dll
    C:\WINDOWS\system32\wuawlopf.dll
    C:\WINDOWS\system32\xehqghyr.dll
    C:\WINDOWS\system32\fpolwauw.ini
    C:\WINDOWS\system32\xsdxdkdv.dll
    C:\WINDOWS\system32\xehqghyr.dll

    Registry values to replace with dummy:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

    registry values to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run | d87b0960
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run | BMdb483afc

    registry keys to delete:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvsrrs
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\efccaax
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfffff
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{214DFF14-C999-4CC1-8368-163DE104978D}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{362ceec6-a077-4d8d-92a0-337606f305cd}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7cd10e3c-7e9d-4896-a11f-9591a5e17080}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8428276F-52EB-4DC1-BDC8-858F7FDF4C6A}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8bd88335-9313-480e-afd4-80e849248169}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91a1bc63-afc1-4855-ab76-b760c192dee1}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD098B88-C56E-4864-99CF-BA5742F4673A}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED2EEFF2-A42B-4A0C-A235-526FF4C4CC91}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F501C2AB-834A-4B9D-A86B-A1EADA760B00}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f892f346-67fd-4ae9-8d5a-8ac69aefccc4}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F95D24B9-D7CC-40B1-A89D-D9A9177F472D}
    Tick "Automatically disable any rootkits found" and click "execute".
    The PC should reboot by itself, otherwise reboot it yourself. Post the report it produces.

    Run CCleaner and clean both the temporary files and cookies (twice) and the registry.

    Run a scan with FixVundo and VundoFix.

    Post a new SystemScan report.


    NOTE for me: HKEY_LOCAL_MACHINE\system\controlset001\services\au0pdb1x (***)
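An added example, not from the thread or from any of the tools it mentions: a small Python triage pass over HijackThis-style log lines that flags the same kinds of entries the helper singled out above (orphaned BHO/URLSearchHook entries, rundll32 autostarts of random-named DLLs under hex-looking value names, and a random-named Winlogon Notify hook). The name patterns are my own assumptions, and the sample entries are a subset copied from the log posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Name patterns are my own assumptions, tuned to the entries in this thread:
# Vundo dropped DLLs with 7-8 random lowercase letters and registered them under
# hex-looking Run value names. Treat hits as leads for an analyst, not verdicts.
RANDOM_STEM = re.compile(r"^[a-z]{7,8}$")                 # xehqghyr, quwvsmad, tuvsrrs
RANDOM_VALUE = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.I)  # d87b0960, BMdb483afc
GUID = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")                # "O2 - BHO: ..." style lines

@dataclass
class Finding:
    section: str
    reason: str
    line: str

def _stem(path: str) -> str:
    """Lower-case file name without extension: 'C:\\x\\abc.dll' -> 'abc'."""
    name = path.strip('"').rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()

def _random_dll_in_system32(path: str) -> bool:
    p = path.strip('"').lower()
    return "\\system32\\" in p and p.endswith(".dll") and bool(RANDOM_STEM.match(_stem(p)))

def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis entry, or None if it looks benign."""
    line = line.strip()
    m = ENTRY.match(line)
    if not m:
        return None
    section, body = m.groups()

    # Orphans: the registry still references a file that is gone. Harmless on
    # their own, but typical leftovers of a partial clean-up and safe to fix.
    if section in ("R3", "O2", "O9") and body.endswith(("(no file)", "(file missing)")):
        return Finding(section, "orphaned entry, referenced file no longer exists", line)

    if section == "O2":  # BHO: <name> - {CLSID} - <path>
        parts = body.rsplit(" - ", 2)
        if len(parts) == 3 and _random_dll_in_system32(parts[2]):
            name = parts[0].split(":", 1)[-1].strip()
            why = "BHO loading a random-named DLL from system32"
            if GUID.match(name):
                why += ", and itself named by a GUID"
            return Finding(section, why, line)

    if section == "O4":  # <hive>\..\Run: [value name] command line
        vm = re.search(r"\[([^\]]+)\]\s*(.*)$", body)
        if vm and vm.group(2).lower().startswith("rundll32.exe"):
            value, cmd = vm.groups()
            dm = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', cmd, re.I)
            dll = (dm.group(1) or dm.group(2)) if dm else ""
            if _random_dll_in_system32(dll):
                why = "rundll32 autostart of a random-named DLL"
                if RANDOM_VALUE.match(value):
                    why += " under a random value name"
                return Finding(section, why, line)

    if section == "O20":  # Winlogon Notify: <subkey> - <path>
        wm = re.match(r"Winlogon Notify:\s*(\S+)\s*-", body)
        if wm and RANDOM_STEM.match(wm.group(1).lower()):
            return Finding(section, "Winlogon Notify hook with a random subkey name", line)
    return None

def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]

# Sample entries copied from the log posted in this thread (constructed subset).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ED2EEFF2-A42B-4A0C-A235-526FF4C4CC91} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: {4cccfea9-6ca8-a5d8-9ea4-df76643f298f} - {f892f346-67fd-4ae9-8d5a-8ac69aefccc4} - C:\WINDOWS\system32\xehqghyr.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [d87b0960] rundll32.exe "C:\WINDOWS\system32\quwvsmad.dll",b
O4 - HKLM\..\Run: [BMdb483afc] Rundll32.exe "C:\WINDOWS\system32\xsdxdkdv.dll",s
O20 - Winlogon Notify: tuvsrrs - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Entries that match the "random name" pattern still need a look against a known-good list before anything is fixed; the heuristic will occasionally hit a legitimate short DLL name.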

  6. #6
    Deifobe (HTML.it user, registered Oct 2007, 6,072 posts)

    Re: virtumonde...

    Originally posted by musset
    I'm having serious trouble removing virtumonde.. I followed all the procedures flagged in the sticky, but got no result.
    I'd say I saw that clearly, there was a bit of a mess....
    now listen.. to avoid having to chase files that multiply and recreate themselves, don't run anything other than what I indicate... or, in any case, if you do, make sure the reports I ask you for (SystemScan, for example) are the last thing you run.

    bye

  7. #7
    musset (HTML.it user, registered Feb 2004, 120 posts)

    ok

    the problem seems solved. This is the Avenger report

    http://www.freefilehosting.net/download/3dj37

    This is the SystemScan report

    http://www.freefilehosting.net/download/3dj38

    Thanks

  8. #8
    Deifobe (HTML.it user, registered Oct 2007, 6,072 posts)

    sorry.. did you disable System Restore?
    did you fix the entries with HJT? it's partly all the same as before...

    disconnect the PC from the internet

    1) open the registry (click "Start" - Run - type regedit and hit OK)
    Follow this path:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvsrrs

    click once on tuvsrrs
    In the right-hand pane find and write down the file that is called - it should be random, like the ones you deleted
    Then right-click tuvsrrs again and select "Delete".
    Post the file name (.. write the name correctly)

    2) open a text file and copy this into it:
    Windows Registry Editor Version 5.00

    [-HKCR\CLSID\{99B3CA44-61A6-42B1-9A7E-B8CD3BF5EEBB}]
    and save it exactly like this:
    name: fix.reg
    file type: all files
    save it in C:\
    close the file and don't open it again

    3) run Avenger and copy/paste:
    files to delete:
    C:\WINDOWS\system32\sstqo.dll

    registry keys to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{214DFF14-C999-4CC1-8368-163DE104978D}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{362ceec6-a077-4d8d-92a0-337606f305cd}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7cd10e3c-7e9d-4896-a11f-9591a5e17080}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8428276F-52EB-4DC1-BDC8-858F7FDF4C6A}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8bd88335-9313-480e-afd4-80e849248169}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91a1bc63-afc1-4855-ab76-b760c192dee1}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99B3CA44-61A6-42B1-9A7E-B8CD3BF5EEBB}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD098B88-C56E-4864-99CF-BA5742F4673A}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED2EEFF2-A42B-4A0C-A235-526FF4C4CC91}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F501C2AB-834A-4B9D-A86B-A1EADA760B00}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f892f346-67fd-4ae9-8d5a-8ac69aefccc4}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F95D24B9-D7CC-40B1-A89D-D9A9177F472D}

    Programs to launch on reboot:
    C:\fix.reg
    Tick "Automatically disable any rootkits found" and click "execute".
    The PC should reboot by itself, otherwise reboot it yourself. Post the report it produces.

    4) run HJT and fix, if present:
    R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {214DFF14-C999-4CC1-8368-163DE104978D} - (no file)
    O2 - BHO: (no name) - {362ceec6-a077-4d8d-92a0-337606f305cd} - (no file)
    O2 - BHO: (no name) - {7cd10e3c-7e9d-4896-a11f-9591a5e17080} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8428276F-52EB-4DC1-BDC8-858F7FDF4C6A} - (no file)
    O2 - BHO: (no name) - {8bd88335-9313-480e-afd4-80e849248169} - (no file)
    O2 - BHO: (no name) - {91a1bc63-afc1-4855-ab76-b760c192dee1} - (no file)
    O2 - BHO: (no name) - {99B3CA44-61A6-42B1-9A7E-B8CD3BF5EEBB} - C:\WINDOWS\system32\sstqo.dll (file missing)
    O2 - BHO: (no name) - {BD098B88-C56E-4864-99CF-BA5742F4673A} - (no file)
    O2 - BHO: (no name) - {ED2EEFF2-A42B-4A0C-A235-526FF4C4CC91} - (no file)
    O2 - BHO: (no name) - {F501C2AB-834A-4B9D-A86B-A1EADA760B00} - (no file)
    O2 - BHO: (no name) - {f892f346-67fd-4ae9-8d5a-8ac69aefccc4} - (no file)
    O2 - BHO: (no name) - {F95D24B9-D7CC-40B1-A89D-D9A9177F472D} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O20 - Winlogon Notify: tuvsrrs - C:\WINDOWS\
    post a new SystemScan scan

  9. #9
    Deifobe (HTML.it user, registered Oct 2007, 6,072 posts)

    please check whether System Restore is disabled
    the keys had also been deleted by Avenger.. but in the registry (even without the files) they're still there.. :rollo:
