Page 1 of 2 (showing posts 1 to 10 of 12)
  #1 Il Pazzo (HTML.it user, joined Jul 2004, 1,071 posts)

    Pop-up windows, Google won't load and the PC is slow

    As per the title... nothing else seems to happen.... here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 22.47.29, on 28/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\Programmi\Bonjour\mDNSResponder.exe
    C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
    C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
    C:\Programmi\Eset\nod32krn.exe
    C:\PROGRA~1\Trust\280KSK~1\Mouse\Amoumain.exe
    C:\Programmi\Eset\nod32kui.exe
    C:\WINDOWS\VM_STI.EXE
    C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
    C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programmi\eMule\emule.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Windows Live\Messenger\usnsvc.exe
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\Programmi\Yahoo!\Messenger\YahooMessenger.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    D:\Programmi\Vari\Anti-RootKit\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box;*.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F3 - REG:win.ini: load="C:\\Server.exe
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3EC6F0B2-2EFE-4C0C-982F-5F84D845C5DB} - C:\WINDOWS\system32\tuvWpNhg.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6A95A610-97C2-462E-9298-9CCF9C1DF98C} - C:\WINDOWS\system32\pmnnLbaW.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {9FDA66D4-8467-B2B7-17E4-A58F73227DC9} - C:\WINDOWS\system32\swuuh.dll
    O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\vtUnnlJa.dll
    O2 - BHO: (no name) - {B326F61E-73D5-4DA5-A2A0-05C0C49D520C} - (no file)
    O2 - BHO: (no name) - {B406DCE9-1F37-4606-8582-BFD67BF20F04} - (no file)
    O2 - BHO: {17c20721-4dd9-e299-e814-4d605ab7dc5b} - {b5cd7ba5-06d4-418e-992e-9dd412702c71} - C:\WINDOWS\system32\ltnauuhy.dll
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\Trust\280KSK~1\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 302
    O4 - HKLM\..\Run: [BM07600494] Rundll32.exe "C:\WINDOWS\system32\ivywpqmi.dll",s
    O4 - HKLM\..\Run: [04533708] rundll32.exe "C:\WINDOWS\system32\rkouwmlh.dll",b
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE08211F-D702-47A2-BC98-14B8D365BA0C}: NameServer = 62.94.0.1,62.94.0.2
    O20 - Winlogon Notify: vtUnnlJa - C:\WINDOWS\SYSTEM32\vtUnnlJa.dll
    O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
    O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MySQL - Unknown owner - C:\Programmi\MySQL\MySQL.exe (file missing)
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe

    --
    End of file - 6826 bytes
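Added example, not part of the thread and not code from HijackThis or its author: a small Python triage script that scores the lines of a HijackThis log the way the helper reads this one by eye (nameless BHOs, 8-letter gibberish DLLs in system32, rundll32 Run entries, a Winlogon Notify DLL, a win.ini load= entry) and turns the hits into the Avenger sections used later in this thread. The weights, the threshold and the looks_random heuristic are my assumptions, not HijackThis logic; the sample lines are copied from the log above, with the Spybot and NOD32 entries kept to show that legitimate lines stay below threshold.

```python
import re

# Lines copied verbatim from the HijackThis log above (not constructed); the Spybot
# and NOD32 entries are kept to show that legitimate lines stay below threshold.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load="C:\\Server.exe
O2 - BHO: (no name) - {3EC6F0B2-2EFE-4C0C-982F-5F84D845C5DB} - C:\WINDOWS\system32\tuvWpNhg.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A95A610-97C2-462E-9298-9CCF9C1DF98C} - C:\WINDOWS\system32\pmnnLbaW.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {17c20721-4dd9-e299-e814-4d605ab7dc5b} - {b5cd7ba5-06d4-418e-992e-9dd412702c71} - C:\WINDOWS\system32\ltnauuhy.dll
O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [BM07600494] Rundll32.exe "C:\WINDOWS\system32\ivywpqmi.dll",s
O20 - Winlogon Notify: vtUnnlJa - C:\WINDOWS\SYSTEM32\vtUnnlJa.dll
"""

RE_F3 = re.compile(r"^F3 - REG:win\.ini: (?P<key>load|run)=(?P<cmd>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RE_RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
THRESHOLD = 3  # assumed cut-off: one strong signal, or a weak one plus corroboration
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

def basename(path):
    """Last path component, with HijackThis' '(file missing)' suffix stripped."""
    return path.replace(" (file missing)", "").split("\\")[-1]

def looks_random(filename):
    """Crude check for 8-letter gibberish names; SDHelper.dll trips it too, hence only +1."""
    stem = filename.rsplit(".", 1)[0]
    if not stem.isalpha() or len(stem) != 8:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    inner_upper = any(stem[i].isupper() and stem[i - 1].islower() for i in range(1, 8))
    return vowels <= 3 or inner_upper

def score_line(line):
    """Score one HijackThis line; returns (score, reasons). Unhandled sections score 0."""
    hits = []
    if m := RE_F3.match(line):
        hits.append((5, f"win.ini {m['key']}= autostart: obsolete, classic hijack"))
    elif m := RE_O2.match(line):
        name, path = m["name"], m["path"]
        if name == "(no name)" or name.startswith("{"):
            hits.append((2, "BHO has no display name"))
        if "\\system32\\" in path.lower():
            hits.append((1, "BHO DLL dropped straight into system32"))
        if looks_random(basename(path)):
            hits.append((1, "random-looking DLL name"))
        if path.endswith("(file missing)") or path == "(no file)":
            hits.append((1, "orphaned CLSID: fix it even though the file is gone"))
    elif m := RE_O4.match(line):
        d = RE_RUNDLL.search(m["cmd"])
        if d and "\\system32\\" in d["dll"].lower():
            hits.append((3, "Run entry loads a system32 DLL through rundll32"))
            if looks_random(basename(d["dll"])):
                hits.append((1, "random-looking DLL name"))
    elif m := RE_O20.match(line):
        hits.append((3, "Winlogon Notify DLL is loaded into winlogon.exe at every logon"))
        if looks_random(basename(m["path"])):
            hits.append((1, "random-looking DLL name"))
    return sum(p for p, _ in hits), [why for _, why in hits]

def triage(log_text, threshold=THRESHOLD):
    """Return the flagged lines as (line, score, reasons), highest score first."""
    scored = [(l.strip(), *score_line(l.strip())) for l in log_text.strip().splitlines()]
    return sorted((f for f in scored if f[1] >= threshold), key=lambda f: -f[1])

def avenger_script(log_text):
    """Build Avenger 'to delete' sections from the flagged lines, as the helper did by hand."""
    files, values, keys = [], [], []
    for line, _, _ in triage(log_text):
        if m := RE_F3.match(line):
            files.append(m["cmd"].strip('"').replace("\\\\", "\\"))  # HJT doubles the backslash
        elif m := RE_O2.match(line):
            keys.append(BHO_KEY + "\\{" + m["clsid"] + "}")
            if m["path"] != "(no file)":
                files.append(m["path"].replace(" (file missing)", ""))
        elif m := RE_O4.match(line):
            values.append(RUN_KEY + " | " + m["value"])
            files.append(RE_RUNDLL.search(m["cmd"])["dll"])
        elif m := RE_O20.match(line):
            keys.append(NOTIFY_KEY + "\\" + m["name"])
            files.append(m["path"])
    out = []
    for title, items in (("files", files), ("registry values", values), ("registry keys", keys)):
        if items:
            out += [f"{title} to delete:"] + list(dict.fromkeys(items)) + [""]
    return "\n".join(out).rstrip("\n")

if __name__ == "__main__":
    for line, score, reasons in triage(SAMPLE_LOG):
        print(f"[{score}] {line}\n      " + "; ".join(reasons))
    print("\n" + avenger_script(SAMPLE_LOG))
```

On the sample above the script flags the seven malicious lines (the win.ini load=, four nameless BHOs, the BM07600494 Run entry and the Winlogon Notify DLL) and leaves the Spybot BHO at a score of 1, even though its 8-letter name trips the gibberish check; that is the point of scoring several weak signals instead of deleting on a single one. The generated Avenger sections match what the helper wrote out by hand later in this thread, including the registry value for the Run entry and the Winlogon\Notify key.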

  #2 Il Pazzo (HTML.it user, joined Jul 2004, 1,071 posts)
    Oh yes... there are also several attempts to modify some registry keys... and a couple of processes, which I killed though.... I remember one called WINSPOOL, IEXPLORE (while the browser is closed) and !UPDATES....

    I think the problem started when I installed Windows Discovery Live... or something like that....

  #3 Deifobe (HTML.it user, joined Oct 2007, 6,072 posts)
    Yes, the log isn't clean, but we need to see all the files present, so download SystemScan, disconnect the PC from the internet => disable the antivirus => run SystemScan => click "Scan Now". When the scan is finished, re-enable the antivirus, upload the report you'll find on the desktop to Freefilehosting and post the link you get.

  #4 Il Pazzo (HTML.it user, joined Jul 2004, 1,071 posts)
    Originally posted by Deifobe
    Yes, the log isn't clean, but we need to see all the files present, so download SystemScan, disconnect the PC from the internet => disable the antivirus => run SystemScan => click "Scan Now". When the scan is finished, re-enable the antivirus, upload the report you'll find on the desktop to Freefilehosting and post the link you get.

    Done:

    report246.txt

  #5 Deifobe (HTML.it user, joined Oct 2007, 6,072 posts)
    I'll post the procedure in about an hour.
    I forgot to ask you not to run any scans, please.

  #6 Deifobe (HTML.it user, joined Oct 2007, 6,072 posts)
    Download CCleaner and Avenger.

    Disable System Restore: Start -> Control Panel -> System -> System Restore -> tick "Turn off System Restore".

    Open Notepad and paste this into it:
    Windows Registry Editor Version 5.00

    [-HKCR\CLSID\{A6C54318-5AC7-477D-B0A7-49AF5189300C}]

    [-HKCR\CLSID\{486414B0-D1F3-4F19-9549-32D6319F5008}]

    Save it like this:
    name: fix.reg
    file type: all files
    save it in c:\
    and close the file.


    Run Avenger and copy/paste this into the main window:
    files to delete:
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\BM07600494.xml
    C:\WINDOWS\BM07600494.txt
    C:\WINDOWS\system32\vtUnnlJa.dll
    C:\WINDOWS\system32\iifgFYsr.dll
    C:\WINDOWS\system32\byXQGWoo.dll
    C:\WINDOWS\system32\hrfadglm.tmp
    C:\WINDOWS\system32\hrfadglm.ini
    C:\WINDOWS\system32\hrfadglm.ini2
    C:\WINDOWS\system32\WabLnnmp.ini2
    C:\WINDOWS\system32\WabLnnmp.ini
    C:\WINDOWS\system32\tuvWpNhg.dll
    C:\WINDOWS\system32\garecakf.dll
    C:\WINDOWS\system32\xuklpnmt.dll
    C:\WINDOWS\system32\wrypenjy.dll
    C:\WINDOWS\system32\yjnepyrw.tmp
    C:\WINDOWS\system32\clkcnt.txt
    C:\WINDOWS\system32\ivywpqmi.dll
    C:\WINDOWS\system32\rkouwmlh.dll
    C:\WINDOWS\system32\hlmwuokr.ini
    C:\WINDOWS\system32\ltnauuhy.dll
    C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000E-00001102-00000002-80651102}.dat
    C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000E-00001102-00000002-80651102}.dat
    C:\WINDOWS\system32\BMXStateBkp-{00000000-00000000-0000000E-00001102-00000002-80651102}.rfx
    C:\WINDOWS\system32\BMXCtrlState-{00000000-00000000-0000000E-00001102-00000002-80651102}.rfx
    C:\WINDOWS\system32\BMXState-{00000000-00000000-0000000E-00001102-00000002-80651102}.rfx
    C:\WINDOWS\system32\settingsbkup.sfm
    C:\WINDOWS\system32\settings.sfm
    C:\WINDOWS\system32\BMXBkpCtrlState-{00000000-00000000-0000000E-00001102-00000002-80651102}.rfx
    C:\WINDOWS\system32\ghNpWvut.ini2
    C:\WINDOWS\system32\ghNpWvut.ini
    C:\DOCUME~1\Admin\IMPOST~1\Temp\ymsgr2
    C:\DOCUME~1\Admin\IMPOST~1\Temp\yazzsnet.exe
    C:\DOCUME~1\Admin\IMPOST~1\Temp\S6000428(1).JPG
    C:\DOCUME~1\Admin\IMPOST~1\Temp\!update.exe
    C:\WINDOWS\system32\vtUnnlJa.dll
    C:\WINDOWS\system32\tuvWpNhg.dll
    C:\DOCUME~1\Admin\IMPOST~1\Temp\winvsnet.exe

    folders to delete:
    C:\WINDOWS\system32\pnVes01
    C:\WINDOWS\system32\p7
    C:\WINDOWS\system32\n4

    registry values to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {A6C54318-5AC7-477D-B0A7-49AF5189300C}

    registry keys to delete:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtUnnlJa
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{486414B0-D1F3-4F19-9549-32D6319F5008}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6C54318-5AC7-477D-B0A7-49AF5189300C}

    programs to launch on reboot:
    c:\fix.reg

    Tick "Automatically disable any rootkits found" and click "execute".
    The PC should reboot by itself, otherwise reboot it yourself. Post the report it produces.

    Run CCleaner and clean up temporary files and cookies (run it twice).

    Post a new SystemScan.

  #7 Il Pazzo (HTML.it user, joined Jul 2004, 1,071 posts)
    Originally posted by Deifobe
    Run Avenger

    Tick "Automatically disable any rootkits found" and click "execute".

    The PC should reboot by itself, otherwise reboot it yourself. Post the report it produces.
    I can't find anything to tick anywhere.... anyway I ran it and the report is the following:
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\chdtxplg

    *******************

    Script file located at: \??\C:\Documents and Settings\ucnmmfdx.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\pskt.ini deleted successfully.
    File C:\WINDOWS\BM07600494.xml deleted successfully.
    File C:\WINDOWS\BM07600494.txt deleted successfully.
    File C:\WINDOWS\system32\vtUnnlJa.dll deleted successfully.
    File C:\WINDOWS\system32\iifgFYsr.dll deleted successfully.
    File C:\WINDOWS\system32\byXQGWoo.dll deleted successfully.
    File C:\WINDOWS\system32\hrfadglm.tmp deleted successfully.
    File C:\WINDOWS\system32\hrfadglm.ini deleted successfully.
    File C:\WINDOWS\system32\hrfadglm.ini2 deleted successfully.
    File C:\WINDOWS\system32\WabLnnmp.ini2 deleted successfully.
    File C:\WINDOWS\system32\WabLnnmp.ini deleted successfully.


    File C:\WINDOWS\system32\tuvWpNhg.dll not found!
    Deletion of file C:\WINDOWS\system32\tuvWpNhg.dll failed!

    Could not process line:
    C:\WINDOWS\system32\tuvWpNhg.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\garecakf.dll not found!
    Deletion of file C:\WINDOWS\system32\garecakf.dll failed!

    Could not process line:
    C:\WINDOWS\system32\garecakf.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\xuklpnmt.dll not found!
    Deletion of file C:\WINDOWS\system32\xuklpnmt.dll failed!

    Could not process line:
    C:\WINDOWS\system32\xuklpnmt.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\wrypenjy.dll not found!
    Deletion of file C:\WINDOWS\system32\wrypenjy.dll failed!

    Could not process line:
    C:\WINDOWS\system32\wrypenjy.dll
    Status: 0xc0000034

    File C:\WINDOWS\system32\yjnepyrw.tmp deleted successfully.
    File C:\WINDOWS\system32\clkcnt.txt deleted successfully.


    File C:\WINDOWS\system32\ivywpqmi.dll not found!
    Deletion of file C:\WINDOWS\system32\ivywpqmi.dll failed!

    Could not process line:
    C:\WINDOWS\system32\ivywpqmi.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\rkouwmlh.dll not found!
    Deletion of file C:\WINDOWS\system32\rkouwmlh.dll failed!

    Could not process line:
    C:\WINDOWS\system32\rkouwmlh.dll
    Status: 0xc0000034

    File C:\WINDOWS\system32\hlmwuokr.ini deleted successfully.


    File C:\WINDOWS\system32\ltnauuhy.dll not found!
    Deletion of file C:\WINDOWS\system32\ltnauuhy.dll failed!

    Could not process line:
    C:\WINDOWS\system32\ltnauuhy.dll
    Status: 0xc0000034

    File C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000E-00001102-00000002-80651102}.dat deleted successfully.
    File C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000E-00001102-00000002-80651102}.dat deleted successfully.
    File C:\WINDOWS\system32\BMXStateBkp-{00000000-00000000-0000000E-00001102-00000002-80651102}.rfx deleted successfully.
    File C:\WINDOWS\system32\BMXCtrlState-{00000000-00000000-0000000E-00001102-00000002-80651102}.rfx deleted successfully.
    File C:\WINDOWS\system32\BMXState-{00000000-00000000-0000000E-00001102-00000002-80651102}.rfx deleted successfully.
    File C:\WINDOWS\system32\settingsbkup.sfm deleted successfully.
    File C:\WINDOWS\system32\settings.sfm deleted successfully.
    File C:\WINDOWS\system32\BMXBkpCtrlState-{00000000-00000000-0000000E-00001102-00000002-80651102}.rfx deleted successfully.
    File C:\WINDOWS\system32\ghNpWvut.ini2 deleted successfully.
    File C:\WINDOWS\system32\ghNpWvut.ini deleted successfully.
    File C:\DOCUME~1\Admin\IMPOST~1\Temp\ymsgr2 deleted successfully.
    File C:\DOCUME~1\Admin\IMPOST~1\Temp\yazzsnet.exe deleted successfully.
    File C:\DOCUME~1\Admin\IMPOST~1\Temp\S6000428(1).JPG deleted successfully.


    File C:\DOCUME~1\Admin\IMPOST~1\Temp\!update.exe not found!
    Deletion of file C:\DOCUME~1\Admin\IMPOST~1\Temp\!update.exe failed!

    Could not process line:
    C:\DOCUME~1\Admin\IMPOST~1\Temp\!update.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\vtUnnlJa.dll not found!
    Deletion of file C:\WINDOWS\system32\vtUnnlJa.dll failed!

    Could not process line:
    C:\WINDOWS\system32\vtUnnlJa.dll
    Status: 0xc0000034



    File C:\WINDOWS\system32\tuvWpNhg.dll not found!
    Deletion of file C:\WINDOWS\system32\tuvWpNhg.dll failed!

    Could not process line:
    C:\WINDOWS\system32\tuvWpNhg.dll
    Status: 0xc0000034

    File C:\DOCUME~1\Admin\IMPOST~1\Temp\winvsnet.exe deleted successfully.
    Folder C:\WINDOWS\system32\pnVes01 deleted successfully.
    Folder C:\WINDOWS\system32\p7 deleted successfully.
    Folder C:\WINDOWS\system32\n4 deleted successfully.
    Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{A6C54318-5AC7-477D-B0A7-49AF5189300C} deleted successfully.
    Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtUnnlJa deleted successfully.
    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{486414B0-D1F3-4F19-9549-32D6319F5008} deleted successfully.
    Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6C54318-5AC7-477D-B0A7-49AF5189300C} deleted successfully.
    Program c:\fix.reg successfully set up to run once on reboot.

    Completed script processing.

    *******************

    Finished! Terminate.
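Added example, not part of the thread and not code from Avenger's author: a Python script that parses an Avenger report like the one above, decodes the NTSTATUS codes it prints (0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND), and reconciles the outcome with the script that was submitted. The script in reply #6 lists vtUnnlJa.dll and tuvWpNhg.dll twice, so their second "not found" is expected; what matters is a path that was already gone on the first attempt, because that is the sign the DLL had been renamed before Avenger ran. The script excerpt and report excerpt are verbatim from this thread (blank lines removed); the line format the parser expects is taken from the report as shown here.

```python
import re

# File targets from the Avenger script in reply #6, shortened but verbatim
# (not constructed). Two DLLs are listed twice, exactly as in the original.
SCRIPT_FILES = r"""
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\vtUnnlJa.dll
C:\WINDOWS\system32\tuvWpNhg.dll
C:\WINDOWS\system32\hlmwuokr.ini
C:\DOCUME~1\Admin\IMPOST~1\Temp\!update.exe
C:\WINDOWS\system32\vtUnnlJa.dll
C:\WINDOWS\system32\tuvWpNhg.dll
""".strip().splitlines()

# Matching excerpt of the Avenger report posted above (verbatim, blank lines removed).
REPORT = r"""
File C:\WINDOWS\pskt.ini deleted successfully.
File C:\WINDOWS\system32\vtUnnlJa.dll deleted successfully.
File C:\WINDOWS\system32\tuvWpNhg.dll not found!
Deletion of file C:\WINDOWS\system32\tuvWpNhg.dll failed!
Could not process line:
C:\WINDOWS\system32\tuvWpNhg.dll
Status: 0xc0000034
File C:\WINDOWS\system32\hlmwuokr.ini deleted successfully.
File C:\DOCUME~1\Admin\IMPOST~1\Temp\!update.exe not found!
Deletion of file C:\DOCUME~1\Admin\IMPOST~1\Temp\!update.exe failed!
Could not process line:
C:\DOCUME~1\Admin\IMPOST~1\Temp\!update.exe
Status: 0xc0000034
File C:\WINDOWS\system32\vtUnnlJa.dll not found!
Deletion of file C:\WINDOWS\system32\vtUnnlJa.dll failed!
Could not process line:
C:\WINDOWS\system32\vtUnnlJa.dll
Status: 0xc0000034
File C:\WINDOWS\system32\tuvWpNhg.dll not found!
Deletion of file C:\WINDOWS\system32\tuvWpNhg.dll failed!
Could not process line:
C:\WINDOWS\system32\tuvWpNhg.dll
Status: 0xc0000034
Folder C:\WINDOWS\system32\p7 deleted successfully.
Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtUnnlJa deleted successfully.
Program c:\fix.reg successfully set up to run once on reboot.
"""

NTSTATUS = {  # codes Avenger prints on failure, with their names from the Windows NTSTATUS table
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}
RE_RESULT = re.compile(r"^(?P<kind>File|Folder|Registry key|Registry value|Program) "
                       r"(?P<target>.+?) (?P<outcome>deleted successfully|not found|"
                       r"successfully set up to run once on reboot)[.!]?$")
RE_STATUS = re.compile(r"^Status: (?P<code>0x[0-9A-Fa-f]+)$")

def parse_report(text):
    """One event per result line; the 'Status:' line Avenger prints a few lines
    later is attached to the most recent failed event."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_RESULT.match(line):
            events.append({"kind": m["kind"], "target": m["target"],
                           "ok": m["outcome"] != "not found", "status": None})
        elif (m := RE_STATUS.match(line)) and events and not events[-1]["ok"]:
            events[-1]["status"] = int(m["code"], 16)
    return events

def reconcile(script_files, report_text):
    """Map every file in the script to a verdict. A 'not found' only matters on the
    FIRST attempt: when a path is listed twice, the second miss is the script's doing."""
    attempts = {}
    for e in parse_report(report_text):
        if e["kind"] == "File":
            attempts.setdefault(e["target"].lower(), []).append(e)  # paths are case-insensitive
    verdicts = {}
    for path in dict.fromkeys(script_files):  # unique, script order kept
        tries = attempts.get(path.lower(), [])
        if not tries:
            verdicts[path] = "no result line in report"
        elif tries[0]["ok"]:
            dup = " (listed twice in script; the later miss is expected)" if len(tries) > 1 else ""
            verdicts[path] = "deleted" + dup
        else:
            code = tries[0]["status"]
            name = NTSTATUS.get(code, hex(code)) if code is not None else "no status"
            verdicts[path] = f"absent on first attempt ({name}): already renamed or gone, re-scan"
    return verdicts

def rescan_targets(script_files, report_text):
    """Paths that were gone before Avenger ran: the ones to look for under a new name."""
    return [p for p, v in reconcile(script_files, report_text).items() if v.startswith("absent")]

if __name__ == "__main__":
    for path, verdict in reconcile(SCRIPT_FILES, REPORT).items():
        print(f"{verdict:<75} {path}")
```

Run against the excerpt, reconcile() reports pskt.ini and hlmwuokr.ini as deleted, vtUnnlJa.dll as deleted with the duplicate noted, and tuvWpNhg.dll and !update.exe as absent on the first attempt, which is the list rescan_targets() returns and the reason the next SystemScan is needed: those files were not removed, they were already somewhere else.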

  #8 Il Pazzo (HTML.it user, joined Jul 2004, 1,071 posts)
    Originally posted by Deifobe
    Run CCleaner and clean up temporary files and cookies (run it twice).
    Done


    Originally posted by Deifobe
    Post a new SystemScan.
    I can't upload files to the internet any more (I can't even visit some sites any more, like google and yahoo)... and I still get the Spybot window telling me there's an attempt to modify a registry key:

    Entry: BM07600494
    Change: value added
    Category: System startup global entry
    New data: Rundll32.exe "C:\Windows...."

    Lots of similar entries... I deny them all but it keeps coming back

  #9 Il Pazzo (HTML.it user, joined Jul 2004, 1,071 posts)
    I managed it, here's the SystemScan

    report252.txt

    Now Google works again, but it does something new.... using Mozilla FF.... when I type the name of a site (e.g.: tiscali), instead of taking me to tiscali it redirects me to crawler

  #10 Deifobe (HTML.it user, joined Oct 2007, 6,072 posts)
    After Avenger everything recreated itself...

    From HJT, fix:
    O2 - BHO: (no name) - {942E6100-2349-456C-99F5-65903B8818D6} - C:\WINDOWS\system32\yayvVPHB.dll
    O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\system32\vtUnnlJa.dll (file missing)
    O4 - HKLM\..\Run: [BM07600494] Rundll32.exe "C:\WINDOWS\system32\wgyrgcoo.dll",s


    Create another file in c:\ called fix2.reg:

    Windows Registry Editor Version 5.00

    [-HKCR\CLSID\{486414B0-D1F3-4F19-9549-32D6319F5008}]

    [-HKCR\CLSID\{942E6100-2349-456C-99F5-65903B8818D6}]

    [-HKCR\CLSID\{A6C54318-5AC7-477D-B0A7-49AF5189300C}]
    Run Avenger:
    files to delete:
    C:\WINDOWS\BM07600494.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\BM07600494.txt
    C:\WINDOWS\system32\xuklpnmt.dll_old
    C:\WINDOWS\system32\yayvVPHB.dll
    C:\WINDOWS\system32\wgyrgcoo.dll
    C:\WINDOWS\system32\gkdtlpvj.dll
    C:\WINDOWS\system32\ywqebvbd.dll
    C:\WINDOWS\system32\dbvbeqwy.tmp
    C:\WINDOWS\system32\BHPVvyay.ini2
    C:\WINDOWS\system32\BHPVvyay.ini
    C:\WINDOWS\system32\wgyrgcoo.dll
    C:\WINDOWS\system32\tuvWpNhg.dll
    C:\WINDOWS\system32\yayvVPHB.dll
    C:\WINDOWS\system32\vtUnnlJa.dll
    C:\DOCUME~1\Admin\IMPOST~1\Temp\NDR13A.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\NDR141.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\NDR13E.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\NDR144.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\NDR147.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\NDR15A.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\bacdnrai.dll
    C:\DOCUME~1\Admin\IMPOST~1\Temp\wsdrowff.dll
    C:\DOCUME~1\Admin\IMPOST~1\Temp\lkmkfiam.dll
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b728x90.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b300x100.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b300x250.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b160x600.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b180x150.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b250x250.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b240x400.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b234x60.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b720x300.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b120x240.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b336x280.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b468x60.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b125x125.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b120x90.tmp
    C:\DOCUME~1\Admin\IMPOST~1\Temp\b120x600.tmp
    C:\Server.exe

    registry values to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run | BM07600494

    registry keys to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{486414B0-D1F3-4F19-9549-32D6319F5008}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{942E6100-2349-456C-99F5-65903B8818D6}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6C54318-5AC7-477D-B0A7-49AF5189300C}
    HKLM\Software\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}

    programs to launch on reboot:
    c:\fix2.reg
    Click execute.
    Post SystemScan and Avenger again.


    Then, as soon as you can, go to VirusTotal and analyse these files to be on the safe side. If any of them turn out infected, post the results.
    C:\WINDOWS\system32\pncrt.dll
    C:\WINDOWS\system32\msvcp71.dll
    C:\WINDOWS\system32\pndx5016.dll
    C:\WINDOWS\system32\pndx5032.dll
    C:\WINDOWS\system32\rmoc3260.dll
