Take note of the contents of these folders (I think they should be deleted, but I haven't included them for now):
C:\WINDOWS\system32\cTMO
C:\WINDOWS\system32\pRI
C:\WINDOWS\system32\yrt
C:\WINDOWS\system32\ert
C:\WINDOWS\system32\RI

Download Avenger, Norman Malware Cleaner and CCleaner
Download, install and update Malwarebytes

Print these instructions and disconnect the PC from the internet

Open Notepad and copy/paste the following into the page:

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\CLSID\{84A46358-4001-4E42-A966-A3CAC5F91716}]

[-HKEY_CLASSES_ROOT\CLSID\{BC646E96-A23D-4A44-A597-01219C5C633A}]

Save it in C:\ with
file name: fix.reg
file type: All files


Run Avenger and copy/paste the entire quote into its window:

files to delete:
C:\zip.exe
C:\WINDOWS\b156.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\BM2f79df53.txt
C:\WINDOWS\BM2f79df53.xml
C:\WINDOWS\mrofinu.exe
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\system32\HijackThis.exe
C:\WINDOWS\system32\hgGwUoMd.dll
C:\WINDOWS\system32\xxyxYrSj.dll
C:\WINDOWS\system32\xxyxVpMG.dll
C:\WINDOWS\system32\ceeccaeecdde.dll
C:\WINDOWS\system32\ypmritsj.ini
C:\WINDOWS\system32\clkcnt.txt
C:\WINDOWS\system32\qxqiahyj.dll
C:\WINDOWS\system32\lyqlmium.dll
C:\WINDOWS\system32\muimlqyl.ini
C:\WINDOWS\system32\GMpVxyxx.ini2
C:\WINDOWS\system32\GMpVxyxx.ini
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\khqyxfvc.ini
C:\WINDOWS\system32\wvUnnLCV.dll
C:\WINDOWS\system32\oadrlhhe.dll
C:\WINDOWS\system32\vtdlmldr.dll
C:\WINDOWS\system32\awtsTKax.dll
C:\WINDOWS\system32\opnlMcAq.dll
C:\WINDOWS\system32\geBuUkiF.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rdlmldtv.ini
C:\WINDOWS\system32\ddcArRji.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\fccaBQiG.dll
C:\WINDOWS\system32\tsuyhnhe.dll
C:\WINDOWS\system32\opnnnNhG.dll
C:\WINDOWS\system32\ibmgxmga.dll
C:\WINDOWS\system32\whbckvxe.ini
C:\WINDOWS\system32\ssqOICSl.dll
C:\WINDOWS\system32\fccbYQJD.dll
C:\WINDOWS\system32\fccyvTKd.dll
C:\WINDOWS\system32\cbXPjJaX.dll
C:\WINDOWS\system32\yayvWoNE.dll
C:\WINDOWS\system32\nnnkLCRl.dll
C:\WINDOWS\system32\hpmdyjrp.ini
C:\WINDOWS\system32\opnKawwx.dll
C:\WINDOWS\system32\wimhuovo.dll
C:\WINDOWS\system32\qoMggebB.dll
C:\WINDOWS\system32\efcASjhH.dll
C:\WINDOWS\system32\byXnlkLe.dll
C:\WINDOWS\system32\ssqRHBSL.dll
C:\WINDOWS\system32\vpkjjwrd.dll
C:\WINDOWS\system32\jgjttdel.ini
C:\WINDOWS\system32\xqfnxkll.dll
C:\WINDOWS\system32\dwwcspaq.ini
C:\WINDOWS\system32\qrtwueev.dll
C:\WINDOWS\system32\nnnmmjIY.dll
C:\WINDOWS\system32\wdxxicql.ini
C:\WINDOWS\system32\atjjkxqh.dll
C:\WINDOWS\system32\yayyWonk.dll
C:\WINDOWS\system32\ggdvlmwb.dll
C:\WINDOWS\system32\nektbtre.ini
C:\WINDOWS\system32\wqkmnkop.dll
C:\WINDOWS\system32\tuvULDtT.dll
C:\WINDOWS\system32\efcBqoPI.dll
C:\WINDOWS\system32\hgyrvsdw.dll
C:\WINDOWS\system32\rvxhckoc.ini
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\system32\svnfhtmu.ini
C:\WINDOWS\system32\qoMfgFxu.dll
C:\WINDOWS\system32\nsdybhme.ini
C:\WINDOWS\system32\qgkscyrh.dll
C:\WINDOWS\system32\hgGvuULE.dll
C:\WINDOWS\system32\wmatiofa.ini
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\g67.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\temp\zw6osiln.TMP
C:\WINDOWS\temp\mb833aki.TMP
C:\WINDOWS\temp\ffy5hy20.TMP
C:\DOCUME~1\riccardo\IMPOST~1\Temp\jar_cache6437.tmp
C:\WINDOWS\444.470.exe
C:\WINDOWS\portsv.exe

folders to delete:
C:\Programmi\File comuni\ProtezioneSoft
C:\Programmi\ProtezioneSoft
C:\Programmi\Spcron
C:\WINDOWS\system32\modtrux18

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | 2c4aeccf
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | BM2f79df53
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {84A46358-4001-4E42-A966-A3CAC5F91716}

registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84A46358-4001-4E42-A966-A3CAC5F91716}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BC646E96-A23D-4A44-A597-01219C5C633A}
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyxYrSj
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ceeccaeecdde
HKLM\system\currentcontrolset\services\MsSecurity1.209.4
HKLM\system\controlset001\services\MsSecurity1.209.4
HKLM\system\controlset002\services\MsSecurity1.209.4
HKLM\system\currentcontrolset\enum\root\legacy_MsSecurity1.209.4
HKLM\system\controlset001\enum\root\legacy_MsSecurity1.209.4
HKLM\system\controlset002\enum\root\legacy_MsSecurity1.209.4
HKLM\system\currentcontrolset\services\PlugPlayRPC
HKLM\system\controlset001\services\PlugPlayRPC
HKLM\system\controlset002\services\PlugPlayRPC
HKLM\system\currentcontrolset\enum\root\legacy_PlugPlayRPC
HKLM\system\controlset001\enum\root\legacy_PlugPlayRPC
HKLM\system\controlset002\enum\root\legacy_PlugPlayRPC

programs to launch on reboot:
c:\fix.reg

Tick "Automatically disable any rootkits found" and click "Execute".
The PC should restart by itself; otherwise restart it yourself. Post the report it produces.

Run CCleaner and clean out the temporary files and cookies (run it twice).

Empty C:\WINDOWS\Prefetch

Run HijackThis and fix, if still present:

O1 - Hosts: 89.149.200.219 l2authd.lineage2.com
O1 - Hosts: 89.149.200.219 l2testauthd.lineage2.com
O1 - Hosts: 216.107.250.194 nprotect.lineage2.com
O2 - BHO: (no name) - {84A46358-4001-4E42-A966-A3CAC5F91716} - C:\WINDOWS\system32\xxyxYrSj.dll
O2 - BHO: (no name) - {BC646E96-A23D-4A44-A597-01219C5C633A} - C:\WINDOWS\system32\xxyxVpMG.dll
O4 - HKLM\..\Run: [BM2f79df53] Rundll32.exe "C:\WINDOWS\system32\qxqiahyj.dll",s
O4 - HKLM\..\Run: [2c4aeccf] rundll32.exe "C:\WINDOWS\system32\lyqlmium.dll",b
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\riccardo\Menu Avvio\Programmi\IMVU\Run IMVU.lnk
O20 - Winlogon Notify: ceeccaeecdde - C:\WINDOWS\system32\ceeccaeecdde.dll
O20 - Winlogon Notify: xxyxYrSj - C:\WINDOWS\SYSTEM32\xxyxYrSj.dll
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)

Run Malwarebytes and perform a full scan.

Boot the PC into Safe Mode (*) and run Norman Malware Cleaner.
When the scan finishes, remove the infected files it found and post the log that is generated on the desktop.

Post the Malwarebytes log, the Norman Malware Cleaner log, a new SystemScan and the Avenger report.


(*) To enter Safe Mode: when the PC starts, before Windows begins loading, press F8 repeatedly. The Windows Advanced Options menu will appear
=> choose Safe Mode (use the arrow key ^).
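
Added example (not part of the original post): a Python cross-check of the HijackThis entries against the Avenger script's "files to delete" list, showing which entries are left to the HijackThis fix step. The sample inputs are a constructed subset of the lines above, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the HijackThis lines and Avenger script in the post.
HJT_LOG = r"""
O1 - Hosts: 89.149.200.219 l2authd.lineage2.com
O2 - BHO: (no name) - {84A46358-4001-4E42-A966-A3CAC5F91716} - C:\WINDOWS\system32\xxyxYrSj.dll
O4 - HKLM\..\Run: [2c4aeccf] rundll32.exe "C:\WINDOWS\system32\lyqlmium.dll",b
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\riccardo\Menu Avvio\Programmi\IMVU\Run IMVU.lnk
O20 - Winlogon Notify: ceeccaeecdde - C:\WINDOWS\system32\ceeccaeecdde.dll
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
"""
AVENGER_SCRIPT = r"""
files to delete:
C:\WINDOWS\system32\xxyxYrSj.dll
C:\WINDOWS\system32\lyqlmium.dll
C:\WINDOWS\system32\ceeccaeecdde.dll
C:\WINDOWS\portsv.exe

registry keys to delete:
HKLM\system\currentcontrolset\services\PlugPlayRPC
"""

# A drive-letter path ending in one of the file extensions seen in the log.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|sys|lnk)\b', re.I)

def parse_hjt(log):
    """Return one dict per HijackThis line: section code (O1, O2, ...) and file path, if any."""
    entries = []
    for line in log.splitlines():
        m = re.match(r"(O\d+) - (.*)", line.strip())
        if m:
            path = PATH_RE.search(m.group(2))
            entries.append({"section": m.group(1),
                            "path": path.group(0).lower() if path else None})
    return entries

def parse_avenger(script):
    """Group script lines under their 'xxx to delete:' style headers (lower-cased)."""
    sections, current = {}, None
    for line in (l.strip().lower() for l in script.splitlines()):
        if line.endswith(":"):
            current = line[:-1]
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    return sections

def uncovered(log, script):
    """HijackThis entries whose file is not in the Avenger 'files to delete' list."""
    files = set(parse_avenger(script).get("files to delete", []))
    return [e for e in parse_hjt(log) if e["path"] not in files]
```

On this sample, `uncovered(HJT_LOG, AVENGER_SCRIPT)` returns the O1 and O9 entries: the Hosts redirect and the extra button are not in the Avenger file list and are left to the HijackThis fix step.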