Variante Modificata Win32/DIALER.RU

[Aieiie]

Ciao a tutti!!!
Sfortunatamente mi sono imbattuto in questo virus che non riesco a levare...in alcun modo Ho provato con molti antispywere ma non c'è stato niente da fare. Appena accendo il pc dopo qualche istante mi fa errore il file service32.exe e dopo 1 pò di minuti mi esce il virus maledetto.
Questo è il messaggio di nod32:

C:\WINDOWS\TEMP\vizsda.exe Virus:
variante modificata di Win32/Dialer.RU cavallo di tr**a
Commento:
Evento occorso su un nuovo file creato da un'applicazione: c:\windows\system32\services.exe. Il file è stato inserito nella quarantena. Puoi chiudere questa finestra.


Sareste cosi gentili da darmi una mano? Vi ringrazio anticipatamente,
Saluti Andrea

[Aieiie]

a Proposito ho fatto lo scan di HijackThis :s



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16.15.48, on 24/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
d:\windows\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\ehome\ehtray.exe
D:\Programmi\Eset\nod32kui.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
D:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Programmi\VIA\RAID\raid_tool.exe
D:\Programmi\a-squared Free\a2service.exe
D:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
D:\Programmi\Eset\nod32krn.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\Programmi\MSN Messenger\msnmsgr.exe
D:\Programmi\eMule\emule.exe
D:\Programmi\MSN Messenger\usnsvc.exe
D:\WINDOWS\system32\cmd.exe
D:\Programmi\Windows Media Player\wmplayer.exe
D:\Programmi\Internet Explorer\iexplore.exe
D:\Documents and Settings\Andrea\Impostazioni locali\Temporary Internet Files\Content.IE5\TQ5ZN74U\HiJackThis_v2[1].exe
D:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "D:\Programmi\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe "
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Adsgone] d:\programmi\adsgone\adsgone.exe -s
O4 - HKCU\..\Run: [MSMSGS] "D:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Policies\Explorer\Run: [4F27V1D89M] D:\WINDOWS\service32.exe
O4 - HKLM\..\Policies\Explorer\Run: [Service] D:\WINDOWS\sysnet32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = D:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = D:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = D:\Programmi\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1193007812713
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193007805119
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Programmi\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programmi\Eset\nod32krn.exe

--
End of file - 6485 bytes

[Topdrake]

disattiva il ripristino configurazione sistema
fixa:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [4F27V1D89M] D:\WINDOWS\service32.exe
O4 - HKLM\..\Policies\Explorer\Run: [Service] D:\WINDOWS\sysnet32.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Programmi\Messenger\msmsgs.exe (file missing)

scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
Decomprimi l'archivio

Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,
copi e incolli


files to delete:
D:\WINDOWS\service32.exe
D:\WINDOWS\sysnet32.exe

clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente

Fai pulizia temp, cache.cooKies ecc.. con CCleaner
posta log di avenger e nuovo log di HJT

[Aieiie]

Allora Topdrake, intanto ti ringrazio per l'assistenza...
Posto i vari report.


Per cominciare il log di Avenger
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\cwyqwgwo

*******************

Script file located at: \??\D:\WINDOWS\okkhujrr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

File D:\WINDOWS\service32.exe deleted successfully.


File D:\WINDOWS\sysnet32.exe not found!
Deletion of file D:\WINDOWS\sysnet32.exe failed!

Could not process line:
D:\WINDOWS\sysnet32.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


Ecco il log di HJT


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21.36.52, on 24/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
d:\windows\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\ehome\ehtray.exe
D:\Programmi\Eset\nod32kui.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Programmi\TomTom HOME 2\HOMERunner.exe
D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
D:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Programmi\DAEMON Tools\daemon.exe
D:\Programmi\VIA\RAID\raid_tool.exe
D:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\eHome\ehRecvr.exe
D:\WINDOWS\eHome\ehSched.exe
D:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
D:\Programmi\Eset\nod32krn.exe
D:\WINDOWS\system32\dllhost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\eHome\ehmsas.exe
D:\Programmi\MSN Messenger\msnmsgr.exe
D:\Programmi\eMule\emule.exe
D:\Programmi\MSN Messenger\usnsvc.exe
D:\Programmi\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\svchost.exe
D:\Documents and Settings\Andrea\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "D:\Programmi\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Programmi\Java\jre1.6.0_03\bin\jusched.exe "
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = D:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = D:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = D:\Programmi\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1193007812713
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193007805119
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programmi\Eset\nod32krn.exe

--
End of file - 5402 bytes

Che dici ho risolto?
Ciauuu

[Topdrake]

il log è pulito anche se avenger non ha trovato sysnet32.exe, vedi come va il pc per alcuni giorni se tutto ok riattiva il ripristino configurazione sistema

[Aieiie]

Ok proverò... vi faccio sapere tra qualche giorno...sperando di avere buone notizie

[Aieiie]

Rieccomi quà,
speravo di non dover + postare in questa sezione... e invece... stamattina sorpresa... ora il virus mi agisce su winlogon.exe

Allego foto...

Topdrake ... come se fa?

[Demonios@]

Scarica ATF cleaner
http://www.atribune.org/ccount/click.php?id=1
Avvia ATF Cleaner
(se usi Firefox o Opera, selezionali dal menu in alto)
metti la spunta su "Select All" per ogni browser
e clicca su "Empty Select"

FAi una scansione con l'ultima versione di VirIT.
http://www.tgsoft.it/italy/download.htm
Installalo, avvialo, aspetta il termine del controllo della memoria,
e aggiornalo

controlla questa cartella: D:\windows\tasks\ e dimmi che cosa hai all'interno

Svuota completamente
D:\WINDOWS\TEMP
D:\Document and setting\Andrea\Impostazioni locali\Temp
Ciao

[Topdrake]

fai una scansione on line con Panda:
http://www.pandasoftware.com/actives..._principal.htm

[Aieiie]

Ciao ragazzi...allora ho seguito entrambe le procedure.

La procedura di Demonios@ mi ha fatto trovare 3 files infetti con la scansione di virIT...
di seguito il report dei files rimossi..

MASTER BOOT RECORD: OK
BOOT SECTOR: OK

D:\WINDOWS\snet32.exe Infetto da Trojan.Win32.Small.RJ
* * * RIMOSSO * * *
D:\WINDOWS\svchost.dll Infetto da Trojan.Win32.Small.RI
* * * RIMOSSO * * *
D:\WINDOWS\system32\srvotgfb.exe Infetto da Trojan.Win32.Agent.AUF
* * * RIMOSSO * * *


La scansione con panda invece non ha dato risultati...
che dite ? ce l'ho fatta?
Ciaooooooooooooo