
Discussion: Trojan Vundo.AT

  1. #1
    HTML.it user, registered Sep 2006, 26 posts

    Trojan Vundo.AT

    Stupidly, I ran an exe file downloaded with FrostWire and caught a damned trojan that I can no longer get rid of; I tried the various Ad-Aware, Spybot, VirIT etc., all updated, but nothing. DLL files keep being created and Explorer windows keep opening!
    I'm attaching the various logs, as you requested; if anyone has advice, it's welcome.

    GMER 1.0.10.10122 - http://www.gmer.net
    Rootkit 2007-03-29 19:34:59
    Windows 5.0.2195 Service Pack 4


    ---- System - GMER 1.0.10 ----

    SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
    SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

    ---- EOF - GMER 1.0.10 ----




    GMER 1.0.10.10122 - http://www.gmer.net
    Autostart 2007-03-29 19:15:17
    Windows 5.0.2195 Service Pack 4


    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
    jkhfg@DLLName = C:\WINNT\system32\jkhfg.dll
    vtusssr@DLLName = vtusssr.dll
    wzcnotif@DLLName = wzcdlg.dll

    HKLM\SYSTEM\CurrentControlSet\Services\ >>>
    ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Programmi\ewido anti-spyware 4.0\guard.exe
    OutpostFirewall /*Outpost Firewall Service*/@ = C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /service
    Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\system32\MSTask.exe
    Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
    StiSvc /*Still Image Service*/@ = %systemroot%\system32\stisvc.exe
    viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe
    WinMgmt /*Strumentazione gestione Windows*/@ = %SystemRoot%\System32\WBEM\WinMgmt.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
    @Synchronization Managermobsync.exe /logon = mobsync.exe /logon
    @PinnacleDriverCheckC:\WINNT\system32\PSDrvCheck.exe = C:\WINNT\system32\PSDrvCheck.exe
    @Outpost FirewallC:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice /*file not found*/ = C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice /*file not found*/
    @QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
    @pdfSaver3 /*file not found*/ = /*file not found*/
    @VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE
    @SunJavaUpdateSched"C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe" = "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe "
    @SoundServicerundll32.exe "C:\WINNT\system32\wislbcsb.dll",setvm = rundll32.exe "C:\WINNT\system32\wislbcsb.dll",setvm

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run @pdfSaver3 = "c:\Program Files\PDF\pdfSaver\pdfSaver3.exe"

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
    @{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll = C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll
    @{27CA571B-14D3-4937-B387-BE72FA7A0F87}C:\WINNT\system32\vtusssr.dll = C:\WINNT\system32\vtusssr.dll

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
    @{41E300E0-78B6-11ce-849B-444553540000} /*Estensione CPL PlusPack*/plustab.dll = plustab.dll
    @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
    @{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Anteprima*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
    @{EAB841A0-9550-11CF-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
    @{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Programma di estrazione filtri grafici di Office in anteprima*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
    @{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
    @{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
    @{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
    @{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
    @{F5D92341-0A64-11D0-9956-0000E8096023} /*CD Copy Shell Extension*/C:\WINNT\system32\Shellext\CDWshext.dll = C:\WINNT\system32\Shellext\CDWshext.dll
    @{F5D92342-0A64-11D0-9956-0000E8096023} /*CD Wizard Shell Extension*/C:\WINNT\system32\Shellext\CDWshext.dll = C:\WINNT\system32\Shellext\CDWshext.dll
    @{F5D92344-0A64-11D0-9956-0000E8096023} /*InstantWrite Shellextension*/C:\WINNT\system32\ShellExt\iwshex.dll = C:\WINNT\system32\ShellExt\iwshex.dll
    @{D3796116-94D3-4009-96D7-51578411CC7D} /*Outpost Shell Extension*/C:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll = C:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll
    @{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
    @{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
    @{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
    @{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
    @{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/(null) =

    HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
    ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
    WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
    ZONERMenu@{BCAFD618-3FAE-4EFE-BF4E-4C43A7E1320B} = C:\Programmi\Zoner\Photo Studio 8\Program\SHELLEXT8.DLL

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{BCAFD618-3FAE-4EFE-BF4E-4C43A7E1320B} = C:\Programmi\Zoner\Photo Studio 8\Program\SHELLEXT8.DLL

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
    ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
    WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
    ZONERMenu@{BCAFD618-3FAE-4EFE-BF4E-4C43A7E1320B} = C:\Programmi\Zoner\Photo Studio 8\Program\SHELLEXT8.DLL

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
    WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
    ZONERMenu@{BCAFD618-3FAE-4EFE-BF4E-4C43A7E1320B} = C:\Programmi\Zoner\Photo Studio 8\Program\SHELLEXT8.DLL

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
    @{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    @{17E1173F-274E-4F10-9711-B4B2F8994662}C:\WINNT\system32\jkhfg.dll = C:\WINNT\system32\jkhfg.dll
    @{27CA571B-14D3-4937-B387-BE72FA7A0F87}C:\WINNT\system32\vtusssr.dll = C:\WINNT\system32\vtusssr.dll
    @{57E218E6-5A80-4f0c-AB25-83598F25D7E9}C:\WINNT\system32\hhrrnkja.dll = C:\WINNT\system32\hhrrnkja.dll
    @{689AB811-E7FD-4097-A207-6A9C37295775}C:\WINNT\system32\wyadtbyh.dll = C:\WINNT\system32\wyadtbyh.dll
    @{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll

    HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINNT\system32\ssstars.scr

    HKLM\Software\Microsoft\Internet Explorer\Main >>>
    @Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    @Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    @Local PageC:\WINNT\system32\blank.htm = C:\WINNT\system32\blank.htm

    HKCU\Software\Microsoft\Internet Explorer\Main >>>
    @Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    @Start Pagehttp://www.startrekitalia.com/public/active.asp = http://www.startrekitalia.com/public/active.asp
    @Local PageC:\WINNT\system32\blank.htm = C:\WINNT\system32\blank.htm

    HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
    its@CLSID = C:\WINNT\system32\itss.dll
    mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
    ms-its@CLSID = C:\WINNT\system32\itss.dll
    vnd.ms.radio@CLSID = C:\WINNT\system32\msdxm.ocx

    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll

    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
    000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000016@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000017@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000018@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000019@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000020@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000021@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000022@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
    000000000023@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

    C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica >>>
    SpamPal.lnk = SpamPal.lnk
    Stop Dialers.lnk = Stop Dialers.lnk

    C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
    ~Disabled = ~Disabled
    Microsoft Office.lnk = Microsoft Office.lnk

    ---- EOF - GMER 1.0.10 ----






    Sky's the Limit!
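As an added defender-side example (editor's code, not from the thread or from GMER), the script below parses entries in the GMER Autostart format shown above and flags DLLs that a Vundo-style infection registers from system32 at the logon, Explorer and IE hook points (Winlogon\Notify, Run via rundll32, ShellExecuteHooks, Browser Helper Objects); a DLL found at several of those points at once is the strongest signal. The sample lines are copied from this log, and the KNOWN_GOOD allow-list is an assumption for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the GMER "Autostart" log quoted above
# (entries copied from that log; not a new scan).
GMER_AUTOSTART = r"""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
jkhfg@DLLName = C:\WINNT\system32\jkhfg.dll
vtusssr@DLLName = vtusssr.dll
wzcnotif@DLLName = wzcdlg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SoundServicerundll32.exe "C:\WINNT\system32\wislbcsb.dll",setvm = rundll32.exe "C:\WINNT\system32\wislbcsb.dll",setvm
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll = C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll
@{27CA571B-14D3-4937-B387-BE72FA7A0F87}C:\WINNT\system32\vtusssr.dll = C:\WINNT\system32\vtusssr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{17E1173F-274E-4F10-9711-B4B2F8994662}C:\WINNT\system32\jkhfg.dll = C:\WINNT\system32\jkhfg.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
"""

# Load points Vundo-style adware abuses to get its DLL into winlogon, Explorer and IE.
HOOK_SECTIONS = ("Winlogon\\Notify", "CurrentVersion\\Run", "ShellExecuteHooks", "Browser Helper Objects")
# Assumed allow-list (illustrative): DLLs that legitimately live in system32 here;
# wzcdlg.dll is the Wireless Zero Configuration winlogon notification package.
KNOWN_GOOD = {"wzcdlg.dll"}
DLL_RE = re.compile(r"[\w.-]+\.dll", re.IGNORECASE)

def suspicious_dlls(log):
    """(section, dll) pairs for DLLs loaded from system32 (a bare name resolves
    there too) at a hook point and not on the allow-list."""
    hits, section = [], None
    for line in log.splitlines():
        line = line.strip()
        if line.endswith(">>>"):                          # section header
            header = line[:-3].rstrip("\\ ")
            section = next((s for s in HOOK_SECTIONS if header.endswith(s)), None)
        elif section and " = " in line:
            data = line.rsplit(" = ", 1)[1]               # GMER repeats the value after " = "
            for dll in DLL_RE.findall(data):
                bare = "\\" not in data                   # loaded via the system32 search path
                in_sys32 = ("\\system32\\" + dll).lower() in data.lower()
                if (bare or in_sys32) and dll.lower() not in KNOWN_GOOD:
                    hits.append((section, dll.lower()))
    return hits

def multi_hooked(hits):
    """DLLs registered at more than one hook point: the strongest signal in this log."""
    counts = Counter(dll for _, dll in hits)
    return sorted(d for d, n in counts.items() if n > 1)
```

Run against the sample it reports jkhfg.dll and vtusssr.dll at two hook points each and wislbcsb.dll once, while the Java and ewido DLLs loaded from vendor directories are left alone.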

  2. #2
    HTML.it user, registered Sep 2006, 26 posts
    Logfile of HijackThis v1.99.1
    Scan saved at 19.36.28, on 29/03/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Programmi\ewido anti-spyware 4.0\guard.exe
    C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\VEXPLITE\viritsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\VEXPLITE\MONLITE.EXE
    C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\PDF\pdfSaver\pdfSaver3.exe
    C:\Programmi\SpamPal\spampal.exe
    C:\Programmi\StopDialers\StopDialers.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startrekitalia.com/public/active.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [Outpost Firewall] C:\Programmi\Agnitum\Outpost Firewall 1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe "
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINNT\system32\wislbcsb.dll",setvm
    O4 - HKCU\..\Run: [pdfSaver3] "c:\Program Files\PDF\pdfSaver\pdfSaver3.exe"
    O4 - Startup: SpamPal.lnk = C:\Programmi\SpamPal\spampal.exe
    O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialers.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1170883647296
    O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
    O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
    Sky's the Limit!

  3. #3
    HTML.it user (avatar: tognazzi), registered Jan 2007, 1,489 posts
    The HijackThis log is clean.
    Against Vundo I believe there is a specific removal tool:
    http://www.softpedia.com/get/Antivirus/VundoFix.shtml

  4. #4
    HTML.it user, registered Sep 2006, 26 posts
    Well, I ran VundoFix and also Symantec's FixVundo.
    The latter doesn't find it, while the first flags the file C:\WINNT\system32\vtusssr.dll, which I try to delete, but it tells me: "IMPOSSIBILE IMPORTARE C:\vundofix.reg. Errore nell'apertura file, potrebbe esserci errore nel sistema o nel file" (cannot import C:\vundofix.reg: error opening the file; there may be an error in the system or in the file).
    And that damned DLL shows up again in the startup files every time I boot!
    When the PC starts up, an error message appears: "RUNDLL wislbcsb.dll: impossibile trovare il modulo specificato" (the specified module could not be found).
    I tried running the programs in safe mode as well, but nothing better happens.


    One last thing: I saw that among the startup files there is a program called IEHELPER.DLL which, searching on Google, points me to another piece of malware called Agent.AOO, for which, however, I haven't found a removal kit. Does anyone know how to deal with this last damned trojan too?
    Sky's the Limit!

  5. #5
    HTML.it user (avatar: tognazzi), registered Jan 2007, 1,489 posts
    Try running VundoFix from safe mode if you haven't already done so.
    When Windows restarts, press the F8 key repeatedly before the black screen with the Windows logo appears. The rest of the procedure is the same.
