  1. #1
    HTML.it user
    Registered since
    Aug 2007
    Posts
    9

    modified variant of Win32/Dialer.RU

    I changed antivirus and installed NOD32... before, AVS used to find a not-a-virus-porndialer in the temp folder of my account and also in the Windows one... instead, with the same procedure, NOD32 finds "variante modificata di Win32/Dialer.RU".
    How can I remove it? I've seen that the files that get created in the temp folders always have different names, and it shows up at different times... on different sites....
    Thanks

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18.39.03, on 01/08/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Comodo\Firewall\CPF.exe
    C:\windows\system32\winlogon.exe
    C:\Programmi\Eset\nod32kui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\MSN Messenger\MsnMsgr.Exe
    C:\Programmi\a-squared Free\a2service.exe
    C:\Programmi\Comodo\Firewall\cmdagent.exe
    C:\Programmi\Eset\nod32krn.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://giovani.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programmi\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [ctfqnmcw] "c:\windows\system32\ctfqnmcw.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ginge\Menu Avvio\Programmi\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://toolbar.imageshack.us
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase8300.cab
    O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar...ackToolbar.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programmi\a-squared Free\a2service.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmi\Comodo\Firewall\cmdagent.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programmi\File comuni\Logitech\SrvLnch\SrvLnch.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 6185 bytes

  2. #2
    Banned user
    Registered since
    Jun 2007
    Posts
    3,899
    I have suspicions about this one:

    O4 - HKLM\..\Run: [ctfqnmcw] "c:\windows\system32\ctfqnmcw.exe

    run an online scan with Kaspersky and post the resulting log...

  3. #3
    Banned user
    Registered since
    Jun 2007
    Posts
    3,899
    try emptying the temp and tasks folders in Windows... with the display of hidden files enabled...

  4. #4
    HTML.it user
    Registered since
    Aug 2007
    Posts
    9
    I always empty the temp folders, but the files get recreated
    Kaspersky report

    Scan Statistics
    Total number of scanned objects 48889
    Number of viruses found 0
    Number of infected objects 0 / 0
    Number of suspicious objects 0
    Duration of the scan process 00:43:38

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\Ginge\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Ginge\Dati applicazioni\Mozilla\Firefox\Profiles\vnjwre5u.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Ginge\Dati applicazioni\Mozilla\Firefox\Profiles\vnjwre5u.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\Ginge\Dati applicazioni\Mozilla\Firefox\Profiles\vnjwre5u.default\history.dat Object is locked skipped
    C:\Documents and Settings\Ginge\Dati applicazioni\Mozilla\Firefox\Profiles\vnjwre5u.default\key3.db Object is locked skipped
    C:\Documents and Settings\Ginge\Dati applicazioni\Mozilla\Firefox\Profiles\vnjwre5u.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Ginge\Dati applicazioni\Mozilla\Firefox\Profiles\vnjwre5u.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Ginge\Dati applicazioni\Mozilla\Firefox\Profiles\vnjwre5u.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Ginge\Dati applicazioni\Mozilla\Firefox\Profiles\vnjwre5u.default\webappsstore.sqlite Object is locked skipped
    C:\Documents and Settings\Ginge\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Ginge\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Ginge\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Ginge\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\vnjwre5u.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Ginge\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\vnjwre5u.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Ginge\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\vnjwre5u.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Ginge\Impostazioni locali\Dati applicazioni\Mozilla\Firefox\Profiles\vnjwre5u.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Ginge\Impostazioni locali\Temp\~DFDD64.tmp Object is locked skipped
    C:\Documents and Settings\Ginge\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Ginge\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Ginge\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Programmi\ESET\cache\CACHE.NDB Object is locked skipped
    C:\Programmi\ESET\logs\virlog.dat Object is locked skipped
    C:\Programmi\ESET\logs\warnlog.dat Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{60D3A3C6-D131-4B52-9FBF-3A2779008740}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\ctfqnmcw.exe Object is locked skipped
    C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Tasks\czzhjo.job Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    Scan process completed.

  5. #5
    Banned user
    Registered since
    Jun 2007
    Posts
    3,899
    the log is clean... it shouldn't be very hard... go to C:\WINDOWS and find the tasks folder, go into it and, WITH hidden files shown, delete all the files... in the same session empty the Temp folder...

    did that fix anything...?

  6. #6
    Moderator of the Sicurezza informatica e virus section, amvinfe
    Registered since
    May 2002
    Posts
    6,739
    this C:\WINDOWS\system32\ctfqnmcw.exe is infected; it is a new variant of LinkOptimizer, and many antivirus products classify it as an ordinary dialer.

    The executable of the new variant is made up of 8 letters: the first 3 are taken from legitimate system files and the other 5 are random; the extension is always .exe and the directory it sits in is always %SysDir%
    The presence of the .job file confirms it: C:\WINDOWS\Tasks\czzhjo.job

    The scan done with Kaspersky certainly does not show all the values that are present.

    Download
    http://www.suspectfile.com/systemscan
    open it and make sure all the options are ticked, click "Scan Now"; when the scan finishes, a file with a .zip extension (date+time+.zip) will be dropped in C:\suspectfile
    Go to www.sendmefile.com, upload the file and in your next reply post the URL to download it.

    Personally I don't know when I'll be able to look at the report, whether tonight or tomorrow afternoon, but in the meantime start carrying out these steps.

    Also download http://swandog46.geekstogo.com/avenger.zip, it will be needed later for the removals
    ==
    Visit my blog SuspectFile.com
    ==

  8. #8
    HTML.it user
    Registered since
    Aug 2007
    Posts
    9
    and now what do I do?

  9. #9
    Banned user
    Registered since
    Jun 2007
    Posts
    3,899
    you have to wait for amvinfe to analyse the log and give you instructions...

  10. #10
    Now extract and run Avenger.exe

    disable antivirus, firewall and any HIPS modules

    Click on "Input Script Manually". Then on the magnifying glass. A window will open, "View/edit script";
    you need to copy and paste these lines in bold into it:

    Files to delete:
    C:\WINDOWS\system32\ctfqnmcw.exe
    C:\WINDOWS\Tasks\czzhjo.job

    registry values to delete:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run |ctfqnmcw



    After that, click the Done button, then the traffic light, and give the two confirmations. The PC will restart by itself; otherwise do it manually

    The program drops a log with the operations performed.

    Attach the Avenger log (found at C:\avenger.txt) with the result of the script.
    Begun the Clone War has

    Yes yes, they made me an editor --- SuspectFile
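
As an added example (not code from this thread, from HijackThis or from Avenger), the Python below turns the naming rule amvinfe gives in post #6 into a check over HijackThis O4 lines, and emits the removal script in the Avenger format shown in post #10. The list of legitimate system binaries is an assumed subset built from the "Running processes" list in post #1, and expanding `HKLM\..\Run` to the full `CurrentVersion\Run` key relies on HijackThis's own abbreviation; sample inputs are constructed from the logs posted above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: Run entries from the HijackThis log in post #1 and the
# .job file the Kaspersky report in post #4 lists under C:\WINDOWS\Tasks.
HJT_O4_LINES = [
    r'O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programmi\Comodo\Firewall\CPF.exe" /background',
    r'O4 - HKLM\..\Run: [ctfqnmcw] "c:\windows\system32\ctfqnmcw.exe"',
    r'O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]
TASK_JOBS = [r"C:\WINDOWS\Tasks\czzhjo.job"]

# Legitimate system binaries whose first three letters the variant borrows. Assumed
# subset taken from the "Running processes" list in post #1, not a complete allowlist.
KNOWN_SYSTEM_EXES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                     "svchost.exe", "spoolsv.exe", "ctfmon.exe", "explorer.exe"}

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

def executable_path(cmd):
    """Program path from an O4 command line: the quoted path, else the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""

def looks_like_linkoptimizer(path):
    """Naming heuristic from post #6: an 8-letter .exe in %SysDir% whose first three
    letters match a real system binary but which is not itself a known system binary."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if not (name.endswith(".exe") and str(p.parent).lower().endswith(r"\system32")):
        return False
    stem = name[:-4]
    if len(stem) != 8 or not stem.isalpha() or name in KNOWN_SYSTEM_EXES:
        return False
    return any(k.startswith(stem[:3]) for k in KNOWN_SYSTEM_EXES)

def suspicious_run_entries(lines):
    """Return (hive, value name, path) for every Run entry that matches the heuristic."""
    hits = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m and looks_like_linkoptimizer(executable_path(m["cmd"])):
            hits.append((m["hive"], m["name"], executable_path(m["cmd"])))
    return hits

def avenger_script(hits, job_files):
    """Removal script in the format of post #10. HijackThis writes HKLM\\..\\Run for
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run; only HKLM/HKCU are expanded."""
    files = [path for _, _, path in hits] + list(job_files)
    values = [rf"{hive}\Software\Microsoft\Windows\CurrentVersion\Run |{name}"
              for hive, name, _ in hits if hive in ("HKLM", "HKCU")]
    return ("Files to delete:\n" + "\n".join(files) + "\n\n"
            "Registry values to delete:\n" + "\n".join(values) + "\n")
```

Running `avenger_script(suspicious_run_entries(HJT_O4_LINES), TASK_JOBS)` reproduces the three lines amvinfe posted, while the legitimate ctfmon.exe, CPF.exe and nod32kui.exe entries are left alone.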
