virus tr\vundo.gen

**teo1980** · 26-11-2007, 16:27

Salve ragazzi sono infetto da questi due virus...come av ho antivir e mi compaiono sempre le finestre di avviso ma come provo a clikkare su "move to quarantine" mi dice "access deny"....risprovo dinuovo su "Move to quarantine" piuttosto che su "Delete" e va all'infinito cosi.....senza fare niente.
Ho provato con il VundoFix...mi fa l'elenco dei file infetti(axbbbzna.dll......wievopml.dll) li rimuove ma quando riavvio il pc è tutto comeprima....che faccio?
Grazie

**OYS** · 26-11-2007, 18:58

1) Scarica questi tool di rimozione, e fai la scansione senza riavviare:

VundoFix
FixVundo
FxVMonde

2) Posta un log di hijackthis.

3) Scarica ComboFix
Avvia combofix.exe, scrivi 1, premi Invio e segui le indicazioni. posta il log (C:\ComboFix.txt).

4) Scarica FindAwf, avvialo premi 1. Al termine posta il log.

**teo1980** · 27-11-2007, 11:44

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10.39.54, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\acer\epm\epm-dm.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Francesco\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26DE5D6E-F704-4AA2-85B2-5DF1D17015B5} - C:\WINDOWS\system32\ddayy.dll
O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - C:\WINDOWS\system32\pmnkijk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {58ccb866-8ad2-5459-b404-47403bc89e4a} - {a4e98cb3-0474-404b-9545-2da8668bcc85} - C:\WINDOWS\system32\ttoiomwl.dll
O2 - BHO: (no name) - {FBD1BDB8-4DA8-414E-BD37-F1147267A0DD} - C:\WINDOWS\system32\pmnnn.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe "
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\voiarggs.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: HÀ
- HÀ
(file missing)
O20 - Winlogon Notify: crehcjid - ¨Pðÿ (file missing)
O20 - Winlogon Notify: pmnkijk - C:\WINDOWS\SYSTEM32\pmnkijk.dll
O20 - Winlogon Notify: `P¨ÿ - `P¨ÿ (file missing)
O20 - Winlogon Notify: ¨Pðÿ - ¨Pðÿ (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

--
End of file - 6478 bytes

**teo1980** · 27-11-2007, 11:50

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid]
¨Pðÿ

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkijk]
pmnkijk.dll 2007-11-23 12:13 34304 C:\WINDOWS\system32\pmnkijk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\`P¨ÿ]
`P¨ÿ

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\¨Pðÿ]
¨Pðÿ

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vturo.dll

R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRA GTLT.SYS
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.s ys
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

.
Contenuto della cartella 'Scheduled Tasks'
"2006-02-25 22:56:18 C:\WINDOWS\Tasks\Low Battery Alarm Program.job"
.
************************************************** ************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 10:31:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

************************************************** ************************
.
Ora fine scansione: 2007-11-27 10:33:01 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-26 23:24
.
--- E O F ---

**OYS** · 27-11-2007, 14:35

Fixa queste:

O2 - BHO: (no name) - {26DE5D6E-F704-4AA2-85B2-5DF1D17015B5} - C:\WINDOWS\system32\ddayy.dll

O2 - BHO: (no name) - {30BAA4DF-E0AB-4AFD-B6D8-FFAA032D0468} - C:\WINDOWS\system32\pmnkijk.dll

O2 - BHO: {58ccb866-8ad2-5459-b404-47403bc89e4a} - {a4e98cb3-0474-404b-9545-2da8668bcc85} - C:\WINDOWS\system32\ttoiomwl.dll

O2 - BHO: (no name) - {FBD1BDB8-4DA8-414E-BD37-F1147267A0DD} - C:\WINDOWS\system32\pmnnn.dll (file missing)

O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\voiarggs.dll",b

Tutte le O20

**OYS** · 27-11-2007, 14:44

Ho visto ora il log si combofix. Ricordati di schiacciare sempre "Rispondi", non "Nuovo".

Scarica http://swandog46.geekstogo.com/avenger.zip

clicca su input script manually e poi sulla lente di ingrandimento.
nello spazio bianco inserisci con copia incolla questo:

files to delete:
C:\WINDOWS\system32\vturo.dll
C:\WINDOWS\system32\ddayy.dll
C:\WINDOWS\system32\pmnkijk.dll
C:\WINDOWS\system32\voiarggs.dll

clicca su done.
poi sul semaforo con luce verde
due volte si, il pc si riavviera' e al ritorno posta il log di avenger (C:/avenger.txt).

**Habanero** · 27-11-2007, 15:00

teo1980 ribadisco quanto detto da OYS. Fa' attenzione a premere su "rispondi".

**teo1980** · 28-11-2007, 11:59

hai ragionissimoo!!!
Scusa!!!!
ma è il trojan che ho dentro che mi fa saltare da unapagina all'altra!
Appena accortomi che avevo incasinato il forum volevo cancellare il mess...ma c'è solo il pulsante modifica!
Sorry di nuovo

**teo1980** · 28-11-2007, 12:18

....ecco il log di avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\vuiyvvqy

*******************

Script file located at: \??\C:\Documents and Settings\qshjxnqb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\vturo.dll not found!
Deletion of file C:\WINDOWS\system32\vturo.dll failed!

Could not process line:
C:\WINDOWS\system32\vturo.dll
Status: 0xc0000034

File C:\WINDOWS\system32\ddayy.dll deleted successfully.
File C:\WINDOWS\system32\pmnkijk.dll deleted successfully.

File C:\WINDOWS\system32\voiarggs.dll not found!
Deletion of file C:\WINDOWS\system32\voiarggs.dll failed!

Could not process line:
C:\WINDOWS\system32\voiarggs.dll
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

**OYS** · 28-11-2007, 14:24

Hai fatto la scansione con FixVundo?

Discussione: virus tr\vundo.gen

Strumenti discussione

Ricerca discussione

Visualizza

virus tr\vundo.gen

log di hiackthis

....segue log di hiackthis

Permessi di invio