trojan virtumonde/rootkit

[rucker]

Ho un problema con Virtumonde
Spybot S&D me lo segnala, lo rimuove e io melo ritrovo da capo.
Ho fatto una scansione con hijackthis ma non so interpretarla.
Qualcuno sa aiutarmi?
Grazie
Rucker

LOG di HJT==================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.16.43, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\system32\Tablet.exe
C:\Programmi\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\luigi.PC-LUIGI\Desktop\RootkitRevealer.exe
C:\DOCUME~1\LUIGI~1.PC-\IMPOST~1\Temp\MWFTQ.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Programmi\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Programmi\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe "
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programmi\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: www.bwash.it
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://server/ConnectComputer/nshelp.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://62.149.175.43:4643/vz/rdp/msrdp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bej...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A044C3AD-B301-4B04-A5DD-11C58EEF9AE7}: NameServer = 192.168.0.2,192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Programmi\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmi\Comodo\Firewall\cmdagent.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KNZPZX - Sysinternals - www.sysinternals.com - C:\DOCUME~1\LUIGI~1.PC-\IMPOST~1\Temp\KNZPZX.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Programmi\File comuni\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MWFTQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\LUIGI~1.PC-\IMPOST~1\Temp\MWFTQ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 52\StarWind\StarWindService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 10729 bytes

[OYS]

Hai scaricato qualcosa di Sysinternals?


Fai una scansione con questo:

http://securityresponse.symantec.com...r/FxVMonde.exe

[rucker]

Non trova nulla ma spybot invece continua a beccarlo...
Se uso rootkit revealer mi indica delle chiavi di registro ma non mi dice come modificarle...
Rootkit Revealer================================
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Adobe\MediaBrowser\MRU\illustrator\A pplicationPath 12/12/2007 17.42 87 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Count 12/12/2007 20.05 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Time 12/12/2007 20.05 16 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{1CF319AC-C8DB-4711-8CA6-E1F2677109C2}\iexplore\Count 12/12/2007 20.05 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{1CF319AC-C8DB-4711-8CA6-E1F2677109C2}\iexplore\Time 12/12/2007 20.05 16 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{22BF413B-C6D2-4D91-82A9-A0F997BA588C}\iexplore\Count 12/12/2007 20.05 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{22BF413B-C6D2-4D91-82A9-A0F997BA588C}\iexplore\Time 12/12/2007 20.05 16 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{53707962-6F74-2D53-2644-206D7942484F}\iexplore\Count 12/12/2007 20.05 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{53707962-6F74-2D53-2644-206D7942484F}\iexplore\Time 12/12/2007 20.05 16 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{9B8C96CB-8926-4FD1-9EF3-6A50BE3E3682}\iexplore\Count 12/12/2007 20.05 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{9B8C96CB-8926-4FD1-9EF3-6A50BE3E3682}\iexplore\Time 12/12/2007 20.05 16 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{AE7CD045-E861-484F-8273-0445EE161910}\iexplore\Count 12/12/2007 20.05 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{AE7CD045-E861-484F-8273-0445EE161910}\iexplore\Time 12/12/2007 20.05 16 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{B285004D-6D02-4212-91FC-B8F47B68C254}\iexplore\Count 12/12/2007 20.05 4 bytes Data mismatch between Windows API and raw hive data.
HKU\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{B285004D-6D02-4212-91FC-B8F47B68C254}\iexplore\Time 12/12/2007 20.05 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 16/05/2005 8.58 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 16/05/2005 8.58 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Pa rameters\FirewallPolicy\StandardProfile\Authorized Applications\List\C:\WINDOWS\system32\xyrptsni.exe 12/12/2007 15.22 47 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Pa rameters\FirewallPolicy\StandardProfile\Authorized Applications\List\C:\WINDOWS\system32\aepvwvvj.exe 12/12/2007 15.22 47 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 06/03/2007 11.33 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Pa rameters\FirewallPolicy\StandardProfile\Authorized Applications\List\C:\WINDOWS\system32\xyrptsni.exe 12/12/2007 15.22 47 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Pa rameters\FirewallPolicy\StandardProfile\Authorized Applications\List\C:\WINDOWS\system32\aepvwvvj.exe 12/12/2007 15.22 47 bytes Data mismatch between Windows API and raw hive data.


Qualcuno sa dirmi come intervenire?
Grazie
Rucker

[OYS]

Potresti postare un rapporto, oppure nello specifico quello che blocca spybot?



Fai una scansione anche con questi due:


http://www.softpedia.com/get/Antivirus/VundoFix.shtml
http://www.symantec.com/content/it/i...s/FixVundo.exe




Poi scarica GMER

a) clicca su > > >
Clicca su Autostart
spunta Show All
clicca Scan
al termine della scansione clicca su Copy
Apri il blocco note e premi CTRL+V.
Salva il file e caricalo su http://www.savefile.com
Posta qui il link che esce.

b) clicca su Rootkit
clicca su Scan
al termine della scansione, clicca su Copy
Apri il blocco note e premi CTRL+V.
Salva il file e caricalo su http://www.savefile.com
Posta qui il link che esce.

[rucker]

Allora:
Innanzitutto OYS, grazie per l'attenzione.

Poi:
Ho scansionato con Avast anti-virus, AVG Anti-spyware, Ad-aware e Spybot S&D.
Poi ho usato Vundofix, Fixvundo e FXVMonde.

Solo Spybot trova qualcosa cioè:

Virtumonde: [SBI $42352499] Impostazioni utente (Chiave di registro, nothing done)
HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Impostazioni (Chiave di registro, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: [SBI $72423952] Impostazioni (Chiave di registro, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainServic e

Virtumonde: [SBI $08956178] Servizio di sistema (Chiave di registro, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\D omainService

Virtumonde: [SBI $7342F9D9] Impostazioni (Chiave di registro, nothing done)
HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\aldd

Virtumonde.ddc: [SBI $6DAC5CA3] Eseguibile (File, nothing done)
C:\WINDOWS\system32\nxtsjvpd.exe

Virtumonde.ddc: [SBI $530AFE4F] Impostazioni (Valore di registro, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\D omainService\ImagePath

Virtumonde.ddc: [SBI $B451B415] Impostazioni (Valore di registro, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\S haredAccess\Parameters\FirewallPolicy\StandardProf ile\AuthorizedApplications\List\C:\WINDOWS\SYSTEM3 2\NXTSJVPD.EXE


La scansione di GMER la ho eseguita, i file sono caricati a questi indirizzi:

http://www.savefile.com/files/1264163

http://www.savefile.com/files/1264165

Grazie ancora
Rucker

[OYS]

1) start-->esegui--> ora copia incolla i seguenti comandi uno alla volta:

sc stop DomainService (invio)
sc delete DomainService (invio)



2) Scarica http://swandog46.geekstogo.com/avenger.zip

clicca su input script manually e poi sulla lente di ingrandimento.
nello spazio bianco inserisci con copia incolla questo:


registry keys to delete:
HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\rdfa
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainServic e
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\D omainService
HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\aldd

files to delete:
C:\WINDOWS\system32\nxtsjvpd.exe


clicca su done.
poi sul semaforo con luce verde
due volte si, il pc si riavviera' e al ritorno posta il log di avenger (C:/avenger.txt).


3)Scarica SmitFraudFix. Avvialo scrivi 2, quando ti fa una domanda premi y e poi posta il log.

P.S. È possibile che eliminando "DomainService" la connessione internet non vadi più, perchè infatti cambia l'IP, il Subnet Mask ed i DNS. Basta rimetterli a posto e sarai ok.

[rucker]

Ecco il log di Avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\vdrrvnxl

*******************

Script file located at: \??\C:\ydfyhcdv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\D omainService deleted successfully.
File C:\WINDOWS\system32\wlfjkwkp.exe deleted successfully.


Registry key HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\rdfa not found!
Deletion of registry key HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\rdfa failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainServic e deleted successfully.


Registry key HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\aldd not found!
Deletion of registry key HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\aldd failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.




Quello di Smitfraudfix è troppo lungo per postarlo ma si trova Qui

[OYS]

Ora come va?

[rucker]

....
Niente...
continua ad aprirmi le pop-up di "zedo".....
Non so più che fare.
Ho notato che nulla rimuove

Registry key HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\aldd not found!
Deletion of registry key HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\aldd failed!
Status: 0xc0000034


e


Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\D omainService deleted successfully.
File C:\WINDOWS\system32\wlfjkwkp.exe deleted successfully.


Registry key HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\rdfa not found!
Deletion of registry key HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\rdfa failed!
Status: 0xc0000034

Non riesco a capire cosa non funziona...
Rucker

[OYS]

Fai una scansione con vari antispyware.

FIREFOX:

.1 Installate il plugin che trovate al seguente indirizzo:http://www.extenzilla.org/scheda_estensione.php?id=154
(Questo plugin aggiunge a firefox un pulsante
"Rimuovi il cookie e blocca il sito"
Nella form Opzioni->Privacy->Cookie)

.2 Andate in Strumenti->Opzioni

.3 Cliccate su "Privacy"

.4 Cliccate su "Mostra i cookie"

.5 Selezionate nella lista tutti quelli relativi a zedo

.6 Cliccate su "Rimuovi il cookie e blocca il sito"

.7 Cercate nella lista tutti i cookie che contengono zedo
e ripetete l'operazione.


Probabilmente accadrà che metteranno altri cookie con nomi diversi che mandano sempre alla stessa pagina. In quel caso, se il problema si ripresenta, basta ripetere la procedura e bloccare il sito.

La versione 3 di firefox (che ora è in beta) consentirà di bloccare un sito a scelta. In quel caso non dovrebbe essere più necessario installare il plugin (che nella versione corrente è compatibile solo con firefox 2 e non con il prossimo firefox 3)



Per IE:

Strumenti -->Opzioni Internet.


Clic sulla scheda Privacy (Media) --> Siti.


Nella casella Indirizzo sito Web digiti i siti a cui reindirizza zedo --> clic su Blocca.
Durante la digitazione dell'indirizzo verrà visualizzato un elenco di pagine Web già visitate. È possibile fare clic su una voce dell'elenco, che verrà visualizzata nell'elenco Indirizzo sito Web.