Eliminare Trojan.Vundo [era: aiuto penso di avere malware]

[quintinocavallo]

ciao a tutti vi chiedo aiuto in quanto credo di aver beccato un malware in quanto ognio volta che cerco di aprire un link su internet mi apre pagine dia ltri siti, tipo scarica bastione antivirus etc. Ho anche notato che mi fa aprire firefox e il notepad cosa posso fare.

di segiuto inserico lo scan fatto con hijack

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.19.01, on 14/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Wireless Console 2\wcourier.exe
C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Motorola\SMSERIAL\sm56hlpr.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\flciijjq.exe
C:\Programmi\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Programmi\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programmi\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Programmi\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [4c750fca] rundll32.exe "C:\WINDOWS\system32\smgndfit.dll",b
O4 - HKLM\..\Run: [BM4f463c56] Rundll32.exe "C:\WINDOWS\system32\ntllqdut.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LaunchList] C:\Programmi\Pinnacle\Studio 11\LaunchList2.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Programmi\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [WintelUpdate] C:\flciijjq.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1212941309886
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 6529 bytes


e questo è il link dopo la scansione fatta con system scan

http://www.freefilehosting.net/download/3icb5

credo che sia tutto cio' che vi serve

grazie mille a tutti

[Deifobe]

Cortesemente, il rapporto di systemscan o lo carichi su Savefile o carichi su freefilehosting il file zippato (quello caricato è compattato, non si riuscirebbe ad analizzare)

[quintinocavallo]

scusa teecco il nuovo file

http://www.freefilehosting.net/download/3id93

grazie

[Deifobe]

mi ci vorrà 1 oretta circa x analizzare il rapporto. Appena completo la procedura te la posto.
Cortesemente, però, non eseguire assolutamente altre scansioni.. aspetta una mia risposta.
Ciao

[quintinocavallo]

ok

[Deifobe]

pazienta.. sto ancora lavorando al tuo rapporto ( figurati.... poi vedrai... )
cmq tra un poco posto la procedura..

[Deifobe]

dopo ti posto il resto.. per ora fai questo..
ciao

scarica ComboFix sul desktop

apri il blocco note e copiaci dentro questo:

KillAll::
File::
C:\WINDOWS\system32\drivers\clbdriver.sys
C:\WINDOWS\system32\drivers\Ucbg21.sys
C:\WINDOWS\system32\drivers\Dlt86.sys
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\BM4f463c56.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\BM4f463c56.txt
C:\WINDOWS\system32\WinNt32.dll
C:\WINDOWS\system32\awtutTlL.dll
C:\WINDOWS\system32\WinNt32(13).dll
C:\WINDOWS\system32\WinNt32.dl_
C:\WINDOWS\system32\ayauqhqd.tmp
C:\WINDOWS\system32\efcAPjhF.dll
C:\WINDOWS\system32\WinNt32(12).dll
C:\WINDOWS\system32\WinNt32(11).dll
C:\WINDOWS\system32\WinNt32(10).dll
C:\WINDOWS\system32\WinNt32(9).dll
C:\WINDOWS\system32\WinNt32(8).dll
C:\WINDOWS\system32\WinNt32(7).dll
C:\WINDOWS\system32\WinNt32(6).dll
C:\WINDOWS\system32\WinNt32(5).dll
C:\WINDOWS\system32\WinNt32(4).dll
C:\WINDOWS\system32\WinNt32(3).dll
C:\WINDOWS\system32\WinNt32(2).dll
C:\WINDOWS\system32\WinNt32(22).dll
C:\WINDOWS\system32\WinNt32(21).dll
C:\WINDOWS\system32\WinNt32(20).dll
C:\WINDOWS\system32\WinNt32(19).dll
C:\WINDOWS\system32\avgrsstx(2)(2).dll
C:\WINDOWS\system32\WinNt32(18).dll
C:\WINDOWS\system32\WinNt32(17).dll
C:\WINDOWS\system32\WinNt32(16).dll
C:\WINDOWS\system32\WinNt32(15).dll
C:\WINDOWS\system32\WinNt32(14).dll
C:\WINDOWS\system32\YcfhkUtv.ini2
C:\WINDOWS\system32\qwbmrglo.dll
C:\WINDOWS\system32\hgocmmgi.dll
C:\WINDOWS\system32\bxuyiemp.dll
C:\WINDOWS\system32\igmmcogh.ini
C:\WINDOWS\system32\gxnmihvy.ini
C:\WINDOWS\system32\ntllqdut.dll
C:\WINDOWS\system32\vxnpqrjg.dll
C:\WINDOWS\system32\utxdvylr.ini
C:\WINDOWS\system32\smgndfit.dll
C:\WINDOWS\system32\WinNt32.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\tifdngms.ini
C:\WINDOWS\system32\clkcnt.txt
C:\WINDOWS\system32\pdpmhpjg.dll
C:\WINDOWS\system32\faevlwmp.dll
C:\WINDOWS\system32\albqssue.dll
C:\WINDOWS\system32\pmwlveaf.ini
C:\WINDOWS\system32\FhjPAcfe.ini2
C:\WINDOWS\system32\FhjPAcfe.ini
C:\WINDOWS\system32\bzsqlpa.sys
C:\WINDOWS\temp\AE8AB41F91F72503.tmp
C:\WINDOWS\temp\7CF28762C38CA0D4.tmp
C:\WINDOWS\temp\8AF12AB59DCE7145.tmp
C:\WINDOWS\temp\745C6E9ECB8F4863.tmp

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\ucbg21]
[-HKEY_LOCAL_MACHINE\SYSTEM\controlset001\Services\u cbg21]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\u cbg21]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\enum\r oot\legacy_ucbg21]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\enum\root\ legacy_ucbg21]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\enum\root\ legacy_ucbg21]
[-HKEY_LOCAL_MACHINE\SYSTEM\currentControlSet\Servic es\bzsqlpa]
[-HKEY_LOCAL_MACHINE\SYSTEM\controlset001\Services\b zsqlpa]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\b zsqlpa]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\enum\r oot\legacy_bzsqlpa]
[-HKEY_LOCAL_MACHINE\SYSTEM\controlset001\enum\root\ legacy_bzsqlpa]
[-HKEY_LOCAL_MACHINE\SYSTEM\controlset002\enum\root\ legacy_bzsqlpa]
[-HKEY_LOCAL_MACHINE\SYSTEM\controlset001\Services\c lbdriver]
[-HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\c lbdriver]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\clbdriver]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\enum\r oot\legacy_clbdriver]
[-HKEY_LOCAL_MACHINE\SYSTEM\controlset001\enum\root\ legacy_clbdriver]
[-HKEY_LOCAL_MACHINE\SYSTEM\controlset002\enum\root\ legacy_clbdriver]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Network\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Sa feBoot\Minimal\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Sa feBoot\Network\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\controlset001\Control\Sa feBoot\Minimal\clbdriver.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\controlset001\Control\Sa feBoot\Network\clbdriver.sys]
[-HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtutTlL]
[-HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32]
[-HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{67325122-fbae-4111-8d85-31e0e93e36a2}]
[-HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{73673dc5-4289-4123-904b-22597f32f1ed}]
[-HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{a0b4ffea-d466-49a8-9bb0-b7bbd2fcb449}]
[-HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{d1a54a61-bf56-4fc9-99eb-97a62d33d5ed}]
[-HKCR\CLSID\{d1a54a61-bf56-4fc9-99eb-97a62d33d5ed}]
[-HKCR\CLSID\{67325122-fbae-4111-8d85-31e0e93e36a2}]
[-HKCR\CLSID\{73673dc5-4289-4123-904b-22597f32f1ed}]
[-HKCR\CLSID\{a0b4ffea-d466-49a8-9bb0-b7bbd2fcb449}]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WintelUpdate"=-

[HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks]
"{A0B4FFEA-D466-49A8-9BB0-B7BBD2FCB449}"=-

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"BM4f463c56"=-
"4c750fca"=-

Driver::
clbdriver
bzsqlpa
ucbg21

DirLook::
C:\WINDOWS\system32\Avg(2)
C:\WINDOWS\system32\Avg(3)

salvalo sul desktop con il nome CFScript.txt
Chiudi il file

disconnetti il pc da internet, chiudi tutti i programmi e disattiva l'antivirus (è importante!)

Trascina il file sull'icona rossa di combofix (poi non toccare nulla, come prima)

NON toccare assolutamente il pc mentre combofix sta scansionando.
se vedi che ci mette tempo non preoccuparti, attendi...

Quando finisce, riattiva l'antivirus e posta il log combofix C:\ComboFix.txt e un nuovo systemscan

[quintinocavallo]

ha fatto come mi hai detto ma combifix non parte non vorrei che sia sto maledetto malware in quanto mi blocca anchge altri programmi

[hell's bells]

Aspetta istruzioni da Deifobe e non eseguire nessuna scansione con nessun programma mi raccomando.

[quintinocavallo]

ok aspetto