Debellare vundo.gen

[The.Sharkita]

Ragazzi grazie ad una "cura" per Daemon tool pro advanced sono riuscito a prendermi un trojan (vundo.gen). Ho letto di vari utenti che hanno avuto stò problema e in un modo o in un'altro sono riusciti a eliminare suddetto virus grazie al vostro aiuto, quindi mi metto in vostre mani per liberarmi di stà tr**a.

Antivir me lo localizza ll'interno di gebywvu.dll, ma nonostante ripetute scansioni, anche in modalità provvisoria, dice che nn riesce ad eliminarlo. Ho utilizzato anche Spybot e ad-aware ma il risultato è il medesimo, addirittura se provo ad eliminarlo con ad-aware in modalità provvisoria il pc mi dà schermata blu.
Se provo a fixare la chiave O2 - BHO: (no name) - {58E9AC24-5A2A-4908-9E3B-0633C0F8DF30} - C:\WINDOWS\system32\gebywvu.dll mi viene dato come errore : Hijackthis is about to remove a BHO and the corresponding file from your system. Close all Internet Explorer windows AND all Windows Explorer windows before continuing for the best chance of success.
Vundofix non mi ha rilevato nulla.

[The.Sharkita]

Qui il log di Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21.06.46, on 24/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Creative\Shared Files\CTAudSvc.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmi\Raxco\PerfectDisk\PDAgent.exe
C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programmi\Netropa\Multimedia Keyboard\TrayMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Netropa\Onscreen Display\OSD.exe
C:\Programmi\ATITool\ATITool.exe
C:\WINDOWS\tsnpstd3.exe
C:\Programmi\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Programmi\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\DAEMON Tools Lite\daemon.exe
C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
C:\Programmi\Logitech\SetPoint\SetPoint.exe
C:\Programmi\Raxco\PerfectDisk\PDEngine.exe
C:\Programmi\TG 6.0\TGOnLine.exe
C:\Programmi\File comuni\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programmi\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Programmi\Teamspeak2_RC2\TeamSpeak.exe
C:\Documents and Settings\The.Shark\Desktop\FixVundo.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58E9AC24-5A2A-4908-9E3B-0633C0F8DF30} - C:\WINDOWS\system32\gebywvu.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\3.0.1225 .9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Programmi\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe "
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ATITool] "C:\Programmi\ATITool\ATITool.exe" -s
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programmi\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programmi\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [VolPanel] "C:\Programmi\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Programmi\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programmi\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmi\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Traduttore In-Linea.lnk = C:\Programmi\TG 6.0\TGOnLine.exe
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Traduttore in Internet - {C873E82E-A38B-45AB-8C74-6F4947BE77B7} - C:\Programmi\TG 6.0\TGWeb.exe
O9 - Extra 'Tools' menuitem: Traduttore in Internet - {C873E82E-A38B-45AB-8C74-6F4947BE77B7} - C:\Programmi\TG 6.0\TGWeb.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupda...01/CTSUEng.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5102/CTPID.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Programmi\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: gebywvu - C:\WINDOWS\SYSTEM32\gebywvu.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Programmi\Creative\Shared Files\CTAudSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programmi\File comuni\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 11893 bytes

A breve log di combofix e findawf.

Grazie

[Deifobe]

ciao,

purtroppo il log di hjt non è sufficiente..

scarica SystemScan
disconnetti il pc da internet => disattiva l'antivirus => esegui systemscan => clicca su "Scan Now". Finita la scansione, riattiva l'antivirus

carica il rapporto che trovi sul desktop su Savefile e posta il link ottenuto.

nota: systemscan viene riconosciuto come infetto per il tipo di scansione effettuata (è un falso positivo). Te lo dico perchè, dovesse essere segnalato dall'antivirus (che non hai disattivato, come da indicazione), almeno sai il motivo. La procedura postata è sicura.

[The.Sharkita]

ecco il log di systemscan : http://www.savefile.com/files/1749555

[The.Sharkita]

ecco il log di combofix. Dopo il riavvio del pc non mi si sono ripresentate le finestre di allarme di antivir, combofix è forse riuscito a eliminare il trojan?

http://www.savefile.com/files/1749599

[hell's bells]

Combofix ha eliminato la dll incriminata, fai questa procedura:

scarica Ccleaner

1) per il download dell'ultima versione clicca a destra in alto sotto la freccia verde
2) installalo
3) clicca su "avvia pulizia", ripeti il procedimento 2 volte

riposta un nuovo systemscan.




[ot] edit: scusa tu Deifobe, era tua.. [ot]

[Deifobe]

questi due:
C:\Documents and Settings\The.Shark\Dati applicazioni\inst.exe
C:\WINDOWS\system32\gebywvu.dll
e un servizio si.

Resta da ripulire il registro + un dubbio

Scarica Avenger e CCleaner

Apri il blocco note e nella pagina copia/incolla:

Windows Registry Editor Version 5.00

[-HKey_Classes_Root\CLSID\{58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}]

salvalo in c:\ con il nome nome: fix.reg
tipo di file: tutti i file


Esegui avenger e nella finestra copia/incolla tutta la citazione:

files to delete:
C:\WINDOWS\system32\gebywvu.dll

registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebywvu

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks | {58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}

programs to launch on reboot:
c:\fix.reg

Spunta "Automatically disable any rootkits found" e clicca su "execute".
Il pc dovrebbe riavviarsi da solo, altrimenti riavvialo tu. Posta il report rilasciato

Esegui CCleaner e ripulisci i file temporanei e i cookie (eseguilo 2 volte).

Posta un nuovo systemscan

Poi, ci sono diversi file dat.. ma non so cosa siano.
Apri il blocco note e clicca su File -> apri -> apri il file C:\Programmi\.dat000001.dat
cosa c'è scritto dentro?



@ hell's: opssss scusa ...

[The.Sharkita]

ok fatto tutto :
il report appena acceso è :

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\gebywvu.dll" not found!
Deletion of file "C:\WINDOWS\system32\gebywvu.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Ex plorer\Browser Helper Objects\{58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}" not found!
Deletion of registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Ex plorer\Browser Helper Objects\{58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebywvu" not found!
Deletion of registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebywvu" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Ex plorer\ShellExecuteHooks|{58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Ex plorer\ShellExecuteHooks|{58E9AC24-5A2A-4908-9E3B-0633C0F8DF30}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Program "c:\fix.reg" successfully queued to run on reboot.

Completed script processing.

*******************

Finished! Terminate.


PERO' erà presente anche un avviso d'errore che diceva: Impossibile trovare il file "c:\fix.reg". Verificare che il percorso e il nome del file siano corretti e ritentare. Per cercare un file fare clic sul pulsante Start, quindi scegliere Trova. Chiaramente avevo creato il file, che dopo il rebot non era più presente (presumo perchè sia stato caricato).
ora passo systemscan

[The.Sharkita]

ecco il log di systemscan: http://www.savefile.com/files/1749696

[Deifobe]

è pulito.
Mi fai sapere solo di quel file dat? Giusto x sicurezza.