Schermo nero e scritta gialla warning...

[Servio]

Ciao ragazzi,
ho bisogno del vostro aiuto urgente per risolvere questo danno che ho provocato al pc cercando di aprire un crack (lo so che non è da fare, non tiratemi le orecchie) per photoimpact scaricato da Emule.
Stupidamente e senza accertarmi se il file era valido ho cliccato sul file e lo schermo è diventato nero poi si è aperta una finestrina con una scritta in giallo warning e l'avviso della presenza di spyware e altri virus.
Questo ha causato l' inibizione dell'apertura del task manager, risolto da me modificando il registro, inoltre le proprietà dello schermo sono bloccate e l'active desktop è disattivato.
Navigando in explorer si aprono diverse finestre in alto con la scitta "warning, your sistem is in danger - your computer ecc, con un link che cliccando apre realav.exe (che ovviamente non ho cliccato) e popup che explorer blocca
Ho provato a fare una scansione con Ad aware che mi ha trovato virtumonde (e non solo)ma non è possibile cancellarlo. Inoltre Spybot non parte e non è possibile installare nessun programma antispyware perchè mi escono messaggi di errore. Non posso aprire nemmeno le librerie di winrar, mi viene impedito anche questo. Credo sia superfluo aggiugere che il pc è lentissimo. Mi potete aiutare? Non sono esperto di pc e credo si sia capito.
Grazie a tutti.

[Deifobe]

Originariamente inviato da Servio
(lo so che non è da fare, non tiratemi le orecchie)

te le sei tirate da solo

se hai XP, scarica ed esegui SmitfraudFix (da modalità normale), seleziona l'opzione 1 (Search) e premi invio. Ti verra' visualizzato un file di testo con l'elenco dei file infetti (se presenti): dovresti trovare questo report anche in C:\rapport.txt (NB: process.exe da alcuni antivirus viene rilevato come virus, ovviamente non lo e')
Posta il log di SmitfraudFix


poi, scarica SystemScan - disconnetti il pc da internet => disattiva l'antivirus => esegui systemscan => clicca su "Scan Now". Finita la scansione, riattiva l'antivirus

carica il rapporto che trovi sul desktop su Savefile e posta il link ottenuto.

nota: systemscan viene riconosciuto come infetto per il tipo di scansione effettuata (è un falso positivo). La procedura postata è sicura.

[Servio]

Ciao. Qui sempre peggio. pagine che si chiudono e si aprono, connessioni in siti che io non ho mai digitato ecc. E sono costretto ad usare Firefox per navigare ma anche questo mi fa problemi.

Comunque ecco il log:

SmitFraudFix v2.385

Scan done at 17.11.08,89, 13/12/2008
Run from E:\Programmi\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Programmi\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\CTsvcCDA.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\userinit.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\system32\svchost.exe
E:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINDOWS\system32\MsPMSPSv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\mqsvc.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\CTHELPER.EXE
E:\Programmi\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
E:\Programmi\Creative\SBAudigy2\DVDAudio\CTDVDDet. EXE
E:\WINDOWS\Silvercrest PH 1012B.exe
E:\Programmi\Intel Audio Studio\IntelAudioStudio.exe
E:\Programmi\Real\RealPlayer\RealPlay.exe
E:\Program Files\D-Link\DSL-200\dslstat.exe
E:\Program Files\D-Link\DSL-200\dslagent.exe
E:\Programmi\QuickTime\QTTask.exe
E:\Programmi\iTunes\iTunesHelper.exe
E:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\user\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe
E:\Programmi\Nikon\PictureProject\NkbMonitor.exe
E:\Programmi\iPod\bin\iPodService.exe
E:\WINDOWS\system32\rundll32.exe
E:\Programmi\Java\jre6\bin\jqs.exe
E:\Programmi\Mozilla Firefox\firefox.exe
E:\Programmi\Java\jre6\bin\java.exe
E:\Programmi\Mozilla Firefox\SmitfraudFix\Policies.exe
E:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» E:\


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\user


»»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\user\IMPOST~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\user\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\user\PREFER~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» E:\Programmi


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Pagina iniziale corrente"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=",E:\\PROGRA~1\\KASPER~1\\KASPER~2. 0\\adialhk.dll emosmx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="E:\\WINDOWS\\system32\\userinit.ex e,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 85.37.17.43
DNS Server Search Order: 85.38.28.96

Description: Pirelli Alice Gate 2 plus USB - Miniport dell'Utilità di pianificazione pacchetti
DNS Server Search Order: 192.168.1.1

Description: Intel(R) PRO/1000 PL Network Connection - Miniport dell'Utilità di pianificazione pacchetti
DNS Server Search Order: 192.168.0.99

HKLM\SYSTEM\CCS\Services\Tcpip\..\{21F64C10-4D31-4CB5-9410-DFB17526A193}: NameServer=85.37.17.43 85.38.28.96
HKLM\SYSTEM\CCS\Services\Tcpip\..\{30FDFBF1-3249-4FDD-9F6B-1534AEA1C16F}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{87032265-F548-4D7A-85DF-9BCFF35AAC2F}: DhcpNameServer=192.168.0.99
HKLM\SYSTEM\CS1\Services\Tcpip\..\{21F64C10-4D31-4CB5-9410-DFB17526A193}: NameServer=85.37.17.43 85.38.28.96
HKLM\SYSTEM\CS1\Services\Tcpip\..\{30FDFBF1-3249-4FDD-9F6B-1534AEA1C16F}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{87032265-F548-4D7A-85DF-9BCFF35AAC2F}: DhcpNameServer=192.168.0.99
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

[Deifobe]

Ciao. Qui sempre peggio. pagine che si chiudono e si aprono, connessioni in siti che io non ho mai digitato ecc. E sono costretto ad usare Firefox per navigare ma anche questo mi fa problemi.

certo..... e il rapporto di systemscan dove sta?

.......

avvia il PC in modalità provvisoria, esegui smitfraudfix. Seleziona l'opzione 2 e premi invio. Alla domanda "Registry cleaning - Do you want to clean the registry ?" digita "Y" e dai l'invio.
Il computer si riavviera' per completare il processo di pulizia (altrimenti riavvialo tu in modalita' normale). Sul desktop verra' visualizzato il file di testo che dovrai postare (lo trovi anche in C:\rapport.txt).

[Servio]

scusa, l'ho inviato su savefile.com. E' troppo grande per incollarlo qui. Il nome del file è:

13_12_2008_18_45_report.zip

Ti va bene così o manca qualcosa?

[Deifobe]

si, manca la possibilità di scaricarlo...

devi incollare il link che ricevi......
ricaricalo e guarda nella pagina, compare un link.... devi postare quello...

[Servio]

intanto ti allego il log di smifraudfix, la scansione con l'opzione 2:


SmitFraudFix v2.385

Scan done at 19.46.09,29, 13/12/08
Run from E:\Download\SmitfraudFix
OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{30FDFBF1-3249-4FDD-9F6B-1534AEA1C16F}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{87032265-F548-4D7A-85DF-9BCFF35AAC2F}: DhcpNameServer=192.168.0.99
HKLM\SYSTEM\CS1\Services\Tcpip\..\{30FDFBF1-3249-4FDD-9F6B-1534AEA1C16F}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{87032265-F548-4D7A-85DF-9BCFF35AAC2F}: DhcpNameServer=192.168.0.99
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

[Servio]

Ecco il link: http://www.savefile.com/files/1929038
Spero ti possa essere di aiuto. Comunque grazie davvero.
Ora devo andare.
Ciao.

[Deifobe]

ok..

Scarica e installa malwarebytes.
Aggiornalo: clicca sulla scheda "aggiornamenti" => "controlla aggiornamenti"
Esegui una "scansione completa" (seleziona l'opzione)
A scansione completata, posta il rapporto e un nuovo systemscan


per ora non rimuovere nulla

[Servio]

Niente da fare, il virus purtroppo me lo impedisce. Il messaggio che esce è questo: "Invalid floating point operation" e si aprono una decina di finestre di errore!!! Sob...