
Thread: assorted trojans

  1. #1
    HTML.it user
    Joined
    Dec 2008
    Posts
    8

    assorted trojans

    I think my PC is infested with trojans that I can't get rid of, even though I followed the instructions in the pinned thread.
    I'm not very experienced.. here's the avast log

    02/09/2008 14.42.05 SYSTEM 1188 Sign of "Win32:Adware-gen [Adw]" has been found in "D:\Documents and Settings\Documenti - ziGno\Exe\DivXPro505GAINBundle.exe" file.
    08/09/2008 4.34.32 SYSTEM 1064 Sign of "Win32:Adware-gen [Adw]" has been found in "D:\Documents and Settings\Documenti - ziGno\Exe\DivXPro505GAINBundle.exe" file.
    29/09/2008 2.05.19 SYSTEM 1196 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
    08/10/2008 13.39.02 SYSTEM 1192 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: G:\foto 164.jpg (G:\foto 164.jpg) returning error, 00000005.
    01/12/2008 14.17.31 SYSTEM 1220 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\ZIGNO~1.1TE\IMPOST~1\Temp\TFR2F.tmp\mIRCKeygen.exe" file.
    01/12/2008 14.21.04 SYSTEM 1220 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\ZIGNO~1.1TE\IMPOST~1\Temp\TFR3D.tmp\mIRCKeygen.exe" file.
    21/12/2008 18.06.06 SYSTEM 1224 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Downloads\mirc_6.35_key.exe\serial.exe" file.
    21/12/2008 18.06.14 SYSTEM 1224 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Downloads\mirc_6.35_key.exe\number.exe" file.
    21/12/2008 18.06.49 SYSTEM 1224 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Downloads\mirc 6.35-key.exe\serial.exe" file.
    21/12/2008 18.06.55 SYSTEM 1224 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Downloads\mirc 6.35-key.exe\number.exe" file.
    22/12/2008 16.51.39 ziGno 528 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
    22/12/2008 17.37.45 ziGno 528 Sign of "Win32:Agent-ITS [Trj]" has been found in "D:\Documents and Settings\Documenti - Cristina\Chrissss\GameSetup.exe" file.
    22/12/2008 19.50.06 ziGno 528 Sign of "Win32:Trojan-gen {Other}" has been found in "D:\Documents and Settings\Documenti - Cristina\Chrissss\mccnxc.exe" file.
    22/12/2008 20.36.18 ziGno 528 Sign of "Java:OpenStream-J [Trj]" has been found in "E:\Backup 26082008\Documents and Settings\crisim\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-3fd5a84b-1df94868.class" file.
    22/12/2008 21.04.05 ziGno 528 Sign of "Java:OpenStream-J [Trj]" has been found in "E:\RECYCLER\S-1-5-21-1715567821-1957994488-854245398-1004\Di5\Dati applicazioni\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-3fd5a84b-1df94868.class" file.
    22/12/2008 21.28.35 SYSTEM 1344 Sign of "HTML:Iframe-inf" has been found in "http://bigmp3online.com/?sid=aff0043\?sid=aff0043" file.
    23/12/2008 8.29.08 SYSTEM 1344 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\SYSTEM32\LUWZSY.DLL" file.
    23/12/2008 8.29.55 SYSTEM 1344 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\SYSTEM32\SSQOHXVV.DLL" file.
    23/12/2008 8.30.24 SYSTEM 1344 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\ssqOHxvv.dll" file.
    23/12/2008 8.30.32 SYSTEM 1344 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\ssqOHxvv.dll" file.
    23/12/2008 17.57.27 SYSTEM 1344 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\SYSTEM32\SSQOHXVV.DLL" file.
    23/12/2008 17.58.11 SYSTEM 1344 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\ssqOHxvv.dll" file.
    23/12/2008 17.58.15 SYSTEM 1344 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\ssqOHxvv.dll" file.
    24/12/2008 0.52.47 SYSTEM 1180 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\YIJAKOSU.DLL" file.
    24/12/2008 18.20.06 SYSTEM 1160 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\rqRLcDTl.dll" file.
    25/12/2008 18.54.43 SYSTEM 1272 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\CZYMIC.DLL" file.
    25/12/2008 19.14.20 fabros 924 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\windows\system32\czymic.dll" file.
    26/12/2008 3.53.36 SYSTEM 1112 Sign of "HTML:Iframe-inf" has been found in "http://bigmp3online.com/?sid=aff0043\?sid=aff0043" file.

  2. #2
    HTML.it user
    Joined
    Dec 2008
    Posts
    8
    and the HijackThis one

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15.33.15, on 26/12/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    C:\Programmi\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Programmi\Bonjour\mDNSResponder.exe
    C:\Programmi\Java\jre6\bin\jqs.exe
    C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Programmi\Telecom Italia\WanMiniport1st\WanMiniport1st_srv.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    D:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Programmi\CyberLink\PowerDVD8\PDVD8Serv.exe
    C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
    C:\Programmi\Java\jre6\bin\jusched.exe
    D:\Programmi\iTunes\iTunesHelper.exe
    C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\driven~1\syncer\McciTrayApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
    C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
    C:\Programmi\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://virgilio.alice.it/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [RemoteControl8] C:\Programmi\CyberLink\PowerDVD8\PDVD8Serv.exe
    O4 - HKLM\..\Run: [PDVD8LanguageShortcut] C:\Programmi\CyberLink\PowerDVD8\Language\Language.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Programmi\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "D:\Programmi\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AliceRE_McciTrayApp] C:\PROGRA~1\ALICET~1\vendors\AliceRE\content\template\driven~1\syncer\McciTrayApp.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AlcoholAutomount] "D:\Programmi\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Scarica tutti i video usando BitComet - res://D:\Programmi\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: Scarica tutto usando BitComet - res://D:\Programmi\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Scarica usando &BitComet - res://D:\Programmi\BitComet\BitComet.exe/AddLink.htm
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Programmi\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1219748880073
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O20 - AppInit_DLLs: ,C:\WINDOWS\system32\yijakosu.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
    O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: Network WanMiniport First Position - Unknown owner - C:\Programmi\Telecom Italia\WanMiniport1st\srvany.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    --
    End of file - 8595 bytes
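
The two logs above are worth reading together rather than one at a time: avast! flagged yijakosu.dll in system32 as Rootkit-gen on 24/12, and the HijackThis log shows that same DLL in the O20 AppInit_DLLs value, which Windows maps into every process that loads user32.dll. The script below is an added example, not part of the thread and not code from avast! or HijackThis: it parses a constructed sample of lines copied from posts #1 and #2, collects the file names the antivirus flagged under system32 (case-folded, since the same file appears as SSQOHXVV.DLL and ssqOHxvv.dll), and then marks the HijackThis entries that reference those files, carry a non-empty AppInit_DLLs, run a service binary with no vendor information, or point at a missing file. The "Unknown owner" and "file missing" checks are review prompts, not verdicts.

```python
import re

# avast! 4 log line: date, time, account, pid, then the detection sentence.
AVAST_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d.]+) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)
# HijackThis line: section code (R0/R1/O4/O20/...), " - ", then the entry body.
HJT_RE = re.compile(r'^(?P<section>[OR]\d+) - (?P<body>.*)$')

# Constructed sample: a handful of lines copied from the two posts above.
AVAST_SAMPLE = """\
01/12/2008 14.17.31 SYSTEM 1220 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\\DOCUME~1\\ZIGNO~1.1TE\\IMPOST~1\\Temp\\TFR2F.tmp\\mIRCKeygen.exe" file.
23/12/2008 8.29.08 SYSTEM 1344 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\\WINDOWS\\SYSTEM32\\LUWZSY.DLL" file.
23/12/2008 8.30.24 SYSTEM 1344 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\\WINDOWS\\system32\\ssqOHxvv.dll" file.
24/12/2008 0.52.47 SYSTEM 1180 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\\WINDOWS\\SYSTEM32\\YIJAKOSU.DLL" file.
25/12/2008 19.14.20 fabros 924 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "c:\\windows\\system32\\czymic.dll" file.
29/09/2008 2.05.19 SYSTEM 1196 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
"""
HJT_SAMPLE = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\\Programmi\\BitComet\\tools\\BitCometBHO_1.2.2.28.dll/206 (file missing)
O20 - AppInit_DLLs: ,C:\\WINDOWS\\system32\\yijakosu.dll
O23 - Service: Network WanMiniport First Position - Unknown owner - C:\\Programmi\\Telecom Italia\\WanMiniport1st\\srvany.exe
"""


def parse_avast(text):
    """One dict per detection line; engine/update errors are not detections."""
    events = []
    for line in text.splitlines():
        m = AVAST_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def system32_basenames(events):
    """Lower-cased names of files avast! flagged under %SystemRoot%\\system32.
    Case is folded because the same DLL shows up as SSQOHXVV.DLL and ssqOHxvv.dll."""
    names = set()
    for ev in events:
        path = ev["path"].lower()
        if "\\windows\\system32\\" in path:
            names.add(path.rsplit("\\", 1)[1])
    return names


def parse_hjt(text):
    """(section, body) pairs; header and process-list lines do not match."""
    entries = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def correlate(events, entries):
    """HijackThis entries worth a second look, each with the reasons."""
    flagged = system32_basenames(events)
    findings = []
    for section, body in entries:
        low = body.lower()
        reasons = []
        hits = sorted(n for n in flagged if n in low)
        if hits:
            reasons.append("references AV-flagged file " + ", ".join(hits))
        if section == "O20" and low.split(":", 1)[-1].strip(" ,"):
            # AppInit_DLLs is mapped into every process that loads user32.dll;
            # on XP any non-empty value deserves inspection.
            reasons.append("non-empty AppInit_DLLs")
        if section == "O23" and "unknown owner" in low:
            # No vendor in the version resource: a prompt to review, not proof
            # of malice (srvany.exe here is a Microsoft resource-kit wrapper).
            reasons.append("service binary without vendor information")
        if "(file missing)" in low:
            reasons.append("dangling entry, target file missing")
        if reasons:
            findings.append((section, "; ".join(reasons), body))
    return findings


def report(avast_text, hjt_text):
    """Human-readable summary of the correlation."""
    events = parse_avast(avast_text)
    sigs = {e["sig"] for e in events}
    lines = ["%d detections, %d distinct signatures" % (len(events), len(sigs))]
    for section, why, body in correlate(events, parse_hjt(hjt_text)):
        lines.append("%-4s %s\n     %s" % (section, why, body))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(AVAST_SAMPLE, HJT_SAMPLE))
```

Run against the full logs (paste them into the two sample strings) the same code also surfaces LUWZSY.DLL, ssqOHxvv.dll, rqRLcDTl.dll and czymic.dll, none of which appears in the HijackThis output: a randomly named DLL that the AV keeps finding in system32 but that no visible autostart references is exactly the pattern that justifies the rootkit-aware tooling suggested later in the thread.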

  3. #3
    HTML.it user (Deifobe)
    Joined
    Oct 2007
    Posts
    6,072
    download SystemScan, disconnect the PC from the internet => disable the antivirus => run systemscan => click "Scan Now".

    Once the scan is finished, re-enable the antivirus, upload the report you find on the desktop to Freefilehosting and post the link you get.

    Note: systemscan gets detected as infected because of the kind of scan it performs; obviously it isn't.
    ...
    :x:_::_:*:_::_: )(:_:*:_:*:__::_:°FM°:_: )(:_:*:_:x:___

  4. #4

  5. #5
    HTML.it user (Deifobe)
    Joined
    Oct 2007
    Posts
    6,072
    are you sure you still have problems with the PC? I don't really see much..

    Download and run Avenger, and in the window that opens copy/paste:

    files to delete:
    C:\WINDOWS\system32\03a503ed-.txt
    C:\WINDOWS\system32\muhudonu
    C:\WINDOWS\system32\yijakosu.dll

    registry values to replace with dummy:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

    registry keys to delete:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqOHxvv
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66b239e5-9f0e-40b4-b33b-ebb3418fff6a}
    Tick "Automatically disable any rootkits found" and click "execute".
    The PC should reboot by itself, otherwise reboot it yourself.
    ...
    :x:_::_:*:_::_: )(:_:*:_:*:__::_:°FM°:_: )(:_:*:_:x:___
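
The Avenger script above removes three persistence points: the AppInit_DLLs value (loaded into every process that uses user32.dll), a Winlogon\Notify package (a DLL winlogon loads at logon, as SYSTEM) and a Browser Helper Object CLSID. The audit below is an added example, not part of the thread and not code from Avenger: it checks those three locations and reports anything left behind. The core function takes two reader callables, so it runs here against a constructed snapshot that mirrors the HijackThis log and the script (assumed state, not read from the user's machine), and on a Windows host it can be pointed at the live HKLM hive through winreg. The list of Winlogon\Notify packages treated as stock XP SP3, and the rule that a BHO served from system32 is suspect, are assumptions of this example.

```python
import sys

# HKLM-relative paths of the three persistence points the script targets.
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"SOFTWARE\Classes\CLSID"

# Notification packages on a stock Windows XP SP3 install (assumed baseline
# for this example; add whatever your own build legitimately ships).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}


def audit(read_value, list_subkeys):
    """Return (location, detail) findings for the three persistence points.

    read_value(key, name) -> str, or None when the key/value does not exist
    ("" names a key's default value); list_subkeys(key) -> list of names.
    """
    findings = []
    appinit = (read_value(APPINIT_KEY, "AppInit_DLLs") or "").strip(" ,")
    if appinit:  # every DLL listed here is mapped into every user32 process
        findings.append(("AppInit_DLLs", appinit))
    for pkg in list_subkeys(NOTIFY_KEY):
        if pkg not in KNOWN_NOTIFY:  # winlogon loads DLLName at logon as SYSTEM
            dll = read_value(NOTIFY_KEY + "\\" + pkg, "DLLName")
            findings.append(("Winlogon\\Notify\\" + pkg, dll or "<no DLLName>"))
    for clsid in list_subkeys(BHO_KEY):
        server = read_value(CLSID_KEY + "\\" + clsid + "\\InprocServer32", "")
        if server is None:
            findings.append(("BHO " + clsid, "registered, but the CLSID has no InprocServer32"))
        elif "\\system32\\" in server.lower():  # heuristic: legitimate BHOs rarely live there
            findings.append(("BHO " + clsid, server))
    return findings


class Snapshot:
    """In-memory registry stand-in so the audit can run away from the host."""
    def __init__(self, values, subkeys):
        self.values = dict(values)
        self.subkeys = {k: list(v) for k, v in subkeys.items()}

    def read_value(self, key, name):
        return self.values.get((key, name))

    def list_subkeys(self, key):
        return self.subkeys.get(key, [])


def snapshot_from_thread():
    """Constructed state matching the HijackThis log and the Avenger script above."""
    return Snapshot(
        {(APPINIT_KEY, "AppInit_DLLs"): r",C:\WINDOWS\system32\yijakosu.dll",
         (NOTIFY_KEY + r"\ssqOHxvv", "DLLName"): r"C:\WINDOWS\system32\ssqOHxvv.dll"},
        # the BHO CLSID from the script has no matching entry under CLSID
        {NOTIFY_KEY: sorted(KNOWN_NOTIFY) + ["ssqOHxvv"],
         BHO_KEY: ["{66b239e5-9f0e-40b4-b33b-ebb3418fff6a}"]},
    )


def cleaned(snap):
    """Model what the Avenger script does: blank AppInit_DLLs, delete the two keys."""
    values = dict(snap.values)
    values[(APPINIT_KEY, "AppInit_DLLs")] = ""
    subkeys = {NOTIFY_KEY: [k for k in snap.subkeys[NOTIFY_KEY] if k != "ssqOHxvv"],
               BHO_KEY: []}
    return Snapshot(values, subkeys)


def live_adapters():
    """Readers for the real HKLM hive through winreg (Windows only)."""
    import winreg

    def read_value(key, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                return str(winreg.QueryValueEx(h, name)[0])
        except OSError:
            return None

    def list_subkeys(key):
        names = []
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                while True:  # EnumKey raises OSError past the last subkey
                    names.append(winreg.EnumKey(h, len(names)))
        except OSError:
            pass
        return names

    return read_value, list_subkeys


if __name__ == "__main__":
    if sys.platform == "win32":
        read_value, list_subkeys = live_adapters()
    else:
        snap = snapshot_from_thread()
        read_value, list_subkeys = snap.read_value, snap.list_subkeys
    for where, what in audit(read_value, list_subkeys) or [("clean", "nothing found")]:
        print(where, "->", what)
```

A clean result from inside the running OS is necessary but not sufficient: a kernel-mode rootkit can filter what winreg returns, which is why the post has the user tick the rootkit option in Avenger and reboot before trusting anything the system reports.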

  6. #6
    HTML.it user
    Joined
    Dec 2008
    Posts
    8
    actually the PC seems to run normally when it's disconnected; the problems start when I connect.. after a couple of hours (right now I'm connected from another PC)

    anyway I ran this procedure too.. let's see if everything works now

  7. #7
    HTML.it user (Deifobe)
    Joined
    Oct 2007
    Posts
    6,072
    ok, when you connect it, do this as well:

    Download and install Malwarebytes.
    Update it: click the "Updates" tab => "Check for updates"
    Run a "Full scan" (select the option)
    When the scan is complete, post the report.

    don't remove anything for now

    bye
    ...
    :x:_::_:*:_::_: )(:_:*:_:*:__::_:°FM°:_: )(:_:*:_:x:___

  8. #8
    HTML.it user
    Joined
    Dec 2008
    Posts
    8
    should I do it connected or disconnected?

  9. #9
    HTML.it user
    Joined
    Dec 2008
    Posts
    8
    oh well
    I started the scan while disconnected
    I'll post the results tonight or tomorrow

    thanks for now
    bye!

  10. #10
    HTML.it user (Deifobe)
    Joined
    Oct 2007
    Posts
    6,072
    sorry, but I was already offline...
    I'll look at the report when you post it

    'night
    ...
    :x:_::_:*:_::_: )(:_:*:_:*:__::_:°FM°:_: )(:_:*:_:x:___
