Maledetto SuperJuan!

[ilkruz]

Avevo un mucchio di virus e dopo aver seguito tt le vostre indikazioni mi è rimasto solo qst SuperJuan...
Ecco il log di Hijackthis...se potete aiutatemi..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0.07.44, on 30/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Programmi\Norton Ghost\Agent\VProSvc.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
C:\Programmi\Lavasoft\Ad-Aware\AAWTray.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1231796536464
O20 - AppInit_DLLs: tuljmz.dll
O20 - Winlogon Notify: nnnononk - nnnononk.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programmi\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6602 bytes

[Deifobe]

si, c'è qualcosa da rimuovere..

prova a fixare:
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe
O20 - AppInit_DLLs: tuljmz.dll
O20 - Winlogon Notify: nnnononk - nnnononk.dll (file missing)

elimina C:\Documents and Settings\Administrator\reader_s.exe
cerca ed elimina: tuljmz.dll


poi, scarica SystemScan - disconnetti il pc da internet => disattiva l'antivirus => esegui systemscan => clicca su "Scan Now". Finita la scansione, riattiva l'antivirus

carica il rapporto che trovi sul desktop su Savefile e posta il link ottenuto.

nota: systemscan viene riconosciuto come infetto per il tipo di scansione effettuata (è un falso positivo). La procedura postata è sicura.

[ilkruz]

grzie mille...eseguo e ti farò sapere..ciao!

[ilkruz]

Allora...C:\Documents and Settings\Administrator\reader_s.exe nn esiste

tuljmz.dll nn lo riesco ad eliminare manualmente!

Ho fatto poi la scansione con SystemScan...ecco il link del report


http://www.savefile.com/files/2060064

[Deifobe]

ciao.. un po' in ritardo ... ma ecco la procedura..

Esegui systemscan, clicca sul pulsante "Removal Script" e, nella finestra che si apre, copia/incolla questo script:

files to delete:
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\ovfsthtsbphxrqr a.tmp
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\ovfsthddxxtitui g.tmp
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\vb236453.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\581745344.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\1387192284.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\3273253330.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\1665731520.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\2385542566.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\789583256.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\2650331802.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\1050934992.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\1776996038.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\1652086704.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\4202991500.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\1205211704.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\jkkLFywU.bat
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\462006756.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\433881756.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\removefiles.txt temp
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\TMP12.tmp
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\TMP11.tmp
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\TMPF.tmp
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\TMP2A.tmp
C:\WINDOWS\temp\tmp87.exe
C:\WINDOWS\system32\ovfstheecfqrmwviasvkcfwbxthwmw mttimovp.dll
C:\WINDOWS\system32\drivers\ovfsthsubnybnamdxypxjs tyxujnswqtbyxitl.sys
C:\WINDOWS\system32\ovfsthiabdyiynsdxhyuwqvgudngmu xbcykonn.dat
C:\WINDOWS\system32\ovfsthhowfmorriudsaorxfefhepay pmibwyyl.dll
C:\WINDOWS\system32\ovfsthjueensegqofimcraqscrwpkr dxxfvnrf.dll
C:\WINDOWS\system32\ovfsthkpguwntprnxtvgmutehcyafv hchchmee.dat
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\p74cnc.exe
C:\RECYCLER\service.exe
C:\WINDOWS\system32\uafkkkvi.dll
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\2374884809.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\p74cnc.exe
C:\Documents and Settings\Administrator\reader_s.exe

registry keys to delete:
HKEY_LOCAL_MACHINE\system\controlset003\services\o vfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr\main
HKEY_LOCAL_MACHINE\system\controlset003\services\o vfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr\modules
HKEY_LOCAL_MACHINE\system\controlset003\services\o vfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\o vfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr\main
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\o vfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr\modules
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\o vfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\o vfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr\main
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\o vfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr\modules
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\o vfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\ovfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr\main
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\ovfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr\modules
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\ovfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\enum\root\ legacy_ovfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\enum\root\ legacy_ovfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\enum\r oot\legacy_ovfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr
HKEY_LOCAL_MACHINE\system\controlset003\enum\root\ legacy_ovfsthvkibsbvpasplypaxnriqfxmkpdpjnbnr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\MSConfig\startupreg\12ZFG94-F641-2SF-K31P-5N1ER6H6L2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\MSConfig\startupreg\287df97b
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\MSConfig\startupreg\Diagnostic Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\MSConfig\startupreg\Windows Resurections

Clicca su "Proceed with removal" e il pc si riavviera' per eseguire lo script (procedi finchè non si avvia).
Al riavvio troveri la finestra di SystemScan con un messaggio (blu se lo script e' stato eseguito correttamente - rossa in caso contrario): controlla l'esito e rieseguilo se necessario.


scarica questa Utility ed attiva solo:
16) Abilita servizio "Centro sicurezza PC" (Wscsvc)


Apri il blocco note e nella pagina copia/incolla:

@echo off
dir "C:\679344596">C:\679344596.txt

salvalo sul desktop come:
nome: pippo.bat
tipo di file: tutti i file
chiudilo ed eseguilo (dura un attimo)

Posta un nuovo systemscan e anche il contenuto del file 679344596.txt

[ilkruz]

http://www.savefile.com/files/2060681

Domande
1. Il file 679344596.txt nn lo trovo...dov'è?
2. Posso eliminare l'utility?
3. Ed il file pippo.bat?
4. Dottoressa come sta il malato?

[Deifobe]

quasi guarito..

il file C:\679344596.txt sta.. in c:\
puoi eliminare l'utility e il file pippo.bat

Apri un file di testo e copiaci dentro:

Windows Registry Editor Version 5.00

[HKey_Current_User\Software\Microsoft\Windows\Curre ntVersion\Run]
"Windows Resurections"=-
"Diagnostic Manager"=-
"12ZFG94-F641-2SF-K31P-5N1ER6H6L2"=-
"p74cnc"=-
;

salvalo come:
nome: fix.reg
tipo di file: tutti i file
chiudi ed eseguilo. accetta le modifiche (dura solo un attimo)


riesegui systemscan con questo scritp:

files to delete:
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\p74cnc.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\642365.tmp
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\jd9847imnf.tmp
C:\WINDOWS\system32\drivers\d2df38ec.sys
C:\WINDOWS\system32\uafkkkvi.dll
C:\RECYCLER\S-1-5-21-4071871085-9166607407-319397207-5554\service.exe
C:\RECYCLER\service.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\2374884809.exe

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | 287df97b

registry keys to delete:
HKEY_LOCAL_MACHINE\system\controlset001\services\d 2df38ec

riesegui il file fix.reg


posta un nuovo systemscan

[ilkruz]

In C:\679344596.txt c'è

Il volume nell'unit… C Š WinXp
Numero di serie del volume: 287D-F9D4

Directory di C:\

27/03/2009 19.13 2 679344596
1 File 2 byte
0 Directory 57.828.814.848 byte disponibili


fix.reg mi dice: L'editor del registro di sistema è stato disabilitato dall' amministartore di sistema

[ilkruz]

http://www.savefile.com/files/2060788

[Deifobe]

scarica questa Utility ed attiva solo:
2) Abilita task manager e regedit

riprova con il fix.reg e vedi se ti da ancora quell'avviso..
se non te lo da, riesegui systemscan..