  1. #1
    HTML.it user, registered Aug 2006, 22 posts

    Trojan: Dldr.Agent.brpo (3)

    Hi, I have the same problem as corvis86 and alexrecruit: when I open Mozilla, Avira AntiVir detects this virus:

    detected in file 'C:\Windows\System32\gxvxcnxsnrpvxyobogyxyvsdxfxebwobujibs.dll'
    TR/Dldr.Agent.brpo [trojan]

    and even if I click Delete, the detection comes back as soon as I reopen it. After the scan I downloaded and installed Malwarebytes' Anti-Malware as your guide suggests, but it doesn't work: when I launch it I get the message "Malwarebytes' Anti-Malware has stopped working". I also tried the Kaspersky online scan, but that didn't work either.
    So I downloaded HijackThis, and this is the log it produced:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20.54.20, on 23/04/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18226)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\ntvdm.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Sony\Network Utility\LANUtil.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclToBTSrv.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F3 - REG:win.ini: load= C:\BC5\PIPELINE\remind.exe
    O1 - Hosts: ::1 localhost
    O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\PROGRA~1\GOOGLE~1\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
    O4 - HKLM\..\Run: [Nokia FastStart] "C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Scarica link utilizzando Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{137A0170-9322-473C-8460-567B51305975}: NameServer = 85.255.112.108,85.255.112.211
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72E8F334-C0B8-48F9-A0F0-8ACB05F20A4A}: NameServer = 85.255.112.108,85.255.112.211
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.108,85.255.112.211
    O17 - HKLM\System\CS1\Services\Tcpip\..\{137A0170-9322-473C-8460-567B51305975}: NameServer = 85.255.112.108,85.255.112.211
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.108,85.255.112.211
    O17 - HKLM\System\CS2\Services\Tcpip\..\{137A0170-9322-473C-8460-567B51305975}: NameServer = 85.255.112.108,85.255.112.211
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.108,85.255.112.211
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O21 - SSODL: bhvtwqvYC - {D69F4122-7C35-EB88-2911-B1E4B4E5A363} - (no file)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: VAIO Media plus Content Importer (SOHCImp) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHCImp.exe
    O23 - Service: VAIO Media plus Digital Media Server (SOHDms) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHDms.exe
    O23 - Service: VAIO Media plus Device Searcher (SOHDs) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHDs.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: TwonkyMedia - PacketVideo - C:\Program Files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
    O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 10578 bytes

    I also ran a scan with systemscan in case it is useful to you; this is the link to the report: http://www.filedropper.com/report_1

    I'm using Windows Vista.

    Thanks in advance

    Massimo

  2. #2
    I'll check and let you know

  3. #3
    Using HijackThis, fix:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{137A0170-9322-473C-8460-567B51305975}: NameServer = 85.255.112.108,85.255.112.211
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72E8F334-C0B8-48F9-A0F0-8ACB05F20A4A}: NameServer = 85.255.112.108,85.255.112.211
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.108,85.255.112.211
    O17 - HKLM\System\CS1\Services\Tcpip\..\{137A0170-9322-473C-8460-567B51305975}: NameServer = 85.255.112.108,85.255.112.211
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.108,85.255.112.211
    O17 - HKLM\System\CS2\Services\Tcpip\..\{137A0170-9322-473C-8460-567B51305975}: NameServer = 85.255.112.108,85.255.112.211
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.108,85.255.112.211

    Download Avenger and paste the following into the window that opens:
    Files to delete:
    C:\autorun.inf
    C:\Users\Massimo\AppData\Local\Temp\PW21LeSC.wmv.part
    C:\Windows\system32\sgc7g1j0ev0b.dll

    Folders to delete:
    C:\Users\Massimo\AppData\Local\Temp\etilqs_j5aIJ2AAc9WCQ4lra7WO

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\system\controlset001\services\aaibftnp
    Tick "Automatically disable any rootkits found" and click "execute".
    The PC should reboot; if it doesn't, reboot it yourself. Post the report saved at c:\avenger.txt
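A triage script for the HijackThis entries this reply tells the user to fix, added here as an example and not part of the original post: it parses O17 NameServer lines and flags resolvers that are neither RFC 1918/loopback nor in a caller-supplied allow-list (the allow-list parameter is an assumption, for the ISP or corporate resolvers a machine is expected to use), and lists O2/O21 entries whose CLSID points at "(no file)". The sample lines are copied from the log posted above.

```python
import ipaddress
import re

# Sample lines copied from the HijackThis log in this thread; only the entry
# types the checks below look at are included.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{137A0170-9322-473C-8460-567B51305975}: NameServer = 85.255.112.108,85.255.112.211
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.108,85.255.112.211
O21 - SSODL: bhvtwqvYC - {D69F4122-7C35-EB88-2911-B1E4B4E5A363} - (no file)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

def parse_o17(line):
    """Return (registry key, [resolver, ...]) for an O17 NameServer line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    return m.group("key"), servers

def is_expected_resolver(text, allowed_nets):
    """RFC 1918 / loopback resolvers (home router, local DNS) are normal; any
    other address must be in the allow-list (assumed parameter) to pass."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:          # garbage in the NameServer value is suspicious too
        return False
    return ip.is_private or ip.is_loopback or any(ip in net for net in allowed_nets)

def find_dns_hijacks(log_text, allowed_networks=()):
    """List (registry key, [rogue resolvers]) for every O17 entry that points
    somewhere unexpected, like the 85.255.112.x pair in this thread's log."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        rogue = [s for s in servers if not is_expected_resolver(s, nets)]
        if rogue:
            hits.append((key, rogue))
    return hits

def find_dangling_entries(log_text):
    """O2/O21 lines ending in '(no file)': a CLSID whose backing DLL is gone or hidden."""
    return [l.strip() for l in log_text.splitlines()
            if l.strip().startswith(("O2 -", "O21 -")) and l.rstrip().endswith("(no file)")]

if __name__ == "__main__":
    for key, rogue in find_dns_hijacks(SAMPLE_LOG):
        print("rogue resolver(s)", rogue, "in", key)
    for entry in find_dangling_entries(SAMPLE_LOG):
        print("dangling:", entry)
```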

  4. #4
    Here it is:

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.

    Hidden driver "gxvxcserv.sys" found!
    ImagePath: \systemroot\system32\drivers\gxvxccxjpqqctrtxysvfuxikvbdcpsxdhemkp.sys
    Driver disabled successfully.

    Rootkit scan completed.

    File "C:\autorun.inf" deleted successfully.
    File "C:\Users\Massimo\AppData\Local\Temp\PW21LeSC.wmv.part" deleted successfully.
    File "C:\Windows\system32\sgc7g1j0ev0b.dll" deleted successfully.

    Error: folder "C:\Users\Massimo\AppData\Local\Temp\etilqs_j5aIJ2AAc9WCQ4lra7WO" not found!
    Deletion of folder "C:\Users\Massimo\AppData\Local\Temp\etilqs_j5aIJ2AAc9WCQ4lra7WO" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: registry key "HKEY_LOCAL_MACHINE\system\controlset001\services\aaibftnp" not found!
    Deletion of registry key "HKEY_LOCAL_MACHINE\system\controlset001\services\aaibftnp" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Completed script processing.

    *******************

    Finished! Terminate.

  5. #5
    Run a scan with systemscan and post it.

  6. #6

  7. #7
    Run Avenger:
    Drivers to disable:
    C:\Windows\system32\drivers\gxvxccxjpqqctrtxysvfuxikvbdcpsxdhemkp.sys

    Files to delete:
    C:\Windows\system32\gxvxccounter

    Registry keys to delete:
    HKLM\system\controlset002\services\gxvxcserv.sys
    HKLM\SYSTEM\ControlSet001\enum\legacy_gxvxcserv.sys
    HKLM\SYSTEM\controlset003\enum\legacy_gxvxcserv.sys
    HKLM\system\CurrentControlSet\Services\gxvxcserv.sys
    HKLM\SOFTWARE\gxvxc
    HKLM\system\controlset001\services\aru6fne5
    Tick "Automatically disable any rootkits found" and click "execute".
    The PC should reboot; if it doesn't, reboot it yourself. Post the report saved at c:\avenger.txt

  8. #8
    Done:

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: could not open driver "C:\Windows\system32\drivers\gxvxccxjpqqctrtxysvfuxikvbdcpsxdhemkp.sys"
    Disablement of driver "C:\Windows\system32\drivers\gxvxccxjpqqctrtxysvfuxikvbdcpsxdhemkp.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    File "C:\Windows\system32\gxvxccounter" deleted successfully.
    Registry key "HKLM\system\controlset002\services\gxvxcserv.sys" deleted successfully.

    Error: registry key "HKLM\SYSTEM\ControlSet001\enum\legacy_gxvxcserv.sys" not found!
    Deletion of registry key "HKLM\SYSTEM\ControlSet001\enum\legacy_gxvxcserv.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Error: registry key "HKLM\SYSTEM\controlset003\enum\legacy_gxvxcserv.sys" not found!
    Deletion of registry key "HKLM\SYSTEM\controlset003\enum\legacy_gxvxcserv.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Registry key "HKLM\system\CurrentControlSet\Services\gxvxcserv.sys" deleted successfully.

    Error: registry key "HKLM\system\controlset001\services\aru6fne5" not found!
    Deletion of registry key "HKLM\system\controlset001\services\aru6fne5" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    Registry key "HKLM\SOFTWARE\gxvxc" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

  9. #9
    Again with Avenger:
    Files to delete:
    C:\Windows\system32\drivers\gxvxccxjpqqctrtxysvfuxikvbdcpsxdhemkp.sys
    Tick "Automatically disable any rootkits found" and click "execute".
    The PC should reboot; if it doesn't, reboot it yourself. Post the report saved at c:\avenger.txt

  10. #10
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File "C:\Windows\system32\drivers\gxvxccxjpqqctrtxysvfuxikvbdcpsxdhemkp.sys" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
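The Avenger reports in this thread are read by hand to decide what still needs another pass (posts #7 and #9 re-issue the items that survived). Here is an added example, not part of the original thread, that does that reading programmatically: it parses an Avenger report into per-item results and separates failures with STATUS_OBJECT_NAME_NOT_FOUND (the object was already gone, or the path in the script was mistyped) from failures with any other status, which mean the object resisted removal. The sample input is an excerpt of the report in post #8.

```python
import re

# Excerpt of the Avenger report posted in this thread (post #8), used as sample input.
SAMPLE_REPORT = r"""
Rootkit scan active.
No rootkits found!

Error: could not open driver "C:\Windows\system32\drivers\gxvxccxjpqqctrtxysvfuxikvbdcpsxdhemkp.sys"
Disablement of driver "C:\Windows\system32\drivers\gxvxccxjpqqctrtxysvfuxikvbdcpsxdhemkp.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\system32\gxvxccounter" deleted successfully.
Registry key "HKLM\system\controlset002\services\gxvxcserv.sys" deleted successfully.

Error: registry key "HKLM\system\controlset001\services\aru6fne5" not found!
Deletion of registry key "HKLM\system\controlset001\services\aru6fne5" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SOFTWARE\gxvxc" deleted successfully.
"""

# Line shapes as they appear in the reports above.
OK_RE = re.compile(r'^(File|Folder|Registry key) "(.+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^(?:Deletion|Disablement) of (file|folder|registry key|driver) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]+) \(([A-Z_]+)\)$')

def parse_avenger_report(text):
    """Return one dict per script item: kind, target, ok, and (for failures) the NT status name."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if m := OK_RE.match(line):
            items.append({"kind": m.group(1).lower(), "target": m.group(2), "ok": True, "status": None})
        elif m := FAIL_RE.match(line):
            items.append({"kind": m.group(1), "target": m.group(2), "ok": False, "status": None})
        elif (m := STATUS_RE.match(line)) and items and not items[-1]["ok"]:
            items[-1]["status"] = m.group(2)   # the Status: line always follows its failure
    return items

def still_present(items):
    """Targets that failed for a reason other than NOT_FOUND: those are still on
    disk or in the registry and need another pass (or a different tool)."""
    return [i["target"] for i in items
            if not i["ok"] and i["status"] != "STATUS_OBJECT_NAME_NOT_FOUND"]

if __name__ == "__main__":
    results = parse_avenger_report(SAMPLE_REPORT)
    for item in results:
        print("OK  " if item["ok"] else "FAIL", item["kind"], item["target"], item["status"] or "")
    print("still present:", still_present(results))
```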
