3iolo Adept Mortal

Joined: 09/01/07 18:06 Posts: 39
Posted: 04 Jul 2007 09:16 Subject: WinFixer virus?

When I browse in IE, small pop-up windows appear even though I have the blocker on... While browsing I found out that it is a virus and that it comes from the site: rond.starsdoor.com... I'm posting the HijackThis log for you...
Can anyone help me... Thanks in advance
3iolo
Logfile of HijackThis v1.99.1
Scan saved at 9.14.32, on 04/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\File comuni\System\msdeva.exe
C:\WINDOWS\system32\dllcache\ivchost.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\drivers\spoolsv32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\WinPop\winpop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Programmi\eMule\emule.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Administrator\Desktop\is1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {226453A1-0578-4788-A2B0-420346FD3221} - C:\WINDOWS\system32\nnnom.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8D7E4555-1237-4DEA-BF40-1977FCA588E1} - C:\WINDOWS\system32\yayvstt.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu420.exe 61A847B5BBF72816309B284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinPop] C:\Programmi\WinPop\winpop.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - http://elearning5.unibg.it/qp2.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://innoallavita.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153733870215
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O17 - HKLM\Software\..\Telephony: DomainName = samedeutz-fahr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC6FFF59-915C-4254-8089-F514BF8925E7}: NameServer = 85.37.17.40 85.38.28.85
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: nnnom - C:\WINDOWS\system32\nnnom.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yayvstt - C:\WINDOWS\SYSTEM32\yayvstt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Applicazione di sistema COM+ (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
O23 - Service: Windows Time Service (CSRRS) - Unknown owner - C:\WINDOWS\system\csrrs.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: msdeva (msdev) - Unknown owner - C:\Programmi\File comuni\System\msdeva.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe
O23 - Service: Print Scheduler (prtsch) - Unknown owner - C:\WINDOWS\system\usnsvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Spooler SubSystem App (SPOOLSV32) - Unknown owner - C:\WINDOWS\system32\drivers\spoolsv32.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows System Service (SYSTEMSVC) - Unknown owner - C:\WINDOWS\system\system.exe (file missing)
O23 - Service: Windows NT Logon Application (WINLOGON32) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)

bdoriano Administrator

Joined: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 04 Jul 2007 09:35 Subject:

Hi 3iolo,
You have more than one unwanted guest.
Start by downloading and running this.
- Click Scan for Vundo.
- when the scan finishes, click Remove Vundo.
- it asks whether you want to delete the infected files, click YES
- your screen will go black while Vundo is being removed.
- at the end it will ask you to restart the PC, click OK.
To be safe, also do a pass with this
Once you're done with the first two, use this other one
When finished, redo the HijackThis log and post it here together with the VundoFix log (which you'll find in C:\vundofix.txt).
PS: if you like, you can introduce yourself here
Edit: forgot a step... old age is creeping up...

3iolo Adept Mortal

Joined: 09/01/07 18:06 Posts: 39
Posted: 17 Jul 2007 10:53 Subject: Log

Hi, sorry for the delay but I had exams...
Here are the 2 logs!
I don't know why, but a "Windows Installer" window opens every time I use the right mouse button, telling me to install "Symantec Antivirus", and it says the file is located in Z:\, which doesn't exist, so it's surely a virus and I don't know how to remove it...
Thanks a lot for the help!!!!!!!!!!!!!!!!!!!
VundoFix V6.5.4
Checking Java version...
Sun Java not detected
Scan started at 14.44.59 04/07/2007
Listing files found while scanning....
C:\windows\system32\eineifxq.dll
C:\windows\system32\gciermll.dll
C:\windows\system32\iifddcc.dll
C:\windows\system32\llmreicg.ini
C:\WINDOWS\system32\monnn.ini
C:\WINDOWS\system32\nnnom.dll
C:\windows\system32\qxfienie.ini
C:\windows\system32\urkplaea.exe
C:\WINDOWS\system32\yayvstt.dll
Beginning removal...
Attempting to delete C:\windows\system32\eineifxq.dll
C:\windows\system32\eineifxq.dll Has been deleted!
Attempting to delete C:\windows\system32\gciermll.dll
C:\windows\system32\gciermll.dll Has been deleted!
Attempting to delete C:\windows\system32\iifddcc.dll
C:\windows\system32\iifddcc.dll Has been deleted!
Attempting to delete C:\windows\system32\llmreicg.ini
C:\windows\system32\llmreicg.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\monnn.ini
C:\WINDOWS\system32\monnn.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnom.dll
C:\WINDOWS\system32\nnnom.dll Has been deleted!
Attempting to delete C:\windows\system32\qxfienie.ini
C:\windows\system32\qxfienie.ini Has been deleted!
Attempting to delete C:\windows\system32\urkplaea.exe
C:\windows\system32\urkplaea.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\yayvstt.dll
C:\WINDOWS\system32\yayvstt.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.4
Checking Java version...
Sun Java not detected
Scan started at 12.31.20 08/07/2007
Listing files found while scanning....
No infected files were found.
-------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 18.19.16, on 16/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\File comuni\System\msdeva.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programmi\eMule\emule.exe
C:\Documents and Settings\Administrator\Desktop\is1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - http://elearning5.unibg.it/qp2.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://innoallavita.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153733870215
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O17 - HKLM\Software\..\Telephony: DomainName = samedeutz-fahr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC6FFF59-915C-4254-8089-F514BF8925E7}: NameServer = 85.37.17.40 85.38.28.85
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Applicazione di sistema COM+ (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
O23 - Service: Windows Time Service (CSRRS) - Unknown owner - C:\WINDOWS\system\csrrs.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: msdeva (msdev) - Unknown owner - C:\Programmi\File comuni\System\msdeva.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)
O23 - Service: Print Scheduler (prtsch) - Unknown owner - C:\WINDOWS\system\usnsvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Spooler SubSystem App (SPOOLSV32) - Unknown owner - C:\WINDOWS\system32\drivers\spoolsv32.exe (file missing)
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows System Service (SYSTEMSVC) - Unknown owner - C:\WINDOWS\system\system.exe (file missing)
O23 - Service: Windows NT Logon Application (WINLOGON32) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)
-----------------------------3iolo------------------------------------------

Orange Mature God

Joined: 18/02/07 13:20 Posts: 2224 Location: Rome
Posted: 17 Jul 2007 13:57 Subject:

Did the exams go well?
Download Avenger and unzip it to the desktop
Run it, select "Input Script Manually" and click the magnifying glass
In the "View/edit script" window that opens, copy/paste the following:
Quote:
Files to delete:
C:\WINDOWS\system\csrrs.exe
C:\WINDOWS\system32\dllcache\ivchost.exe
C:\WINDOWS\system32\drivers\spoolsv32.exe
C:\WINDOWS\system\system.exe
C:\WINDOWS\system\winlogon.exe
Click the Done button
Then the traffic-light icon
Answer Yes
The PC should restart (otherwise restart it yourself)
To be safe, also download VirIt, update it and run a full scan
Post here the log from C:/Avenger, the VirIt log and an updated HijackThis one

AlfredoBenni Pious Mortal

Joined: 14/07/07 13:08 Posts: 15 Location: VENETO
Posted: 17 Jul 2007 16:20 Subject: What is SysProtect for?

Excuse me bdoriano, what is SysProtect Remover for?
I have both Kaspersky and Nod32. Can it interfere?
Another thing... can the anti-Vundo tools also be used on 2003 Server?
Thanks
Bye
Alfredo

bdoriano Administrator

Joined: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 18 Jul 2007 17:26 Subject:

Here you'll find information about SysProtect Remover. It's just another way of approaching the infection.
Usually, it's better to temporarily disable antivirus programs during cleanup operations.
Honestly, I don't know whether you can use them on the Server versions of Windows too.
You could first make a full backup of the server and then give it a try... although I'm not counting on it. The architectures are different from the Workstation versions of Windows.

3iolo Adept Mortal

Joined: 09/01/07 18:06 Posts: 39
Posted: 22 Jul 2007 20:57 Subject: The problem persists

The exams went well, thanks!!!!!!!!!!!
The problem persists: every time I use the right mouse button I get the usual Windows Installer message, which is absurdly annoying!!!!
I'm posting the 2 logs:
Logfile of HijackThis v1.99.1
Scan saved at 20.53.08, on 22/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\File comuni\System\msdeva.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\cmd.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\is1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - http://elearning5.unibg.it/qp2.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://innoallavita.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153733870215
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O17 - HKLM\Software\..\Telephony: DomainName = samedeutz-fahr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC6FFF59-915C-4254-8089-F514BF8925E7}: NameServer = 85.37.17.40 85.38.28.85
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Applicazione di sistema COM+ (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
O23 - Service: Windows Time Service (CSRRS) - Unknown owner - C:\WINDOWS\system\csrrs.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: msdeva (msdev) - Unknown owner - C:\Programmi\File comuni\System\msdeva.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)
O23 - Service: Print Scheduler (prtsch) - Unknown owner - C:\WINDOWS\system\usnsvc.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Spooler SubSystem App (SPOOLSV32) - Unknown owner - C:\WINDOWS\system32\drivers\spoolsv32.exe (file missing)
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows System Service (SYSTEMSVC) - Unknown owner - C:\WINDOWS\system\system.exe (file missing)
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: Windows NT Logon Application (WINLOGON32) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)
---------------------------------------------------------------------------------
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vquvdyxj
*******************
Script file located at: \??\C:\djrnibcb.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system\csrrs.exe not found!
Deletion of file C:\WINDOWS\system\csrrs.exe failed!
Could not process line:
C:\WINDOWS\system\csrrs.exe
Status: 0xc0000034
File C:\WINDOWS\system32\dllcache\ivchost.exe not found!
Deletion of file C:\WINDOWS\system32\dllcache\ivchost.exe failed!
Could not process line:
C:\WINDOWS\system32\dllcache\ivchost.exe
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\spoolsv32.exe not found!
Deletion of file C:\WINDOWS\system32\drivers\spoolsv32.exe failed!
Could not process line:
C:\WINDOWS\system32\drivers\spoolsv32.exe
Status: 0xc0000034
File C:\WINDOWS\system\system.exe not found!
Deletion of file C:\WINDOWS\system\system.exe failed!
Could not process line:
C:\WINDOWS\system\system.exe
Status: 0xc0000034
File C:\WINDOWS\system\winlogon.exe not found!
Deletion of file C:\WINDOWS\system\winlogon.exe failed!
Could not process line:
C:\WINDOWS\system\winlogon.exe
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
THANKS!!!!!

3iolo Adept Mortal

Joined: 09/01/07 18:06 Posts: 39
Posted: 25 Jul 2007 17:37 Subject: Problem with winfixer...

Can anyone help me? In the previous message I posted 2 logs, in case they are of interest...
Thanks

bdoriano Administrator

Joined: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 25 Jul 2007 21:46 Subject:

A period of overwork (or of holidays?)...
Start the PC in safe mode
run HijackThis
click do a system scan only
tick these entries:
(I have a doubt about the entries marked in red; if you need them, don't tick them)
Quote:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O17 - HKLM\Software\..\Telephony: DomainName = samedeutz-fahr.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = samedeutz-fahr.com
O23 - Service: Applicazione di sistema COM+ (COMSysApp) - Unknown owner - C:\WINDOWS\System32\dllhost.exe (file missing)
O23 - Service: Windows Time Service (CSRRS) - Unknown owner - C:\WINDOWS\system\csrrs.exe (file missing)
O23 - Service: msdeva (msdev) - Unknown owner - C:\Programmi\File comuni\System\msdeva.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)
O23 - Service: Print Scheduler (prtsch) - Unknown owner - C:\WINDOWS\system\usnsvc.exe (file missing)
O23 - Service: Spooler SubSystem App (SPOOLSV32) - Unknown owner - C:\WINDOWS\system32\drivers\spoolsv32.exe (file missing)
O23 - Service: Windows System Service (SYSTEMSVC) - Unknown owner - C:\WINDOWS\system\system.exe (file missing)
O23 - Service: Windows NT Logon Application (WINLOGON32) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)
click fix checked
Restart the PC in normal mode, redo the HijackThis log and post it
As for the problem with MSI Installer, you should indicate the name of the program that is trying to install itself.
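
Added example, not part of the original thread and not HijackThis or VundoFix code: a small Python triage run over log lines copied from this thread. The function names, reason labels and heuristics (an unnamed BHO, a DLL registered as both BHO and Winlogon Notify, a service with "Unknown owner") are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Lines copied from the first HijackThis log in this thread (04/07/2007).
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {226453A1-0578-4788-A2B0-420346FD3221} - C:\WINDOWS\system32\nnnom.dll
O2 - BHO: (no name) - {8D7E4555-1237-4DEA-BF40-1977FCA588E1} - C:\WINDOWS\system32\yayvstt.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: nnnom - C:\WINDOWS\system32\nnnom.dll
O20 - Winlogon Notify: yayvstt - C:\WINDOWS\SYSTEM32\yayvstt.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows Time Service (CSRRS) - Unknown owner - C:\WINDOWS\system\csrrs.exe (file missing)
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
""".strip().splitlines()

# Lines copied from the VundoFix log posted on 17 Jul 2007 (abridged).
VUNDOFIX_LOG = r"""
Listing files found while scanning....
C:\windows\system32\eineifxq.dll
C:\WINDOWS\system32\nnnom.dll
C:\WINDOWS\system32\yayvstt.dll
Beginning removal...
Attempting to delete C:\windows\system32\eineifxq.dll
""".strip().splitlines()

MISSING = "(file missing)"


def parse_entry(line):
    """Split one 'Oxx - a - b - path' line; return None for other lines."""
    m = re.match(r"^([A-Z]\d+) - (.+)$", line.strip())
    if not m:
        return None  # header or 'Running processes' line
    section, rest = m.groups()
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)].rstrip()
    fields = rest.split(" - ")
    # Windows paths are case-insensitive, so compare them lower-cased.
    path = fields[-1].strip('"').lower()
    return {"section": section, "fields": fields, "path": path, "missing": missing}


def triage(lines):
    """Return {path: [reasons]} for entries that deserve a manual look."""
    reasons = defaultdict(set)
    bho, notify = set(), set()
    for e in filter(None, map(parse_entry, lines)):
        if e["section"] == "O2":
            bho.add(e["path"])
            if e["fields"][0] == "BHO: (no name)":
                reasons[e["path"]].add("unnamed-bho")
        elif e["section"] == "O20":
            notify.add(e["path"])
        elif e["section"] == "O23" and len(e["fields"]) >= 3:
            if e["fields"][-2] == "Unknown owner":
                reasons[e["path"]].add("service-unknown-owner")
                if e["missing"]:
                    reasons[e["path"]].add("service-file-missing")
    # The same DLL loaded into the browser (O2) and into Winlogon (O20).
    for path in bho & notify:
        reasons[path].add("bho-and-winlogon-notify")
    return {p: sorted(r) for p, r in sorted(reasons.items())}


def vundofix_found(lines):
    """Paths between 'Listing files found' and 'Beginning removal'."""
    found, listing = set(), False
    for line in lines:
        line = line.strip()
        if line.startswith("Listing files found"):
            listing = True
        elif line.startswith("Beginning removal"):
            listing = False
        elif listing and re.match(r"^[A-Za-z]:\\", line):
            found.add(line.lower())
    return found


def corroborated(findings, vundofix_lines):
    """Flagged paths that the VundoFix scan also listed."""
    return sorted(set(findings) & vundofix_found(vundofix_lines))


if __name__ == "__main__":
    findings = triage(HJT_LOG)
    for path, why in findings.items():
        print(f"{path}: {', '.join(why)}")
    print("also listed by VundoFix:", corroborated(findings, VUNDOFIX_LOG))
```

The flags are review candidates, not verdicts: Ati2evxx.exe is flagged as an "Unknown owner" service although it is not in bdoriano's list above, while the two DLLs flagged in both O2 and O20 are among the files VundoFix listed and deleted.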

ste_95 Mature God

Joined: 03/08/07 14:41 Posts: 1920 Location: Italy
Posted: 03 Aug 2007 15:47 Subject:

I think that, since they are services that are already disabled and therefore no longer working, the related files no longer exist....