Condividi:        

help x trojan

Come rimuovere virus e spyware? Le carte di credito sono davvero sicure in rete? È possibile navigare anonimi? Con quali programmi tutelare la propria privacy? Come proteggere i file importanti? Se volete una risposta a queste e altre domande questo è il luogo giusto!

Moderatori: m.paolo, kadosh, Luke57

help x trojan

Postdi nero » 10/06/07 20:41

ragazzi vi posto il mio log....

Logfile of HijackThis v1.99.1
Scan saved at 21.39.14, on 10/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
C:\Programmi\Trust\Trust 235A USB ADSL MODEM\CnxDslTb.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\PopUp Killer\popupkiller.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Documents and Settings\admin\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {0309638F-93F8-44D3-84CF-240EB1AB7F1F} - C:\WINDOWS\system32\vtuvwuu.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16919E97-B5FD-478D-B28C-F5DF42CE8A67} - C:\WINDOWS\system32\jkklj.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\cmvlbbbb.dll (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Trust\Trust 235A USB ADSL MODEM\CnxDslTb.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Programmi\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\jgpsrgau.dll",realset
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{306E2894-4F1B-4489-B582-5BF1DCD86577}: NameServer = 193.70.152.15 193.70.152.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{306E2894-4F1B-4489-B582-5BF1DCD86577}: NameServer = 193.70.152.15 193.70.152.25
O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll
O20 - Winlogon Notify: vtuvwuu - C:\WINDOWS\SYSTEM32\vtuvwuu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe


mi dite se notate qualcosa di strano? si aprono conitnuamente pagine web su indirizzi più vari...come devo fare?

grazie
nero
Utente Junior
 
Post: 45
Iscritto il: 06/06/05 18:59

Sponsor
 

Postdi Luke57 » 10/06/07 21:04

Ciao, scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
scompatta il file.zip
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla (ctrl+V) le scritte in neretto:




registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0309638F-93F8-44D3-84CF-240EB1AB7F1F}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16919E97-B5FD-478D-B28C-F5DF42CE8A67}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CD3447D4-CA39-4377-8084-30E86331D74C}

registry values to delete:
HKLM\Software\Microsoft\Windows\Current\Run | Genuine


Files to delete:
C:\WINDOWS\system32\vtuvwuu.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\cmvlbbbb.dll
C:\WINDOWS\system32\jgpsrgau.dll



Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente


Il programma rilascia un log con le operazioni eseguite.

Posta il log di Avenger (C:/avenger.txt) con l´esito dello script.

Inoltre scarica anche vundofix da qui:
http://www.atribune.org/ccount/click.php?id=4
mettilo sul desktop
lancialo metti la spunta su "Run VundoFix as a task"
riceverai un messaggio che vundofix si chiuderà e riaprirà in un minuto o meno, quando il programma si riaprirà clicca OK
clicca su "Scan for Vundo" quando ha finito di fare la scansione clicca su "Remove vundo"
clicca YES alla domanda se vuoi rimuovere i files,quindi inizierà a rimuovere le dll del vundo ,quando ha finito ti dirà che dovrà spegnere il pc clicca OK.

Riaccendi il pc e allega il file C:\vundofix.txt in un post
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi nero » 10/06/07 21:33

luke ho seguito i tuoi consigli...

ecco il log di hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 22.32.41, on 10/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
C:\Programmi\Trust\Trust 235A USB ADSL MODEM\CnxDslTb.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\PopUp Killer\popupkiller.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\admin\Desktop\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Trust\Trust 235A USB ADSL MODEM\CnxDslTb.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Programmi\PopUp Killer\popupkiller.EXE
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{306E2894-4F1B-4489-B582-5BF1DCD86577}: NameServer = 193.70.152.15 193.70.152.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{306E2894-4F1B-4489-B582-5BF1DCD86577}: NameServer = 193.70.152.15 193.70.152.25
O17 - HKLM\System\CS2\Services\Tcpip\..\{306E2894-4F1B-4489-B582-5BF1DCD86577}: NameServer = 193.70.152.15 193.70.152.25
O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll (file missing)
O20 - Winlogon Notify: vtuvwuu - vtuvwuu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe

ecco il log di avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lkjmdxkg

*******************

Script file located at: \??\C:\vauvwdud.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\vtuvwuu.dll deleted successfully.
File C:\WINDOWS\system32\jkklj.dll deleted successfully.


File C:\WINDOWS\system32\cmvlbbbb.dll not found!
Deletion of file C:\WINDOWS\system32\cmvlbbbb.dll failed!

Could not process line:
C:\WINDOWS\system32\cmvlbbbb.dll
Status: 0xc0000034

File C:\WINDOWS\system32\jgpsrgau.dll deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0309638F-93F8-44D3-84CF-240EB1AB7F1F} deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16919E97-B5FD-478D-B28C-F5DF42CE8A67} deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CD3447D4-CA39-4377-8084-30E86331D74C} deleted successfully.


Could not delete registry value HKLM\Software\Microsoft\Windows\Current\Run|Genuine
Deletion of registry value HKLM\Software\Microsoft\Windows\Current\Run|Genuine failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

ecco il log di VundoFix


VundoFix V6.5.0

Checking Java version...

Sun Java not detected
Scan started at 22.24.57 10/06/2007

Listing files found while scanning....

C:\WINDOWS\system32\cmvlbbbb.dll
C:\WINDOWS\system32\dioayndu.dll
C:\WINDOWS\system32\edvmvngo.dll
C:\WINDOWS\system32\jgpsrgau.dll
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.bak2
C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\uagrspgj.ini
C:\WINDOWS\system32\vtuvwuu.dll
C:\WINDOWS\system32\xfsuusgj.dll
C:\WINDOWS\system32\xmljtsrd.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlkkj.bak2
C:\WINDOWS\system32\jlkkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\uagrspgj.ini
C:\WINDOWS\system32\uagrspgj.ini Has been deleted!

Performing Repairs to the registry.
Done!


è tutto ok? che dici? grazie
nero
Utente Junior
 
Post: 45
Iscritto il: 06/06/05 18:59

Postdi Luke57 » 10/06/07 21:38

Ciao, pare di sì, apri hijackthis, premi " do a system scan only", cerchi e spunti le voci seguenti:
O20 - Winlogon Notify: jkklj - C:\WINDOWS\system32\jkklj.dll (file missing)
O20 - Winlogon Notify: vtuvwuu - vtuvwuu.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

premi fix checked.
Luke57
Moderatore
 
Post: 6415
Iscritto il: 11/08/05 19:10

Postdi nero » 10/06/07 21:47

fatto...speriamo bene :lol:
nero
Utente Junior
 
Post: 45
Iscritto il: 06/06/05 18:59


Torna a Sicurezza e Privacy


Topic correlati a "help x trojan":

trojan win32/sirefef
Autore: marzianu
Forum: Sicurezza e Privacy
Risposte: 27

Chi c’è in linea

Visitano il forum: Nessuno e 68 ospiti