Eliminato Trojan,rimangono file sospetti

[markmoon]

Dopo aver visitato un sito ho preso un trojan,dopo averlo eliminato con Ad Aware ,ho controllato con Hijjackthis e risultano questi file sospetti:
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\qqszlmfrt.dll

Di fianco c'è questo consiglio:
Effettuate una scansione del disco fisso con Spybot S&D (Kolla.de) o con LSPFix (Cexx.org). Purtroppo quest'oggetto non può essere eliminato! Il modo migliore per risolvere il problema consiste nell'uso dell'utility LSPFix di Cexx.org.

purtroppo rimangono anche dopo la scnasione con Spybot,il pc si impalla a volte con la solita schermata blu!
Inoltre ho questo file in C: che mi preoccupa cp1041.nls
cosa mi consigliate?

[Luke57]

Ciao, scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
scompatta il file.zip
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla (ctrl+v) le scritte in neretto:


files to delete:
c:\windows\system32\qqszlmfrt.dll
C:\cp1041.nls



Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente

Posta il log di Avenger (C:/avenger.txt) con l´esito dello script più un log di hijackthis (scarica la versione della trendmicro)

[markmoon]

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\oekmlpan

*******************

Script file located at: \??\C:\WINDOWS\system32\yfjmkrqf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\windows\system32\qqszlmfrt.dll deleted successfully.
File C:\cp1041.nls deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




Logfile of HijackThis v1.99.1
Scan saved at 17.26.36, on 19/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programmi\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programmi\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Programmi\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\F-Secure\Common\FSMA32.EXE
C:\Programmi\F-Secure\Common\FSMB32.EXE
C:\Programmi\F-Secure\Common\FCH32.EXE
C:\Programmi\F-Secure\Common\FAMEH32.EXE
C:\Programmi\F-Secure\Common\FNRB32.EXE
C:\Programmi\F-Secure\Common\FIH32.EXE
C:\Programmi\F-Secure\Anti-Virus\fsav32.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\F-Secure\Common\FSM32.EXE
C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\hijackthis_199\HijackThis.exe
C:\WINDOWS\system32\netsh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Programmi\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programmi\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con Download &Express - D:\CD1\INTERNET\FTP\Download Express\Add_Url.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Programmi\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programmi\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programmi\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Programmi\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programmi\F-Secure\Common\FSMA32.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programmi\HPQ\SHARED\HPQWMI.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe




Sembra che abbia eliminato quello che doveva,il problema è che quando mi si è riavviato mi comparsa la solita maschera blu che dice:

'Si è verificato un problema e windows è stato arrestato per impedire danni al pc.
DRIVER_IRQL_NOT_LESS_OR_EQUAL
Se il problema persiste...etc...

info tecniche:
STOP: 0X000000D1(0XF7420070,0X00000008,0X00000000,0XF740DEC2)

NDIS.sys- Address F7420070 base at F73F5000,DateStamp 41107ec3
NDIS.sys- Address F740DEC2 base at F73F5000,DateStamp 41107ec3

Adesso provo a riavviare se lo fa ancora!

[markmoon]

fra parentesi è ricomparso il caz*utisssimo file cp1041.nls!

[markmoon]

La schermata blu da riavvio non compare più mentre il file è rimasto!altra soluzione?
eppure era un innoquo sito di copertine musicali...

[Luke57]

Ciao, hai anche questo file nel computer
c:\windows\SYSTEM32\TOTOUR.EXE?

[markmoon]

no ma prima dell'eliminazione con Adaware lo vedevo nel taskmanager!

[Luke57]

Ciao, prova a seguire queste indicazioni:
http://forum.assistenzafree.com/empty-t ... ml;msg7073

[markmoon]

Ho risolto,grazie cmq dell'aiuto!
Ho scansionato con Superantispyware ma non mi ha trovato niente,poi magicamente Combofix mi ha fatto un ripulisti dei file ndis.sys corrotti...
Spero sia da aiuto ad altri!