Olimpo Informatico

[Azali]

Non ho messo il firewall e infatti ho ribeccato schifezze

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22.41.17, on 20/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Trust\450LR Mouse Wireless Optical\Amoumain.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\Microsoft IntelliPoint\ipoint.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
D:\eMule\eMule.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {651718EB-C627-415D-9C5F-A389953654B9} - C:\WINDOWS\system32\activedsw.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [Versato] C:\Programmi\MediaKey\MagicRun.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [3COM] C:\Programmi\3COM Technology Corporation\3COM Wireless USB Utility\Wlan.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92DF6BBA-7DE5-47B4-9C0D-8CACFBBC62E5}: NameServer = 192.168.1.1
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

--
End of file - 5178 bytes

da VirIt:
[SCANSIONE DEL REGISTRO]
OK

[A:]
BOOT SECTOR: OK


[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\WINDOWS\system32\AppCert\wnl32.dll Infetto da Trojan.Win32.Agent.BHY

[D:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK


[E:]


Chiavi Registro infette: 0.
Files Infetti: 1.
Files Sospetti: 0.
Files Analizzati: 112632.
Files Totali: 112632.

Aiuto!

[Azali]

aggiungo kaspersky

Sunday, January 20, 2008 7:51:27 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/01/2008
Kaspersky Anti-Virus database records: 524076


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases false

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 112807
Number of viruses found 3
Number of infected objects 18
Number of suspicious objects 0
Duration of the scan process 01:02:51

Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Valentina\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Cronologia\History.IE5\MSHist012008011920080120\index.dat Object is locked skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\F2KVJ9CL\48160921[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\ILCFA925\72190140[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\O18T2Z05\56170656[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\UY7NLSJJ\12918406[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\UY7NLSJJ\12924093[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\UY7NLSJJ\16923890[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\UY7NLSJJ\16929421[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\UY7NLSJJ\20929531[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\UY7NLSJJ\20934859[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\UY7NLSJJ\24966140[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\UY7NLSJJ\24974421[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\UY7NLSJJ\831687[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\UY7NLSJJ\840312[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\Impostazioni locali\Temporary Internet Files\Content.IE5\UY7NLSJJ\8913468[1].txt Infected: Trojan.Win32.Dialer.tl skipped

C:\Documents and Settings\Valentina\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Valentina\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Valentina\UserData\index.dat Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\VEXPLITE\reg_ecc.dat Object is locked skipped

C:\VEXPLITE\Valentina\reg.dat Object is locked skipped

C:\VEXPLITE\VIRITMON.LOG Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\AppCert\wsil32.dll Infected: Trojan-Downloader.Win32.Agent.hkb skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\zeus prog\avenger\backup.zip/avenger/igfxsvc.exe Infected: Trojan-Downloader.Win32.Nurech.bd skipped

C:\zeus prog\avenger\backup.zip/avenger/spoolw.exe Infected: Trojan-Downloader.Win32.Nurech.bd skipped

C:\zeus prog\avenger\backup.zip ZIP: infected - 2 skipped

D:\System Volume Information\MountPointManagerRemoteDatabase

[bdoriano]

Ciao Azali,

Segui le istruzioni di questo topic per postare il log di combofix.

Fai queste Scansioni con GMER e posta i logs su FreeFileHosting come indicato qui.

PS: se vuoi, puoi presentarti qui

[Azali]

CIAO!
Ecco i log di gmer
http://www.freefilehosting.net/download/3ak2l
http://www.freefilehosting.net/download/3ak30

combofix non mi funziona

[bdoriano]

[Azali]

nel primo link non scarica niente e nel secondo non trova la pagina internet

[Azali]

Serve per forza combofix per sapere come toglierlo?
Ogni tanto mi si aprono delle pagine internet e la richiesta di un downloader non richiesti, altri problemi non ne riscontro per adesso.

[bdoriano]

Diciamo che combofix facilita il lavoro, puoi riprovare a utilizzarlo?
io, intanto, mi guardo i logs di gmer.

[bdoriano]

Riecchime... manca il log rootkit di gmer.

[Azali]

Sono riuscita a scaricare combofix
ecco il log:
ComboFix 08-01-23.1 - Valentina 2008-01-22 21.51.30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.616 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Valentina\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\drivers\CNO57.sys
C:\WINDOWS\system32\drivers\symavc32.sys

----- BITS: Possible infected sites -----

hxxp://crunet.info
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CNO57


((((((((((((((((((((((((( Files Creati Da 2007-12-23 al 2008-01-23 )))))))))))))))))))))))))))))))))))
.

2008-01-22 21:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-19 21:52 . 19,584 C:\WINDOWS\system32\drivers\pwspmpvj.dat
2008-01-19 21:51 . 2008-01-22 12:38 <DIR> d-------- C:\WINDOWS\system32\AppCert
2008-01-19 21:51 . 2008-01-19 21:51 29 --a------ C:\WINDOWS\system32\eydyohuh.tmp
2008-01-19 21:50 . 2004-08-19 13:00 83,968 --a------ C:\WINDOWS\system32\activedsw.dll
2007-12-30 22:05 . 2007-12-30 22:05 <DIR> d-------- C:\Programmi\File comuni\Thraex Software
2007-12-30 22:05 . 2007-12-30 22:05 153,003 --a------ C:\WINDOWS\Photo Pos Pro Uninstaller.exe
2007-12-30 21:01 . 2001-08-30 23:07 86,528 --a------ C:\WINDOWS\system32\dllcache\dc240usd.dll
2007-12-30 21:01 . 2001-08-30 23:07 86,528 --a------ C:\WINDOWS\system32\dc240usd.dll
2007-12-30 21:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-30 21:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-25 21:24 . 2007-12-25 21:25 <DIR> d-------- C:\Programmi\Microsoft IntelliPoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 20:45 36,096 ----a-w C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2007-12-27 20:30 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-12-13 12:34 210,416 ----a-w C:\zaSetup_it.exe
2007-12-12 21:21 134 ----a-w C:\fix.reg
2007-12-12 12:02 2,216,448 ----a-w C:\vnlt6241.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{651718EB-C627-415D-9C5F-A389953654B9}]
2004-08-19 13:00 83968 --a------ C:\WINDOWS\system32\activedsw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Versato"="C:\Programmi\MediaKey\MagicRun.exe" [ ]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:00 15360]
"3COM"="C:\Programmi\3COM Technology Corporation\3COM Wireless USB Utility\Wlan.exe" [ ]
"updateMgr"="C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WheelMouse"="Amoumain.exe" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-03-02 13:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-02 13:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-02 13:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 13:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 13:00 455168]
"VIRIT LITE MONITOR"="C:\VEXPLITE\MONLITE.EXE" [2008-01-18 21:39 245760]
"IntelliPoint"="C:\Programmi\Microsoft IntelliPoint\ipoint.exe" [2007-05-19 00:47 849288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Reader.lnk
backup=C:\WINDOWS\pss\Avvio veloce di Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
--a------ 2002-11-02 07:33 45056 C:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2002-12-02 15:17 73728 C:\Programmi\Elaborate Bytes\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-09 14:29 7561216 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-03-09 14:29 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-03-09 14:29 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Timer]
C:\WINDOWS\msncomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolControl]
C:\WINDOWS\volumec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\sessionmanager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys [2002-11-28 11:43]
R0 pvjahvfb;pvjahvfb;C:\WINDOWS\system32\drivers\pwspmpvj.dat []
R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2008-01-15 21:45]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2001-11-21 18:29]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2008-01-18 21:39]
S3 Amps2prt;Trust Ami PS/2 Port Mouse Driver (11);C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2003-01-07 18:16]
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-19 13:00]
S3 ZD1211U(3COM Corporation);3COM OfficeConnect Wireless 11g Compact USB Adapter(3COM Corporation);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2004-10-06 17:49]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 21:57:40
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\AppCert\hb13a.dll
.
Ora fine scansione: 2008-01-23 21:59:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-23 20:59:01

oddio la scritta rossa che vuol dire????

[Azali]

il rootkit di gmer
http://www.freefilehosting.net/download/3am39

[bdoriano]

Ehm... il link che hai postato riguarda ancora combofix..

Comunque, crea un file di testo con le seguenti istruzioni:

[Azali]

scusa devo aver fatto confusione nel caricare i file su freefilehosting

ora ho fatto il passaggio che mi hai detto ecco il log :

ComboFix 08-01-23.1 - Valentina 2008-01-24 11.36.06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.684 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Valentina\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Valentina\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\msncomm.exe
C:\WINDOWS\system32\AppCert\hb13a.dll
C:\WINDOWS\system32\AppCert\wsil32.dll
C:\WINDOWS\system32\drivers\pwspmpvj.dat
C:\WINDOWS\system32\eydyohuh.tmp
C:\WINDOWS\volumec.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\AppCert\hb13a.dll
C:\WINDOWS\system32\AppCert\wsil32.dll
C:\WINDOWS\system32\drivers\pwspmpvj.dat
C:\WINDOWS\system32\eydyohuh.tmp

.
((((((((((((((((((((((((( Files Creati Da 2007-12-24 al 2008-01-24 )))))))))))))))))))))))))))))))))))
.

2008-01-22 21:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-19 21:51 . 2008-01-24 11:37 <DIR> d-------- C:\WINDOWS\system32\AppCert
2008-01-19 21:50 . 2004-08-19 13:00 83,968 --a------ C:\WINDOWS\system32\activedsw.dll
2007-12-30 22:05 . 2007-12-30 22:05 <DIR> d-------- C:\Programmi\File comuni\Thraex Software
2007-12-30 22:05 . 2007-12-30 22:05 153,003 --a------ C:\WINDOWS\Photo Pos Pro Uninstaller.exe
2007-12-30 21:01 . 2001-08-30 23:07 86,528 --a------ C:\WINDOWS\system32\dllcache\dc240usd.dll
2007-12-30 21:01 . 2001-08-30 23:07 86,528 --a------ C:\WINDOWS\system32\dc240usd.dll
2007-12-30 21:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-12-30 21:01 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2007-12-25 21:24 . 2007-12-25 21:25 <DIR> d-------- C:\Programmi\Microsoft IntelliPoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 20:39 36,480 ----a-w C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2007-12-27 20:30 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-12-13 12:34 210,416 ----a-w C:\zaSetup_it.exe
2007-12-12 21:21 134 ----a-w C:\fix.reg
2007-12-12 12:02 2,216,448 ----a-w C:\vnlt6241.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-23_21.58.44.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-22 20:51:14 540,672 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 10:35:52 540,672 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-22 20:51:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 10:35:52 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-22 20:51:14 540,672 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 10:35:53 540,672 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-22 20:51:14 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 10:35:53 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-22 20:51:14 4,304,896 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-24 10:35:53 4,304,896 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-22 20:51:14 16,384 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 10:35:53 16,384 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{651718EB-C627-415D-9C5F-A389953654B9}]
2004-08-19 13:00 83968 --a------ C:\WINDOWS\system32\activedsw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Versato"="C:\Programmi\MediaKey\MagicRun.exe" [ ]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:00 15360]
"3COM"="C:\Programmi\3COM Technology Corporation\3COM Wireless USB Utility\Wlan.exe" [ ]
"updateMgr"="C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WheelMouse"="Amoumain.exe" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-03-02 13:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-02 13:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-02 13:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 13:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-02 13:00 455168]
"VIRIT LITE MONITOR"="C:\VEXPLITE\MONLITE.EXE" [2008-01-23 22:27 245760]
"IntelliPoint"="C:\Programmi\Microsoft IntelliPoint\ipoint.exe" [2007-05-19 00:47 849288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Reader.lnk
backup=C:\WINDOWS\pss\Avvio veloce di Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
--a------ 2002-11-02 07:33 45056 C:\Programmi\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2002-12-02 15:17 73728 C:\Programmi\Elaborate Bytes\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-03-09 14:29 7561216 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-03-09 14:29 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-03-09 14:29 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Timer]
C:\WINDOWS\msncomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolControl]
C:\WINDOWS\volumec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\sessionmanager\appcertdlls]
appsecdll REG_EXPAND_SZ C:\WINDOWS\system32\AppCert\wsil32.dll

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys [2002-11-28 11:43]
R0 VIRAGTLT;VIRAGTLT;C:\WINDOWS\system32\drivers\VIRAGTLT.SYS [2008-01-18 21:39]
R1 kbfilter;Keyboard Filter Driver;C:\WINDOWS\system32\drivers\kbfilter.sys [2001-11-21 18:29]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2008-01-23 22:27]
S0 pvjahvfb;pvjahvfb;C:\WINDOWS\system32\drivers\pwspmpvj.dat []
S3 Amps2prt;Trust Ami PS/2 Port Mouse Driver (11);C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2003-01-07 18:16]
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-19 13:00]
S3 ZD1211U(3COM Corporation);3COM OfficeConnect Wireless 11g Compact USB Adapter(3COM Corporation);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2004-10-06 17:49]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 11:38:51
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-01-24 11:40:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-24 10:40:05
ComboFix2.txt 2008-01-23 20:59:05

[bdoriano]

Non li ha eliminati tutti... proviamo un'altra strada:

Scarica avenger e scompattalo in una sua cartella non temporanea e non sul desktop

Avvia AVENGER
Clicca su input script manually
Clicca sulla lente d'ingrandimento
Inserisci queste righe:

[Azali]

Ecco Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pbxnixol

*******************

Script file located at: \??\C:\WINDOWS\system32\aaqvgrbd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\msncomm.exe not found!
Deletion of file C:\WINDOWS\msncomm.exe failed!

Could not process line:
C:\WINDOWS\msncomm.exe
Status: 0xc0000034



File C:\WINDOWS\volumec.exe not found!
Deletion of file C:\WINDOWS\volumec.exe failed!

Could not process line:
C:\WINDOWS\volumec.exe
Status: 0xc0000034



File C:\WINDOWS\system32\AppCert\hb13a.dll not found!
Deletion of file C:\WINDOWS\system32\AppCert\hb13a.dll failed!

Could not process line:
C:\WINDOWS\system32\AppCert\hb13a.dll
Status: 0xc0000034



File C:\WINDOWS\system32\AppCert\wsil32.dll not found!
Deletion of file C:\WINDOWS\system32\AppCert\wsil32.dll failed!

Could not process line:
C:\WINDOWS\system32\AppCert\wsil32.dll
Status: 0xc0000034



Could not open file C:\WINDOWS\system32\drivers\pwspmpvj.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\pwspmpvj.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\pwspmpvj.dat
Status: 0xc0000022



File C:\WINDOWS\system32\eydyohuh.tmp not found!
Deletion of file C:\WINDOWS\system32\eydyohuh.tmp failed!

Could not process line:
C:\WINDOWS\system32\eydyohuh.tmp
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

e HJT
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20.58.59, on 24/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Trust\450LR Mouse Wireless Optical\Amoumain.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\Microsoft IntelliPoint\ipoint.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Hijackthis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5BDABA7E-2450-4593-B970-EC9F158E73B0} - C:\WINDOWS\system32\activedsw.dll
O2 - BHO: (no name) - {651718EB-C627-415D-9C5F-A389953654B9} - C:\WINDOWS\system32\activedsw.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.5000.1021\it\msntb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmi\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [Versato] C:\Programmi\MediaKey\MagicRun.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [3COM] C:\Programmi\3COM Technology Corporation\3COM Wireless USB Utility\Wlan.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92DF6BBA-7DE5-47B4-9C0D-8CACFBBC62E5}: NameServer = 192.168.1.1
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

[Azali]

questo e' il primo passaggio di gmer
http://www.freefilehosting.net/download/3b077

strano non riesco a salvare il log dello scan rootkit di gmer. clicco su scan e parte (per circa 15 minuti), quindi faccio copy ma non copia.
mi sento un po' imbranata sbaglio qualcosa?

[Sante62]

Prova a tenere disattivato l'antivirus mentre fai la scansione; se non va, collegati a Panda Active Scan e procedi con la scansione online del PC.

[Azali]

Ciao Sante

Ho fatto la scansione con Panda. Ecco il risultato:


Incidente Stato Percorso

Virus:Bck/Dumador.GM Disinfettato Sistema Operativo
Spyware:Cookie/YieldManager Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@adrevolver[1].txt
Spyware:Cookie/Adrevolver Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@adrevolver[3].txt
Spyware:Cookie/Serving-sys Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@burstnet[2].txt
Spyware:Cookie/Cgi-bin Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@cgi-bin[7].txt
Spyware:Cookie/Enhance Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@enhance[1].txt
Spyware:Cookie/GoClick Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@goclick[1].txt
Spyware:Cookie/Serving-sys Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@serving-sys[2].txt
Spyware:Cookie/Statcounter Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@statcounter[2].txt
Spyware:Cookie/Tradedoubler Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@tradedoubler[2].txt
Spyware:Cookie/Tribalfusion Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@tribalfusion[2].txt
Spyware:Cookie/Xiti Non Disinfettato C:\Documents and Settings\Valentina\Cookies\valentina@xiti[1].txt
Strumenti indesiderati:Application/NirCmd.A Non Disinfettato C:\Documents and Settings\Valentina\Desktop\ComboFix.exe[nircmd.com]
Strumenti indesiderati:Application/NirCmd.A Non Disinfettato C:\Documents and Settings\Valentina\Desktop\ComboFix.exe[nircmd.cfexe]
Strumenti indesiderati:Application/NirCmd.A Non Disinfettato C:\WINDOWS\Nircmd.exe
Virus:Bck/Dumador.GM Disinfettato C:\WINDOWS\system32\activedsw.dll
Virus:Trj/Downloader.RDL Disinfettato C:\WINDOWS\system32\AppCert\wnl32.dll
Virus:Bck/Rshot.E Disinfettato C:\zeus prog\avenger\backup-12.12.2007-22.30.13,15.zip[avenger/4935265.exe]
Virus:Bck/Rshot.E Disinfettato C:\zeus prog\avenger\backup-12.12.2007-22.30.13,15.zip[avenger/844750.exe]
Virus:Bck/Rshot.E Disinfettato C:\zeus prog\avenger\backup-12.12.2007-22.30.13,15.zip[avenger/846875.exe]
Virus:Bck/Rshot.E Disinfettato C:\zeus prog\avenger\backup-12.12.2007-22.30.13,15.zip[avenger/859359.exe]
Virus:Bck/Rshot.E Disinfettato C:\zeus prog\avenger\backup-12.12.2007-22.30.13,15.zip[avenger/870843.exe]
Virus:Bck/Rshot.E Disinfettato C:\zeus prog\avenger\backup-12.12.2007-22.30.13,15.zip[avenger/877031.exe]
Virus:Bck/Rshot.E Disinfettato C:\zeus prog\avenger\backup-12.12.2007-22.30.13,15.zip[avenger/889062.exe]
Virus:Bck/Rshot.E Disinfettato C:\zeus prog\avenger\backup-12.12.2007-22.30.13,15.zip[avenger/MSATL32.exe]
Adware:Adware/XmlLib Non Disinfettato C:\zeus prog\avenger\backup.zip[avenger/igfxsvc.exe]
Adware:Adware/XmlLib Non Disinfettato C:\zeus prog\avenger\backup.zip[avenger/spoolw.exe]

[bdoriano]

Collegati a Kaspersky on-line scanner e fai la scansione estesa, come indicato qui.
Salva il risultato della scansione in un file (in formato HTML), carica il file su Freefilehosting e posta qui il link che ti viene assegnato.

[Azali]

Qui c'e' Kaspersky

http://www.freefilehosting.net/download/3b23i