Olimpo Informatico

[armail]

ciao, vedo dai messaggi che non sono il primo a beccarsi questo virus. Disinstallando la toolbar di google ora funziona tutto normalmente, senza rallentamenti. Nonostante il Ccleaner vedo però regolarmente nella cronologia i soliti siti doginhispen e skitodayplease. C'è qualcuno che ha tempo ed è in grado di dirmi come risolvere il problema senza formattare tutto?
Grazie in anticipo!

Vi allego i log di hijackthis e awf:

HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.46.04, on 29/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programmi\File comuni\Virtual Token\vtserver.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\Programmi\Spyware Doctor\svcntaux.exe
C:\Programmi\Spyware Doctor\swdsvc.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
c:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Hijackthis\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet.prenatal.it;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Programmi\Web Accelerator\components\NOWImaging.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmi\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Programmi\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Programmi\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ACTray] C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Programmi\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [GLF1C8.tmp] cmd /c "rmdir /s /q "C:\Programmi\GLF1C8.tmp""
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-21-1421910565-2639506791-935660225-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Programmi\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Programmi\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmi\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Symantec AntiVirus.lnk = C:\Programmi\Symantec AntiVirus\VPC32.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Aggiornamento del software del ThinkPad - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programmi\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = grandate.artsana.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = grandate.artsana.it
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = grandate.artsana.it
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Programmi\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmi\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Programmi\File comuni\Virtual Token\vtserver.exe

--
End of file - 12203 bytes



AWF


Find AWF report by noahdfear ©2006
Version 1.40



bak folders found
~~~~~~~~~~~

Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\QUICKT~1\BAK

19/10/2007 20.16 286.720 qttask.exe
1 File 286.720 byte
2 Directory 8.059.854.848 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\SPYWAR~1\BAK

02/10/2007 15.27 1.065.288 SDTrayApp.exe
1 File 1.065.288 byte
2 Directory 8.059.854.848 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\SYMANT~1\BAK

15/09/2004 16.27 124.136 VPTray.exe
1 File 124.136 byte
2 Directory 8.059.850.752 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\WINDOWS\SYSTEM32\BAK

19/08/2004 23.39 15.360 ctfmon.exe
1 File 15.360 byte
2 Directory 8.059.850.752 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

23/09/2004 11.41 860.160 Smax4.exe
14/10/2004 08.11 1.388.544 SMax4PNP.exe
2 File 2.248.704 byte
2 Directory 8.059.867.136 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

25/08/2004 20.52 339.968 atiptaxx.exe
1 File 339.968 byte
2 Directory 8.059.850.752 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\FILECO~1\SYMANT~1\BAK

15/09/2004 16.30 66.680 ccApp.exe
1 File 66.680 byte
2 Directory 8.059.850.752 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

17/10/2007 14.15 68.856 GoogleToolbarNotifier.exe
1 File 68.856 byte
2 Directory 8.059.850.752 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\IBM\UPDATER\BAK

15/07/2004 00.34 36.864 ucstartup.exe
1 File 36.864 byte
2 Directory 8.059.850.752 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

14/02/2006 13.16 512.000 SynTPEnh.exe
14/02/2006 13.17 110.592 SynTPLpr.exe
2 File 622.592 byte
2 Directory 8.059.850.752 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\THINKPAD\CONNEC~1\BAK

17/05/2007 10.46 413.696 ACTray.exe
17/05/2007 10.41 126.976 ACWLIcon.exe
2 File 540.672 byte
2 Directory 8.059.850.752 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\THINKPAD\UTILIT~1\BAK

29/07/2004 09.37 20.480 BMMLREF.EXE
29/11/2006 01.30 243.248 EzEjMnAp.Exe
02/06/2006 21.00 856.064 TpKmapAp.exe
3 File 1.119.792 byte
2 Directory 8.059.846.656 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\WINDOWS\SYSTEM32\DLA\BAK

06/10/2005 04.20 122.940 DLACTRLW.EXE
1 File 122.940 byte
2 Directory 8.059.846.656 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\BAK

27/07/2004 15.50 81.920 issch.exe
27/07/2004 15.50 221.184 ISUSPM.exe
2 File 303.104 byte
2 Directory 8.059.846.656 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\FILECO~1\PCSUITE\DATALA~1\BAK

31/03/2005 08.30 1.106.944 DataLayer.exe
1 File 1.106.944 byte
2 Directory 8.059.846.656 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\FILECO~1\REAL\UPDATE~1\BAK

15/11/2007 10.57 185.632 realsched.exe
1 File 185.632 byte
2 Directory 8.059.846.656 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\FILECO~1\SYMANT~1\SECURI~1\BAK

18/08/2004 22.46 218.240 UsrPrmpt.exe
1 File 218.240 byte
2 Directory 8.059.846.656 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\THINKPAD\PKGMGR\HOTKEY\BAK

02/10/2006 09.19 94.208 TPHKMGR.exe
1 File 94.208 byte
2 Directory 8.059.846.656 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\INTEL\PROSET~1\NCS\PROSET\BAK

06/08/2003 15.08 86.016 PRONoMgr.exe
1 File 86.016 byte
2 Directory 8.059.846.656 byte disponibili


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 21 Jan 2008 "C:\Programmi\QuickTime\qttask.exe"
286720 19 Oct 2007 "C:\Programmi\QuickTime\bak\qttask.exe"
14348 21 Jan 2008 "C:\Programmi\Spyware Doctor\SDTrayApp.exe"
1065288 2 Oct 2007 "C:\Programmi\Spyware Doctor\bak\SDTrayApp.exe"
14348 21 Jan 2008 "C:\Programmi\Symantec AntiVirus\VPTray.exe"
124136 15 Sep 2004 "C:\Programmi\Symantec AntiVirus\bak\VPTray.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14348 21 Jan 2008 "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe"
860160 23 Sep 2004 "C:\Programmi\Analog Devices\SoundMAX\bak\Smax4.exe"
794624 26 Mar 2004 "C:\IBMTOOLS\drivers\AUDIO\SM_PANEL\SYS\SMAX4.EXE"
14348 21 Jan 2008 "C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe"
1388544 14 Oct 2004 "C:\Programmi\Analog Devices\SoundMAX\bak\SMax4PNP.exe"
1368064 1 Apr 2004 "C:\IBMTOOLS\drivers\AUDIO\SM_PNP\SYS\SMAX4PNP.EXE"
14348 21 Jan 2008 "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 25 Aug 2004 "C:\Programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
14348 21 Jan 2008 "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
66680 15 Sep 2004 "C:\Programmi\File comuni\Symantec Shared\bak\ccApp.exe"
70760 10 Dec 2003 "C:\IBMTOOLS\APPS\NORTONAV\Support\ccCommon\ccCommon\ccApp.exe"
14348 21 Jan 2008 "C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
126136 17 Oct 2007 "C:\Programmi\Google\Google Updater\GoogleUpdater.exe"
619536 15 Nov 2007 "C:\Programmi\File comuni\Real\GToolbar\googletoolbarinstaller.exe"
138680 17 Oct 2007 "C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 17 Oct 2007 "C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
126136 17 Oct 2007 "C:\Programmi\Google\Google Updater\2.2.969.23408\GoogleUpdaterRestartManager.exe"
14348 21 Jan 2008 "C:\Programmi\IBM\Updater\ucstartup.exe"
36864 15 Jul 2004 "C:\Programmi\IBM\Updater\bak\ucstartup.exe"
512000 16 Jun 2004 "C:\IBMTOOLS\drivers\UNAV\SYNTPENH.EXE"
14348 21 Jan 2008 "C:\Programmi\Synaptics\SynTP\SynTPEnh.exe"
512000 14 Feb 2006 "C:\Programmi\Synaptics\SynTP\bak\SynTPEnh.exe"
512000 14 Feb 2006 "C:\Programmi\Synaptics\SynTP\Media\SYNTPENH.EXE"
110592 16 Jun 2004 "C:\IBMTOOLS\drivers\UNAV\SYNTPLPR.EXE"
14348 21 Jan 2008 "C:\Programmi\Synaptics\SynTP\SynTPLpr.exe"
110592 14 Feb 2006 "C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe"
110592 14 Feb 2006 "C:\Programmi\Synaptics\SynTP\Media\SYNTPLPR.EXE"
14348 21 Jan 2008 "C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe"
413696 17 May 2007 "C:\Programmi\ThinkPad\ConnectUtilities\bak\ACTray.exe"
14348 21 Jan 2008 "C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe"
126976 17 May 2007 "C:\Programmi\ThinkPad\ConnectUtilities\bak\ACWLIcon.exe"
20480 29 Jul 2004 "C:\IBMTOOLS\drivers\BMMPM\BMMLREF.EXE"
14348 21 Jan 2008 "C:\Programmi\ThinkPad\Utilities\BMMLREF.EXE"
20480 29 Jul 2004 "C:\Programmi\ThinkPad\Utilities\bak\BMMLREF.EXE"
208896 25 Dec 2003 "C:\IBMTOOLS\drivers\EZEJECT\EZEJMNAP.EXE"
14348 21 Jan 2008 "C:\Programmi\ThinkPad\Utilities\EzEjMnAp.Exe"
243248 29 Nov 2006 "C:\Programmi\ThinkPad\Utilities\bak\EzEjMnAp.Exe"
14348 21 Jan 2008 "C:\Programmi\ThinkPad\Utilities\TpKmapAp.exe"
856064 2 Jun 2006 "C:\Programmi\ThinkPad\Utilities\bak\TpKmapAp.exe"
14348 21 Jan 2008 "C:\WINDOWS\system32\dla\DLACTRLW.EXE"
122940 6 Oct 2005 "C:\Programmi\Sonic\DLA\install\dlactrlw.exe"
122940 6 Oct 2005 "C:\WINDOWS\system32\dla\bak\DLACTRLW.EXE"
14348 21 Jan 2008 "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe"
81920 27 Jul 2004 "C:\Programmi\File comuni\InstallShield\UpdateService\bak\issch.exe"
14348 21 Jan 2008 "C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe"
221184 27 Jul 2004 "C:\Programmi\File comuni\InstallShield\UpdateService\bak\ISUSPM.exe"
14348 21 Jan 2008 "C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe"
1106944 31 Mar 2005 "C:\Programmi\File comuni\PCSuite\DataLayer\bak\DataLayer.exe"
14348 21 Jan 2008 "C:\Programmi\File comuni\Real\Update_OB\realsched.exe"
185632 15 Nov 2007 "C:\Programmi\File comuni\Real\Update_OB\bak\realsched.exe"
14348 21 Jan 2008 "C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 18 Aug 2004 "C:\Programmi\File comuni\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
14348 21 Jan 2008 "C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe"
94208 4 Mar 2005 "C:\IBMTOOLS\drivers\HOTKEY\OSD\COMMON\TPHKMGR.EXE"
94208 2 Oct 2006 "C:\Programmi\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe"
14348 21 Jan 2008 "C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe"
86016 6 Aug 2003 "C:\Programmi\Intel\PROSetWired\NCS\PROSet\bak\PRONoMgr.exe"


end of report

[Sante62]

Ciao armail e benvenuto...
Scarica The Avenger
Scompattalo in una sua cartella in c:\
Avvialo
Clicca su input script manually
Clicca sulla lente d'ingrandimento
Inserisci queste righe:

[armail]

Ciao Sante, provvedo subito!

[armail]

Allora:
1) Log di Avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rbmyfjue

*******************

Script file located at: \??\C:\WINDOWS\system32\tgualkgl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Programmi\QuickTime\qttask.exe deleted successfully.
File C:\Programmi\Spyware Doctor\SDTrayApp.exe deleted successfully.
File C:\Programmi\Symantec AntiVirus\VPTray.exe deleted successfully.
File C:\Programmi\Analog Devices\SoundMAX\Smax4.exe deleted successfully.
File C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe deleted successfully.
File C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe deleted successfully.
File C:\Programmi\File comuni\Symantec Shared\ccApp.exe deleted successfully.
File C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe deleted successfully.
File C:\Programmi\IBM\Updater\ucstartup.exe deleted successfully.
File C:\Programmi\Synaptics\SynTP\SynTPEnh.exe deleted successfully.
File C:\Programmi\Synaptics\SynTP\SynTPLpr.exe deleted successfully.
File C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe deleted successfully.
File C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe deleted successfully.
File C:\Programmi\ThinkPad\Utilities\BMMLREF.EXE deleted successfully.
File C:\Programmi\ThinkPad\Utilities\EzEjMnAp.Exe deleted successfully.
File C:\Programmi\ThinkPad\Utilities\TpKmapAp.exe deleted successfully.
File C:\WINDOWS\system32\dla\DLACTRLW.EXE deleted successfully.
File C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe deleted successfully.
File C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe deleted successfully.
File C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe deleted successfully.
File C:\Programmi\File comuni\Real\Update_OB\realsched.exe deleted successfully.
File C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe deleted successfully.
File C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe deleted successfully.
File C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe deleted successfully.
File move operation C:\Programmi\QuickTime\bak\qttask.exe|C:\Programmi\QuickTime\qttask.exe completed successfully.
File move operation C:\Programmi\Spyware Doctor\bak\SDTrayApp.exe|C:\Programmi\Symantec AntiVirus\VPTray.exe completed successfully.
File move operation C:\Programmi\Symantec AntiVirus\bak\VPTray.exe|C:\Programmi\Symantec AntiVirus\VPTray.exe completed successfully.
File move operation C:\Programmi\Analog Devices\SoundMAX\bak\Smax4.exe|C:\Programmi\Analog Devices\SoundMAX\Smax4.exe completed successfully.
File move operation C:\Programmi\Analog Devices\SoundMAX\bak\SMax4PNP.exe|C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe completed successfully.
File move operation C:\Programmi\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe|C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe completed successfully.
File move operation C:\Programmi\File comuni\Symantec Shared\bak\ccApp.exe|C:\Programmi\File comuni\Symantec Shared\ccApp.exe completed successfully.
File move operation C:\Programmi\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe|C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe completed successfully.
File move operation C:\Programmi\IBM\Updater\bak\ucstartup.exe|C:\Programmi\IBM\Updater\ucstartup.exe completed successfully.
File move operation C:\Programmi\Synaptics\SynTP\bak\SynTPEnh.exe|C:\Programmi\Synaptics\SynTP\SynTPEnh.exe completed successfully.
File move operation C:\Programmi\Synaptics\SynTP\bak\SynTPLpr.exe|C:\Programmi\Synaptics\SynTP\SynTPLpr.exe completed successfully.
File move operation C:\Programmi\ThinkPad\ConnectUtilities\bak\ACTray.exe|C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe completed successfully.
File move operation C:\Programmi\ThinkPad\ConnectUtilities\bak\ACWLIcon.exe|C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe completed successfully.
File move operation C:\Programmi\ThinkPad\Utilities\bak\BMMLREF.EXE|C:\Programmi\ThinkPad\Utilities\BMMLREF.EXE completed successfully.
File move operation C:\Programmi\ThinkPad\Utilities\bak\EzEjMnAp.Exe|C:\Programmi\ThinkPad\Utilities\EzEjMnAp.Exe completed successfully.
File move operation C:\Programmi\ThinkPad\Utilities\bak\TpKmapAp.exe|C:\Programmi\ThinkPad\Utilities\TpKmapAp.exe completed successfully.
File move operation C:\WINDOWS\system32\dla\bak\DLACTRLW.EXE|C:\WINDOWS\system32\dla\DLACTRLW.EXE completed successfully.
File move operation C:\Programmi\File comuni\InstallShield\UpdateService\bak\issch.exe|C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe completed successfully.
File move operation C:\Programmi\File comuni\InstallShield\UpdateService\bak\ISUSPM.exe|C:\Programmi\File comuni\InstallShield\UpdateService\ISUSPM.exe completed successfully.
File move operation C:\Programmi\File comuni\PCSuite\DataLayer\bak\DataLayer.exe|C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe completed successfully.
File move operation C:\Programmi\File comuni\Real\Update_OB\bak\realsched.exe|C:\Programmi\File comuni\Real\Update_OB\realsched.exe completed successfully.
File move operation C:\Programmi\File comuni\Symantec Shared\Security Center\bak\UsrPrmpt.exe|C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe completed successfully.
File move operation C:\Programmi\ThinkPad\PkgMgr\HOTKEY\bak\TPHKMGR.exe|C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe completed successfully.
File move operation C:\Programmi\Intel\PROSetWired\NCS\PROSet\bak\PRONoMgr.exe|C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe completed successfully.

Completed script processing.

*******************

Finished! Terminate.




2) Log di hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.10.05, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programmi\File comuni\Virtual Token\vtserver.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\Programmi\Spyware Doctor\svcntaux.exe
C:\Programmi\Spyware Doctor\swdsvc.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
c:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\Real\RealPlayer\RealPlay.exe
C:\Programmi\Real\RealPlayer\RealPlay.exe
C:\Programmi\Messenger\msmsgs.exe
C:\PROGRA~1\FILECO~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
c:\progra~1\fileco~1\instal~1\update~1\isuspm.exe
C:\Programmi\File comuni\InstallShield\UpdateService\agent.exe
C:\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy/accelerated_pac_base.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet.prenatal.it;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Programmi\Web Accelerator\components\NOWImaging.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmi\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Programmi\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Programmi\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ACTray] C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Programmi\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Programmi\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Programmi\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmi\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Symantec AntiVirus.lnk = C:\Programmi\Symantec AntiVirus\VPC32.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Aggiornamento del software del ThinkPad - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programmi\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = grandate.artsana.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = grandate.artsana.it
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = grandate.artsana.it
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Programmi\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmi\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Programmi\File comuni\Virtual Token\vtserver.exe

--
End of file - 13216 bytes


Ora procedo con GMER e FindAWF...

[armail]

ecco i due gmer:

[URL="http://www.freefilehosting.net/files/3b7fg"]gmer autostart5.txt[/URL]

[URL="http://www.freefilehosting.net/files/3b7fj"]gmer rootkit6.txt[/URL]

e questo è il nuovo log di AWF:


Find AWF report by noahdfear ©2006
Version 1.40



bak folders found
~~~~~~~~~~~

Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\QUICKT~1\BAK

0 File 0 byte
2 Directory 8.038.473.728 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\SPYWAR~1\BAK

0 File 0 byte
2 Directory 8.038.473.728 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\SYMANT~1\BAK

0 File 0 byte
2 Directory 8.038.469.632 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\WINDOWS\SYSTEM32\BAK

19/08/2004 23.39 15.360 ctfmon.exe
1 File 15.360 byte
2 Directory 8.038.469.632 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

0 File 0 byte
2 Directory 8.038.469.632 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

0 File 0 byte
2 Directory 8.038.469.632 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\FILECO~1\SYMANT~1\BAK

0 File 0 byte
2 Directory 8.038.469.632 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

0 File 0 byte
2 Directory 8.038.469.632 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\IBM\UPDATER\BAK

0 File 0 byte
2 Directory 8.038.469.632 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

0 File 0 byte
2 Directory 8.038.469.632 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\THINKPAD\CONNEC~1\BAK

0 File 0 byte
2 Directory 8.038.469.632 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\THINKPAD\UTILIT~1\BAK

0 File 0 byte
2 Directory 8.038.469.632 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\WINDOWS\SYSTEM32\DLA\BAK

0 File 0 byte
2 Directory 8.038.469.632 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\BAK

0 File 0 byte
2 Directory 8.038.465.536 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\FILECO~1\PCSUITE\DATALA~1\BAK

0 File 0 byte
2 Directory 8.038.465.536 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\FILECO~1\REAL\UPDATE~1\BAK

0 File 0 byte
2 Directory 8.038.465.536 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\FILECO~1\SYMANT~1\SECURI~1\BAK

0 File 0 byte
2 Directory 8.038.465.536 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\THINKPAD\PKGMGR\HOTKEY\BAK

0 File 0 byte
2 Directory 8.038.465.536 byte disponibili
Il volume nell'unit? C ? IBM_PRELOAD
Numero di serie del volume: D43D-0957

Directory di C:\PROGRA~1\INTEL\PROSET~1\NCS\PROSET\BAK

0 File 0 byte
2 Directory 8.038.465.536 byte disponibili


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"


end of report



Ammiro la pazienza e l'abilità di capirci qualcosa qui dentro...

[Sante62]

Bene, Avenger ha fatto il lavoro, mentre nel log Rootkit di GMER vedo qualcosa. Nel frattempo fai queste operazioni:
Nel log di HJt compaiono queste righe, sicuramente le conosci, altrimenti selezionale a sinistra e poi clicca su fix Checked rispondendo si;

[armail]

ciao Sante,

nell'ordine:

- le tre righe che mi dicevi le conosco, quindi, come mi hai detto, non ho fatto nulla.

- ho installato DelDomains.inf e riavviato il pc

- il Symantec Antivirus non è disattivabile (la versione che mi hanno messo, malgrado abbia il profilo di administrator del mio pc, non mi permette di spuntare 'l'attiva autoprotect". Ho provato due volte a eseguire il combofix, scaricato prima da un link e poi dall'altro, ma nessuno dei due funziona e mi dà questi messaggi:

32788R2FWJFW\nircmd.com non è un'applicazionedi Win32 valida

e

Impossibile trovare il filekmd.exe


Non so se dipendano dall'antivirus.

che faccio?

[Sante62]

L'antivirus lo segnala come indesiderato per caso? Dai messaggi d'errore non sembra sia l'antivirus. Il messaggio d'errore "32788R2FWJFW\nircmd.com non è un'applicazionedi Win32 valida" potrebbe essere che non lo hai scaricato completo. Continua a provare perchè con me funziona...

[armail]

ciao Sante,

non c'è verso, ho provato a scaricarlo anche da altri pc, ma mi dà sempre gli stessi messaggi quando cerco di eseguirlo sul mio pc. Comunque da dopo che ho eseguito le attività che mi avevi indicato non ho ancora visto nella cronologia i tre siti maledetti.
Dici che può bastare così? Ti allego comunque un nuovo hijackthis:

[armail]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9.54.05, on 31/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programmi\File comuni\Virtual Token\vtserver.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\Programmi\Spyware Doctor\svcntaux.exe
C:\Programmi\Spyware Doctor\swdsvc.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
c:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\Messenger\msmsgs.exe
C:\PROGRA~1\FILECO~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Programmi\FreePOPs\freepopsd.exe
C:\Hijackthis\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet.prenatal.it;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Programmi\Web Accelerator\components\NOWImaging.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmi\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Programmi\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Programmi\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ACTray] C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Programmi\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Programmi\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Programmi\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmi\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Symantec AntiVirus.lnk = C:\Programmi\Symantec AntiVirus\VPC32.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Aggiornamento del software del ThinkPad - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programmi\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = grandate.artsana.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = grandate.artsana.it
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = grandate.artsana.it
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Programmi\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmi\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Programmi\File comuni\Virtual Token\vtserver.exe

--
End of file - 12836 bytes

[Sante62]

E' strano che non giri Combofix...
Intanto avvia HJT e seleziona a sinistra queste righe che sono superflue, e clicca poi su fix Checked rispondendo si: (quella in rosso anche se la conosci, ti consiglio di selezionarla)

[armail]

ciao Sante,

ti allego il log di Hijackthis. Intanto mando avanti la scansione di Systemscan: sembra impiegarci parecchio


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.05.59, on 31/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Programmi\File comuni\Virtual Token\vtserver.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Programmi\File comuni\LightScribe\LSSrvc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\Programmi\Spyware Doctor\svcntaux.exe
C:\Programmi\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\Explorer.EXE
c:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Programmi\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programmi\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\Messenger\msmsgs.exe
C:\PROGRA~1\FILECO~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Programmi\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Hijackthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet.prenatal.it;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Programmi\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UC_Start] C:\Programmi\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Programmi\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Programmi\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ACTray] C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Programmi\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Programmi\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Symantec AntiVirus.lnk = C:\Programmi\Symantec AntiVirus\VPC32.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Aggiornamento del software del ThinkPad - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Programmi\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = grandate.artsana.it
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = grandate.artsana.it
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = grandate.artsana.it
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Programmi\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programmi\File comuni\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmi\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Programmi\File comuni\Virtual Token\vtserver.exe

--
End of file - 12329 bytes

[armail]

ciao, sono finalmente riuscito (dopo 3 tentativi lunghissimi in cui si è impallato il pc) a far terminare lo scan: si inchiodava sempre alla fase 9 di 18. Col task manager ho buttato giù l'antivirus (che come ti dicevo non posso disattivare) e ha terminato.
Ti allego qui il log:
[URL="http://www.freefilehosting.net/files/3ba3j"]report39.txt[/URL]

Tieni presente che, come ti dicevo, da 3 gg (dopo il tuo aiuto) non ho più rallentamenti (avevo disabilitato la toolbar di google) nè si è più collegato ai tre siti maledetti. Dici che è risolto o è troppo presto per essere ottimisti? 8)

[Sante62]

Utilizza Avenger con questo script:

[armail]

ok, ho fatto avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qoxmrlcy

*******************

Script file located at: \??\C:\WINDOWS\qeqbuqaq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\abc123.pid not found!
Deletion of file C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\abc123.pid failed!

Could not process line:
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\abc123.pid
Status: 0xc0000034



File C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\11A7340.dmp not found!
Deletion of file C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\11A7340.dmp failed!

Could not process line:
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\11A7340.dmp
Status: 0xc0000034



File C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\1464950577.exe not found!
Deletion of file C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\1464950577.exe failed!

Could not process line:
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\1464950577.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


Ora riprovo combofix, anche se, come ti dicevo, non riesco a disattivare il symantec se non col task manager.

Tra l'altro prima che tu mi rispondessi l'antivirus mi ha messo in quarantena un trojan:

runme.exe che si trovava in c:\Document and Settings\Administrator\Impostazioni locali\Temp\nsq15.tmp.

In attesa di istruzioni l'ho lasciato in quarantena.

Appena termino il tutto ti faccio sapere.

Grazie ancora!

[Sante62]

Avenger non ha cancellato i file...
runme.exe appartiene a Systemscan quindi puoi stare tranquillo...

[armail]

non so se è perchè ho martellato un po' in task manager ma stavolta sono riuscito a far funzionare combofix:

combofix log.txt

ora procedo con l'ultimo step che mi hai detto prima

[armail]

niente, il kaspersky non parte perchè non riesco a martellare l'antivirus...

[armail]

dici che possiamo dar per conclusa la rimozione del virus o no? A me non è più ricomparso nessuno degli indirizzi sospetti nella cronologia e internet funziona normalmente.
Comunque mi rimetto ovviamente alla tua esperienza!

[Sante62]

Purtroppo non conosco bene Symantec antivirus, e quindi non so darti indicazioni in merito. Ma dall'icona vicino all'orologio, non si disattiva? Se no prova da task manager. Sarebbe opportuno farla la scansione online per essere più tranquilli....