void (Mortale pio)
Registered: 20/05/07 21:56 Posts: 19
Posted: 20 May 2007 22:07 Subject: Scan to check
Guys, where should I ask for help? I think I'm infected. I ran a scan with HijackThis and a ton of stuff came out.. could you take a look at it please..
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19.14.20, on 20/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\Programmi\Spyware Doctor\svcntaux.exe
C:\Programmi\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\sistray.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\bacio\Desktop\HiJackThis_v2\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O2 - BHO: (no name) - {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} - c:\windows\system32\ggdaggd.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SDTray] C:\Programmi\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [7H28X9M91L] C:\WINDOWS\winlogon32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmi\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\programmi\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\programmi\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\programmi\spyware doctor\filterlsp.dll
O15 - Trusted Zone: *.rossoalice.it
O15 - Trusted Zone: *.rossoalice.virgilio.it
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177097832890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177267763562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F1752FE9-FF70-46BB-9A94-7C61FAB9FD81} - http://sxuqxwxuaa4.com/db07cdffa36931b3f280/baiej/TrueVideos.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rkyvcdpi - C:\WINDOWS\SYSTEM32\ggdaggd.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Convalida password di Symantec IS (ISPwdSvc) - Unknown owner - C:\Programmi\Norton AntiVirus\isPwdSvc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
--
End of file - 7132 bytes
solaria (Supervisor, Discussioni a tema section)
Registered: 17/06/05 11:52 Posts: 4851
Posted: 20 May 2007 22:32
Quote: "Guys, where should I ask for help? I think I'm infected. I ran a scan with HijackThis and a ton of stuff came out.. could you take a look at it please.."
Sorry, we mods are all honorary members of the Club
Orange (Dio maturo)
Registered: 18/02/07 13:20 Posts: 2224 Location: Rome
Posted: 21 May 2007 14:20
Hi, welcome!
Download these tools: VundoFix and FxVmonde
Run them one at a time, select scan for vundo
When the scan has finished, click on remove vundo
Post the generated logs here
For the HJT log:
Open the registry (Start/Run, type regedit/OK)
Check whether the following keys are present:
HKEY_LOCAL_MACHINE\SOFTWARE\7H28X9M91L
HKEY_CLASSES_ROOT\CLSID\{14D1A72D-8705-11D8-B120-0040F46CB696}
HKEY_CURRENT_USER\Software\fid
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\policies\Explorer "7H28X9M91L = C:\WINDOWS\winlogon32.exe"
If they are there: right-click and choose Delete
Disable System Restore
Boot into Safe Mode
Start HijackThis, select "Do a system scan only", tick these entries and press "Fix checked":
O2 - BHO: (no name) - {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} - c:\windows\system32\ggdaggd.dll
O4 - HKLM\..\Policies\Explorer\Run: [7H28X9M91L] C:\WINDOWS\winlogon32.exe
O16 - DPF: {F1752FE9-FF70-46BB-9A94-7C61FAB9FD81} - http://sxuqxwxuaa4.com/db07cdffa36931b3f280/baiej/TrueVideos.cab
O20 - Winlogon Notify: rkyvcdpi - C:\WINDOWS\SYSTEM32\ggdaggd.dll
Post the logs of the tools and an updated HJT log
void (Mortale pio)
Registered: 20/05/07 21:56 Posts: 19
Posted: 25 May 2007 17:05 Subject: Report
Orange, thanks for the help.. but I don't know whether it worked. This is my report....
VundoFix scan... done, and the file that comes up... is this: C:\WINDOWS\SYSTEM32\ggdaggd.dll
When the scan finished I did as suggested.. I click on remove Vundo and a window appears saying: are you sure you want to remove these files?.... I click OK and a new window comes up ....
C:\WINDOWS\SYSTEM32\ggdaggd.dll could not be deleted, VudoFix will load rebot to attempt removal. plese click remove Vudo one Your machine has reboted.
I click OK again..
The PC reboots, VundoFix starts again and, redoing the scan, the same file always comes up.. C:\WINDOWS\SYSTEM32\ggdaggd.dll
WHAT DO I DO???
Then...
FxVmonde.... Scan done.... results....: none.
I deleted all the keys listed..
Whereas with:
HijackThis in Safe Mode: I ran the scan, selected the files listed so as to fix them.. .. and I click on Fix Checked and a message appears:....
( Hijackithis about to remove a BHO and the corresponding file from your system. close all internet expolere before continuing for the best change of success.
I clicked OK.. but nothing seems to have happened .. I'm posting the updated HijackThis log.. hoping someone can help me..
AAAAA.. I also noticed that I can't change the desktop wallpaper anymore .. basically.. it doesn't change..
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16.45.19, on 25/05/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\bacio\Desktop\HiJackThis_v2\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prevx.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.prevx.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} - c:\windows\system32\ggdaggd.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [italy] C:\WINDOWS\smernic.exe --start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177097832890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177267763562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rkyvcdpi - C:\WINDOWS\SYSTEM32\ggdaggd.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Convalida password di Symantec IS (ISPwdSvc) - Unknown owner - C:\Programmi\Norton AntiVirus\isPwdSvc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 4916 bytes
Thanks guys....
Orange (Dio maturo)
Registered: 18/02/07 13:20 Posts: 2224 Location: Rome
Posted: 25 May 2007 19:03
What do you mean nothing happened? For one thing, winlogon32.exe is no longer there...
But I see something else has popped up...
A newer version of VundoFix has come out (thanks Bdoriano!.. )
Run the scan and post the generated log.
With HijackThis fix this entry:
O4 - HKLM\..\Run: [italy] C:\WINDOWS\smernic.exe --start
Post the updated HJT log again
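The comparison Orange makes in the post above (one entry gone, another one popped up) is exactly what a scripted diff of two HijackThis logs gives you. The following Python script is an added example, not code from the thread or from HijackThis itself: it parses the result lines of two logs, lists the entries that appeared or vanished between scans, and flags the loader patterns this infection used (a nameless BHO, an autorun under Policies\Explorer\Run, an executable named after a core Windows binary, an O16 ActiveX download without a control name, and a Winlogon Notify DLL that is also registered as a BHO). The heuristic rules and the reason labels are the example's own assumptions; the two embedded logs are abbreviated excerpts of the 20/05 and 25/05 16.45 (Safe Mode) logs posted in the thread.

```python
"""Parse HijackThis logs, diff two scans and flag Vundo-style loader entries.
Added example, not code from the thread or from HijackThis; the rules below
are this example's own assumptions, not HijackThis's verdicts."""
from __future__ import annotations
import re
from dataclasses import dataclass

# A result line: section code ("R0", "O4", "O20"), " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# Core Windows binaries whose names malware likes to imitate (winlogon32.exe).
CORE_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "smss.exe", "services.exe", "spoolsv.exe", "explorer.exe"}
# Reason labels returned by triage() (assumed names, not HijackThis output).
R_NONAME_BHO = "BHO with no name"
R_POLICY_RUN = "autorun registered under Policies\\Explorer\\Run"
R_LOOKALIKE = "executable name mimics a core Windows binary"
R_DPF_UNNAMED = "ActiveX download (O16) with no control name"
R_NOTIFY_BHO = "Winlogon Notify DLL also registered as a BHO"

@dataclass(frozen=True)
class Entry:
    code: str  # section code, e.g. "O20"
    body: str  # everything after "O20 - "

def parse_hjt(text: str) -> list[Entry]:
    """Result entries of one log; the header and process list are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [Entry(m.group("code"), m.group("body")) for m in matches if m]

def diff_logs(old: str, new: str) -> tuple[list[Entry], list[Entry]]:
    """Entries that appeared since the old scan, and entries that disappeared."""
    old_entries, new_entries = parse_hjt(old), parse_hjt(new)
    old_set, new_set = set(old_entries), set(new_entries)
    return ([e for e in new_entries if e not in old_set],
            [e for e in old_entries if e not in new_set])

def _dll_paths(body: str) -> set[str]:
    """Lower-cased DLL paths in an entry (O2 and O20 differ only in case)."""
    return {p.lower() for p in re.findall(r"[a-z]:\\.+?\.dll", body, flags=re.I)}

def _exe_name(body: str) -> str | None:
    """Lower-cased file name of the program in an O4 "[name] path" entry."""
    m = re.search(r"\]\s*(.+?\.exe)", body, flags=re.I)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else None

def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Map reason label -> entries; these are review candidates, not verdicts."""
    findings: dict[str, list[str]] = {}

    def flag(reason: str, e: Entry) -> None:
        findings.setdefault(reason, []).append(f"{e.code} - {e.body}")

    # DLLs loaded as Browser Helper Objects. Vundo registered the same DLL as a
    # Winlogon Notify package, so it is loaded into winlogon.exe as well.
    bho_dlls = {p for e in entries if e.code == "O2" for p in _dll_paths(e.body)}
    for e in entries:
        if e.code == "O2" and "(no name)" in e.body:
            flag(R_NONAME_BHO, e)
        elif e.code == "O4":
            if "Policies\\Explorer\\Run" in e.body:
                flag(R_POLICY_RUN, e)
            exe = _exe_name(e.body)
            if exe and exe not in CORE_BINARIES and re.sub(r"\d", "", exe) in CORE_BINARIES:
                flag(R_LOOKALIKE, e)
        elif e.code == "O16" and "(" not in e.body:
            flag(R_DPF_UNNAMED, e)
        elif e.code == "O20" and _dll_paths(e.body) & bho_dlls:
            flag(R_NOTIFY_BHO, e)
    return findings

# Abbreviated excerpts of the 20/05 (Normal) and 25/05 16.45 (Safe Mode) logs
# posted in the thread; the process list and most benign entries are trimmed.
LOG_20MAY = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Boot mode: Normal
O2 - BHO: (no name) - {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} - c:\windows\system32\ggdaggd.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Policies\Explorer\Run: [7H28X9M91L] C:\WINDOWS\winlogon32.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177097832890
O16 - DPF: {F1752FE9-FF70-46BB-9A94-7C61FAB9FD81} - http://sxuqxwxuaa4.com/db07cdffa36931b3f280/baiej/TrueVideos.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rkyvcdpi - C:\WINDOWS\SYSTEM32\ggdaggd.dll
--
End of file - 7132 bytes
"""
LOG_25MAY = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Boot mode: Safe mode
O2 - BHO: (no name) - {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} - c:\windows\system32\ggdaggd.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [italy] C:\WINDOWS\smernic.exe --start
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177097832890
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rkyvcdpi - C:\WINDOWS\SYSTEM32\ggdaggd.dll
--
End of file - 4916 bytes
"""

if __name__ == "__main__":
    added, removed = diff_logs(LOG_20MAY, LOG_25MAY)
    print("new since the previous scan:", *(f"{e.code} - {e.body}" for e in added), sep="\n  ")
    print("gone since the previous scan:", *(f"{e.code} - {e.body}" for e in removed), sep="\n  ")
    for reason, lines in triage(parse_hjt(LOG_25MAY)).items():
        print(f"[{reason}]", *lines, sep="\n  ")
```

The flags are review candidates, not verdicts: the look-alike rule says nothing about whether a file is signed, and a diff only shows what changed between two points in time. The useful signal in this thread is the correlation rule: the same DLL is loaded both as a BHO and as a Winlogon Notify package, and a DLL loaded into winlogon.exe stays locked while Windows is running, which is consistent with the repeated "Could not be deleted" results in the VundoFix logs posted later.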
void (Mortale pio)
Registered: 20/05/07 21:56 Posts: 19
Posted: 25 May 2007 21:39
Well, Orange, first of all thanks for your help....
Here is the VundoFix log, which is always the same.. how annoying... it did the same thing again, always that damned ggdaggd.dll in system32...
But now, as I said before, I can't change the desktop wallpaper anymore.. so frustrating..... I can't change.. the desktop image...ufffff
And this is the new HijackThis log after fixing..
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21.33.12, on 25/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\sistray.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\bacio\Desktop\HiJackThis_v2\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O2 - BHO: (no name) - {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} - c:\windows\system32\ggdaggd.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: *.rossoalice.it
O15 - Trusted Zone: *.rossoalice.virgilio.it
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177097832890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177267763562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rkyvcdpi - C:\WINDOWS\SYSTEM32\ggdaggd.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Convalida password di Symantec IS (ISPwdSvc) - Unknown owner - C:\Programmi\Norton AntiVirus\isPwdSvc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 5764 bytes
void (Mortale pio)
Registered: 20/05/07 21:56 Posts: 19
Posted: 25 May 2007 22:05
Orange, I'm also posting the VundoFix log.. please try to do something, I beg you..
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 15.26.18 25/05/2007
Listing files found while scanning....
C:\WINDOWS\system32\ggdaggd.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ggdaggd.dll
C:\WINDOWS\system32\ggdaggd.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ggdaggd.dll
C:\WINDOWS\system32\ggdaggd.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 15.38.29 25/05/2007
Listing files found while scanning....
C:\WINDOWS\system32\ggdaggd.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ggdaggd.dll
C:\WINDOWS\system32\ggdaggd.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ggdaggd.dll
C:\WINDOWS\system32\ggdaggd.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 20.38.01 25/05/2007
Listing files found while scanning....
C:\WINDOWS\system32\ggdaggd.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ggdaggd.dll
C:\WINDOWS\system32\ggdaggd.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ggdaggd.dll
C:\WINDOWS\system32\ggdaggd.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.4.1
Checking Java version...
Sun Java not detected
Scan started at 21.26.41 25/05/2007
Listing files found while scanning....
Orange (Dio maturo)
Registered: 18/02/07 13:20 Posts: 2224 Location: Rome
Posted: 27 May 2007 12:04
Good grief... this Vundo is stubborn.
Let's try another method:
If need be, create a restore point
-Double-click the VundoFix.exe file: a folder with the extracted files will be created;
-Reboot into Safe Mode, click on KillVundo.bat.
-Press Enter at the warning that you use it at your own risk
-This prompt will appear: Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix
-You must enter the path of the infected file: C:\WINDOWS\system32\ggdaggd.dll
-After entering the path, as requested, press Enter--F6--Enter
-You will be asked, in the same way, to enter the second path; enter: C:\WINDOWS\system32\ggdaggd.* (put exactly * in place of .dll)
-The program will now automatically launch HijackThis, in which you must fix the entries relating to Vundo:
O2 - BHO: (no name) - {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} - c:\windows\system32\ggdaggd.dll
O20 - Winlogon Notify: rkyvcdpi - C:\WINDOWS\SYSTEM32\ggdaggd.dll,
then press a key, which will force the reboot
-It is likely that after this last action a "blue screen" error appears: that's normal, don't worry and finish the procedure.
void (Mortale pio)
Registered: 20/05/07 21:56 Posts: 19
Posted: 27 May 2007 14:07
HELPPPPP!!!!! ORANGE, I can't find KillVundo after double-clicking vundofix.exe....!!! What do I do???
Orange (Dio maturo)
Registered: 18/02/07 13:20 Posts: 2224 Location: Rome
Posted: 27 May 2007 15:29
Ugh...
Let's try this last remedy, after which we move on to the heavy-handed approach...
Download VirtumundoBegone and run the scan in Safe Mode...
Let us know
void (Mortale pio)
Registered: 20/05/07 21:56 Posts: 19
Posted: 27 May 2007 17:06
Orange.. my friend.. I tried with this latest program of yours but I don't know whether it's solved or not.. a log appears, which I'm posting below.. I hope.. you keep helping me.. thanks.. for everything..
[05/27/2007, 17:00:17] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator.W-1A0A5E8E5AB94\Desktop\VirtumundoBeGone\VirtumundoBeGone.exe" )
[05/27/2007, 17:00:26] - Detected System Information:
[05/27/2007, 17:00:26] - Windows Version: 5.1.2600, Service Pack 2
[05/27/2007, 17:00:26] - Current Username: Administrator (Admin)
[05/27/2007, 17:00:26] - Windows is in SAFE mode with Networking.
[05/27/2007, 17:00:26] - Searching for Browser Helper Objects:
[05/27/2007, 17:00:26] - BHO 1: {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} ()
[05/27/2007, 17:00:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/27/2007, 17:00:26] - Checking for HKLM\...\Winlogon\Notify\ggdaggd
[05/27/2007, 17:00:26] - Key not found: HKLM\...\Winlogon\Notify\ggdaggd, continuing.
[05/27/2007, 17:00:26] - Finished Searching Browser Helper Objects
[05/27/2007, 17:00:26] - Finishing up...
[05/27/2007, 17:00:26] - Nothing found! Exiting...
Orange (Dio maturo)
Registered: 18/02/07 13:20 Posts: 2224 Location: Rome
Posted: 28 May 2007 08:27
Quote: "[05/27/2007, 17:00:26] - Nothing found! Exiting..."
I suspect this tool didn't fix anything either...
Post your HJT log again anyway
Also start downloading Avenger.
void (Mortale pio)
Registered: 20/05/07 21:56 Posts: 19
Posted: 28 May 2007 21:55
Orange, sorry for the delay, anyway I'm back now...
I downloaded the program.. and I'm posting the HJT log.. awaiting your instructions.. thanks my friend..
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21.23.39, on 28/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\sistray.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Windows Media Player\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\Documents and Settings\bacio\Desktop\HiJackThis_v2\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O2 - BHO: bho3 Class - {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} - C:\Documents and Settings\bacio\52882040.dll
O2 - BHO: (no name) - {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} - c:\windows\system32\ggdaggd.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: cwfpmvz.exe
O4 - Startup: fwsgu.exe
O4 - Startup: imfe.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: *.rossoalice.it
O15 - Trusted Zone: *.rossoalice.virgilio.it
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177097832890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177267763562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rkyvcdpi - C:\WINDOWS\SYSTEM32\ggdaggd.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Convalida password di Symantec IS (ISPwdSvc) - Unknown owner - C:\Programmi\Norton AntiVirus\isPwdSvc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 6133 bytes
Orange (Mature god)

Registered: 18/02/07 13:20 Posts: 2224 Location: Roma
Posted: 29 May 2007 09:39
More things turned up.
Boot into safe mode and fix these entries with HiJack:
O2 - BHO: bho3 Class - {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} - C:\Documents and Settings\bacio\52882040.dll
O2 - BHO: (no name) - {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} - c:\windows\system32\ggdaggd.dll
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - Startup: cwfpmvz.exe
O4 - Startup: fwsgu.exe
O4 - Startup: imfe.exe
O20 - Winlogon Notify: rkyvcdpi - C:\WINDOWS\SYSTEM32\ggdaggd.dll
Find and delete C:\Documents and Settings\bacio\52882040.dll
Reboot the PC
Start Avenger
Select "Input Script Manually"
Click the magnifying glass
The "View/edit script" window opens
Inside the white box, copy and paste the following code:
Quote:
registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | {5CEE173A-29E9-42B6-A376-8B3C620FD6C9}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9}
Files to delete:
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
c:\windows\system32\ggdaggd.dll
C:\WINDOWS\cwfpmvz.exe
C:\WINDOWS\fwsgu.exe
C:\WINDOWS\imfe.exe
Click the Done button
Click the green traffic-light icon
Answer Yes
The PC should reboot by itself; otherwise reboot it manually
Post the log generated by Avenger and an updated HiJack one
P.S. I recommend installing a firewall as soon as possible
void (Pious mortal)

Registered: 20/05/07 21:56 Posts: 19
Posted: 29 May 2007 13:49
Orange my friend.. here are the updated HijackThis and Avenger logs,
hoping that something.. has been fixed...
Orange, which firewall do you suggest???
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xhxluuvp
*******************
Script file located at: \??\C:\WINDOWS\p^fehfla.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\spoolw.exe deleted successfully.
File C:\WINDOWS\system32\igfxsvc.exe deleted successfully.
Could not open file c:\windows\system32\ggdaggd.dll for deletion
Deletion of file c:\windows\system32\ggdaggd.dll failed!
Could not process line:
c:\windows\system32\ggdaggd.dll
Status: 0xc0000022
File C:\WINDOWS\cwfpmvz.exe not found!
Deletion of file C:\WINDOWS\cwfpmvz.exe failed!
Could not process line:
C:\WINDOWS\cwfpmvz.exe
Status: 0xc0000034
File C:\WINDOWS\fwsgu.exe not found!
Deletion of file C:\WINDOWS\fwsgu.exe failed!
Could not process line:
C:\WINDOWS\fwsgu.exe
Status: 0xc0000034
File C:\WINDOWS\imfe.exe not found!
Deletion of file C:\WINDOWS\imfe.exe failed!
Could not process line:
C:\WINDOWS\imfe.exe
Status: 0xc0000034
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} failed!
Status: 0xc0000034
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13.45.43, on 29/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\sistray.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\bacio\Desktop\HiJackThis_v2\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O2 - BHO: (no name) - {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} - c:\windows\system32\ggdaggd.dll
O3 - Toolbar: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: *.rossoalice.it
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177097832890
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177267763562
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DC0604F-BDFC-4B8C-8A5C-93E885DF65DE}: NameServer = 85.37.17.11 85.38.28.69
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rkyvcdpi - C:\WINDOWS\SYSTEM32\ggdaggd.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Convalida password di Symantec IS (ISPwdSvc) - Unknown owner - C:\Programmi\Norton AntiVirus\isPwdSvc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
--
End of file - 5985 bytes
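The two scans above (the entries the helper listed for fixing in the previous reply, and the log posted after the Avenger run) can be compared mechanically instead of by eye. The following Python script is an added example, not part of this thread and not HijackThis's own code: it parses the O-lines of both logs, extracts the file each entry launches or loads, and reports which entries on the fix list are still present in the later scan. Both log texts inside it are constructed excerpts of lines quoted in this thread, not complete logs.

```python
"""Compare two HijackThis scans and see which flagged entries survived.

Added example, not part of the thread and not HijackThis's own code.
It parses the "Oxx - " / "Rx - " lines of two scans, extracts the file each
entry launches or loads, and reports which entries from a helper's fix list
are still present in the later scan.  Both log excerpts below are
constructed from lines quoted in the thread, not complete logs.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# O4 Run entries look like "[name] C:\path\file.exe" or "... (User 'SYSTEM')".
RUN_RE = re.compile(r"\]\s+(.+?)(?:\s+\(User '.*'\))?$")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O2", "O4", "O20"
    body: str     # everything after "O4 - "

    @property
    def target(self) -> str:
        """Lower-cased file the entry points at (HJT prints paths in mixed case)."""
        if self.section == "O4":
            m = RUN_RE.search(self.body)
            # "O4 - Startup: name.exe" carries only a file name, no folder.
            raw = m.group(1) if m else self.body.split(":", 1)[-1]
        else:
            raw = self.body.rsplit(" - ", 1)[-1]
        return raw.strip().lower()


def parse_log(text: str) -> list[Entry]:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


# Constructed excerpt of the first scan: the entries the helper listed for fixing.
LOG_BEFORE = r"""
O2 - BHO: bho3 Class - {58FB2CBB-C874-45FC-A1C9-B62CC9E3BED9} - C:\Documents and Settings\bacio\52882040.dll
O2 - BHO: (no name) - {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} - c:\windows\system32\ggdaggd.dll
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - Startup: cwfpmvz.exe
O4 - Startup: fwsgu.exe
O4 - Startup: imfe.exe
O20 - Winlogon Notify: rkyvcdpi - C:\WINDOWS\SYSTEM32\ggdaggd.dll
"""

# Constructed excerpt of the scan taken after the Avenger run.
LOG_AFTER = r"""
R3 - URLSearchHook: Coolstreaming Tool-Bar v1.0 Toolbar - {bd0e4d83-654e-4213-965b-fcbe887061f4} - C:\Programmi\Coolstreaming_Tool-Bar_v1.0\tbCoo1.dll
O2 - BHO: (no name) - {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} - c:\windows\system32\ggdaggd.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rkyvcdpi - C:\WINDOWS\SYSTEM32\ggdaggd.dll
"""


def report(before: str = LOG_BEFORE, after: str = LOG_AFTER) -> dict:
    """Split the fix list into targets still present and targets gone."""
    after_targets = {e.target for e in parse_log(after)}
    still, gone, seen = [], [], set()
    for e in parse_log(before):
        if e.target in seen:
            continue
        seen.add(e.target)
        (still if e.target in after_targets else gone).append(e.target)
    return {"still_present": still, "gone": gone}


if __name__ == "__main__":
    for label, items in report().items():
        print(label)
        for t in items:
            print("   ", t)
```

Run stand-alone it reports three targets still present (ggdaggd.dll, spoolw.exe, igfxsvc.exe) and four gone. Two things the comparison makes visible: ggdaggd.dll is registered both as a BHO (O2) and as a Winlogon Notify DLL (O20), so it is loaded at logon and into every Explorer and Internet Explorer process; and an O4 - Startup entry carries only a file name, because the file lives in a Startup folder, so a deletion script has to use the resolved path, which is why the Avenger log above reports the C:\WINDOWS\ paths for those three as not found.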
Orange (Mature god)

Registered: 18/02/07 13:20 Posts: 2224 Location: Roma
Posted: 29 May 2007 17:13
Not even Avenger managed it...
Download Gmer and run it
select the Tab >>> and then choose Processes
click Safe
answer Yes
the PC will reboot; a window will tell you that gmer is in safe mode, click Ok,
still in the Processes tab, at the bottom you'll find the Command entry; in the white space type cmd and click Run.
the command prompt will open
type Attrib -a -s -h -r c:\windows\system32\ggdaggd.dll
del /q c:\windows\system32\ggdaggd.dll and press OK.
again from Command type regedit
find and delete the key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CEE173A-29E9-42B6-A376-8B3C620FD6C9}
post the HJT log again, there are other things to remove.
as a firewall I recommend Firewall Plus
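Why the helper moves from Avenger to a safe-mode deletion is written in the status codes of the Avenger log posted above. The following Python script is an added example, not from this thread and not Avenger's own code; it parses such a log, pairs every failed deletion with its NTSTATUS value and decodes the two codes that appear in the thread (0xC0000022 is STATUS_ACCESS_DENIED and 0xC0000034 is STATUS_OBJECT_NAME_NOT_FOUND, the standard names from ntstatus.h). The log text inside it is a constructed excerpt of the one the user posted.

```python
"""Summarise an Avenger run log: what was deleted, what failed, and why.

Added example, not from the thread and not Avenger's own code.  It reads the
"deleted successfully" / "failed!" / "Status:" lines, decodes the NTSTATUS
code Avenger prints, and separates "object was not there" from "object could
not be touched".  NTSTATUS names are the standard ones from ntstatus.h; the
log below is a constructed excerpt of the one the user posted.
"""
import re

# The two codes seen in the thread; anything else is reported as unknown.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED (object locked, in use, or protected)",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND (path does not exist)",
}

AVENGER_LOG = r"""
Beginning to process script file:
File C:\WINDOWS\system32\spoolw.exe deleted successfully.
File C:\WINDOWS\system32\igfxsvc.exe deleted successfully.
Could not open file c:\windows\system32\ggdaggd.dll for deletion
Deletion of file c:\windows\system32\ggdaggd.dll failed!
Could not process line:
c:\windows\system32\ggdaggd.dll
Status: 0xc0000022
File C:\WINDOWS\cwfpmvz.exe not found!
Deletion of file C:\WINDOWS\cwfpmvz.exe failed!
Could not process line:
C:\WINDOWS\cwfpmvz.exe
Status: 0xc0000034
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | {5CEE173A-29E9-42B6-A376-8B3C620FD6C9} failed!
Status: 0xc0000034
Completed script processing.
"""

OK_RE = re.compile(r"^File (.+) deleted successfully\.$")
FAIL_RE = re.compile(r"^Deletion of (file|registry key) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]{8})$")


def parse_avenger_log(text: str) -> list[dict]:
    """One record per delete attempt: kind, target, ok, status (int or None)."""
    lines = [ln.strip() for ln in text.splitlines()]
    records = []
    for i, line in enumerate(lines):
        m = OK_RE.match(line)
        if m:
            records.append({"kind": "file", "target": m.group(1), "ok": True, "status": None})
            continue
        m = FAIL_RE.match(line)
        if m:
            # Avenger prints the status code within the next few lines.
            status = None
            for nxt in lines[i + 1:i + 5]:
                s = STATUS_RE.match(nxt)
                if s:
                    status = int(s.group(1), 16)
                    break
            records.append({"kind": m.group(1), "target": m.group(2), "ok": False, "status": status})
    return records


def explain(status) -> str:
    if status is None:
        return "no status code reported"
    return NTSTATUS.get(status, "unknown NTSTATUS 0x%08x" % status)


def summarize(text: str = AVENGER_LOG) -> dict:
    recs = parse_avenger_log(text)
    return {
        "deleted": [r["target"] for r in recs if r["ok"]],
        "failed": {r["target"]: explain(r["status"]) for r in recs if not r["ok"]},
    }


def locked_targets(text: str = AVENGER_LOG) -> list[str]:
    """Targets that exist but could not be removed: candidates for safe-mode handling."""
    return [r["target"] for r in parse_avenger_log(text)
            if not r["ok"] and r["status"] == 0xC0000022]


if __name__ == "__main__":
    s = summarize()
    print("deleted:", s["deleted"])
    for target, why in s["failed"].items():
        print("failed:", target, "->", why)
    print("locked:", locked_targets())
```

The split matters: the "not found" failures mean the script listed paths that did not exist on this machine, while the access-denied failure on ggdaggd.dll means the file was there but could not be opened for deletion, consistent with it being loaded as a Winlogon Notify DLL (O20) and so in use from logon onward. Note also that spoolw.exe and igfxsvc.exe were reported deleted, yet the HJT log taken minutes later shows both running again and still in the HKCU Run key: something else on the system recreated them, which is what the helper's later, much longer script is aimed at.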
void (Pious mortal)

Registered: 20/05/07 21:56 Posts: 19
Posted: 29 May 2007 20:25
Orange, two problems came up.. the BUT tells me: Parameter format not correct -
and the registry key can't be deleted.. what do I do???
Orange (Mature god)

Registered: 18/02/07 13:20 Posts: 2224 Location: Roma
Posted: 30 May 2007 19:10
Hi.
I think we've run into something particularly stubborn....
Do this: download SystemScan, tick all the options, and disable your antivirus during the scan.
Upload the log to http://www.easy-share.com/
and post the link here so it can be downloaded.
void (Pious mortal)

Registered: 20/05/07 21:56 Posts: 19
Posted: 31 May 2007 14:09
Orange my friend.. I did as.. you said; here's the link.. to the post... waiting for your replies, thanks..
http://w13.easy-share.com/1143895.html
Orange (Mature god)

Registered: 18/02/07 13:20 Posts: 2224 Location: Roma
Posted: 31 May 2007 20:20
Hi.
So: since I'm still trying to learn how to use SystemScan (with little success, I must admit.. 8) ), I forwarded the request directly to its "creators" at Suspect File.
The verdict isn't very comforting: you have multiple infections whose removal isn't certain... the best road is probably a format, but if you want to try, here are the instructions:
download this tool
once installed you'll have to reboot the PC to get it started.
at the end of the scan post the generated log.
start Avenger and, with the same method explained before, enter this script:
Quote:
files to delete:
c:\sysqdls.exe
c:\systmlc.exe
c:\U.exe
C:\WINDOWS\smernic.exe
C:\WINDOWS\prossl.exe
C:\WINDOWS\toto.exe
C:\WINDOWS\csrs.exe
C:\WINDOWS\10083250.exe
C:\WINDOWS\10083265.exe
C:\WINDOWS\5065078.exe
C:\WINDOWS\5087125.exe
C:\WINDOWS\10112453.exe
C:\WINDOWS\10112843.exe
C:\WINDOWS\csrs.dll
C:\WINDOWS\5054546.exe
C:\WINDOWS\5055562.exe
C:\WINDOWS\5074203.exe
C:\WINDOWS\iexplore_32.exe
C:\WINDOWS\w32dbg.exe
C:\WINDOWS\system32\vcydaaaa.exe
C:\WINDOWS\system32\vuwaaaaa.exe
C:\WINDOWS\system32\gwoyaaaa.exe
C:\WINDOWS\system32\mfgwpbns.exe
C:\WINDOWS\system32\ggdaggd.dll
C:\WINDOWS\system32\xlsolmas.dll
C:\WINDOWS\system32\bvaqzjcy.dll
C:\WINDOWS\system32\aaohnaaa.exe
C:\WINDOWS\system32\aahoaaaa.exe
C:\WINDOWS\system32\oarkwyla.dll
C:\WINDOWS\system32\utelzfpk.dll.bak
C:\WINDOWS\system32\utelzfpk.dll
C:\WINDOWS\System32\IGFXSVC.EXE
C:\WINDOWS\System32\SPOOLW.EXE
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\oarkwyla.dll
C:\WINDOWS\drivers\jeyjxidt.sys
C:\WINDOWS\drivers\hd_rkeys.cfg
C:\WINDOWS\drivers\hd_rvals.cfg
C:\WINDOWS\drivers\hd_self.cfg
C:\WINDOWS\drivers\hd_dirs.cfg
C:\WINDOWS\drivers\hd_files.cfg
C:\WINDOWS\drivers\hd_proc.cfg
C:\WINDOWS\drivers\tnugaj^l.sys
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\hfxnstfr
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\pltafzvd
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpdt
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lzx32
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CEE173A-29E9-42B6-A376-8B3C620FD6C9}
Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | 5T19I3B27A
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | rkyvcdpi
post the log generated by Rustbfix and one from Avenger
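Before pasting a script this long into Avenger it is worth checking it mechanically. The following Python script is an added example, not from this thread and not Avenger's own code: it splits a script into its sections, parses "key | value" lines, reports duplicate entries (the script above lists C:\WINDOWS\system32\oarkwyla.dll twice) and warns about a "|" inside a "registry keys" section, a check suggested by the thread itself, where the earlier script wrote the BHO key as "Browser Helper Objects | {GUID}" and Avenger reported it not found, while this script writes the same key with a backslash. The section names it recognises are only the three used in this thread (an assumption; the real tool accepts others), and the script text inside it is a constructed subset of the one above.

```python
"""Parse and sanity-check an Avenger script before it is run.

Added example, not from the thread and not Avenger's own code.  It splits a
script into sections, parses "key | value" lines, and reports duplicate
entries and suspicious lines.  KNOWN_SECTIONS is limited to the three headers
used in this thread (an assumption: the real tool accepts more).  SCRIPT is a
constructed subset of the script posted by the helper.
"""

# Section headers seen in the thread; matched case-insensitively.
KNOWN_SECTIONS = {"files to delete", "registry keys to delete", "registry values to delete"}

# Long hive names are folded to the short form for duplicate detection only.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}

SCRIPT = r"""
files to delete:
C:\WINDOWS\csrs.exe
C:\WINDOWS\csrs.dll
C:\WINDOWS\system32\ggdaggd.dll
C:\WINDOWS\system32\oarkwyla.dll
C:\WINDOWS\System32\IGFXSVC.EXE
C:\WINDOWS\System32\SPOOLW.EXE
C:\WINDOWS\system32\oarkwyla.dll
C:\WINDOWS\drivers\jeyjxidt.sys
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\lzx32
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CEE173A-29E9-42B6-A376-8B3C620FD6C9}
Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run | 5T19I3B27A
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | rkyvcdpi
"""


def normalize_key(key: str) -> str:
    """Canonical form of a registry path, used for comparison only."""
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive.upper()) + "\\" + rest.lower()


def _norm(entry):
    if isinstance(entry, tuple):                 # (key, value)
        return (normalize_key(entry[0]), entry[1].lower())
    if entry.upper().startswith("HK"):           # registry key
        return normalize_key(entry)
    return entry.lower()                         # NTFS path, case-insensitive


def parse_avenger_script(text: str) -> dict:
    """Return {"sections": {name: [entries]}, "problems": [messages]}."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            name = line[:-1].strip().lower()
            if name in KNOWN_SECTIONS:
                current = name
                sections.setdefault(name, [])
            else:
                current = None
                problems.append(f"line {lineno}: unknown section '{line}'")
            continue
        if current is None:
            problems.append(f"line {lineno}: entry outside a known section: {line}")
            continue
        if current == "registry values to delete":
            key, sep, value = line.partition("|")
            if not sep or not value.strip():
                problems.append(f"line {lineno}: value entry needs 'key | value': {line}")
                continue
            sections[current].append((key.strip(), value.strip()))
        else:
            if current == "registry keys to delete" and "|" in line:
                problems.append(f"line {lineno}: '|' in a keys section, looks like a value entry: {line}")
            sections[current].append(line)
    return {"sections": sections, "problems": problems}


def duplicates(parsed: dict) -> list:
    """Entries listed more than once within a section, in canonical form."""
    dups = []
    for entries in parsed["sections"].values():
        seen = set()
        for e in entries:
            n = _norm(e)
            if n in seen and n not in dups:
                dups.append(n)
            seen.add(n)
    return dups


if __name__ == "__main__":
    parsed = parse_avenger_script(SCRIPT)
    for name, entries in parsed["sections"].items():
        print(f"{name}: {len(entries)} entries")
    print("duplicates:", duplicates(parsed))
    print("problems:", parsed["problems"])
```

The registry section of the posted script is also instructive from a defender's point of view: Image File Execution Options keys for explorer.exe and iexplore.exe are a persistence mechanism (a Debugger value under such a key makes Windows start that program in place of the named one), and a value under Winlogon plus a policies\Explorer\Run entry are two further launch points beyond the ordinary Run keys that HJT shows as O4.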