Author: Saimon Templar (Mortale devoto)
Posted: 02 Jan 2008 14:45    Subject: TROJ_IRCFLOOD.O

Hi everyone, I'm new to this forum, so I hope I haven't made a mistake by attaching myself to an existing topic about a trojan found on my laptop.

I have the Trend Micro OfficeScan antivirus installed on it ... on the 29th its real-time scan found a new folder, killSh, containing three files the AV judged to be Trojans ...:

cult.exe --> Trojan Generic
kiss.exe --> TROJ_IRCFLOOD.O
repcal.exe --> TROJ_Generic

The system apparently put them in quarantine; I deleted the folder and the registry keys under \Microsoft\Windows\CurrentVersion\Run ... that were infecting the system.

The only problem I still have, though, even after scanning my PC with the antivirus, is that the ADSL connects, but after I've reached one site I can't get to any other sites ... as if the connection had stopped working ... I tried reinstalling the ADSL again but nothing ...

I haven't found anything on the web, so I hope you can help me ... before I have to reinstall the laptop ...

Thanks

Simone
Author: bdoriano (Administrator)
Posted: 02 Jan 2008 14:59

Hi Saimon Templar,
follow the instructions in this topic to post the HijackThis log.

PS: if you like, you can introduce yourself here
Author: Saimon Templar (Mortale devoto)
Posted: 02 Jan 2008 15:44

Thanks ... here is my HijackThis log:
 
 Logfile of HijackThis v1.99.1
 Scan saved at 14.42.58, on 02/01/2008
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
 C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
 C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 C:\WINDOWS\system32\dllcache\windmns.exe
 C:\WINDOWS\system32\dllcache\wintcpack.exe
 C:\WINDOWS\system32\dllcache\wintcps.exe
 C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
 C:\oracle\ora92\bin\omtsreco.exe
 C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
 C:\WINDOWS\system32\tgbstarter.exe
 C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
 C:\Programmi\Trend Micro\OfficeScan Client\ofcdog.exe
 C:\Programmi\VMware\VMware Player\vmware-authd.exe
 C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
 C:\WINDOWS\system32\vmnat.exe
 C:\Programmi\RealVNC\VNC4\WinVNC4.exe
 C:\WINDOWS\system32\vmnetdhcp.exe
 C:\WINDOWS\Explorer.EXE
 C:\Programmi\TortoiseSVN\bin\TSVNCache.exe
 C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
 C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
 C:\WINDOWS\system32\hkcmd.exe
 C:\WINDOWS\system32\igfxpers.exe
 C:\WINDOWS\system32\igfxsrvc.exe
 C:\WINDOWS\stsystra.exe
 C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe
 C:\Programmi\Java\j2re1.4.2_11\bin\jusched.exe
 C:\Programmi\Java\j2re1.4.2_11\bin\jucheck.exe
 C:\Programmi\iTunes\iTunesHelper.exe
 C:\WINDOWS\system32\gsicon.exe
 C:\WINDOWS\system32\dslagent.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\WINDOWS\system32\WinTcpip.exe
 C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
 C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe
 C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
 C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
 C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
 C:\Programmi\iTunes\iTunes.exe
 C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
 C:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
 C:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
 C:\Programmi\Mozilla Firefox\firefox.exe
 C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
 C:\Programmi\File comuni\Apple\Mobile Device Support\bin\distnoted.exe
 C:\WINDOWS\system32\javaw.exe
 C:\Programmi\Microsoft Office\OFFICE11\OUTLOOK.EXE
 C:\Programmi\Microsoft Office\OFFICE11\WINWORD.EXE
 C:\Programmi\Windows Live\Messenger\usnsvc.exe
 C:\PROGRA~1\WINZIP\winzip32.exe
 C:\Documents and Settings\simonef\Impostazioni locali\Temp\wz9a83\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://socrate:8000/officescan/clientinstall/default.htm
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
 O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Programmi\AskTBar\bar\1.bin\ASKTBAR.DLL
 O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Programmi\AskTBar\bar\1.bin\ASKTBAR.DLL
 O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
 O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
 O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
 O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
 O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
 O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
 O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_11\bin\jusched.exe
 O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
 O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
 O4 - HKLM\..\Run: [Windows Service Agent] WinTcpip.exe
 O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
 O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
 O4 - HKLM\..\RunServices: [Windows Service Agent] WinTcpip.exe
 O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
 O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\msnmsgra.exe" /background
 O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
 O4 - HKCU\..\Run: [googletalk] "C:\Programmi\Google\Google Talk\googletalk.exe" /autostart
 O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
 O4 - HKCU\..\Run: [Windows Service Agent] WinTcpip.exe
 O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 O4 - Global Startup: Service Manager.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
 O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_11\bin\npjpi142_11.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_11\bin\npjpi142_11.dll
 O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
 O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
 O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://socrate:8000/officescan/ClientInstall/WinNTChk.cab
 O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://socrate:8000/officescan/clientinstall/setupini.cab
 O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://socrate:8000/officescan/clientinstall/setup.cab
 O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://socrate:8000/officescan/clientinstall/RemoveCtrl.cab
 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grupposervizi.it
 O17 - HKLM\Software\..\Telephony: DomainName = grupposervizi.it
 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grupposervizi.it
 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grupposervizi.it
 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
 O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programmi\Windows Live\Mail\mailcomm.dll
 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
 O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
 O23 - Service: Microsoft Windows DNS Manager - Unknown owner - C:\WINDOWS\system32\dllcache\windmns.exe
 O23 - Service: Microsoft Windows TCP Ack Timing - Unknown owner - C:\WINDOWS\system32\dllcache\wintcpack.exe
 O23 - Service: Microsoft Windows TCP Protocol - Unknown owner - C:\WINDOWS\system32\dllcache\wintcps.exe
 O23 - Service: MySQL - Unknown owner - C:\Programmi\MySQL\MySQL.exe (file missing)
 O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
 O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
 O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
 O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
 O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
 O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
 O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
 O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
 O23 - Service: TgbIke Starter (TgbIKE Starter) - Unknown owner - C:\WINDOWS\system32\tgbstarter.exe
 O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
 O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Programmi\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
 O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programmi\VMware\VMware Player\vmware-authd.exe
 O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
 O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
 O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
 O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmi\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
 O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe
Author: Saimon Templar (Mortale devoto)
Posted: 04 Jan 2008 12:54

I get it, nobody knows what my problem depends on. I'll have to reinstall the laptop then ... Ugh!!!

Just think, I was on the iTunes Store and picked up this malware ....
damn that 'APPLE'
Author: bdoriano (Administrator)
Posted: 04 Jan 2008 13:20

Easy, easy... we just lost track of you among the flood of help requests.
You have quite a lot of odd stuff in there; follow the instructions in this topic to post the ComboFix log.
Author: Saimon Templar (Mortale devoto)
Posted: 04 Jan 2008 13:27

bdoriano wrote:
> Easy, easy... we just lost track of you among the flood of help requests.
> You have quite a lot of odd stuff in there; follow the instructions in this topic to post the ComboFix log.

Ah, thanks
 ... I'll try using ComboFix and then report the log ...
Thanks a lot!!!
Author: Saimon Templar (Mortale devoto)
Posted: 04 Jan 2008 15:28

Here is the ComboFix log
 ComboFix 08-01-04.1 - simonef 2008-01-04 12.33.42.1 - NTFSx86
 Microsoft Windows XP Professional  5.1.2600.2.1252.1.1040.18.914 [GMT 1:00]
 Eseguito da: C:\ComboFix.exe
 * Creato nuovo punto di ripristino
 .
 
 (((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 
 C:\WINDOWS\hosts
 
 .
 (((((((((((((((((((((((((   Files Creati Da 2007-12-04 al 2008-01-04  )))))))))))))))))))))))))))))))))))
 .
 
 2008-01-04 12:32 . 2000-08-31 08:00	51,200	--a------	C:\WINDOWS\NirCmd.exe
 2008-01-04 12:31 . 2008-01-04 12:32	1,485,915	--a------	C:\ComboFix.exe
 2008-01-01 22:49 . 2008-01-01 22:49	268	--ah-----	C:\sqmdata10.sqm
 2008-01-01 22:49 . 2008-01-01 22:49	244	--ah-----	C:\sqmnoopt10.sqm
 2008-01-01 22:46 . 2008-01-01 22:46	268	--ah-----	C:\sqmdata09.sqm
 2008-01-01 22:46 . 2008-01-01 22:46	244	--ah-----	C:\sqmnoopt09.sqm
 2008-01-01 22:28 . 2008-01-01 22:47	<DIR>	d--------	C:\Programmi\NoAdware5.0
 2008-01-01 22:01 . 2008-01-01 22:01	268	--ah-----	C:\sqmdata08.sqm
 2008-01-01 22:01 . 2008-01-01 22:01	244	--ah-----	C:\sqmnoopt08.sqm
 2008-01-01 21:48 . 2008-01-01 21:48	268	--ah-----	C:\sqmdata07.sqm
 2008-01-01 21:48 . 2008-01-01 21:48	244	--ah-----	C:\sqmnoopt07.sqm
 2008-01-01 21:46 . 2003-02-27 09:59	290,816	--a------	C:\WINDOWS\system32\gsi.cpl
 2008-01-01 21:46 . 2003-02-24 20:12	276,458	--a------	C:\WINDOWS\system32\drivers\gwausb.sys
 2008-01-01 21:46 . 2003-01-08 12:36	90,112	--a------	C:\WINDOWS\system32\gsicon.exe
 2008-01-01 21:46 . 2003-02-13 13:09	24,576	--a------	C:\WINDOWS\system32\CoInst.dll
 2008-01-01 21:46 . 2003-02-13 13:09	16,384	--a------	C:\WINDOWS\system32\dslagent.exe
 2008-01-01 21:46 . 2003-02-27 14:24	2,976	---------	C:\WINDOWS\wwdslcfg.ini
 2008-01-01 21:43 . 2008-01-01 21:43	268	--ah-----	C:\sqmdata06.sqm
 2008-01-01 21:43 . 2008-01-01 21:43	244	--ah-----	C:\sqmnoopt06.sqm
 2007-12-30 15:52 . 2007-12-30 15:52	268	--ah-----	C:\sqmdata05.sqm
 2007-12-30 15:52 . 2007-12-30 15:52	244	--ah-----	C:\sqmnoopt05.sqm
 2007-12-30 11:37 . 2007-12-30 11:37	268	--ah-----	C:\sqmdata04.sqm
 2007-12-30 11:37 . 2007-12-30 11:37	244	--ah-----	C:\sqmnoopt04.sqm
 2007-12-30 09:24 . 2007-12-30 09:24	268	--ah-----	C:\sqmdata03.sqm
 2007-12-30 09:24 . 2007-12-30 09:24	244	--ah-----	C:\sqmnoopt03.sqm
 2007-12-30 09:22 . 2007-12-30 09:22	268	--ah-----	C:\sqmdata02.sqm
 2007-12-30 09:22 . 2007-12-30 09:22	244	--ah-----	C:\sqmnoopt02.sqm
 2007-12-29 16:26 . 2007-12-29 16:26	495,616	-r-hsc---	C:\WINDOWS\system32\dllcache\windmns.exe
 2007-12-29 16:25 . 2007-12-29 16:26	991,307	--a------	C:\Sh.exe
 2007-12-29 16:22 . 2007-12-29 16:22	268	--ah-----	C:\sqmdata01.sqm
 2007-12-29 16:22 . 2007-12-29 16:22	244	--ah-----	C:\sqmnoopt01.sqm
 2007-12-29 16:11 . 2007-12-29 16:11	268	--ah-----	C:\sqmdata00.sqm
 2007-12-29 16:11 . 2007-12-29 16:11	244	--ah-----	C:\sqmnoopt00.sqm
 2007-12-29 14:34 . 2007-12-29 14:35	757,760	--a------	C:\WINDOWS\system32\WinTcpip.exe
 2007-12-24 17:58 . 2007-12-24 17:58	<DIR>	d--------	C:\[Album] - Tiziano Ferro - Nessuno È Solo (2006 )
 2007-12-21 18:03 . 2007-12-21 18:03	<DIR>	d--------	C:\Documents and Settings\simonef\Dati applicazioni\Nokia Multimedia Player
 2007-12-21 12:49 . 2007-12-21 12:49	<DIR>	d--------	C:\Documents and Settings\All Users\Dati applicazioni\PC Suite
 2007-12-21 12:47 . 2007-12-21 12:47	<DIR>	d--------	C:\Programmi\File comuni\PCSuite
 2007-12-21 12:47 . 2007-12-21 12:47	<DIR>	d--------	C:\Programmi\File comuni\Nokia
 2007-12-21 12:47 . 2007-12-21 12:47	<DIR>	d--------	C:\Programmi\DIFX
 2007-12-21 12:47 . 2007-12-21 12:59	<DIR>	d--------	C:\Documents and Settings\simonef\Dati applicazioni\Nokia
 2007-12-21 12:46 . 2007-12-21 12:46	<DIR>	d--------	C:\Programmi\PC Connectivity Solution
 2007-12-21 12:46 . 2007-12-21 12:47	<DIR>	d--------	C:\Programmi\Nokia
 2007-12-21 12:46 . 2007-12-21 12:50	<DIR>	d--------	C:\Documents and Settings\simonef\Dati applicazioni\PC Suite
 2007-12-21 12:46 . 2007-02-22 10:15	137,216	--a------	C:\WINDOWS\system32\drivers\nmwcd.sys
 2007-12-21 12:46 . 2007-02-22 10:15	90,624	--a------	C:\WINDOWS\system32\nmwcdcls.dll
 2007-12-21 12:46 . 2007-02-22 10:15	65,536	--a------	C:\WINDOWS\system32\nmwcdcocls.dll
 2007-12-21 12:46 . 2007-02-22 10:15	12,288	--a------	C:\WINDOWS\system32\drivers\nmwcdcm.sys
 2007-12-21 12:46 . 2007-02-22 10:15	8,320	--a------	C:\WINDOWS\system32\drivers\nmwcdc.sys
 2007-12-21 12:45 . 2007-12-21 12:45	<DIR>	d--------	C:\Documents and Settings\All Users\Dati applicazioni\Installations
 2007-12-18 09:16 . 2007-12-18 09:19	<DIR>	d--------	C:\Documents and Settings\simonef\Dati applicazioni\TortoiseSVN
 2007-12-14 17:23 . 2007-12-14 17:23	<DIR>	d--------	C:\apache-ant-1.7.0
 2007-12-11 15:30 . 2007-12-26 21:13	69	--a------	C:\WINDOWS\NeroDigital.ini
 2007-12-10 10:37 . 2007-12-10 10:37	<DIR>	d---s----	C:\Documents and Settings\simonef\UserData
 2007-12-07 17:30 . 2007-12-10 11:27	<DIR>	d--------	C:\Documents and Settings\simonef\Dati applicazioni\PLSQL Developer
 2007-12-05 09:42 . 2007-12-05 09:42	151	--a------	C:\WINDOWS\PhotoSnapViewer.INI
 2007-12-04 18:24 . 2007-12-04 14:23	11,980,506	--a------	C:\2007-Dec-04--1422.zip
 2007-12-04 16:29 . 2007-12-04 16:29	4,550,846	--a------	C:\BackupIstanzaLocale.zip
 2007-12-04 16:23 . 2007-12-04 16:24	40,165,746	--a------	C:\BackupIstanzaLocale.xml
 
 .
 ((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 2008-01-04 11:29	---------	d-----w	C:\Documents and Settings\simonef\Dati applicazioni\Skype
 2008-01-04 09:53	---------	d-----w	C:\Programmi\eclipse
 2008-01-04 06:56	---------	d-----w	C:\Documents and Settings\LocalService\Dati applicazioni\VMware
 2008-01-04 06:56	---------	d-----w	C:\Documents and Settings\All Users\Dati applicazioni\VMware
 2008-01-01 20:46	---------	d-----w	C:\Programmi\IPM
 2007-12-27 13:45	---------	d-----w	C:\Documents and Settings\simonef\Dati applicazioni\Apple Computer
 2007-12-10 10:23	---------	d-----w	C:\Programmi\PLSQL Developer
 2007-12-05 08:50	---------	d-----w	C:\Programmi\AskTBar
 2007-12-03 20:29	---------	d-----w	C:\Programmi\eMule
 2007-12-03 12:44	---------	d-----w	C:\Programmi\FeedReader30
 2007-12-03 10:49	---------	d-----w	C:\Documents and Settings\simonef\Dati applicazioni\Ahead
 2007-12-03 10:35	---------	d-----w	C:\Programmi\File comuni\Ahead
 2007-12-03 10:33	---------	d-----w	C:\Programmi\Nero
 2007-12-03 10:33	---------	d-----w	C:\Documents and Settings\All Users\Dati applicazioni\Nero
 2007-11-28 18:16	---------	d-----w	C:\Documents and Settings\simonef\Dati applicazioni\Talkback
 2007-11-27 16:46	---------	d-----w	C:\Documents and Settings\simonef\Dati applicazioni\Feedreader
 2007-11-27 09:48	---------	d-----w	C:\Programmi\iTunes
 2007-11-27 09:47	---------	d-----w	C:\Programmi\QuickTime
 2007-11-27 09:47	---------	d-----w	C:\Programmi\iPod
 2007-11-27 09:47	---------	d-----w	C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer
 2007-11-27 09:46	---------	d-----w	C:\Programmi\File comuni\Apple
 2007-11-27 09:46	---------	d-----w	C:\Programmi\Apple Software Update
 2007-11-27 09:46	---------	d-----w	C:\Documents and Settings\All Users\Dati applicazioni\Apple
 2007-11-22 09:58	---------	d-----w	C:\Programmi\Jasc Software Inc
 2007-11-14 14:20	---------	d-----w	C:\Programmi\Google
 2007-11-13 16:53	---------	d-----w	C:\Programmi\Java
 2007-11-13 16:24	---------	d-----w	C:\Programmi\Apache Software Foundation
 2007-11-13 11:17	---------	d-----w	C:\Programmi\TortoiseSVN
 2007-11-13 11:13	---------	d-----w	C:\Documents and Settings\simonef\Dati applicazioni\Subversion
 2007-11-13 11:08	---------	d-----w	C:\Programmi\Subversion
 2007-11-13 07:51	---------	d-----w	C:\Programmi\Skype
 2007-11-13 07:51	---------	d-----w	C:\Programmi\File comuni\Skype
 2007-11-13 07:51	---------	d-----w	C:\Documents and Settings\All Users\Dati applicazioni\Skype
 2007-11-13 07:46	---------	d-----w	C:\Programmi\Hattrick
 2007-11-12 16:36	---------	d-----w	C:\Programmi\Windows Live
 2007-11-12 16:34	---------	d-----w	C:\Programmi\Microsoft SQL Server Compact Edition
 2007-11-12 16:30	---------	dcsh--w	C:\Programmi\File comuni\WindowsLiveInstaller
 2007-11-12 16:24	---------	d-----w	C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
 2007-11-12 15:17	107,888	----a-w	C:\WINDOWS\system32\CmdLineExt.dll
 2007-11-12 15:17	---------	d--h--r	C:\Documents and Settings\simonef\Dati applicazioni\SecuROM
 2007-11-12 14:59	---------	d--h--w	C:\Programmi\Zero G Registry
 2007-11-12 14:55	---------	d-----w	C:\Programmi\Sports Interactive
 2007-11-12 14:54	---------	d-----w	C:\Documents and Settings\simonef\Dati applicazioni\Sports Interactive
 2007-11-12 14:39	---------	d-----w	C:\Programmi\Organizer
 2007-10-23 16:49	586,240	----a-w	C:\WINDOWS\WLXPGSS.SCR
 2007-10-18 10:31	51,224	----a-w	C:\WINDOWS\system32\sirenacm.dll
 2007-02-27 22:51	533,648	----a-w	C:\Documents and Settings\simonef\2007-Feb-27--2351.zip
 .
 
 (((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 .
 REGEDIT4
 *Nota* i valori vuoti & legittimi/default non sono visualizzati.
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
 @={30351346-7B7D-4FCC-81B4-1E394CA267EB}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
 @={30351347-7B7D-4FCC-81B4-1E394CA267EB}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
 @={30351348-7B7D-4FCC-81B4-1E394CA267EB}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
 @={3035134B-7B7D-4FCC-81B4-1E394CA267EB}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
 @={3035134C-7B7D-4FCC-81B4-1E394CA267EB}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
 @={3035134D-7B7D-4FCC-81B4-1E394CA267EB}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
 @={3035134E-7B7D-4FCC-81B4-1E394CA267EB}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
 @={5d1cb710-1c4b-11d4-bed5-005004b1f42f}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
 @={5d1cb711-1c4b-11d4-bed5-005004b1f42f}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
 @={5d1cb712-1c4b-11d4-bed5-005004b1f42f}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
 @={5d1cb713-1c4b-11d4-bed5-005004b1f42f}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
 @={5d1cb714-1c4b-11d4-bed5-005004b1f42f}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
 @={5d1cb715-1c4b-11d4-bed5-005004b1f42f}
 
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
 @={5d1cb716-1c4b-11d4-bed5-005004b1f42f}
 
 [HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
 2007-02-04 10:11	536576	--a------	C:\Programmi\TortoiseSVN\bin\tortoisesvn.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
 2007-02-04 10:11	536576	--a------	C:\Programmi\TortoiseSVN\bin\tortoisesvn.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
 2007-02-04 10:11	536576	--a------	C:\Programmi\TortoiseSVN\bin\tortoisesvn.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
 2007-02-04 10:11	536576	--a------	C:\Programmi\TortoiseSVN\bin\tortoisesvn.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
 2007-02-04 10:11	536576	--a------	C:\Programmi\TortoiseSVN\bin\tortoisesvn.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
 2007-02-04 10:11	536576	--a------	C:\Programmi\TortoiseSVN\bin\tortoisesvn.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
 2007-02-04 10:11	536576	--a------	C:\Programmi\TortoiseSVN\bin\tortoisesvn.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
 2006-02-11 23:00	1073152	--a------	C:\Programmi\TortoiseCVS\TrtseShl.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
 2006-02-11 23:00	1073152	--a------	C:\Programmi\TortoiseCVS\TrtseShl.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
 2006-02-11 23:00	1073152	--a------	C:\Programmi\TortoiseCVS\TrtseShl.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
 2006-02-11 23:00	1073152	--a------	C:\Programmi\TortoiseCVS\TrtseShl.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
 2006-02-11 23:00	1073152	--a------	C:\Programmi\TortoiseCVS\TrtseShl.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
 2006-02-11 23:00	1073152	--a------	C:\Programmi\TortoiseCVS\TrtseShl.dll
 
 [HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
 2006-02-11 23:00	1073152	--a------	C:\Programmi\TortoiseCVS\TrtseShl.dll
 
 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
 "MsnMsgr"="C:\Programmi\Windows Live\Messenger\msnmsgra.exe" [2007-10-18 11:34 5724184]
 "Skype"="C:\Programmi\Skype\Phone\Skype.exe" [2007-09-13 13:31 22880040]
 "googletalk"="C:\Programmi\Google\Google Talk\googletalk.exe" [2007-04-19 06:40 3293184]
 "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14 147456]
 "Windows Service Agent"="WinTcpip.exe" [2007-12-29 14:35 757760 C:\WINDOWS\system32\WinTcpip.exe]
 "PC Suite Tray"="C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]
 
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "IntelZeroConfig"="C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 10:55 667718]
 "IntelWireless"="C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 10:56 602182]
 "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 16:44 98304]
 "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 16:41 77824]
 "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 16:45 118784]
 "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 16:30 282624 C:\WINDOWS\stsystra.exe]
 "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
 "OfficeScanNT Monitor"="C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" [2004-01-19 14:50 458752]
 "SunJavaUpdateSched"="C:\Programmi\Java\j2re1.4.2_11\bin\jusched.exe" [2006-02-13 11:53 32881]
 "QuickTime Task"="C:\Programmi\QuickTime\QTTask.exe" [2007-11-14 23:43 286720]
 "iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-11-15 13:11 267048]
 "NeroFilterCheck"="C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
 "Windows Service Agent"="WinTcpip.exe" [2007-12-29 14:35 757760 C:\WINDOWS\system32\WinTcpip.exe]
 "GSICONEXE"="gsicon.exe" [2003-01-08 12:36 90112 C:\WINDOWS\system32\gsicon.exe]
 "DSLAGENTEXE"="dslagent.exe" [2003-02-13 13:09 16384 C:\WINDOWS\system32\dslagent.exe]
 
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
 "Windows Service Agent"="WinTcpip.exe" [2007-12-29 14:35 757760 C:\WINDOWS\system32\WinTcpip.exe]
 
 [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
 "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
 "Nokia.PCSync"="C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
 "Windows Service Agent"="WinTcpip.exe" [2007-12-29 14:35 757760 C:\WINDOWS\system32\WinTcpip.exe]
 
 C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
 Adobe Reader Speed Launch.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
 Service Manager.lnk - C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2006-09-21 11:58:55]
 
 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
 "DisallowRun"= 1 (0x1)
 
 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
 "1"= MSNMSGR.EXE
 
 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TgbVpn]
 2004-10-27 16:10	269824	--a------	C:\Programmi\SISTECH\TheGreenBow VPN\vpnconf.exe
 
 R0 TgbVPN;TheGreenBow VPN;C:\WINDOWS\system32\Drivers\tgbvpn.sys [2004-10-27 12:23]
 R2 CdpPacket;Cisco Discovery Protocol Packet Driver;C:\WINDOWS\system32\DRIVERS\CdpPacket.sys [2005-09-27 19:33]
 R2 Microsoft Windows DNS Manager;Microsoft Windows DNS Manager;"C:\WINDOWS\system32\dllcache\windmns.exe" [2007-12-29 16:26]
 R2 Microsoft Windows TCP Ack Timing;Microsoft Windows TCP Ack Timing;"C:\WINDOWS\system32\dllcache\wintcpack.exe" [2007-12-03 21:50]
 R2 Microsoft Windows TCP Protocol;Microsoft Windows TCP Protocol;"C:\WINDOWS\system32\dllcache\wintcps.exe" [2007-12-03 21:35]
 R2 TgbIKE Starter;TgbIke Starter;C:\WINDOWS\system32\tgbstarter.exe [2004-08-10 15:33]
 R3 Cpmt;Cisco Media Termination;C:\WINDOWS\system32\Drivers\Cpmt.sys [2005-09-27 19:33]
 S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 18:34]
 S3 Tomcat5;Apache Tomcat;"C:\Programmi\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" [2004-08-29 01:06]
 
 *Newly Created Service* - PROCEXP90
 .
 **************************************************************************
 
 catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
 Rootkit scan 2008-01-04 12:42:11
 Windows 5.1.2600 Service Pack 2 NTFS
 
 scansione processi nascosti ...
 
 scansione entrate autostart nascoste ...
 
 Scansione files nascosti ...
 
 Scansione completata con successo
 Files nascosti: 0
 
 **************************************************************************
 .
 Ora fine scansione: 2008-01-04 12.42.57
 ComboFix-quarantined-files.txt  2008-01-04 11:42:49
 .
 2007-12-06 17:21:07	--- E O F ---

bdoriano (Administrator)
Registered: 02/04/07 12:05, Posts: 14391, Location: 3rd planet of the solar system...
Posted: 04 Jan 2008 16:04

Download Avenger and unpack it into a folder of its own, not a temporary one and not on the desktop.
Start AVENGER
Click on input script manually
Click on the magnifying glass
Enter these lines:

Quote:
Files to delete:
C:\WINDOWS\system32\dllcache\windmns.exe
C:\Sh.exe
C:\WINDOWS\system32\WinTcpip.exe
C:\WINDOWS\system32\dllcache\wintcpack.exe
C:\WINDOWS\system32\dllcache\wintcps.exe

registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Windows Service Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Windows Service Agent

Click on Done
Click on the traffic light
The PC should reboot; if it does not, reboot it yourself.
When the operation is finished, post the Avenger result here together with an updated HijackThis log.

Connect to the Kaspersky on-line scanner and run the extended scan, as described here.
Save the scan result to a file (in HTML format), upload the file to Freefilehosting and post here the link you are given.

Saimon Templar (Devoted Mortal)
Registered: 02/01/08 14:29, Posts: 11
Posted: 04 Jan 2008 19:55

HIJACKTHIS LOG:
 Logfile of HijackThis v1.99.1
 Scan saved at 18:54, on 2008-01-04
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
 C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
 C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
 C:\WINDOWS\Explorer.EXE
 C:\oracle\ora92\bin\omtsreco.exe
 C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
 C:\Programmi\TortoiseSVN\bin\TSVNCache.exe
 C:\WINDOWS\system32\tgbstarter.exe
 C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
 C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
 C:\Programmi\Trend Micro\OfficeScan Client\ofcdog.exe
 C:\Programmi\VMware\VMware Player\vmware-authd.exe
 C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
 C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
 C:\WINDOWS\system32\hkcmd.exe
 C:\WINDOWS\system32\igfxsrvc.exe
 C:\WINDOWS\system32\igfxpers.exe
 C:\WINDOWS\system32\vmnat.exe
 C:\Programmi\RealVNC\VNC4\WinVNC4.exe
 C:\WINDOWS\system32\vmnetdhcp.exe
 C:\WINDOWS\stsystra.exe
 C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe
 C:\Programmi\Java\j2re1.4.2_11\bin\jusched.exe
 C:\Programmi\Java\j2re1.4.2_11\bin\jucheck.exe
 C:\Programmi\iTunes\iTunesHelper.exe
 C:\WINDOWS\system32\gsicon.exe
 C:\WINDOWS\system32\dslagent.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\Programmi\Windows Live\Messenger\msnmsgra.exe
 C:\Programmi\Skype\Phone\Skype.exe
 C:\Programmi\Google\Google Talk\googletalk.exe
 C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
 C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe
 C:\Programmi\Trend Micro\OfficeScan Client\pccntupd.exe
 C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
 C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
 C:\Programmi\iPod\bin\iPodService.exe
 C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
 C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
 C:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
 C:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
 C:\Programmi\Mozilla Firefox\firefox.exe
 C:\WINDOWS\system32\wuauclt.exe
 C:\Programmi\File comuni\Apple\Mobile Device Support\bin\distnoted.exe
 C:\Programmi\File comuni\Apple\Mobile Device Support\bin\SyncServer.exe
 C:\PROGRA~1\WINZIP\winzip32.exe
 C:\Documents and Settings\simonef\Impostazioni locali\Temp\wz5881\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://socrate:8000/officescan/clientinstall/default.htm
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
 O1 - Hosts: 192.9.200.3 files
 O1 - Hosts: 192.9.200.20 socrate
 O1 - Hosts: 192.9.188.199 jira
 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
 O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
 O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
 O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
 O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
 O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
 O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
 O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_11\bin\jusched.exe
 O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
 O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
 O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
 O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
 O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
 O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\msnmsgra.exe" /background
 O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
 O4 - HKCU\..\Run: [googletalk] "C:\Programmi\Google\Google Talk\googletalk.exe" /autostart
 O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
 O4 - HKCU\..\Run: [Windows Service Agent] WinTcpip.exe
 O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 O4 - Global Startup: Service Manager.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
 O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_11\bin\npjpi142_11.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_11\bin\npjpi142_11.dll
 O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
 O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
 O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://socrate:8000/officescan/ClientInstall/WinNTChk.cab
 O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://socrate:8000/officescan/clientinstall/setupini.cab
 O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://socrate:8000/officescan/clientinstall/setup.cab
 O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://socrate:8000/officescan/clientinstall/RemoveCtrl.cab
 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grupposervizi.it
 O17 - HKLM\Software\..\Telephony: DomainName = grupposervizi.it
 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grupposervizi.it
 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grupposervizi.it
 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
 O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programmi\Windows Live\Mail\mailcomm.dll
 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
 O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
 O23 - Service: Microsoft Windows DNS Manager - Unknown owner - C:\WINDOWS\system32\dllcache\windmns.exe (file missing)
 O23 - Service: Microsoft Windows TCP Ack Timing - Unknown owner - C:\WINDOWS\system32\dllcache\wintcpack.exe (file missing)
 O23 - Service: Microsoft Windows TCP Protocol - Unknown owner - C:\WINDOWS\system32\dllcache\wintcps.exe (file missing)
 O23 - Service: MySQL - Unknown owner - C:\Programmi\MySQL\MySQL.exe (file missing)
 O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
 O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
 O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
 O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
 O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
 O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
 O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
 O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
 O23 - Service: TgbIke Starter (TgbIKE Starter) - Unknown owner - C:\WINDOWS\system32\tgbstarter.exe
 O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
 O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Programmi\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
 O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programmi\VMware\VMware Player\vmware-authd.exe
 O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
 O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
 O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
 O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmi\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
 O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe
 
AVENGER RESULT:
 
 Logfile of The Avenger version 1, by Swandog46
 Running from registry key:
 \Registry\Machine\System\CurrentControlSet\Services\qlwyrxbi
 
 *******************
 
 Script file located at: \??\C:\Documents and Settings\hakrjhrd.txt
 Script file opened successfully.
 
 Script file read successfully
 
 Backups directory opened successfully at C:\Avenger
 
 *******************
 
 Beginning to process script file:
 
 File C:\WINDOWS\system32\dllcache\windmns.exe deleted successfully.
 File C:\Sh.exe deleted successfully.
 File C:\WINDOWS\system32\WinTcpip.exe deleted successfully.
 File C:\WINDOWS\system32\dllcache\wintcpack.exe deleted successfully.
 File C:\WINDOWS\system32\dllcache\wintcps.exe deleted successfully.
 Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Windows Service Agent deleted successfully.
 Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|Windows Service Agent deleted successfully.
 
 Completed script processing.
 
 *******************
 
 Finished!  Terminate.
 
 
NOW I'LL DO THE OTHER STEPS

Saimon Templar (Devoted Mortal)
Registered: 02/01/08 14:29, Posts: 11
Posted: 05 Jan 2008 05:46

http://www.freefilehosting.net/download/3a2j6
here is the link to the Kaspersky report

bdoriano (Administrator)
Registered: 02/04/07 12:05, Posts: 14391, Location: 3rd planet of the solar system...
Posted: 05 Jan 2008 11:25

Start AVENGER
Click on input script manually
Click on the magnifying glass
Enter these lines:

Quote:
Files to delete:
C:\System Volume Information\_restore{90CB19D1-6FE4-46F5-8443-9229B16CA511}\RP79\A0023539.exe
C:\System Volume Information\_restore{90CB19D1-6FE4-46F5-8443-9229B16CA511}\RP79\A0023540.exe
C:\System Volume Information\_restore{90CB19D1-6FE4-46F5-8443-9229B16CA511}\RP79\A0023541.exe
C:\System Volume Information\_restore{90CB19D1-6FE4-46F5-8443-9229B16CA511}\RP79\A0023543.exe

Click on Done
Click on the traffic light
The PC should reboot; if it does not, reboot it yourself.
When the operation is finished, post the Avenger result here together with an updated HijackThis log.

One favour: once you have done the Avenger steps, you will find one or more backup*.rar files in C:\avenger. If you can, upload them to freefilehosting and send me the link you are given via [icon].
Look among the installed programs for AskTBar and uninstall it. It was installed when you loaded Nero
 
 
Saimon Templar (Devoted Mortal)
Registered: 02/01/08 14:29, Posts: 11
Posted: 05 Jan 2008 13:55

THIS IS THE AVENGER LOG:
 Logfile of The Avenger version 1, by Swandog46
 Running from registry key:
 \Registry\Machine\System\CurrentControlSet\Services\walkwsaw
 
 *******************
 
 Script file located at: \??\C:\WINDOWS\fvbtpwsl.txt
 Script file opened successfully.
 
 Script file read successfully
 
 Backups directory opened successfully at C:\Avenger
 
 *******************
 
 Beginning to process script file:
 
 File C:\System Volume Information\_restore{90CB19D1-6FE4-46F5-8443-9229B16CA511}\RP79\A0023539.exe deleted successfully.
 File C:\System Volume Information\_restore{90CB19D1-6FE4-46F5-8443-9229B16CA511}\RP79\A0023540.exe deleted successfully.
 File C:\System Volume Information\_restore{90CB19D1-6FE4-46F5-8443-9229B16CA511}\RP79\A0023541.exe deleted successfully.
 File C:\System Volume Information\_restore{90CB19D1-6FE4-46F5-8443-9229B16CA511}\RP79\A0023543.exe deleted successfully.
 
 Completed script processing.
 
 *******************
 
 Finished!  Terminate.
 
 
THIS IS THE HIJACKTHIS LOG:
 
 Logfile of HijackThis v1.99.1
 Scan saved at 12:55, on 2008-01-05
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
 C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
 C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
 C:\oracle\ora92\bin\omtsreco.exe
 C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
 C:\WINDOWS\system32\tgbstarter.exe
 C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
 C:\Programmi\Trend Micro\OfficeScan Client\ofcdog.exe
 C:\Programmi\VMware\VMware Player\vmware-authd.exe
 C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
 C:\WINDOWS\system32\vmnat.exe
 C:\Programmi\RealVNC\VNC4\WinVNC4.exe
 C:\WINDOWS\system32\vmnetdhcp.exe
 C:\WINDOWS\Explorer.EXE
 C:\Programmi\TortoiseSVN\bin\TSVNCache.exe
 C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
 C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
 C:\WINDOWS\system32\hkcmd.exe
 C:\WINDOWS\system32\igfxpers.exe
 C:\WINDOWS\system32\igfxsrvc.exe
 C:\WINDOWS\stsystra.exe
 C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe
 C:\Programmi\Java\j2re1.4.2_11\bin\jusched.exe
 C:\Programmi\iTunes\iTunesHelper.exe
 C:\WINDOWS\system32\gsicon.exe
 C:\WINDOWS\system32\dslagent.exe
 C:\WINDOWS\system32\ctfmon.exe
 C:\Programmi\Skype\Phone\Skype.exe
 C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
 C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe
 C:\Programmi\Trend Micro\OfficeScan Client\pccntupd.exe
 C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
 C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
 C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
 C:\Programmi\iPod\bin\iPodService.exe
 C:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
 C:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
 C:\WINDOWS\system32\notepad.exe
 C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
 C:\WINDOWS\system32\wuauclt.exe
 C:\Programmi\Mozilla Firefox\firefox.exe
 C:\Programmi\WinRAR\WinRAR.exe
 C:\DOCUME~1\simonef\IMPOST~1\Temp\Rar$EX00.281\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://socrate:8000/officescan/clientinstall/default.htm
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
 O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
 O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
 O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
 O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
 O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
 O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
 O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
 O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
 O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_11\bin\jusched.exe
 O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
 O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
 O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
 O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
 O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
 O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
 O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\msnmsgra.exe" /background
 O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
 O4 - HKCU\..\Run: [googletalk] "C:\Programmi\Google\Google Talk\googletalk.exe" /autostart
 O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
 O4 - HKCU\..\Run: [Windows Service Agent] WinTcpip.exe
 O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
 O4 - Global Startup: Service Manager.lnk = C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
 O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_11\bin\npjpi142_11.dll
 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_11\bin\npjpi142_11.dll
 O9 - Extra button: Inserisci blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
 O9 - Extra 'Tools' menuitem: Inserisci &blog in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programmi\Windows Live\Writer\WriterBrowserExtension.dll
 O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
 O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://socrate:8000/officescan/ClientInstall/WinNTChk.cab
 O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://socrate:8000/officescan/clientinstall/setupini.cab
 O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://socrate:8000/officescan/clientinstall/setup.cab
 O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
 O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://socrate:8000/officescan/clientinstall/RemoveCtrl.cab
 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grupposervizi.it
 O17 - HKLM\Software\..\Telephony: DomainName = grupposervizi.it
 O17 - HKLM\System\CCS\Services\Tcpip\..\{D2AD8581-1E19-44F8-9052-7C30D2AA0A53}: NameServer = 85.37.17.5 85.38.28.77
 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grupposervizi.it
 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = grupposervizi.it
 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
 O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programmi\Windows Live\Mail\mailcomm.dll
 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
 O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
 O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
 O23 - Service: Microsoft Windows DNS Manager - Unknown owner - C:\WINDOWS\system32\dllcache\windmns.exe (file missing)
 O23 - Service: Microsoft Windows TCP Ack Timing - Unknown owner - C:\WINDOWS\system32\dllcache\wintcpack.exe (file missing)
 O23 - Service: Microsoft Windows TCP Protocol - Unknown owner - C:\WINDOWS\system32\dllcache\wintcps.exe (file missing)
 O23 - Service: MySQL - Unknown owner - C:\Programmi\MySQL\MySQL.exe (file missing)
 O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
 O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Ahead\Lib\NMIndexingService.exe
 O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
 O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
 O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
 O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
 O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
 O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
 O23 - Service: TgbIke Starter (TgbIKE Starter) - Unknown owner - C:\WINDOWS\system32\tgbstarter.exe
 O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
 O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Programmi\Apache Software Foundation\Tomcat 5.0\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
 O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programmi\VMware\VMware Player\vmware-authd.exe
 O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
 O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Programmi\File comuni\VMware\VMware Virtual Image Editing\vmount2.exe
 O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
 O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmi\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
 O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe

bdoriano (Administrator)
Registered: 02/04/07 12:05, Posts: 14391, Location: 3rd planet of the solar system...
Posted: 07 Jan 2008 13:43

Disable System Restore and start the PC in safe mode, run hijackthis
click on do a system scan only
put a check mark next to these entries:

Quote:
O4 - HKCU\..\Run: [Windows Service Agent] WinTcpip.exe
O23 - Service: Microsoft Windows DNS Manager - Unknown owner - C:\WINDOWS\system32\dllcache\windmns.exe (file missing)
O23 - Service: Microsoft Windows TCP Ack Timing - Unknown owner - C:\WINDOWS\system32\dllcache\wintcpack.exe (file missing)
O23 - Service: Microsoft Windows TCP Protocol - Unknown owner - C:\WINDOWS\system32\dllcache\wintcps.exe (file missing)

click fix checked
Restart the PC in normal mode, redo the hijackthis log and post it
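The entries the helper singled out across this thread share a few signals that can be checked mechanically: a service or autorun launched from system32\dllcache, a display name imitating a Windows component with "Unknown owner", and a Run value that names a bare executable with no directory. The script below is an added example, not part of the thread and not code from HijackThis or Avenger (the function and constant names are my own); it parses O4 and O23 lines and rates them, using six lines copied from the logs posted above as its sample, including two legitimate ones so the weak "(file missing)" signal is shown being handled with care.

```python
# Added illustration: not code from the thread, HijackThis or Avenger; names are my own.
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories no legitimate service or autorun entry is installed from.
# The malware in this thread registered its services from system32\dllcache.
SUSPICIOUS_DIRS = (
    "\\system32\\dllcache\\",
    "\\temp\\",
    "\\system volume information\\",
)
# Display-name prefixes the thread's malware used to pass as Windows components.
LOOKALIKE_PREFIXES = ("microsoft windows ", "windows service ")

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

@dataclass
class Finding:
    line: str
    severity: str  # "high": remove; "review": confirm before acting
    reason: str

def _executable(cmd: str) -> str:
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]

def _looks_like_windows(name: str) -> bool:
    return name.lower().startswith(LOOKALIKE_PREFIXES)

def triage_line(line: str) -> Optional[Finding]:
    """Rate one HijackThis line; None means this line carries no signal."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        name, exe = m.group("name"), _executable(m.group("cmd"))
        if any(d in exe.lower() for d in SUSPICIOUS_DIRS):
            return Finding(line, "high", f"autorun runs from a cache/temp directory: {exe}")
        if "\\" not in exe:
            # A bare file name is resolved through the search path (system32
            # included), so the entry does not say where it really runs from.
            if _looks_like_windows(name):
                return Finding(line, "high",
                               f"Windows-lookalike autorun '{name}' runs bare file {exe}")
            return Finding(line, "review",
                           f"bare file name {exe}; confirm which file it resolves to "
                           "(vendor entries such as modem tray tools do this too)")
        return None
    m = O23_RE.match(line)
    if m:
        display, owner = m.group("display"), m.group("owner").strip()
        if any(d in m.group("path").lower() for d in SUSPICIOUS_DIRS):
            return Finding(line, "high", f"service '{display}' runs from a cache/temp directory")
        if _looks_like_windows(display) and owner == "Unknown owner":
            return Finding(line, "high", f"service '{display}' imitates a Windows component "
                                         "but has no recorded owner")
        if m.group("missing"):
            # Weak on its own: the thread's WinVNC4 and Tomcat5 lines carry the
            # same tag on legitimate services whose command line has arguments,
            # so confirm with 'sc qc <name>' before removing the service.
            return Finding(line, "review", f"service '{display}' points to a missing file")
    return None

def triage(log_text: str) -> List[Finding]:
    """Run every line of a HijackThis log through triage_line, keeping hits."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]

# Constructed sample: six lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKCU\..\Run: [Windows Service Agent] WinTcpip.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Microsoft Windows DNS Manager - Unknown owner - C:\WINDOWS\system32\dllcache\windmns.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Programmi\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample the two lines the helper had fixed come out "high", the gsicon.exe and WinVNC4 lines come out "review", and the iTunes and Apple lines produce nothing.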