Olimpo Informatico

[giuseppeeeeee]

Ciao a tutti carissimi angeli custodi di tutti i pc,
sono ahi mè l'ennesima vittima di questo maledetto di Istant Access.
Dopo aver seguito diversissime istruzioni su come eliminarlo,
come è evidente non ci sono riuscito per diverse ragioni,credo che la principale sia il fatto che FindAWF non mi trova nulla!come mostrato dal testo che vi mando:


Find AWF report by noahdfear ©2006
Version 1.40



bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


Ho provato poi hijackthis che mi da il seguente risultato:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.20.00, on 29/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\VEXPLITE\MONLITE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Giuseppe\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alice.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Programmi\File comuni\ToolSicuro\strpmon.exe" dm=http://toolsicuro.com; ad=http://toolsicuro.com
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [Spyware-Secure] C:\Programmi\Spyware-Secure\Spyware-Secure_trial.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ooze soap] C:\DOCUME~1\Giuseppe\DATIAP~1\FILEBY~1\software4mess.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alice.it
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46DA56E5-3B03-42BC-9C48-F52EE5CDE7FF}: NameServer = 85.37.17.9 85.38.28.75
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

--
End of file - 5897 bytes

Dopo aver provato ,si lo ammetto ,stupidamente a scaricare diversi antivirus che ora convivono contemporaneamente sul mio pc distrutto e affranto ...e lentissimo, non so piu' cosa fare.

ah....dimenticavo il sistema operativo e windows Xp!
Grazie mille a tutti voi nella speranza che ci sia qualcosa da fare!

[bdoriano]

Ciao giuseppeeeeee,

Direi che hai caricato troppi antivirus e anche diversi finti anti-malware (toolsicuro ad esempio).

Disabilita il ripristino di sistema e avvia il pc in modalità provvisoria
esegui hijackthis
clicca su do a system scan only
metti il segno di spunta a queste voci:

[giuseppeeeeee]

Ecco qui il risultato delle operazioni effettuate:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.43.17, on 29/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Ahead\InCD\InCD.exe
C:\Programmi\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Giuseppe\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alice.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\nsinet.exe /res
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alice.it
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe

--
End of file - 5387 bytes


E questo è il log di combo fix:

ComboFix 08-01-29.3 - Giuseppe 2008-01-29 17.54.15.1 - NTFSx86
Eseguito da: C:\Documents and Settings\Giuseppe\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\Documents and Settings\Giuseppe\Impostazioni locali\Dati applicazioni\argedcikfy.dat
C:\Documents and Settings\Giuseppe\Impostazioni locali\Dati applicazioni\argedcikfy.exe
C:\Documents and Settings\Giuseppe\Impostazioni locali\Dati applicazioni\argedcikfy_nav.dat
C:\Documents and Settings\Giuseppe\Impostazioni locali\Dati applicazioni\argedcikfy_navps.dat
C:\Programmi\instant access
C:\Programmi\instant access\Center\Crazy Girls.lnk
C:\Programmi\instant access\Center\Crazy Girls.upd
C:\Programmi\instant access\Center\tray1.ico
C:\Programmi\instant access\DesktopIcons\Crazy Girls.lnk
C:\Programmi\instant access\Multi\20080129150122\Common\module.php
C:\Programmi\instant access\Multi\20080129150122\dialerexe.ini
C:\Programmi\instant access\Multi\20080129150122\instant access.exe
C:\Programmi\instant access\Multi\20080129150122\js\js_api_dialer.php
C:\Programmi\instant access\Multi\20080129150122\medias\4239_dialer.ico
C:\Programmi\instant access\Multi\20080129150122\medias\button1.gif
C:\Programmi\instant access\Multi\20080129150122\medias\button2.gif
C:\Programmi\instant access\Multi\20080129150122\medias\button3.gif
C:\Programmi\instant access\Multi\20080129150122\medias\button4.gif
C:\Programmi\instant access\Multi\20080129150122\medias\Thumbs.db
C:\WINDOWS\dialerexe.ini
C:\WINDOWS\system32\nsinet.exe
C:\WINDOWS\system32\nvs2.inf

.
((((((((((((((((((((((((( Files Creati Da 2007-12-28 al 2008-01-29 )))))))))))))))))))))))))))))))))))
.

2008-01-29 15:35 . 2008-01-29 15:35 <DIR> dr------- C:\Documents and Settings\Giuseppe\Preferiti
2008-01-28 02:10 . 2008-01-28 02:10 <DIR> d-------- C:\Documents and Settings\Giuseppe\Dati applicazioni\Grisoft
2008-01-28 02:06 . 2008-01-28 02:06 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Grisoft
2008-01-28 02:06 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-28 01:40 . 2008-01-28 01:41 <DIR> d-------- C:\Programmi\PC Registry Cleaner
2008-01-28 01:40 . 2008-01-28 01:40 <DIR> d-------- C:\Programmi\File comuni\Wise Installation Wizard
2008-01-26 16:07 . 2008-01-26 17:35 <DIR> d-------- C:\QUARANTENA_VIRIT
2008-01-26 14:58 . 2008-01-16 16:53 36,480 --a------ C:\WINDOWS\system32\drivers\VIRAGTLT.SYS
2008-01-26 14:57 . 2008-01-29 17:35 <DIR> d-------- C:\VEXPLITE
2008-01-23 18:24 . 2008-01-26 11:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-23 18:24 . 2008-01-23 18:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-20 12:06 . 2008-01-06 15:17 1,266,902 --a------ C:\WINDOWS\system32\drivers\imbbpf002.bmp
2008-01-20 12:06 . 2007-08-10 02:00 780,278 --a------ C:\WINDOWS\system32\drivers\imgbns01.bmp
2008-01-20 12:06 . 2008-01-20 12:06 0 --a------ C:\WINDOWS\system32\enviado.flg
2008-01-20 12:05 . 2007-11-30 03:00 1,843,398 --a------ C:\WINDOWS\system32\drivers\imbbpf001.bmp
2008-01-20 12:05 . 2007-05-10 17:52 1,348,398 --a------ C:\WINDOWS\system32\drivers\verde1.bmp
2008-01-20 12:05 . 2007-09-13 12:41 1,228,150 --a------ C:\WINDOWS\system32\drivers\imgbrdchave01.bmp
2008-01-20 12:05 . 2007-09-13 14:47 1,228,150 --a------ C:\WINDOWS\system32\drivers\imgbrd03.bmp
2008-01-20 12:05 . 2007-12-23 01:52 1,113,654 --a------ C:\WINDOWS\system32\drivers\nossa22.bmp
2008-01-20 12:05 . 2007-05-15 00:42 929,038 --a------ C:\WINDOWS\system32\drivers\uni1.bmp
2008-01-20 12:05 . 2008-01-20 12:05 508,504 --a------ C:\WINDOWS\system32\imagens111.exe
2008-01-20 12:05 . 2007-05-15 01:16 373,014 --a------ C:\WINDOWS\system32\drivers\eletronica.bmp
2008-01-20 12:05 . 2007-05-13 02:11 134,670 --a------ C:\WINDOWS\system32\drivers\unitc1.bmp
2008-01-20 12:05 . 2007-05-13 02:15 133,722 --a------ C:\WINDOWS\system32\drivers\unitc2.bmp
2008-01-19 20:44 . 2008-01-19 20:44 22,528 --a------ C:\WINDOWS\system32\Partizan.exe
2008-01-17 21:25 . 2008-01-17 21:25 <DIR> d-------- C:\EPSON
2008-01-17 20:16 . 2008-01-17 20:16 <DIR> d-------- C:\Programmi\EPSON
2008-01-17 20:15 . 2008-01-17 20:17 15,838 --a------ C:\WINDOWS\EPSTPLOG.BAK
2008-01-02 16:04 . 2008-01-02 16:04 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-01-02 16:04 . 2008-01-02 16:04 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-01-02 15:23 . 2008-01-02 15:41 <DIR> d-------- C:\Programmi\Windows Media Connect 2
2008-01-02 15:23 . 2004-08-19 14:39 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-02 15:19 . 2008-01-02 15:20 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 14:23 --------- d-----w C:\Programmi\eMule
2008-01-24 00:33 --------- d-----w C:\Documents and Settings\Giuseppe\Dati applicazioni\Azureus
2008-01-03 10:50 --------- d-----w C:\Programmi\Azureus
2007-12-31 00:51 --------- d-----w C:\Programmi\Google
2007-12-22 14:56 --------- d-----w C:\Programmi\Messenger Plus! Live
2007-12-16 10:08 --------- d-----w C:\Programmi\Windows Live Safety Center
2007-12-12 19:45 --------- d-----w C:\Programmi\Sandro Carnevali
2007-12-08 02:10 --------- d-----w C:\Programmi\Java
2007-12-08 01:59 --------- d-----w C:\Programmi\File comuni\Java
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-12-02 03:20 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Azureus
2007-11-07 09:27 727,552 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:42 1,292,800 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 14:39 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"InCD"="C:\Programmi\Ahead\InCD\InCD.exe" [2004-09-07 15:39 1450094]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-05-02 23:09 77824]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"WinampAgent"="C:\Programmi\Winamp3\winampa.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"!AVG Anti-Spyware"="C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:39 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
R3 als4k;Avance Wave Audio Miniport Driver (WDM);C:\WINDOWS\system32\drivers\als4000.sys [2000-01-14 10:10]
R3 ALS4KMF;ALS4KMF;C:\WINDOWS\system32\drivers\mf.sys [2004-08-19 14:50]
R3 alsgame;Gameport for ALS4000 (WDM);C:\WINDOWS\system32\drivers\alsgame.sys [1999-09-10 06:46]
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkemusb.sys [2001-08-08 17:52]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkeusbi.sys [2002-09-02 10:10]
S3 DCamUSBMke2;Panasonic USB Video Camera;C:\WINDOWS\system32\Drivers\Mkeusbi2.sys [2002-11-06 08:48]
S3 lg3gbus;LGE KU580 driver (WDM);C:\WINDOWS\system32\DRIVERS\lg3gbus.sys [2007-04-26 13:35]
S3 lg3gmdfl;LGE KU580 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\lg3gmdfl.sys [2007-04-26 13:36]
S3 lg3gmdm;LGE KU580 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\lg3gmdm.sys [2007-04-26 13:36]
S3 lg3gmgmt;LGE KU580 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\lg3gmgmt.sys [2007-04-26 13:36]
S3 lg3gnd5;LGE KU580 USB Ethernet Emulation (NDIS);C:\WINDOWS\system32\DRIVERS\lg3gnd5.sys [2007-04-26 13:36]
S3 lg3gobex;LGE KU580 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\lg3gobex.sys [2007-04-26 13:36]
S3 lg3gunic;LGE KU580 USB Ethernet Emulation (WDM);C:\WINDOWS\system32\DRIVERS\lg3gunic.sys [2007-04-26 13:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 18:05:03
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Ora fine scansione: 2008-01-29 18:16:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 17:16:27
.
2008-01-27 23:54:37 --- E O F ---

E ora?li tolgo tutti gli spyware?mi consigli quale tenere?e anche quale antivirus lascire?Prima di installarli gli altri avevo solo avast!
grazie ancora!

[bdoriano]

Si, per il momento togli tutto. Poi vedremo cosa installare.

Scarica Norman Malware Cleaner e drWeb CureIt.
Disabilita il ripristino di sistema e avvia il pc in modalità provvisoria.
Avvia drWeb CureIt e fagli fare la scansione completa.
Avvia Norman Malware Cleaner e fagli fare la scansione completa.
Viene generato un log sul desktop chiamandolo NFix_2008-01-gg_hh-mm-ss.log, alla fine della scansione caricalo su FreeFileHosting come indicato qui e posta il link che ti viene assegnato.

[giuseppeeeeee]

ecco fatto...scusa il ritardo!


NFix_2008-01-30_13-02-14.log

[Sante62]

Un po di roba è stata tolta. Per sicurezza fai girare anche RogueRemover e dimmi se trova qualcosa, perchè mi sembra che non rilascia log. Dopo fai anche questi passaggi:
Scansione con GMER
Ricorda che i log di GMER sono due: Autostart e Rootkit. Postali su www.freefilehosting.net come indicato quì

[giuseppeeeeee]

ben ritrovati cari amici,scusate il ritardo ancora una volta, ma tra impegni e lentezza del mio vetusto pc solo ora riesco a fare il lavoro che sapientemente mi avete affidato per risolvere i problemi sul mio scassone!ahi me però ho uplodato solo il primo log di gmer perchè quando avvio rootkit il pc mi si riavvia da solo!non credo che sia normale.Vi dico sinceramente che questa battaglia contro le forze del male mi ha alquanto spossato sia in termini di forza che di tempo.aiutatemi ancora una volta....che faccio lo incendio?gli dò fuoco?lo scaravento dalla finestra o lo lascio cadere dolcemente dal primo piano?un caro saluto!

[giuseppeeeeee]

gmer11.log

[mdweb]

io ci sono risucito ho avuto anche io il prblema alcune settimane fa!Bisogna solo avere calma e fare tutto piano

[bdoriano]

Ciao giuseppeeeeee,

Manca il log autostart di gmer.
Rifai le scansioni con GMER (autostart e rootkit) e posta i logs su FreeFileHosting come indicato qui.
Posta anche un log aggiornato di hijackthis.

[giuseppeeeeee]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1.28.32, on 02/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\uTorrent\uTorrent.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Giuseppe\Desktop\EroiDellaPatria\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alice.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Programmi\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: µTorrent.lnk = C:\Programmi\uTorrent\uTorrent.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alice.it
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{46DA56E5-3B03-42BC-9C48-F52EE5CDE7FF}: NameServer = 85.37.17.9 85.38.28.75
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe

--
End of file - 4921 bytes




gmerlog2.txt

[bdoriano]

Il log che hai inviato tramite freefilehosting è ancora hijackthis.

Fai queste scansioni con GMER e posta i logs su FreeFileHosting come indicato qui.

[giuseppeeeeee]

gmer32.txt

[giuseppeeeeee]

rootkit15.txt

scusate sempre gli errori!