Olimpo Informatico

[ciotolino]

Ho avast 4.8 Professional. Mi ha trovato un virus nella memoria (Rootkit) e mi chiede di eliminarlo , poi mi dice che devo ravviare il pc e di eseguire una scansione all riavvio prima che il virus si attivi. Ma quando eseguo il tutto il virus non viene eliminato . Chi mi aiuta a risolvere il caso .

[Sante62]

Ciao Ciotolino...

Puoi indicare per favore il nome del rootkit che indica Avast ed eventualmente anche il percorso?

Più informazioni fornisci e meglio è;

intanto lancia Combofix seguendo le istruzioni di questa discussione;

Scaricati anche Virit
Aggiornalo mediante l'icona della parabola posta nella barra in alto e fagli fare la scansione completa del PC.
Fai in modo che rimuova automaticamente i file infetti trovati.
Non dimenticare di disattivare momentaneamente il tuo antivirus.
Incolla poi quì il risultato.

Posta anche un log di Hijackthis mediante questo topic

[ciotolino]

Logfile of Trend Micro HijackThis v2.0.2.
Scan saved at 20.28.20, on 01/04/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: ::1 localhost
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{382BFE22-24EF-4F6D-B303-85DDF1321989}: NameServer = 212.216.112.112 212.216.172.62
O17 - HKLM\System\CS1\Services\Tcpip\..\{382BFE22-24EF-4F6D-B303-85DDF1321989}: NameServer = 212.216.112.112 212.216.172.62
O17 - HKLM\System\CS2\Services\Tcpip\..\{382BFE22-24EF-4F6D-B303-85DDF1321989}: NameServer = 212.216.112.112 212.216.172.62
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\Program Files\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\Program Files\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe
O23 - Service: Wrapper Dll for Richedit 1.0 (riched) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

--
End of file - 4799 bytes


Questo è quello che dice Hijackthis

[Sante62]

Ma ce l'hai l'antivirus?

dal log di HJT non ne vedo;

ti conviene comunque installarlo;

aspetto gli altri logs...

[ciotolino]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21.54.18, on 01/04/2008..
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: ::1 localhost
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{382BFE22-24EF-4F6D-B303-85DDF1321989}: NameServer = 212.216.112.112 212.216.172.62
O17 - HKLM\System\CS1\Services\Tcpip\..\{382BFE22-24EF-4F6D-B303-85DDF1321989}: NameServer = 212.216.112.112 212.216.172.62
O17 - HKLM\System\CS2\Services\Tcpip\..\{382BFE22-24EF-4F6D-B303-85DDF1321989}: NameServer = 212.216.112.112 212.216.172.62
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\Program Files\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\Program Files\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe
O23 - Service: Wrapper Dll for Richedit 1.0 (riched) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

--
End of file - 4603 bytes

[Sante62]

Questo log l'hai già postato;

aspetto quello di Virit e di Combofix...

[ciotolino]

ComboFix 08-04-01.2 - 2008-04-02 20.57.41.5 - NTFSx86
Microsoft® Windows Vista? Home Basic 6.0.6000.0.1251.7.1040.18.114 [GMT 2:00]
Eseguito da: C:\Users\MARSILIO \Downloads\ComboFix.exe.
.

((((((((((((((((((((((((( Files Creati Da 2008-03-02 al 2008-04-02 )))))))))))))))))))))))))))))))))))
.

Nessun nuovo file creato in questo arco di tempo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 18:59 --------- d-----w C:\Users\MARSILIO \AppData\Roaming\Free Download Manager
2008-04-01 19:55 --------- d-----w C:\Program Files\Free Download Manager
2008-04-01 18:28 --------- d-----w C:\Program Files\Trend Micro
2008-03-30 21:34 --------- d-----w C:\Program Files\Audacity
2008-03-30 21:11 --------- d-----w C:\Program Files\Azureus
2008-03-30 20:28 --------- d-----w C:\Users\MARSILIO SCIARPEGNA\AppData\Roaming\Azureus
2008-03-30 19:35 --------- d-----w C:\Program Files\FDF
2008-03-29 17:00 --------- d-----w C:\Program Files\Alwil Software
2008-03-29 16:53 --------- d-----w C:\ProgramData\Symantec
2008-03-29 16:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-29 16:52 --------- d-----w C:\Program Files\Java
2008-03-24 20:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-24 19:52 --------- d-----w C:\ProgramData\Apple Computer
2008-03-24 14:39 --------- d-----w C:\Program Files\Windows Live
2008-03-24 12:13 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-03-24 12:10 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-24 11:55 --------- d-----w C:\ProgramData\WLInstaller
2008-03-22 20:03 --------- d-----w C:\ProgramData\Azureus
2008-03-22 17:28 --------- d-----w C:\Program Files\Azureus Razorback3 Edition
2008-03-19 18:38 --------- d-----w C:\Users\MARSILIO SCIARPEGNA\AppData\Roaming\ReGet Software
2008-03-18 18:20 --------- d-----w C:\Users\MARSILIO SCIARPEGNA\AppData\Roaming\BitTorrent
2008-03-17 19:46 --------- d-----w C:\Users\MARSILIO SCIARPEGNA\AppData\Roaming\BitTorrent DNA
2008-03-17 17:23 39,808 ----a-w C:\Windows\system32\drivers\VIRAGTLT.SYS
2008-03-16 17:49 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-03-16 17:47 --------- d-----w C:\Users\MARSILIO SCIARPEGNA\AppData\Roaming\DAEMON Tools
2008-03-16 16:22 --------- d-----w C:\Program Files\eMule
2008-03-15 19:36 --------- d-----w C:\Program Files\OO Software
2008-03-15 16:26 --------- d-----w C:\Program Files\Xi
2008-03-15 15:55 --------- d-----w C:\ProgramData\eMule
2008-03-12 21:01 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2008-03-12 21:01 --------- d-----w C:\Program Files\ATI
2008-03-12 18:06 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-12 17:43 --------- d-----w C:\Program Files\Windows Mail
2008-03-11 20:21 --------- d-----w C:\Users\MARSILIO SCIARPEGNA\AppData\Roaming\Earthsim
2008-03-11 20:08 --------- d-----w C:\ProgramData\Earthsim
2008-03-11 19:42 --------- d-----w C:\ProgramData\ATI
2008-03-11 19:34 --------- d-----w C:\Program Files\ATI Technologies
2008-03-06 20:32 706 ----a-w C:\Windows\system32\drivers\COH_Mon.inf
2008-03-06 20:32 23,904 ----a-w C:\Windows\system32\drivers\COH_Mon.sys
2008-03-06 20:32 10,537 ----a-w C:\Windows\system32\drivers\COH_Mon.cat
2008-03-02 11:31 --------- d-----w C:\Program Files\Roxio
2008-03-02 11:31 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-02-24 19:52 --------- d-----w C:\Users\MARSILIO SCIARPEGNA\AppData\Roaming\Skype
2008-02-24 01:28 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-02-24 01:10 --------- d-----w C:\Program Files\Common Files\Ulead
2008-02-24 00:28 --------- d-----w C:\Users\MARSILIO SCIARPEGNA\AppData\Roaming\Packard Bell
2008-02-23 09:44 --------- d-----w C:\Program Files\Microsoft Works
2008-02-23 09:43 --------- d-----w C:\Program Files\MSBuild
2008-02-23 09:35 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-02-22 18:17 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-02-18 20:24 --------- d-----w C:\ProgramData\InterVideo
2008-02-13 22:52 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-02-13 22:50 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-02-13 22:50 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-02-13 22:50 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-02-13 22:50 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-02-13 22:50 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-02-13 22:50 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-02-13 22:50 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
2008-02-13 22:47 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 22:47 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-02-13 22:47 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-02-13 22:47 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-02-13 22:47 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-02-13 22:47 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-02-13 22:47 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-02-13 22:46 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 22:46 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 22:46 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 22:46 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 22:11 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-11 19:32 --------- d-----w C:\ProgramData\Roxio
2008-02-10 20:51 --------- d-----w C:\Users\MARSILIO AppData\Roaming\Roxio
2008-02-10 16:50 --------- d-----w C:\ProgramData\5Spice Analysis
2008-02-06 21:29 --------- d-----w C:\ProgramData\TEMP
2008-02-01 10:17 586,752 ----a-w C:\Windows\WLXPGSS.SCR
2008-01-06 15:21 174 --sha-w C:\Program Files\desktop.ini
2008-01-06 14:46 4 --sha-w C:\Windows\Fonts\ARIAL.TCX
2008-01-06 14:46 2,923,520 ----a-w C:\Windows\explorer.exe
2007-01-15 21:39 65,536 --sha-w C:\Windows\Oem\mp\boot\bootstat.dat
.

((((((((((((((((((((((((((((( snapshot_2008-04-02_20.53.48.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-02 18:52:15 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-02 18:54:01 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FAST Defrag"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VIRIT LITE MONITOR"="C:\VEXPLITE\MONLITE.EXE" [2008-03-20 19:31 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 04:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\devenv]
--a------ 2008-02-02 23:03 34816 C:\Windows\system\smvss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
--------- 2006-12-18 17:50 90112 C:\Program Files\Atlantis Land\Adsl\dslagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
--------- 2006-12-18 18:05 376832 C:\Program Files\Atlantis Land\Adsl\dslstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fssui]
--a------ 2007-12-17 12:12 243240 C:\Program Files\Windows Live\Family Safety\fssui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 08:00 33648 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqjssmv]
c:\users\marsilio sciarpegna\appdata\local\hpqjssmv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 18:34 213936 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2006-03-20 18:34 213936 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-03-20 18:34 86960 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 12:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 03:08 2512392 C:\Windows\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2006-11-15 16:49 151552 c:\Program Files\Powercinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\riched]
--a------ 2004-09-03 05:16 8704 C:\Windows\System32\riched.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2006-11-09 11:57 3784704 C:\Windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmpcSys]
--a------ 2006-10-23 16:49 1092152 C:\Program Files\Packard Bell\SetupmyPC\SmpSys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
--a------ 2006-10-09 21:43 729088 C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-06 16:44 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2137495815-3229748933-823588873-1002]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8CD9CFFF-5733-4954-BCF0-18EAF0D36F4F}"= UDP:C:\Program Files\eMule\emule.exe:eMule
"{95A3B169-ECA2-4783-8716-4636D63D1FA8}"= TCP:C:\Program Files\eMule\emule.exe:eMule
"TCP Query User{DCE551F3-ECC9-4635-B00B-85F6D24D5623}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{C5A45223-2ED1-4B2F-9004-4EE31DFE956C}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{66C48463-A257-465E-A023-67BB2F8317DB}"= Disabled:UDP:C:\Program Files\Powercinema\PowerCinema.exe:CyberLink PowerCinema
"{D7662B42-904A-4221-80D4-575BD1CD8F86}"= Disabled:TCP:C:\Program Files\Powercinema\PowerCinema.exe:CyberLink PowerCinema
"{62740181-AAFD-4F91-B237-4A9A1743964C}"= Disabled:UDP:C:\Program Files\Powercinema\PCMService.exe:CyberLink PowerCinema Resident Program
"{6D356493-5AC9-40E7-9DA8-8E8DE964F167}"= Disabled:TCP:C:\Program Files\Powercinema\PCMService.exe:CyberLink PowerCinema Resident Program
"{91945CDF-DD0A-4714-92A8-121F56B209FC}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{02043741-4785-4F1D-B6AF-BB0ED52CE731}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"TCP Query User{A31D1422-4C97-45A1-8D6A-4AD7EA74EFFD}C:\\users\\marsilio sciarpegna\\desktop\\emule\\emule.exe"= UDP:C:\users\marsilio sciarpegna\desktop\emule\emule.exe:emule.exe
"UDP Query User{F46FBB06-EB2D-4DB8-8CF3-CF9FF4B9AB08}C:\\users\\marsilio sciarpegna\\desktop\\emule\\emule.exe"= TCP:C:\users\marsilio sciarpegna\desktop\emule\emule.exe:emule.exe
"{D3109E88-2161-4FE3-824D-49EBEEFFF4BD}"= UDP:C:\Program Files\Windows Mail\WinMail.exe:Windows Mail
"{6996D99D-D021-4E32-AA86-7F0629E5139B}"= TCP:C:\Program Files\Windows Mail\WinMail.exe:Windows Mail
"{1C0AC7F3-1E71-4EE2-AA07-C25E3BE310F2}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4E1EB17F-ABEF-489E-B415-5ACA937CAE3E}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{2181A0DA-3382-4658-8A63-FD54C9950C39}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{846E97AD-8100-4C27-8890-372FC3DD29AB}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{AC922628-0113-4F2B-BD87-E67653C74BB8}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{A6C58271-B69E-4B20-863A-665CFD9245FB}C:\\program files\\firebird\\firebird_2_0\\bin\\fbserver.exe"= UDP:C:\program files\firebird\firebird_2_0\bin\fbserver.exe:Firebird SQL Server
"UDP Query User{DA581997-5FE3-4FC4-A24B-CB491E4CFDAF}C:\\program files\\firebird\\firebird_2_0\\bin\\fbserver.exe"= TCP:C:\program files\firebird\firebird_2_0\bin\fbserver.exe:Firebird SQL Server
"TCP Query User{EB0E1686-C371-41F9-A9B7-90FC9401C976}C:\\users\\marsilio sciarpegna\\desktop\\emule.exe"= UDP:C:\users\marsilio sciarpegna\desktop\emule.exe:emule.exe
"UDP Query User{0E2DFC30-CE52-4F56-8D6A-70E690515480}C:\\users\\marsilio sciarpegna\\desktop\\emule.exe"= TCP:C:\users\marsilio sciarpegna\desktop\emule.exe:emule.exe
"TCP Query User{E04BAE9A-35D0-4925-A7A8-9C7D239B4CEA}C:\\program files\\nuova cartella\\emule.exe"= UDP:C:\program files\nuova cartella\emule.exe:eMule
"UDP Query User{54F24824-7897-4BDF-B42A-F56683A278F8}C:\\program files\\nuova cartella\\emule.exe"= TCP:C:\program files\nuova cartella\emule.exe:eMule
"TCP Query User{0D6F5AD9-21C0-4B7C-A73E-664461FC5432}C:\\program files\\emule\\nuova cartella\\emule.exe"= UDP:C:\program files\emule\nuova cartella\emule.exe:eMule
"UDP Query User{C1EFFC66-2906-46E2-9991-6737740FFCC7}C:\\program files\\emule\\nuova cartella\\emule.exe"= TCP:C:\program files\emule\nuova cartella\emule.exe:eMule
"TCP Query User{CD2D698E-2BB1-4460-B2EB-758ED46F3DF7}C:\\users\\marsilio sciarpegna\\appdata\\emule.exe"= UDP:C:\users\marsilio sciarpegna\appdata\emule.exe:emule.exe
"UDP Query User{29620933-C628-445B-857F-15E13E5BEB74}C:\\users\\marsilio sciarpegna\\appdata\\emule.exe"= TCP:C:\users\marsilio sciarpegna\appdata\emule.exe:emule.exe
"TCP Query User{CEDCCF62-EA9C-46D8-A66A-6209762EF75F}C:\\users\\marsilio sciarpegna\\appdata\\local\\temp\\rar$ex00.281\\emule.exe"= UDP:C:\users\marsilio sciarpegna\appdata\local\temp\rar$ex00.281\emule.exe:emule.exe
"UDP Query User{1516FF55-5A0D-4355-B76E-63D850A72D99}C:\\users\\marsilio sciarpegna\\appdata\\local\\temp\\rar$ex00.281\\emule.exe"= TCP:C:\users\marsilio sciarpegna\appdata\local\temp\rar$ex00.281\emule.exe:emule.exe
"{E1E0DB5E-11E8-45B9-BB47-05573AE38D29}"= UDP:C:\Program Files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{A20E58DE-80B8-4697-A9B7-92E3985FE429}"= TCP:C:\Program Files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{7746782A-03AC-4495-9712-3D3F8E60820C}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{26E92A81-0077-4E1C-A71E-F28B6F7B1E68}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{ACA41556-F900-40B1-8541-3E57AF33C5D7}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{98333CEF-2A29-4D1D-B29D-FB1B49D8B070}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"TCP Query User{5566ABBE-BE36-4A56-9F0C-160F4B89E9EB}C:\\program files\\free download manager\\fdm.exe"= UDP:C:\program files\free download manager\fdm.exe:Free Download Manager
"UDP Query User{ADE0AAF8-362E-4EA5-A24D-33C86A3606C9}C:\\program files\\free download manager\\fdm.exe"= TCP:C:\program files\free download manager\fdm.exe:Free Download Manager
"TCP Query User{82F6F437-DF31-4582-A1CE-24A1F005C965}C:\\users\\marsilio sciarpegna\\program files\\dna\\btdna.exe"= UDP:C:\users\marsilio sciarpegna\program files\dna\btdna.exe:btdna.exe
"UDP Query User{7A75F695-8F13-4D42-ACC3-E267106A0F63}C:\\users\\marsilio sciarpegna\\program files\\dna\\btdna.exe"= TCP:C:\users\marsilio sciarpegna\program files\dna\btdna.exe:btdna.exe
"TCP Query User{5164BCEF-AE77-4FB7-9B97-5BB2B028A68C}C:\\program files\\utorrent\\utorrent.exe"= UDP:C:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{B4BB240C-FF03-4D58-8A20-4925B1049C9C}C:\\program files\\utorrent\\utorrent.exe"= TCP:C:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{0570960D-5022-44EB-A758-E0E39C55D337}C:\\program files\\azureus razorback3 edition\\azureus.exe"= UDP:C:\program files\azureus razorback3 edition\azureus.exe:Azureus
"UDP Query User{84F989B8-B10F-42E4-AD1C-0F74D81199E8}C:\\program files\\azureus razorback3 edition\\azureus.exe"= TCP:C:\program files\azureus razorback3 edition\azureus.exe:Azureus
"TCP Query User{CC2F967A-055A-4E7B-8975-3AD026026157}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{374075CB-F1FB-4724-9722-0C0F16CEFFDB}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{857E509F-F517-4556-91B3-364B521DD788}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 AtiPcie;ATI PCI Express (3GIO) Filter;C:\Windows\system32\DRIVERS\AtiPcie.sys [2006-10-30 17:22]
R0 VIRAGTLT;VIRAGTLT;C:\Windows\system32\drivers\VIRAGTLT.SYS [2008-03-17 19:23]
R2 fssfltr;FssFltr;C:\Windows\system32\DRIVERS\fssfltr.sys [2007-10-17 14:53]
R2 fsssvc;Windows Live OneCare Family Safety;"C:\Program Files\Windows Live\Family Safety\fsssvc.exe" [2007-12-17 12:13]
R2 riched;Wrapper Dll for Richedit 1.0;rundll32.exe C:\Windows\system32\riched.dll,amip []
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R2 viritsvclite;Virit eXplorer Lite;C:\VEXPLITE\viritsvc.exe [2007-10-10 12:12]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-01-22 23:39]
S2 Utilita di pianificazione di LiveUpdate automatico;Utilita di pianificazione di LiveUpdate automatico;"C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" []
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2008-01-22 23:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ

.
Contenuto della cartella 'Scheduled Tasks'
"2008-04-01 20:30:00 C:\Windows\Tasks\Garanzia estesa.job"
- C:\Program Files\Packard Bell\SetupmyPC\PBCarNot.exe
"2008-04-01 20:30:00 C:\Windows\Tasks\Recovery DVD Creator.job"
- C:\Program Files\Packard Bell\SetupMyPc\MCDCheck.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 21:00:48
Windows 6.0.6000 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-04-02 21.01.56
ComboFix-quarantined-files.txt 2008-04-02 19:01:51
ComboFix2.txt 2008-04-02 18:54:06
ComboFix3.txt 2008-04-01 19:16:48
ComboFix4.txt 2008-04-01 18:43:37
Impossibile trovare il testo del messaggio per il numero di messaggio 0x2379 nel file di messaggio per Application.
Impossibile trovare il testo del messaggio per il numero di messaggio 0x2379 nel file di messaggio per Application.
.
2008-03-28 20:34:07 --- E O F ---





VirIT eXplorer Lite Log

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
01/04/2008 - 20:49:06

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\Users\MARSILIO SCIARPEGNA\Favorites\PC\Software Scaricare - Software controllato da antivirus.url Infetto da HTML.LinkShare.A
* * * RIMOSSO * * *

Chiavi Registro infette: 0.
Files Infetti: 1.
Files Sospetti: 0.
Files Analizzati: 34058.
Files Totali: 34058.
Chiavi Registro rimosse: 0.
Virus Rimossi: 1.

--------------------------------------------------------
01/04/2008 - 21:03:47

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
01/04/2008 - 21:23:59

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
01/04/2008 - 22:06:21

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: Non analizzato, mancano i privilegi di amministratore
BOOT SECTOR: Non analizzato, mancano i privilegi di amministratore

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
01/04/2008 - 22:16:42

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
02/04/2008 - 19:19:04

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\Windows\system\smvss.exe Possibile variante da Trojan.Win32.Horst.C

[D:]


Chiavi Registro infette: 0.
Files Infetti: 1.
Files Sospetti: 0.
Files Analizzati: 72689.
Files Totali: 72689.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
02/04/2008 - 19:52:03

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
02/04/2008 - 19:52:53

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\Windows\system\smvss.exe Possibile variante da Trojan.Win32.Horst.C
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
02/04/2008 - 20:41:08

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

[SCANSIONE DELLA MEMORIA]
OK
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
02/04/2008 - 21:06:21

[SCANSIONE DEL REGISTRO]
OK

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK


Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 74.
Files Totali: 74.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

[Sante62]

Ci sarebbe qualcosa da rimuovere...

prima però fai queste operazioni:

Utilizza CCleaner; Avvialo e clicca su opzioni->Avanzate, e togli la spunta da "elimina file solo se più vecchi di 48 ore"
Utilizza l'opzione Pulizia e poi clicca su Analizza; alla fine clicca su Avvia Pulizia. Fai la stessa cosa con l'opzione Trova problemi; eliminerà una serie di chiavi di registro inutili.

fai la scansione con Systemscan e posta il log generato come
indicato quì