baudius (Devoted mortal)
Joined: 09/07/08 22:05 Posts: 6
Posted: 09 Jul 2008 22:13 Subject: killvbs
hi everyone,
I passed a USB stick to a colleague of mine and he told me I have the killvbs.vbs virus
I have Vista Business with SP1, AVG antivirus and Windows firewall
I downloaded and ran hijackthis
this is the log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21.59.58, on 09/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\Users\CLAUDI~1.DAG\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.repubblica.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.intl.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = MIRELAY:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Gestione client firewall Microsoft.lnk = C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = XISTER.local
O17 - HKLM\Software\..\Telephony: DomainName = XISTER.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FE6D838-E46B-4F3C-B7BE-444B5DC6EE50}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = XISTER.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = XISTER.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = XISTER.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 8565 bytes
thanks in advance for your help!
bye
bdoriano (Administrator)
Joined: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 10 Jul 2008 08:30 Subject:
Hi baudius,
- Clean the temporary files with ATF-Cleaner and/or CCleaner
- Run a scan with Norman Malware Cleaner.
- Restart the computer in normal mode
- Follow the instructions in this topic to run combofix.
- Report back with a new message in this thread on the outcome: whether there were any particular problems, etc. And post:
- Upload the Norman Malware Cleaner log to WikiSend and post the Forum Link you are given
- The Combofix log is generally not very long, so post it directly in the message
PS: if you like, you can introduce yourself here
baudius (Devoted mortal)
Joined: 09/07/08 22:05 Posts: 6
Posted: 15 Jul 2008 09:29 Subject:
hi,
I did all the steps indicated and I don't seem to notice any particular problems.
bear in mind though that before doing these steps I cleaned the registry keys by searching for killvbs.vbs (and I found several). wherever I found them, I deleted the call to killvbs
anyway [b]I posted the Norman Malware Cleaner log here [/b][URL=http://forum.zeusnews.com/link/34796]NFix_2008-07-14_23-48-48.log[/URL]
[b]this instead is the combofix log[/b]
ComboFix 08-07-13.14 - claudio.dagostino 2008-07-15 8.17.47.1 - NTFSx86
Eseguito da: D:\sw\Combo--Fix.exe
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\system32\ACER.exe
C:\Windows\system32\x64
----- BITS: Possible infected sites -----
hxxp://cr
.
((((((((((((((((((((((((( Files Creati Da 2008-06-15 al 2008-07-15 )))))))))))))))))))))))))))))))))))
.
2008-07-15 08:15 . 2008-07-15 08:15 <DIR> d-------- C:\327882R2FWJFW
2008-07-11 11:36 . 2008-06-26 03:45 12,240,896 --a------ C:\Windows\System32\NlsLexicons0007.dll
2008-07-11 11:36 . 2008-06-26 03:45 2,644,480 --a------ C:\Windows\System32\NlsLexicons0009.dll
2008-07-11 11:36 . 2008-06-26 05:29 801,280 --a------ C:\Windows\System32\NaturalLanguage6.dll
2008-07-10 16:39 . 2008-07-10 16:39 54,156 --ah----- C:\Windows\QTFont.qfn
2008-07-10 16:39 . 2008-07-10 16:39 1,409 --a------ C:\Windows\QTFont.for
2008-07-10 10:03 . 2008-07-10 10:03 <DIR> d-------- C:\Windows\SQL9_KB948109_ENU
2008-07-09 21:55 . 2008-07-09 21:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-07 13:17 . 2008-07-07 13:17 <DIR> d-------- C:\Users\claudio.dagostino\AppData\Roaming\Fit3DLive
2008-07-07 13:08 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-06-30 19:13 . 2008-06-30 19:14 151,935,082 --a------ C:\CATALOGO_SPHE.zip
2008-06-26 16:59 . 2008-06-30 15:40 <DIR> d-------- C:\Program Files\FlashDevelop
2008-06-26 16:54 . 2008-07-02 16:44 <DIR> d-------- C:\Program Files\Ray-Ban Agenda
2008-06-16 11:29 . 2008-06-16 11:29 <DIR> d-------- C:\Program Files\MSECache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 06:10 --------- d-----w C:\ProgramData\avg7
2008-07-11 11:45 --------- d-----w C:\Program Files\Google
2008-07-10 08:13 --------- d-----w C:\Program Files\Windows Mail
2008-07-10 08:03 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-09 07:45 --------- d-----w C:\Users\claudio.dagostino\AppData\Roaming\AVG7
2008-06-30 13:37 --------- d-----w C:\Program Files\7-Zip
2008-06-27 07:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-26 11:12 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-09 09:53 --------- d-----w C:\ProgramData\WindowsSearch
2008-06-05 08:41 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-04 09:37 --------- d-----w C:\ProgramData\Skype
2008-06-04 08:07 --------- d-----w C:\Users\claudio.dagostino\AppData\Roaming\skypePM
2008-06-03 20:19 174 --sha-w C:\Program Files\desktop.ini
2008-06-03 20:12 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-03 20:12 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-06-03 20:12 --------- d-----w C:\Program Files\Windows Journal
2008-06-03 20:12 --------- d-----w C:\Program Files\Windows Defender
2008-06-03 20:12 --------- d-----w C:\Program Files\Windows Collaboration
2008-06-03 20:12 --------- d-----w C:\Program Files\Windows Calendar
2008-06-03 19:58 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-03 19:58 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-06-03 18:54 --------- d-----w C:\ProgramData\Office Genuine Advantage
2008-06-03 06:39 --------- d-----w C:\Users\claudio.dagostino\AppData\Roaming\DNA
2008-06-02 19:53 --------- d-----w C:\Program Files\SlySoft
2008-06-02 19:49 --------- d-----w C:\ProgramData\Roxio
2008-06-02 19:49 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-05-29 13:18 --------- d-----w C:\Program Files\CDRWIN
2008-05-28 21:55 --------- d-----w C:\ProgramData\eMule
2008-05-28 21:53 --------- d-----w C:\Program Files\eMule
2008-05-19 21:30 90,112 ----a-w C:\Windows\System32\SpoonUninstall.exe
2008-05-19 21:11 --------- d---a-w C:\ProgramData\TEMP
2008-05-19 21:11 --------- d-----w C:\Program Files\Monkey's Audio
2008-05-17 17:17 --------- d-----w C:\Users\claudio.dagostino\AppData\Roaming\Roxio
2008-05-10 03:35 564,736 ----a-w C:\Windows\System32\emdmgmt.dll
2008-05-08 21:59 90,112 ----a-w C:\Windows\System32\wshext.dll
2008-05-08 21:59 430,080 ----a-w C:\Windows\System32\vbscript.dll
2008-05-08 21:59 180,224 ----a-w C:\Windows\System32\scrobj.dll
2008-05-08 21:59 172,032 ----a-w C:\Windows\System32\scrrun.dll
2008-05-08 21:59 155,648 ----a-w C:\Windows\System32\wscript.exe
2008-05-08 21:58 135,168 ----a-w C:\Windows\System32\cscript.exe
2008-04-26 08:25 3,600,952 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-04-26 08:25 3,549,240 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:35 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-04-23 15:17 693,792 ----a-w C:\Windows\System32\OGACheckControl.dll
2008-04-23 15:17 504,864 ----a-w C:\Windows\System32\OGAVerify.exe
2008-04-23 15:17 504,352 ----a-w C:\Windows\System32\OGAAddin.dll
2007-12-18 17:44 81,920 ----a-w C:\Users\claudio.dagostino\AppData\Roaming\ezpinst.exe
2007-12-18 17:44 47,360 ----a-w C:\Users\claudio.dagostino\AppData\Roaming\pcouffin.sys
2008-02-21 12:39 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-02-21 12:39 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-02-21 12:39 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2006-05-03 09:06 163,328 --sha-r C:\Windows\System32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\Windows\System32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w C:\Windows\System32\Smab0.dll
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F2563C2-4A53-4297-AA9A-E2DBC10F51D5}]
2008-07-11 13:44 184816 --a----t- C:\Program Files\Google\Update\1.2.121.5\GoopdateBho.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 21:00 815104]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 16:36 178712]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 16:33 457216]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-20 09:18 579584]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-14 11:55 29744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 20:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 20:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 20:13 133656]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-29 02:29 4472832 C:\Windows\RtHDVCpl.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-16 12:44 219136]
C:\Users\claudio.dagostino\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Gestione client firewall Microsoft.lnk - C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe [2006-12-09 20:56:34 117568]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-11-16 12:44 9216 C:\Windows\System32\avgwlntf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2006-09-14 08:55 61440 C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-05-08 09:08 289088 C:\Program Files\DNA\btdna.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-05-26 13:45 257088 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2007-02-07 16:21 54832 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2007-06-15 07:45 850704 C:\PROGRA~1\LAUNCH~1\LManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaBarFileManager]
--a------ 2007-06-25 12:55 30024 C:\Program Files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\Windows\System32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSet]
--a------ 2007-04-24 11:49 45056 C:\Windows\PLFSet.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 10:41 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-03-14 21:01 71216 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-06-18 21:02 2142032 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D84A95BB-87B6-428A-AB1C-E38E488EF7C2}"= C:\Program Files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{81F00A9A-054C-4806-9A88-7DC29C17DE67}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{51478431-9033-451C-A524-48DC4519D74E}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{5212015B-690E-4981-8161-BF14842A0E71}C:\\program files\\filezilla\\filezilla.exe"= UDP:C:\program files\filezilla\filezilla.exe:FileZilla
"UDP Query User{E1925426-50C2-4990-AD2A-F0FB88F16B20}C:\\program files\\filezilla\\filezilla.exe"= TCP:C:\program files\filezilla\filezilla.exe:FileZilla
"TCP Query User{4A823866-C702-4D58-BACD-4DCC672D8C60}C:\\program files\\filezilla\\filezilla.exe"= UDP:C:\program files\filezilla\filezilla.exe:FileZilla
"UDP Query User{DAE07A4A-CF51-4E98-946A-2926B9E16220}C:\\program files\\filezilla\\filezilla.exe"= TCP:C:\program files\filezilla\filezilla.exe:FileZilla
"TCP Query User{331685FE-C2DE-45DA-B76A-9BA20E7D82DA}C:\\catalogo_sphe\\catalogo trade.exe"= UDP:C:\catalogo_sphe\catalogo trade.exe:CATALOGO DIGITALE SPHE v2.1 trade
"UDP Query User{504EBDEA-5222-4825-89B5-B15B1A79D435}C:\\catalogo_sphe\\catalogo trade.exe"= TCP:C:\catalogo_sphe\catalogo trade.exe:CATALOGO DIGITALE SPHE v2.1 trade
"{2B70EEED-8436-4CB2-9529-8042111738B1}"= UDP:C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe:Google Desktop
"{EF8F4DB9-EF2C-45DF-B641-0E15BED6BEFA}"= TCP:C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe:Google Desktop
"TCP Query User{576AF585-6C0E-4F58-98AD-06E29F8254FA}C:\\program files\\filezilla\\filezilla.exe"= UDP:C:\program files\filezilla\filezilla.exe:FileZilla
"UDP Query User{052D89CF-35E8-4D11-9E15-363CA45B32CC}C:\\program files\\filezilla\\filezilla.exe"= TCP:C:\program files\filezilla\filezilla.exe:FileZilla
"TCP Query User{E8D721A1-0864-49BC-8832-22327AC37BBC}C:\\program files\\dc++\\dcplusplus.exe"= UDP:C:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{B80946E2-0461-41AA-9844-4F526AA5B99B}C:\\program files\\dc++\\dcplusplus.exe"= TCP:C:\program files\dc++\dcplusplus.exe:DC++
"TCP Query User{D470404C-0F68-432B-9C4A-CC56BEBE3988}C:\\program files\\dc++\\dcplusplus.exe"= UDP:C:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{62EBCB94-7A58-4DD2-B64A-EB4292DC580A}C:\\program files\\dc++\\dcplusplus.exe"= TCP:C:\program files\dc++\dcplusplus.exe:DC++
"TCP Query User{983A7C39-954C-4519-8DCD-168301D9AC3F}C:\\catalogo_sphe\\catalogo trade.exe"= UDP:C:\catalogo_sphe\catalogo trade.exe:CATALOGO DIGITALE SPHE v2.1 trade
"UDP Query User{A421471E-E904-4344-8B3C-FFF7EDE83CD3}C:\\catalogo_sphe\\catalogo trade.exe"= TCP:C:\catalogo_sphe\catalogo trade.exe:CATALOGO DIGITALE SPHE v2.1 trade
"{5ACCE538-6D76-41AB-AE3B-81BC3632CD96}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{86B76382-8C85-4247-BD92-AC73AE2BD235}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{9BE992EF-2D63-411F-8378-880E8E691D6F}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{E4E57181-6917-493E-9708-B901D03EB5BE}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{9FE55135-EC0C-404C-A8F4-B1EC1E3FC37B}C:\\program files\\dna\\btdna.exe"= UDP:C:\program files\dna\btdna.exe:btdna
"UDP Query User{861A6BEE-8152-4B2E-ACF5-8DB2BB077FC9}C:\\program files\\dna\\btdna.exe"= TCP:C:\program files\dna\btdna.exe:btdna
"TCP Query User{3431DC8A-E9F3-4E0E-8084-29D7CC21F11A}C:\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{9B789CB1-2EC0-4DAD-A692-52FE67829BB6}C:\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"{2D7525A2-8294-4FF4-9F17-82A1100D731C}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{7107B976-655A-4D5F-8A45-D21D4DAD019F}C:\\program files\\dna\\btdna.exe"= UDP:C:\program files\dna\btdna.exe:btdna
"UDP Query User{5690AFAF-E50C-4601-AF4A-849FF64284C6}C:\\program files\\dna\\btdna.exe"= TCP:C:\program files\dna\btdna.exe:btdna
"TCP Query User{BD0F0859-D87E-45A2-8F91-BE19B6A09951}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{E4FB9F84-271B-43F8-ACA6-AA84FF898B41}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"{63C8E452-6C77-4174-AC8E-EBCE7A6B7205}"= UDP:54825:tcp emule
"{7C91C6BE-A10D-42E5-980F-FE5A39369AE6}"= TCP:51322:udp emule
"TCP Query User{3BD8DCC9-4B43-4D75-A8D6-CE712E40EB7E}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{983A3215-9748-446D-BFFF-3487E180AF13}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"TCP Query User{904EF6C6-AF48-4AA3-B60F-23C4E1DC1631}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{F813708C-1D2A-4D8A-8B12-343D262F42BC}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"{05C067E4-9815-43A5-B2F1-91C71D2D0AA0}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{1484BF2B-C0A1-4DED-B8BB-BDD2AC19B9BF}C:\\program files\\ray-ban agenda\\rbagenda.exe"= UDP:C:\program files\ray-ban agenda\rbagenda.exe:rbagenda
"UDP Query User{CB7DFF82-E409-4924-B9F9-B086F52375A5}C:\\program files\\ray-ban agenda\\rbagenda.exe"= TCP:C:\program files\ray-ban agenda\rbagenda.exe:rbagenda
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R2 BcmSqlStartupSvc;Servizio di avvio SQL Server di Business Contact Manager;C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-16 11:41]
R2 FwcAgent;Agente client firewall;C:\Program Files\Microsoft Firewall Client 2004\FwcAgent.exe [2006-12-09 20:56]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-06-18 21:02]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-02-09 00:03]
S2 gupdate1c8e34b86e378b0;Google Update Service (gupdate1c8e34b86e378b0);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-11 13:44]
S3 GoogleDesktopManager-010108-205858;Google Desktop Manager 5.7.801.1629;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-02-14 11:55]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24c215a2-bdc6-11dc-ad1e-000000000000}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83a36bb4-224e-11dd-b89c-000000000000}]
\shell\AutoRun\command - F:\Setup_Vogue_EN.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3f897b7-a3d2-11dc-8bfa-000000000000}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4221d07-2b14-11dd-9d5e-000000000000}]
\shell\AutoRun\command - gy.cmd
\shell\explore\Command - gy.cmd
\shell\open\Command - gy.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd838e2b-36c4-11dd-baf6-000000000000}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d18f485c-c4d6-11dc-9e1b-000000000000}]
\shell\AutoRun\command - F:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
*Newly Created Service* - CATCHME
.
Contenuto della cartella 'Scheduled Tasks'
"2008-07-15 06:12:48 C:\Windows\Tasks\GoogleUpdateTask.job"
- C:\Program Files\Google\Update\GoogleUpdate.exe
"2008-07-15 06:12:43 C:\Windows\Tasks\SDMsgUpdate (SD).job"
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exeW-PSD -V921 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X
"2008-07-15 06:25:00 C:\Windows\Tasks\User_Feed_Synchronization-{2E3CB3EE-EB2E-49CD-B089-D59B8C886274}.job"
- C:\Windows\system32\msfeedssync.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
MSConfigStartUp-CloneCDTray - C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 08:23:45
Windows 6.0.6001 Service Pack 1 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-07-15 8:26:55
ComboFix-quarantined-files.txt 2008-07-15 06:26:21
16 Directory 7,738,834,944 byte disponibili
24 Directory 8,659,009,536 byte disponibili
248 --- E O F --- 2008-07-11 09:42:26
bye and thanks for the help
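In the ComboFix log above, one mountpoints2 device key has its AutoRun, explore and open handlers all pointing at a bare gy.cmd, the footprint an autorun.inf on an infected removable drive leaves behind, while the other keys hold the default Windows handler or a full path. As an added example, not part of the thread and not ComboFix's own code, this Python script parses a mountpoints2 section in that layout (the sample text is constructed from the lines posted above) and ranks each device key by how suspicious its shell commands are, so the entry worth cleaning surfaces first.

```python
import re

# Constructed sample: a ComboFix "mountpoints2" section in the layout the tool
# prints, modelled on the log posted in the thread (not ComboFix's own output).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24c215a2-bdc6-11dc-ad1e-000000000000}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{83a36bb4-224e-11dd-b89c-000000000000}]
\shell\AutoRun\command - F:\Setup_Vogue_EN.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4221d07-2b14-11dd-9d5e-000000000000}]
\shell\AutoRun\command - gy.cmd
\shell\explore\Command - gy.cmd
\shell\open\Command - gy.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d18f485c-c4d6-11dc-9e1b-000000000000}]
\shell\AutoRun\command - F:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
*Newly Created Service* - CATCHME
"""

# A device key line: [HKEY_CURRENT_USER\...\mountpoints2\{guid}]
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
# A shell verb line under that key: \shell\<verb>\command - <command line>
CMD_RE = re.compile(r"^\\shell\\(\w+)\\command - (.+)$", re.I)
# Drive-rooted (X:\...) or UNC (\\server\...) paths; anything else is relative
ABS_RE = re.compile(r'^"?([a-z]:\\|\\\\)', re.I)

# The stock handler Windows writes for a drive that had no autorun override
DEFAULT_HANDLER = r"c:\windows\system32\rundll32.exe shell32.dll,shellexec_rundll"

SEVERITY = {
    "default-handler": 0,          # nothing to do
    "review": 1,                   # full path: check the binary, usually an installer/launcher
    "suspicious-verb-override": 2, # open/explore hijacked: double-click runs the command
    "suspicious-relative": 3,      # bare name relative to the drive root, as autorun.inf payloads are
}


def parse_mountpoints(log_text):
    """Return {guid: {verb: command}} for every mountpoints2 key in the log text."""
    devices = {}
    current = None
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            devices[current] = {}
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            devices[current][m.group(1).lower()] = m.group(2).strip()
    return devices


def classify(verb, command):
    """Label one shell verb's command with a SEVERITY key."""
    cmd = command.strip()
    if cmd.lower() == DEFAULT_HANDLER:
        return "default-handler"
    if not ABS_RE.match(cmd):
        # No drive or UNC prefix: resolved relative to the device root, which is
        # exactly how a dropped autorun.inf names the script it wants launched.
        return "suspicious-relative"
    if verb.lower() in ("open", "explore"):
        # Legitimate autorun rarely rewires Explore or the double-click action.
        return "suspicious-verb-override"
    return "review"


def triage(log_text):
    """Rank device keys, worst first; each finding keeps its raw commands for inspection."""
    findings = []
    for guid, verbs in parse_mountpoints(log_text).items():
        worst = "default-handler"
        for verb, command in verbs.items():
            label = classify(verb, command)
            if SEVERITY[label] > SEVERITY[worst]:
                worst = label
        findings.append({"guid": guid, "verdict": worst, "commands": verbs})
    findings.sort(key=lambda f: -SEVERITY[f["verdict"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:<26} {f['guid']}")
        for verb, command in f["commands"].items():
            print(f"    {verb:<8} {command}")
```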
bdoriano (Administrator)
Joined: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
baudius (Devoted mortal)
Joined: 09/07/08 22:05 Posts: 6
Posted: 24 Jul 2008 14:32 Subject: killvbs
I tried but the program doesn't start for me, I click on it but nothing happens.....
bdoriano (Administrator)
Joined: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
baudius (Devoted mortal)
Joined: 09/07/08 22:05 Posts: 6
Posted: 24 Jul 2008 22:59 Subject: killvbs
I downloaded it but when I click on the exe nothing happens
bdoriano (Administrator)
Joined: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 25 Jul 2008 05:21 Subject:
Did you disable the antivirus before running the program?
baudius (Devoted mortal)
Joined: 09/07/08 22:05 Posts: 6
Posted: 26 Jul 2008 14:59 Subject:
I have AVG and I disabled it but the program doesn't start
baudius (Devoted mortal)
Joined: 09/07/08 22:05 Posts: 6
Posted: 27 Jul 2008 19:31 Subject:
hi, in the end I managed it
here is the link to the report
report.zip
bdoriano (Administrator)
Joined: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 28 Jul 2008 07:51 Subject:
Unfortunately the log is truncated.
Try uploading it again (zipped) and let's see if it works this time.