Paolo77 (Pious Mortal)
Joined: 16/09/06 16:15  Posts: 17  Location: Verbania
Posted: 16 Sep 2006 16:23  Subject: But where is this trojan
I need help: for some time now a trojan has been tormenting me.
AVG finds one or two infected files every day: c:\windows\temp\uvxm1.exe (or uvxm2....). It comes back every day and I cannot get rid of whatever generates it. Besides AVG I also use Spybot and Ad-Aware, but nothing works.
I'm also posting the log from the HijackThis scan; maybe you can enlighten me. I no longer know which way to turn.
Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 16.04.25, on 16/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmi\Lexmark X74-X75\lxbbbmgr.exe
C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Lexmark X1100 Series\lxbkbmon.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Programmi\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\Programmi\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Programmi\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Programmi\Nikon\NkView6\NkvMon.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Microsoft Office\Office10\msoffice.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Microsoft Office\Office10\OUTLOOK.EXE
C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
C:\Programmi\Microsoft Office\Office10\EXCEL.EXE
C:\Programmi\Microsoft Office\Office10\MSACCESS.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\Programmi\Anti-malware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Programmi\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Programmi\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Programmi\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Programmi\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Programmi\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Programmi\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Programmi\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Cerca con Google - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Link a ritroso - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/IT/install.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/sikes/it/win/QuickTimeInstaller.exe
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/082be969912b9bdf7106/netzip/RdxIE601_it.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155213661203
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{41EDD45C-086E-443D-A148-B41FEF71A8EB}: NameServer = 151.99.125.2,151.99.0.100
O18 - Protocol: bw+0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
holifay (Mature God)
Joined: 08/03/05 10:48  Posts: 2912  Location: Milano
Posted: 17 Sep 2006 21:45
Hi and welcome.
Remove these entries:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/082be969912b9bdf7106/netzip/RdxIE601_it.cab
Then I suggest removing the Logitech updates/offers:
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O18 - Protocol: all the entries
However, I have not identified from the log what is responsible for the infected file AVG finds. What does AVG call it? And what problems are you having with the PC?
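As an added illustration (not code from the forum, from holifay, or from HijackThis' authors), here is a small Python triage pass over HijackThis v1.99.1 entry lines that mechanises the kind of review holifay did above: it flags O16 ActiveX downloads whose URL host is a bare IP address rather than a hostname (the entry holifay singled out), flags O4 autorun entries whose command lives in a temp directory (where AVG keeps finding uvxm1.exe), and collapses the dozens of O18 protocol entries into one row per handler DLL so a reviewer sees a single component instead of eighty lines. The sample lines are copied from the posted log except for one O4 line tagged [constructed-example], which is made up here to point at the reported temp path purely to show that rule fire; the temp-directory and bare-IP heuristics are this example's own assumptions, not rules stated in the thread.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.99.1 line format. All lines are copied from the
# log posted in this thread EXCEPT the O4 line tagged [constructed-example], which is
# made up here to point an autorun entry at the temp path AVG reported.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [constructed-example] C:\WINDOWS\temp\uvxm1.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/082be969912b9bdf7106/netzip/RdxIE601_it.cab
O18 - Protocol: bw+0 - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {C6154AF1-3A37-41F6-91CE-3741E8B58DC1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
"""

# Entry lines look like "O16 - DPF: ..."; process-list and header lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Heuristic of this example: autorun commands living under a temp directory are
# suspicious because nothing legitimate should need to start from there.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_entries(text):
    """Return (section, body) pairs for every HijackThis entry line in the log."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def o16_bare_ip_downloads(entries):
    """O16 (ActiveX download) URLs whose host is a bare IP address instead of a name."""
    hits = []
    for section, body in entries:
        if section != "O16":
            continue
        url = body.rsplit(" - ", 1)[-1]          # the URL is the last " - " separated field
        host = urlsplit(url).hostname or ""
        try:
            ip_address(host)                      # raises ValueError for hostnames
        except ValueError:
            continue
        hits.append(url)
    return hits


def o4_autoruns_in_temp(entries):
    """O4 (autorun) command lines that point into a temp directory."""
    hits = []
    for section, body in entries:
        if section != "O4":
            continue
        _, _, command = body.partition("] ")      # drop the "HKLM\..\Run: [Name" prefix
        if any(marker in command.lower() for marker in TEMP_MARKERS):
            hits.append(command)
    return hits


def o18_handlers_by_dll(entries):
    """Group O18 (URL protocol handler) entries: handler DLL -> protocol names it registers."""
    by_dll = defaultdict(list)
    for section, body in entries:
        if section != "O18":
            continue
        parts = body.split(" - ")                 # "Protocol: name", "{CLSID}", "dll path"
        if len(parts) >= 3 and parts[0].startswith("Protocol: "):
            by_dll[" - ".join(parts[2:])].append(parts[0][len("Protocol: "):])
    return dict(by_dll)


def triage(text):
    """Run all three checks over a HijackThis log and return the findings."""
    entries = parse_entries(text)
    return {
        "o16_bare_ip": o16_bare_ip_downloads(entries),
        "o4_in_temp": o4_autoruns_in_temp(entries),
        "o18_by_dll": o18_handlers_by_dll(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

To run it over a full log, pass the file's contents to triage() instead of SAMPLE_LOG. The O18 grouping is deliberately a summary rather than a verdict: a single DLL registering many protocol names is what you saw in the posted log, and whether to keep it is a judgement about the product, which is why holifay framed it as advice rather than a detection.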
Paolo77 (Pious Mortal)
Joined: 16/09/06 16:15  Posts: 17  Location: Verbania
Posted: 18 Sep 2006 10:09  Subject: trojan
Thanks for the welcome and for the help!
I have to compliment you on the forum, which I discovered only recently but which seems very complete and has already been a help to me on several occasions. (There isn't a section for introductions, is there?)
Anyway, as for the trojan, it showed up again this morning too.
Let's say it is either detected by the scan that runs every day at noon, and what it finds is classified like this:
file: uvxm1.exe
path: c:\windows\temp\
discovery: trojan horse generic2.AVR
source: PCA
finder: SYSTEM
size: 17.5KB
heallable: NO
source: backup copy
status: infected
Or it is detected in the morning as soon as the computer is switched on, but its characteristics are different:
finder: IO
source: Moved object
I found out I had it through Telecom, who informed me that I was being connected to a 199 number without my knowledge; afterwards AVG detected it (before that I had Norton 2006, which I removed because of the exasperating system slowness.....). The 199 numbers are obviously disabled now, but the connection is often slow and sluggish, the same goes for the system in general, and it often crashes and I have to reboot.
Now, if this is something silly I apologise for the time I've wasted; otherwise I need help! (Could it be arriving through the SPAM mail I've been receiving recently?)
Thank you again for the help you've given me.
chemicalbit (Mature God)
Joined: 01/04/05 18:59  Posts: 18597  Location: Milano
Posted: 18 Sep 2006 11:34  Subject: Re: trojan
Paolo77 wrote:
"Thanks for the welcome and for the help! (...) Anyway, as for the trojan, it showed up again this morning too."
But have you already done what holifay told you?
Paolo77 wrote:
"Let's say it is either detected by the scan that runs every day at noon, and what it finds is classified like this:
(...)
Or it is detected in the morning as soon as the computer is switched on, but its characteristics are different:"
So you only use the real-time protection?
Haven't you tried running a manual scan of the whole computer with AVG, Spybot and Ad-Aware (preferably from Safe Mode)?
Paolo77 wrote:
"I found out I had it through Telecom, who informed me that I was being connected to a 199 number without my knowledge"
Then I would try an anti-dialer program.
(Look at the anti-dialer part of the thread "Tools & Risorse per la sicurezza", which you will find listed in "Il meglio del forum Sicurezza & Privacy" at the top of the "Sicurezza e privacy" section of the forum.)
Paolo77 wrote:
"Now, if this is something silly I apologise for the time I've wasted; otherwise I need help!"
Why on earth do you think it's something silly?
P.S.: Paolo77 wrote:
"I have to compliment you on the forum, which I discovered only recently but which seems very complete and has already been a help to me on several occasions."
Thanks. You can post compliments in the "Zeus Sì/No" section.
Paolo77 wrote:
"(There isn't a section for introductions, is there?)"
Look at the "Al caffe' dell'Olimpo" section and in particular here: "Il meglio del forum Caffe' dell'Olimpo".
holifay (Mature God)
Joined: 08/03/05 10:48  Posts: 2912  Location: Milano
Posted: 18 Sep 2006 13:41
After you have done the above, please also do the following and post me the two logs you get:
1) HijackThis log of the ADS. Follow this part of the guide, under the heading ADS Spy: http://www.zeusnews.it/index.php3?ar=stampa&cod=4696
2) Download RKR and make a log. Don't use the PC until it has finished.
Bye
Paolo77 (Pious Mortal)
Joined: 16/09/06 16:15  Posts: 17  Location: Verbania
Posted: 18 Sep 2006 16:06  Subject: ads
I did what you told me to do. I deleted the lines from the HijackThis log that you advised me to remove, and I made the logs with ADS Spy and RKR, which I attach now.
For chemicalbit: every day at 12 I run a full scan with AVG, and every morning I use Spybot and Ad-Aware. Thanks.
ADS-SPY
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c57c84e5e64d.tif : Xj1phwzh5qcwungrN45kt3kiCe (620 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c586af3a0f30.tif : Xj1phwzh5qcwungrN45kt3kiCe (656 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c58ba5b2189f.tif : Xj1phwzh5qcwungrN45kt3kiCe (672 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c5d70e0ea07d.tif : Xj1phwzh5qcwungrN45kt3kiCe (704 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c5d8b0ff4dce.tif : Xj1phwzh5qcwungrN45kt3kiCe (748 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c5e611270a5b.tif : Xj1phwzh5qcwungrN45kt3kiCe (620 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c5e6196f0756.tif : Xj1phwzh5qcwungrN45kt3kiCe (756 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c5eebba723e6.tif : Xj1phwzh5qcwungrN45kt3kiCe (660 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c5f97b86c37f.tif : Xj1phwzh5qcwungrN45kt3kiCe (628 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c5f9b079d639.tif : Xj1phwzh5qcwungrN45kt3kiCe (724 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c60f7ec6aa8e.tif : Xj1phwzh5qcwungrN45kt3kiCe (748 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c6263dc3b642.tif : Xj1phwzh5qcwungrN45kt3kiCe (684 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c62757cfd1a9.tif : Xj1phwzh5qcwungrN45kt3kiCe (708 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c6275858be00.tif : Xj1phwzh5qcwungrN45kt3kiCe (708 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c62cd0e20c14.tif : Xj1phwzh5qcwungrN45kt3kiCe (712 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c62cd1bd777f.tif : Xj1phwzh5qcwungrN45kt3kiCe (692 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c62d92cd4b31.tif : Xj1phwzh5qcwungrN45kt3kiCe (652 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c63c3d3b8436.tif : Xj1phwzh5qcwungrN45kt3kiCe (668 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c63c3f18d1b2.tif : Xj1phwzh5qcwungrN45kt3kiCe (668 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c64677a33993.tif : Xj1phwzh5qcwungrN45kt3kiCe (684 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c646790102dd.tif : Xj1phwzh5qcwungrN45kt3kiCe (684 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c64807c9f18f.tif : Xj1phwzh5qcwungrN45kt3kiCe (752 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c64d9789aa07.tif : Xj1phwzh5qcwungrN45kt3kiCe (764 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c656f467866d.tif : Xj1phwzh5qcwungrN45kt3kiCe (616 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c669014d28a1.tif : Xj1phwzh5qcwungrN45kt3kiCe (708 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c674ca085dab.tif : Xj1phwzh5qcwungrN45kt3kiCe (716 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c683452e0995.tif : Xj1phwzh5qcwungrN45kt3kiCe (716 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c68a084f5b1a.tif : Xj1phwzh5qcwungrN45kt3kiCe (684 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c68c8ee9fbb6.tif : Xj1phwzh5qcwungrN45kt3kiCe (648 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c68dfedc94d9.tif : Xj1phwzh5qcwungrN45kt3kiCe (716 bytes)
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c69eb78517ef.tif : Xj1phwzh5qcwungrN45kt3kiCe (688 bytes)
C:\Programmi\ATI Technologies\ATI.ACE\skins\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Scrollbar : Smaller.WB4 (2416 bytes)
RKR
HKLM\S-1-5-21-1844237615-1580436667-839522115-1004\RemoteAccess\InternetProfile 09/12/03 18.42 7 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1844237615-1580436667-839522115-1004\Software\Microsoft\At Work Fax\Transport Service Provider\Cover Page Editor 30/06/05 17.10 43 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0006\Config\Mixer\WaveFader 14/09/06 17.14 39 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0006\Config\Mixer\WaveFader 14/09/06 17.14 39 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Io\Impostazioni locali\Temporary Internet Files\Content.IE5\GT2NWP2B\hi124kl[1].jpg 18/09/06 15.35 78.44 KB Hidden from Windows API.
Paolo77 (Pious Mortal)
Registered: 16/09/06 16:15  Posts: 17  Location: Verbania
Posted: 19 Sep 2006 10:14  Subject: again!

This morning it showed up again!
I ran a full scan at 9 and it detected nothing.
Then, while I was using ad-aware (9:40), avg detected the usual trojan horse generic2 in the usual windows\temp folder. What am I supposed to do?
holifay (Mature God)
Registered: 08/03/05 10:48  Posts: 2912  Location: Milano
Posted: 19 Sep 2006 13:34  Subject:

Does it give you the warning after you have connected to the internet? Because that kind of problem is typical of linkoptimizer, but it doesn't show up in your logs.
Linkoptimizer (alias gromozon) is delivered by many websites exploiting 5 vulnerabilities, including the wmf one. Can you work out whether it depends on visiting some site or not?
Let's try this: download GMER to the desktop http://www.gmer.net/gmer.zip
unzip the gmer.zip file on the desktop.
Run gmer.exe
Click the Rootkit tab
Click Scan
when the scan is finished click Copy
Open Notepad and paste the result (CTRL+V)
Save the file (rootkit.txt)
Now click the Autostart tab
Tick the Show All box
Click Scan
when the scan is finished click Copy
Open Notepad and paste the result (CTRL+V)
Save the file (autostart.txt)
Post the contents of the two files
Bye
chemicalbit (Mature God)
Registered: 01/04/05 18:59  Posts: 18597  Location: Milano
Posted: 19 Sep 2006 14:05  Subject: Re: again!

Paolo77 wrote: "Then, while I was using ad-aware (9:40), avg detected the usual trojan horse generic2 in the usual windows\temp folder. What am I supposed to do?"
Usual in what sense?
Does it find it every time you use ad-aware?
I had read about possible false positives from the antivirus while the antispyware is scanning
(even though that is not necessarily your case)
Paolo77 (Pious Mortal)
Registered: 16/09/06 16:15  Posts: 17  Location: Verbania
Posted: 20 Sep 2006 09:38  Subject: eureka

Actually I too had the impression it was "dependent" on the connection; in fact the infected files are always found after connecting.
In any case, yesterday morning, before I could read your replies, I followed one of the most common pieces of advice on this forum, that is, to use another antivirus. So I downloaded Avast and, after temporarily disabling AVG, I ran a boot-time scan in safe mode with the valiant Avast. Well, almost immediately it caught 4 infected files, files that avg had never even touched. I threw them straight into the recycle bin, and other files ended up there too, not infected but damaged anyway. Some are executables, now what do I do? I think I can delete them without repercussions (also because they cannot be repaired).
I think the problem is solved now, but for the future what do you advise me to do? Keep Avg in the background and check occasionally with avast, or vice versa?
One last question: does it often happen that there are such marked differences between one antivirus and another?
Now I'm attaching the infected files:
- A0011100.exe file infected with Win32: Trojan-gen. (Delphi)
- gendel32.exe file infected with THE SAME
- ugafx1.del file infected with Win32: Agent-gen
I'm also attaching these files from the system32 folder which, although not infected, were still moved to the recycle bin:
- kernel32.dll
- winsock.dll
- wsock32.dll
This morning I ran another thorough scan with avast and it found another infected file: memory.dmp. Shortly before that I had been warned that the paging file was insufficient, and it had "grown by itself" to 1.29 GB!
Thanks
Paolo77 (Pious Mortal)
Registered: 16/09/06 16:15  Posts: 17  Location: Verbania
Posted: 20 Sep 2006 15:53  Subject: aaargh

Aaaaaargh!
The virus that infected the memory.dmp file is the following: Win32:RKDice, and it seems to be Linkoptimizer or Gromozon again in disguise!
What do I do now, will avast have cleaned everything up?
holifay (Mature God)
Registered: 08/03/05 10:48  Posts: 2912  Location: Milano
Posted: 20 Sep 2006 15:58  Subject:

I doubt avast can clean it up, use the PrevX tool
http://www.prevx.com/gromozon.asp
then post the log c:/gromozon_removal.log
Paolo77 (Pious Mortal)
Registered: 16/09/06 16:15  Posts: 17  Location: Verbania
Posted: 20 Sep 2006 16:56  Subject: Yes

Thanks, you're a legend! I just downloaded it and it cleaned up my hard disk; now the connection is very fast and everything seems to be working fine. What do you think, is their full protection program worth downloading or is it superfluous?
Thanks again!
Paolo77 (Pious Mortal)
Registered: 16/09/06 16:15  Posts: 17  Location: Verbania
Posted: 20 Sep 2006 17:51  Subject: oops

Oops, I forgot the log:
Removal tool loaded into memory
------------------------------------
Executing rootkit removal engine....
------------------------------------
Disabling rootkit file: \\?\C:\WINDOWS\system32\com6.zjq
\\?\C:\WINDOWS\system32\com6.zjq
Resetting file permissions...
Clearing attributes...
Accesso negato - C:\_cleaned.tmp
Removing file...
C:\_cleaned.tmp
Rootkit removed! Cleaning up...
Removing temp files...
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\System\ABYXT.exe
Removing protected file: C:\Programmi\File comuni\System\bmgnw.exe
Removing protected file: C:\Programmi\File comuni\System\CBl.exe
Removing protected file: C:\Programmi\File comuni\System\cHY.exe
Removing protected file: C:\Programmi\File comuni\System\cjiHv.exe
Removing protected file: C:\Programmi\File comuni\System\cqS.exe
Removing protected file: C:\Programmi\File comuni\System\CUn.exe
Removing protected file: C:\Programmi\File comuni\System\cWv.exe
Removing protected file: C:\Programmi\File comuni\System\dBH.exe
Removing protected file: C:\Programmi\File comuni\System\DBPK.exe
Removing protected file: C:\Programmi\File comuni\System\eChRz.exe
Removing protected file: C:\Programmi\File comuni\System\ENNGR.exe
Removing protected file: C:\Programmi\File comuni\System\EtMB.exe
Removing protected file: C:\Programmi\File comuni\System\EzD.exe
Removing protected file: C:\Programmi\File comuni\System\feG.exe
Removing protected file: C:\Programmi\File comuni\System\FkgV.exe
Removing protected file: C:\Programmi\File comuni\System\FxLMr.exe
Removing protected file: C:\Programmi\File comuni\System\GJX.exe
Removing protected file: C:\Programmi\File comuni\System\GUh.exe
Removing protected file: C:\Programmi\File comuni\System\hAA.exe
Removing protected file: C:\Programmi\File comuni\System\hoi.exe
Removing protected file: C:\Programmi\File comuni\System\HOqT.exe
Removing protected file: C:\Programmi\File comuni\System\hWjX.exe
Removing protected file: C:\Programmi\File comuni\System\IgBT.exe
Removing protected file: C:\Programmi\File comuni\System\ingHX.exe
Removing protected file: C:\Programmi\File comuni\System\Jei.exe
Removing protected file: C:\Programmi\File comuni\System\KIBhbr.exe
Removing protected file: C:\Programmi\File comuni\System\KWH.exe
Removing protected file: C:\Programmi\File comuni\System\lsW.exe
Removing protected file: C:\Programmi\File comuni\System\LUK.exe
Removing protected file: C:\Programmi\File comuni\System\MFmudd.exe
Removing protected file: C:\Programmi\File comuni\System\mJz.exe
Removing protected file: C:\Programmi\File comuni\System\MnNsV.exe
Removing protected file: C:\Programmi\File comuni\System\MvWWvz.exe
Removing protected file: C:\Programmi\File comuni\System\mZP.exe
Removing protected file: C:\Programmi\File comuni\System\NcW.exe
Removing protected file: C:\Programmi\File comuni\System\NFm.exe
Removing protected file: C:\Programmi\File comuni\System\Nhk.exe
Removing protected file: C:\Programmi\File comuni\System\PlR.exe
Removing protected file: C:\Programmi\File comuni\System\puz.exe
Removing protected file: C:\Programmi\File comuni\System\qoq.exe
Removing protected file: C:\Programmi\File comuni\System\RVf.exe
Removing protected file: C:\Programmi\File comuni\System\sUr.exe
Removing directory: C:\Documents and Settings\\ChO
Removing protected file: C:\Programmi\File comuni\System\TBKD.exe
Removing protected file: C:\Programmi\File comuni\System\TdiQyq.exe
Removing protected file: C:\Programmi\File comuni\System\tjy.exe
Removing protected file: C:\Programmi\File comuni\System\uwXGE.exe
Removing protected file: C:\Programmi\File comuni\System\VBP.exe
Removing protected file: C:\Programmi\File comuni\System\VCgnNI.exe
Removing protected file: C:\Programmi\File comuni\System\vdl.exe
Removing protected file: C:\Programmi\File comuni\System\vVV.exe
Removing protected file: C:\Programmi\File comuni\System\vzKWPt.exe
Removing protected file: C:\Programmi\File comuni\System\vZZTYF.exe
Removing protected file: C:\Programmi\File comuni\System\YBL.exe
Removing protected file: C:\Programmi\File comuni\System\YjBbLy.exe
Removing protected file: C:\Programmi\File comuni\System\yZCEM.exe
Removing protected file: C:\Programmi\File comuni\System\Yzm.exe
Removing protected file: C:\Programmi\File comuni\System\Zap.exe
Removing protected file: C:\Programmi\File comuni\System\zJKu.exe
Trojan.Gromozon Removed!
Bye
Paolo77 (Pious Mortal)
Registered: 16/09/06 16:15  Posts: 17  Location: Verbania
Posted: 21 Sep 2006 11:04  Subject: again!

This morning, although everything seemed OK, the system very fast and no problems on the internet, an infected file showed up again, the usual one by the way:
c:\windows\temp\uvmx1.exe, and avast recognised it as infected with win32 small-BTG, which I have read is still Gromozon. I used the prevx tool again but of course it found nothing.
Now I have downloaded their full program prevx1, free for a month, and I'm using it alongside avast.
Let's hope for the best...
holifay (Mature God)
Registered: 08/03/05 10:48  Posts: 2912  Location: Milano
Posted: 21 Sep 2006 14:14  Subject:

Yes, in fact that one is gromozon's. It probably doesn't get as far as installing itself, since the file has to be executed, but your AV recognises it and blocks it.
If you want to be sure, download GMER from www.gmer.net
Run it, click the Rootkit tab >> Scan. When it has finished, copy the log by pressing Copy. Do the same for the log from the Autostart tab.
Copy and paste the two logs here
Also tell me which folders you have in c:/documents and settings
But do you know which sites you visit when you get infected?
Paolo77 (Pious Mortal)
Registered: 16/09/06 16:15  Posts: 17  Location: Verbania
Posted: 22 Sep 2006 15:59  Subject: here

Well yes, I do know the site history. Perhaps the riskiest one is inpiega.com, but I couldn't say.
Anyway, here are the logs:
GMER 1.0.11.11349 - http://www.gmer.net
Autostart 2006-09-21 17:41:01
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
WgaLogon@DLLName = WgaLogon.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C-DillaCdaC11BA /*C-DillaCdaC11BA*/@ = C:\WINDOWS\System32\drivers\CDAC11BA.EXE
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
Iomega App Services /*Iomega App Services*/@ = "C:\PROGRA~1\Iomega\System32\AppServices.exe"
LexBceS /*LexBce Server*/@ = C:\WINDOWS\system32\LEXBCES.EXE
LogTsu /*LogTsu*/@ = "C:\Programmi\File comuni\System\KIBhbr.exe" /*file not found*/
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
PREVXAgent /*Prevx Agent*/@ = "C:\Programmi\Prevx1\PXAgent.exe" -f
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SLService /*SmartLinkService*/@ = slserv.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@AdaptecDirectCD"C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" = "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@Lexmark X74-X75"C:\Programmi\Lexmark X74-X75\lxbbbmgr.exe" = "C:\Programmi\Lexmark X74-X75\lxbbbmgr.exe"
@Lexmark X1100 Series"C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe" = "C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe"
@LVCOMSXC:\WINDOWS\system32\LVCOMSX.EXE = C:\WINDOWS\system32\LVCOMSX.EXE
@LogitechVideoRepairC:\Programmi\Logitech\Video\ISStart.exe = C:\Programmi\Logitech\Video\ISStart.exe
@LogitechVideoTrayC:\Programmi\Logitech\Video\LogiTray.exe = C:\Programmi\Logitech\Video\LogiTray.exe
@Iomega Startup OptionsC:\Programmi\Iomega\Common\ImgStart.exe = C:\Programmi\Iomega\Common\ImgStart.exe
@Iomega Drive IconsC:\Programmi\Iomega\DriveIcons\ImgIcon.exe = C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
@Tweak UIRUNDLL32.EXE TWEAKUI.CPL,TweakMeUp = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
@ATIPTAC:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
@ATICCC"C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe" = "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@PrevxOne"C:\Programmi\Prevx1\PXConsole.exe" = "C:\Programmi\Prevx1\PXConsole.exe"
@TraySantaCruzC:\WINDOWS\system32\tbctray.exe = C:\WINDOWS\system32\tbctray.exe
RunOnceEx@ = /*file not found*/
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@Iomega Active DiskC:\Programmi\Iomega\AutoDisk\AD2KClient.exe = C:\Programmi\Iomega\AutoDisk\AD2KClient.exe
@Iomega Automatic BackupC:\Programmi\Iomega\Iomega Automatic Backup\ibackup.exe /*file not found*/ = C:\Programmi\Iomega\Iomega Automatic Backup\ibackup.exe /*file not found*/
@Spamihilator"C:\Programmi\Spamihilator\spamihilator.exe" = "C:\Programmi\Spamihilator\spamihilator.exe"
@LDMC:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{5E44E225-A408-11CF-B581-008029601108} /*Adaptec DirectCD Shell Extension*/C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll = C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealOne Player\rpshellext.dll = C:\Programmi\Real\RealOne Player\rpshellext.dll
@{32A9D769-5B55-4a25-9A62-86B5683FE50A} /*NikonView Drop Extension*/C:\Programmi\Nikon\NkView6\NkvDropExt.dll = C:\Programmi\Nikon\NkView6\NkvDropExt.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{FCF608CF-5716-47C3-A1A8-991D873AF72B} /*Delphi Context Menu Shell Extension Example*/C:\Programmi\Exifer\exifershellext.dll = C:\Programmi\Exifer\exifershellext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3} /*Immagini Logitech*/C:\Programmi\Logitech\Video\Namespc2.dll = C:\Programmi\Logitech\Video\Namespc2.dll
@{acb4a560-3606-11d3-aef4-00104bd0f92d} /*KodakShellExtension*/C:\Programmi\File comuni\Kodak\ifscore\KodakShX.dll = C:\Programmi\File comuni\Kodak\ifscore\KodakShX.dll
@{c7745760-8ead-11ce-b750-02608ca5202c} /*IomegaWare Shell Extension*/C:\Programmi\Iomega\Shell\ImgMenu.dll = C:\Programmi\Iomega\Shell\ImgMenu.dll
@{c7745761-8ead-11ce-b750-02608ca5202c} /*IomegaWare Shell Extension*/C:\Programmi\Iomega\Shell\ImgProp.dll = C:\Programmi\Iomega\Shell\ImgProp.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{5E2121EE-0300-11D4-8D3B-444553540000} /*Catalyst Context Menu extension*/C:\Programmi\ATI Technologies\ATI.ACE\atiacmxx.dll = C:\Programmi\ATI Technologies\ATI.ACE\atiacmxx.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
ContMenu@{FCF608CF-5716-47C3-A1A8-991D873AF72B} = C:\Programmi\Exifer\exifershellext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll = C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar1.dll = c:\programmi\google\googletoolbar1.dll
@{EDB3FE1A-70F4-FC7E-D9C4-33D63D24E5D3}C:\WINDOWS\ugafx1.dll /*file not found*/ = C:\WINDOWS\ugafx1.dll /*file not found*/
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\logon.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.virgilio.it/ = http://www.virgilio.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{41EDD45C-086E-443D-A148-B41FEF71A8EB} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.1.2 = 192.168.1.2
@NameServer151.99.125.2,151.99.0.100 = 151.99.125.2,151.99.0.100
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =
C:\Documents and Settings\Io\Menu Avvio\Programmi\Esecuzione automatica = Microsoft Outlook.lnk
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Kodak EasyShare software.lnk = Kodak EasyShare software.lnk
KODAK Software Updater.lnk = KODAK Software Updater.lnk
Logitech Desktop Messenger.lnk = Logitech Desktop Messenger.lnk
Microsoft Office.lnk = Microsoft Office.lnk
NkvMon.exe.lnk = NkvMon.exe.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk
---- EOF - GMER 1.0.11 ----
And here is the other one:
GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-21 17:43:51
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.11 ----
SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT pxfsf.sys ZwCompactKeys
SSDT pxfsf.sys ZwCompressKey
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT pxfsf.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT pxfsf.sys ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT pxfsf.sys ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT pxfsf.sys ZwCreatePort
SSDT pxfsf.sys ZwCreateProcess
SSDT pxfsf.sys ZwCreateProcessEx
SSDT pxfsf.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT pxfsf.sys ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT pxfsf.sys ZwDeleteFile
SSDT pxfsf.sys ZwDeleteKey
SSDT pxfsf.sys ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT pxfsf.sys ZwDuplicateObject
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT pxfsf.sys ZwFreeVirtualMemory
SSDT pxfsf.sys ZwImpersonateAnonymousToken
SSDT pxfsf.sys ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT pxfsf.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockRegistryKey
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT pxfsf.sys ZwMapViewOfSection
SSDT pxfsf.sys ZwOpenFile
SSDT pxfsf.sys ZwOpenKey
SSDT pxfsf.sys ZwOpenProcess
SSDT pxfsf.sys ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT pxfsf.sys ZwOpenThread
SSDT pxfsf.sys ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT pxfsf.sys ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT pxfsf.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT pxfsf.sys ZwRenameKey
SSDT pxfsf.sys ZwReplaceKey
SSDT pxfsf.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeProcess
SSDT pxfsf.sys ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveKeyEx
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT pxfsf.sys ZwSetContextThread
SSDT pxfsf.sys ZwSetInformationKey
SSDT pxfsf.sys ZwSetInformationProcess
SSDT pxfsf.sys ZwSetInformationThread
SSDT pxfsf.sys ZwSetSystemInformation
SSDT pxfsf.sys ZwSetValueKey
SSDT pxfsf.sys ZwSuspendProcess
SSDT pxfsf.sys ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT pxfsf.sys ZwTerminateProcess
SSDT pxfsf.sys ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnloadKeyEx
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT pxfsf.sys ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT pxfsf.sys ZwWriteVirtualMemory
---- Processes - GMER 1.0.11 ----
Process lsass.exe (*** hidden *** ) [804] 821DF338
Process svchost.exe (*** hidden *** ) [1076] FF6164C0
Process svchost.exe (*** hidden *** ) [1164] 81E2EBE8
Process ashWebSv.exe (*** hidden *** ) [576] 81F2D338
Process winlogon.exe (*** hidden *** ) [748] 81F369E8
Process svchost.exe (*** hidden *** ) [984] 821F82C8
Process services.exe (*** hidden *** ) [792] 81E0B500
Process svchost.exe (*** hidden *** ) [1388] 81FDA020
Process svchost.exe (*** hidden *** ) [624] 821E66C0
Process ashMaiSv.exe (*** hidden *** ) [216] FDDD5020
Process spoolsv.exe (*** hidden *** ) [1608] 81EF7378
Process avgamsvr.exe (*** hidden *** ) [1868] 81E21448
Process alg.exe (*** hidden *** ) [2664] 81D36DA0
Process ati2evxx.exe (*** hidden *** ) [1364] 81ECD020
Process ashServ.exe (*** hidden *** ) [1832] 81F45540
Process svchost.exe (*** hidden *** ) [1208] 81FE0020
Process PXAgent.exe (*** hidden *** ) [3844] F8DF4CA0
Process CDAC11BA.EXE (*** hidden *** ) [1936] 821E2558
Process mdm.exe (*** hidden *** ) [2016] FF8EC9A8
Process System (*** hidden *** ) [4] 823CA830
Process csrss.exe (*** hidden *** ) [720] 820190C0
Process avgemc.exe (*** hidden *** ) [1892] FF5D24E0
---- Files - GMER 1.0.11 ----
ADS C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c57c84e5e64d.tif: Xj1phwzh5qcwungrN45kt3kiCe
ADS C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c57c84e5e64d.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c586af3a0f30.tif: Xj1phwzh5qcwungrN45kt3kiCe
ADS C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c586af3a0f30.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c58ba5b2189f.tif: Xj1phwzh5qcwungrN45kt3kiCe
ADS C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1844237615-1580436667-839522115-1004$201c58ba5b2189f.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...
---- EOF - GMER 1.0.11 ----
The folders in documents and settings are:
Administrator
All Users
Guest
IO
Cheers
holifay (Mature God)
Registered: 08/03/05 10:48  Posts: 2912  Location: Milano
Posted: 23 Sep 2006 17:40  Subject:

Just a few leftovers
Use Avenger, as you already did, with this script:
Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\LogTsu
files to delete:
C:\Programmi\File comuni\System\KIBhbr.exe
Bye
Paolo77 (Pious Mortal)
Registered: 16/09/06 16:15  Posts: 17  Location: Verbania
Posted: 25 Sep 2006 09:24  Subject: voilà

Here is the avenger file, but it didn't find the second file to be deleted.
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ekrhmdes
*******************
Script file located at: \??\C:\WINDOWS\system32\cpwp^wvv.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Registry key HKLM\SYSTEM\CurrentControlSet\Services\LogTsu deleted successfully.
File C:\Programmi\File comuni\System\KIBhbr.exe not found!
Deletion of file C:\Programmi\File comuni\System\KIBhbr.exe failed!
Could not process line:
C:\Programmi\File comuni\System\KIBhbr.exe
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
And here is the hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 9.21.46, on 25/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Prevx1\PXAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Lexmark X74-X75\lxbbbmgr.exe
C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programmi\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmi\Lexmark X1100 Series\lxbkbmon.exe
C:\Programmi\Logitech\Video\LogiTray.exe
C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Prevx1\PXConsole.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Iomega\AutoDisk\AD2KClient.exe
C:\Programmi\Spamihilator\spamihilator.exe
C:\Programmi\Iomega\Automatic Backup Pro\LiveSystem.exe
C:\Programmi\Logitech\Video\FxSvr2.exe
C:\Programmi\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Programmi\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Programmi\Nikon\NkView6\NkvMon.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Microsoft Office\Office10\msoffice.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Anti-malware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Class - {EDB3FE1A-70F4-FC7E-D9C4-33D63D24E5D3} - C:\WINDOWS\ugafx1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Programmi\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programmi\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programmi\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programmi\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Programmi\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Programmi\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Programmi\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Programmi\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Programmi\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Iomega Automatic Backup Pro] "C:\Programmi\Iomega\Automatic Backup Pro\LiveSystem.exe" -s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Programmi\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Programmi\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Programmi\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Cerca con Google - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Link a ritroso - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/IT/install.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/sikes/it/win/QuickTimeInstaller.exe
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155213661203
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://ww3.atlanteitaliano.it/ecwplugins/ncs.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{41EDD45C-086E-443D-A148-B41FEF71A8EB}: NameServer = 151.99.125.2,151.99.0.100
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programmi\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
I will be eternally grateful.
Thanks!
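A triage helper for logs shaped like the HijackThis 1.99.1 output posted above, added here as an example (it is not from the thread and not part of HijackThis): it pulls out the O2/O23 lines marked `(file missing)` and separates a genuinely orphaned entry, such as the unnamed BHO pointing at ugafx1.dll, from the quoting artifact HijackThis 1.99.1 produces when a service ImagePath is quoted and carries arguments, which is what the avast! and Prevx service lines show. The sample lines are constructed from the log; `Finding`, `triage` and the verdict labels are names chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis 1.99.1 log posted above
# (a few lines copied from that log, not the complete log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {EDB3FE1A-70F4-FC7E-D9C4-33D63D24E5D3} - C:\WINDOWS\ugafx1.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programmi\Prevx1\PXAgent.exe" -f (file missing)
"""
MISSING = "(file missing)"
GENERIC_NAMES = {"", "class", "(no name)"}   # BHO names that tell you nothing

@dataclass
class Finding:
    section: str   # HijackThis section, "O2" (BHO) or "O23" (service)
    name: str      # BHO or service display name
    path: str      # path as HijackThis printed it, marker and arguments removed
    verdict: str   # "orphaned" or "quoting-artifact"
    unnamed: bool  # True when the BHO has no meaningful name

def triage(log_text):
    """Return only the O2/O23 lines flagged '(file missing)', classified."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" - ", 3)          # section - label - clsid/owner - path
        if len(parts) < 4 or parts[0] not in ("O2", "O23"):
            continue
        section, label, _middle, path = parts
        if not path.endswith(MISSING):
            continue
        path = path[: -len(MISSING)].rstrip()
        # HJT 1.99.1 prints a quoted ImagePath with arguments ("...\x.exe" /svc)
        # with a stray closing quote and wrongly marks it missing; that quote
        # followed by an argument is the tell, so verify the file before acting.
        m = re.match(r'^(.*?)"\s+\S', path)
        if m:
            verdict, path = "quoting-artifact", m.group(1)
        else:
            verdict = "orphaned"            # registry points at a file that is gone
        name = label.split(": ", 1)[-1]
        findings.append(Finding(section, name, path, verdict,
                                name.strip().lower() in GENERIC_NAMES))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.verdict:17} {f.path}" + ("  (unnamed BHO)" if f.unnamed else ""))
```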
holifay Mature god

Registered: 08/03/05 10:48 Posts: 2912 Location: Milano
Posted: 25 Sep 2006 14:09 Subject:
Oh no, who knows whether eternity even really exists? I'll settle for a beer for now
Bye!