botty (Devoted mortal)
Registered: 26/12/07 18:07, Posts: 6
Posted: 26 Dec 2007 18:31, Subject: Virtumonde and other junk.
Hi guys.
After a few weeks as a "self-taught" user I realised that without someone's help I would never manage to clean up my PC. Thanking in advance whoever helps me, here is my problem.
I use Spyware Doctor (paid version), which reports Virtumonde, in particular in relation to the file c:\windows\system32\gebya.dll
The problems I notice are 2:
1. Explorer windows that open on their own (in particular a recurring "powered by zedo");
2. on some sites, in some boxes on the site (no separate window opens, it really looks like a box built into the page of the site itself), I am told that my PC is infected and am invited to click, which of course I don't do.
Taking a cue from other replies you have given to people with problems similar to mine, I did the following:
1. ran VundoFix, which deleted a bit of junk,
2. ran CCleaner,
3. ran VundoFix again, which found nothing more,
4. in Safe Mode ran HijackThis, whose log I post here while awaiting your enlightened opinion:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17.00.50, on 26/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Spyware Doctor\svcntaux.exe
C:\Programmi\Spyware Doctor\swdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Proprietario\Desktop\Nuova cartella (3)\hijack\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - TELE2Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {46b9910e-15cf-03da-0144-be4601b4c936} - {639c4b10-64eb-4410-ad30-fc51e0199b64} - C:\WINDOWS\system32\vtqpydgo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84F4C903-E31C-478F-BA73-6C0F1BAFF25F} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Programmi\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [386be97d] rundll32.exe "C:\WINDOWS\system32\wphvrwim.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmi\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tele2.it/redirect/startpage/dial_up/ita
O15 - Trusted Zone: http://www.adobe.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.inforiviera.it/new_webcam/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5175/mcfscan.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
--
End of file - 7196 bytes
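Added example (my own code, not a tool from this thread and not part of HijackThis): a small Python triage that parses the O2 (Browser Helper Object) and O4 (Run key) lines of a log in the HijackThis v2 format shown above and flags the patterns that matter in a Vundo/Virtumonde case, a BHO with no display name or with a DLL that is no longer on disk, and a rundll32 Run entry whose value name is eight hex digits and whose DLL has a gibberish name. The sample lines are constructed from the posted log; the "gibberish basename" and "hex value name" heuristics are my assumptions, not HijackThis logic.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample (not a complete log): a few lines in HijackThis v2 format
# modelled on the Vundo/Virtumonde entries posted above, mixed with legitimate
# Adobe, NVIDIA and ctfmon entries so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {46b9910e-15cf-03da-0144-be4601b4c936} - {639c4b10-64eb-4410-ad30-fc51e0199b64} - C:\WINDOWS\system32\vtqpydgo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {84F4C903-E31C-478F-BA73-6C0F1BAFF25F} - C:\WINDOWS\system32\gebya.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [386be97d] rundll32.exe "C:\WINDOWS\system32\wphvrwim.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
GUID_RE = re.compile(GUID)
# O2 - BHO: <display name> - {CLSID} - <DLL path, maybe "(file missing)", or "(no file)">
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.*)$")
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
# Heuristic (assumption): Vundo-style DLLs have short, all-lowercase gibberish
# basenames. Some legitimate system DLLs look like that too, so this is a hint,
# never a verdict on its own.
GIBBERISH_DLL_RE = re.compile(r"\\([a-z]{5,8})\.dll\b")
# Heuristic (assumption): a Run value named with eight hex digits ("386be97d")
# is typical of machine-generated persistence entries.
HEX_VALUE_RE = re.compile(r"^[0-9a-f]{8}$")


@dataclass
class Finding:
    entry_type: str   # "O2" (Browser Helper Object) or "O4" (Run key entry)
    identifier: str   # CLSID for O2, Run value name for O4
    target: str       # DLL path or command line
    reasons: list = field(default_factory=list)


def _check_bho(m: "re.Match") -> Optional[Finding]:
    name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
    reasons = []
    if name == "(no name)" or GUID_RE.fullmatch(name):
        reasons.append("BHO has no human-readable display name")
    if "(file missing)" in path or path == "(no file)":
        reasons.append("registered DLL is absent from disk (orphaned or partly cleaned)")
    if GIBBERISH_DLL_RE.search(path):
        reasons.append("DLL basename looks randomly generated")
    return Finding("O2", clsid, path, reasons) if reasons else None


def _check_run(m: "re.Match") -> Optional[Finding]:
    value, cmd = m.group("value"), m.group("cmd")
    reasons = []
    if HEX_VALUE_RE.match(value):
        reasons.append("Run value name is eight hex digits")
    if cmd.lower().startswith("rundll32") and GIBBERISH_DLL_RE.search(cmd):
        reasons.append("rundll32 loads a DLL with a randomly generated name")
    return Finding("O4", value, cmd, reasons) if reasons else None


def triage(log_text: str) -> list:
    """Return the O2/O4 entries of a HijackThis log that deserve a closer look,
    in log order; entries that trip no heuristic are dropped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            finding = _check_bho(m)
        else:
            m = O4_RE.match(line)
            finding = _check_run(m) if m else None
        if finding:
            findings.append(finding)
    return findings


def report(findings: list) -> str:
    """Render findings as indented text, one block per flagged entry."""
    out = []
    for f in findings:
        out.append(f"{f.entry_type} [{f.identifier}] -> {f.target}")
        out.extend(f"    - {r}" for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the sample it flags the three nameless or orphaned BHOs and the 386be97d Run entry and leaves the Adobe, NVIDIA and ctfmon lines alone; the same four items are exactly what the Avenger script later in the thread removes.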
bdoriano (Administrator)
Registered: 02/04/07 12:05, Posts: 14391, Location: 3rd planet of the solar system...
botty (Devoted mortal)
Registered: 26/12/07 18:07, Posts: 6
Posted: 26 Dec 2007 19:51
Wow, you're really fast: congratulations and thanks.
Here is the log:
ComboFix 07-12-26.4 - Proprietario 2007-12-26 18.40.58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.180 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Proprietario\Desktop\Nuova cartella (3)\ComboFix.exe
* Creato nuovo punto di ripristino
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Proprietario\Preferiti\Online Security Guide.lnk
C:\Programmi\Temporary
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cictoghc.ini
C:\WINDOWS\system32\eylljpgh.ini
C:\WINDOWS\system32\hpyrndwr.ini
C:\WINDOWS\system32\jhmuyinh.ini
C:\WINDOWS\system32\klhibmti.ini
C:\WINDOWS\system32\lyepfdck.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nuygiphb.ini
C:\WINDOWS\system32\qnkvyfgc.ini
C:\WINDOWS\system32\smpimvly.ini
C:\x.dat
C:\z.dat
C:\WINDOWS\Fonts\'
.
((((((((((((((((((((((((( Files Creati Da 2007-11-26 al 2007-12-26 )))))))))))))))))))))))))))))))))))
.
2007-12-26 14:56 . 2006-02-03 08:49 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2007-12-26 14:56 . 2006-02-03 08:49 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2007-12-26 14:56 . 2006-02-03 08:49 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2007-12-26 14:56 . 2006-02-03 08:12 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2007-12-26 14:56 . 2006-02-03 08:49 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2007-12-26 14:56 . 2007-12-26 18:43 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2007-12-26 14:56 . 2006-02-03 08:49 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2007-12-26 14:56 . 2006-02-03 08:49 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2007-12-26 14:33 . 2007-12-26 16:11 1,025,128 ---hs---- C:\WINDOWS\system32\miwrvhpw.ini
2007-12-26 13:41 . 2007-12-26 13:41 <DIR> d-------- C:\Programmi\iPod
2007-12-26 13:31 . 2007-12-26 14:24 1,025,523 ---hs---- C:\WINDOWS\system32\tdltdkui.ini
2007-12-24 18:19 . 2007-12-24 18:19 1,010,192 ---hs---- C:\WINDOWS\system32\idobatya.ini
2007-12-20 15:52 . 2007-12-26 17:36 <DIR> d-------- C:\Programmi\Spyware Doctor
2007-12-20 15:52 . 2007-12-20 15:52 <DIR> d-------- C:\Documents and Settings\Proprietario\Dati applicazioni\PC Tools
2007-12-20 15:52 . 2007-12-20 16:04 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-20 15:52 . 2007-12-20 16:04 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-20 15:52 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-20 15:52 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-16 20:48 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-16 20:48 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-16 20:48 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-13 19:05 . 2007-12-13 19:05 <DIR> d-------- C:\Programmi\Microsoft CAPICOM 2.1.0.2
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-02 22:57 . 2007-12-02 22:57 3,072 --a------ C:\WINDOWS\system32\OEMINFO.PNF
2007-12-02 19:26 . 2007-12-02 19:26 <DIR> d-------- C:\WINDOWS\system32\bits
2007-12-02 19:26 . 2007-03-29 13:58 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2007-12-02 19:26 . 2007-03-29 13:58 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2007-11-30 21:52 . 2007-11-30 21:52 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-11-30 21:25 . 2007-11-30 21:25 <DIR> d-------- C:\Programmi\CCleaner
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 17:45 --------- d---a-w C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2007-12-26 12:41 --------- d-----w C:\Programmi\iTunes
2007-12-26 12:39 --------- d-----w C:\Programmi\QuickTime
2007-12-02 20:00 --------- d-----w C:\Programmi\Google
2007-11-25 14:33 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-11-25 14:31 --------- d-----w C:\Programmi\Pinnacle
2007-11-25 14:30 --------- d-----w C:\Programmi\eMule
2007-11-25 14:23 --------- d-----w C:\Documents and Settings\Proprietario\Dati applicazioni\VoipCheapCom
2007-11-24 22:59 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Prevx
2007-11-24 22:45 --------- d-----w C:\Documents and Settings\Proprietario\Dati applicazioni\LimeWire
2007-11-24 22:44 120 ----a-w C:\n.bat
2007-11-24 22:43 790 ----a-w C:\Documents and Settings\Proprietario\z.dat
2007-11-24 22:43 40,960 ----a-w C:\Documents and Settings\Proprietario\f.exe
2007-11-24 22:43 0 ----a-w C:\Documents and Settings\Proprietario\x.dat
2007-11-18 10:13 --------- d-----w C:\Documents and Settings\Proprietario\Dati applicazioni\Dcads Advanced Toolbar
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-04 19:26 41,656 ----a-w C:\Documents and Settings\Proprietario\Dati applicazioni\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{639c4b10-64eb-4410-ad30-fc51e0199b64}]
C:\WINDOWS\system32\vtqpydgo.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84F4C903-E31C-478F-BA73-6C0F1BAFF25F}]
C:\WINDOWS\system32\gebya.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:00]
"updateMgr"="C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 09:53 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-19 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-06-15 10:20 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-19 13:00 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"HP Component Manager"="C:\Programmi\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"Adobe Photo Downloader"="C:\Programmi\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 00:18]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HP Software Update"="C:\Programmi\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"QuickTime Task"="C:\Programmi\QuickTime\QTTask.exe" [2007-12-11 10:56]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2007-12-11 12:10]
"SDTray"="C:\Programmi\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]
"386be97d"="C:\WINDOWS\system32\wphvrwim.dll" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 13:00]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma Loader.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-09-09 00:12:44]
Alice ti aiuta.lnk - C:\Programmi\Alice ti aiuta\bin\matcli.exe [2007-01-24 23:16:25]
VIA RAID TOOL.lnk - C:\Programmi\VIA\RAID\raid_tool.exe [2006-02-03 08:37:59]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"Ptipbmf"=rundll32.exe ptipbmf.dll,SetWriteCacheMode
R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys [2003-10-31 04:22]
.
Contenuto della cartella 'Scheduled Tasks'
"2007-09-24 19:28:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 18:46:16
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2007-12-26 18:47:22 - machine was rebooted
.
2007-12-13 18:05:17 --- E O F ---
bdoriano (Administrator)
Registered: 02/04/07 12:05, Posts: 14391, Location: 3rd planet of the solar system...
Posted: 27 Dec 2007 00:54
Download this and boot the PC in Safe Mode.
When it finishes, reboot the PC and paste here the log that will be created.
Note: during the scan it is important not to use the PC and to wait patiently for the operations to finish.
Also run these scans with GMER and post the logs on FreeFileHosting as indicated here.
Also post an updated HijackThis log.
botty (Devoted mortal)
Registered: 26/12/07 18:07, Posts: 6
Posted: 27 Dec 2007 12:07
Thanks bdoriano,
I am reading your post from the office PC. I hope this afternoon, as soon as I am home, to get onto mine (the infected one) and follow your instructions.
For now, thanks.
botty (Devoted mortal)
Registered: 26/12/07 18:07, Posts: 6
Posted: 27 Dec 2007 15:51
VirtumundoBeGone, when the executable was launched, did the scan (in Safe Mode) in very little time (1, maybe 2 seconds); here is the log:
[12/26/2007, 13:51:30] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Proprietario\Desktop\Nuova cartella (3)\VirtumundoBeGone.exe" )
[12/26/2007, 13:51:34] - Detected System Information:
[12/26/2007, 13:51:34] - Windows Version: 5.1.2600, Service Pack 2
[12/26/2007, 13:51:34] - Current Username: Proprietario (Admin)
[12/26/2007, 13:51:34] - Windows is in NORMAL mode.
[12/26/2007, 13:51:34] - Searching for Browser Helper Objects:
[12/26/2007, 13:51:34] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/26/2007, 13:51:34] - BHO 2: {761e3252-22ed-437b-b083-70b996940df6} ()
[12/26/2007, 13:51:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/26/2007, 13:51:34] - Checking for HKLM\...\Winlogon\Notify\epnwjuwq
[12/26/2007, 13:51:34] - Key not found: HKLM\...\Winlogon\Notify\epnwjuwq, continuing.
[12/26/2007, 13:51:34] - BHO 3: {7B359139-462B-407D-9D84-E91523DE7B9C} ()
[12/26/2007, 13:51:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/26/2007, 13:51:34] - Checking for HKLM\...\Winlogon\Notify\gebya
[12/26/2007, 13:51:34] - Key not found: HKLM\...\Winlogon\Notify\gebya, continuing.
[12/26/2007, 13:51:34] - BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[12/26/2007, 13:51:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/26/2007, 13:51:34] - No filename found. Continuing.
[12/26/2007, 13:51:34] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[12/26/2007, 13:51:34] - Finished Searching Browser Helper Objects
[12/26/2007, 13:51:34] - Finishing up...
[12/26/2007, 13:51:34] - Nothing found! Exiting...
[12/26/2007, 13:52:10] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Proprietario\Desktop\Nuova cartella (3)\VirtumundoBeGone.exe" )
[12/26/2007, 13:52:14] - Detected System Information:
[12/26/2007, 13:52:14] - Windows Version: 5.1.2600, Service Pack 2
[12/26/2007, 13:52:14] - Current Username: Proprietario (Admin)
[12/26/2007, 13:52:14] - Windows is in NORMAL mode.
[12/26/2007, 13:52:14] - Searching for Browser Helper Objects:
[12/26/2007, 13:52:14] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/26/2007, 13:52:14] - BHO 2: {761e3252-22ed-437b-b083-70b996940df6} ()
[12/26/2007, 13:52:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/26/2007, 13:52:14] - Checking for HKLM\...\Winlogon\Notify\epnwjuwq
[12/26/2007, 13:52:14] - Key not found: HKLM\...\Winlogon\Notify\epnwjuwq, continuing.
[12/26/2007, 13:52:14] - BHO 3: {7B359139-462B-407D-9D84-E91523DE7B9C} ()
[12/26/2007, 13:52:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/26/2007, 13:52:14] - Checking for HKLM\...\Winlogon\Notify\gebya
[12/26/2007, 13:52:14] - Key not found: HKLM\...\Winlogon\Notify\gebya, continuing.
[12/26/2007, 13:52:14] - BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[12/26/2007, 13:52:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/26/2007, 13:52:14] - No filename found. Continuing.
[12/26/2007, 13:52:14] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[12/26/2007, 13:52:14] - Finished Searching Browser Helper Objects
[12/26/2007, 13:52:14] - Finishing up...
[12/26/2007, 13:52:14] - Nothing found! Exiting...
[12/27/2007, 14:31:18] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Proprietario\Desktop\Nuova cartella (3)\VirtumundoBeGone.exe" )
[12/27/2007, 14:31:26] - Detected System Information:
[12/27/2007, 14:31:26] - Windows Version: 5.1.2600, Service Pack 2
[12/27/2007, 14:31:26] - Current Username: Proprietario (Admin)
[12/27/2007, 14:31:26] - Windows is in SAFE mode with Networking.
[12/27/2007, 14:31:26] - Searching for Browser Helper Objects:
[12/27/2007, 14:31:26] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/27/2007, 14:31:26] - BHO 2: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[12/27/2007, 14:31:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/27/2007, 14:31:26] - No filename found. Continuing.
[12/27/2007, 14:31:26] - BHO 3: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[12/27/2007, 14:31:26] - Finished Searching Browser Helper Objects
[12/27/2007, 14:31:26] - Finishing up...
[12/27/2007, 14:31:26] - Nothing found! Exiting...
As for GMER:
gmer11.txt
gmer21.txt
And finally the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14.43.06, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programmi\Java\jre1.5.0_04\bin\jusched.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Spyware Doctor\SDTrayApp.exe
C:\Programmi\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Spyware Doctor\svcntaux.exe
C:\Programmi\Spyware Doctor\swdsvc.exe
C:\Programmi\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Canon\CAL\CALMAIN.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Proprietario\Desktop\Nuova cartella (3)\hijack\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Programmi\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmi\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tele2.it/redirect/startpage/dial_up/ita
O15 - Trusted Zone: http://www.adobe.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.inforiviera.it/new_webcam/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5175/mcfscan.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
--
End of file - 7792 bytes
bdoriano (Administrator)
Registered: 02/04/07 12:05, Posts: 14391, Location: 3rd planet of the solar system...
Posted: 27 Dec 2007 16:25
Download Avenger and unpack it into a folder of its own, not a temporary one and not on the desktop.
Start AVENGER.
Click on "Input script manually".
Click on the magnifying glass.
Enter these lines:
Quote:
files to delete:
C:\WINDOWS\system32\wphvrwim.dll
C:\WINDOWS\system32\gebya.dll
C:\WINDOWS\system32\vtqpydgo.dll
C:\Documents and Settings\Proprietario\x.dat
C:\Documents and Settings\Proprietario\f.exe
C:\Documents and Settings\Proprietario\z.dat
C:\n.bat
C:\WINDOWS\system32\idobatya.ini
C:\WINDOWS\system32\tdltdkui.ini
C:\WINDOWS\system32\miwrvhpw.ini
Registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{639c4b10-64eb-4410-ad30-fc51e0199b64}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84F4C903-E31C-478F-BA73-6C0F1BAFF25F}
Registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 386be97d
Click on Done.
Click on the traffic light.
The PC should reboot; if it does not, reboot it yourself.
When the operation is finished, post the result here together with an updated HijackThis log.
Afterwards, connect to the Kaspersky on-line scanner and run the extended scan, as indicated here.
Save the scan result to a file (in HTML format), upload the file to FreeFileHosting and post here the link you are given.
botty Devoted mortal

Registered: 26/12/07 18:07 Posts: 6
Posted: 27 Dec 2007 22:11 Subject:
OK, done everything.
AVENGER RESULT
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wkvpwhds
*******************
Script file located at: \??\C:\WINDOWS\system32\ifrkxagl.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\wphvrwim.dll not found!
Deletion of file C:\WINDOWS\system32\wphvrwim.dll failed!
Could not process line:
C:\WINDOWS\system32\wphvrwim.dll
Status: 0xc0000034
File C:\WINDOWS\system32\gebya.dll not found!
Deletion of file C:\WINDOWS\system32\gebya.dll failed!
Could not process line:
C:\WINDOWS\system32\gebya.dll
Status: 0xc0000034
File C:\WINDOWS\system32\vtqpydgo.dll not found!
Deletion of file C:\WINDOWS\system32\vtqpydgo.dll failed!
Could not process line:
C:\WINDOWS\system32\vtqpydgo.dll
Status: 0xc0000034
File C:\Documents and Settings\Proprietario\x.dat deleted successfully.
File C:\Documents and Settings\Proprietario\f.exe deleted successfully.
File C:\Documents and Settings\Proprietario\z.dat deleted successfully.
File C:\n.bat deleted successfully.
File C:\WINDOWS\system32\idobatya.ini deleted successfully.
File C:\WINDOWS\system32\tdltdkui.ini deleted successfully.
File C:\WINDOWS\system32\miwrvhpw.ini deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{639c4b10-64eb-4410-ad30-fc51e0199b64} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{639c4b10-64eb-4410-ad30-fc51e0199b64} failed!
Status: 0xc0000034
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84F4C903-E31C-478F-BA73-6C0F1BAFF25F} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84F4C903-E31C-478F-BA73-6C0F1BAFF25F} failed!
Status: 0xc0000034
Could not delete registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|386be97d
Deletion of registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|386be97d failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
UPDATED HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20.27.26, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programmi\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Java\jre1.5.0_04\bin\jusched.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Canon\CAL\CALMAIN.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Proprietario\Desktop\Nuova cartella (3)\hijack\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Programmi\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tele2.it/redirect/startpage/dial_up/ita
O15 - Trusted Zone: http://www.adobe.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.inforiviera.it/new_webcam/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5175/mcfscan.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
--
End of file - 7595 bytes
KASPERSKY FILE
log kaspersky.html
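The Avenger log posted above reports each script entry either as "deleted successfully" or as "failed!" followed by an NTSTATUS code. The parser below is an added example (not part of the thread and not Avenger's own code) that reads that format and separates what was removed, what was already absent (0xC0000034, object name not found, which is the normal outcome for a file another tool has already cleaned up) and failures that still need attention; the locked.dll entry and its 0xC0000043 status in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NTSTATUS values Avenger prints after a failed deletion (0xC0000034 is the one in the thread).
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND", 0xC0000043: "STATUS_SHARING_VIOLATION"}

# Constructed excerpt in the format of the Avenger log posted above; locked.dll is invented
# to show a failure that is not "already gone". Raw string so the backslashes survive.
SAMPLE_LOG = r"""Beginning to process script file:
File C:\WINDOWS\system32\gebya.dll not found!
Deletion of file C:\WINDOWS\system32\gebya.dll failed!
Could not process line:
C:\WINDOWS\system32\gebya.dll
Status: 0xc0000034
File C:\n.bat deleted successfully.
Deletion of file C:\WINDOWS\system32\locked.dll failed!
Status: 0xc0000043
Could not delete registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|386be97d
Deletion of registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|386be97d failed!
Status: 0xc0000034
Completed script processing."""

@dataclass
class Outcome:
    kind: str                      # "file", "registry key" or "registry value"
    target: str
    deleted: bool
    status: Optional[int] = None   # NTSTATUS from the "Status:" line that follows a failure

def parse_avenger_log(text: str) -> List[Outcome]:
    """One Outcome per script entry; the 'not found!' and echoed-path lines are noise."""
    outcomes: List[Outcome] = []
    pending: Optional[Outcome] = None   # failed entry still waiting for its Status: line
    for line in text.splitlines():
        if m := re.match(r"File (.+) deleted successfully\.$", line):
            outcomes.append(Outcome("file", m.group(1), True))
        elif m := re.match(r"Deletion of (file|registry key|registry value) (.+) failed!$", line):
            pending = Outcome(m.group(1), m.group(2), False)
            outcomes.append(pending)
        elif (m := re.match(r"Status: 0x([0-9A-Fa-f]+)$", line)) and pending is not None:
            pending.status = int(m.group(1), 16)
            pending = None
    return outcomes

def triage(outcomes: List[Outcome]) -> Tuple[List[str], List[str], List[Tuple[str, str]]]:
    """Removed targets, targets already absent (benign for a cleanup script), real failures."""
    removed = [o.target for o in outcomes if o.deleted]
    absent = [o.target for o in outcomes if o.status == 0xC0000034]
    failed = [(o.target, NTSTATUS_NAMES.get(o.status, f"0x{o.status:08X}" if o.status else "no status"))
              for o in outcomes if not o.deleted and o.status != 0xC0000034]
    return removed, absent, failed
```

Running `triage(parse_avenger_log(SAMPLE_LOG))` on the sample puts gebya.dll and the Run value in the "already absent" list, n.bat in "removed", and only locked.dll under failures.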
bdoriano Administrator

Registered: 02/04/07 12:05 Posts: 14391 Location: 3rd planet of the solar system...
Posted: 28 Dec 2007 10:12 Subject:
The HijackThis log looks clean, and I don't see anything dangerous in the Kaspersky log either (there is only a reference to a password recovery tool).
Do you still have problems?
Install an antivirus, now.
One favour: once you have done the operations with Avenger, you will find one or more backup*.zip files in C:\avenger. If you can, upload them to freefilehosting and send me, via PM, the link you are given.
botty Devoted mortal

Registered: 26/12/07 18:07 Posts: 6
Posted: 28 Dec 2007 13:15 Subject:
I don't have any more problems. Thanks.
I sent you a PM.
Bye