GX Style (Hero)
Registered: 11/07/07 11:44  Posts: 47
Posted: 14 Jan 2008 22:47  Subject: Avast Script Blocker

For some time now I have occasionally been getting a sudden, "random" message from "Avast Script Blocker", the Avast! script that governs Internet Explorer.
In fact, it often "starts on its own", exactly as it does when IE is opened.
What's more, if I am disconnected, when it starts it connects to the Internet by itself (with the modem on, obviously).
What is it? A trojan?? Any advice??
Orange (Mature god)
Registered: 18/02/07 13:20  Posts: 2224  Location: Roma
Posted: 16 Jan 2008 09:58

Hmm...
If I were you I'd do a good routine "anti-junk" check-up.
Take a look here and start posting everything that is needed.
P.S. Don't open other threads; if necessary we'll move this one, ok?
GX Style (Hero)
Registered: 11/07/07 11:44  Posts: 47
Posted: 18 Jan 2008 16:23

Thanks Orange. Here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.22.38, on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Programmi\TomTom HOME 2\HOMERunner.exe
C:\Programmi\QuickTime\bak\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Programmi\PC-TV\WinManager\WinManager.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\User\Desktop\flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\User\Desktop\flexlm\SolidWorks SolidNetWork License Manager\SW_D.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
C:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programmi\PC Connectivity Solution\Transports\NclIrSrv.exe
C:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Programmi\PC Connectivity Solution\Transports\NclMSBTSrv.exe
D:\Programmi\eMule\emule.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Windows Media Player\wmplayer.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\javaw.exe
C:\Documents and Settings\User\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 212.216.112.112
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BearShare] "D:\Programmi\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [TomTomHOME.exe] "d:\Programmi\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\bak\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PC Suite Tray] "D:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinManager.lnk = C:\Programmi\PC-TV\WinManager\WinManager.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197804961984
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F673A63-BDBF-4B7B-9693-1ECA9A470115}: NameServer = 85.37.17.8 85.38.28.73
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Macrovision Corporation - C:\Documents and Settings\User\Desktop\flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe
--
End of file - 7593 bytes
PS: Sorry if I posted in the wrong section...
bdoriano (Administrator)
Registered: 02/04/07 12:05  Posts: 14391  Location: 3rd planet of the solar system...
Posted: 18 Jan 2008 18:37

Hi GX Style,
the HijackThis log looks clean.
Follow the instructions in this topic to post the ComboFix log.
GX Style (Hero)
Registered: 11/07/07 11:44  Posts: 47
Posted: 19 Jan 2008 13:19

ComboFix 08-01-09.2 - User 2008-01-19 12.11.19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.906 [GMT 1:00]
Eseguito da: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.
((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\User\Dati applicazioni\ezpinst.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_ROSA
((((((((((((((((((((((((( Files Creati Da 2007-12-19 al 2008-01-19 )))))))))))))))))))))))))))))))))))
.
2008-01-19 12:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 22:23 . 2008-01-18 22:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 22:23 . 2008-01-18 22:23 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-18 21:20 . 2008-01-18 21:20 74,752 --a------ C:\WINDOWS\temp.000
2008-01-14 15:01 . 2008-01-14 15:01 <DIR> d-------- C:\Documents and Settings\User\Dati applicazioni\Media Player Classic
2008-01-02 20:53 . 2008-01-02 20:53 <DIR> d-------- C:\Programmi\Nokia
2007-12-30 17:13 . 2008-01-02 18:53 <DIR> d-------- C:\Documents and Settings\User\Tracing
2007-12-30 16:52 . 2007-12-30 16:52 <DIR> d-------- C:\Programmi\Microsoft SQL Server Compact Edition
2007-12-30 16:42 . 2007-12-30 16:49 <DIR> d--hsc--- C:\Programmi\File comuni\WindowsLiveInstaller
2007-12-30 16:42 . 2008-01-02 20:55 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\WLInstaller
2007-12-29 19:41 . 2007-12-29 19:41 <DIR> d-------- C:\WINDOWS\system32\bak
2007-12-28 18:36 . 2007-12-29 19:48 <DIR> d-------- C:\Programmi\Multimedia Card Reader
2007-12-27 21:37 . 2007-12-27 21:37 <DIR> d-------- C:\Programmi\File comuni\Nokia
2007-12-27 21:36 . 2007-12-27 21:36 <DIR> d-------- C:\Programmi\PC Connectivity Solution
2007-12-26 15:33 . 2007-12-26 15:33 <DIR> d-------- C:\Programmi\Google
2007-12-25 11:44 . 2007-12-25 11:44 <DIR> d-------- C:\Documents and Settings\User\Dati applicazioni\Nokia Multimedia Player
2007-12-24 14:07 . 2004-05-25 17:06 417,792 --a------ C:\WINDOWS\system32\ac3filter.ax
2007-12-24 14:07 . 2005-02-27 21:48 356,352 --a------ C:\WINDOWS\system32\RealMediaSplitter.ax
2007-12-24 14:07 . 2004-01-10 17:02 258,048 --a------ C:\WINDOWS\system32\GplMpgDec.ax
2007-12-24 09:03 . 2007-12-24 09:03 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\SimCity Societies
2007-12-23 19:07 . 2007-12-23 19:07 <DIR> d-------- C:\Programmi\iPod
2007-12-23 19:06 . 2007-12-29 19:48 <DIR> d-------- C:\Programmi\QuickTime
2007-12-23 19:05 . 2007-12-23 19:05 <DIR> d-------- C:\Programmi\File comuni\Apple
2007-12-23 19:05 . 2007-12-23 19:05 <DIR> d-------- C:\Programmi\Apple Software Update
2007-12-23 19:05 . 2007-12-23 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Apple
2007-12-23 19:05 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 11:10 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\SolidWorks
2008-01-18 20:20 253,952 ------w C:\WINDOWS\Setup1.exe
2008-01-14 14:17 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\DivX
2008-01-02 19:55 --------- d-----w C:\Programmi\Windows Live
2007-12-28 17:37 --------- d--h--w C:\Programmi\InstallShield Installation Information
2007-12-27 20:37 --------- d-----w C:\Programmi\File comuni\PCSuite
2007-12-23 19:59 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\dvdcss
2007-12-23 18:06 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer
2007-12-20 18:39 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-16 11:34 --------- d-----w C:\Programmi\Windows Media Bonus Pack for Windows XP
2007-12-16 11:22 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Installations
2007-12-13 20:31 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\Ahead
2007-12-08 12:20 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\PC Suite
2007-12-05 19:49 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\Nokia
2007-12-05 18:09 --------- d-----w C:\Programmi\TomTom DesktopSuite
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-02 17:06 --------- d-----w C:\Programmi\DivX
2007-12-02 13:41 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\TomTom
2007-12-02 13:41 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\InstallShield
2007-12-02 13:41 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\TomTom
2007-12-01 17:45 --------- d-----w C:\Programmi\Electronic Arts
2007-11-25 09:35 --------- d-----w C:\Programmi\EA SPORTS
2007-11-07 16:22 73,216 ------w C:\WINDOWS\ST6UNST.EXE
2007-04-05 19:20 87,608 ----a-w C:\Documents and Settings\User\Dati applicazioni\ezpinst.exe
2007-04-05 19:20 47,360 ----a-w C:\Documents and Settings\User\Dati applicazioni\pcouffin.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 79,224 2007-12-04 13:00:23 C:\Programmi\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-12-04 13:00:23 C:\Programmi\Alwil Software\Avast4\ashDisp.exe
----a-w 139,264 2004-12-10 10:49:08 C:\Programmi\Multimedia Card Reader\bak\shwicon2k.exe
----a-w 14,348 2007-12-29 18:46:20 C:\Programmi\Multimedia Card Reader\shwicon2k.exe
----a-w 286,720 2007-12-11 09:56:54 C:\Programmi\QuickTime\bak\QTTask.exe
----a-w 14,348 2007-12-29 18:46:20 C:\Programmi\QuickTime\QTTask.exe
----a-w 5,728,112 2007-10-19 17:02:35 C:\Programmi\Windows Live\Messenger\bak\MsnMsgr.Exe
----a-w 5,724,184 2008-01-02 20:02:05 C:\Programmi\Windows Live\Messenger\msnmsgr.exe
----a-w 15,360 2004-08-19 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-19 12:00:00 C:\WINDOWS\system32\ctfmon.exe
----a-w 267,048 2007-12-11 11:10:26 D:\Programmi\iTunes\bak\iTunesHelper.exe
----a-w 14,348 2007-12-29 18:46:20 D:\Programmi\iTunes\iTunesHelper.exe
----a-w 695,808 2007-12-10 09:12:22 D:\Programmi\Nokia\Nokia PC Suite 6\bak\PCSuite.exe
----a-w 695,808 2007-12-10 09:12:22 D:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe
----a-w 378,784 2007-10-31 09:19:50 D:\Programmi\TomTom HOME 2\bak\HOMERunner.exe
----a-w 14,348 2007-12-29 18:46:20 D:\Programmi\TomTom HOME 2\HOMERunner.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 13:00 15360]
"MsnMsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.exe" [2008-01-02 21:02 5724184]
"PC Suite Tray"="D:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"BearShare"="D:\Programmi\BearShare\BearShare.exe" [ ]
"TomTomHOME.exe"="d:\Programmi\TomTom HOME 2\HOMERunner.exe" [2007-12-29 19:46 14348]
"QuickTime Task"="C:\Programmi\QuickTime\bak\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="D:\Programmi\iTunes\iTunesHelper.exe" [2007-12-29 19:46 14348]
"Sunkist2k"="C:\Programmi\Multimedia Card Reader\shwicon2k.exe" [2007-12-29 19:46 14348]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 13:00 15360]
"Nokia.PCSync"="D:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
WinManager.lnk - C:\Programmi\PC-TV\WinManager\WinManager.exe [2007-11-18 13:28:55]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap
La chiave di registro SafeBoot ha bisogno di essere riparata. Questo pc non può avviarsi in Modalità Provvisoria.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^Avvio veloce di Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\Avvio veloce di Adobe Reader.lnk
backup=C:\WINDOWS\pss\Avvio veloce di Adobe Reader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-29 19:46 14348 C:\Programmi\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-06-28 07:54 16248320 C:\WINDOWS\RTHDCPL.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe
R1 LUMDriver;LUMDriver;C:\WINDOWS\system32\drivers\LUMDriver.sys [2006-10-13 21:53]
R2 SolidWorks SolidNetWork License Manager;SolidWorks SolidNetWork License Manager;C:\Documents and Settings\User\Desktop\flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe [2003-03-26 08:00]
R3 axvbusx;axvbusx;C:\WINDOWS\system32\DRIVERS\axvbusx.sys [2003-01-31 20:43]
R3 axvscsi;axvscsi;C:\WINDOWS\system32\DRIVERS\axvscsi.sys [2003-01-31 20:43]
S3 UDTT7049;DTV-DVB UDTT7049 - USB 2.0 DVB-T Receiver;C:\WINDOWS\system32\Drivers\UDTT7049.sys [2006-06-29 08:58]
S3 UDTT7049HID;UDTT7049HID - HID Driver;C:\WINDOWS\system32\drivers\UDTT7049HID.sys [2006-06-29 03:04]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{285466f7-7e3b-11dc-b819-00138ff990b8}]
\Shell\AutoRun\command - G:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{879b04ba-9db3-11dc-b844-00138ff990b8}]
\Shell\AutoRun\command - G:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cf82794b-a0da-11dc-b849-00138ff990b8}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-19 12:14:54
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
.
Ora fine scansione: 2008-01-19 12:17:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 11:17:33
Here is the ComboFix log....
What should I do?
GX Style (Hero)
Registered: 11/07/07 11:44  Posts: 47
Posted: 19 Jan 2008 19:34

Here is what EliBagle says:
Wed Jul 11 11:39:54 2007
EliBagle v10.44 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
Restaurada Clave: "SafeBoot\Minimal y Network"
Wed Jul 11 11:40:37 2007
EliBagle v10.44 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
C:\WINDOWS\system32\FLEC003.EXE --> Eliminado Bagle.dldr
Sat Jan 19 18:28:06 2008
EliBagle v10.89 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
Restaurada Clave: "SafeBoot\Minimal y Network"
Sat Jan 19 18:28:16 2008
EliBagle v10.89 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\
Nº Total de Directorios: 7776
Nº Total de Ficheros: 67343
Nº de Ficheros Analizados: 9308
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0
Sat Jan 19 18:31:11 2008
EliBagle v10.89 (c)2008 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad D:\
Nº Total de Directorios: 1547
Nº Total de Ficheros: 31707
Nº de Ficheros Analizados: 2145
Nº de Ficheros Infectados: 0
Nº de Ficheros Limpiados: 0
GX Style (Hero)
Registered: 11/07/07 11:44  Posts: 47
Posted: 19 Jan 2008 19:36

And here is FindAWF:
Find AWF report by noahdfear ©2006
Version 1.40
bak folders found
~~~~~~~~~~~
Il volume nell'unità C non ha etichetta.
Numero di serie del volume: 3C1D-4E26
Directory di C:\PROGRA~1\MULTIM~1\BAK
10/12/2004 11.49 139.264 shwicon2k.exe
1 File 139.264 byte
2 Directory 32.745.885.696 byte disponibili
Il volume nell'unità C non ha etichetta.
Numero di serie del volume: 3C1D-4E26
Directory di C:\PROGRA~1\QUICKT~1\BAK
11/12/2007 10.56 286.720 QTTask.exe
1 File 286.720 byte
2 Directory 32.745.885.696 byte disponibili
Il volume nell'unità C non ha etichetta.
Numero di serie del volume: 3C1D-4E26
Directory di C:\WINDOWS\SYSTEM32\BAK
19/08/2004 13.00 15.360 ctfmon.exe
1 File 15.360 byte
2 Directory 32.745.881.600 byte disponibili
Il volume nell'unità C non ha etichetta.
Numero di serie del volume: 3C1D-4E26
Directory di C:\PROGRA~1\ALWILS~1\AVAST4\BAK
04/12/2007 14.00 79.224 ashDisp.exe
1 File 79.224 byte
2 Directory 32.745.881.600 byte disponibili
Il volume nell'unità C non ha etichetta.
Numero di serie del volume: 3C1D-4E26
Directory di C:\PROGRA~1\WI1F86~1\MESSEN~1\BAK
19/10/2007 18.02 5.728.112 MsnMsgr.Exe
1 File 5.728.112 byte
2 Directory 32.745.881.600 byte disponibili
Il volume nell'unità D non ha etichetta.
Numero di serie del volume: 7C5A-2317
Directory di D:\PROGRA~1\BEARSH~1\BAK
0 File 0 byte
2 Directory 99.279.245.312 byte disponibili
Il volume nell'unità D non ha etichetta.
Numero di serie del volume: 7C5A-2317
Directory di D:\PROGRA~1\ITUNES\BAK
11/12/2007 12.10 267.048 iTunesHelper.exe
1 File 267.048 byte
2 Directory 99.279.245.312 byte disponibili
Il volume nell'unità D non ha etichetta.
Numero di serie del volume: 7C5A-2317
Directory di D:\PROGRA~1\TOMTOM~1\BAK
31/10/2007 10.19 378.784 HOMERunner.exe
1 File 378.784 byte
2 Directory 99.279.245.312 byte disponibili
Il volume nell'unità D non ha etichetta.
Numero di serie del volume: 7C5A-2317
Directory di D:\PROGRA~1\NOKIA\NOKIAP~1\BAK
10/12/2007 10.12 695.808 PCSuite.exe
1 File 695.808 byte
2 Directory 99.279.245.312 byte disponibili
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
14348 29 Dec 2007 "C:\Programmi\Multimedia Card Reader\shwicon2k.exe"
139264 10 Dec 2004 "C:\Programmi\Multimedia Card Reader\bak\shwicon2k.exe"
14348 29 Dec 2007 "C:\Programmi\QuickTime\QTTask.exe"
286720 11 Dec 2007 "C:\Programmi\QuickTime\bak\QTTask.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 19 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
79224 4 Dec 2007 "C:\Programmi\Alwil Software\Avast4\ashDisp.exe"
79224 4 Dec 2007 "C:\Programmi\Alwil Software\Avast4\bak\ashDisp.exe"
5724184 2 Jan 2008 "C:\Programmi\Windows Live\Messenger\msnmsgr.exe"
5728112 19 Oct 2007 "C:\Programmi\Windows Live\Messenger\bak\MsnMsgr.Exe"
102400 23 Dec 2007 "C:\WINDOWS\Installer\{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}\iTunesIco.exe"
116008 11 Dec 2007 "C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
14348 29 Dec 2007 "D:\Programmi\iTunes\iTunesHelper.exe"
267048 11 Dec 2007 "D:\Programmi\iTunes\bak\iTunesHelper.exe"
196608 22 Jun 2004 "D:\Programmi\iTunes\iTunes Art Importer\iTunesArtImport.exe"
14348 29 Dec 2007 "D:\Programmi\TomTom HOME 2\HOMERunner.exe"
378784 31 Oct 2007 "D:\Programmi\TomTom HOME 2\bak\HOMERunner.exe"
695808 10 Dec 2007 "D:\Programmi\Nokia\Nokia PC Suite 6\PCSuite.exe"
695808 10 Dec 2007 "D:\Programmi\Nokia\Nokia PC Suite 6\bak\PCSuite.exe"
end of report
bdoriano (Administrator)
Registered: 02/04/07 12:05  Posts: 14391  Location: 3rd planet of the solar system...
Posted: 19 Jan 2008 20:40

Download Avenger and unpack it into a folder of its own, not a temporary one and not on the desktop.
Start AVENGER.
Click "input script manually".
Click the magnifying glass.
Enter these lines:
Quote:
Files to delete:
C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\Programmi\QuickTime\QTTask.exe
D:\Programmi\iTunes\iTunesHelper.exe
D:\Programmi\TomTom HOME 2\HOMERunner.exe

Files to move:
C:\Programmi\Multimedia Card Reader\bak\shwicon2k.exe | C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\Programmi\QuickTime\bak\QTTask.exe | C:\Programmi\QuickTime\QTTask.exe
D:\Programmi\iTunes\bak\iTunesHelper.exe | D:\Programmi\iTunes\iTunesHelper.exe
D:\Programmi\TomTom HOME 2\bak\HOMERunner.exe | D:\Programmi\TomTom HOME 2\HOMERunner.exe

Click Done.
Click the traffic light.
The PC should reboot; if it doesn't, reboot it yourself.
When the operation is finished, post the Avenger result here together with an updated HijackThis log.
Run these scans with GMER and post the logs on FreeFileHosting as indicated here.
Connect to the Kaspersky on-line scanner and run the extended scan, as indicated here.
Save the scan result to a file (HTML format), upload the file to Freefilehosting and post the link you are given here.
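The FindAWF report above and the Avenger script that answers it illustrate one infection pattern: the original executable referenced by an autostart entry is moved into a sibling "bak" directory and replaced by a small stand-in of identical size (14,348 bytes here) that launches both the dropper and the real program, which is why the machine "connected on its own". The script below is an added example, not code from the thread or from noahdfear's FindAWF tool. It walks a directory tree, pairs every file in a "bak" folder with its same-named sibling, and classifies the pairs the way the helpers did: a live file that differs from its backup and whose exact size recurs across unrelated programs is a stand-in; a differing pair with a unique size (the msnmsgr.exe update in the report) is left for manual review; identical pairs (ctfmon.exe, ashDisp.exe) are benign leftovers. The demo tree it builds is constructed: the file names and sizes come from the report on this page, the contents are zero-filled filler.

```python
import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BakPair:
    live: str         # executable the autostart entry points at
    backup: str       # same-named file in the sibling "bak" directory
    live_size: int
    backup_size: int


def find_bak_pairs(root: str) -> List[BakPair]:
    """Pair each file under a directory named 'bak' with the same-named file one level up."""
    pairs: List[BakPair] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        # Case-insensitive match: the report pairs MsnMsgr.Exe with msnmsgr.exe.
        siblings = {f.lower(): f for f in os.listdir(parent)
                    if os.path.isfile(os.path.join(parent, f))}
        for name in filenames:
            live_name = siblings.get(name.lower())
            if live_name is None:
                continue  # orphan backup with nothing to compare against
            live = os.path.join(parent, live_name)
            backup = os.path.join(dirpath, name)
            pairs.append(BakPair(live, backup, os.path.getsize(live), os.path.getsize(backup)))
    return sorted(pairs, key=lambda p: p.live.lower())


def classify(pairs: List[BakPair]) -> Dict[str, List[BakPair]]:
    """
    stub   : live differs from backup and its exact size recurs in other changed live files
    review : live differs from backup but the size is unique (could be a legitimate update)
    benign : live and backup have the same size
    """
    changed = [p for p in pairs if p.live_size != p.backup_size]
    size_count = Counter(p.live_size for p in changed)
    result: Dict[str, List[BakPair]] = {"stub": [], "review": [], "benign": []}
    for p in pairs:
        if p.live_size == p.backup_size:
            result["benign"].append(p)
        elif size_count[p.live_size] >= 2:
            result["stub"].append(p)
        else:
            result["review"].append(p)
    return result


def names(pairs: List[BakPair]) -> List[str]:
    return sorted(os.path.basename(p.live) for p in pairs)


def restore_script(stubs: List[BakPair]) -> str:
    """Render the 'Files to delete' / 'Files to move' list in the form the thread's Avenger script uses."""
    lines = ["Files to delete:"] + [p.live for p in stubs]
    lines += ["Files to move:"] + [f"{p.backup} | {p.live}" for p in stubs]
    return "\n".join(lines)


# Constructed layout: (directory, file name, live size, bak size), sizes taken from the report.
DEMO_LAYOUT = [
    ("Programmi/Multimedia Card Reader", "shwicon2k.exe", 14348, 139264),
    ("Programmi/QuickTime", "QTTask.exe", 14348, 286720),
    ("Programmi/iTunes", "iTunesHelper.exe", 14348, 267048),
    ("Programmi/TomTom HOME 2", "HOMERunner.exe", 14348, 378784),
    ("Programmi/Windows Live/Messenger", "msnmsgr.exe", 5724184, 5728112),
    ("WINDOWS/system32", "ctfmon.exe", 15360, 15360),
    ("Programmi/Alwil Software/Avast4", "ashDisp.exe", 79224, 79224),
]


def build_demo_tree(root: str) -> None:
    """Create zero-filled files of the listed sizes (sparse via truncate, so this is fast)."""
    for rel_dir, name, live_size, bak_size in DEMO_LAYOUT:
        live_dir = os.path.join(root, rel_dir)
        bak_dir = os.path.join(live_dir, "bak")
        os.makedirs(bak_dir, exist_ok=True)
        for path, size in ((os.path.join(live_dir, name), live_size),
                           (os.path.join(bak_dir, name), bak_size)):
            with open(path, "wb") as f:
                f.truncate(size)


def run_demo() -> Dict[str, List[BakPair]]:
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return classify(find_bak_pairs(root))


if __name__ == "__main__":
    verdicts = run_demo()
    for label, pairs in verdicts.items():
        print(f"{label}: {names(pairs)}")
    print(restore_script(verdicts["stub"]))
```

The size-recurrence heuristic is what separates the four 14,348-byte stand-ins from the msnmsgr.exe pair, which differs only because Messenger was updated after its copy landed in bak; on a real system the "review" bucket is where you check the publisher signature before touching anything.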
GX Style (Hero)
Registered: 11/07/07 11:44  Posts: 47
Posted: 20 Jan 2008 13:38

The Avenger log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tnpbaewl
*******************
Script file located at: \??\C:\WINDOWS\system32\omfbnytt.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\Programmi\Multimedia Card Reader\shwicon2k.exe deleted successfully.
File C:\Programmi\QuickTime\QTTask.exe deleted successfully.
File D:\Programmi\iTunes\iTunesHelper.exe deleted successfully.
File D:\Programmi\TomTom HOME 2\HOMERunner.exe deleted successfully.
File move operation C:\Programmi\Multimedia Card Reader\bak\shwicon2k.exe|C:\Programmi\Multimedia Card Reader\shwicon2k.exe completed successfully.
File move operation C:\Programmi\QuickTime\bak\QTTask.exe|C:\Programmi\QuickTime\QTTask.exe completed successfully.
File move operation D:\Programmi\iTunes\bak\iTunesHelper.exe|D:\Programmi\iTunes\iTunesHelper.exe completed successfully.
File move operation D:\Programmi\TomTom HOME 2\bak\HOMERunner.exe|D:\Programmi\TomTom HOME 2\HOMERunner.exe completed successfully.
Completed script processing.
*******************
Finished! Terminate.
GX Style (Hero)
Registered: 11/07/07 11:44  Posts: 47
Posted: 20 Jan 2008 13:42

The two GMER logs.
Autostart Scan: http://www.freefilehosting.net/download/3ailj
Rootkit Scan: http://www.freefilehosting.net/download/3ailk
PS: At the moment the avast! script blocker problem seems to be gone, but let's see if there is any other junk... XD
Orange (Mature god)
Registered: 18/02/07 13:20  Posts: 2224  Location: Roma
Posted: 21 Jan 2008 10:15

Hi,
the GMER logs don't show anything suspicious,
but to be safe follow bdoriano's instructions:
bdoriano wrote:
> Connect to the Kaspersky on-line scanner and run the extended scan, as indicated here.
> Save the scan result to a file (HTML format), upload the file to Freefilehosting and post the link you are given here.