Olimpo Informatico

[Silent Runner]

Urge consulto: mi hanno consegnato un pc con un dialer che impedisce la regolare connessione via modem, malgrado sul pc fosse installato un antidialer il quale non rivela niente: il pc semplicemente si disconnette e tenta inutilmente di connettersi ad un altro numero ma senza successo.

con una scanzione AVG ho trovato in file infetto denominato winsys.dll che si ripresenta ad ogni riavvio. AVG ha inoltre trovato un file in .../user/impostazioni locali/temp/dm_0233.exe

Inoltre, ieri, dopo un tentativo di spegnimento il pc sì è riacceso da solo e dopo svariati infruttuosi tentativi ho dovuto spegnerlo con il pulsante sul case.
Al riavvio si è riaperto come se avessi appena installato, senza registrarlo, il S.O. Ho rifatto la registrazione online (avevo installato provvisoramente una connessione wireless) e la registrazione è andata a buon fine. Riavviatosi regolarmente e ritrovatto tuttii settaggi intatti, AVG è andato il tilt ed ho dovuto reinstallarlo di nuovo.

Ho fatto una scansione coin Hijackthis e questo è il risultato:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.05.19, on 13/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\lwsys32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Programmi\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmi\Canon\CAL\CALMAIN.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\User\IMPOST~1\Temp\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OM_Monitor] C:\Programmi\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Flash Driver] C:\DOCUME~1\User\IMPOST~1\Temp\winlogon.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Programmi\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKLM\..\Policies\Explorer\Run: [7F45W5T68K] C:\WINDOWS\wsysst32.exe
O4 - HKLM\..\Policies\Explorer\Run: [update32] C:\WINDOWS\lwsys32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digisoft AntiDialer.lnk = C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Salva oggetto con Star Downloader - C:\Programmi\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153862948531
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://marsillairomod.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 8403 bytes

[bdoriano]

Ciao Silent,

• Disabilita il ripristino di sistema.
  
• Scarica ATF-Cleaner.
  Avvia ATF-Cleaner (serve a eliminare i files temporanei)
  Metti il segno di spunta a Select All (come indicato in figura)
  (se vuoi conservare i files del cestino, togli il segno di spunta a Recycle bin)
  
  Clicca su
  
  Se attiva, clicca sulla voce FireFox
  Metti il segno di spunta a Firefox caches e Firefox cookies (come indicato in figura)
  
  Clicca su
  
  Se attiva, clicca sulla voce Opera
  Metti il segno di spunta a Opera caches e Opera cookies (come indicato in figura)
  
  Clicca su
  
• Scarica Norman Malware Cleaner e drWeb CureIt.
  
• Avvia il pc in modalità provvisoria.
  
• Avvia drWeb CureIt e fagli fare la scansione completa.
  
• Avvia Norman Malware Cleaner e fagli fare la scansione completa.
  Viene generato un log sul desktop chiamandolo NFix_2008-03-gg_hh-mm-ss.log, alla fine della scansione caricalo su FreeFileHosting come indicato qui e posta il link che ti viene assegnato.
  
• Segui le istruzioni di questo topic per postare il log di combofix.

[Silent Runner]

Uh, mamma mia quante cose da fare! Ci provo subito e poi torno.
Grazie bdoriano!

[bdoriano]

Buon lavoro!!!

[Silent Runner]

Che strano: ho fatto tutto quanto mi hai detto (prima ATF Cleaner e, ovviamente, solo dopo aver disattivato il ripristino di sistema drWeb CureIt con il pc in modalità provvisoria ) e quasi verso la fine della scansione il pc si è riavviato da solo.
E' normale? devo ricominciare da capo?

[bdoriano]

No, non è normale...
Prova a vedere se ti fa lo stesso scherzo anche con Norman

[Silent Runner]

Ok, ricomincio da capo (senza ripetere la procedura della disattivazione del ripristino di sistema, adesso ancora disattivata? voglio dire: devo ripassare di nuovo con ATF Cleaner? Suppongo che male non faccia).
P.s. sto facendo un controllo con AVG e sembra non trovare niente..
vado e poi ti dico coem è andata.
Grazie per la celerità.

[bdoriano]

Se ti si blocca ancora, vai direttamente al passaggio di combofix, almeno abbiamo un log più aggiornato su cui lavorare.

[Silent Runner]

Ok, ha trovato questo: C:\svcipa.exe (infettato da Zonebac.gen.1) e sta facendo lo scannig dei file inseriti dall'utente. Sembra andare avanti bene... almeno per ora.

Edit: Macché sta trovando altra roba...

...e tutta nei file temp. Strano, nella scansione che ho fatto prima di far partire Norman non c'erano più file temp.

Per ora sta continuando ma credo che impiegherà almeno un altro paio d'ore..
Semmai ci risentiamo domani.

Grazie di tutto, per ora.

[Silent Runner]

Ma scusa... non doveva rilasciami un file log?

ah, no.. forse è Dr.Web che rilascia un file log.. adesso ci riprovo...

Ok, fatto nessun virus trovato (li ha eliminati l'altro programma)
Adesso chiudo e domani provo a ripassare l'ultimo tool chemi hai segnalato.

Ciao

[Silent Runner]

RIECCOCI:

Dopo numerose peripezie (il pc si riavviava da solo anche durante le scansioni) sono riuscito a ottenere questa risposta da combofix.

ComboFix 08-03-10.1 - User 2008-03-14 15:45:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.640 [GMT 1:00]
Eseguito da: C:\Documents and Settings\User\Desktop\SCARICAMENTO SICUREZZA\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-02-14 al 2008-03-14 )))))))))))))))))))))))))))))))))))
.

2008-03-14 15:37 . 2008-03-14 15:43 5,120 --a------ C:\WINDOWS\winsyn.dll
2008-03-13 16:04 . 2008-03-13 16:04 <DIR> d-------- C:\Documents and Settings\User\DoctorWeb
2008-03-13 16:01 . 2006-07-24 20:18 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-03-13 16:01 . 2006-07-25 22:29 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-03-13 16:01 . 2006-07-24 21:50 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-03-13 16:01 . 2006-07-24 21:50 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-03-13 16:01 . 2006-07-26 23:28 <DIR> dr------- C:\Documents and Settings\Administrator\Preferiti
2008-03-13 16:01 . 2006-07-24 19:53 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-03-13 16:01 . 2006-07-24 21:50 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-03-13 16:01 . 2006-07-24 21:50 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-03-13 16:01 . 2006-07-26 23:28 <DIR> dr------- C:\Documents and Settings\Administrator\Documenti
2008-03-13 16:01 . 2006-07-26 23:28 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-03-13 16:01 . 2008-02-05 15:21 0 --ah----- C:\Documents and Settings\Administrator\hpothb07.dat
2008-03-13 12:04 . 2008-03-13 12:04 <DIR> d-------- C:\Programmi\Trend Micro
2008-03-12 16:18 . 2008-03-12 16:18 12,598 --a------ C:\WINDOWS\system32\wpa.bak
2008-03-12 12:01 . 2008-03-12 12:01 <DIR> d-------- C:\Programmi\CCleaner
2008-03-12 10:47 . 2008-03-12 10:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-12 10:47 . 2008-03-12 10:49 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-12 10:02 . 2008-03-12 10:21 <DIR> d-------- C:\WINDOWS\system32\it-it
2008-03-12 09:45 . 2005-10-19 18:19 1,327,189 --a------ C:\WINDOWS\system32\odSupp_M.dll
2008-03-12 09:45 . 2005-11-22 20:56 630,784 --a------ C:\WINDOWS\system32\ANIWZCS2.dll
2008-03-12 09:45 . 2005-11-22 20:55 237,568 --a------ C:\WINDOWS\system32\wlanapi.dll
2008-03-12 09:45 . 2005-10-19 18:19 204,800 --a------ C:\WINDOWS\system32\aIPH.dll
2008-03-12 09:45 . 2005-11-23 10:10 163,840 --a------ C:\WINDOWS\system32\WlanApp.dll
2008-03-12 09:45 . 2005-10-19 18:19 57,407 --a------ C:\WINDOWS\system32\ANICtl.dll
2008-03-12 09:45 . 2005-10-27 08:55 49,152 --a------ C:\WINDOWS\system32\JJAKEn.dll
2008-03-12 09:45 . 2005-10-19 18:19 49,152 --a------ C:\WINDOWS\system32\AQCKGen.dll
2008-03-12 09:44 . 2008-03-12 09:44 <DIR> d-------- C:\Programmi\D-Link
2008-03-12 09:44 . 2008-03-12 09:45 <DIR> d-------- C:\Programmi\ANI
2008-03-12 09:44 . 2005-11-10 07:13 50,176 --a------ C:\WINDOWS\system32\ANIO64.sys
2008-03-12 09:44 . 2005-10-21 15:56 36,864 --a------ C:\WINDOWS\system32\ANIOApi.dll
2008-03-12 09:44 . 2005-11-09 15:44 24,288 --a------ C:\WINDOWS\system32\ANIO.sys
2008-03-12 09:44 . 2004-10-14 10:29 16,997 --a------ C:\WINDOWS\system32\ANIO.VXD
2008-03-12 09:44 . 2004-10-14 10:29 11,904 --a------ C:\WINDOWS\system32\anio4.sys
2008-02-26 20:01 . 2001-09-30 19:10 246,784 --a------ C:\WINDOWS\system32\ActiveSkin.ocx
2008-02-26 20:01 . 2001-05-24 12:59 162,304 --a------ C:\UNWISE.EXE
2008-02-26 20:01 . 2002-01-18 18:12 112 --a------ C:\WINDOWS\ActiveSkin.INI
2008-02-25 17:10 . 2008-02-25 17:09 15,872 --a------ C:\WINDOWS\wsysst32.exe
2008-02-25 17:09 . 2008-02-25 17:09 15,872 --a------ C:\Documents and Settings\User\kvernq.exe
2008-02-25 09:24 . 2008-02-25 09:24 <DIR> d-------- C:\Programmi\MSXML 4.0
2008-02-20 18:14 . 2008-02-20 18:14 <DIR> d-------- C:\Programmi\Passion Audio Player
2008-02-19 21:25 . 2008-02-20 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Messenger Plus!
2008-02-19 20:05 . 2008-02-19 20:05 <DIR> d-------- C:\Programmi\Windows Live
2008-02-19 20:05 . 2008-02-19 20:05 <DIR> d-------- C:\Programmi\Messenger Plus! Live
2008-02-19 08:31 . 2008-03-12 10:09 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-02-19 08:27 . 2007-07-30 19:19 38,232 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-02-19 08:27 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-02-19 08:27 . 2007-07-30 19:20 30,040 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-02-19 08:27 . 2007-07-30 19:18 21,336 --a------ C:\WINDOWS\system32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 08:01 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\AVG7
2008-03-13 16:49 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\U3
2008-03-12 15:43 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\avg7
2008-03-12 14:38 --------- d-----w C:\Programmi\Star Downloader
2008-03-12 09:51 --------- d-----w C:\Programmi\Windows Media Connect 2
2008-03-12 09:10 --------- d-----w C:\Programmi\Digisoft AntiDialer
2008-03-12 08:45 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-03-09 19:02 1,581 ---ha-w C:\hpothb07.dat
2008-02-24 12:47 230,432 ----a-w C:\StiImg.dat
2008-02-19 19:05 --------- d-----w C:\Programmi\MSN Messenger
2008-02-05 14:21 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
2008-02-05 14:21 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2008-01-21 16:25 --------- d-----w C:\Programmi\EA GAMES
2008-01-21 14:32 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-01-21 14:32 --------- d--h--r C:\Documents and Settings\User\Dati applicazioni\SecuROM
2008-01-16 00:19 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\Babylon
2008-01-16 00:19 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Babylon
2008-01-02 13:51 77,728 ----a-w C:\Documents and Settings\User\Dati applicazioni\GDIPFONTCACHEV1.DAT
2007-06-18 10:57 498,688 ----a-w C:\Programmi\FLV PlayerRCSetup.exe
2006-11-21 17:07 0 -c--a-w C:\Documents and Settings\User\Dati applicazioni\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-14_15.36.20,01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-14 14:43:17 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_458.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"OM_Monitor"="C:\Programmi\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-11-29 19:19 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 10:09 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 16:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 16:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 16:22 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-05-28 01:04 122939]
"UpdateManager"="C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-12 16:45 579072]
"OM_Monitor"="C:\Programmi\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-11-29 19:19 40960]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10 49263]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-09-06 09:38 282624]
"ANIWZCS2Service"="C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-12 16:43 219136]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Digisoft AntiDialer.lnk - C:\Programmi\Digisoft AntiDialer\AntiDialer.exe [2003-08-19 15:53:40 730112]
hp psc 1000 series.lnk - C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]
hpoddt01.exe.lnk - C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"7F45W5T68K"= C:\WINDOWS\wsysst32.exe
"update32"= C:\WINDOWS\lwsys32.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\MSN Messenger\\livecall.exe"=
"C:\\DOCUME~1\\User\\IMPOST~1\\Temp\\winlogon.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Programmi\\Grisoft\\AVG7\\avgemc.exe"=

S3 PAC207;Trust WB-1400T Webcam;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-02-24 11:29]
S3 PortlUSB;PortlUSB;C:\WINDOWS\system32\DRIVERS\YH920GS.sys [2004-06-24 13:52]
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 22:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0c9385c0-5f96-11dc-ac17-0016ecdc6174}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{362fec0f-4fc7-11dc-abf1-0016ecdc6174}]
\Shell\Auto\command - fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5954fb42-e92e-11dc-ad92-0016ecdc6174}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97e6d61b-4677-11dc-abd6-0016ecdc6174}]
\Shell\Auto\command - fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cae46d80-4a71-11dc-abe1-0016ecdc6174}]
\Shell\Auto\command - fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

.
Contenuto della cartella 'Scheduled Tasks'
"2008-03-09 23:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-02-26 08:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-12 09:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-12 10:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-13 11:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-13 12:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-13 13:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-13 14:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-12 15:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-13 16:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-10 17:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-02-25 00:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-10 18:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-10 19:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-10 20:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-10 21:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-03-10 22:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-02-25 01:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-01-27 10:52:35 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-01-27 10:52:35 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-01-27 10:52:35 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-01-27 10:52:35 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-02-24 06:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2008-02-26 07:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\wKNLXNW0.exe
"2007-03-03 11:13:24 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1164189699.job"
- C:\Programmi\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-14 15:48:34
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

? [4012]

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-03-14 15:49:07
.
2008-03-14 08:03:15 --- E O F ---

_____________________________________________________________


e questo è l'ultimo hijackthis...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16.04.21, on 14/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\lwsys32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Canon\CAL\CALMAIN.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programmi\internet explorer\iexplore.exe
C:\Programmi\File comuni\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\User\IMPOST~1\Temp\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OM_Monitor] C:\Programmi\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Flash Driver] C:\DOCUME~1\User\IMPOST~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Programmi\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKLM\..\Policies\Explorer\Run: [7F45W5T68K] C:\WINDOWS\wsysst32.exe
O4 - HKLM\..\Policies\Explorer\Run: [update32] C:\WINDOWS\lwsys32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digisoft AntiDialer.lnk = C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Salva oggetto con Star Downloader - C:\Programmi\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153862948531
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://marsillairomod.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 8203 bytes


_____________________________________________________________

queste ultime scanzioni le ho fatte senza cancellare il troian che AVG segnalava (tanto era inutile)

Combofix è stato eseguito con l'antivirus spento.

[bdoriano]

Scarica avenger e scompattalo in una sua cartella non temporanea e non sul desktop

Avvia AVENGER
Clicca Ok
Inserisci queste righe nel riquadro bianco:

[Silent Runner]

Grazie, lo farò subito: a tiutolo di informazione ti mostro questi dati che provengono da Dr. Web



inoltre qui di seguito i due file log di morman ieri (con alcuni virus) e oggi. (senza). ma all'avvio AVG ritrova sempre lo stesso problema.

Norman Malware Cleaner
Copyright © 1990 - 2008, Norman ASA. Built 2008/03/09 20:10:13

Norman Scanner Engine Version: 5.91.10
Nvcbin.def Version: 5.90.00, Date: 2008/03/09 20:10:13, Variants: 1383781

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Home 5.1.2600(Safe mode) Service Pack 2
Logged on user: NXT\User

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\User\IMPOST~1\Temp\winlogon.exe" -> "C:\WINDOWS\System32\userinit.exe,"

Scan started: 13/03/2008 17:53:52


Scanning running processes and process memory...

Number of processes/threads found: 603
Number of processes/threads scanned: 603
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 18s


Scanning file system...

Scanning: C:\*.*

C:\svcipa.exe (Infected with Zonebac.gen1)
Deleted file

C:\Documents and Settings\User\Impostazioni locali\Temp\jar_cache31513.tmp/DialerMiniComando.exe (Infected with W32/Diamin.AKD)
Deleted file

C:\Documents and Settings\User\Impostazioni locali\Temp\jar_cache31514.tmp/DialerMiniComando.exe (Infected with W32/Diamin.AKD)
Deleted file

C:\Documents and Settings\User\Impostazioni locali\Temp\Temporary Internet Files\Content.IE5\4XU70LYJ\f9c193a04b1b40d4c63eac1ab321bb2a[1] (Infected with Zonebac.gen1)
Deleted file

Scanning: D:\*.*

Scanning: c:\System Volume Information\*.*


Running post-scan cleanup routine:
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\User\IMPOST~1\Temp\winlogon.exe" -> "C:\WINDOWS\System32\userinit.exe,"

Number of files found: 97850
Number of archives unpacked: 6173
Number of files scanned: 97828
Number of files not scanned: 22
Number of files skipped due to exclude list: 0
Number of infected files found: 4
Number of infected files repaired/deleted: 4
Number of infections removed: 4
Total scanning time: 49m 22s


+++++++++++++++++++++++++++++++++++++++++



Norman Malware Cleaner
Copyright © 1990 - 2008, Norman ASA. Built 2008/03/09 20:10:13

Norman Scanner Engine Version: 5.91.10
Nvcbin.def Version: 5.90.00, Date: 2008/03/09 20:10:13, Variants: 1383781

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Home 5.1.2600(Safe mode) Service Pack 2
Logged on user: NXT\Administrator

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\User\IMPOST~1\Temp\winlogon.exe" -> "C:\WINDOWS\System32\userinit.exe,"

Scan started: 14/03/2008 18:11:39


Scanning running processes and process memory...

Number of processes/threads found: 705
Number of processes/threads scanned: 705
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 20s


Scanning file system...

Scanning: C:\*.*

Scanning: D:\*.*


Running post-scan cleanup routine:

Number of files found: 89082
Number of archives unpacked: 5638
Number of files scanned: 89061
Number of files not scanned: 21
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 46m 0s


++++++++++++++++++++++++++++++++++++++++++++++

[Silent Runner]

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Fri Mar 14 19:30:13 2008

19:30:13: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Fri Mar 14 19:31:31 2008

19:31:31: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Documents and Settings\User\kvernq.exe" deleted successfully.
File "C:\WINDOWS\lwsys32.exe" deleted successfully.
File "C:\WINDOWS\wsysst32.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\wKNLXNW0.exe" not found!
Deletion of file "C:\WINDOWS\system32\wKNLXNW0.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\Tasks\At1.job" deleted successfully.
File "C:\WINDOWS\Tasks\At10.job" deleted successfully.
File "C:\WINDOWS\Tasks\At11.job" deleted successfully.
File "C:\WINDOWS\Tasks\At12.job" deleted successfully.
File "C:\WINDOWS\Tasks\At13.job" deleted successfully.
File "C:\WINDOWS\Tasks\At14.job" deleted successfully.
File "C:\WINDOWS\Tasks\At15.job" deleted successfully.
File "C:\WINDOWS\Tasks\At16.job" deleted successfully.
File "C:\WINDOWS\Tasks\At17.job" deleted successfully.
File "C:\WINDOWS\Tasks\At18.job" deleted successfully.
File "C:\WINDOWS\Tasks\At19.job" deleted successfully.
File "C:\WINDOWS\Tasks\At2.job" deleted successfully.
File "C:\WINDOWS\Tasks\At20.job" deleted successfully.
File "C:\WINDOWS\Tasks\At21.job" deleted successfully.
File "C:\WINDOWS\Tasks\At22.job" deleted successfully.
File "C:\WINDOWS\Tasks\At23.job" deleted successfully.
File "C:\WINDOWS\Tasks\At24.job" deleted successfully.
File "C:\WINDOWS\Tasks\At3.job" deleted successfully.
File "C:\WINDOWS\Tasks\At4.job" deleted successfully.
File "C:\WINDOWS\Tasks\At5.job" deleted successfully.
File "C:\WINDOWS\Tasks\At6.job" deleted successfully.
File "C:\WINDOWS\Tasks\At7.job" deleted successfully.
File "C:\WINDOWS\Tasks\At8.job" deleted successfully.
File "C:\WINDOWS\Tasks\At9.job" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run | 7F45W5T68K" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run | 7F45W5T68K" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run | update32" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run | update32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



++++++++++++++++++++++++++++++++++++++++



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.37.49, on 14/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OM_Monitor] C:\Programmi\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Flash Driver] C:\DOCUME~1\User\IMPOST~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Programmi\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKLM\..\Policies\Explorer\Run: [7F45W5T68K] C:\WINDOWS\wsysst32.exe
O4 - HKLM\..\Policies\Explorer\Run: [update32] C:\WINDOWS\lwsys32.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digisoft AntiDialer.lnk = C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Salva oggetto con Star Downloader - C:\Programmi\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153862948531
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://marsillairomod.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programmi\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 8145 bytes

[Silent Runner]

Non mi è possibile eseguire la scansione online come mi hai suggerito.
All'avvio mi da errore e mi rimanda ad una pagina nella quale con ci capisco una zampogna!


Edit:
boh, visto che non si può eseguire la scansione online ho provato a scaricare il programma BitDefender e l'ho installato.
Mi ha chiesto di disinstallare AVG cosa che ho fatto. Poi con fatica ho capito come fare una scansione offline. Cosa che sta facendo mooolto lentamente.
Ma una volta installato il programma è diventato impossibile connettersi ad internet.
Credo che a questo punto mi convenga spianare tutto e ripartire da capo formattando perché da questo incubo non se ne esce. E' tutto tempo perso! Sono due giorni che sto cercando di ripulire questo pc e non vedo la fine del tunnel.

Che ne dici?

Mi conviene spianare tutto con il disco di installazione di win 98 a fat 32 (così si mangia tutte le eventuali partizioni) e poi ripassarci sopra riformattando a NTFS?

Sono veramente stufo di perdere altro tempo.

[bdoriano]

Ciao Silent,

rimuovere virus è un lavoro che richiede pazienza e un pò di tempo.
Ti chiedo scusa, ma ieri è stata una giornata campale e mi sono sfuggiti alcuni dettagli dei tuoi logs.

Se non hai già piallato tutto:

1. Disabilita il ripristino di sistema. (ero convinto di avertelo già fatto fare).
   
2. disinstalla BitDefender (probabilmente il messaggio che ricevevi riguardava il mancato salvataggio dell'ActiveX)
   
3. disinstalla Avast! (come mai ci sono 2 antivirus installati?)
   
4. Avvia il pc in modalità provvisoria
   Avvia RegEdit
   cerca la chiave HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   Che deve contenere solo questa stringa: C:\WINDOWS\System32\userinit.exe,
   Eventualmente, elimina tutto quello che trovi dopo la virgola.
   Riavvia il pc
   
5. Avvia AVENGER
   Clicca Ok
   Inserisci queste righe nel riquadro bianco:
   

   Citazione:

   Files to delete: C:\WINDOWS\lwsys32.exe C:\WINDOWS\wsysst32.exe C:\DOCUME~1\User\IMPOST~1\Temp\winlogon.exe

   
   Clicca su Execute
   Il pc dovrebbe riavviarsi, se così non fosse, riavvialo tu.
   Al termine dell'operazione, posta qui il risultato di Avenger
   
6. scarica VirIt, installalo, aggiornalo (importante) e fai lo scan completo.
   
7. posta un log aggiornato di hijackthis.

[Silent Runner]

Ma non ti scusare, per carità... tutti abbiamo dei problemi, milioni di cose da fare e la tua disponibilità è fuori discussione.

Sono solo imbufalito per il tempo perso! Se la gente fosse più attenta quando naviga ed avesse cura dei suoi pc non si perderebbe tanto tempo (il pc non è mio! Non lo avrei mai lasciato così scoperto).

Un'ultima cosa: il programma antivisus che ho scaricato (BitDefender) si è impadronito della macchina e non posso più nemmeno disinstallarlo. Non c'è alcun modo di farlo: ieri sera si è bloccato sulla schermata di disinstallazione e non si è più mosso. Questa mattina ho tentato di disinstallarlo ma mi dice che non è possibile perché secondo il programma di uninstall, Bitdefender non sarebbe più installato nel sistema. Ho provato a reinstallarlo ma niente da fare, mi chiede di fare la scansione online.
Inoltre mi ha praticamente isolato dal mondo eliminando la connessione wireless che avevo installato per collegarmi via router adsl. Ho provato a reinstallare i driver della chiavetta wireless ma non era più possibile farlo. Fortunatamente, spostando la chiavetta wireless mi ha di nuovo riconosciuto la connessione e per il momento sono di nuovo online...
Come faccio a disinstallare questo infernale (e lentissimo) antivirus?

Intanto provo a fare come mi hai consigliato.

[bdoriano]

Ri-ciao Silent,

prova con questo programmino

Le istruzioni... in inglese.

[Silent Runner]

Ciao Bdoriano... non so se ho fatto un danno: le tue indicazioni sull'uso di RegEdit erano forse un po' scarne per un inesperto per cui quando sono andato in mod provvisoria (con uso di RegEdit) ho cercato non senza le idee confuse, disperatamente quella striga che mi dicevi (mi aspettavo una finestra dos): invece ho trovato una pagina a cartelle e con una certa incertezza ho finalmente trovato qualcosa che richiamava le indicazioni.
Però, inavvertitamente ho cancellato una chiave di registro
VmApplet seguita da: REg_SZ rundll32 shell32 Control_RunDLL "sysdm.cpl".
Ho fatto qualche danno irreparabile? O posso riscrivere la chiave di registro? Nel caso come devo fare?

In ogni caso non c'era niente dopo la virgola di userinit.exe

P.s.
Avviando AVG per un controllo ho notato che sono spariti i primi file che di solito segnala in cima, compreso quelllo che diceva che c'era un errore in winlogon.


p.s.2

Grazie per l'aiuto: sono riuscito a eliminare l'antivirus micidiale che mi bloccava tutto grazie al tool che mi hai segnalato.

Ti ringrazio per la pazienza con la quale mi leggi e mi segui.

Silent.

[bdoriano]

E c'hai ragione.
Mi metto un promemoria a uso futuro:


Per quanto riguarda la chiave che hai cancellato, ricreala seguendo questi passaggi:

1. Clicca Start
   Clicca Esegui...
   Digita:

   Codice:

   regedit

   
   Clicca su ok
   
2. cerca la chiave HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   
3. nella finestra alla tua destra, clicca con il tasto destro del mouse in un punto vuoto:
   Nuovo > Valore stringa
   Chiamalo VmApplet
   Doppio click sul valore appena creato, ti si apre una nuova finestra.
   Inserisci: rundll32 shell32,Control_RunDLL "sysdm.cpl"
   Clicca OK
   Chiudi il registro

Fammi sapere come va con i restanti controlli.