Olimpo Informatico

[Irnerio]

Ciao a tutti, ho il seguente problema.

La mia connessione internet viene improvvisamente interrotta da una nuova connessione, autogeneratasi, col nome Internet Connection.

Questa non pare in effetti collegarmi ad alcun sito: il numero che compone è di sole tre cifre "000" e la linea telefonica è libera.

Questo disturbo, non colpisce il mio pc per la prima volta oggi.

Si era in effetti già presentato alla fine di gennaio scorso, ma pensavo di averlo eliminato all?inizio del mese di febbraio.

Purtroppo non è così.

Oggi la nefasta Internet Connection è tornata a colpire.

C?è una novità rispetto a due mesi fa: sul desktop è comparsa un?icona, assente sino a ieri, che corrisponde al seguente file:

rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

Chiunque voglia e/o possa aiutarmi, suggerendomi cosa fare per risolvere questo problema, ha sin d?ora la mia riconoscenza.

Allego il log di hijackthis, nel quale compare il file sospetto di cui sopra



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.34.22, on 18/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programmi\Sony\VAIO Event Service\VESMgr.exe
C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Programmi\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\Casio\Photo Loader\Plauto.exe
C:\Programmi\Sony\VAIO Action Setup\VAServ.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.com/en/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\PROGRA~1\GOOGLE~1\BAE.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Liquid Surf for VAIO TV Entertainment - {EC5BB10A-FDA1-41d6-8CE4-C00C1E5DC464} - C:\Programmi\Portrait Displays\Liquid Surf for VAIO TV Entertainment\sybil.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programmi\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [VAIOCameraUtility] "C:\Programmi\Sony\VAIO Camera Utility\VCUServe.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Programmi\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Programmi\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [AppMon Utility] "C:\Programmi\Sony\AppMonUtil\AppMonUtility.exe" @@@Start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Audio Filter.lnk = C:\Programmi\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader residente.lnk = C:\Programmi\Casio\Photo Loader\Plauto.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Programmi\Sony\VAIO Action Setup\VAServ.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmi\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Programmi\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Programmi\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Programmi\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Programmi\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Programmi\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Programmi\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Programmi\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 12414 bytes

[bdoriano]

Ciao Irnerio,

• Disabilita il ripristino di sistema.
  
• Pulisci i files temporanei con ATF-Cleaner e/o CCleaner
  
• Scarica Norman Malware Cleaner e NOD32 Scanner.
  
• Avvia il pc in modalità provvisoria.
  
• Avvia NOD32 e fagli fare la scansione completa.
  
• Avvia Norman Malware Cleaner e fagli fare la scansione completa.
  Viene generato un log sul desktop chiamandolo NFix_2008-03-gg_hh-mm-ss.log, alla fine della scansione caricalo su FreeFileHosting come indicato qui e posta il link che ti viene assegnato.
  
• Segui le istruzioni di questo topic per postare il log di combofix.

PS: ti sposto al Pronto Soccorso Virus.

[Irnerio]

Ciao Bdoriano

di nuovo tu...confesso che ci speravo!

Grazie sin d'ora per l'aiuto che mi dai!!

Mi metto subito al lavoro e ti faccio sapere quanto prima.

Ciao

[Irnerio]

Ciao bdoriano,

eccomi qui di nuovo.

Ho seguito le tue istruzioni, ma non sono riuscito a scaricare nod 32 : il server chiude il download prima dello scaricamento.

Ho invece scaricato Norman Malware e l'ho eseguito in modalità provvisoria.

Il log che è stato generato, si trova su free file hosting.

Questo è l'indirizzo:

Forum Link:

NFix_2008-03-26_20-45-07.log

Spero che tu possa suggerirmi sul da farsi.

Nel frattempo, provvedo a scaricare combofix, così da postare quanto prima il log che verrà generato.

Ciao

[Irnerio]

Ciao bdoriano,

ho scaricato ed eseguito anche combofix , questo è il log generato:




ComboFix 08-03-25.4 - LORENZO 2008-03-27 22.10.45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.566 [GMT 1:00]
Eseguito da: C:\Documents and Settings\LORENZO\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-02-27 al 2008-03-27 )))))))))))))))))))))))))))))))))))
.

2008-03-20 21:06 . 2008-03-20 21:06 16,648,248 --a------ C:\Programmi\Norman_Malware_Cleaner.exe
2008-03-19 21:24 . 2008-03-19 21:24 <DIR> d-------- C:\Programmi\CCleaner
2008-03-19 21:10 . 2008-03-19 21:10 671,968 --a------ C:\Programmi\ccsetup205_slim.exe
2008-03-19 21:05 . 2008-03-19 21:05 50,688 --a------ C:\Programmi\ATF-Cleaner.exe
2008-03-18 22:11 . 2008-03-18 20:28 14,348 --a------ C:\Documents and Settings\LORENZO\rundll32.exe bthprops .exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 19:41 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-03-21 11:40 --------- d-----w C:\Programmi\Norton Internet Security
2008-03-18 19:34 12,416 ----a-w C:\Programmi\hijackthis.log
2008-03-15 14:30 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-03-15 14:12 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-03-15 14:12 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-03-15 14:12 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-08 22:18 53,248 ----a-w C:\Programmi\Process.exe
2008-01-25 17:19 127,378 ----a-w C:\Programmi\avenger.zip
2008-01-24 21:17 189,718 ----a-w C:\Programmi\FindAWF.exe
2008-01-15 21:47 143,428 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2008-01-15 14:09 401,720 ----a-w C:\Programmi\HiJackThis.exe
2008-01-13 11:45 17,990,864 ----a-w C:\Programmi\AAW2007.EXE
2007-03-18 17:11 35,248 ------w C:\Documents and Settings\LORENZO\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

[bdoriano]

Crea un file di testo con le seguenti istruzioni:

[Irnerio]

Ciao

ho fatto quanto mi hai consigliato .

Posto qui per primo il log di combofix, poi a seguire quello di hijackthis:

ComboFix 08-03-25.4 - LORENZO 2008-03-28 17.46.18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.511 [GMT 1:00]
Eseguito da: C:\Documents and Settings\LORENZO\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\LORENZO\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-02-28 al 2008-03-28 )))))))))))))))))))))))))))))))))))
.

2008-03-20 21:06 . 2008-03-20 21:06 16,648,248 --a------ C:\Programmi\Norman_Malware_Cleaner.exe
2008-03-19 21:24 . 2008-03-19 21:24 <DIR> d-------- C:\Programmi\CCleaner
2008-03-19 21:10 . 2008-03-19 21:10 671,968 --a------ C:\Programmi\ccsetup205_slim.exe
2008-03-19 21:05 . 2008-03-19 21:05 50,688 --a------ C:\Programmi\ATF-Cleaner.exe
2008-03-18 22:11 . 2008-03-18 20:28 14,348 --a------ C:\Documents and Settings\LORENZO\rundll32.exe bthprops.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 16:50 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-03-27 21:19 12,393 ----a-w C:\Programmi\hijackthis.log
2008-03-21 11:40 --------- d-----w C:\Programmi\Norton Internet Security
2008-03-15 14:30 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-03-15 14:12 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-03-15 14:12 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-02-08 22:18 53,248 ----a-w C:\Programmi\Process.exe
2008-01-25 17:19 127,378 ----a-w C:\Programmi\avenger.zip
2008-01-24 21:17 189,718 ----a-w C:\Programmi\FindAWF.exe
2008-01-15 14:09 401,720 ----a-w C:\Programmi\HiJackThis.exe
2008-01-13 11:45 17,990,864 ----a-w C:\Programmi\AAW2007.EXE
2007-03-18 17:11 35,248 ------w C:\Documents and Settings\LORENZO\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

[bdoriano]

Ha funzionato parzialmente...
Rifacciamo. Crea un file di testo con le seguenti istruzioni:

[Irnerio]

Ciao

ho creato il file di testo che mi hai indicato e l'ho trascinato su combofix.

Questo è il log che ne è uscito:

ComboFix 08-03-29.1 - LORENZO 2008-03-29 21.04.33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.391 [GMT 1:00]
Eseguito da: C:\Documents and Settings\LORENZO\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\LORENZO\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Creati Da 2008-02-28 al 2008-03-29 )))))))))))))))))))))))))))))))))))
.

2008-03-29 20:55 . 2008-03-29 20:55 <DIR> d-------- C:\Programmi\TechSmith
2008-03-29 20:50 . 2008-03-29 20:50 <DIR> d-------- C:\WINDOWS\system32\it-IT
2008-03-29 20:49 . 2008-03-29 20:49 <DIR> d-------- C:\Programmi\MSBuild
2008-03-29 20:46 . 2008-03-29 20:50 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-29 20:45 . 2008-03-29 20:45 <DIR> d-------- C:\Programmi\Reference Assemblies
2008-03-29 20:45 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-29 20:42 . 2008-03-29 20:42 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-29 17:06 . 2008-03-29 17:07 2,945,816 --a------ C:\Programmi\Net Framework 3.0 dotnetfx3setup.exe
2008-03-29 15:08 . 2008-03-29 15:08 5,549,888 --a------ C:\Programmi\jing_setup.exe
2008-03-20 21:06 . 2008-03-20 21:06 16,648,248 --a------ C:\Programmi\Norman_Malware_Cleaner.exe
2008-03-19 21:24 . 2008-03-19 21:24 <DIR> d-------- C:\Programmi\CCleaner
2008-03-19 21:10 . 2008-03-19 21:10 671,968 --a------ C:\Programmi\ccsetup205_slim.exe
2008-03-19 21:05 . 2008-03-19 21:05 50,688 --a------ C:\Programmi\ATF-Cleaner.exe
2008-03-18 22:11 . 2008-03-18 20:28 14,348 --a------ C:\Documents and Settings\LORENZO\rundll32.exe bthprops.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 20:08 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-03-29 15:47 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-03-28 18:17 12,629 ----a-w C:\Programmi\hijackthis.log
2008-03-21 11:40 --------- d-----w C:\Programmi\Norton Internet Security
2008-03-15 14:30 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-03-15 14:12 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-03-15 14:12 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-02-08 22:18 53,248 ----a-w C:\Programmi\Process.exe
2008-01-25 17:19 127,378 ----a-w C:\Programmi\avenger.zip
2008-01-24 21:17 189,718 ----a-w C:\Programmi\FindAWF.exe
2008-01-15 14:09 401,720 ----a-w C:\Programmi\HiJackThis.exe
2008-01-13 11:45 17,990,864 ----a-w C:\Programmi\AAW2007.EXE
2007-03-18 17:11 35,248 ------w C:\Documents and Settings\LORENZO\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

[bdoriano]

Che nervi... si sta moltiplicando...
Altro giro. Crea un file di testo con le seguenti istruzioni:

[Irnerio]

Il virus si sta moltiplicando...

Credi che riusciremo ad eliminarlo

Ho eseguito le tue istruzioni, e il file di testo di combofix si trova su free file hosting, qui


log_31_marzo_2008.txt

P.S.

Ho anche scaricato jing, per fare la screencast del desktop, ma non sono sicuro di averne compreso il funzionamento : non ho capito come posso inviarti l'immagine dopo averla effettuata.

Se ci riesco, ti invio anche quella.

Ciao

[bdoriano]

Per inviare le immagini, devi caricarle su ImageShack e poi postare qui il link che ti viene assegnato.

Ah! Forse ho beccato il "replicante".
Crea un file di testo con le seguenti istruzioni:

[Irnerio]

Ciao

ti posto l'ultimo log di combofix, come da tue istruzioni:

ComboFix 08-03-29.1 - LORENZO 2008-04-01 20.59.08.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.470 [GMT 2:00]
Eseguito da: C:\Documents and Settings\LORENZO\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\LORENZO\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier .exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched .exe
.

((((((((((((((((((((((((( Files Creati Da 2008-03-01 al 2008-04-01 )))))))))))))))))))))))))))))))))))
.

2008-03-31 21:43 . 2008-03-18 21:28 14,348 --a------ C:\Documents and Settings\LORENZO\rundll32.exe bthprops .exe
2008-03-30 00:14 . 2008-03-30 21:43 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-29 21:55 . 2008-03-29 21:55 <DIR> d-------- C:\Programmi\TechSmith
2008-03-29 21:50 . 2008-03-29 21:50 <DIR> d-------- C:\WINDOWS\system32\it-IT
2008-03-29 21:49 . 2008-03-29 21:49 <DIR> d-------- C:\Programmi\MSBuild
2008-03-29 21:46 . 2008-03-29 21:50 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-29 21:45 . 2008-03-29 21:45 <DIR> d-------- C:\Programmi\Reference Assemblies
2008-03-29 21:45 . 2006-06-29 14:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-29 21:42 . 2008-03-29 21:50 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-29 18:06 . 2008-03-29 18:07 2,945,816 --a------ C:\Programmi\Net Framework 3.0 dotnetfx3setup.exe
2008-03-29 16:08 . 2008-03-29 16:08 5,549,888 --a------ C:\Programmi\jing_setup.exe
2008-03-28 20:08 . 2008-03-18 21:28 14,348 --a------ C:\Documents and Settings\LORENZO\rundll32.exe bthprops.exe
2008-03-20 22:06 . 2008-03-20 22:06 16,648,248 --a------ C:\Programmi\Norman_Malware_Cleaner.exe
2008-03-19 22:24 . 2008-03-19 22:24 <DIR> d-------- C:\Programmi\CCleaner
2008-03-19 22:10 . 2008-03-19 22:10 671,968 --a------ C:\Programmi\ccsetup205_slim.exe
2008-03-19 22:05 . 2008-03-19 22:05 50,688 --a------ C:\Programmi\ATF-Cleaner.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-01 18:39 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-03-29 21:20 13,067 ----a-w C:\Programmi\hijackthis.log
2008-03-29 15:47 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-03-21 11:40 --------- d-----w C:\Programmi\Norton Internet Security
2008-03-15 14:30 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-03-15 14:12 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-03-15 14:12 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-03-15 14:12 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-08 22:18 53,248 ----a-w C:\Programmi\Process.exe
2008-01-25 17:19 127,378 ----a-w C:\Programmi\avenger.zip
2008-01-24 21:17 189,718 ----a-w C:\Programmi\FindAWF.exe
2008-01-15 21:47 143,428 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2008-01-15 14:09 401,720 ----a-w C:\Programmi\HiJackThis.exe
2008-01-13 11:45 17,990,864 ----a-w C:\Programmi\AAW2007.EXE
2007-03-18 17:11 35,248 ------w C:\Documents and Settings\LORENZO\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

[bdoriano]

Finalmente sta funzionando...

• Crea un file di testo con le seguenti istruzioni:
  

  Codice:

  RenV:: C:\Windows\System32\bthprops .exe File:: C:\Documents and Settings\LORENZO\rundll32.exe C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe

  
  Salva il file sul desktop con il nome CFScript.txt e trascinalo sull'icona di ComboFix, come indicato in seguito:
  
  Attendi pazientemente la fine dei lavori senza toccare tastiera, mouse o altro.
  
• Scarica avenger e scompattalo in una sua cartella non temporanea e non sul desktop
  
  Avvia AVENGER
  Clicca Ok
  Inserisci queste righe nel riquadro bianco:
  

  Codice:

  Files to move: C:\Programmi\Java\jre1.5.0_06\bin\bak\jusched.exe | C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe | C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

  
  Clicca su Execute
  Il pc dovrebbe riavviarsi, se così non fosse, riavvialo tu.
  
• Al termine dell'operazione, posta qui il risultato di Avenger con il log aggiornato di combofix

[Irnerio]

Grazie per il chiarimento sul file nascosto

Ti posto in successione i file di combofix ed avenger:



ComboFix 08-03-29.1 - LORENZO 2008-04-02 22.31.15.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.429 [GMT 2:00]
Eseguito da: C:\Documents and Settings\LORENZO\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\LORENZO\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\LORENZO\rundll32.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
.

((((((((((((((((((((((((( Files Creati Da 2008-03-02 al 2008-04-02 )))))))))))))))))))))))))))))))))))
.

2008-03-31 21:43 . 2008-03-18 21:28 14,348 --a------ C:\Documents and Settings\LORENZO\rundll32.exe bthprops .exe
2008-03-30 00:14 . 2008-04-02 22:05 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-29 21:55 . 2008-03-29 21:55 <DIR> d-------- C:\Programmi\TechSmith
2008-03-29 21:50 . 2008-03-29 21:50 <DIR> d-------- C:\WINDOWS\system32\it-IT
2008-03-29 21:49 . 2008-03-29 21:49 <DIR> d-------- C:\Programmi\MSBuild
2008-03-29 21:46 . 2008-03-29 21:50 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-29 21:45 . 2008-03-29 21:45 <DIR> d-------- C:\Programmi\Reference Assemblies
2008-03-29 21:45 . 2006-06-29 14:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-29 21:42 . 2008-03-29 21:50 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-29 18:06 . 2008-03-29 18:07 2,945,816 --a------ C:\Programmi\Net Framework 3.0 dotnetfx3setup.exe
2008-03-29 16:08 . 2008-03-29 16:08 5,549,888 --a------ C:\Programmi\jing_setup.exe
2008-03-28 20:08 . 2008-03-18 21:28 14,348 --a------ C:\Documents and Settings\LORENZO\rundll32.exe bthprops.exe
2008-03-20 22:06 . 2008-03-20 22:06 16,648,248 --a------ C:\Programmi\Norman_Malware_Cleaner.exe
2008-03-19 22:24 . 2008-03-19 22:24 <DIR> d-------- C:\Programmi\CCleaner
2008-03-19 22:10 . 2008-03-19 22:10 671,968 --a------ C:\Programmi\ccsetup205_slim.exe
2008-03-19 22:05 . 2008-03-19 22:05 50,688 --a------ C:\Programmi\ATF-Cleaner.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 20:07 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-03-29 21:20 13,067 ----a-w C:\Programmi\hijackthis.log
2008-03-29 15:47 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-03-21 11:40 --------- d-----w C:\Programmi\Norton Internet Security
2008-03-15 14:30 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-03-15 14:12 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-03-15 14:12 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-03-15 14:12 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-08 22:18 53,248 ----a-w C:\Programmi\Process.exe
2008-01-25 17:19 127,378 ----a-w C:\Programmi\avenger.zip
2008-01-24 21:17 189,718 ----a-w C:\Programmi\FindAWF.exe
2008-01-15 21:47 143,428 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2008-01-15 14:09 401,720 ----a-w C:\Programmi\HiJackThis.exe
2008-01-13 11:45 17,990,864 ----a-w C:\Programmi\AAW2007.EXE
2007-03-18 17:11 35,248 ------w C:\Documents and Settings\LORENZO\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

[bdoriano]

Ciao Irnerio,

scusa se ti rispondo solo ora.
Vedo che il ragazzaccio continua a replicarsi.
Appena puoi, posta un log aggiornato di combofix. Così vediamo di trovare la soluzione definitiva.

[Irnerio]

Ciao bdoriano

ti posto il log di combofix; l'ho fatto con il seguente file di testo



RenV::
C:\Windows\System32\bthprops .exe

File::
C:\Documents and Settings\LORENZO\rundll32.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe


Spero sia corretto...

Il log di Combofix, dicevamo, eccolo qua:


ComboFix 08-03-29.1 - LORENZO 2008-04-04 21.24.23.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.515 [GMT 2:00]
Eseguito da: C:\Documents and Settings\LORENZO\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\LORENZO\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\LORENZO\rundll32.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
.
TimedOut: Windir.dat

((((((((((((((((((((((((( Files Creati Da 2008-03-04 al 2008-04-04 )))))))))))))))))))))))))))))))))))
.

2008-03-31 21:43 . 2008-03-18 21:28 14,348 --a------ C:\Documents and Settings\LORENZO\rundll32.exe bthprops .exe
2008-03-30 00:14 . 2008-04-02 22:05 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-29 21:55 . 2008-03-29 21:55 <DIR> d-------- C:\Programmi\TechSmith
2008-03-29 21:50 . 2008-03-29 21:50 <DIR> d-------- C:\WINDOWS\system32\it-IT
2008-03-29 21:49 . 2008-03-29 21:49 <DIR> d-------- C:\Programmi\MSBuild
2008-03-29 21:46 . 2008-03-29 21:50 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-29 21:45 . 2008-03-29 21:45 <DIR> d-------- C:\Programmi\Reference Assemblies
2008-03-29 21:45 . 2006-06-29 14:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-29 21:42 . 2008-03-29 21:50 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-29 18:06 . 2008-03-29 18:07 2,945,816 --a------ C:\Programmi\Net Framework 3.0 dotnetfx3setup.exe
2008-03-29 16:08 . 2008-03-29 16:08 5,549,888 --a------ C:\Programmi\jing_setup.exe
2008-03-28 20:08 . 2008-03-18 21:28 14,348 --a------ C:\Documents and Settings\LORENZO\rundll32.exe bthprops.exe
2008-03-20 22:06 . 2008-03-20 22:06 16,648,248 --a------ C:\Programmi\Norman_Malware_Cleaner.exe
2008-03-19 22:24 . 2008-03-19 22:24 <DIR> d-------- C:\Programmi\CCleaner
2008-03-19 22:10 . 2008-03-19 22:10 671,968 --a------ C:\Programmi\ccsetup205_slim.exe
2008-03-19 22:05 . 2008-03-19 22:05 50,688 --a------ C:\Programmi\ATF-Cleaner.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 19:01 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-03-29 21:20 13,067 ----a-w C:\Programmi\hijackthis.log
2008-03-29 15:47 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-03-21 11:40 --------- d-----w C:\Programmi\Norton Internet Security
2008-03-15 14:30 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-03-15 14:12 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-03-15 14:12 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-03-15 14:12 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-08 22:18 53,248 ----a-w C:\Programmi\Process.exe
2008-01-25 17:19 127,378 ----a-w C:\Programmi\avenger.zip
2008-01-24 21:17 189,718 ----a-w C:\Programmi\FindAWF.exe
2008-01-15 21:47 143,428 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2008-01-15 14:09 401,720 ----a-w C:\Programmi\HiJackThis.exe
2008-01-13 11:45 17,990,864 ----a-w C:\Programmi\AAW2007.EXE
2007-03-18 17:11 35,248 ------w C:\Documents and Settings\LORENZO\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

[bdoriano]

Ciao Irnerio,
scusa il ritardo, ma sono abbastanza incasinato.

Comincio a rispondere alle tue domande

[Irnerio]

Ciao e grazie per le tue risposte!

Non so se installare la Console di ripristino , ma credo che possa essere utile, e quindi forse lo farò.

Non sono invece riuscito a vedere l' elenco di files tra i tag <pre></pre> che mi hai segnalato.

Ho dato però solo un'occhiata approssimativa all'ultimo log, pertanto me lo devo essere perso: appena postato questo messaggio, guardo l'elenco con maggiore attenzione.

Ho creato il file di testo che mi hai indicato e l'ho trascinato su combofix.

Questo è il log che ne è uscito:


ComboFix 08-03-29.1 - LORENZO 2008-04-05 15.01.28.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.522 [GMT 2:00]
Eseguito da: C:\Documents and Settings\LORENZO\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\LORENZO\Desktop\CFScript.txt
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\LORENZO\rundll32.exe bthprops .exe
C:\Documents and Settings\LORENZO\rundll32.exe bthprops.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched .exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LORENZO\rundll32.exe bthprops .exe
C:\Documents and Settings\LORENZO\rundll32.exe bthprops.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched .exe

.
((((((((((((((((((((((((( Files Creati Da 2008-03-05 al 2008-04-05 )))))))))))))))))))))))))))))))))))
.

2008-04-04 23:19 . 2008-04-04 23:19 <DIR> d-------- C:\Programmi\MSXML 6.0
2008-03-30 00:14 . 2008-04-02 22:05 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-29 21:55 . 2008-03-29 21:55 <DIR> d-------- C:\Programmi\TechSmith
2008-03-29 21:50 . 2008-03-29 21:50 <DIR> d-------- C:\WINDOWS\system32\it-IT
2008-03-29 21:49 . 2008-03-29 21:49 <DIR> d-------- C:\Programmi\MSBuild
2008-03-29 21:46 . 2008-03-29 21:50 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-03-29 21:45 . 2008-03-29 21:45 <DIR> d-------- C:\Programmi\Reference Assemblies
2008-03-29 21:45 . 2006-06-29 14:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-03-29 21:42 . 2008-03-29 21:50 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-03-29 18:06 . 2008-03-29 18:07 2,945,816 --a------ C:\Programmi\Net Framework 3.0 dotnetfx3setup.exe
2008-03-29 16:08 . 2008-03-29 16:08 5,549,888 --a------ C:\Programmi\jing_setup.exe
2008-03-20 22:06 . 2008-03-20 22:06 16,648,248 --a------ C:\Programmi\Norman_Malware_Cleaner.exe
2008-03-19 22:24 . 2008-03-19 22:24 <DIR> d-------- C:\Programmi\CCleaner
2008-03-19 22:10 . 2008-03-19 22:10 671,968 --a------ C:\Programmi\ccsetup205_slim.exe
2008-03-19 22:05 . 2008-03-19 22:05 50,688 --a------ C:\Programmi\ATF-Cleaner.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 13:05 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-03-29 21:20 13,067 ----a-w C:\Programmi\hijackthis.log
2008-03-29 15:47 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-03-21 11:40 --------- d-----w C:\Programmi\Norton Internet Security
2008-03-15 14:30 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-03-15 14:12 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-03-15 14:12 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-02-08 22:18 53,248 ----a-w C:\Programmi\Process.exe
2008-01-25 17:19 127,378 ----a-w C:\Programmi\avenger.zip
2008-01-24 21:17 189,718 ----a-w C:\Programmi\FindAWF.exe
2008-01-15 14:09 401,720 ----a-w C:\Programmi\HiJackThis.exe
2008-01-13 11:45 17,990,864 ----a-w C:\Programmi\AAW2007.EXE
2007-03-18 17:11 35,248 ------w C:\Documents and Settings\LORENZO\Dati applicazioni\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-04-01_20.45.39,25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-30 18:25:18 59,904 ----a-r C:\WINDOWS\Installer\{0AF0F8DC-7C92-4B7C-A376-127B9AD061D2}\IconA3AFE979.exe
+ 2008-04-04 20:44:35 59,904 ----a-r C:\WINDOWS\Installer\{0AF0F8DC-7C92-4B7C-A376-127B9AD061D2}\IconA3AFE979.exe
- 2008-03-31 19:07:39 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-05 13:15:13 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-31 19:07:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
+ 2008-04-05 13:15:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\index.dat
- 2008-03-31 19:07:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-05 13:15:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat
- 2006-09-01 11:08:02 1,334,032 ----a-w C:\WINDOWS\system32\msxml6.dll
+ 2007-05-15 13:43:10 1,320,800 ----a-w C:\WINDOWS\system32\msxml6.dll
- 2008-04-01 18:44:21 77,808 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-05 13:09:41 77,808 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-01 18:44:21 91,594 ----a-w C:\WINDOWS\system32\perfc010.dat
+ 2008-04-05 13:09:41 91,594 ----a-w C:\WINDOWS\system32\perfc010.dat
- 2008-04-01 18:44:21 454,326 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-05 13:09:41 454,326 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-04-01 18:44:21 504,598 ----a-w C:\WINDOWS\system32\perfh010.dat
+ 2008-04-05 13:09:41 504,598 ----a-w C:\WINDOWS\system32\perfh010.dat
+ 2008-04-05 13:05:16 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1d8.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,019,392 2004-09-23 09:33:44 C:\Programmi\File comuni\PCSuite\DataLayer\bak\DATALA~1.EXE

----a-w 49,152 2004-02-12 12:38:56 C:\Programmi\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 241,664 2004-05-12 14:18:56 C:\Programmi\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 148,992 2004-09-15 14:36:06 C:\Programmi\Nokia\Nokia PC Suite 6\bak\TRAYAP~1.EXE

----a-w 29,696 2006-06-22 14:11:18 C:\Programmi\Sony\AppMonUtil\bak\AppMonUtility.exe

----a-w 69,632 2005-12-27 11:58:10 C:\Programmi\Sony\VAIO Camera Utility\bak\VCUServe.exe

----a-w 151,552 2005-10-11 19:36:38 C:\Programmi\Sony\VAIO Update 2\bak\VAIOUpdt.exe

----a-w 64,512 2005-08-17 20:40:06 C:\WINDOWS\ehome\bak\ehtray.exe
----a-w 59,392 2004-08-10 03:04:42 C:\WINDOWS\ehome\ehtray.exe

----a-w 15,360 2004-09-07 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-09-07 12:00:00 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-07 14:00 15360]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2008-02-09 00:12 81920]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-27 17:49 171448]
"Jing"="C:\Programmi\TechSmith\Jing\Jing.exe" [2008-01-28 13:48 709888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-23 01:32 7561216]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 05:04 59392]
"ccApp"="C:\Programmi\File comuni\Symantec Shared\ccApp.exe" [2007-02-22 13:11 52840]
"URLLSTCK.exe"="C:\Programmi\Norton Internet Security\UrlLstCk.exe" [2007-02-01 18:21 23168]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-09-07 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"Symantec PIF AlertEng"="C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 10:22 517768]
"Acrobat Assistant 7.0"="C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-03-03 21:47 483328]
"HP Software Update"="C:\Programmi\HP\HP Software Update\HPWuSchd2.exe" [ ]
"VAIOCameraUtility"="C:\Programmi\Sony\VAIO Camera Utility\VCUServe.exe" [ ]
"VAIO Update 2"="C:\Programmi\Sony\VAIO Update 2\VAIOUpdt.exe" [ ]
"HP Component Manager"="C:\Programmi\HP\hpcoretech\hpcmpmgr.exe" [ ]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe" [ ]
"Norton Ghost 10.0"="C:\Programmi\Norton Ghost\Agent\GhostTray.exe" [ ]
"AppMon Utility"="C:\Programmi\Sony\AppMonUtil\AppMonUtility.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-07 14:00 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Audio Filter.lnk - C:\Programmi\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe [2006-08-19 09:16:02 5649408]
Avvio rapido di HP Image Zone.lnk - C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-29 00:06:36 53248]
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 23:31:38 241664]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]
Photo Loader residente.lnk - C:\Programmi\Casio\Photo Loader\Plauto.exe [2006-12-29 19:03:56 229376]
VAIO Action Setup (Server).lnk - C:\Programmi\Sony\VAIO Action Setup\VAServ.exe [2006-07-17 15:21:26 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2005-05-20 17:42 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 17:56]
R2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 18:45]
R3 AVerM115S;AVerM115S service;C:\WINDOWS\system32\DRIVERS\AVerM115S.sys [2006-06-14 10:22]
R3 SonyImgF;Sony Image Conversion Filter Driver;C:\WINDOWS\system32\DRIVERS\SonyImgF.sys [2006-03-06 11:39]
R3 ti21sony;ti21sony;C:\WINDOWS\system32\drivers\ti21sony.sys [2006-02-21 11:32]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Programmi\Sony\Image Converter 2\IcVzMon.exe [2005-07-14 19:10]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Programmi\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 usbscan;Driver scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 23:58]
S3 USBSTOR;Driver archiviazione di massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 00:08]

*Newly Created Service* - COMHOST
.
Contenuto della cartella 'Scheduled Tasks'
"2008-03-21 21:55:13 C:\WINDOWS\Tasks\Norton AntiVirus - Esegui scansione completa del sistema - LORENZO.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exei/TASK:
"2007-06-16 07:00:41 C:\WINDOWS\Tasks\WebReg 20070616090041.job"
- C:\Programmi\HP\Digital Imaging\bin\hpqwrg.exe`/TaskName 20070616090041 /N
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 16:40:47
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Sony\VAIO Event Service\VESMgr.exe
C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Programmi\File comuni\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programmi\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE
.
**************************************************************************
.
Ora fine scansione: 2008-04-05 16:44:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-05 14:44:22
ComboFix2.txt 2008-04-04 19:28:24
ComboFix3.txt 2008-04-02 20:34:21
ComboFix4.txt 2008-04-01 19:01:04
ComboFix5.txt 2008-04-01 18:46:03
12 Directory 126,628,233,216 byte disponibili
15 Directory 126,634,881,024 byte disponibili
.
2008-04-04 21:19:23 --- E O F ---


Io riesco solo avedere che non ci sono files nascosti.

Tuttavia ieri, dopo un paio di giorni di tregua, Internet Connection mi ha nuovamente disconnesso .

Ho dovuto riavviare il pc per riprendere il lavoro.

L'osso è duro, ma sono sicuro di riuscire a masticarlo col tuo aiuto.

Ciao

[bdoriano]

Ok, ci siamo.
In quest'ultimo log non compaiono più le voci tipo queste qui di seguito: