Trojan Horse

[billyray65]

Ciao a tutti.
Da un po' di tempo la mia navigazione viene deviata su altri siti non richiesti.
Occasionalmente l'antivirus AVG mi segnala anche la presenza di Trojan Horse Downloader.Small.57.BA.
Allego il logfile di Hijack This.
Vi prego di spiegare in maniera dettagliata i passaggi da seguire viste le mie scarse conoscenze di informatica.
Grazie a chi mi aiuterà.

Logfile of HijackThis v1.99.1
Scan saved at 15.10.53, on 29/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Trust\305KS\Keyboard\MMKEYBD.EXE
C:\Programmi\Picasa2\PicasaMediaDetector.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer fornito da Yahoo! Italia
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [FLMK08KB] C:\Programmi\Trust\305KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [SlipStream] "C:\Programmi\SlipStream Web Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll",AppEntry -REG "Aethra\ADSL EB1070 USB"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: SlipStream Web Accelerator.lnk = C:\Programmi\SlipStream Web Accelerator\slipgui.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3106435198
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{676A9742-D640-4F4F-969C-C523374E29EC}: NameServer = 85.255.116.105,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{E54DD8AC-D074-4EAC-A840-57BA6C50BCEC}: NameServer = 85.255.116.105,85.255.112.63
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.105 85.255.112.63
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.105 85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.105 85.255.112.63
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[/i][/u]

[Luke57]

Ciao, nel log non appare niente, scarica Gmer da qui:
http://www.majorgeeks.com/GMER_d5198.html
scompatta il file .zip e avvia gmer.exe
Per entrare in Avanzate premi il tab>>>>. Poi scegli il tab Rootkit, lascia le impostazioni di default, metti la spunta alla casella ADS, fai uno Scan completo. Chiudi, prima dello scan, tutti i programmi e le applicazioni aperti.
Al termine, premi il tasto Copy e incolla il report in un foglio di testo.
Sempre con Gmer ti sposti sul tab Autostart (non spuntare la casella show all), premi Scan. Al termine dello scan, premi Copy.
Incolli il report nel foglio precedentemente salvato e poi incolli i due report in un post nel forum.

[billyray65]

Ecco il report fatto con GMER.
Grazie dell'aiuto.

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-30 17:57:05
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\SYSTEM32\WINLOGON.EXE[620] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00C44D5A
.text C:\WINDOWS\SYSTEM32\WINLOGON.EXE[620] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00C44F72
.text C:\WINDOWS\SYSTEM32\WINLOGON.EXE[620] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00C4508F
.text C:\WINDOWS\SYSTEM32\WINLOGON.EXE[620] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00C44E74
.text C:\unzipped\gmer[1]\gmer.exe[996] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 003D4D5A
.text C:\unzipped\gmer[1]\gmer.exe[996] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 003D4F72
.text C:\unzipped\gmer[1]\gmer.exe[996] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 003D508F
.text C:\unzipped\gmer[1]\gmer.exe[996] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 003D4E74
.text C:\Programmi\Alice ti aiuta\bin\mpbtn.exe[1200] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00914D5A
.text C:\Programmi\Alice ti aiuta\bin\mpbtn.exe[1200] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00914F72
.text C:\Programmi\Alice ti aiuta\bin\mpbtn.exe[1200] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 0091508F
.text C:\Programmi\Alice ti aiuta\bin\mpbtn.exe[1200] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00914E74
.text C:\WINDOWS\EXPLORER.EXE[1792] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00B74D5A
.text C:\WINDOWS\EXPLORER.EXE[1792] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00B74F72
.text C:\WINDOWS\EXPLORER.EXE[1792] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00B7508F
.text C:\WINDOWS\EXPLORER.EXE[1792] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00B74E74
.text C:\PROGRAMMI\TRUST\305KS\KEYBOARD\MMKEYBD.EXE[1860] ntdll.dll!NtCreateThread 7C91D7D2 3 Bytes JMP 00924D5A
.text C:\PROGRAMMI\TRUST\305KS\KEYBOARD\MMKEYBD.EXE[1860] ntdll.dll!NtCreateThread + 4 7C91D7D6 1 Byte [ 84 ]
.text C:\PROGRAMMI\TRUST\305KS\KEYBOARD\MMKEYBD.EXE[1860] ntdll.dll!NtDeleteValueKey 7C91D8CE 3 Bytes JMP 00924F72
.text C:\PROGRAMMI\TRUST\305KS\KEYBOARD\MMKEYBD.EXE[1860] ntdll.dll!NtDeleteValueKey + 4 7C91D8D2 1 Byte [ 84 ]
.text C:\PROGRAMMI\TRUST\305KS\KEYBOARD\MMKEYBD.EXE[1860] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 3 Bytes JMP 0092508F
.text C:\PROGRAMMI\TRUST\305KS\KEYBOARD\MMKEYBD.EXE[1860] ntdll.dll!NtQueryDirectoryFile + 4 7C91DF62 1 Byte [ 84 ]
.text C:\PROGRAMMI\TRUST\305KS\KEYBOARD\MMKEYBD.EXE[1860] ntdll.dll!NtSetValueKey 7C91E7BC 3 Bytes JMP 00924E74
.text C:\PROGRAMMI\TRUST\305KS\KEYBOARD\MMKEYBD.EXE[1860] ntdll.dll!NtSetValueKey + 4 7C91E7C0 1 Byte [ 84 ]
.text C:\PROGRAMMI\PICASA2\PICASAMEDIADETECTOR.EXE[1896] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00944D5A
.text C:\PROGRAMMI\PICASA2\PICASAMEDIADETECTOR.EXE[1896] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00944F72
.text C:\PROGRAMMI\PICASA2\PICASAMEDIADETECTOR.EXE[1896] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 0094508F
.text C:\PROGRAMMI\PICASA2\PICASAMEDIADETECTOR.EXE[1896] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00944E74
.text C:\WINDOWS\SYSTEM32\RUNDLL32.EXE[1928] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 009F4D5A
.text C:\WINDOWS\SYSTEM32\RUNDLL32.EXE[1928] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 009F4F72
.text C:\WINDOWS\SYSTEM32\RUNDLL32.EXE[1928] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 009F508F
.text C:\WINDOWS\SYSTEM32\RUNDLL32.EXE[1928] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 009F4E74
.text C:\PROGRAMMI\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE[2024] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00F74D5A
.text C:\PROGRAMMI\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE[2024] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00F74F72
.text C:\PROGRAMMI\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE[2024] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00F7508F
.text C:\PROGRAMMI\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE[2024] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00F74E74
.text C:\WINDOWS\system32\ctfmon.exe[2032] ntdll.dll!NtCreateThread 7C91D7D2 5 Bytes JMP 00914D5A
.text C:\WINDOWS\system32\ctfmon.exe[2032] ntdll.dll!NtDeleteValueKey 7C91D8CE 5 Bytes JMP 00914F72
.text C:\WINDOWS\system32\ctfmon.exe[2032] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 0091508F
.text C:\WINDOWS\system32\ctfmon.exe[2032] ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 00914E74

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F9685A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F9685A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F9685A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F9685A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F9685A] avgtdi.sys

---- Files - GMER 1.0.12 ----

File C:\WINDOWS\system32\kdhsz.exe

---- EOF - GMER 1.0.12 ----


GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-01-30 17:58:52
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@Systemkdhsz.exe = kdhsz.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
EPSONStatusAgent2 /*EPSON Printer Status Agent2*/@ = C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
LexBceS /*LexBce Server*/@ = C:\WINDOWS\system32\LEXBCES.EXE
NVSvc /*NVIDIA Driver Helper Service*/@ = %SystemRoot%\System32\nvsvc32.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@FLMK08KBC:\Programmi\Trust\305KS\Keyboard\MMKEYBD.EXE = C:\Programmi\Trust\305KS\Keyboard\MMKEYBD.EXE
@SlipStream"C:\Programmi\SlipStream Web Accelerator\slipcore.exe" /*file not found*/ = "C:\Programmi\SlipStream Web Accelerator\slipcore.exe" /*file not found*/
@Picasa Media DetectorC:\Programmi\Picasa2\PicasaMediaDetector.exe = C:\Programmi\Picasa2\PicasaMediaDetector.exe
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@CnxTrApprundll32.exe "C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll",AppEntry -REG "Aethra\ADSL EB1070 USB" = rundll32.exe "C:\Programmi\Aethra\ADSL EB1070 USB\CnxTrApp.dll",AppEntry -REG "Aethra\ADSL EB1070 USB"
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
@!AVG Anti-Spyware"C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/(null) =
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{00e72351-c3bd-48cd-b090-77ea0d87a10a} /*Uw Shell Extension*/C:\PROGRA~1\REDSTR~1\ULTRAW~1\uwshext.dll = C:\PROGRA~1\REDSTR~1\ULTRAW~1\uwshext.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealOne Player\rpshellext.dll = C:\Programmi\Real\RealOne Player\rpshellext.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{23170F69-40C1-278A-1000-000100020000} /*7-Zip Shell Extension*/C:\Programmi\7-Zip\7-zip.dll = C:\Programmi\7-Zip\7-zip.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zip.dll
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\context.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
UltraWipe@{00e72351-c3bd-48cd-b090-77ea0d87a10a} = C:\PROGRA~1\REDSTR~1\ULTRAW~1\uwshext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zip.dll
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\context.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{02478D38-C3F9-4EFB-9B51-7695ECA05670}C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll = C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\Programmi\Spybot - Search & Destroy\SDHelper.dll = C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar2.dll = c:\programmi\google\googletoolbar2.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://it.yahoo.com = http://it.yahoo.com
@Start Pagehttp://it.yahoo.com = http://it.yahoo.com
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://it.yahoo.com = http://it.yahoo.com
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
EPSON Status Monitor 3 Environment Check 2.lnk = EPSON Status Monitor 3 Environment Check 2.lnk
SlipStream Web Accelerator.lnk = SlipStream Web Accelerator.lnk
Alice ti aiuta.lnk = Alice ti aiuta.lnk
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk

---- EOF - GMER 1.0.12 ----

[Luke57]

Ciao, scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
scompatta il file.zip
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla (CTRL+V) le scritte in neretto:


Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry values to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Systemkdhsz.exe

files to delete:
C:\WINDOWS\system32\kdhsz.exe

Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente

Posta il log di Avenger (C:/avenger.txt) con l´esito dello script

[billyray65]

Ecco il log di avenger

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sfavohrq

*******************

Script file located at: \??\C:\WINDOWS\system32\cclcckly.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\kdhsz.exe deleted successfully.


Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
Status: 0xc0000034



Could not delete registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Systemkdhsz.exe
Deletion of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Systemkdhsz.exe failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

[Luke57]

Ciao, la voce di registro non è stata eliminata.
Apri il registro:
start>esegui>regedit (lo digiti nello spazio)>OK
Cliccando sul segno + accanto alle singole voci, segui questo percorso:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, click sulla cartella Winlogon, all'interno se trovi la voce:
Systemkdhsz.exe = kdhsz.exe
click tasto dx su di essa e scegli Elimina.

[billyray65]

Fatto tutto, ma il problema persiste! Hai altre soluzioni?

[pablo100]

Fatto tutto, ma il problema persiste! Hai altre soluzioni?

perchè non esegui una scansione online con la trendmicro il link è: http://housecall.trendmicro.com/

[Luke57]

Ciao, prova anche cwshredder da qui:
http://www.trendmicro.com/cwshredder/
lo scarichi chiudi applicazioni e programma, lo lanci premendo Fix e non scan only.

[billyray65]

Uso regolarmente cwshredder, ma non rileva nulla.
Ho provato a fare una scansione online con housecall.trendmicro, ma appena avvio la scansione la pagina si chiude da sola. Perché?