
Trojan.Spy.Bzub.NGP (cryptsv.dll)

How do I remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57


Posted by shenandoa » 07/01/08 14:53

BitDefender found a Trojan for me, but it does not disinfect it or move it to quarantine...
Is it enough to just delete it?
Note that in BitDefender's System info, under Load Items/Application InitDLLs, I find a sockspy.dll
Can you help me clean this out and/or anything else hiding on the PC???
Thanks a lot

// ProductBitDefender Antivirus Plus v10
// Product10.2
Summary:
C:\WINDOWS\system32\cryptsv.dll Infected: Trojan.Spy.Bzub.NGP
C:\WINDOWS\system32\cryptsv.dll Disinfection failed
C:\WINDOWS\system32\cryptsv.dll Move failed

GMER

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-07 14:30:02
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwClose
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwCreateKey
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwDeleteKey
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwDeleteValueKey
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwEnumerateKey
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwEnumerateValueKey
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwFlushKey
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwLoadKey
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdfsdrv.sys ZwOpenFile
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwOpenKey
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwQueryKey
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwQueryValueKey
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwSetValueKey
SSDT \??\C:\Programmi\Softwin\BitDefender10\bdrsdrv.sys ZwUnloadKey

---- Kernel code sections - GMER 1.0.13 ----

.text ntoskrnl.exe!_abnormal_termination + 16C 804E2E3D 3 Bytes [ 9E, 4A, EE ]
PAGE ntoskrnl.exe!RtlCopySid + 38 80567B83 7 Bytes JMP F78802C6 nzvwmjpy.dat
? nzvwmjpy.dat Impossibile trovare il file specificato.

---- User code sections - GMER 1.0.13 ----

.text C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[496] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A93090 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe[608] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1580] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A83090 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1736] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C63090 C:\WINDOWS\system32\sockspy.dll
.text C:\Documents and Settings\***\Documenti\***\SOFT\# Security\GMer\gmer.exe[1872] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text ...
.text C:\Programmi\Citrix\PNAgent\pnagent.exe[2568] WS2_32.dll!sendto 71A32C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Citrix\PNAgent\pnagent.exe[2568] WS2_32.dll!recvfrom 71A32D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Citrix\PNAgent\pnagent.exe[2568] WS2_32.dll!bind 71A33E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Citrix\PNAgent\pnagent.exe[2568] WS2_32.dll!connect 71A3406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Citrix\PNAgent\pnagent.exe[2568] WS2_32.dll!send 71A3428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Citrix\PNAgent\pnagent.exe[2568] WS2_32.dll!gethostbyname 71A34FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Citrix\PNAgent\pnagent.exe[2568] WS2_32.dll!listen 71A388D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Citrix\PNAgent\pnagent.exe[2568] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Citrix\PNAgent\pnagent.exe[2568] WS2_32.dll!accept 71A41028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Citrix\PNAgent\ssonsvr.exe[3068] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Citrix\PNAgent\Wfcrun32.exe[3296] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Citrix\PNAgent\WFICA32.EXE[3312] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Citrix\PNAgent\WFICA32.EXE[3312] WS2_32.dll!sendto 71A32C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Citrix\PNAgent\WFICA32.EXE[3312] WS2_32.dll!recvfrom 71A32D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Citrix\PNAgent\WFICA32.EXE[3312] WS2_32.dll!bind 71A33E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Citrix\PNAgent\WFICA32.EXE[3312] WS2_32.dll!connect 71A3406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Citrix\PNAgent\WFICA32.EXE[3312] WS2_32.dll!send 71A3428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Citrix\PNAgent\WFICA32.EXE[3312] WS2_32.dll!gethostbyname 71A34FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Citrix\PNAgent\WFICA32.EXE[3312] WS2_32.dll!listen 71A388D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Citrix\PNAgent\WFICA32.EXE[3312] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Citrix\PNAgent\WFICA32.EXE[3312] WS2_32.dll!accept 71A41028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[3396] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[3396] WS2_32.dll!sendto 71A32C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[3396] WS2_32.dll!recvfrom 71A32D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[3396] WS2_32.dll!bind 71A33E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[3396] WS2_32.dll!connect 71A3406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[3396] WS2_32.dll!send 71A3428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[3396] WS2_32.dll!gethostbyname 71A34FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[3396] WS2_32.dll!listen 71A388D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[3396] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[3396] WS2_32.dll!accept 71A41028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\System32\igfxtray.exe[3580] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00853090 C:\WINDOWS\System32\sockspy.dll
.text C:\WINDOWS\System32\hkcmd.exe[3588] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00843090 C:\WINDOWS\System32\sockspy.dll
.text C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe[3596] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Launch Manager\QtZgAcer.EXE[3644] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00933090 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe[3692] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C83090 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe[3692] WS2_32.dll!sendto 71A32C69 5 Bytes JMP 00C82D10 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe[3692] WS2_32.dll!recvfrom 71A32D0F 5 Bytes JMP 00C82CA0 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe[3692] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00C83020 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe[3692] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00C82DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe[3692] WS2_32.dll!send 71A3428A 5 Bytes JMP 00C82AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe[3692] WS2_32.dll!gethostbyname 71A34FD4 5 Bytes JMP 00C82D70 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe[3692] WS2_32.dll!listen 71A388D3 5 Bytes JMP 00C82A60 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe[3692] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 00C83060 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe[3692] WS2_32.dll!accept 71A41028 5 Bytes JMP 00C82F30 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe[3704] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BA3090 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe[3704] WS2_32.dll!sendto 71A32C69 5 Bytes JMP 00BA2D10 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe[3704] WS2_32.dll!recvfrom 71A32D0F 5 Bytes JMP 00BA2CA0 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe[3704] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00BA3020 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe[3704] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00BA2DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe[3704] WS2_32.dll!send 71A3428A 5 Bytes JMP 00BA2AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe[3704] WS2_32.dll!gethostbyname 71A34FD4 5 Bytes JMP 00BA2D70 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe[3704] WS2_32.dll!listen 71A388D3 5 Bytes JMP 00BA2A60 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe[3704] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 00BA3060 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe[3704] WS2_32.dll!accept 71A41028 5 Bytes JMP 00BA2F30 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe[3716] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE[3764] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00923090 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE[3764] WS2_32.dll!sendto 71A32C69 5 Bytes JMP 00922D10 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE[3764] WS2_32.dll!recvfrom 71A32D0F 5 Bytes JMP 00922CA0 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE[3764] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00923020 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE[3764] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00922DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE[3764] WS2_32.dll!send 71A3428A 5 Bytes JMP 00922AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE[3764] WS2_32.dll!gethostbyname 71A34FD4 5 Bytes JMP 00922D70 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE[3764] WS2_32.dll!listen 71A388D3 5 Bytes JMP 00922A60 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE[3764] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 00923060 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE[3764] WS2_32.dll!accept 71A41028 5 Bytes JMP 00922F30 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Softwin\BitDefender10\bdagent.exe[3800] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00993090 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE[3984] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00363090 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE[3984] WS2_32.dll!sendto 71A32C69 5 Bytes JMP 00362D10 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE[3984] WS2_32.dll!recvfrom 71A32D0F 5 Bytes JMP 00362CA0 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE[3984] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00363020 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE[3984] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00362DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE[3984] WS2_32.dll!send 71A3428A 5 Bytes JMP 00362AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE[3984] WS2_32.dll!gethostbyname 71A34FD4 5 Bytes JMP 00362D70 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE[3984] WS2_32.dll!listen 71A388D3 5 Bytes JMP 00362A60 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE[3984] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 00363060 C:\WINDOWS\system32\sockspy.dll
.text C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE[3984] WS2_32.dll!accept 71A41028 5 Bytes JMP 00362F30 C:\WINDOWS\system32\sockspy.dll

---- Devices - GMER 1.0.13 ----

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F796F486] bdpredir.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F796F486] bdpredir.sys

Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CREATE [F7B19C98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CLOSE [F7B19C98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_DEVICE_CONTROL [F7B194A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B193D2] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_POWER [F7B19386] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_SYSTEM_CONTROL [F7B194A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_PNP [F7B19E88] SMBCLASS.SYS

---- EOF - GMER 1.0.13 ----


HIJACKT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.30.28, on 07/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe
C:\Programmi\Citrix\PNAgent\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Programmi\Softwin\BitDefender10\bdmcon.exe
C:\Programmi\Softwin\BitDefender10\bdagent.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\Citrix\PNAgent\pnagent.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmi\Citrix\PNAgent\Wfcrun32.exe
C:\PROGRA~1\Citrix\PNAgent\WFICA32.EXE
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\Programmi\Softwin\BitDefender10\vsserv.exe
C:\Documents and Settings\***\Documenti\***\SOFT\# Security\HijackThis 2.0.2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intra/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\WINDOWS\system32\bgstb.dll
O2 - BHO: (no name) - {AFE33DBB-1B56-4FDA-9E02-1B01F1F39F6B} - C:\WINDOWS\system32\cryptsv.dll
O3 - Toolbar: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\WINDOWS\system32\bgstb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [BgInfo] c:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [bgsmsnd.exe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Programmi\Softwin\BitDefender10\bdagent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Programmi\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ***.network
O17 - HKLM\Software\..\Telephony: DomainName = ***.network
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ***.network
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Programmi\File comuni\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Programmi\Softwin\BitDefender10\vsserv.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6749 bytes
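A defender's triage helper, added here as an example (it is not code from GMER, ComboFix, BitDefender or any poster): it parses GMER "User code sections" lines in the format shown in the log above, groups the inline JMP hooks by the module they land in, and cross-checks those modules against an AppInit_DLLs value in the REGEDIT4 style ComboFix prints, so a DLL that is injected into every process and also patches the Winsock exports stands out. The embedded sample lines are constructed from the log format above, and all function names are my own.

```python
"""Triage helper for GMER user-mode hook listings plus ComboFix AppInit_DLLs output.

Groups the inline JMP hooks GMER reports by the module that owns the hook
target and cross-checks those modules against the AppInit_DLLs value, so a
DLL that is injected into every process AND patches the Winsock exports
(send, recv, connect, gethostbyname ...) stands out for the analyst.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One GMER 1.0.13 "User code sections" line has this shape:
#   .text <process path>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> <hooking module>
HOOK_LINE = re.compile(
    r"^\.text (?P<process>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<export>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+) (?P<hooker>.+?)\s*$"
)

# ComboFix dumps the value in REGEDIT4 style:  "AppInit_DLLs"=sockspy.dll
APPINIT_LINE = re.compile(r'^"AppInit_DLLs"\s*=\s*"?(?P<value>[^"\r\n]*)"?\s*$', re.MULTILINE)

# Winsock exports whose hooking lets a module read, alter or redirect traffic.
WINSOCK_EXPORTS = {"send", "sendto", "recv", "recvfrom", "wsasend", "wsarecv", "connect",
                   "bind", "listen", "accept", "closesocket", "gethostbyname"}

# Constructed sample in the exact GMER format of the log posted above (paths and
# addresses copied from it, reduced to a handful of lines).
SAMPLE_GMER_LOG = r"""
---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\Explorer.EXE[3396] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[3396] WS2_32.dll!send 71A3428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[3396] WS2_32.dll!connect 71A3406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Citrix\PNAgent\pnagent.exe[2568] WS2_32.dll!recvfrom 71A32D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
.text C:\Programmi\Citrix\PNAgent\pnagent.exe[2568] WS2_32.dll!gethostbyname 71A34FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\System32\igfxtray.exe[3580] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00853090 C:\WINDOWS\System32\sockspy.dll

---- Devices - GMER 1.0.13 ----
"""

# Constructed fragment in the shape of the ComboFix registry dump posted later in the thread.
SAMPLE_COMBOFIX_FRAGMENT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll
"""


@dataclass(frozen=True)
class Hook:
    process: str   # full path of the hooked process
    pid: int
    module: str    # module whose export was patched, e.g. WS2_32.dll
    export: str    # patched export, e.g. send
    hooker: str    # full path of the module the JMP lands in


def parse_hooks(gmer_text):
    """Return every user-mode inline hook in the GMER text, in log order."""
    hooks = []
    for line in gmer_text.splitlines():
        m = HOOK_LINE.match(line.strip())
        if m:
            hooks.append(Hook(m["process"], int(m["pid"]), m["module"], m["export"], m["hooker"]))
    return hooks


def parse_appinit_dlls(combofix_text):
    """Return the DLL names/paths listed in AppInit_DLLs, lower-cased (empty if unset)."""
    m = APPINIT_LINE.search(combofix_text)
    if not m:
        return []
    # The value is a space- or comma-separated list of DLL names or paths.
    return [name.lower() for name in re.split(r"[ ,]+", m["value"].strip()) if name]


def summarize(hooks, appinit_dlls=()):
    """Group hooks by hooking module; flag Winsock hooking and AppInit_DLLs injection.

    Maps the hooker's lower-cased path to {"exports", "pids", "winsock", "appinit"}.
    """
    by_hooker = defaultdict(lambda: {"exports": set(), "pids": set()})
    for h in hooks:
        entry = by_hooker[h.hooker.lower()]
        entry["exports"].add(f"{h.module}!{h.export}")
        entry["pids"].add(h.pid)
    appinit = {d.lower() for d in appinit_dlls}
    for path, entry in by_hooker.items():
        basename = path.rsplit("\\", 1)[-1]
        entry["winsock"] = any(e.split("!", 1)[1].lower() in WINSOCK_EXPORTS
                               for e in entry["exports"])
        # AppInit_DLLs may hold a bare name (resolved from System32) or a full path.
        entry["appinit"] = basename in appinit or path in appinit
    return dict(by_hooker)


def suspicious_hookers(summary):
    """Paths of modules that hook Winsock in more than one process or ride AppInit_DLLs."""
    return sorted(p for p, e in summary.items()
                  if (e["winsock"] and len(e["pids"]) > 1) or e["appinit"])


def triage_sample():
    """Run the helper over the constructed samples and return the summary."""
    hooks = parse_hooks(SAMPLE_GMER_LOG)
    return summarize(hooks, parse_appinit_dlls(SAMPLE_COMBOFIX_FRAGMENT))


if __name__ == "__main__":
    summary = triage_sample()
    flagged = set(suspicious_hookers(summary))
    for path, e in summary.items():
        flag = "SUSPICIOUS" if path in flagged else "ok"
        print(f"{flag:10} {path}  pids={sorted(e['pids'])}  winsock={e['winsock']}  "
              f"appinit={e['appinit']}\n           exports={sorted(e['exports'])}")
```

Feed it the full GMER log and the ComboFix registry section and the one module hooking Winsock in every process while listed under AppInit_DLLs is reported first; legitimate hooking products (a single process, no Winsock, not in AppInit_DLLs) stay unflagged.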

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Posted by Luke57 » 07/01/08 16:06

Hi, download avenger to the desktop
http://swandog46.geekstogo.com/avenger.zip
Extract the archive
Run the file avenger.exe
Select the "Input Script Manually" option
Click the magnifying glass

A "View/edit script" window opens
Inside the white box, copy and paste the following text:



files to delete:
C:\WINDOWS\system32\cryptsv.dll

registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\\Browser Helper Objects\ {AFE33DBB-1B56-4FDA-9E02-1B01F1F39F6B}

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


Click the Done button
Click the green traffic-light icon
Answer OK and then Yes.
The PC should reboot on its own; if it does not, reboot it manually.
Then post the log generated by avenger; you will find it in C:\avenger.txt, it is a text file.

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Posted by shenandoa » 07/01/08 18:09

No luck...
what's more, BitDefender is "expired" :(


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gfmufrhy

*******************

Script file located at: \??\C:\WINDOWS\hhlhhmfa.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\system32\cryptsv.dll for deletion
Deletion of file C:\WINDOWS\system32\cryptsv.dll failed!

Could not process line:
C:\WINDOWS\system32\cryptsv.dll
Status: 0xc0000022



Could not open registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\\Browser Helper Objects\ {AFE33DBB-1B56-4FDA-9E02-1B01F1F39F6B} for deletion
Deletion of registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\\Browser Helper Objects\ {AFE33DBB-1B56-4FDA-9E02-1B01F1F39F6B} failed!
Status: 0xc000000d

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Posted by robby17 » 07/01/08 19:10

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19.04.04, on 07/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Roberto\Desktop\Collegamenti desktop inutilizzati\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goglee.it/
O2 - BHO: (no name) - {379F6C30-56F5-48DC-8082-B5B141EF1906} - C:\WINDOWS\system32\ati3duagf.dll
O2 - BHO: (no name) - {3BE21349-6DE5-4214-9001-F898535C366A} - c:\windows\system32\ecbtegt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9EF56D0-4062-4B19-8F3C-579FBE12F150}: NameServer = 85.37.17.47 85.38.28.82
O20 - Winlogon Notify: zhgyagze - C:\WINDOWS\SYSTEM32\ecbtegt.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://digilander.libero.it/sfondigratuiti/cartoon4.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Roberto/IMPOST~1/Temp/msohtml1/03/clip_image001.gif
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/Roberto/IMPOST~1/Temp/msohtml1/01/clip_image001.gif

--
End of file - 2941 bytes
Hi guys, I posted the log, already analysed and cleaned; there is surely still other junk picked up by my three-year-old daughter who plays on the internet.. damn. Thanks

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Posted by Luke57 » 07/01/08 22:09

@ robby17 and @ shenandoa
Download the file combofix.exe from here http://www.techsupportforum.com/sect...s/ComboFix.exe
or from here
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
SAVE IT TO THE DESKTOP
Double-click combofix.exe and follow the on-screen instructions (do not do anything else during the scan)
When it has finished, it will create a log file in C:
Post the log C:\combofix.txt here.
Bear in mind that during the scan some files will be created on the desktop and will then disappear automatically.
During the scan all the desktop icons will disappear
During the scan the firewall may warn you that some drivers are being removed (if so, allow it)

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Posted by shenandoa » 08/01/08 09:11

As requested....

ComboFix 08-01-07.5 - XXXXXXXX 2008-01-08 9.04.04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.163 [GMT 1:00]
Eseguito da: C:\Documents and Settings\XXXXXXXX\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((( Files Creati Da 2007-12-08 al 2008-01-08 )))))))))))))))))))))))))))))))))))
.

2008-01-08 09:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 02:12 . 2008-01-07 19:18 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-01-06 01:47 . 2008-01-06 01:47 <DIR> d-------- C:\Documents and Settings\XXXXXXXX\Dati applicazioni\Bitdefender
2008-01-06 01:39 . 2008-01-06 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\BitDefender
2008-01-06 01:15 . 2008-01-06 01:26 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-05 23:13 . 19,456 C:\WINDOWS\system32\drivers\nzvwmjpy.dat
2008-01-05 23:12 . 2004-08-19 14:39 84,992 --a------ C:\WINDOWS\system32\cryptsv.dll
2007-12-29 18:53 . 2007-12-29 18:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 18:53 . 2007-12-29 18:53 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 07:59 --------- d-----w C:\Programmi\Launch Manager
2008-01-06 22:42 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll
2007-10-25 09:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFE33DBB-1B56-4FDA-9E02-1B01F1F39F6B}]
2004-08-19 14:39 84992 --a------ C:\WINDOWS\system32\cryptsv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 18:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 18:51 118784]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 10:52 40960]
"BgInfo"="c:\windows\bginfo.exe" [2004-09-22 14:46 741421]
"LManager"="C:\Programmi\Launch Manager\QtZgAcer.EXE" [2004-07-05 11:52 315392]
"IntelZeroConfig"="C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 23:38 802816]
"IntelWireless"="C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 23:32 696320]
"bgsmsnd.exe"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe" [2006-05-06 10:58 151552]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2004-09-14 10:42 98304]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 07:49 217088]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"BDMCon"="C:\Programmi\Softwin\BitDefender10\bdmcon.exe" [2008-01-06 01:54 290816]
"BDAgent"="C:\Programmi\Softwin\BitDefender10\bdagent.exe" [2008-01-06 01:54 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 14:39 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Bluetooth Manager.lnk - C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 10:11:42]
Post-it© Software Notes Lite.lnk - C:\Programmi\3M\PSNLite\PsnLite.exe [2004-06-02 12:04:58]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2007-08-01 07:56:34]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-08-07 16:26:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" -atboottime

R0 ojyhhhgw;ojyhhhgw;C:\WINDOWS\system32\drivers\nzvwmjpy.dat []
R1 SMBHC;Driver del controller host del bus di gestione sistema Microsoft;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 21:57]
R3 SMBBATT;Driver di Microsoft Smart Battery;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-03 22:07]
S3 pwalker;Process Walker Driver;C:\DOCUME~1\XXXXXXXX\IMPOST~1\Temp\nsb30.tmp\pwalker.sys []

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 09:06:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Scan end time: 2008-01-08 9.06.49

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by Luke57 » 08/01/08 11:12

@shenandoa
Hi, take this code:

File::
C:\WINDOWS\system32\drivers\nzvwmjpy.dat
C:\WINDOWS\system32\cryptsv.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFE33DBB-1B56-4FDA-9E02-1B01F1F39F6B}]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ojyhhhgw]



copy it and paste it into a text file, which you must name CFScript.txt.
Then drag that file with the mouse onto the ComboFix icon, wait for the new scan to finish (and for the reboot, if any), and post the new report it generates.

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by shenandoa » 08/01/08 12:01

Done... let me know :-?

Curiosity:
Is the Process Walker Driver part of ComboFix... or is it something to worry about?!??


ComboFix 08-01-07.5 - XXXXXXXX 2008-01-08 11:37:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.159 [GMT 1:00]
Running from: C:\Documents and Settings\XXXXXXXX\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\XXXXXXXX\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\cryptsv.dll
C:\WINDOWS\system32\drivers\nzvwmjpy.dat
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cryptsv.dll
C:\WINDOWS\system32\drivers\nzvwmjpy.dat

.
((((((((((((((((((((((((( Files Created From 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))))))
.

2008-01-08 09:02 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-06 02:12 . 2008-01-08 11:40 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-01-06 01:47 . 2008-01-06 01:47 <DIR> d-------- C:\Documents and Settings\XXXXXXXX\Dati applicazioni\Bitdefender
2008-01-06 01:39 . 2008-01-06 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\BitDefender
2008-01-06 01:15 . 2008-01-06 01:26 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-29 18:53 . 2007-12-29 18:53 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-29 18:53 . 2007-12-29 18:53 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 10:35 --------- d-----w C:\Programmi\Launch Manager
2007-10-25 09:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty values & legitimate/default ones are not shown.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 18:55 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-02-10 18:51 118784]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 10:52 40960]
"BgInfo"="c:\windows\bginfo.exe" [2004-09-22 14:46 741421]
"LManager"="C:\Programmi\Launch Manager\QtZgAcer.EXE" [2004-07-05 11:52 315392]
"IntelZeroConfig"="C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 23:38 802816]
"IntelWireless"="C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 23:32 696320]
"bgsmsnd.exe"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe" [2006-05-06 10:58 151552]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2004-09-14 10:42 98304]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 07:49 217088]
"Adobe Reader Speed Launcher"="C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"BDMCon"="C:\Programmi\Softwin\BitDefender10\bdmcon.exe" [2008-01-06 01:54 290816]
"BDAgent"="C:\Programmi\Softwin\BitDefender10\bdagent.exe" [2008-01-06 01:54 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 14:39 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Bluetooth Manager.lnk - C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-06-16 10:11:42]
Post-it© Software Notes Lite.lnk - C:\Programmi\3M\PSNLite\PsnLite.exe [2004-06-02 12:04:58]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [2007-08-01 07:56:34]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-08-07 16:26:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" -atboottime

R1 SMBHC;Driver del controller host del bus di gestione sistema Microsoft;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 21:57]
R3 SMBBATT;Driver di Microsoft Smart Battery;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2004-08-03 22:07]
S3 pwalker;Process Walker Driver;C:\DOCUME~1\XXXXXXXX\IMPOST~1\Temp\nsb30.tmp\pwalker.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 11:42:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sockspy.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\sockspy.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\sockspy.dll
.
Scan end time: 2008-01-08 11:45:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-08 10:44:47
ComboFix2.txt 2008-01-08 08:06:50
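The two ComboFix reports above (the one Luke57 wrote the CFScript for, and the one posted after running it) show the three load points this infection used: a Browser Helper Object pointing at cryptsv.dll, a kernel driver service (ojyhhhgw) whose image is a .dat file under system32\drivers, and an AppInit_DLLs value that maps sockspy.dll into winlogon.exe, lsass.exe and Explorer.EXE. Worth noticing: the post-script report marks sockspy.dll as "disabled during the run" yet still lists it under AppInit_DLLs and inside those three processes, so that value deserves a second look after the reboot. The script below is an added example, not code from the thread, from ComboFix or from BitDefender: it parses lines of the kind ComboFix prints (the sample is constructed from the reports above), flags suspicious load points with the heuristics stated in the comments (those heuristics are this example's assumptions, not ComboFix's rules), and emits a CFScript with the same File:: and Registry:: sections Luke57 used. The `~` in the BHO key is ComboFix's own abbreviation and is accepted as-is in a CFScript, as the thread's script shows.

```python
import re

# Constructed sample: lines copied (display name shortened) from the ComboFix reports in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFE33DBB-1B56-4FDA-9E02-1B01F1F39F6B}]
2004-08-19 14:39 84992 --a------ C:\WINDOWS\system32\cryptsv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

R0 ojyhhhgw;ojyhhhgw;C:\WINDOWS\system32\drivers\nzvwmjpy.dat []
R1 SMBHC;Driver del controller host;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 21:57]
S3 pwalker;Process Walker Driver;C:\DOCUME~1\XXXXXXXX\IMPOST~1\Temp\nsb30.tmp\pwalker.sys []

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sockspy.dll
"""

BHO_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+ \S+ (.+)$")
APPINIT = re.compile(r'^"AppInit_DLLs"=(.*)$')
SERVICE = re.compile(r"^[RS]\d ([^;]+);([^;]*);(.+?) \[(.*)\]$")   # name;display;image [stamp]
PROCESS = re.compile(r"^PROCESS: (.+?)(?: \[[^\]]*\])?$")
INJECTED = re.compile(r"^-> (.+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_report(text):
    """Collect BHOs, AppInit_DLLs, driver/service lines and the
    'DLLs Loaded Under Running Processes' section from ComboFix output."""
    data = {"bhos": [], "appinit": "", "services": [], "injected": {}}
    clsid = proc = None          # BHO key awaiting its DLL line / current process
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := BHO_KEY.match(line):
            clsid = m.group(1)   # ComboFix prints the DLL path on the next line
        elif clsid and (m := FILE_LINE.match(line)):
            data["bhos"].append({"clsid": clsid, "path": m.group(1)})
            clsid = None
        elif m := APPINIT.match(line):
            data["appinit"] = m.group(1).strip()
        elif m := SERVICE.match(line):
            data["services"].append(dict(zip(("name", "display", "path", "stamp"), m.groups())))
        elif m := PROCESS.match(line):
            proc = basename(m.group(1))
        elif proc and (m := INJECTED.match(line)):
            data["injected"].setdefault(basename(m.group(1)).lower(), []).append(proc)
    return data


def service_reasons(svc):
    """Heuristics (this example's assumptions, not ComboFix's) for one R*/S* line."""
    reasons = []
    if not svc["path"].lower().endswith(".sys"):
        reasons.append("kernel driver image with a non-.sys extension")
    if svc["name"] == svc["display"]:
        reasons.append("display name is just the service name repeated")
    if not svc["stamp"]:
        reasons.append("ComboFix could not stamp the image (file missing or locked)")
    return reasons


def analyze(data):
    """Findings carry an action: 'remove' (goes into the CFScript) or
    'review' (reported, but left for a human to decide)."""
    findings = []
    for bho in data["bhos"]:
        if "\\system32\\" in bho["path"].lower():   # assumption: real add-ons live under Program Files
            findings.append({"kind": "bho", "target": bho["path"], "clsid": bho["clsid"],
                             "action": "remove", "reasons": ["BHO DLL dropped straight into system32"]})
    for dll in filter(None, re.split(r"[ ,]+", data["appinit"])):
        reasons = ["AppInit_DLLs maps this DLL into every process that loads user32.dll"]
        if hosts := data["injected"].get(dll.lower()):
            reasons.append("confirmed resident in: " + ", ".join(hosts))
        findings.append({"kind": "appinit", "target": dll, "action": "review", "reasons": reasons})
    for svc in data["services"]:
        if reasons := service_reasons(svc):
            action = "review" if svc["path"].lower().endswith(".sys") else "remove"
            findings.append({"kind": "service", "target": svc["path"], "name": svc["name"],
                             "action": action, "reasons": reasons})
    return findings


def build_cfscript(findings):
    """Emit the File:: and Registry:: sections ComboFix reads from CFScript.txt;
    only 'remove' findings go in."""
    files, keys = [], []
    for f in findings:
        if f["action"] != "remove":
            continue
        files.append(f["target"])
        if f["kind"] == "bho":
            keys.append("[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + f["clsid"] + "]")
        elif f["kind"] == "service":
            keys.append("[-HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\" + f["name"] + "]")
    return "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(keys) + "\n"


if __name__ == "__main__":
    found = analyze(parse_report(SAMPLE_LOG))
    for f in found:
        print(f"[{f['action']}] {f['kind']} {f['target']}: " + "; ".join(f["reasons"]))
    print("\n" + build_cfscript(found), end="")
```

On the sample, the generated CFScript matches Luke57's line for line. The two "review" items are kept out of it on purpose: pwalker.sys is flagged only because it has no timestamp (Luke57 later identifies it as ComboFix's own rootkit detector, a reminder that these heuristics produce false positives), and the AppInit_DLLs entry needs the registry value cleared rather than a file deletion, which the File:: section alone does not do.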

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by Luke57 » 08/01/08 12:58

Hi, it looks like it worked; that process is a rootkit detector and is also included in systemscan.

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by shenandoa » 08/01/08 13:54

Thanks a lot!!!
... your help is always invaluable.

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by robby17 » 09/01/08 00:33

OK, all done, now I'm posting the log.

ComboFix 08-01-09.2 - Roberto 2008-01-08 21.59.38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.164 [GMT 1:00]
Running from: C:\Documents and Settings\Roberto\Impostazioni locali\Temporary Internet Files\Content.IE5\DTBVY9FX\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Dati applicazioni.\Starware
C:\Documents and Settings\Roberto\Dati applicazioni\setup_it[1].exe
C:\Programmi\GamesBar\oberontb.dll
C:\WINDOWS\hosts
C:\WINDOWS\system32\ati3duagf.dll . . . . Deletion Failed
C:\WINDOWS\system32\ECBTEGt.dll . . . . Deletion Failed

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SWOJDSXL
-------\swojdsxl


((((((((((((((((((((((((( Files Created From 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))))))
.

2008-01-08 21:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 21:39 . 2008-01-08 21:39 268 --ah-c--- C:\sqmdata02.sqm
2008-01-08 21:39 . 2008-01-08 21:39 244 --ah-c--- C:\sqmnoopt02.sqm
2008-01-07 21:59 . 2008-01-07 21:59 244 --ah-c--- C:\sqmnoopt01.sqm
2008-01-07 21:59 . 2008-01-07 21:59 232 --ah-c--- C:\sqmdata01.sqm
2008-01-06 01:09 . 2008-01-06 01:09 268 --ah-c--- C:\sqmdata00.sqm
2008-01-06 01:09 . 2008-01-06 01:09 244 --ah-c--- C:\sqmnoopt00.sqm
2008-01-03 23:42 . 2007-05-07 15:11 42,112 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-01-03 23:42 . 2007-06-20 14:57 17,920 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-01-03 23:42 . 2007-01-23 20:03 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2008-01-03 23:42 . 2006-12-06 18:33 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2008-01-03 23:42 . 2008-01-03 23:42 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-01-03 23:42 . 2008-01-03 23:42 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-01-03 23:40 . 2008-01-03 23:40 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-03 23:40 . 2008-01-03 23:40 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-01-03 23:39 . 2006-11-13 15:36 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-01-03 23:39 . 2007-06-20 14:57 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-01-03 23:38 . 2008-01-03 23:38 <DIR> d-------- C:\Programmi\Motorola
2008-01-03 23:38 . 2008-01-03 23:38 <DIR> d-------- C:\Programmi\File comuni\Motorola Shared
2007-12-23 17:19 . 2007-12-23 17:19 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-13 16:33 . 2007-12-13 16:33 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-13 16:33 . 2007-12-13 16:33 741,632 --a------ C:\WINDOWS\system32\ohnjkjnw.dat
2007-12-13 16:33 . 2007-12-13 16:33 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-12-13 16:33 . 2007-12-18 16:41 42,240 --a------ C:\WINDOWS\system32\kxsfclpk.dat
2007-12-13 16:33 . 2007-12-15 16:17 36,096 --a------ C:\WINDOWS\system32\axcsrynt.dat
2007-12-13 16:33 . 2007-12-13 16:33 35,072 --a------ C:\WINDOWS\system32\lqcnautk.dat
2007-12-12 16:25 . 2007-12-26 19:39 120,576 --a------ C:\WINDOWS\system32\dcqkuksv.dat
2007-12-12 16:11 . 2008-01-09 22:05 84,992 --a------ C:\WINDOWS\system32\ecbtegt.dll
2007-12-12 16:11 . 2007-12-12 16:10 17,408 --a------ C:\WINDOWS\system32\vcv.exe
2007-12-12 16:10 . 19,584 C:\WINDOWS\system32\drivers\eszhdixj.dat
2007-12-12 16:09 . 2004-08-19 23:39 84,992 --a------ C:\WINDOWS\system32\ati3duagf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 21:04 --------- d-----w C:\Programmi\GamesBar
2008-01-07 19:55 --------- d-----w C:\Programmi\Spyware Cleaner
2008-01-05 18:32 --------- d-----w C:\Programmi\File comuni\ToolSicuro
2008-01-04 12:12 --------- d-----w C:\Programmi\eMule
2007-12-17 21:05 --------- d-----w C:\Programmi\Lexmark X1100 Series
2007-12-09 09:32 --------- dc--a-w C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2007-12-08 18:55 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\BigFishGamesCache
2007-12-08 18:55 --------- d-----w C:\Programmi\Plant Tycoon
2007-12-08 18:48 --------- d-----w C:\Programmi\bfgclient
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 -c--a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 -c--a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 -c--a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 -c--a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-30 18:38 --------- d-----w C:\Programmi\Windows Live Toolbar
2007-11-30 18:38 --------- d-----w C:\Programmi\Windows Live Favorites
2007-11-27 20:15 --------- d-----w C:\Programmi\IceCreamTycoon_at
2007-11-26 10:36 --------- d-----w C:\Programmi\iTunes
2007-11-26 10:36 --------- d-----w C:\Programmi\iPod
2007-11-26 10:34 --------- d-----w C:\Programmi\QuickTime
2007-11-26 10:32 --------- d-----w C:\Programmi\Apple Software Update
2007-11-26 10:31 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\Apple
2007-11-26 10:31 --------- d-----w C:\Programmi\File comuni\Apple
2007-11-25 15:05 --------- d-----w C:\Programmi\Fish Tycoon
2007-11-24 18:54 --------- d-----w C:\Programmi\Shockwave.com
2007-11-23 15:28 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\Yahoo! Companion
2007-11-23 15:28 --------- d-----w C:\Documents and Settings\Roberto\Dati applicazioni\Yahoo!
2007-11-23 15:10 --------- d-----w C:\Programmi\Yahoo!
2007-11-23 14:59 --------- d-----w C:\Programmi\Google
2007-11-20 19:53 --------- d-----w C:\Programmi\InstallShield Installation Information
2007-11-20 19:48 --------- d-----w C:\Programmi\Gamenext
2007-11-20 19:47 --------- d-----w C:\Programmi\Zylom Games
2007-11-19 21:54 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\GamesBar
2007-11-18 21:47 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\Sandlot Games
2007-11-18 09:47 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\Fugazo
2007-11-17 14:34 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\Zylom
2007-11-17 14:34 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\PlayFirst
2007-11-17 14:34 --------- d-----w C:\Documents and Settings\Roberto\Dati applicazioni\Zylom
2007-11-17 14:34 --------- d-----w C:\Documents and Settings\Roberto\Dati applicazioni\PlayFirst
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 15:25 --------- d-----w C:\Programmi\RSVP
2007-11-09 22:16 --------- d-----w C:\Programmi\Turtle Odyssey 2
2007-11-09 22:16 --------- d-----w C:\Programmi\Secrets Of Great Art
2007-11-09 22:15 --------- d-----w C:\Programmi\Sallys Salon
2007-11-09 22:15 --------- d-----w C:\Programmi\Games
2007-11-09 22:15 --------- d-----w C:\Programmi\Fairy Godmother Tycoon
2007-11-09 22:14 --------- d-----w C:\Programmi\Puppy Luv
2007-11-09 22:07 --------- d-----w C:\Programmi\ToolSicuro
2007-11-09 22:05 --------- d-----w C:\Programmi\Abra Academy
2007-11-09 21:58 --------- d-----w C:\Documents and Settings\Roberto\Dati applicazioni\toolsicuro
2007-11-09 13:26 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\Trymedia
2007-11-09 13:19 --------- d-----w C:\Documents and Settings\Roberto\Dati applicazioni\My Games
2007-11-09 09:19 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\ScreenSeven
2007-11-09 07:35 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2007-10-18 22:07 44,728 -c--a-w C:\Documents and Settings\Roberto\Dati applicazioni\GDIPFONTCACHEV1.DAT
2006-11-30 21:19 24,192 -c--a-w C:\Documents and Settings\Roberto\usbsermptxp.sys
2006-11-30 21:19 22,768 -c--a-w C:\Documents and Settings\Roberto\usbsermpt.sys
2005-08-27 21:03 524,300 -c--a-w C:\Documents and Settings\Roberto\Dati applicazioni\position.bin
2004-04-09 13:02 26,065 -c--a-w C:\Programmi\documenti.rtf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty values & legitimate/default ones are not shown.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{379F6C30-56F5-48DC-8082-B5B141EF1906}]
2004-08-19 23:39 84992 --a------ C:\WINDOWS\system32\ati3duagf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BE21349-6DE5-4214-9001-F898535C366A}]
2008-01-09 22:05 84992 --a------ c:\windows\system32\ecbtegt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 23:39 15360]
"msnmsgr"="C:\PROGRA~1\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-19 23:39 397824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Programmi\QuickTime\qttask.exe

R0 ffmqsfbi;ffmqsfbi;C:\WINDOWS\system32\drivers\eszhdixj.dat []
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-30 23:08]
S2 gafwload;IPM Datacom USB ADSL Loader;C:\WINDOWS\system32\DRIVERS\gafwload.sys [2001-08-21 20:04]
S3 gAGP440p;gAGP440p;C:\DOCUME~1\Roberto\IMPOST~1\Temp\gAGP440p.sys []
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-06-20 14:57]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 20:03]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-20 14:57]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 21:28]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,36
.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 10:32:51 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
"2007-11-30 18:38:53 C:\WINDOWS\Tasks\Verifica aggiornamenti per Windows Live Toolbar.job"
- C:\Programmi\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 22:11:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Scan end time: 2008-01-09 22:14:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-09 21:14:04
.
2007-12-12 16:45:06 --- E O F ---

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by robby17 » 09/01/08 00:41

And here again is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 0.38.53, on 10/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\HiJackThis_v2.exe

O2 - BHO: (no name) - {379F6C30-56F5-48DC-8082-B5B141EF1906} - C:\WINDOWS\system32\ati3duagf.dll
O2 - BHO: (no name) - {3BE21349-6DE5-4214-9001-F898535C366A} - c:\windows\system32\ecbtegt.dll
O20 - Winlogon Notify: zhgyagze - C:\WINDOWS\SYSTEM32\ecbtegt.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://digilander.libero.it/sfondigratuiti/cartoon4.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Roberto/IMPOST~1/Temp/msohtml1/03/clip_image001.gif
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/Roberto/IMPOST~1/Temp/msohtml1/01/clip_image001.gif

--
End of file - 2670 bytes
That is the HijackThis log. Thanks for the help. :) Bye, talk to you soon.
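robby17's ComboFix run ends with "Deletion Failed" for ati3duagf.dll and ecbtegt.dll, and the HijackThis log above shows why those files are busy: both are registered as Browser Helper Objects (O2), and ecbtegt.dll is additionally a Winlogon Notify package (O20, registered under the name zhgyagze). A Notify DLL is mapped into winlogon.exe at boot, and winlogon.exe does not exit on a running system, so the file cannot be deleted until that key is gone and the machine has rebooted. The example below is added here and is not code from the thread, from HijackThis or from ComboFix: it cross-references the HijackThis O2/O20 items with ComboFix's deletion results and reports, for each file that would not delete, which load points still reference it, which processes keep it mapped and which keys have to go first. The host-process mapping and the registry paths behind O2 and O20 are this example's own, based on how those load points work on Windows XP; the sample lines are copied from the reports posted above (note that the two tools print the DLL name in different case).

```python
import re

# Constructed sample: HijackThis items and ComboFix deletion results from robby17's reports.
HJT_LOG = r"""
O2 - BHO: (no name) - {379F6C30-56F5-48DC-8082-B5B141EF1906} - C:\WINDOWS\system32\ati3duagf.dll
O2 - BHO: (no name) - {3BE21349-6DE5-4214-9001-F898535C366A} - c:\windows\system32\ecbtegt.dll
O20 - Winlogon Notify: zhgyagze - C:\WINDOWS\SYSTEM32\ecbtegt.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
"""

COMBOFIX_LOG = r"""
C:\WINDOWS\system32\ati3duagf.dll . . . . Eliminazione Fallita
C:\WINDOWS\system32\ECBTEGt.dll . . . . Eliminazione Fallita
C:\Programmi\GamesBar\oberontb.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
# ComboFix prints the marker localized; the Italian report above says "Eliminazione Fallita".
FAILED_RE = re.compile(r"^(.+?) \. \. \. \. (?:Eliminazione Fallita|Deletion Failed)$")

# Standard registry locations behind HijackThis O2 and O20 items (assumed here, not read from the log).
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def parse_hjt(text):
    """One record per O2/O20 item: DLL path, processes it is mapped into, key that registers it."""
    items = []
    for line in text.splitlines():
        if m := O2_RE.match(line):
            items.append({"kind": "O2", "name": m.group(1), "path": m.group(3),
                          "hosts": ["iexplore.exe", "explorer.exe"],   # BHOs load in IE and the shell
                          "key": BHO_KEY + "\\" + m.group(2)})
        elif m := O20_RE.match(line):
            items.append({"kind": "O20", "name": m.group(1), "path": m.group(2),
                          "hosts": ["winlogon.exe"],                   # Notify packages load in winlogon
                          "key": NOTIFY_KEY + "\\" + m.group(1)})
    return items


def parse_failed_deletions(text):
    return [m.group(1) for m in map(FAILED_RE.match, text.splitlines()) if m]


def norm(path):
    """Windows paths are case-insensitive; the two tools disagree on case."""
    return path.replace("/", "\\").lower()


def explain_failures(hjt_items, failed):
    """For every file ComboFix could not delete: the load points still pointing at it,
    the processes they put it into, and the keys that must be removed first."""
    report = {}
    for path in failed:
        hits = [it for it in hjt_items if norm(it["path"]) == norm(path)]
        hosts = sorted({h for it in hits for h in it["hosts"]})
        report[path] = {
            "load_points": [it["kind"] + ":" + it["name"] for it in hits],
            "resident_in": hosts,
            "keys_to_remove": [it["key"] for it in hits],
            # winlogon.exe never exits on a running XP box: the file only frees up after a reboot
            "needs_reboot": "winlogon.exe" in hosts,
        }
    return report


if __name__ == "__main__":
    rep = explain_failures(parse_hjt(HJT_LOG), parse_failed_deletions(COMBOFIX_LOG))
    for path, info in rep.items():
        print(path)
        for k, v in info.items():
            print(f"  {k}: {v}")
```

For ecbtegt.dll the report lists both the BHO CLSID key and the Notify\zhgyagze key; the CFScript posted for this case below removes the two BHO keys and the ffmqsfbi service but not the Notify key, and the next ComboFix run again reports both deletions as failed.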

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by Luke57 » 09/01/08 11:39

@robby17

Hi, take this code:

File::
C:\WINDOWS\system32\ohnjkjnw.dat
C:\WINDOWS\system32\kxsfclpk.dat
C:\WINDOWS\system32\axcsrynt.dat
C:\WINDOWS\system32\lqcnautk.dat
C:\WINDOWS\system32\dcqkuksv.dat
C:\WINDOWS\system32\drivers\eszhdixj.dat
C:\WINDOWS\system32\ati3duagf.dll
c:\windows\system32\ecbtegt.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{379F6C30-56F5-48DC-8082-B5B141EF1906}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BE21349-6DE5-4214-9001-F898535C366A}]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ffmqsfbi]


copy it and paste it into a text file, which you must name CFScript.txt.
Then drag that file with the mouse onto the ComboFix icon, wait for the new scan to finish (and for the reboot, if any), and post the new report it generates.

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by robby17 » 09/01/08 13:58

OK, the code, I'll find it in the Combo log, OK. I wanted to ask about the antivirus: Avast, which I downloaded years ago from your forum, is it good and reliable, or are there other more reliable ones, still free...

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by Luke57 » 09/01/08 16:00

@robby17
Hi, maybe I didn't explain myself: copy the code, open a text file (Start > Run > notepad.exe > OK), paste the code into it, save the text file in the same folder as ComboFix and name it, without exception, CFScript.txt.
Having done that, drag that file with the mouse pointer onto the ComboFix icon and wait for the new scan.

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by robby17 » 10/01/08 00:51

OK, I think I did it right. Thanks for now :)

ComboFix 08-01-10.2 - Roberto 2008-01-11 0.39.22.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1040.18.250 [GMT 1:00]
Running from: C:\Documents and Settings\Roberto\Desktop\Collegamenti desktop inutilizzati\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ati3duagf.dll . . . . Deletion Failed
C:\WINDOWS\system32\ecbtegt.dll . . . . Deletion Failed

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\swojdsxl


((((((((((((((((((((((((( Files Created From 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))))))
.

2008-01-10 00:36 . 2008-01-07 19:02 1,308,216 --a--c--- C:\HiJackThis_v2.exe
2008-01-08 21:55 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 21:39 . 2008-01-08 21:39 268 --ah-c--- C:\sqmdata02.sqm
2008-01-08 21:39 . 2008-01-08 21:39 244 --ah-c--- C:\sqmnoopt02.sqm
2008-01-07 21:59 . 2008-01-07 21:59 244 --ah-c--- C:\sqmnoopt01.sqm
2008-01-07 21:59 . 2008-01-07 21:59 232 --ah-c--- C:\sqmdata01.sqm
2008-01-06 01:09 . 2008-01-06 01:09 268 --ah-c--- C:\sqmdata00.sqm
2008-01-06 01:09 . 2008-01-06 01:09 244 --ah-c--- C:\sqmnoopt00.sqm
2008-01-03 23:42 . 2007-05-07 15:11 42,112 --a------ C:\WINDOWS\system32\drivers\motodrv.sys
2008-01-03 23:42 . 2007-06-20 14:57 17,920 --a------ C:\WINDOWS\system32\drivers\motccgp.sys
2008-01-03 23:42 . 2007-01-23 20:03 7,680 --a------ C:\WINDOWS\system32\drivers\motccgpfl.sys
2008-01-03 23:42 . 2006-12-06 18:33 6,400 --a------ C:\WINDOWS\system32\drivers\motswch.sys
2008-01-03 23:42 . 2008-01-03 23:42 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2008-01-03 23:42 . 2008-01-03 23:42 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2008-01-03 23:40 . 2008-01-03 23:40 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-03 23:40 . 2008-01-03 23:40 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-01-03 23:39 . 2006-11-13 15:36 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-01-03 23:39 . 2007-06-20 14:57 23,680 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-01-03 23:38 . 2008-01-03 23:38 <DIR> d-------- C:\Programmi\Motorola
2008-01-03 23:38 . 2008-01-03 23:38 <DIR> d-------- C:\Programmi\File comuni\Motorola Shared
2007-12-23 17:19 . 2007-12-23 17:19 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-13 16:33 . 2007-12-13 16:33 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-13 16:33 . 2007-12-13 16:33 741,632 --a------ C:\WINDOWS\system32\ohnjkjnw.dat
2007-12-13 16:33 . 2007-12-13 16:33 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-12-13 16:33 . 2007-12-18 16:41 42,240 --a------ C:\WINDOWS\system32\kxsfclpk.dat
2007-12-13 16:33 . 2007-12-15 16:17 36,096 --a------ C:\WINDOWS\system32\axcsrynt.dat
2007-12-13 16:33 . 2007-12-13 16:33 35,072 --a------ C:\WINDOWS\system32\lqcnautk.dat
2007-12-12 16:25 . 2007-12-26 19:39 120,576 --a------ C:\WINDOWS\system32\dcqkuksv.dat
2007-12-12 16:11 . 2008-01-11 00:42 84,992 --a------ C:\WINDOWS\system32\ecbtegt.dll
2007-12-12 16:11 . 2007-12-12 16:10 17,408 --a------ C:\WINDOWS\system32\vcv.exe
2007-12-12 16:10 . 19,584 C:\WINDOWS\system32\drivers\eszhdixj.dat
2007-12-12 16:09 . 2004-08-19 23:39 84,992 --a------ C:\WINDOWS\system32\ati3duagf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 21:04 --------- d-----w C:\Programmi\GamesBar
2008-01-07 19:55 --------- d-----w C:\Programmi\Spyware Cleaner
2008-01-05 18:32 --------- d-----w C:\Programmi\File comuni\ToolSicuro
2008-01-04 12:12 --------- d-----w C:\Programmi\eMule
2007-12-17 21:05 --------- d-----w C:\Programmi\Lexmark X1100 Series
2007-12-09 09:32 --------- dc--a-w C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2007-12-08 18:55 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\BigFishGamesCache
2007-12-08 18:55 --------- d-----w C:\Programmi\Plant Tycoon
2007-12-08 18:48 --------- d-----w C:\Programmi\bfgclient
2007-12-04 14:56 93,264 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 -c--a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 -c--a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 -c--a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 -c--a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-30 18:38 --------- d-----w C:\Programmi\Windows Live Toolbar
2007-11-30 18:38 --------- d-----w C:\Programmi\Windows Live Favorites
2007-11-27 20:15 --------- d-----w C:\Programmi\IceCreamTycoon_at
2007-11-26 10:36 --------- d-----w C:\Programmi\iTunes
2007-11-26 10:36 --------- d-----w C:\Programmi\iPod
2007-11-26 10:34 --------- d-----w C:\Programmi\QuickTime
2007-11-26 10:32 --------- d-----w C:\Programmi\Apple Software Update
2007-11-26 10:31 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\Apple
2007-11-26 10:31 --------- d-----w C:\Programmi\File comuni\Apple
2007-11-25 15:05 --------- d-----w C:\Programmi\Fish Tycoon
2007-11-24 18:54 --------- d-----w C:\Programmi\Shockwave.com
2007-11-23 15:28 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\Yahoo! Companion
2007-11-23 15:28 --------- d-----w C:\Documents and Settings\Roberto\Dati applicazioni\Yahoo!
2007-11-23 15:10 --------- d-----w C:\Programmi\Yahoo!
2007-11-23 14:59 --------- d-----w C:\Programmi\Google
2007-11-20 19:53 --------- d-----w C:\Programmi\InstallShield Installation Information
2007-11-20 19:48 --------- d-----w C:\Programmi\Gamenext
2007-11-20 19:47 --------- d-----w C:\Programmi\Zylom Games
2007-11-19 21:54 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\GamesBar
2007-11-18 21:47 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\Sandlot Games
2007-11-18 09:47 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\Fugazo
2007-11-17 14:34 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\Zylom
2007-11-17 14:34 --------- dc----w C:\Documents and Settings\All Users\Dati applicazioni\PlayFirst
2007-11-17 14:34 --------- d-----w C:\Documents and Settings\Roberto\Dati applicazioni\Zylom
2007-11-17 14:34 --------- d-----w C:\Documents and Settings\Roberto\Dati applicazioni\PlayFirst
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 15:25 --------- d-----w C:\Programmi\RSVP
2007-10-18 22:07 44,728 -c--a-w C:\Documents and Settings\Roberto\Dati applicazioni\GDIPFONTCACHEV1.DAT
2006-11-30 21:19 24,192 -c--a-w C:\Documents and Settings\Roberto\usbsermptxp.sys
2006-11-30 21:19 22,768 -c--a-w C:\Documents and Settings\Roberto\usbsermpt.sys
2005-08-27 21:03 524,300 -c--a-w C:\Documents and Settings\Roberto\Dati applicazioni\position.bin
2004-04-09 13:02 26,065 -c--a-w C:\Programmi\documenti.rtf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{379F6C30-56F5-48DC-8082-B5B141EF1906}]
2004-08-19 23:39 84992 --a------ C:\WINDOWS\system32\ati3duagf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BE21349-6DE5-4214-9001-F898535C366A}]
2008-01-11 00:42 84992 --a------ c:\windows\system32\ecbtegt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 23:39 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-19 23:39 397824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-14 23:43 286720 C:\Programmi\QuickTime\qttask.exe

R0 ffmqsfbi;ffmqsfbi;C:\WINDOWS\system32\drivers\eszhdixj.dat []
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-30 23:08]
S2 gafwload;IPM Datacom USB ADSL Loader;C:\WINDOWS\system32\DRIVERS\gafwload.sys [2001-08-21 20:04]
S3 gAGP440p;gAGP440p;C:\DOCUME~1\Roberto\IMPOST~1\Temp\gAGP440p.sys []
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-06-20 14:57]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 20:03]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-20 14:57]
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 21:28]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{c23dd370-cb79-11d2-898a-00c04f80a47f}]
rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\toolimg.inf,PerUserStub.Install,,36
.
Contents of the 'Scheduled Tasks' folder
"2007-11-26 10:32:51 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
"2007-11-30 18:38:53 C:\WINDOWS\Tasks\Verifica aggiornamenti per Windows Live Toolbar.job"
- C:\Programmi\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-11 00:45:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-11 0:48:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-10 23:47:58
ComboFix2.txt 2008-01-10 23:31:18
ComboFix3.txt 2008-01-09 21:14:10
.
2008-01-09 23:49:00 --- E O F ---
robby17 (Senior User, 144 posts, joined 06/01/06 23:06, Rimini)

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by Luke57 » 10/01/08 08:28

Hi, nothing happened:
Hi, try Dr.Web CureIt, it seems to remove the infection
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Run a full scan of the computer.
If that doesn't work,
download IceSword
http://www.majorgeeks.com/Icesword_d5199.html
Run the program, click on File, and the folder tree opens (like Windows Explorer); navigate until you find the following files, one at a time:
right-click on each of them and choose the Delete option:
C:\WINDOWS\system32\ohnjkjnw.dat
C:\WINDOWS\system32\kxsfclpk.dat
C:\WINDOWS\system32\axcsrynt.dat
C:\WINDOWS\system32\lqcnautk.dat
C:\WINDOWS\system32\dcqkuksv.dat
C:\WINDOWS\system32\drivers\eszhdixj.dat
C:\WINDOWS\system32\ati3duagf.dll
c:\windows\system32\ecbtegt.dll
Luke57 (Moderator, 6413 posts, joined 11/08/05 19:10)

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by robby17 » 10/01/08 22:30

OK, fine. I can't right now because I'm at work, so I'll try again tomorrow evening. But just to know, is it a nasty virus? So I can give my daughter a telling-off. Thanks :lol: :evil:

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by robby17 » 11/01/08 22:19

OK, I ran a scan with Dr.Web and it found no infected files. Now I'm posting the HijackThis log.. bye...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22.16.53, on 12/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\eMule\emule.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\internet explorer\iexplore.exe
C:\Documents and Settings\Roberto\Desktop\Collegamenti desktop inutilizzati\HiJackThis_v2.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - http://digilander.libero.it/sfondigratuiti/cartoon4.jpg
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/Roberto/IMPOST~1/Temp/msohtml1/03/clip_image001.gif
O24 - Desktop Component 2: (no name) - file:///C:/DOCUME~1/Roberto/IMPOST~1/Temp/msohtml1/01/clip_image001.gif

--
End of file - 2225 bytes

Re: Trojan.Spy.Bzub.NGP (cryptsv.dll)

Post by robby17 » 11/01/08 22:38

And this is the RegClean log: :D

Microsoft Windows XP Home Edition Service Pack 2
5.01 build 2600 Service Pack 2
Username: Roberto
In groups: LOCALE Administrators Everyone Users Nessuno INTERACTIVE Authenticated Users
2008/01/12 22:25:54:078: Application Version: 2.7.2912.576
2008/01/12 22:25:54:453: Module Version: 1.0.2911.800
2008/01/12 22:25:54:468: Switching to PIEInProc.
2008/01/12 22:25:54:578: dbuses was called, but is not defined in this dll version.
(the line above is repeated 25 times in the original log, timestamps 22:25:54:578 to 22:25:54:593)
2008/01/12 22:25:54:593: Database Version: 1.5.9 1196267138
2008/01/12 22:25:54:593: ===============================================================
2008/01/12 22:26:04:031: This version of RegClean is not registered.
2008/01/12 22:26:04:359: Finish Logging

