Aiuto: Downloader.agent.bkh

[Duke]

Ciao a tutti,
ho appena fatto una scansione con AVG anti-spyware 7.5 e mi ha trovato questo dialer: Downloader.agent.bkh che non riesco ad eliminare.
Se qualcuno ha un po' di tempo questo è il mio file log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16.35.49, on 14/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Mixer.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Hamlet\Adsl\dslstat.exe
C:\Program Files\Hamlet\Adsl\dslagent.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\mafnmbxot.exe
C:\WINDOWS\system\msnrav.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\System32\svch.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\MASTER\Desktop\Cristian\HiJackThis_v2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Hamlet\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Hamlet\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Office Monitor Word Exel R] C:\WINDOWS\System32\svch.exe
O4 - HKLM\..\Run: [Microsoft OCX] C:\WINDOWS\System32\mafnmbxot.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Office Monitor Word Exel R] C:\WINDOWS\System32\svch.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0EED6D2-BFF2-48FB-998E-318D24880F17}: NameServer = 212.216.112.112,212.216.172.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A93DEA-DF6D-4873-8229-6BBD2A28914B}: NameServer = 85.37.17.10 85.38.28.86
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Advance Service Process - Unknown owner - C:\Programmi\File comuni\System\MSASP32.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Integrated Windows Authentication - Unknown owner - C:\Programmi\File comuni\System\MSIWA32.exe (file missing)
O23 - Service: MSN RAV - Unknown owner - C:\WINDOWS\system\msnrav.exe

--
End of file - 4086 bytes

Grazie 1000....

[Luke57]

Ciao, Scarica The Avenger
http://swandog46.geekstogo.com/avenger.zip


Poi avvia il file Avenger.exe.
Seleziona l'opzione Input Script Manually, clicca sulla lente di ingrandimento e all'interno dello spazio bianco copia ed incolla questo script:


Registry keys to delete:
HKLM\System\CurrentControlSet\Services\Integrated Windows Authentication
HKLM\System\CurrentControlSet\Services\MSN RAV
HKLM\System\CurrentControlSet\Services\Advance Service Process

registry values to delete:
HKLM\Sofware\Microsoft\Windows\CurrentVersion\Run | Microsoft OCX
HKLM\Sofware\Microsoft\Windows\CurrentVersion\Run | Office Monitor Word Exel R


Files to delete:
C:\WINDOWS\System32\mafnmbxot.exe
C:\WINDOWS\system\msnrav.exe
C:\WINDOWS\System32\svch.exe
C:\Programmi\File comuni\System\MSIWA32.exe
C:\Programmi\File comuni\System\MSASP32.exe

Clicca sul pulsante Done
Adesso clicca sul semaforo con la luce verde
Rispondi Yes 2 volte
Il pc si dovrebbe riavviare,se non si riavvia,riavvialo manualmente

Al riavvio collegati e posta il contenuto del file C:\Avenger.txt

[Duke]

Ciao!
Ho fatto come hai detto, questo è il log di Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\imymjcww

*******************

Script file located at: \??\C:\WINDOWS\dfyonote.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\System\CurrentControlSet\Services\Integrated Windows Authentication deleted successfully.
Registry key HKLM\System\CurrentControlSet\Services\MSN RAV deleted successfully.


Registry key HKLM\System\CurrentControlSet\Services\Advance Service Process not found!
Deletion of registry key HKLM\System\CurrentControlSet\Services\Advance Service Process failed!

Could not process line:
HKLM\System\CurrentControlSet\Services\Advance Service Process
Status: 0xc0000034

File C:\WINDOWS\System32\mafnmbxot.exe deleted successfully.
File C:\WINDOWS\system\msnrav.exe deleted successfully.
File C:\WINDOWS\System32\svch.exe deleted successfully.
File C:\Programmi\File comuni\System\MSIWA32.exe deleted successfully.


File C:\Programmi\File comuni\System\MSASP32.exe not found!
Deletion of file C:\Programmi\File comuni\System\MSASP32.exe failed!

Could not process line:
C:\Programmi\File comuni\System\MSASP32.exe
Status: 0xc0000034



Could not delete registry value HKLM\Sofware\Microsoft\Windows\CurrentVersion\Run|Microsoft OCX
Deletion of registry value HKLM\Sofware\Microsoft\Windows\CurrentVersion\Run|Microsoft OCX failed!
Status: 0xc0000034



Could not delete registry value HKLM\Sofware\Microsoft\Windows\CurrentVersion\Run|Office Monitor Word Exel R
Deletion of registry value HKLM\Sofware\Microsoft\Windows\CurrentVersion\Run|Office Monitor Word Exel R failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Questo è il log di HiJackThis_v2:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20.54.04, on 14/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Mixer.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Hamlet\Adsl\dslstat.exe
C:\Program Files\Hamlet\Adsl\dslagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\utibixogd.exe
C:\Documents and Settings\MASTER\Desktop\Cristian\HiJackThis_v2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Hamlet\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Hamlet\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Office Monitor Word Exel R] C:\WINDOWS\System32\svch.exe
O4 - HKLM\..\Run: [Microsoft OCX] C:\WINDOWS\System32\utibixogd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Office Monitor Word Exel R] C:\WINDOWS\System32\svch.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0EED6D2-BFF2-48FB-998E-318D24880F17}: NameServer = 212.216.112.112,212.216.172.62
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 3581 bytes

[Luke57]

Ciao, fai controllare su virustotal questo file:
C:\WINDOWS\System32\utibixogd.exe

http://www.virustotal.com/it/
dopo l'analisi posta il report dei vari antivirus che lo hanno esaminato.

Apri hijackthis, disconnesso da internet e con le applicazioni chiuse, cerca e spunta queste voci:
O4 - HKLM\..\Run: [Office Monitor Word Exel R] C:\WINDOWS\System32\svch.exe
O4 - HKLM\..\Run: [Microsoft OCX] C:\WINDOWS\System32\utibixogd.exe

premi fix checked.

[Duke]

Ciao,
ho fixato la voce

O4 - HKLM\..\Run: [Office Monitor Word Exel R] C:\WINDOWS\System32\svch.exe

questa non l'hp trovata

O4 - HKLM\..\Run: [Microsoft OCX] C:\WINDOWS\System32\utibixogd.exe

se ti può essere utile ti posto il file log di hijackthis, come pui notare adesso c'è anche uno strano hp-1003.exe, l'homepage mi cambia sempre con il link che vedi sotto ed inoltre ho numerosi file "***.gif. scr" nel mio computer, se ci capisci qualcosa sei bravo...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13.45.52, on 15/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Mixer.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Hamlet\Adsl\dslstat.exe
C:\Program Files\Hamlet\Adsl\dslagent.exe
C:\WINDOWS\System32\tfklbclad.exe
C:\WINDOWS\System32\NSecurity.exe
C:\WINDOWS\System32\mdm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\hp-1003.exe
C:\Documents and Settings\MASTER\Desktop\Cristian\HiJackThis_v2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Hamlet\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Hamlet\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe
O4 - HKLM\..\Run: [Microsoft OCX] C:\WINDOWS\System32\tfklbclad.exe
O4 - HKLM\..\Run: [File Mapping Services] hp-1003.exe
O4 - HKLM\..\Run: [Microsoft Update] C:\WINDOWS\System32\mdm.exe
O4 - HKLM\..\RunServices: [File Mapping Services] hp-1003.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Office Monitor Word Exel R] C:\WINDOWS\System32\svch.exe
O4 - HKCU\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe
O4 - HKCU\..\Run: [File Mapping Services] hp-1003.exe
O4 - HKCU\..\Run: [Microsoft Update] C:\WINDOWS\System32\mdm.exe
O4 - HKCU\..\RunServices: [File Mapping Services] hp-1003.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [File Mapping Services] hp-1003.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [File Mapping Services] hp-1003.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [File Mapping Services] hp-1003.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0EED6D2-BFF2-48FB-998E-318D24880F17}: NameServer = 212.216.112.112,212.216.172.62
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: WinHost Debugger System - Unknown owner - C:\WINDOWS\system32\systs.exe (file missing)

--
End of file - 5243 bytes

[SkunkWorks 68]

Quando avrai il sistema pulito(ammesso di riuscirci,senza format )consiglio di installare di corsa il SP 2 e le successive patches.
Buon Ferragosto a te e anche all'onnipresente Luke 57
Ciao

[Duke]

Sarà la prima cosa che farò dopo avere installato un buon antivirus...
buon ferragosto anche a te

[Duke]

Ciao,
e se provassi a fixare tutte le voci in cui c'è presente il file hp-1003.exe?
Potrebbe essere una buona idea?

[Luke57]

Ciao scarica
SDFIX
http://downloads.andymanchesta.com/Remo ... /SDFix.exe

- Doppio click su SDFix.exe e il tool andrà ad estrarsi in C:\SDFix
- avvia il sistema in modalità provvisoria (premendo il tasto f8 ripetutamente all'accensione del computer e spostandoti con le freccette nella schermata grigia che appare).
- Apri la cartella SDFix situata in C:\ e fai un doppio click su RunThis.bat per lanciare lo script
- seleziona Y per avviare la pulizia
- Quando te lo chiederà premi un tasto per riavviare(il sistema sarà piu lungo nell'avviarsi perchè lo script eseguirà l'eliminazione dei file trovati)
- Quando apparirà il desktop il tool terminerà il suo lavoro e visualizzerà il messaggio "Finished"
- Premi un tasto per terminare lo script e ricaricare le icone del desktop
- Il log sarà visualizzato automaticamente,altrimenti potrai trovarlo in C:\SDFix\Report.txt
Posta il report + nuovo log di hijackthis.

[Duke]

Ciao scarica
SDFIX
http://downloads.andymanchesta.com/Remo ... /SDFix.exe

- Doppio click su SDFix.exe e il tool andrà ad estrarsi in C:\SDFix
- avvia il sistema in modalità provvisoria (premendo il tasto f8 ripetutamente all'accensione del computer e spostandoti con le freccette nella schermata grigia che appare).
- Apri la cartella SDFix situata in C:\ e fai un doppio click su RunThis.bat per lanciare lo script
- seleziona Y per avviare la pulizia
- Quando te lo chiederà premi un tasto per riavviare(il sistema sarà piu lungo nell'avviarsi perchè lo script eseguirà l'eliminazione dei file trovati)
- Quando apparirà il desktop il tool terminerà il suo lavoro e visualizzerà il messaggio "Finished"
- Premi un tasto per terminare lo script e ricaricare le icone del desktop
- Il log sarà visualizzato automaticamente,altrimenti potrai trovarlo in C:\SDFix\Report.txt
Posta il report + nuovo log di hijackthis.

Fatto!
questi sono i reports:

SDFix: Version 1.99

Run by MASTER on 19/08/2007 at 12.16

Microsoft Windows XP [Versione 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
NetThrottle
WinHost Debugger System

ImagePath:
"C:\WINDOWS\system32\netthrot.exe"
"C:\WINDOWS\system32\systs.exe"

NetThrottle - Deleted
WinHost Debugger System - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\hp-1003.exe - Deleted
C:\WINDOWS\system32\netthrot.exe - Deleted
C:\WINDOWS\system32\NSecurity.exe - Deleted
C:\WINDOWS\system32\svch.exe - Deleted


---------------------------------------------------------------------------





Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12.24.00, on 19/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Mixer.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Hamlet\Adsl\dslstat.exe
C:\Program Files\Hamlet\Adsl\dslagent.exe
C:\WINDOWS\System32\ogyeluegc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\MASTER\Desktop\Cristian\HiJackThis_v2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Hamlet\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Hamlet\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Microsoft OCX] C:\WINDOWS\System32\ogyeluegc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [File Mapping Services] hp-1003.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [File Mapping Services] hp-1003.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [File Mapping Services] hp-1003.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0EED6D2-BFF2-48FB-998E-318D24880F17}: NameServer = 212.216.112.112,212.216.172.62
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 4470 bytes

[Luke57]

Ciao, sembra sempre infetto, effettivamente non è facile sbarazzardi del problema.
Vai in questa pagina:
http://www.kuma215.it/Guide%20K&J/K/Sys ... guida.html
segui le istruzioni per l'uso di sysclean per fare una scansione completa del computer.(limitati a quello, trascurando al momento l'utilizzo degli altri programmi suggeriti).
Poi apri hijackthis, premi "open the misc tool section", "open process manager", se trovi il seguente processo:
C:\WINDOWS\System32\ogyeluegc.exe
lo selezioni e premi kill process.
Torna al menu principale con back, premi scan, cerchi e spunti le voci seguenti:
O4 - HKLM\..\Run: [Microsoft OCX] C:\WINDOWS\System32\ogyeluegc.exe
O4 - HKUS\S-1-5-18\..\Run: [File Mapping Services] hp-1003.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [File Mapping Services] hp-1003.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [File Mapping Services] hp-1003.exe (User 'Default user')
premi fix checked.

Poi vai qui:
http://www.virustotal.com/it/
caricaci questo file:
C:\WINDOWS\System32\ogyeluegc.exe
fallo analizzare dagli antivirus (saranno diversi).
Riporta in un successivo post il report dell'analisi che sarà rilasciato + nuovo log di hijackthis.
Riporta

[Duke]

Ciao,
prima di fare quello che mi hai scritto vorrei chiederti un consiglio,
ho un amico che ha il mio stesso problema con l'unica differenza che ha un antivirus che gli ha individuato questo virus: w32.IRCbot.
(ps: sembra che anche il suo Norton non lo riesca ad eliminare)
Guardando su internet ho visto che c'è un certo "Virusfighter" che dovrebbe rimuoverlo, cosa ne pensi?

Grazie per la collaborazione

[Luke57]

Ciao, non lo conosco, è shareware però, per quel tipo di worm può usare
stinger della Mcfee, qui l'ultima versione:
http://download.nai.com/products/mcafee ... tinger.exe
non ha bisogno di installazione, dopo averlo scaricato basta cliccare sull'eseguibile per avviarlo, rimuove i virus più noti.

[Duke]

Ciao,
una volta avviato Stinger Windows mi dice che non è un'applicazione di Win32 valida.

[Duke]

Ciao,
Ho provato ad usare “Windows-KB890830-V1.32” per la rimozione dei malware w32.ircbot e sembra che qualcosa sia riuscito a fare, anche se non in modo completo!!
Come pensi che sia mia messo il mio file log?
Grazie per la pazienza…

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21.01.39, on 21/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Mixer.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Hamlet\Adsl\dslstat.exe
C:\Program Files\Hamlet\Adsl\dslagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\MASTER\Desktop\Cristian\HiJackThis_v2\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Hamlet\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Hamlet\Adsl\dslagent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [File Mapping Services] hp-1003.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [File Mapping Services] hp-1003.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [File Mapping Services] hp-1003.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0EED6D2-BFF2-48FB-998E-318D24880F17}: NameServer = 212.216.112.112,212.216.172.62
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 4333 bytes

[Luke57]

Ciao, con hijackthis, premi "do a system scan only", cerca e spunta le voci seguenti:
O4 - HKUS\S-1-5-18\..\RunServices: [File Mapping Services] hp-1003.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [File Mapping Services] hp-1003.exe (User 'Default user')

premi fix checked.

[Duke]

Ciao Luke57!!
Ho fixato le voci che mi hai detto…
Questo è il file log, c’è qualche voce che ti appare strana?
Grazie per l’aiuto



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21.35.45, on 23/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Mixer.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\carpserv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Hamlet\Adsl\dslstat.exe
C:\Program Files\Hamlet\Adsl\dslagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\MASTER\Desktop\Cristian\HiJackThis_v2\HiJackThis_v2.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Hamlet\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Hamlet\Adsl\dslagent.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0EED6D2-BFF2-48FB-998E-318D24880F17}: NameServer = 212.216.112.112,212.216.172.62
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe

--
End of file - 4071 bytes

[Duke]

Ciao,
adesso ho installato anche un antivirus, ho fatto una scansione completa e mi dice che non ha trovato infezioni, mi potreste dare una mano a vedere se nel mio logfile c'è qualcosa di strano?
Grazie

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15.42.07, on 26/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Mixer.exe
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Hamlet\Adsl\dslstat.exe
C:\Program Files\Hamlet\Adsl\dslagent.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\SoftwareDistribution\Download\2687715cf083bcb30f3fa4a439f2197c\update\update.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\MASTER\Desktop\Cristian\HiJackThis_v2\HiJackThis_v2.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Programmi\Symantec\LiveUpdate\AUPDATE.EXE
C:\Programmi\File comuni\Symantec Shared\SecurityHistory\MCUI32.EXE
C:\Programmi\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Programmi\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Programmi\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Hamlet\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Hamlet\Adsl\dslagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programmi\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0EED6D2-BFF2-48FB-998E-318D24880F17}: NameServer = 212.216.112.112,212.216.172.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A93DEA-DF6D-4873-8229-6BBD2A28914B}: NameServer = 212.216.172.62 212.216.112.112
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe

--
End of file - 6663 bytes

[Luke57]

Ciao, C:\WINDOWS\SoftwareDistribution\Download\2687715cf083bcb30f3fa4a439f2197c\update\update.exe
è molto sospetto, comunque vai qui:
http://www.virustotal.com/it/
carichi il file suddetto che sarà analizzato da diversi antivirus. Comuica poi (incolla) il rapporto che ti sarà rilasciato.

[SkunkWorks 68]

Il log è pulito.E' stato fatto un ottimo lavoro.
Adesso è il momento di installare il SP 2 ed eseguire tutti i successivi aggiornamenti.Speriamo vada tutto bene.
Ciao