log hijackthis

[ualli]

Salve a tutti.. è la prima volta che vi scrivo, finora ho cercato di trovare la soluzione al mio problemino navigando qua e là ma ho deciso di darmi per vinta.
Il problema è questo: il mio antivirus (AVG) mi da un messaggio di rilevamento di un trojan horse ogni volta che apro una finestra qualsiasi. Il nome del trojan horse è BHO.BNU e il suo percorso è C:\WINDOWS\system32\fontex.dll.
Facendo il log di hijackthis penso di aver individuato il processo da eliminare ma ogni volta che lo elimino mi ritorna. Rifacendo il log di hijackthis compare sempre. Vi copio qui il log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21.12.05, on 12/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\services.exe
F:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\Programmi\Spyware Doctor\svcntaux.exe
F:\Programmi\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\casa\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C13E3790-083E-47FF-9028-6794071B8A15} - C:\WINDOWS\system32\fontex.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKLM\..\Run: [SDTray] "F:\Programmi\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FEC503E-8F61-4C08-8DA9-F78EDD03204A}: NameServer = 193.70.152.15 193.70.152.25
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - F:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Programmi\Spyware Doctor\swdsvc.exe

--
End of file - 4057 bytes


Il processo che ho tentato invano di eliminare è quello nominato
O2 - BHO: (no name) - {C13E3790-083E-47FF-9028-6794071B8A15} - C:\WINDOWS\system32\fontex.dll

che ne pensate??? javascript:emoticon(':undecided:')
Indeciso
Vale

[edo_aol]

fixa quella voce detta da te in mod.provvisoria http://www.kuma215.it/WI/Mod_Provv.html
poi fai una scansione con vundofix http://www.atribune.org/ccount/click.php?id=4
clicca su scan for vundo e poi su remove vundo.
posta il relativo log lo trovi in c:/

[ualli]

Ho fatto tutto quello che mi hai detto, il log di vundo è:


VundoFix V6.5.9

Checking Java version...

Sun Java not detected
Scan started at 14.35.08 13/10/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...



però il problema non è risolto.. continua ad apparirmi il messaggio di virus ogni volta che apro una cartella. Ho anche riprovato con Hijackthis e la voce è ricomparsa!
aiuto......

[Luke57]

Ciao, scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
Decomprimi l'archivio
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:

Files to delete:
C:\WINDOWS\system32\fontex.dll


registry keys to delete;
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C13E3790-083E-47FF-9028-6794071B8A15}


Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo, se così non fosse riavvialo manualmente.
Posta anche il log generato da avenger, lo trovi in C:\ è un file di testo

[ualli]

ciao luke. fatto quanto hai detto.. il log è questo:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hbyfgcps

*******************

Script file located at: \??\C:\biaanlrn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\system32\fontex.dll for deletion
Deletion of file C:\WINDOWS\system32\fontex.dll failed!

Could not process line:
C:\WINDOWS\system32\fontex.dll
Status: 0xc0000022



File registry keys to delete; not found!
Deletion of file registry keys to delete; failed!

Could not process line:
registry keys to delete;
Status: 0xc0000034



Could not open file HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C13E3790-083E-47FF-9028-6794071B8A15} for deletion
Deletion of file HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C13E3790-083E-47FF-9028-6794071B8A15} failed!

Could not process line:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C13E3790-083E-47FF-9028-6794071B8A15}
Status: 0xc000003a


Completed script processing.

*******************

Finished! Terminate.



brutto segno vero???

[Luke57]

Ciao, le voci non c'erano più, semmai posta nuovo log di hijackthis.

[ualli]

ecco nuovo log hijackthis.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15.24.07, on 14/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
F:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
F:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\winlogon.exe
F:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Programmi\Spyware Doctor\svcntaux.exe
F:\Programmi\Spyware Doctor\swdsvc.exe
F:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\TEMP\zzlmaa.exe
F:\Programmi\Spyware Doctor\SDTrayApp.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\ADSL\StarModem ADSL USB MODEM\dslmon.exe
C:\WINDOWS\system32\svchost.exe
F:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
F:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\casa\Desktop\sicurezza\HiJackThis_v2.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {C13E3790-083E-47FF-9028-6794071B8A15} - C:\WINDOWS\system32\fontex.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [zzlmaa.exe] C:\WINDOWS\TEMP\zzlmaa.exe
O4 - HKLM\..\Run: [SDTray] "F:\Programmi\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [9xadiras] 9xadiras.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FEC503E-8F61-4C08-8DA9-F78EDD03204A}: NameServer = 193.70.152.15 193.70.152.25
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - F:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - F:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Programmi\Spyware Doctor\swdsvc.exe

--
End of file - 4587 bytes

[Luke57]

Ciao, riutilizza avenger con questo script:

folders to delete:
C:\WINDOWS\TEMP


Files to delete:
C:\WINDOWS\system32\fontex.dll


registry keys to delete;
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C13E3790-083E-47FF-9028-6794071B8A15}

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | zzlmaa.exe


Poi, posta il report.

[ualli]

fatto ma mi da due messaggi di errore:

Fatal error: could not create new script file.

e

Error code: 0
Error logged to errorlog.txt. Aborting now!

...........comincio a pensare alla formattazione????

[Luke57]

Ciao, ripeti lo script.

[ualli]

questo è il log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gijsarnh

*******************

Script file located at: \??\C:\Documents and Settings\tjdhdfbk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\WINDOWS\TEMP deleted successfully.


Could not open file C:\WINDOWS\system32\fontex.dll for deletion
Deletion of file C:\WINDOWS\system32\fontex.dll failed!

Could not process line:
C:\WINDOWS\system32\fontex.dll
Status: 0xc0000022



File registry keys to delete; not found!
Deletion of file registry keys to delete; failed!

Could not process line:
registry keys to delete;
Status: 0xc0000034



Could not open file HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C13E3790-083E-47FF-9028-6794071B8A15} for deletion
Deletion of file HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C13E3790-083E-47FF-9028-6794071B8A15} failed!

Could not process line:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C13E3790-083E-47FF-9028-6794071B8A15}
Status: 0xc000003a

Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|zzlmaa.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[Luke57]

Ciao, scarica COMBOFIX sul desktop (è spesso risolutivo per infezioni di questo tipo)
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- Una volta scaricato,avvialo con un doppio click.
- Si aprirà una finestra blu , attendi
- Dopo qualche attimo apparirà un avviso che declina l'autore da ogni responsabilità.
- A questo punto seleziona 1 e premi ENTER per lanciare lo scan.
- Attendere.....
Il tool ti avviserà una volta lo scan finito e in qualche attimo visualizzerà il rapporto con i dettagli. (C:\ComboFix.txt)
Allega il log (C:\ComboFix.txt) e anche il file C:\ComboFix-quarantined-files.txt

[ualli]

questo è il log. Il file quarantine non l'ho trovato.

ComboFix 07-10-12.4 - casa 2007-10-14 16.10.49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.413 [GMT 2:00]
Running from: C:\Documents and Settings\casa\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\casa\ravmonlog

.
((((((((((((((((((((((((( Files Created from 2007-09-14 to 2007-10-14 )))))))))))))))))))))))))))))))
.

2007-10-14 16:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-14 13:05 17,664 C:\WINDOWS\system32\drivers\psnqutnu.dat
2007-10-14 13:05 5,120 C:\WINDOWS\system32\drivers\lvjdqqxu.dat
2007-10-14 11:44 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-10-14 11:44 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-14 11:44 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-14 11:44 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-14 11:44 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-14 11:44 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-14 11:44 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-14 11:44 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-13 13:55 <DIR> d-------- C:\VundoFix Backups
2007-10-11 20:46 <DIR> d-------- C:\WINDOWS\pss
2007-10-09 17:46 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-09 17:46 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-09 16:41 <DIR> d-------- C:\Documents and Settings\casa\Dati applicazioni\PC Tools
2007-10-09 16:41 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2007-10-09 16:41 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-09 16:41 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-09 16:41 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-09 16:41 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-09 16:41 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-07 17:28 155,648 --a------ C:\WINDOWS\system32\AdADIx32.dll
2007-10-07 17:28 147,456 --a------ C:\WINDOWS\autoclk.exe
2007-10-07 17:28 135,168 --a------ C:\WINDOWS\system32\unaddrv.exe
2007-10-07 17:28 127,456 --a------ C:\WINDOWS\system32\IPDETECT.EXE
2007-10-07 17:28 127,113 -ra------ C:\WINDOWS\system32\drivers\adiusbaw.sys
2007-10-07 17:28 46,892 --a------ C:\WINDOWS\system32\ADADIX16.DLL
2007-10-07 17:28 46,455 --a------ C:\WINDOWS\system32\drivers\adildr.sys
2007-10-07 17:28 22,395 --a------ C:\WINDOWS\system32\drivers\fpga.bin
2007-10-07 17:28 4,981 --a------ C:\WINDOWS\system32\AdADIx2K.dll
2007-10-06 21:41 <DIR> d--h----- C:\Programmi\InstallShield Installation Information
2007-10-06 21:27 <DIR> d-------- C:\Programmi\File comuni\InstallShield
2007-10-01 08:43 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-10-01 08:43 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-09-29 19:16 <DIR> d-------- C:\Documents and Settings\casa\Dati applicazioni\vlc
2007-09-26 19:05 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-25 19:15 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-09-25 19:15 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-09-25 19:15 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-09-25 19:15 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-09-24 22:22 <DIR> d-------- C:\Documents and Settings\casa\Dati applicazioni\Grisoft
2007-09-24 22:22 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-23 21:29 <DIR> d-------- C:\Programmi\EPSON
2007-09-23 12:32 <DIR> d-------- C:\Documents and Settings\LocalService\Dati applicazioni\AVG7
2007-09-23 12:32 <DIR> d-------- C:\Documents and Settings\LocalService\Dati applicazioni\AVG7
2007-09-23 12:32 <DIR> d-------- C:\Documents and Settings\LocalService\Dati applicazioni\AVG7
2007-09-23 12:32 <DIR> d-------- C:\Documents and Settings\casa\Dati applicazioni\AVG7
2007-09-23 12:32 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-23 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Grisoft
2007-09-23 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\avg7
2007-09-23 12:29 <DIR> d---s---- C:\Documents and Settings\casa\UserData
2007-09-23 12:20 108,163 --a------ C:\WINDOWS\system32\fontex.dll
2007-09-23 12:01 <DIR> d-------- C:\Documents and Settings\casa\WINDOWS
2007-09-22 21:27 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-22 21:27 <DIR> d-------- C:\Documents and Settings\casa\Contacts
2007-09-22 21:26 <DIR> d-------- C:\Programmi\MSN Messenger
2007-09-22 21:18 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-22 21:18 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-22 21:17 <DIR> d-------- C:\Programmi\File comuni\Ahead
2007-09-22 21:17 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2007-09-22 21:17 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2007-09-22 21:17 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2007-09-22 21:17 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2007-09-22 21:17 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-09-22 21:17 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-09-22 19:30 <DIR> d-------- C:\Programmi\Microsoft.NET
2007-09-22 19:30 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-09-22 19:29 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-09-22 19:25 <DIR> dr-h----- C:\MSOCache
2007-09-22 18:50 <DIR> d-------- C:\Programmi\ADSL
2007-09-22 17:43 <DIR> d-------- C:\Programmi\File comuni\Adobe Systems Shared
2007-09-22 17:43 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Adobe Systems
2007-09-22 17:42 <DIR> d-------- C:\Programmi\File comuni\Adobe
2007-09-22 17:38 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-09-22 17:32 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-09-22 17:28 8,576 -ra------ C:\WINDOWS\system32\drivers\srvkp.sys
2007-09-22 17:27 <DIR> d-------- C:\Programmi\SiS7012
2007-09-22 15:06 <DIR> d--h----- C:\Documents and Settings\casa\Risorse di stampa
2007-09-22 15:06 <DIR> d--h----- C:\Documents and Settings\casa\Risorse di rete
2007-09-22 15:06 <DIR> dr------- C:\Documents and Settings\casa\Preferiti
2007-09-22 15:06 <DIR> d--h----- C:\Documents and Settings\casa\Modelli
2007-09-22 15:06 <DIR> dr------- C:\Documents and Settings\casa\Menu Avvio
2007-09-22 15:06 <DIR> d--h----- C:\Documents and Settings\casa\Impostazioni locali
2007-09-22 15:06 <DIR> dr------- C:\Documents and Settings\casa\Documenti
2007-09-22 15:06 <DIR> dr-h----- C:\Documents and Settings\casa\Dati applicazioni
2007-09-22 15:05 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2007-09-22 15:05 <DIR> d--h----- C:\Documents and Settings\LocalService\Impostazioni locali
2007-09-22 15:05 <DIR> d-------- C:\Documents and Settings\LocalService\Dati applicazioni
2007-09-22 15:04 <DIR> d--h----- C:\Documents and Settings\NetworkService\Impostazioni locali
2007-09-22 15:04 <DIR> d-------- C:\Documents and Settings\NetworkService\Dati applicazioni
2007-09-22 15:03 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Risorse di stampa
2007-09-22 15:03 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Risorse di rete
2007-09-22 15:03 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Preferiti
2007-09-22 15:03 <DIR> d--h----- C:\WINDOWS\system32\config\systemprofile\Modelli
2007-09-22 15:03 <DIR> dr------- C:\WINDOWS\system32\config\systemprofile\Menu Avvio
2007-09-22 15:03 <DIR> dr-h----- C:\WINDOWS\system32\config\systemprofile\Impostazioni locali
2007-09-22 15:03 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Documenti
2007-09-22 15:03 <DIR> dr-h----- C:\WINDOWS\system32\config\systemprofile\Dati applicazioni
2007-09-22 15:00 <DIR> d-------- C:\Programmi\microsoft frontpage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-07 15:29 26 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2007-09-22 14:46 --------- d-----w C:\Programmi\File comuni\SpeechEngines
2007-09-22 14:46 --------- d-----w C:\Programmi\File comuni\ODBC
2007-09-22 12:57 --------- d-----w C:\Programmi\Servizi in linea
2007-09-22 12:56 --------- d-----w C:\Programmi\File comuni\MSSoap
2007-07-30 17:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C13E3790-083E-47FF-9028-6794071B8A15}]
2004-08-19 15:39 108163 --a------ C:\WINDOWS\system32\fontex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="F:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"SDTray"="F:\Programmi\Spyware Doctor\SDTrayApp.exe" [2007-10-02 16:27]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Cmaudio"="cmicnfg.cpl" []
"avast!"="F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 12:06]
"Adobe Reader Speed Launcher"="F:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"9xadiras"="9xadiras.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-08-19 15:51]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
DSLMON.lnk - C:\Programmi\ADSL\StarModem ADSL USB MODEM\dslmon.exe [2007-10-07 17:28:45]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R0 rzqnoctf;rzqnoctf;C:\WINDOWS\system32\drivers\psnqutnu.dat
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e0abe30-6921-11dc-ab7e-0013642ea583}]
Auto\command - G:\RavMonE.exe e
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9490fca0-6fe9-11dc-abab-4d6564696130}]
Auto\command - Ghost.pif
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Ghost.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a5988911-7059-11dc-abb1-4d6564696130}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command - Recycled\ctfmon.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-23 10:18:51 C:\WINDOWS\Tasks\yolsgk.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-14 16:29:08
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-14 16.32.07
.
--- E O F ---

[ualli]

falso.. ho trovato pure il file quarantine:


[code]
2007-09-23 11:43 5 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\casa\RavMonLog.vir


Elenco del percorso delle cartelle
Numero di serie del volume: CC46-6D02
C:\QOOBOX\QUARANTINE
+---C
| \---Documents and Settings
| \---casa
| RavMonLog.vir
|
\---Registry_backups
[/code]

[edo_aol]

come va?

[ualli]

continua a uscirmi il messaggio di erore........ e il file sospetto è ancora al suo posto, non si elimina neanche con le cannonate...

[Luke57]

Ciao, utilizza avenger con questo script:


files to delete:
C:\WINDOWS\system32\drivers\psnqutnu.dat
C:\WINDOWS\system32\drivers\lvjdqqxu.dat
C:\WINDOWS\autoclk.exe
C:\WINDOWS\system32\fontex.dll

[Luke57]

Ciao, prima fai analizzare il file fontex.dll qui:
http://www.virustotal.com/it/
posta il responso dei vari antivirus che lo avranno scansionato.

[Setolo]

Raga, m date un parere x favore?

Logfile of HijackThis v1.99.1
Scan saved at 0.22.30, on 16/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\mobile PhoneTools\WatchDog.exe
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Skype\Plugin Manager\skypePM.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\eMule\emule.exe
C:\Documents and Settings\Aurelio.AURELIO-1IAX40K\Desktop\Pulizia e manutenzione pc\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {34E1A260-45D6-6B2D-F649-6FE33EE7FA9D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64E2F131-4781-3825-AB49-6FE33EE7F8CF} - (no file)
O2 - BHO: (no name) - {68E6A63A-418C-3B21-AB49-6FE33EE6AA9E} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar5.dll
O2 - BHO: (no name) - {B2084317-A1A9-8A0F-8A0E-8BADDAE12495} - (no file)
O2 - BHO: (no name) - {B258111C-A4F8-8E0C-D10E-8BADDAB97290} - (no file)
O2 - BHO: (no name) - {B70A424F-A0FD-D158-DD0E-8BADDAE22194} - (no file)
O2 - BHO: (no name) - {B70E164C-F5A1-DE59-880E-8BADDAE17490} - (no file)
O2 - BHO: (no name) - {E70E4348-F3A0-8D0D-D90E-8BADDAE223C7} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programmi\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [WatchDog] C:\Programmi\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SweetIM] C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [AWMON] "C:\Programmi\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Bsou] "C:\WINDOWS\system32\APPATC~1\wowexec.exe" -vt ndrv
O4 - HKCU\..\Run: [Zxt] "C:\Programmi\Common Files\s?stem\j?vaw.exe"
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://s3th0l0.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.filelodge.com/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61} (DownloaderActiveX Control) - http://c6.community.virgilio.it/downloa ... ctiveX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5652BEC5-CA16-4099-8227-385007D8BDBE}: NameServer = 193.12.150.2 212.247.152.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8FCE1DC-991D-4A44-915E-6151E643F058}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{5652BEC5-CA16-4099-8227-385007D8BDBE}: NameServer = 193.12.150.2 212.247.152.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FILECO~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programmi\File comuni\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[ualli]

niente da fare..
la scansione con virustotal del file fontex.dll mi da questo risultato:
0 bytes size received / Se ha recibido un archivo vacio

e il log di avanger è questo:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\sqaiddyc

*******************

Script file located at: \??\C:\xhsgxfca.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\system32\drivers\psnqutnu.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\psnqutnu.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\psnqutnu.dat
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\drivers\lvjdqqxu.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\lvjdqqxu.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\lvjdqqxu.dat
Status: 0xc0000022



File C:\WINDOWS\autoclk.exe not found!
Deletion of file C:\WINDOWS\autoclk.exe failed!

Could not process line:
C:\WINDOWS\autoclk.exe
Status: 0xc0000034



Could not open file C:\WINDOWS\system32\fontex.dll for deletion
Deletion of file C:\WINDOWS\system32\fontex.dll failed!

Could not process line:
C:\WINDOWS\system32\fontex.dll
Status: 0xc0000022


Completed script processing.

*******************

Finished! Terminate.