aiuto w32.exe

[phoenix530]

salve a tutti

due giorni fa accendo il pc e su esecuzione automatica mi ritrovo questo maledetto file appartenente ad un trojan di cui nn ricordo bene il nome...
dopo averlo rimosso da esecuzione automatica, ho effettuato una scanzione con avg ke ha rimosso un'altro file e successivamente fixato alcune voci con hijackthis secondo le info ottenute tramite l'analisi dei log sul sito....

oggi a distanza di due giorni mi viene segnalato su C:\programmi\file comuni\system\ un file kiamato lbn.exe se nn erro ke nn posso eliminare e ke oggi dopo essere entrato in modalita' provvisoria è scomparso nel nulla senza ke lo avessi eliminato....per finire quando avvio housecall, sia da explorer ke da firefox mi si kiude nel bel mezzo della scanzione la finestra del browser....

ho effettuato la scanzione anke dal sito di bitdefender e da quello di symatec, ma solo il secondo mi ha segnalato dei file di un trojan diverso ke ho provveduto a rimuovere (3 file temp e 1 dll su system32).ho installato anke antivir ma nulla....nn trovo niente...

ecco i miei log di hijack:

Logfile of HijackThis v1.99.1
Scan saved at 21.58.36, on 09/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programmi\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\TRUST\Software Bluetooth\BTTray.exe
C:\Programmi\GetRight\getright.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Orazio\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emuita.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: 89.186.66.247 L2authd.lineage2.com
O1 - Hosts: 89.186.66.247 L2testauthd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programmi\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Programmi\GetRight\getright.exe
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4648FA2-E850-432C-854D-BEAC415AA68C}: NameServer = 193.70.192.25 193.70.152.25
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programmi\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programmi\TuneUp Utilities 2006\WinStylerThemeSvc.exe

grazie in anticipo

[Luke57]

Ciao, scarica questo tool:
Tool:
http://www.prevx.com/gromozon.asp
disattiva l'antivirus, chiudi applicazioni e programmi, esegui il tool. Al riavvio del computer, il programma terminerà la scansione. Inserisci in un post il report dello scan (mi pare che si troverà in C:\Gromozon_removal;

POi scarica Gmer :
http://www.gmer.net/gmer110.zip
Dopo averlo scompattato, lo avvii, selezioni "Rootkit"
Clicca su "Scan"
Attendi la fine della scansione e clicca su "Copy"
Apri il block notes di windows, clicca su modifica e seleziona incolla

Poi fai una scansione con GMer dalla posizione Autostart, con le stesse procedure del precedente. Incolli il log generato nel suddetto block notes e poi incolli i due log in un post nel forum.

[phoenix530]

dai seguenti log deduco di essere pulito:

Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.



con il secondo software ottengo questo:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-10 13:39:20
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7D8185A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F7D8185A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F7D8185A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F7D8185A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F7D8185A] avgtdi.sys

---- Registry - GMER 1.0.10 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG08.00.00.01WORKSTATION 9087B3E4AE09B313E05EF7E184B0866884630FD7DF0D446F07FAA43C89B1FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667A9C6AECB7A5D1407FEBC9E127BECC74CA6A0AC4980AC79336507EBFC71A9D36E6FED410C2014BF9C34B9829853F6E9238A8AD030A268A5D7764C048B2E20E293FE359F23E14BC9D2D156A25B01E4AB6433439CB5011D4526CCC19218B5D64DD6360BBE274FAD5870E2A112A82899859853AE117B5E108021147B7C1D40C2D2931F6FC6C20CE8824F7220DCFBFA9B83BC8DFA43ED1ABFF90633737815FB7D48687AC1329F344EF0933D3EE350A016C3943E3C95F909D0E4D9BC83107F0AC3183BBCC752EFD354E1A031495BAAB3597A2572EAC293F10A8A62FCECA1617EF53FB48A2CC968ED14A91FF4F2CC8D44556EB8EA605AB192D745AB72D462BFE399CEBEC1FA1142F8CB2D7D60D29583D4A2F9DE1D5C3D4D994A08044F44D6A935586B0C712673385DDDE66D0163651BDBFB0F67B2049FE62C1554FE7AA55B2BE4FC500E5D83910D7A4FE4621603C165C5412E690ADC8C7F601044F40E4A9D5BD8F9C87F7C4B5D0423CAC99614F202F77073EFC0B3D3621FC53704FED8E7A04F6764B65BF99B20659B1ECB86A3DA54ECAE3B7F88F43652CE58AA52FC5D153AA35F731061B5F575809EBB34F3224

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\catalog.wci
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File D:\System Volume Information\MountPointManagerRemoteDatabase
File D:\System Volume Information\tracking.log
File E:\System Volume Information\MountPointManagerRemoteDatabase
File E:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----

ecco il risultato di autostart:

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-09-10 13:40:21
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName = Ati2evxx.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
CiSvc /*Servizio di indicizzazione*/@ = %SystemRoot%\system32\cisvc.exe
Creative Service for CDROM Access /*Creative Service for CDROM Access*/@ = C:\WINDOWS\system32\CTsvcCDA.EXE
Diskeeper /*Diskeeper*/@ = "C:\Programmi\Diskeeper Corporation\Diskeeper\DkService.exe"
GEARSecurity@ = %SystemRoot%\System32\GEARSec.exe
Norton Ghost /*Norton Ghost*/@ = C:\Programmi\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
SecVfk /*SecVfk*/@ = "C:\Programmi\File comuni\System\ibn.exe" /*file not found*/
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CnxDslTaskBar"C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe" = "C:\Programmi\Conexant\AccessRunner ADSL\CnxDslTb.exe"
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
@AVG7_EMCC:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
@ATICCC"C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay = "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@DiskeeperSystray"C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe" = "C:\Programmi\Diskeeper Corporation\Diskeeper\DkIcon.exe"
@UnlockerAssistant"C:\Programmi\Unlocker\UnlockerAssistant.exe" /*file not found*/ = "C:\Programmi\Unlocker\UnlockerAssistant.exe" /*file not found*/
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_06\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} /*TuneUp Shredder Shell Context Menu Extension*/"C:\Programmi\TuneUp Utilities 2006\sdshelex.dll" = "C:\Programmi\TuneUp Utilities 2006\sdshelex.dll"
@(null) =
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/C:\WINDOWS\system32\btneighborhood.dll = C:\WINDOWS\system32\btneighborhood.dll
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/(null) =
@{C6643EC0-49AC-4c15-A455-04104DB900A9} /*Image Converter context menu extension*/(null) =
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{5E2121EE-0300-11D4-8D3B-444553540000} /*Catalyst Context Menu extension*/C:\Programmi\ATI Technologies\ATI.ACE\atiacmxx.dll = C:\Programmi\ATI Technologies\ATI.ACE\atiacmxx.dll
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/(null) =

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
TuneUp Shredder@{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programmi\TuneUp Utilities 2006\sdshelex.dll"
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
TuneUp Shredder@{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programmi\TuneUp Utilities 2006\sdshelex.dll"
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{31FF080D-12A3-439A-A2EF-4BA95A3148E8}C:\Programmi\GetRight\xx2gr.dll = C:\Programmi\GetRight\xx2gr.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar1.dll = c:\programmi\google\googletoolbar1.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.emuita.it/ = http://www.emuita.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2D4CCD4E-0A4B-4D6F-AD44-40E63FF09D82} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.0.1 = 192.168.0.1
@NameServer =
@DefaultGateway =
@Domain =

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
BTTray.lnk = BTTray.lnk
GetRight - Tray Icon.lnk = GetRight - Tray Icon.lnk

---- EOF - GMER 1.0.10 ----

[Luke57]

Ciao, pare di sì.
Con questo comando:
start>esegui>sc delete SecVfk (lo copi nello spazio)>OK
elimina il servizio, ormai disattivato.
Controlla con:

start>esegui>control userpasswords2>OK
se nella finestra Account, trovi un'utenza con nome casuale, accanto alle solite Administrators, Utente, Aspnet, se c'è la evidenzi e la rimuovi.
Inoltre, apri hiajckthis, premi "open the misc tools section", "open unistall manager", verifica che non siano installati Linkoptimizer e Connection services, se ci sono li evidenzi e premi "Delete this entry".

[phoenix530]

allora forse ho fatto un mezzo casino....

ho lanciato il delete da esegui ma mi viene detto ke nn esiste un file con quel nome da deletare

successivamente ho aperto il pannello della gestione account con il comando ke mi hai segnalato, e mi ritrovavo guest, administrator e Orazio ke è il mio account con accessi da administrators...

nn so manco io per quale motivo ora ke ci penso, ma ho cancellato Orazio e adesso mi logga da administrator...grazie a dio avevo i backup dei preferiti, desktop e documenti e li ho ripristinati....ci fa nulla se continuo ad usare administrator invece del mio profilo?? mi conviene ricrearlo o continuo tranquillamente con questo?

riguardo ad hijackthis ho cercato le voci da te segnate, ma nn ci stanno

[Luke57]

Ciao, penso che l'utenza vada bene lo stesso.
OK per le altre cose, dovresti essere pulito dal malware.

[phoenix530]

io per sicurezza, ho ricreato un nuovo utente e gli ho messo dentro tutte le cartelle ke avevo nel vekkio anke se molte nn le sovrascriveva xke in uso dal sistema...

spero di nn avere problemi anke xke adesso molte cose sono sballate e sto piano piano mettendole a posto

cmq grazie mille dell'aiuto

alla prox