Virus noioso

[zena]

ciao a tutti... è da circa due settimane che dopo che accendo il pc e mi carica windows xp, sul desktop mi esce un dial up e prova a connettermi. Lo chiudo e mi connetto normalmente con Alice e ogni tanto mi esce un messaggio di windows che mi chiede di bloccare o sbloccare un un file .exe di nome XXexmdnkXX dove le XX indicano dei numeri che ogni volta cambiano... io gli dico di continuare a bloccarlo, sono anche andato a cercarlo, lo cancello ma ogni volta si ricrea. penso che il problema del Dial up iniziale e questo siano collegati anche perchè prima di ciò non ho mai avuto nessun problema. Potete aiutarmi?
Vi posto il log di hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 10.36.05, on 05/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Programmi\D-Tools\daemon.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\Creative\Shared Files\CamTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\Fedo\IMPOST~1\Temp\Rar$EX31.016\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Creative WebCam Tray] C:\Programmi\Creative\Shared Files\CamTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\programmi\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{716F82CC-0AC0-42FF-B946-16F4D35AC5F3}: NameServer = 85.37.17.13 85.38.28.81
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe

Spero in un vostro aiuto.
Grazie mille.

[Luke57]

Ciao, scarica SDFix sul desktop
http://downloads.andymanchesta.com/Remo ... /SDFix.exe
Doppio click sul file SDFix.exe e si estrarranno i files in C:\SDFix
Avvia in modalità provvisoria, premendo ripetutamente il tasto f8 all'accensione del computer prima che si carichi windows. Nella schermata grigia che appare, scegli modalità provisoria spostandoti con le freccette e confermando con invio).
Una volta in modalità provvisoria, apri il disco C:\ e troverai la cartella SDFix, apri questa cartella e doppio click sul file RunThis.bat
Ti si apre il prompt Dos
Digita Y e dai l'invio
Attendi la fine della "scansione"
Premi un pulsante qualsiasi quando ti viene chiesto di riavviare
Al riavvio, continuerà la scansione, quando visualizzerai il messaggio "Finished" premi un pulsante qualsiasi e si caricherà il desktop e le relative icone.
Finito il caricamento si aprirà il block notes, chiudilo.

Allega poi il report
C:\SDFix\Report.txt

[zena]

ecco, ho fatto tutto... questo è il report:

SDFix: Version 1.188
Run by Fedo on 05/06/2008 at 12.06

Microsoft Windows XP [Versione 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00001.dll - Deleted
C:\Programmi\File comuni\Microsoft Shared\Web Folders\ibm00002.dll - Deleted
C:\Documents and Settings\Fedo\Dati applicazioni\addon.dat - Deleted
C:\WINDOWS\system\smvss.exe - Deleted
C:\WINDOWS\system32\Command.HTM - Deleted
C:\WINDOWS\system32\web.dat - Deleted
C:\WINDOWS\Temp\$b17a2e8.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 12:10:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programmi\\Messenger\\msmsgs.exe"="C:\\Programmi\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\TEMP\\NavBrowser.exe"="C:\\WINDOWS\\TEMP\\NavBrowser.exe:*:Enabled:NAVBrowser"
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"="C:\\Programmi\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programmi\\MSN Messenger\\livecall.exe"="C:\\Programmi\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Programmi\\iDC++\\iDCPlusPlus.exe"="C:\\Programmi\\iDC++\\iDCPlusPlus.exe:*:Enabled:iDC++"
"C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE"="C:\\Programmi\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\\Programmi\\Windows Media Player\\WMPLAYER.EXE"="C:\\Programmi\\Windows Media Player\\WMPLAYER.EXE:*:Enabled:Windows Media Player"
"C:\\WINDOWS\\System32\\rtcshare.exe"="C:\\WINDOWS\\System32\\rtcshare.exe:*:Disabled:Condivis. App. RTC"
"C:\\Programmi\\NetMeeting\\conf.exe"="C:\\Programmi\\NetMeeting\\conf.exe:*:Enabled:Windows© NetMeeting©"
"C:\\Programmi\\EA GAMES\\MOHAA\\MOHAA.exe"="C:\\Programmi\\EA GAMES\\MOHAA\\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault(tm)"
"C:\\Programmi\\eMule\\emule.exe"="C:\\Programmi\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\BMW M3 Challenge\\BMW.exe"="C:\\BMW M3 Challenge\\BMW.exe:*:Enabled:BMW M3 Challenge"
"C:\\Programmi\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"="C:\\Programmi\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe:*:Enabled:Pro Evolution Soccer 2008"
"C:\\Programmi\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Programmi\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty 4 - Modern Warfare (TM)"
"C:\\Programmi\\EA Sports\\Tiger Woods PGA TOUR 08\\BIN\\TW2008.exe"="C:\\Programmi\\EA Sports\\Tiger Woods PGA TOUR 08\\BIN\\TW2008.exe:*:Enabled:Tiger Woods PGA TOUR(R) 08"
"C:\\WINDOWS\\System32\\dpnsvr.exe"="C:\\WINDOWS\\System32\\dpnsvr.exe:*:Enabled:Server di Microsoft DirectPlay8"
"C:\\Programmi\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"="C:\\Programmi\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe:*:Enabled:Test Drive Unlimited"
"C:\\Programmi\\Hamachi\\hamachi.exe"="C:\\Programmi\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"C:\\Programmi\\Codemasters\\DiRT\\DiRT.exe"="C:\\Programmi\\Codemasters\\DiRT\\DiRT.exe:*:Enabled:DiRT Executable"
"C:\\Documents and Settings\\Fedo\\Impostazioni locali\\Temp\\63exmdnk54.exe"="C:\\Documents and Settings\\Fedo\\Impostazioni locali\\Temp\\63exmdnk54.exe:*:Disabled:63exmdnk54"
"C:\\Documents and Settings\\Fedo\\Impostazioni locali\\Temp\\23exmdnk54.exe"="C:\\Documents and Settings\\Fedo\\Impostazioni locali\\Temp\\23exmdnk54.exe:*:Disabled:23exmdnk54"
"C:\\Programmi\\Bonjour\\mDNSResponder.exe"="C:\\Programmi\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Programmi\\iTunes\\iTunes.exe"="C:\\Programmi\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\Fedo\\Impostazioni locali\\Temp\\73exmdnk56.exe"="C:\\Documents and Settings\\Fedo\\Impostazioni locali\\Temp\\73exmdnk56.exe:*:Disabled:73exmdnk56"
"C:\\Documents and Settings\\Fedo\\Impostazioni locali\\Temp\\93exmdnk57.exe"="C:\\Documents and Settings\\Fedo\\Impostazioni locali\\Temp\\93exmdnk57.exe:*:Disabled:93exmdnk57"
"C:\\Documents and Settings\\Fedo\\Impostazioni locali\\Temp\\27exmdnk57.exe"="C:\\Documents and Settings\\Fedo\\Impostazioni locali\\Temp\\27exmdnk57.exe:*:Disabled:27exmdnk57"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"="C:\\Programmi\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programmi\\MSN Messenger\\livecall.exe"="C:\\Programmi\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 10 Feb 2007 194 ..SH. --- "C:\AUTOEXEC.BAK"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Fedo\Dati applicazioni\U3\temp\Launchpad Removal.exe"
Sun 2 Mar 2008 444 ...HR --- "C:\Documents and Settings\Fedo\Dati applicazioni\SecuROM\UserData\securom_v7_01.bak"

Finished!

grazie mille per la disponibilità... aspetto istruzioni

[Luke57]

Ciao, hai risolto il problema?

[zena]

Ciao, sì sì perfetto, non mi da più sia il Dial-up iniziale, sia la richiesta di blocco del programma!
Grazie mille veramente per la disponibilità! Gentilissimo!
Ciao