
HijackThis check

How do you remove viruses and spyware? Are credit cards really safe online? Is anonymous browsing possible? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

HijackThis check

Post by mymonix » 18/07/08 13:21

Hi guys,
could someone help me with a check of a HijackThis log???
It's a friend's PC .... all of a sudden avast found some viruses on it. The first thing I did was a HijackThis scan; I ran the online check, but it only reports one suspicious but unknown item.
Thanks a lot for the help:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.08.32, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\CyberLink\Shared Files\RichVideo.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\ASUS\ASUS Remote\RemoteControlAppl.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\PROGRA~1\RCrawler\RCrawler.exe
C:\Programmi\CyberLink\PowerCinema\PCMService.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Lexmark 2500 Series\lxddmon.exe
C:\Programmi\Lexmark 2500 Series\lxddamon.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft Encarta\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE
C:\Programmi\Picasa2\PicasaMediaDetector.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\C'è Posta\CPosta.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\GIULIA\IMPOST~1\Temp\Rar$EX00.391\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [Hotplug] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\ASUS\ASUS Remote\RemoteControlAppl.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
O4 - HKLM\..\Run: [PCMService] "C:\Programmi\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Programmi\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Programmi\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programmi\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXDDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lphcpa8j0etba] C:\WINDOWS\system32\lphcpa8j0etba.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E06IXLRD_10054343] "C:\Programmi\Microsoft Encarta\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE" -m
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: C'è Posta.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - AppInit_DLLs: \\?\C:\WINDOWS\system32\prn.gbe
O20 - Winlogon Notify: SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmi\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8299 bytes
mymonix
Junior Member

Posts: 68
Joined: 27/05/06 14:26

 

Re: HijackThis check

Post by Luke57 » 18/07/08 14:50

Hi, open HijackThis, click "do a system scan only", then look for and tick the following entries:
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
O20 - AppInit_DLLs: \\?\C:\WINDOWS\system32\prn.gbe

then click "Fix checked".

Then download Navilog1 from here:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe

Once downloaded, double-click Navilog.exe to start the installation. When the installation has finished, double-click Navilog1 to run it. On the first screen select the language you prefer and confirm with ENTER. In the warnings window, press a key to continue until you reach the tool's main screen.

Press 1 (search) on your keyboard and start it with ENTER.
Wait........... (the scan can take around ten minutes)
When Navilog tells you the search has finished, press a key to display the report (log) it generated.

Attach the report in a post.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10
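A triage helper as an added example (not code from this thread, from Luke57, or from HijackThis): it parses O2/O4/O20 lines in the format of the log above and flags the same kinds of entries the reply ticks for removal, so they can be checked before anything is fixed. The sample lines are copied from the posted log; the heuristics (generated-looking filename, non-DLL AppInit_DLLs value, legacy RunServices key, orphaned BHO) are my own rules of thumb, not HijackThis logic.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis
component and not code from this thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the HijackThis log posted in this thread; the
# avast! and SUPERAntiSpyware entries are kept as benign controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [lphcpa8j0etba] C:\WINDOWS\system32\lphcpa8j0etba.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O20 - AppInit_DLLs: \\?\C:\WINDOWS\system32\prn.gbe
O20 - Winlogon Notify: SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
LOADABLE_EXT = {".exe", ".dll", ".sys", ".ocx"}


@dataclass
class Finding:
    section: str
    severity: str  # "high" = remove after confirming, "review" = check by hand
    reason: str
    line: str


def executable_path(command: str) -> str:
    """Program path of an O4 command, without surrounding quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def looks_generated(filename: str) -> bool:
    """Heuristic for dropper-style names such as 'lphcpa8j0etba.exe': a long
    stem with digits interleaved between letters. 8.3 short names (with '~')
    and short names like 'nvsvc32' are deliberately not matched."""
    stem = re.sub(r"\.[^.]*$", "", filename.lower())
    if "~" in stem or len(stem) < 10:
        return False
    return bool(re.search(r"[a-z]", stem) and re.search(r"\d[a-z]", stem))


def check_line(raw: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means nothing worth flagging."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that maps user32.dll. It is
        # normally empty on a home PC, and a value that is not a .dll at all
        # (here 'prn.gbe') is a strong sign of a renamed payload.
        path = body.split(":", 1)[1].strip()
        ext = ("." + path.rsplit(".", 1)[-1].lower()) if "." in path else ""
        reason = "AppInit_DLLs is set" + (" to a non-.dll file" if ext not in LOADABLE_EXT else "")
        return Finding(section, "high", reason, raw)

    if section == "O4":
        m4 = O4_RE.match(body)
        if not m4:
            return None  # Startup-folder .lnk entries are not handled here
        _hive, key, name, command = m4.groups()
        exe = executable_path(command).rsplit("\\", 1)[-1]
        if looks_generated(exe):
            return Finding(section, "high", f"run entry [{name}] starts generated-looking file {exe}", raw)
        if key.lower() == "runservices":
            # Win9x-era key; current software almost never registers there.
            return Finding(section, "review", "uses the legacy RunServices key", raw)
        return None

    if section == "O2" and body.endswith("(no file)"):
        return Finding(section, "review", "orphaned BHO registration (no file)", raw)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole log and keep only the findings."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line.strip()}")
```

On the sample it reports four entries: the orphaned BHO and the RunServices key for review, and the lphcpa8j0etba run entry and the prn.gbe AppInit_DLLs value as high. Legitimate software can still trip these heuristics, so each hit is a prompt to verify the file, not a verdict.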

Re: HijackThis check

Post by mymonix » 22/07/08 13:07

Hi Luke,
thanks for the help .... here is the Navilog report:

Search Navipromo version 3.6.1 began on 22/07/2008 at 13.16.34,06

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Programmi\navilog1
Actual User Account : "GIULIA"

Updated on 19.07.2008 at 20h00 by IL-MAFIOSO


Microsoft Windows XP [Versione 5.1.2600]
Version Internet Explorer : 6.0.2900.2180
Filesystem type : NTFS

Search done in normal mode

*** Searching for installed Software ***


*** Search folders in "C:\WINDOWS" ***


*** Search folders in "C:\Programmi" ***


*** Search folders in "C:\Documents and Settings\All Users\menuav~1\progra~1" ***


*** Search folders in "C:\Documents and Settings\All Users\menuav~1" ***


*** Search folders in "c:\docume~1\alluse~1\datiap~1" ***


*** Search folders in "C:\Documents and Settings\GIULIA\datiap~1" ***


*** Search folders in "C:\DOCUME~1\Benny\datiap~1" ***


*** Search folders in "C:\DOCUME~1\Guest\datiap~1" ***


*** Search folders in "C:\DOCUME~1\mVN\datiap~1" ***


*** Search folders in "C:\DOCUME~1\Nino\datiap~1" ***


*** Search folders in "C:\Documents and Settings\GIULIA\impost~1\datiap~1" ***


*** Search folders in "C:\DOCUME~1\Benny\impost~1\datiap~1" ***


*** Search folders in "C:\DOCUME~1\Guest\impost~1\datiap~1" ***


*** Search folders in "C:\DOCUME~1\mVN\impost~1\datiap~1" ***


*** Search folders in "C:\DOCUME~1\Nino\impost~1\datiap~1" ***


*** Search folders in "C:\Documents and Settings\GIULIA\menuav~1\progra~1" ***


*** Search folders in "C:\DOCUME~1\Benny\menuav~1\progra~1" ***


*** Search folders in "C:\DOCUME~1\Guest\menuav~1\progra~1" ***


*** Search folders in "C:\DOCUME~1\mVN\menuav~1\progra~1" ***


*** Search folders in "C:\DOCUME~1\Nino\menuav~1\progra~1" ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

No Navipromo file found


*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in "C:\WINDOWS\system32" *

* Scan in "C:\Documents and Settings\GIULIA\impost~1\datiap~1" *

* Scan in "C:\DOCUME~1\Benny\impost~1\datiap~1" *

* Scan in "C:\DOCUME~1\Guest\impost~1\datiap~1" *

* Scan in "C:\DOCUME~1\mVN\impost~1\datiap~1" *

* Scan in "C:\DOCUME~1\Nino\impost~1\datiap~1" *



*** Search files ***



*** Search specific Registry keys ***


*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :


2)Heuristic Search :

* In "C:\WINDOWS\system32" :


* In "C:\Documents and Settings\GIULIA\impost~1\datiap~1" :


* In "C:\DOCUME~1\Benny\impost~1\datiap~1" :


* In "C:\DOCUME~1\Guest\impost~1\datiap~1" :


* In "C:\DOCUME~1\mVN\impost~1\datiap~1" :


* In "C:\DOCUME~1\Nino\impost~1\datiap~1" :


3)Certificates Search :

Egroup certificate not found !
Electronic-Group certificate not found !
OOO-Favorit certificate not found !
Sunny-Day-Design-Ltd certificate not found !

4)Search known files :



*** Search completed on 22/07/2008 at 13.22.31,84 ***
mymonix
Junior Member

Posts: 68
Joined: 27/05/06 14:26

Re: HijackThis check

Post by Luke57 » 22/07/08 18:19

Hi, nothing shows up in the navilog1 report; post another HijackThis log and, to be safe, run navilog1 again, but this time choose option 2.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Re: HijackThis check

Post by mymonix » 22/07/08 19:39

Hi Luke,
thanks a lot for the reply. The PC belongs to a friend of mine ... I'll see her tomorrow morning and carry on with the procedure you suggested.
Let me explain how the problem started, though: all of a sudden (I think after some risky browsing :mmmh: ) the desktop wallpaper disappeared and was replaced by a blue background with a fixed window (also as background) saying "warning, there is a virus .. install an antivirus .. etc.". I tried to reset the desktop, but the tab with the option to choose it is no longer there.
Besides, she hadn't even enabled System Restore .. so I found no earlier restore point.
I hope to have good news for you tomorrow.
Thanks again
mymonix
mymonix
Junior Member

Posts: 68
Joined: 27/05/06 14:26

Re: HijackThis check

Post by Luke57 » 22/07/08 22:13

Hi, download the free edition of SUPERAntiSpyware from here:
http://www.superantispyware.com/downloa ... PYWAREFREE
install it and update it with "Check for updates". Then run a complete scan of the computer, clicking OK at the end to remove the infections found.
Then, from the SUPERAntiSpyware main page, click Preferences, Repairs, and tick the entries:
# Re-enable the System Tray (the bar next to the clock)
# Remove/Reset the Wallpaper and Desktop
click "Perform repair..."
Restart the computer and let us know how it goes.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10

Re: HijackThis check

Post by mymonix » 23/07/08 09:47

OK Luke, all done.
1) that background window talking about a virus is gone now, but it still doesn't let me choose the wallpaper ... that is, if I right-click - Properties I only get the Appearance, Settings and Themes tabs ...... Desktop and Screen Saver are missing.
2) I ran a scan and cleanup with SUPERAntiSpyware ... 500-odd viruses found.
3) I ran the Navilog scan again .. this time with option 2, and this is the report:
Navipromo Removal version 3.6.1 started on 23/07/2008 at 10.34.02,84

Fix running from C:\Programmi\navilog1
Actual User Account : "GIULIA"

Updated on 19.07.2008 at 20h00 by IL-MAFIOSO


Microsoft Windows XP [Versione 5.1.2600]
Internet Explorer : 6.0.2900.2180
Filesystem type : NTFS

Automatic removal
with Catchme and GNS results


Cleanning stage done on Reboot


*** fsbl1.txt not found ***
(Check that Catchme found nothing in Search Mode)


*** Deleting with Backups GenericNaviSearch results ***

* Deletion in "C:\WINDOWS\System32" *


* Deletion in "C:\Documents and Settings\GIULIA\impost~1\datiap~1" *


* Deletion in "C:\DOCUME~1\Benny\impost~1\datiap~1" *

* Deletion in "C:\DOCUME~1\Guest\impost~1\datiap~1" *

* Deletion in "C:\DOCUME~1\mVN\impost~1\datiap~1" *

* Deletion in "C:\DOCUME~1\Nino\impost~1\datiap~1" *


*** Deleting folders in "C:\WINDOWS" ***


*** Deleting folders in "C:\Programmi" ***


*** Deleting folders in "C:\Documents and Settings\All Users\menuav~1\progra~1" ***


*** Deleting folders in "C:\Documents and Settings\All Users\menuav~1" ***


*** Deleting folders in "c:\docume~1\alluse~1\datiap~1" ***


*** Deleting folders in "C:\Documents and Settings\GIULIA\datiap~1" ***


*** Deleting folders in "C:\DOCUME~1\Benny\datiap~1" ***


*** Deleting folders in "C:\DOCUME~1\Guest\datiap~1" ***


*** Deleting folders in "C:\DOCUME~1\mVN\datiap~1" ***


*** Deleting folders in "C:\DOCUME~1\Nino\datiap~1" ***


*** Deleting folders in "C:\Documents and Settings\GIULIA\impost~1\datiap~1" ***


*** Deleting folders in "C:\DOCUME~1\Benny\impost~1\datiap~1" ***


*** Deleting folders in "C:\DOCUME~1\Guest\impost~1\datiap~1" ***


*** Deleting folders in "C:\DOCUME~1\mVN\impost~1\datiap~1" ***


*** Deleting folders in "C:\DOCUME~1\Nino\impost~1\datiap~1" ***


*** Deleting folders in "C:\Documents and Settings\GIULIA\menuav~1\progra~1" ***


*** Deleting folders in "C:\DOCUME~1\Benny\menuav~1\progra~1" ***


*** Deleting folders in "C:\DOCUME~1\Guest\menuav~1\progra~1" ***


*** Deleting folders in "C:\DOCUME~1\mVN\menuav~1\progra~1" ***


*** Deleting folders in "C:\DOCUME~1\Nino\menuav~1\progra~1" ***



*** Deleting files ***


*** Deleting temporary files ***

Cleaning of C:\WINDOWS\Temp done !
Cleaning of C:\Documents and Settings\GIULIA\impost~1\Temp done !

*** Complementary Search ***
(Search specific files)

1)Deletion with backups new Instant Access files:

2)Heuristic search and deletion with backups :


* In "C:\WINDOWS\system32" *


* In "C:\Documents and Settings\GIULIA\impost~1\datiap~1" *


* In "C:\DOCUME~1\Benny\impost~1\datiap~1" *


* In "C:\DOCUME~1\Guest\impost~1\datiap~1" *


* In "C:\DOCUME~1\mVN\impost~1\datiap~1" *


* In "C:\DOCUME~1\Nino\impost~1\datiap~1" *


*** Copy Registry to Safebackup folder ***

Backing up Registry done !

*** Cleaning Registry ***

Registry cleaned


*** Certificates ***

Egroup Certificate not found !
Electronic-Group Certificate not found !
OOO-Favorit Certificate not found !
Sunny-Day-Design-Ltd Certificate not found !

*** Cleaning stage complete on 23/07/2008 at 10.42.14,34 ***





4) I ran a HijackThis scan and this is the report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10.32.04, on 23/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\CyberLink\Shared Files\RichVideo.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\ASUS\ASUS Remote\RemoteControlAppl.exe
C:\Programmi\CyberLink\PowerCinema\PCMService.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Lexmark 2500 Series\lxddmon.exe
C:\Programmi\Lexmark 2500 Series\lxddamon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft Encarta\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE
C:\Programmi\Picasa2\PicasaMediaDetector.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\C'è Posta\CPosta.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\GIULIA\Desktop\ANTI v\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1040
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Lexmark Barra degli strumenti - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Programmi\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [Hotplug] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\ASUS\ASUS Remote\RemoteControlAppl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programmi\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Programmi\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Programmi\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programmi\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXDDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E06IXLRD_10054343] "C:\Programmi\Microsoft Encarta\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE" -m
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: C'è Posta.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmi\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7935 bytes
mymonix
Junior Member

Posts: 68
Joined: 27/05/06 14:26

Re: HijackThis check

Post by mymonix » 23/07/08 09:59

pc2008 wrote: Hi.. I've got a problem with my PC that has been bugging me for a few weeks now.. basically every now and then some computer settings suddenly get mixed up.. for example in Start/All Programs all the programs are sorted differently, and in Desktop/Properties the wallpapers and screensaver no longer show, only Themes/Appearance/Settings.. In other places too, like My Computer, things are a bit messed up.. Up to now doing a System Restore was enough to fix everything.. but since this morning (after I got a warning that I had picked up a spyware) there are no more restore points before today.. and for today's it tells me the restore failed! Finally, if the PC sits idle, instead of the screensaver a blue screen with some text appears, but if I press F8 the normal screen comes back... What should I do?



yesterday, searching the forum, I found a user with a similar problem.
dylan 666 recommended these two links
http://support.microsoft.com/kb/922370/it
http://billjr.spaces.live.com/blog/cns! ... !675.entry

I don't know which one is my case and therefore whether I should follow one of the procedures ...
thanks and see you soon
mymonix
Junior Member

Posts: 68
Joined: 27/05/06 14:26

Re: HijackThis check

Post by mymonix » 25/07/08 19:35

Luke57 wrote: Hi, download SDFix from here:
http://downloads.andymanchesta.com/Remo ... /SDFix.exe

Double-click SDFix.exe and the tool will extract itself to C:\SDFix

* Now start the system in Safe Mode
- if you don't know how to get there:
http://www.kuma215.it/WI/Mod_Provv.html

Then - Open the SDFix folder located in C:\ and double-click RunThis.bat to launch the script
- select Y to start the cleanup
- When asked, press a key to restart
(the system will take longer to start because the script will delete the files it found)
- When the desktop appears the tool will finish its work and display the message "Finished"
- Press a key to end the script and reload the desktop icons
- The log will be displayed automatically; otherwise you can find it in C:\SDFix\Report.txt
Attach it in the forum.

Then download ComboFix to the desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Disconnect from the internet
disable the antivirus


Run the file ComboFix.exe
Type 1 to start the tool (don't do anything else during the scan)
Follow the instructions and at the end a log will be generated in C:\combofix.txt
Paste the contents of the report in a post.


Hi Luke, I followed the procedure you suggested, here are the reports ... (PS it was chock-full of viruses):

SDFix: Version 1.208
Run by Administrator on 25/07/2008 at 19.57

Microsoft Windows XP [Versione 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Default ScreenSaver value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\PPHCPA~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\PHCPA8~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BLPHCP~1.SCR - Deleted
C:\WINDOWS\system32\10.tmp - Deleted
C:\WINDOWS\system32\11.tmp - Deleted
C:\WINDOWS\system32\12.tmp - Deleted
C:\WINDOWS\system32\13.tmp - Deleted
C:\WINDOWS\system32\14.tmp - Deleted
C:\WINDOWS\system32\15.tmp - Deleted
C:\WINDOWS\system32\17.tmp - Deleted
C:\WINDOWS\system32\1A.tmp - Deleted
C:\WINDOWS\system32\1E.tmp - Deleted
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 20:13:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecHuh]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=""C:\Programmi\File comuni\System\Bil.exe""
"DisplayName"="SecHuh"
"ObjectName"=".\mVN"
"Description"="Fornisce tre servizi di gestione: il servizio Database catalogo, che serve per confermare le firme dei file di Windows; il servizio Archivio principale protetto, per aggiungere e rimuovere dal computer i certificati dell'autorità di certificazione delle fonti attendibili; e il servizio Chiave, che aiuta a registrare i certificati nel computer. Se questo servizio è interrotto, i servizi di gestione non funzioneranno in modo corretto. Se il servizio è disabilitato, tutti i servizi che dipendono direttamente da questo non potranno essere avviati."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecHuh\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SecHuh]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=""C:\Programmi\File comuni\System\Bil.exe""
"DisplayName"="SecHuh"
"ObjectName"=".\mVN"
"Description"="Fornisce tre servizi di gestione: il servizio Database catalogo, che serve per confermare le firme dei file di Windows; il servizio Archivio principale protetto, per aggiungere e rimuovere dal computer i certificati dell'autorità di certificazione delle fonti attendibili; e il servizio Chiave, che aiuta a registrare i certificati nel computer. Se questo servizio è interrotto, i servizi di gestione non funzioneranno in modo corretto. Se il servizio è disabilitato, tutti i servizi che dipendono direttamente da questo non potranno essere avviati."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SecHuh\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programmi\\eMule\\emule.exe"="C:\\Programmi\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Programmi\\iDC++\\iDCPlusPlus.exe"="C:\\Programmi\\iDC++\\iDCPlusPlus.exe:*:Enabled:iDC++"
"C:\\Programmi\\CyberLink\\PowerCinema\\PowerCinema.exe"="C:\\Programmi\\CyberLink\\PowerCinema\\PowerCinema.exe:*:Enabled:PowerCinema"
"C:\\Programmi\\CyberLink\\PowerCinema\\PCMService.exe"="C:\\Programmi\\CyberLink\\PowerCinema\\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\\Programmi\\uTorrent\\uTorrent.exe"="C:\\Programmi\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\lxddcoms.exe"="C:\\WINDOWS\\system32\\lxddcoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Programmi\\Lexmark 2500 Series\\lxddamon.exe"="C:\\Programmi\\Lexmark 2500 Series\\lxddamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\\Programmi\\Lexmark 2500 Series\\App4R.exe"="C:\\Programmi\\Lexmark 2500 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\\Programmi\\MVM 2005 - Delta Force 2\\Df2.exe"="C:\\Programmi\\MVM 2005 - Delta Force 2\\Df2.exe:*:Disabled:Df2"
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"="C:\\Programmi\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programmi\\MSN Messenger\\livecall.exe"="C:\\Programmi\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programmi\\Lexmark 2500 Series\\app4r.exe"="C:\\Programmi\\Lexmark 2500 Series\\App4R.exe:*:Enabled:BorgListener"
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"="C:\\Programmi\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programmi\\MSN Messenger\\livecall.exe"="C:\\Programmi\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 6 Jul 2008 6,104,632 A..H. --- "C:\Programmi\Picasa2\setup.exe"
Mon 1 May 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 14 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e3f1ec8dd65f588e7a8a94dcffba142c\BIT6.tmp"
Sat 27 Jan 2007 14,776,112 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\eda9bedf230096428613e135c22785bf\BIT7.tmp"

Finished!


this is COMBOFIX:
ComboFix 08-07-24.6 - GIULIA 2008-07-25 20:25:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.624 [GMT 0:00]
Eseguito da: C:\Documents and Settings\GIULIA\Desktop\ANTI v\ComboFix.exe

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\GIULIA\Dati applicazioni\rhcta8j0etba
C:\Programmi\rhcta8j0etba
C:\windows\system32\B.tmp
C:\windows\system32\C.tmp
C:\windows\system32\D.tmp
C:\windows\system32\E.tmp
C:\windows\system32\F.tmp
C:\windows\system32\lphcpa8j0etba.exe
.
---- Previous Run -------
.
C:\windows\install.exe

.
((((((((((((((((((((((((( Files Creati Da 2008-06-25 al 2008-07-25 )))))))))))))))))))))))))))))))))))
.

2008-07-25 19:53 . 2008-07-25 19:53 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-25 19:52 . 2006-03-16 17:45 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-07-25 19:52 . 2006-03-16 17:45 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-07-25 19:52 . 2006-03-16 17:45 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2008-07-25 19:52 . 2006-03-16 17:48 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-07-25 19:52 . 2006-03-16 17:45 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-07-25 19:52 . 2008-07-25 20:29 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-07-25 19:52 . 2006-03-16 17:45 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-07-25 19:52 . 2006-03-16 17:45 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-07-25 19:52 . 2008-07-25 19:52 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-25 19:49 . 2008-07-25 20:15 <DIR> d-------- C:\SDFix
2008-07-23 10:26 . 2008-07-23 10:26 268 --ah----- C:\sqmdata05.sqm
2008-07-23 10:26 . 2008-07-23 10:26 244 --ah----- C:\sqmnoopt05.sqm
2008-07-23 09:20 . 2008-07-23 09:20 <DIR> d-------- C:\Programmi\File comuni\Wise Installation Wizard
2008-07-23 09:20 . 2008-07-23 09:20 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2008-07-22 14:22 . 2008-07-22 14:22 268 --ah----- C:\sqmdata04.sqm
2008-07-22 14:22 . 2008-07-22 14:22 244 --ah----- C:\sqmnoopt04.sqm
2008-07-22 14:11 . 2008-07-22 14:11 268 --ah----- C:\sqmdata03.sqm
2008-07-22 14:11 . 2008-07-22 14:11 244 --ah----- C:\sqmnoopt03.sqm
2008-07-22 14:06 . 2008-07-22 14:06 268 --ah----- C:\sqmdata02.sqm
2008-07-22 14:06 . 2008-07-22 14:06 244 --ah----- C:\sqmnoopt02.sqm
2008-07-22 13:14 . 2008-07-23 10:42 <DIR> d-------- C:\Programmi\Navilog1
2008-07-14 21:48 . 2008-07-14 21:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-14 21:48 . 2008-07-14 21:48 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-08 11:19 . 2008-07-08 11:19 268 --ah----- C:\sqmdata01.sqm
2008-07-08 11:19 . 2008-07-08 11:19 244 --ah----- C:\sqmnoopt01.sqm
2008-07-06 16:37 . 2008-07-06 16:37 <DIR> d-------- C:\Programmi\Google
2008-07-06 16:37 . 2006-10-05 02:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-07-06 16:37 . 2006-10-05 02:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-07-06 16:36 . 2008-07-06 23:39 <DIR> d-------- C:\Programmi\Picasa2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 09:20 --------- d-----w C:\Programmi\SUPERAntiSpyware
2008-07-23 09:20 --------- d-----w C:\Documents and Settings\GIULIA\Dati applicazioni\SUPERAntiSpyware.com
2008-07-16 22:41 --------- d-----w C:\Programmi\Lx_cats
2008-07-07 11:42 --------- d-----w C:\Programmi\MVM 2005 - Delta Force 2
2008-07-02 14:43 --------- d-----w C:\Programmi\C'è Posta
2008-06-20 17:39 247,296 ----a-w C:\windows\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\windows\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\windows\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\windows\system32\drivers\tcpip6.sys
2008-06-14 17:59 272,768 ------w C:\windows\system32\drivers\bthport.sys
2008-05-07 05:14 1,292,800 ----a-w C:\windows\system32\quartz.dll
2001-09-13 13:19 1,732,608 ----a-w C:\Programmi\ScnPanel.exe
2000-11-30 22:33 293 ----a-w C:\Programmi\Ultima.psl
2000-10-31 15:05 79,650 ----a-w C:\Programmi\ScnPanel.hlp
2000-02-25 21:49 1,836,032 ----a-w C:\Programmi\XPage3b.dll
2000-02-25 21:45 348,672 ----a-w C:\Programmi\TB1PLUG.PSP
2000-02-25 21:44 888,320 ----a-w C:\Programmi\XIFFPLUG.PSP
2000-02-25 21:43 2,259,456 ----a-w C:\Programmi\XOcr3.dll
2000-02-25 21:41 650,240 ----a-w C:\Programmi\Xfile.psp
2000-02-25 21:40 1,290,752 ----a-w C:\Programmi\XIMAGE3.DLL
2000-02-25 21:36 3,401 ----a-w C:\Programmi\CONV.DAT
2000-02-25 21:36 1,320 ----a-w C:\Programmi\convfonts.dat
1999-12-10 22:04 44,544 ----a-w C:\Programmi\BINDER.DLL
1999-11-22 16:14 218,624 ----a-w C:\Programmi\W019T32W.DLL
1999-07-21 09:25 156 ----a-w C:\Programmi\DEVMODE.PRN
1999-05-05 10:21 239,104 ----a-w C:\Programmi\XCONV32.DLL
1999-02-12 08:04 1,325,568 ----a-w C:\Programmi\ICRSRV32.EXE
1998-09-30 23:08 107,520 ----a-w C:\Programmi\W001T32W.DLL
1998-08-05 17:40 237,568 ----a-w C:\Programmi\W048T32W.DLL
1998-07-21 22:59 223,232 ----a-w C:\Programmi\W042T32W.DLL
1998-05-06 15:52 164,864 ----a-w C:\Programmi\W033T32W.DLL
1997-12-17 19:40 164,352 ----a-w C:\Programmi\ICR32.DLL
1997-12-17 11:45 896,442 ----a-w C:\Programmi\GERMAN.LC
1997-12-17 11:45 859,094 ----a-w C:\Programmi\SPANISH.LC
1997-12-17 11:45 790,945 ----a-w C:\Programmi\FRENCH.LC
1997-12-17 11:45 754,990 ----a-w C:\Programmi\DUTCH.LC
1997-12-17 11:45 753,571 ----a-w C:\Programmi\ENGLISH.LC
1997-12-17 11:45 751,614 ----a-w C:\Programmi\PORT.LC
1997-12-17 11:45 696,056 ----a-w C:\Programmi\ITALIAN.LC
1997-12-17 11:45 687,496 ----a-w C:\Programmi\SWEDISH.LC
1997-12-17 11:45 677,183 ----a-w C:\Programmi\DANISH.LC
1997-12-17 11:45 617,038 ----a-w C:\Programmi\FINNISH.LC
1997-12-17 11:45 578,687 ----a-w C:\Programmi\NORSK.LC
1997-12-17 11:45 318,205 ----a-w C:\Programmi\RUSSIAN.LC
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-19 14:39 15360]
"E06IXLRD_10054343"="C:\Programmi\Microsoft Encarta\Microsoft Encarta Enciclopedia DVD - 2006\EDICT.EXE" [2005-06-04 16:06 301776]
"Picasa Media Detector"="C:\Programmi\Picasa2\PicasaMediaDetector.exe" [2008-02-26 01:23 443968]
"SUPERAntiSpyware"="C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotplug"="C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\hot_plug.exe" [2005-07-28 10:42 278528]
"SiSRaid"="C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2005-05-18 14:44 905216]
"SoundMAXPnP"="C:\Programmi\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 10:11 1388544]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-12-15 04:01 5513216]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-12-15 04:01 86016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 23:19 79224]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RemoteControl"="C:\Programmi\ASUS\ASUS Remote\RemoteControlAppl.exe" [2005-12-05 16:04 65536]
"PCMService"="C:\Programmi\CyberLink\PowerCinema\PCMService.exe" [2006-05-25 17:57 147456]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2006-12-02 15:13 98304]
"lxddmon.exe"="C:\Programmi\Lexmark 2500 Series\lxddmon.exe" [2007-02-12 23:58 291760]
"lxddamon"="C:\Programmi\Lexmark 2500 Series\lxddamon.exe" [2007-02-05 23:32 20480]
"FaxCenterServer"="C:\Programmi\Lexmark Fax Solutions\fm3032.exe" [2007-02-13 00:00 312240]
"LXDDCATS"="C:\windows\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll" [2007-01-22 22:05 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-12-14 09:42 23040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-19 14:39 15360]

C:\Documents and Settings\GIULIA\Menu Avvio\Programmi\Esecuzione automatica\
C'è Posta.lnk - C:\Programmi\C'è Posta\CPosta.exe [2004-06-21 09:33:46 729174]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Reader Speed Launch.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
WinZip Quick Pick.lnk - C:\Programmi\WinZip\WZQKPICK.EXE [2006-03-16 12:26:21 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon]
2007-04-19 13:41 294912 C:\Programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"vidc.XVID"= xvid.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3ivx"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-12-15 04:01 1490944 C:\WINDOWS\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\eMule\\emule.exe"=
"C:\\Programmi\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"C:\\Programmi\\CyberLink\\PowerCinema\\PCMService.exe"=
"C:\\Programmi\\uTorrent\\uTorrent.exe"=
"C:\\WINDOWS\\system32\\lxddcoms.exe"=
"C:\\Programmi\\Lexmark 2500 Series\\lxddamon.exe"=
"C:\\Programmi\\Lexmark 2500 Series\\App4R.exe"=
"C:\\Programmi\\MVM 2005 - Delta Force 2\\Df2.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\MSN Messenger\\livecall.exe"=

R1 aswSP;avast! Self Protection;C:\windows\system32\drivers\aswSP.sys [2008-05-15 23:20]
R2 aswFsBlk;aswFsBlk;C:\windows\system32\DRIVERS\aswFsBlk.sys [2008-05-15 23:16]
R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-02-12 23:59]
R3 3xHybrid;3xHybrid service;C:\windows\system32\DRIVERS\3xHybrid.sys [2005-12-26 08:08]
S2 SecHuh;SecHuh;C:\Programmi\File comuni\System\Bil.exe []
S3 SampleScanner;Sm@rtScan Slim Edition Scanner;C:\windows\system32\DRIVERS\GT680x.sys []
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1040
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&sporta in Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 20:29:20
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDDCATS = rundll32 C:\windows\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-07-25 20:30:49
ComboFix-quarantined-files.txt 2008-07-25 20:30:29

Pre-Run: 168,755,740,672 byte disponibili
Post-Run: 168,744,001,536 byte disponibili

195 --- E O F --- 2008-07-08 23:11:24
mymonix
Junior User

Posts: 68
Joined: 27/05/06 14:26

Re: hijackthis check

Post by mymonix » 28/07/08 09:43

Please,
can someone tell me whether everything is okay or whether I have to do something else???
Thanks a lot
mymonix
Junior User

Posts: 68
Joined: 27/05/06 14:26

Re: hijackthis check

Post by Luke57 » 28/07/08 10:03

Hi, it seems so, are you still having problems?
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10
