Virtumonde ?

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: m.paolo, kadosh, Luke57

Virtumonde ?

Post by Kimical » 11/02/08 18:45

Good evening,
I have just registered on the forum because I think I have a problem on my PC. Let me say first that ventodelsud spoke very highly to me of this forum and of the great availability, professionalism and skill of Luke57, from whom I would like to get the answer, if possible.

The problem is that advertising windows keep opening, and the antivirus detects the trojan but does not remove it. I think it is Virtumonde.

This is the HijackThis log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18.28.52, on 11/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\crypserv.exe
C:\Programmi\File comuni\Bentley Shared\IEG\IEGLCS\IEGLicSrv.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Programmi\Intel\AMT\LMS.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\PDF Complete\pdfsvc.exe
C:\Programmi\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\REXECD.exe
C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Programmi\Rainbow Technologies\SentinelLM 7.2.0.1 Server\English\lservnt.exe
C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmi\HPQ\IAM\bin\asghost.exe
C:\Programmi\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Programmi\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\KV1325.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {435927AE-675E-4F40-9F58-65F1FAA8B467} - C:\DOCUME~1\pascan01\IMPOST~1\Temp\ddaba.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Programmi\HPQ\IAM\Bin\ItIeAddIN.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tasto di scelta rapida per l'avvio di AutoCAD LT.lnk = C:\Programmi\File comuni\Autodesk Shared\acstart17.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} -
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} -
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} -
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescan ... roinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mythen.intranet
O17 - HKLM\Software\..\Telephony: DomainName = mythen.intranet
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1BF7297-B497-4838-BD2E-9934B395A4E8}: NameServer = 10.10.10.11,10.10.10.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mythen.intranet
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: OneCard - C:\Programmi\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Bentley License Client (IEGLicSrv) - Bentley Systems Inc. - C:\Programmi\File comuni\Bentley Shared\IEG\IEGLCS\IEGLicSrv.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: Intel(R) Active Management Technology LMS Service (LMS) - Intel - C:\Programmi\Intel\AMT\LMS.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Programmi\PDF Complete\pdfsvc.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Programmi\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: REXECD (REXEC) - Aspen Technology, Inc - C:\WINDOWS\system32\REXECD.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: SentinelLM - Rainbow Technologies, Inc. - C:\Programmi\Rainbow Technologies\SentinelLM 7.2.0.1 Server\English\lservnt.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Programmi\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programmi\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7515 bytes

-------------------------------------------------------------------------

This instead is the run I did with ComboFix (I read another topic where Virtumonde was discussed and went ahead with it in advance)

ComboFix 08-02-11.2 - Administrator 2008-02-11 18.15.55.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.778 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Administrator\Desktop\Nuova cartella\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Dati applicazioni\inst.exe
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat
C:\Programmi\mcroso~1
C:\Programmi\mcroso~1\l?gonui.exe
C:\Programmi\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\IA
C:\WINDOWS\system32\dp1
C:\WINDOWS\system32\feq9
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nsprs.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qkhvaidy.ini
C:\WINDOWS\system32\x64
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://update.pdfcomplete.com

.
((((((((((((((((((((((((( Files Creati Da 2008-01-11 al 2008-02-11 )))))))))))))))))))))))))))))))))))
.

2008-02-11 18:20 . 2008-02-11 18:20 0 --a------ C:\WINDOWS\system32\tmpPrst.dll
2008-02-11 16:51 . 2008-02-11 17:08 <DIR> d-------- C:\suspectfile
2008-02-11 14:03 . 2008-02-11 14:03 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-02-07 18:38 . 2008-02-11 13:51 7,714 --a------ C:\WINDOWS\cfgall.ini
2008-02-07 18:33 . 2008-02-07 18:33 21 --a------ C:\tmuninst.ini
2008-02-07 13:22 . 2008-02-11 11:33 <DIR> d-------- C:\VundoFix Backups
2008-02-07 09:03 . 2008-02-07 09:03 81,192,751 --a------ C:\WINDOWS\pav.sig
2008-02-07 08:52 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2008-02-07 08:51 . 2008-02-07 10:03 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2008-02-07 08:51 . 2008-02-07 10:43 30,590 --a------ C:\WINDOWS\system32\pavaspro.ico
2008-02-07 08:51 . 2008-02-07 10:43 3,377 --a------ C:\WINDOWS\system32\.ico
2008-02-07 08:51 . 2008-02-07 10:43 2,550 --a------ C:\WINDOWS\system32\Uninstallpro.ico
2008-02-07 08:51 . 2008-02-07 10:43 1,406 --a------ C:\WINDOWS\system32\Helppro.ico
2008-02-06 15:16 . 2008-02-06 15:06 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-06 15:16 . 2008-02-06 15:16 3,455 --a------ C:\WINDOWS\unins000.dat
2008-02-06 15:01 . 2008-02-05 18:16 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-06 14:57 . 2008-02-07 18:33 <DIR> d-------- C:\Programmi\Trend Micro
2008-02-06 10:34 . 2008-02-06 10:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-06 10:34 . 2008-02-06 10:34 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2008-02-06 09:06 . 2008-02-06 12:10 <DIR> d-------- C:\Documents and Settings\pascan01\.housecall6.6
2008-02-05 18:16 . 2008-02-06 17:18 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-02-05 17:54 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-05 17:44 . 2008-02-05 17:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-05 17:44 . 2008-02-05 17:44 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-05 17:44 . 2008-02-05 17:44 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-05 17:44 . 2008-02-05 17:44 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-05 16:08 . 2008-02-07 17:41 <DIR> d-------- C:\Programmi\Spybot - Search & Destroy
2008-02-05 16:08 . 2008-02-07 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-02-05 15:35 . 2008-02-05 15:52 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-02-05 12:37 . 2008-02-07 19:36 <DIR> d-------- C:\Programmi\Drmupgds
2008-02-05 12:33 . 2008-02-11 18:16 <DIR> d-------- C:\Temp
2008-02-04 14:20 . 2008-02-04 14:20 <DIR> d-------- C:\Programmi\CambridgeSoft
2008-02-04 14:20 . 2008-02-04 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\CambridgeSoft
2008-02-04 11:05 . 2008-02-05 14:49 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\DNA
2008-01-18 14:12 . 2008-01-18 14:13 24 --ahs---- C:\WINDOWS\SC5ED1F2B.tmp
2008-01-17 17:39 . 2008-01-17 17:39 <DIR> d-------- C:\Documents and Settings\pascan01\Dati applicazioni\ErrorSmart
2008-01-17 17:07 . 2008-01-17 17:07 <DIR> d-------- C:\Programmi\IntrBase
2008-01-17 17:07 . 2008-01-17 17:07 <DIR> d-------- C:\Programmi\Borland
2008-01-17 17:07 . 1999-04-23 11:06 335,360 --------- C:\WINDOWS\system32\Gds32.dll
2008-01-17 17:07 . 1999-04-23 11:06 183,808 --------- C:\WINDOWS\system32\Bdeadmin.cpl
2008-01-17 17:07 . 1999-04-23 11:06 154,576 --------- C:\WINDOWS\system32\Dbclient.dll
2008-01-17 17:06 . 2008-01-17 17:06 <DIR> d-------- C:\Programmi\File comuni\Haestad
2008-01-17 17:06 . 2008-01-17 17:06 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Bentley
2008-01-17 17:00 . 2008-02-04 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\ErrorSmart
2008-01-17 16:59 . 2008-02-11 14:12 <DIR> d-------- C:\Programmi\ErrorSmart
2008-01-15 13:30 . 2008-01-15 13:31 <DIR> d-------- C:\Programmi\Elaborate Bytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 15:34 --------- d-----w C:\Documents and Settings\pascan01\Dati applicazioni\Skype
2008-02-07 17:37 --------- d-----w C:\Documents and Settings\Administrator.MYTHEN\Dati applicazioni\Skype
2008-02-07 11:29 --------- d-----w C:\Programmi\Google
2008-02-07 09:44 --------- d-----w C:\Programmi\QuickTime
2008-02-07 08:57 --------- d-----w C:\Programmi\SkypeMate
2008-02-07 08:57 --------- d-----w C:\Programmi\PDF Complete
2008-02-07 08:53 --------- d-----w C:\Programmi\File comuni\Autodesk Shared
2008-02-06 07:52 --------- d-----w C:\Programmi\Compaq
2008-02-05 13:53 --------- d-----w C:\Programmi\File comuni\ADO
2008-02-05 13:52 --------- d-----w C:\Programmi\File comuni\Schlumberger
2008-02-05 13:49 --------- d-----w C:\Programmi\eMule
2008-02-05 13:48 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-02-05 13:44 --------- d-----w C:\Programmi\BitTorrent
2008-02-05 08:42 --------- d-----w C:\Documents and Settings\pascan01\Dati applicazioni\BitTorrent
2008-02-04 13:21 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\BitTorrent
2008-01-31 08:49 --------- d-----w C:\Documents and Settings\pascan01\Dati applicazioni\InstallShield
2008-01-18 15:06 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Vso
2008-01-18 13:29 94,208 ----a-w C:\WINDOWS\system32\drivers\ezplay.sys
2008-01-18 13:29 94,208 ----a-w C:\Documents and Settings\Administrator\Dati applicazioni\ezplay.sys
2008-01-18 13:29 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-18 13:29 47,360 ----a-w C:\Documents and Settings\Administrator\Dati applicazioni\pcouffin.sys
2008-01-18 13:29 --------- d-----w C:\Programmi\VSO
2008-01-17 16:06 --------- d-----w C:\Programmi\Bentley
2008-01-02 13:07 --------- d-----w C:\Documents and Settings\pascan01\Dati applicazioni\OLGA
2008-01-02 12:40 --------- d-----w C:\Programmi\SPT
2007-12-31 08:40 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\OLGA
2007-12-31 08:35 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Macrovision
2007-12-28 15:58 --------- d-----w C:\Programmi\File comuni\Crystal Decisions
2007-12-28 15:58 --------- d-----w C:\Programmi\DFC
2007-12-28 15:58 --------- d-----w C:\Programmi\Crystal Decisions
2007-12-28 15:57 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\InstallShield
2007-12-11 14:39 --------- d-----w C:\Programmi\File comuni\PROCAD
2007-05-07 08:59 225 ----a-w C:\Documents and Settings\Administrator\lsprst7.dll
2007-04-26 15:15 87,608 ----a-w C:\Documents and Settings\Administrator\Dati applicazioni\ezpinst.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{435927AE-675E-4F40-9F58-65F1FAA8B467}]
2008-02-05 12:38 320512 --a------ C:\DOCUME~1\pascan01\IMPOST~1\Temp\ddaba.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-02-07 16:16 356352]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
Tasto di scelta rapida per l'avvio di AutoCAD LT.lnk - C:\Programmi\File comuni\Autodesk Shared\acstart17.exe [2006-03-05 14:43:54 11000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuPinnedList"= 0 (0x0)
"NoStartMenuMFUprogramsList"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinters"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
IfxWlxEN.dll 2006-04-07 05:00 434176 C:\WINDOWS\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
C:\Programmi\HPQ\IAM\Bin\AsWlnPkg.dll 2006-06-07 20:26 40448 C:\Programmi\HPQ\IAM\Bin\AsWlnPkg.dll

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [2003-06-03 15:52]
R1 PersonalSecureDrive;PersonalSecureDrive;C:\WINDOWS\system32\drivers\psd.sys [2006-04-07 05:46]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [2003-06-03 15:52]
R2 ASChannel;Canale di comunicazione locale;C:\WINDOWS\System32\svchost.exe [2006-03-02 03:00]
R2 IEGLicSrv;Bentley License Client;"C:\Programmi\File comuni\Bentley Shared\IEG\IEGLCS\IEGLicSrv.exe" [2007-03-07 15:02]
R2 LMS;Intel(R) Active Management Technology LMS Service;C:\Programmi\Intel\AMT\LMS.exe [2006-07-25 12:46]
R2 pdfcDispatcher;PDF Document Manager;C:\Programmi\PDF Complete\pdfsvc.exe [2006-07-14 07:43]
R2 REXEC;REXECD;C:\WINDOWS\system32\REXECD.exe [2005-05-09 12:34]
R2 SentinelKeysServer;Sentinel Keys Server;"C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe" [2006-08-22 00:00]
R2 SentinelLM;SentinelLM;"C:\Programmi\Rainbow Technologies\SentinelLM 7.2.0.1 Server\English\lservnt.exe" [2002-07-10 06:20]
R3 IFXTPM;IFXTPM;C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2006-04-25 17:26]
S3 mbr;mbr;C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\mbr.sys []
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 02:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4676d8ae-f408-11db-b9ec-000ffe4746ef}]
\Shell\AutoRun\command - F:\Autorun.exe

.
Contenuto della cartella 'Scheduled Tasks'
"2008-02-08 19:56:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
"2008-02-11 13:11:56 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Programmi\ErrorSmart\ErrorSmart.ex
- C:\Programmi\ErrorSmart
"2008-02-10 12:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 18:22:12
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="C:\Programmi\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Programmi\File comuni\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmi\HPQ\IAM\bin\asghost.exe
C:\Programmi\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Programmi\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Programmi\RealVNC\VNC4\WinVNC4.exe
C:\Programmi\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\KV1325.EXE
.
**************************************************************************
.
Ora fine scansione: 2008-02-11 18:25:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-11 17:25:38
.
2008-02-11 17:10:36 --- E O F ---



_________________________________________________

Thanks in advance to Luke57; I await with confidence.
Kimical
Newbie

Posts: 2
Joined: 11/02/08 17:55


Re: Virtumonde ?

Post by Luke57 » 12/02/08 08:49

Hi, try doing this:
download ATF Cleaner, if you don't have it already, from here:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
and put it on the desktop.

Then copy and paste this code into a text file:

file::
C:\DOCUME~1\pascan01\IMPOST~1\Temp\ddaba.dll

registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{435927AE-675E-4F40-9F58-65F1FAA8B467}]


Save the text file, strictly with the name CFScript.txt.
Drag it with the mouse pointer onto the ComboFix icon and wait for a new scan and a possible reboot.

Reboot into Safe Mode (pressing the F8 key repeatedly at boot, before Windows loads, and choosing Safe Mode by moving with the arrow keys and confirming with Enter).
Start ATF Cleaner and tick "Select All"; in the menu bar at the top the entries for the browsers (Firefox or Opera) will also appear; click the menu entry for your browser and tick the "Select All" box there too.
Click the "Empty Selected" button and wait for the message "Done Cleaning!" to appear; the cleanup is finished.
Reboot in normal mode and run ATF Cleaner again.

Then post a new HijackThis log.
Luke57
Moderator

Posts: 6415
Joined: 11/08/05 19:10
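As an added example (not code from the thread, nor from HijackThis or ComboFix), the following Python script shows the triage step behind the reply above: it parses the O2 (Browser Helper Object) lines of a HijackThis log, flags the entries that share the traits of the ddaba.dll entry (no display name, a Temp directory as load path, "(file missing)"), and emits a CFScript in the file::/registry:: form the reply used. The sample log lines are constructed from the ones posted in the thread; the three heuristics and the function names are the example's own assumptions, and the abbreviated `\~\Browser Helper Objects` key is reproduced exactly as the reply wrote it.

```python
"""Triage HijackThis O2 (BHO) entries and emit a ComboFix CFScript for the flagged ones."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: O2 lines in the format HijackThis v2 writes, plus one O4 line
# that must be ignored. The second O2 line mirrors the entry discussed in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {435927AE-675E-4F40-9F58-65F1FAA8B467} - C:\DOCUME~1\pascan01\IMPOST~1\Temp\ddaba.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
"""

# One O2 line: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class BhoEntry:
    name: str
    clsid: str
    path: str
    file_missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_bho_entries(log_text: str) -> List[BhoEntry]:
    """Return every O2 line as a BhoEntry; all other HijackThis sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append(BhoEntry(m["name"], m["clsid"], m["path"], m["missing"] is not None))
    return entries


def assess(entry: BhoEntry) -> BhoEntry:
    """Attach a reason for each trait that made the ddaba.dll entry stand out.

    Assumption: these heuristics are this example's own, not rules from HijackThis
    or from the forum; a hit is a prompt to verify, not proof of infection.
    """
    if entry.name == "(no name)":
        entry.reasons.append("registered without a display name")
    if re.search(r"\\temp\\", entry.path, re.IGNORECASE):
        entry.reasons.append("loaded from a Temp directory")
    if entry.file_missing:
        entry.reasons.append("registration points at a file that no longer exists")
    return entry


def find_suspicious_bhos(log_text: str) -> List[BhoEntry]:
    """Parse the log and keep only the BHOs that triggered at least one heuristic."""
    return [e for e in map(assess, parse_bho_entries(log_text)) if e.reasons]


def build_cfscript(entries: List[BhoEntry]) -> str:
    """Produce the file::/registry:: script in the form the moderator's reply used.

    The "\\~\\Browser Helper Objects" key is ComboFix's abbreviated spelling of the
    BHO registration key, copied verbatim from the reply.
    """
    files = "\n".join(e.path for e in entries)
    keys = "\n".join(
        f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{e.clsid}]" for e in entries
    )
    return f"file::\n{files}\n\nregistry::\n{keys}\n"


if __name__ == "__main__":
    flagged = find_suspicious_bhos(SAMPLE_LOG)
    for e in flagged:
        print(f"{e.clsid} {e.path}")
        for r in e.reasons:
            print(f"  - {r}")
    print(build_cfscript(flagged))
```

Run against the sample, only the ddaba.dll entry is flagged (all three reasons fire) and the script printed is the same two-directive CFScript the reply gives. In practice each flagged CLSID and path should still be checked against a known-good list before the script is handed to ComboFix, since a legitimate add-in whose file was uninstalled will trip the "(file missing)" heuristic too.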

Re: Virtumonde ?

Post by Kimical » 12/02/08 10:42

Dear Luke57, the problem is solved.
Thank you for the immediate intervention and the prompt resolution. Heartfelt compliments for the forum and for the help you provide.

Keep up the good work, and thanks again.
Kimical
Newbie

Posts: 2
Joined: 11/02/08 17:55

