[Solved] Pages open by themselves!!
- After double-clicking the program icon I get:
 Logfile of Trend Micro HijackThis v2.0.2
 Scan saved at 17.50.39, on 07/12/2008
 Platform: Windows Vista SP1 (WinNT 6.00.1905)
 MSIE: Internet Explorer v7.00 (7.00.6001.18000)
 Boot mode: Normal
 Running processes:
 C:\Windows\system32\Dwm.exe
 C:\Windows\system32\taskeng.exe
 C:\Windows\Explorer.EXE
 C:\Program Files\Windows Defender\MSASCui.exe
 C:\Windows\RtHDVCpl.exe
 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
 C:\Program Files\Lexmark X1100 Series\LXBKbmgr.exe
 C:\Windows\System32\rundll32.exe
 C:\Program Files\Spyware Doctor\pctsTray.exe
 C:\Program Files\Windows Sidebar\sidebar.exe
 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
 C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
 C:\Program Files\Skype\Phone\Skype.exe
 C:\Users\utente\AppData\Local\oggffyfa.exe
 C:\Program Files\WinZip\WZQKPICK.EXE
 C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
 C:\Windows\System32\rundll32.exe
 C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
 C:\Program Files\Skype\Plugin Manager\skypePM.exe
 C:\Program Files\Internet Explorer\ieuser.exe
 C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
 C:\Program Files\Internet Explorer\iexplore.exe
 C:\PROGRA~1\WINZIP\winzip32.exe
 C:\Users\utente\AppData\Local\Temp\HijackThis.exe
 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
 R3 - URLSearchHook: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Program Files\myBabylon\tbmyBa.dll
 O1 - Hosts: ::1 localhost
 O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
 O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
 O2 - BHO: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Program Files\myBabylon\tbmyBa.dll
 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
 O3 - Toolbar: myBabylon Toolbar - {34ea1c70-42cc-42c5-aa29-ec58b95a343e} - C:\Program Files\myBabylon\tbmyBa.dll
 O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
 O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
 O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
 O4 - HKLM..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
 O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
 O4 - HKLM..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
 O4 - HKLM..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
 O4 - HKLM..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
 O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
 O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
 O4 - HKLM..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
 O4 - HKLM..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
 O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
 O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
 O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
 O4 - HKCU..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
 O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
 O4 - HKCU..\Run: [oggffyfa] "c:\users\utente\appdata\local\oggffyfa.exe" oggffyfa
 O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
 O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
 O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
 O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
 O13 - Gopher Prefix:
 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
 O17 - HKLM\System\CCS\Services\Tcpip..{064492E3-0D26-4C52-BB07-15C3C939D2B0}: NameServer = 88.149.128.22 88.149.128.12
 O17 - HKLM\System\CS1\Services\Tcpip..{064492E3-0D26-4C52-BB07-15C3C939D2B0}: NameServer = 88.149.128.22 88.149.128.12
 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
 O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
 O23 - Service: lxbk_device - - C:\Windows\system32\lxbkcoms.exe
 O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
 O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
 O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
 O23 - Service: O2Micro Flash Memory (O2Flash) - O2Micro International - C:\Windows\system32\o2flash.exe
 O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
 End of file - 6346 bytes
 
- Hi. The annoying advertising pages that appear while you browse are caused by this file: c:\users\utente\appdata\local\**oggffyfa.exe**
 You have also run into a fake security program: Spyware-Secure.
 Follow these instructions.
 Right-click the Hijackthis icon -> run as administrator
 Click "do a system scan only"
 Tick these entries and click "fix checked":
 O4 - HKLM..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
 O4 - HKCU..\Run: [oggffyfa] "c:\users\utente\appdata\local\oggffyfa.exe" oggffyfa
 Download the Avenger
 http:/ /swandog46.geekstogo.com/avenger.zip
 Save it in a folder and unpack the .zip file
 Locate avenger.exe and run it
 Enter this script in the white box:
 Files to delete:
 c:\users\utente\appdata\local\oggffyfa_navps.dat
 c:\users\utente\appdata\local\oggffyfa.dat
 c:\users\utente\appdata\local\oggffyfa_nav.dat
 c:\users\utente\appdata\local\oggffyfa.exe
 C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe

 folders to delete:
 C:\WINDOWS\temp
 C:\WINDOWS\Tasks
 C:\Program Files\Spyware-Secure
 Click Execute
 The PC should restart (if it doesn't, restart it yourself)
 Post the log that will be created in C:\Avenger
 Run Combofix as I recommended and attach the report.
 Right-click the Combofix icon -> run as administrator
 You are already using Nod32 as your antivirus, so why buy another one?
 If you really want to change, go for Antivir: besides being excellent, it is also free.
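
A triage sketch for the two Run entries singled out above, added here as an example and not part of the original post: it parses HijackThis `O4` lines and flags autostarts that match a name list or load a binary straight from `AppData\Local`. `ROGUE_NAMES`, the profile-root heuristic and all function names are assumptions made for this example; the sample lines are copied from the log in this thread.

```python
import ntpath  # Windows path semantics, usable on any OS
import re

# Constructed sample: six O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r'''
O4 - HKLM..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
O4 - HKCU..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU..\Run: [oggffyfa] "c:\users\utente\appdata\local\oggffyfa.exe" oggffyfa
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
'''

# Assumption: names the helper in this thread called out as rogue software.
ROGUE_NAMES = ("spyware-secure",)

RUN_LINE = re.compile(r"^O4 - (HKLM|HKCU)\.\.\\Run: \[(.+?)\] (.+)$")
# First drive-letter path ending in an executable or DLL extension.
TARGET = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|com|scr|bat)", re.IGNORECASE)
# Heuristic (assumption): a binary sitting directly in AppData\Local or its Temp
# folder, rather than in a vendor subfolder, is in a user-writable drop location.
PROFILE_ROOT = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local(?:\\temp)?$")


def parse_run_entries(log_text):
    """Yield (hive, value_name, target_path_or_None) for each O4 Run line."""
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # Global Startup and other sections are out of scope here
        hive, name, command = m.groups()
        found = TARGET.search(command)
        yield hive, name, found.group(0) if found else None


def flag_autostarts(log_text):
    """Return a list of (hive, value_name, target, reason) worth a closer look."""
    findings = []
    for hive, name, target in parse_run_entries(log_text):
        if target is None:
            continue  # no absolute path to judge (e.g. a bare file name)
        norm = ntpath.normcase(target)
        if any(r in name.lower() or r in norm for r in ROGUE_NAMES):
            findings.append((hive, name, target, "known rogue product"))
        elif PROFILE_ROOT.match(ntpath.dirname(norm)):
            findings.append((hive, name, target, "binary in profile root"))
    return findings


if __name__ == "__main__":
    for hive, name, target, reason in flag_autostarts(SAMPLE_LOG):
        print(f"{hive}\\Run [{name}] {target} -> {reason}")
```

A hit from the path heuristic is only a prompt to inspect the file; legitimate per-user installers also write under `AppData\Local`, usually in their own subfolder.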
 
- @JeanGrey said: Right-click the Hijackthis icon -> run as administrator
 Click "do a system scan only"
 Bear with me. You tell me to right-click the icon, but if I click the icon extracted from WinZip, "run as adm..." does not come up. So you should also explain to me how to extract the icon correctly.
 Thank you. Enjoy your meal, given the time.
 
- Hijackthis must not be run from temporary folders. First extract the exe properly with Winzip.
 To decompress a file, just click its icon and a window appears showing its contents:
 Click **ACTIONS** and then choose **SELECT ALL**, that is, select everything; the files inside the window turn blue.
 Click **ACTIONS** again and this time choose **EXTRACT**; a window opens for choosing where to save the files it contains.
 If you want to save the files in another folder, just select it by clicking the "+" signs and locating it.
 Put Hijackthis.exe in a folder under Program Files
 Start Hijackthis as I suggested
 
- Here is the report:
 Logfile of The Avenger Version 2.0, (c) by Swandog46
 Platform: Windows Vista
 Script file opened successfully. 
 Script file read successfully.
 Backups directory opened successfully at C:\Avenger
 Beginning to process script file: 
 Rootkit scan active.
 No rootkits found!
 File "c:\users\utente\appdata\local\oggffyfa_navps.dat" deleted successfully.
 File "c:\users\utente\appdata\local\oggffyfa.dat" deleted successfully.
 Error: could not open file "c:\usesr\utente\appdata\local\oggffyfa_nav.dat"
 Deletion of file "c:\usesr\utente\appdata\local\oggffyfa_nav.dat" failed!
 Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
 --> bad path / the parent directory does not exist
 File "c:\users\utente\appdata\local\oggffyfa.exe" deleted successfully.
 File "C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe" deleted successfully.
 Folder "C:\WINDOWS\temp" deleted successfully.
 Folder "C:\WINDOWS\Tasks" deleted successfully.
 Folder "C:\Program Files\Spyware-Secure" deleted successfully.
 Completed script processing.
 Finished! Terminate. 
 
- Hi dialcrises,
 there was an error in the Avenger script, perhaps because of typing mistakes, but nothing serious.
 Error: could not open file "c:\usesr\utente\appdata\local\oggffyfa_nav.dat"
 c:\*users*\utente\appdata\local\oggffyfa_nav.dat
 Did you manage to run Combofix?
 
- Good morning.
 Regarding what you told me above, do I need to do anything?
 COMBOFIX report:
 ComboFix 08-12-07.01 - utente 2008-12-08 15.06.46.1 - NTFSx86
 Microsoft Windows Vista? Home Basic 6.0.6001.1.1252.1.1040.18.167 [GMT 1:00]
 Eseguito da: c:\users\utente\Application Data\ComboFix.exe
 - Creato nuovo punto di ripristino
 - Resident AV is active
 .
 ((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 c:\users\utente\AppData\Local\oggffyfa_nav.dat
 .
 ((((((((((((((((((((((((( Files Creati Da 2008-11-08 al 2008-12-08 )))))))))))))))))))))))))))))))))))
 .
 2008-12-07 20:44 . 2008-12-07 20:44 <DIR> d-------- c:\users\All Users\Avira
 2008-12-07 20:44 . 2008-12-07 20:44 <DIR> d-------- c:\programdata\Avira
 2008-12-07 20:44 . 2008-12-07 20:44 <DIR> d-------- c:\program files\Avira
 2008-12-06 18:06 . 2008-12-06 18:07 <DIR> d-------- c:\program files\Common Files\Adobe
 2008-12-03 20:52 . 2008-12-03 20:52 <DIR> d-------- c:\users\All Users\CheckPoint
 2008-12-03 20:52 . 2008-12-03 20:52 <DIR> d-------- c:\programdata\CheckPoint
 2008-12-03 20:52 . 2008-03-03 15:06 279,440 --a------ c:\windows\System32\drivers~GLH0014.TMP
 2008-12-03 20:39 . 2008-12-08 13:16 <DIR> d-a------ c:\users\All Users\TEMP
 2008-12-03 20:39 . 2008-12-08 13:16 <DIR> d-a------ c:\programdata\TEMP
 2008-12-03 20:39 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
 2008-12-03 20:39 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
 2008-12-03 20:39 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
 2008-12-03 20:39 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
 2008-12-03 20:33 . 2008-12-03 20:33 <DIR> d-------- c:\users\utente\AppData\Roaming\PC Tools
 2008-12-03 20:33 . 2008-12-03 20:41 <DIR> d-------- c:\program files\Spyware Doctor
 2008-11-27 14:16 . 2008-11-27 14:17 <DIR> d-------- c:\program files\eMule
 2008-11-26 21:49 . 2008-12-08 13:16 <DIR> d-------- c:\users\utente\AppData\Roaming\skypePM
 2008-11-26 21:49 . 2008-11-26 21:49 56 --ah----- c:\users\All Users\ezsidmv.dat
 2008-11-26 21:49 . 2008-11-26 21:49 56 --ah----- c:\programdata\ezsidmv.dat
 2008-11-26 21:48 . 2008-12-08 14:16 <DIR> d-------- c:\users\utente\AppData\Roaming\Skype
 2008-11-26 21:48 . 2008-12-04 06:57 <DIR> d-------- c:\users\All Users\Google
 2008-11-26 21:47 . 2008-12-04 07:01 <DIR> d-------- c:\program files\Google
 2008-11-26 21:46 . 2008-11-26 21:47 <DIR> d-------- c:\users\All Users\Skype
 2008-11-26 21:46 . 2008-11-26 21:47 <DIR> d-------- c:\programdata\Skype
 2008-11-26 21:46 . 2008-11-26 21:47 <DIR> d-------- c:\program files\Skype
 2008-11-26 21:46 . 2008-11-26 21:46 <DIR> d-------- c:\program files\Common Files\Skype
 2008-11-21 07:45 . 2008-11-21 07:45 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
 2008-11-12 06:30 . 2008-08-27 02:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
 2008-11-09 20:27 . 2008-11-10 19:36 <DIR> d-------- c:\program files\McDonaldsDragons
 .
 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 2008-12-04 09:36 --------- d-----w c:\programdata\Spybot - Search & Destroy
 2008-12-04 09:36 --------- d-----w c:\program files\Spybot - Search & Destroy
 2008-12-03 19:34 --------- d-----w c:\program files\ESET
 2008-11-15 18:10 13,072 ----a-w c:\users\utente\AppData\Roaming\nvModes.dat
 2008-10-28 06:15 174 --sha-w c:\program files\desktop.ini
 2008-10-28 06:04 --------- d-----w c:\program files\Windows Calendar
 2008-10-28 06:03 --------- d-----w c:\program files\Windows Sidebar
 2008-10-28 06:03 --------- d-----w c:\program files\Windows Photo Gallery
 2008-10-28 06:03 --------- d-----w c:\program files\Windows Mail
 2008-10-28 06:03 --------- d-----w c:\program files\Windows Defender
 2008-10-28 06:03 --------- d-----w c:\program files\Windows Collaboration
 2008-10-28 05:38 82,432 ----a-w c:\windows\System32\axaltocm.dll
 2008-10-28 05:38 101,888 ----a-w c:\windows\System32\ifxcardm.dll
 2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
 2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
 2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
 2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
 2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
 2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
 2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
 2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
 2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
 2008-10-16 13:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
 2008-10-16 12:56 31,232 ----a-w c:\windows\System32\wuapp.exe
 2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
 2008-09-30 15:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
 2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
 2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
 2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
 2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
 2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
 2008-09-10 03:40 1,334,272 ----a-w c:\windows\System32\msxml6.dll
 .
 ((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 .
 Nota i valori vuoti & legittimi/default non sono visualizzati.
 REGEDIT4
 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
 "{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\program files\myBabylon\tbmyBa.dll" [2008-02-14 1555480]
 [HKEY_CLASSES_ROOT\clsid{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
 [HKEY_LOCAL_MACHINE~\Browser Helper Objects{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
 2008-02-14 13:54 1555480 --a------ c:\program files\myBabylon\tbmyBa.dll
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
 "{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\program files\myBabylon\tbmyBa.dll" [2008-02-14 1555480]
 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
 "{34EA1C70-42CC-42C5-AA29-EC58B95A343E}"= "c:\program files\myBabylon\tbmyBa.dll" [2008-02-14 1555480]
 [HKEY_CLASSES_ROOT\clsid{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
 "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
 "ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
 "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320]
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
 "nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-06-21 949376]
 "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
 "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 58928]
 "lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-26 74672]
 "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-04-12 86016]
 "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
 "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
 "ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
 "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
 "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
 "RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 c:\windows\RtHDVCpl.exe]
 c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup
 WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-06-21 118784]
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
 "EnableUIADesktopToggle"= 0 (0x0)
 [HKLM~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
 "{416B5E0E-3872-4BEA-8D4B-FF6E0F144B73}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
 "{F9FA6A3E-9B03-4112-BE35-86003DCAABFB}"= UDP:c:\windows\System32\lxbkcoms.exe:Lexmark Communications System
 "{8AB98A3D-E5EE-4C87-A03C-706A50CC52BA}"= TCP:c:\windows\System32\lxbkcoms.exe:Lexmark Communications System
 "{BEACD3E5-9C23-4F84-ABB2-7623B5ABE5AE}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
 "{787C8185-E316-4FD1-BCDB-C7AE6599755B}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbkpswx.exe:Printer Status Window
 "{D544BEA9-0698-48AB-AD63-15B6DF6203F5}"= c:\program files\Skype\Phone\Skype.exe:Skype
 "TCP Query User{EBE8686C-0281-4394-9CA7-674DFA9C1B65}c:\program files\emule\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
 "UDP Query User{FE951C24-697D-4A15-823E-FE978511D2A4}c:\program files\emule\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
 R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2006-11-20 38400]
 R0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2006-11-17 31360]
 R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-06-21 15424]
 R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service []
 R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-12-03 356920]
 R3 rt61x86;Ralink RT61 Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr61.sys [2007-02-05 274432]
 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
 LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{258b5c27-393c-11dd-b01b-e747205e809f}]
 \shell\AutoRun\command - E:\StartVMCLite.exe
 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d0246ea5-397e-11dd-9f8d-bf6de1532937}]
 \shell\AutoRun\command - E:\StartVMCLite.exe
 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d0246eb3-397e-11dd-9f8d-bf6de1532937}]
 \shell\AutoRun\command - E:\StartVMCLite.exe
 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{d0246eb4-397e-11dd-9f8d-bf6de1532937}]
 \shell\AutoRun\command - E:\StartVMCLite.exe
 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{fb856ba2-393a-11dd-8374-f1b0c79f0fb0}]
 \shell\AutoRun\command - E:\StartVMCLite.exe
 .
 .
 ------- Supplementare di scansione -------
 .
 uStart Page =
 IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 
 LSP: c:\windows\system32\imon.dll
 O16 -: Microsoft XML Parser for Java -c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd 
 .
 catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2008-12-08 15:10:27 
 Windows 6.0.6001 Service Pack 1 NTFS
 scansione processi nascosti ...
 scansione entrate autostart nascoste ...
 Scansione files nascosti ...
 Scansione completata con successo
 Files nascosti: 0
 . 
 Ora fine scansione: 2008-12-08 15.12.01
 ComboFix-quarantined-files.txt 2008-12-08 14:11:45
 Pre-Run: 68.222.320.640 byte disponibili
 Post-Run: 68,267,180,032 byte disponibili
 166 --- E O F --- 2008-12-05 05:51:36
 Thank you so much for the help!!
 
- You don't need to do anything about this file, because it was deleted by Combofix.
 ((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
 .
 c:\users\utente\AppData\Local\oggffyfa_nav.dat
 Locate avenger.exe and run it
 Enter this script in the white box:
 Files to delete:
 c:\windows\System32\drivers~GLH0014.TMP
 Click Execute
 The PC should restart (if it doesn't, restart it yourself)
 Post the log that will be created in C:\Avenger
 (Copy and paste the script into the box)
 Download, install and update Malwarebytes, then run a full scan.
 download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
 Copy the report into your reply.
 
- Here is the Avenger log:
 Logfile of The Avenger Version 2.0, (c) by Swandog46
 Platform: Windows Vista
 Script file opened successfully. 
 Script file read successfully.
 Backups directory opened successfully at C:\Avenger
 Beginning to process script file: 
 Rootkit scan active.
 No rootkits found!
 File "c:\windows\System32\drivers~GLH0014.TMP" deleted successfully.
 Completed script processing.
 Finished! Terminate 
 
- And here is the Malware log:
 Malwarebytes' Anti-Malware 1.31
 Versione del database: 1456
 Windows 6.0.6001 Service Pack 1
 08/12/2008 22.06.11
 mbam-log-2008-12-08 (22-06-11).txt
 Tipo di scansione: Scansione completa (C:|)
 Elementi scansionati: 109865
 Tempo trascorso: 1 hour(s), 38 minute(s), 17 second(s)
 Processi delle memoria infetti: 0
 Moduli della memoria infetti: 0
 Chiavi di registro infette: 0
 Valori di registro infetti: 0
 Elementi dato del registro infetti: 0
 Cartelle infette: 0
 File infetti: 0
 Processi delle memoria infetti:
 (Nessun elemento malevolo rilevato)
 Moduli della memoria infetti:
 (Nessun elemento malevolo rilevato)
 Chiavi di registro infette:
 (Nessun elemento malevolo rilevato)
 Valori di registro infetti:
 (Nessun elemento malevolo rilevato)
 Elementi dato del registro infetti:
 (Nessun elemento malevolo rilevato)
 Cartelle infette:
 (Nessun elemento malevolo rilevato)
 File infetti:
 (Nessun elemento malevolo rilevato)
 Good night. Thank you so much.
 
- Good, I'd say we've solved it! I'm happy for you!
 
- No, thank you so much! You were exceptional!!!!