  1. #1
    HTML.it user, registered Sep 2005, 181 posts

    What the hell is it?

    Every now and then a Zone Alarm window pops up asking for internet access for the file xjue1.exe. Not knowing it, I denied access, and the modem started dialling a phone call, with the resulting ADSL disconnection.
    This file was in windows/temp.
    I deleted it, but after a few days I found 3 of them, same name but different numbers, and the same file is in the startup entries and in windows/prefetch.
    After deleting them again, I noticed a hidden file in the c/programmi folder; every time I reboot the PC it changes name, so I think it all starts from there.
    It is an .exe file; if I try to delete it, it tells me it is in use; if I try to untick "hidden", it tells me I don't have permission; and it won't zip.
    So I followed the whole procedure you recommend, but nothing: it's always there, it won't delete even in safe mode, and ewido and the other programs didn't solve the problem. Only you are left.
    So I'm attaching the log, hoping in your skill.
    Logfile of HijackThis v1.99.1
    Scan saved at 12.25.26, on 28/06/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\ewido anti-spyware 4.0\guard.exe
    C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Programmi\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Programmi\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tin.virgilio.it/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {251AF1B2-C209-A642-E1CB-B6CA8542B8D7} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
    O2 - BHO: Class - {FD0A802C-7261-EBF7-B714-3748E53B5A8E} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
    O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE (file missing)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A3098202-A015-476F-B373-370B32DA2DA9}: NameServer = 151.99.125.1,151.99.125.2
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  2. #2
    HTML.it user, registered Oct 2001, 159 posts
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {251AF1B2-C209-A642-E1CB-B6CA8542B8D7} - (no file)
    O2 - BHO: Class - {FD0A802C-7261-EBF7-B714-3748E53B5A8E} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE (file missing)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    First of all, fix these corrupted entries. To delete the file once found, download EMCO UnLock IT: it lets you terminate the processes tied to the examined file, so you can delete it right afterwards.

    If needed, repeat the cleanup from safe mode to be sure, and remove the unwanted processes from startup with msconfig: Start -> Run -> msconfig -> Startup

    Let us know if you solved it. Regards,
    Nightmare

  3. #3
    Moderator of Computer security and viruses, registered Jun 2001, 9,782 posts
    Let's be careful with titles, please...
    Read the RULES!

    It's very complicated, a bunch of input and output, a lot of information, a bunch of elements to consider, I've got a lot of things to keep in mind...
    Drugo

  4. #4
    HTML.it user, registered Sep 2005, 181 posts
    Sorry, but I really didn't know what it was..
    Now I'll get to work

  5. #5
    HTML.it user, registered Sep 2005, 181 posts
    My problem is not solved.
    On rebooting I found another file similar to the previous one (but not hidden) in the same folder. This one, though, I managed to delete.
    The other one, the evil one, I analysed with EMCO, but it tells me it isn't linked to any other process; yet if I try to delete it I get access denied because it is in use. In its properties, hidden and read-only are ticked. And it won't zip. In msconfig it is not enabled.
    Any other advice?

    This is the new log:
    Logfile of HijackThis v1.99.1
    Scan saved at 15.51.38, on 28/06/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\ewido anti-spyware 4.0\guard.exe
    C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Programmi\ewido anti-spyware 4.0\ewido.exe
    C:\Programmi\Outlook Express\msimn.exe
    C:\Programmi\hijackthis\HijackThis.exe
    C:\Programmi\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\regedit.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tin.virgilio.it/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
    O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A3098202-A015-476F-B373-370B32DA2DA9}: NameServer = 151.99.125.1,151.99.125.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7DBF145-76A1-4375-BACA-EC6FF8B72CAF}: NameServer = 193.12.150.2 212.247.152.2
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  6. #6
    HTML.it user, registered Sep 2005, 181 posts
    I have another lead:
    I searched for the name of the anomalous file in the registry, and it is under this path:
    windows/explorer/comdlg32/opensavemru/*
    and
    windows/explorer/comdlg32/opensavemru/exe
    In these folders, among various entries, there it is, in c/programmi.
    Can I delete it from there?
    I won't move until you give me the go-ahead, I'm afraid of making a mess

  7. #7
    HTML.it user, registered May 2005, 1,330 posts
    Deleting it from there will do little: it's just the list of recently opened files.

    Try running these two tools and then post the log:

    1) Silent Runners
    2) RootkitRevealer. Before starting this one, close all applications, disconnect from the internet, disable the screensaver, the antivirus and any real-time scans (e.g. ewido). And don't use the PC until it has finished.

    Bye
    Think you have an infected file? Send it to SuspectFile

  8. #8
    HTML.it user, registered Sep 2005, 181 posts
    This is from RootkitRevealer:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 12/06/2006 15.12 32 bytes Windows API length not consistent with raw hive data.
    C:\WINDOWS\jrvlp1.dll 12/06/2006 15.12 63.16 KB Hidden from Windows API.
    C:\WINDOWS\jrvlp1.upd 15/06/2006 15.53 61.04 KB Hidden from Windows API.

    and this is Silent Runners:
    "Silent Runners.vbs", revision 46, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
    "Zone Labs Client" = "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "!ewido" = ""C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    {8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
    \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
    {94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Provider fax"
    \StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Helper"
    \InProcServer32\(Default) = "c:\programmi\google\googletoolbar2.dll" ["Google Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Estensione panoramica video del Pannello di controllo"
    -> {HKLM...CLSID} = "Estensione panoramica video del Pannello di controllo"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Estensione di icona di HyperTerminal"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {HKLM...CLSID} = "Portable Media Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}" = "FTP Explorer Shell Extension"
    -> {HKLM...CLSID} = "FTP Explorer Shell Extension"
    \InProcServer32\(Default) = "ftpxext.dll" ["FTPx Corp."]
    "{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "Componente estensione della shell di CorelDRAW"
    -> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"
    \InProcServer32\(Default) = "C:\Programmi\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll" [null data]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {HKLM...CLSID} = "AVG7 Find Extension Class"
    \InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Programmi\Microsoft Office\OFFICE11\msohev.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Programmi\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Programmi\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Programmi\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Programmi\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\programmi\google\googletoolbar2.dll" ["Google Inc."]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\programmi\google\googletoolbar2.dll" ["Google Inc."]

    Explorer Bars

    Dormant Explorer Bars in "View, Explorer Bar" menu

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Ricerche"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
    \InProcServer32\(Default) = "C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Ricerche"


    Miscellaneous IE Hijack Points
    ------------------------------

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

    Added lines (compared with English-language version):
    [Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

    Missing lines (compared with English-language version):
    [Strings]: 1 line


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
    ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Programmi\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
    Machine Debug Manager, MDM, ""C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
    TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    EPSON BiD Monitor1\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
    EPSON BiD Monitor1(1)\Driver = "EBPMON2.dll" ["SEIKO EPSON CORPORATION"]
    EPSON BiD Monitor1(2)\Driver = "EBPMON2.dll" ["SEIKO EPSON CORPORATION"]
    HP DesignJet ECP Monitor\Driver = "HPLTLM5.DLL" ["Hewlett-Packard Corporation, Microsoft Corporation"]
    hpzlnt10\Driver = "hpzlnt10.dll" ["HP"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 52 seconds.
    + The search for all Registry CLSIDs containing dormant Explorer Bars
    took 28 seconds.
    ---------- (total run time: 195 seconds)

    I can't wait to find out what it is!
    Bye and thanks for your patience

  9. #9
    HTML.it user, registered May 2005, 1,330 posts
    OK, this is the trojan jrvlp1.dll. It uses rootkit techniques to avoid being found. It is invoked in hidden mode by the key:
    HKLM>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Windows>AppInit_DLLs

    As you can see, the key was modified on the same date the hidden file was created.

    Try this:

    1) reboot into safe mode
    2) enable viewing of hidden and system files
    choose Folder Options from the Tools menu in My Computer or Windows Explorer. Click the View tab, enable Show hidden files and folders and untick the Hide protected operating system files (Recommended) checkbox.
    Choose Yes at the confirmation prompt and then click OK.
    3) look for the files jrvlp1.dll and jrvlp1.upd in C:>Windows
    4) If you find them, move them out of there and put them in a zip file, which you will then send me via www.suspectfile.com
    5) then reboot and post a new HijackThis log and a new Silent Runners one too, but press NO when you start it.

    If you CANNOT find them, it means they are still hidden. In that case download RKUnhooker from this address, run a scan, then post the log.
    http://www.rkunhooker.narod.ru/

    Bye
    Think you have an infected file? Send it to SuspectFile
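
A small triage script, added here as an example and not written by anyone in this thread, that mechanises the two checks the helpers applied by eye: Nightmare's spotting of HijackThis entries that point at files or hooks that no longer exist (post #2), and holifay's matching of the AppInit_DLLs hive discrepancy to the hidden file by timestamp (post #9). The sample lines are copied from the logs posted above; the five-minute correlation window and all function names are my own assumptions.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread, benign and dangling entries mixed together.
HJT_SAMPLE = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {251AF1B2-C209-A642-E1CB-B6CA8542B8D7} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Constructed sample: the three RootkitRevealer discrepancy lines from post #8.
RKR_SAMPLE = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 12/06/2006 15.12 32 bytes Windows API length not consistent with raw hive data.
C:\WINDOWS\jrvlp1.dll 12/06/2006 15.12 63.16 KB Hidden from Windows API.
C:\WINDOWS\jrvlp1.upd 15/06/2006 15.53 61.04 KB Hidden from Windows API.
"""

# Suffixes HijackThis appends when the file or hook an entry points to is gone.
HJT_DANGLING_MARKERS = ("(no file)", "(file missing)", "is missing")
HJT_ENTRY_RE = re.compile(r"^[RO]\d+ - ")


def hjt_dangling_entries(log_text):
    """Return the HijackThis entries whose target no longer exists: the
    orphaned R3/O2/O9/O18 lines Nightmare told the poster to fix in post #2."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if HJT_ENTRY_RE.match(line) and any(m in line for m in HJT_DANGLING_MARKERS):
            flagged.append(line)
    return flagged


# RootkitRevealer discrepancy line, as formatted in the thread:
#   <path> <dd/mm/yyyy> <HH.MM> <size> <description>
RKR_LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}\.\d{2}) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB)) (?P<desc>.+)$"
)


def parse_rkr(log_text):
    """Parse RootkitRevealer discrepancies into dicts carrying a real timestamp."""
    records = []
    for raw in log_text.splitlines():
        m = RKR_LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %H.%M")
        records.append({"path": m["path"], "ts": ts, "size": m["size"], "desc": m["desc"]})
    return records


def hidden_files(records):
    """Paths RootkitRevealer saw in raw disk structures but not through the Windows API."""
    return [r["path"] for r in records if "Hidden from Windows API" in r["desc"]]


def correlate_appinit(records, window_minutes=5):
    """holifay's reasoning in post #9, made mechanical: an AppInit_DLLs hive
    discrepancy and a hidden file whose timestamps match (within a window,
    5 minutes here by assumption) most likely belong to the same implant.
    Returns (registry_path, file_path, minutes_apart) tuples."""
    keys = [r for r in records if r["path"].endswith("\\AppInit_DLLs")]
    files = [r for r in records if "Hidden from Windows API" in r["desc"]]
    pairs = []
    for k in keys:
        for f in files:
            minutes = abs((f["ts"] - k["ts"]).total_seconds()) / 60
            if minutes <= window_minutes:
                pairs.append((k["path"], f["path"], minutes))
    return pairs


if __name__ == "__main__":
    for entry in hjt_dangling_entries(HJT_SAMPLE):
        print("HJT dangling:", entry)
    recs = parse_rkr(RKR_SAMPLE)
    for p in hidden_files(recs):
        print("hidden from API:", p)
    for key, path, minutes in correlate_appinit(recs):
        print(f"AppInit_DLLs key and {path} modified {minutes:.0f} min apart")
```

On the thread's own data the script flags the four orphaned HijackThis entries and pairs the AppInit_DLLs discrepancy with jrvlp1.dll (same minute), while jrvlp1.upd, three days younger, only pairs up if the window is widened.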

  10. #10
    HTML.it user, registered Sep 2005, 181 posts
    I didn't find them, so here it is:
    I'm splitting it into two parts

    SYSENTER instruction hook detected - No

    106 NtMapUserPhysicalPages - 0x8060E7ED C:\WINDOWS\system32\ntoskrnl.exe
    107 NtMapUserPhysicalPagesScatter - 0x8060ED87 C:\WINDOWS\system32\ntoskrnl.exe
    108 NtMapViewOfSection - 0x8055FA31 C:\WINDOWS\system32\ntoskrnl.exe
    109 NtModifyBootEntry - 0x80613647 C:\WINDOWS\system32\ntoskrnl.exe
    110 NtNotifyChangeDirectoryFile - 0x8057DD74 C:\WINDOWS\system32\ntoskrnl.exe
    111 NtNotifyChangeKey - 0x80570FC1 C:\WINDOWS\system32\ntoskrnl.exe
    112 NtNotifyChangeMultipleKeys - 0x80570DDA C:\WINDOWS\system32\ntoskrnl.exe
    113 NtOpenDirectoryObject - 0x80574E87 C:\WINDOWS\system32\ntoskrnl.exe
    114 NtOpenEvent - 0x8055BF51 C:\WINDOWS\system32\ntoskrnl.exe
    115 NtOpenEventPair - 0x8062C26F C:\WINDOWS\system32\ntoskrnl.exe
    116 NtOpenFile - 0x8055E112 C:\WINDOWS\system32\ntoskrnl.exe
    117 NtOpenIoCompletion - 0x806037EB C:\WINDOWS\system32\ntoskrnl.exe
    118 NtOpenJobObject - 0x8058DC47 C:\WINDOWS\system32\ntoskrnl.exe
    119 NtOpenKey - 0x80560CAC C:\WINDOWS\system32\ntoskrnl.exe
    120 NtOpenMutant - 0x8056930F C:\WINDOWS\system32\ntoskrnl.exe
    121 NtOpenObjectAuditAlarm - 0x8059C4A6 C:\WINDOWS\system32\ntoskrnl.exe
    122 NtOpenProcess - 0x80564A24 C:\WINDOWS\system32\ntoskrnl.exe
    123 NtOpenProcessToken - 0x80558C9B C:\WINDOWS\system32\ntoskrnl.exe
    124 NtOpenProcessTokenEx - 0x80558CB1 C:\WINDOWS\system32\ntoskrnl.exe
    125 NtOpenSection - 0x8056471E C:\WINDOWS\system32\ntoskrnl.exe
    126 NtOpenSemaphore - 0x8059E541 C:\WINDOWS\system32\ntoskrnl.exe
    127 NtOpenSymbolicLinkObject - 0x805690EC C:\WINDOWS\system32\ntoskrnl.exe
    128 NtOpenThread - 0x8057BBC7 C:\WINDOWS\system32\ntoskrnl.exe
    129 NtOpenThreadToken - 0x80558C81 C:\WINDOWS\system32\ntoskrnl.exe
    130 NtOpenThreadTokenEx - 0x80558B85 C:\WINDOWS\system32\ntoskrnl.exe
    131 NtOpenTimer - 0x805CDEA6 C:\WINDOWS\system32\ntoskrnl.exe
    132 NtPlugPlayControl - 0x80583FB1 C:\WINDOWS\system32\ntoskrnl.exe
    133 NtPowerInformation - 0x8059F2C0 C:\WINDOWS\system32\ntoskrnl.exe
    134 NtPrivilegeCheck - 0x8057C000 C:\WINDOWS\system32\ntoskrnl.exe
    135 NtPrivilegeObjectAuditAlarm - 0x805A6443 C:\WINDOWS\system32\ntoskrnl.exe
    136 NtPrivilegedServiceAuditAlarm - 0x805CD5D2 C:\WINDOWS\system32\ntoskrnl.exe
    137 NtProtectVirtualMemory - 0x80567AAE C:\WINDOWS\system32\ntoskrnl.exe
    138 NtPulseEvent - 0x8059C3D6 C:\WINDOWS\system32\ntoskrnl.exe
    139 NtQueryAttributesFile - 0x8055EDCF C:\WINDOWS\system32\ntoskrnl.exe
    140 NtQueryBootEntryOrder - 0x8062C194 C:\WINDOWS\system32\ntoskrnl.exe
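What this part of the dump is for: every SSDT entry in the listing above resolves to C:\WINDOWS\system32\ntoskrnl.exe, which is what an unhooked main service table looks like. A kernel-mode rootkit that hooks a service would show up as an entry whose handler lives in some other module (a driver in system32\drivers, for instance). The script below is an added example, not code from the original post or from the tool that produced the dump: it parses lines in exactly this "index Name - 0xADDRESS path" format and flags entries whose handler is not inside a kernel image. The constructed sample reuses three lines from the post plus one invented hooked entry (the driver name `example.sys` and its address are made up); the set of accepted kernel image names and the 0x80000000 user/kernel split for 32-bit XP are assumptions of the example.

```python
import re
from typing import Dict, List, Optional

# One SSDT dump line as it appears in the post: "<index> <NtFunction> - 0x<address> <module path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+(Nt\w+)\s+-\s+0x([0-9A-Fa-f]+)\s+(\S+)\s*$')

# Kernel image names treated as legitimate SSDT owners (assumption of this example;
# the posted box reports ntoskrnl.exe, PAE/multiprocessor kernels use the other names).
KERNEL_IMAGES = {'ntoskrnl.exe', 'ntkrnlpa.exe', 'ntkrnlmp.exe', 'ntkrpamp.exe'}

# Default 32-bit XP split: kernel code lives at or above 0x80000000 (assumption; /3GB boots differ).
KERNEL_BASE = 0x80000000


def parse_ssdt_line(line: str) -> Optional[Dict]:
    """Parse one dump line; return None for lines that are not SSDT entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    index, name, addr, path = m.groups()
    return {
        'index': int(index),
        'name': name,
        'address': int(addr, 16),
        'module': path.rsplit('\\', 1)[-1].lower(),
        'path': path,
    }


def parse_ssdt(text: str) -> List[Dict]:
    """Parse a whole dump, silently skipping non-entry lines (headers, blank lines)."""
    return [e for e in (parse_ssdt_line(l) for l in text.splitlines()) if e]


def find_suspicious(entries: List[Dict], kernel_images=KERNEL_IMAGES) -> List[Dict]:
    """Entries whose handler is outside a kernel image or below the kernel address range.
    Either condition means the service dispatches somewhere the kernel did not put it."""
    return [e for e in entries
            if e['module'] not in kernel_images or e['address'] < KERNEL_BASE]


def shared_addresses(entries: List[Dict]) -> Dict[str, List[str]]:
    """Services that share one handler address. This is informational only: the post itself
    shows NtDeleteBootEntry and NtModifyBootEntry both at 0x80613647, which is a legitimate
    not-implemented stub, so a shared address is not by itself a sign of hooking."""
    by_addr: Dict[int, List[str]] = {}
    for e in entries:
        by_addr.setdefault(e['address'], []).append(e['name'])
    return {hex(a): names for a, names in by_addr.items() if len(names) > 1}


# Constructed sample: three lines copied from the post plus one invented hooked entry.
SAMPLE = """\
 61 NtDeleteBootEntry - 0x80613647 C:\\WINDOWS\\system32\\ntoskrnl.exe
 62 NtDeleteFile - 0x805C4B30 C:\\WINDOWS\\system32\\ntoskrnl.exe
 109 NtModifyBootEntry - 0x80613647 C:\\WINDOWS\\system32\\ntoskrnl.exe
 122 NtOpenProcess - 0xF8A3C120 C:\\WINDOWS\\system32\\drivers\\example.sys
"""

if __name__ == '__main__':
    entries = parse_ssdt(SAMPLE)
    for e in find_suspicious(entries):
        print(f"HOOK? #{e['index']} {e['name']} -> {hex(e['address'])} in {e['path']}")
    print('shared handlers:', shared_addresses(entries))
```

Run it against the full dump pasted from the post (feed the text to `parse_ssdt`) and the only output should be the informational shared-handler list; any line printed with "HOOK?" names the service and the module that now owns it, which is where to start looking for the driver behind the self-renaming hidden executable.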
