  1. #1

    Help --> Hijack log file

    Hello
    I have a small problem with my laptop.
    The usual story:
    - pop-up windows
    - fake links where there shouldn't be any (which lead to search pages)
    - the CPU (or rather, the page file) in use as if I had been working for hours with every program open.
    I have already run ad-aware, spybot and norton a thousand times. They found something, but it isn't enough, so there must be something more deeply hidden.
    I also ran Hijack. The automatic log check showed me that there is something suspicious or rather suspicious, but I don't know much about this.
    If I post it here, will someone give me a hand?
    Thanks in advance.

    Logfile of HijackThis v1.99.1
    Scan saved at 19.31.22, on 08/07/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\Programmi\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Programmi\EzButton\CPLDBL10.EXE
    C:\Programmi\TOSHIBA\Power Management\CePMTray.exe
    C:\Programmi\TOSHIBA\E-KEY\CeEKey.exe
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\Programmi\Apoint2K\Apoint.exe
    C:\WINDOWS\volumec.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\Apoint2K\Apntex.exe
    C:\Programmi\TOSHIBA\Power Management\CeEPwrSvc.exe
    C:\Programmi\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Programmi\Messenger\msmsgs.exe
    C:\Programmi\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Marianna\IMPOST~1\Temp\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ffarchive.altervista.org/Frame.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Marianna\IMPOST~1\Temp\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Class - {E973476D-30E5-E684-4E42-640EA11E4226} - C:\WINDOWS\watca1.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TPNF] C:\Programmi\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [Timer] C:\WINDOWS\msncomm.exe /i
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CPLDBL10] C:\Programmi\EzButton\CPLDBL10.EXE
    O4 - HKLM\..\Run: [CeEPOWER] C:\Programmi\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Programmi\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [wxjr1.exe] C:\WINDOWS\Temp\wxjr1.exe
    O4 - HKLM\..\Run: [VolControl] C:\WINDOWS\volumec.exe -i
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [ICQ] C:\Programmi\ICQ\Icq.exe -trayboot
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programmi\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programmi\ICQ\ICQ.exe
    O16 - DPF: {15320607-1001-1831-1000-118599957123} - ms-its:mhtml:file://C:\PATH.MHT!http://195.225.176.5//d//yizbgyb//rz...::/painter.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8F08774E-813B-4382-9EC6-A5159530E846}: NameServer = 62.211.69.150,212.48.4.15
    O18 - Filter: text/html - {441D079F-4EE7-48C8-A677-F68DE8B01A90} - C:\WINDOWS\System32\pdlnmg.dll
    O18 - Filter: text/plain - {441D079F-4EE7-48C8-A677-F68DE8B01A90} - C:\WINDOWS\System32\pdlnmg.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programmi\TOSHIBA\Power Management\CeEPwrSvc.exe
    O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: SysUmg - Unknown owner - C:\:kVI.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

  2. #2
    Simeon (HTML.it user; registered Sep 2005; 578 posts)
    Welcome to the forum.

    Before posting the HijackThis log, it would have been advisable to follow a few simple, practical tips:
    http://forum.html.it/forum/showthrea...hreadid=811189

    In particular, it is important that you place the HijackThis executable in a folder (in C:\ or C:\Programmi) dedicated exclusively to it. Do it now!

    That said:

    Download CCleaner
    Download Ewido Antimalware and update it
    Download MyUninstaller

    Disable System Restore:
    My Computer => Properties => System Restore => Turn off System Restore (you will turn it back on once the problem is solved).

    Enable the display of hidden files:
    Tools => Folder Options => View => Show hidden files and folders.

    Print these instructions, since you will not be able to use the connection:

    Enter safe mode (F8 key right at restart => Safe Mode).

    Check in Control Panel/Add or Remove Programs whether the LinkOptimizer application is present, and if so remove it (use MyUninstaller if you cannot do it from Control Panel; if it tries to connect to a link in Explorer, leave it and move on).

    Run a scan with Ewido.

    Start HijackThis and fix these entries:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Marianna\IMPOST~1\Temp\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Marianna\IMPOST~1\Temp\sp.dll/sp.html
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {E973476D-30E5-E684-4E42-640EA11E4226} - C:\WINDOWS\watca1.dll (file missing)
    O4 - HKLM\..\Run: [wxjr1.exe] C:\WINDOWS\Temp\wxjr1.exe
    O4 - HKLM\..\Run: [VolControl] C:\WINDOWS\volumec.exe -i
    O4 - HKLM\..\Run: [Timer] C:\WINDOWS\msncomm.exe /i
    O16 - DPF: {15320607-1001-1831-1000-118599957123} - ms-its:mhtml:file://C:\PATH.MHT!http://195.225.176.5//d//yizbgyb//rzofjic//mfdty pp//irkqpg//IT//arct.chm::/painter.exe
    O23 - Service: SysUmg - Unknown owner - C:\:kVI.exe

    Search for and delete (if present):
    - watca1.dll in C:\WINDOWS\
    - wxjr1.exe in C:\WINDOWS\Temp\
    - volumec.exe in C:\WINDOWS\
    - :kVI.exe in C:\
    - the LinkOptimizer folder in C:\Programmi\

    Clean up using CCleaner.

    Restart.

    Post a new HijackThis log.

    Did you find LinkOptimizer in Control Panel/Add or Remove Programs?

  3. #3
    amvinfe (Moderator of Computer security and viruses; registered May 2002; 6,739 posts)
    Emilianne,
    welcome from me as well.

    Before following the advice Simeon gave you, could you kindly send me the infected files (zipped) at the URL in my signature?
    That way, by analysing them and having them checked by the major antivirus and antispyware products, we can send them to the vendors that do not yet recognise the threat; by doing this we will help you and any other users who might have the same problem in the future.
    Thanks.
    ==
    Visit my blog SuspectFile.com
    ==

  4. #4
    Well, first of all thank you for the welcome (and I apologise right away for not having zipped the files. One, because I read the message late, and two, because even if I had read it I doubt I would have known how to do it. I apologise).

    That said.
    Yes, I found LinkOptimizer in Control Panel/Add or Remove Programs. But it cannot be removed either by hand or with MyUninstaller (with MyUninstaller too it tries to open a link in the browser); in fact the fake links are still there.
    I followed the procedure, and the programs deleted a lot of things (CCleaner in particular removed something like 300-odd MB of stuff. By the way, besides 'Run Cleaner' should I also have done 'Fix Issues'?).
    Note: the second Hijack log (made after Ewido) no longer showed this entry:
    O4 - HKLM\..\Run: [VolControl] C:\WINDOWS\volumec.exe -i



    This is the Hijack log made after Ewido, MyUninstaller, CCleaner and the restart.

    Logfile of HijackThis v1.99.1
    Scan saved at 11.55.55, on 09/07/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\Programmi\TOSHIBA\TouchPad\TPTray.exe
    C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Programmi\TOSHIBA\Power Management\CeEPwrSvc.exe
    C:\Programmi\EzButton\CPLDBL10.EXE
    C:\Programmi\TOSHIBA\Power Management\CePMTray.exe
    C:\Programmi\TOSHIBA\E-KEY\CeEKey.exe
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\Programmi\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\ewido anti-spyware 4.0\guard.exe
    C:\Programmi\Norton AntiVirus\navapsvc.exe
    C:\Programmi\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Programmi\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Programmi\Hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ffarchive.altervista.org/Frame.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TPNF] C:\Programmi\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CPLDBL10] C:\Programmi\EzButton\CPLDBL10.EXE
    O4 - HKLM\..\Run: [CeEPOWER] C:\Programmi\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Programmi\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint2K\Apoint.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programmi\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programmi\ICQ\ICQ.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8F08774E-813B-4382-9EC6-A5159530E846}: NameServer = 62.211.69.150,212.48.4.15
    O18 - Filter: text/html - {441D079F-4EE7-48C8-A677-F68DE8B01A90} - C:\WINDOWS\System32\pdlnmg.dll
    O18 - Filter: text/plain - {441D079F-4EE7-48C8-A677-F68DE8B01A90} - C:\WINDOWS\System32\pdlnmg.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programmi\TOSHIBA\Power Management\CeEPwrSvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


    Any suggestions for getting rid of that damned LinkOptimizer?

  5. #5
    Simeon (HTML.it user; registered Sep 2005; 578 posts)
    OK, let's try this:

    Download RootkitRevealer

    Make sure System Restore is disabled.
    Make sure you have enabled the display of hidden files.

    Print the instructions that follow:

    Boot into safe mode.

    Start HijackThis and fix these entries:
    O18 - Filter: text/html - {441D079F-4EE7-48C8-A677-F68DE8B01A90} - C:\WINDOWS\System32\pdlnmg.dll
    O18 - Filter: text/plain - {441D079F-4EE7-48C8-A677-F68DE8B01A90} - C:\WINDOWS\System32\pdlnmg.dll

    Search for and delete (if present):
    - pdlnmg.dll in C:\WINDOWS\System32\

    Clean up using CCleaner (Cleaner section only).

    Restart.

    Make sure you are disconnected, close all windows, disable the antivirus.
    Run a scan with RootkitRevealer.

    Open HijackThis, go to Open the Misc Tools section / Open ADS Spy. Untick "Quick scan" and start the scan (Scan). Save the log (Save log).

    Post:
    - a new HijackThis log;
    - the RootkitRevealer log;
    - the log of the HijackThis ADS scan.

    P.S. We'll deal with the LinkOptimizer entry in Control Panel later.

  6. #6
    Right, then.

    New Hijack log

    Logfile of HijackThis v1.99.1
    Scan saved at 13.24.33, on 09/07/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\Programmi\TOSHIBA\TouchPad\TPTray.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Programmi\EzButton\CPLDBL10.EXE
    C:\Programmi\TOSHIBA\Power Management\CePMTray.exe
    C:\Programmi\TOSHIBA\E-KEY\CeEKey.exe
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\Programmi\Apoint2K\Apoint.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\Apoint2K\Apntex.exe
    C:\Programmi\TOSHIBA\Power Management\CeEPwrSvc.exe
    C:\Programmi\ewido anti-spyware 4.0\guard.exe
    C:\Programmi\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Programmi\Messenger\msmsgs.exe
    C:\Programmi\Hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ffarchive.altervista.org/Frame.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TPNF] C:\Programmi\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CPLDBL10] C:\Programmi\EzButton\CPLDBL10.EXE
    O4 - HKLM\..\Run: [CeEPOWER] C:\Programmi\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Programmi\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint2K\Apoint.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programmi\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programmi\ICQ\ICQ.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8F08774E-813B-4382-9EC6-A5159530E846}: NameServer = 62.211.69.150,212.48.4.15
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Programmi\TOSHIBA\Power Management\CeEPwrSvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


    RootkitRevealer log

    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 09/07/2006 13.11 80 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 24/06/2006 11.42 64 bytes Windows API length not consistent with raw hive data.
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp .edb 09/07/2006 13.10 64.00 KB Visible in Windows API, MFT, but not in directory index.
    C:\WINDOWS\system32 09/07/2006 13.13 0 bytes Visible in Windows API, but not in MFT or directory index.
    C:\WINDOWS\system32:c_285tz.nls 09/07/2006 13.13 138.23 KB Hidden from Windows API.
    C:\WINDOWS\system32\wbem\Logs\WinMgmt.log 09/07/2006 13.13 54 bytes Hidden from Windows API.
    C:\WINDOWS\system32\wbem\Logs\wmiprov.log 09/07/2006 13.13 195 bytes Hidden from Windows API.
    C:\WINDOWS\watca1.dll 08/07/2006 19.18 63.16 KB Hidden from Windows API.
    C:\WINDOWS\watca1.upd 09/07/2006 12.56 61.04 KB Hidden from Windows API.
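
Added example (not part of the thread, and not HijackThis code): comparing successive HijackThis logs shows which fixed entries are really gone and which came back after the reboot. The three excerpts are shortened copies of lines from the logs posted above; the function names and the status labels are this example's own.

```python
import re

# An entry line is "<section code> - <text>", for example "O4 - HKLM...Run: [...]".
# Header lines and the "Running processes" paths do not match and are ignored.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.+?)\s*$")


def parse_entries(log_text):
    """Return the set of normalised entry lines found in one log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.add(f"{m.group(1)} - {' '.join(m.group(2).split())}")
    return entries


def classify(presence):
    """presence: one bool per scan, oldest first, True at least once."""
    if all(presence):
        return "persistent"
    tail = presence[presence.index(True):]   # history from first sighting on
    if tail[-1] and not all(tail):
        return "reappeared"                  # seen, gone, then back again
    if not tail[-1]:
        return "removed"                     # absent from the latest scan
    return "new"                             # appeared after the first scan


def track(logs):
    """Map every entry seen in any log to its status across the scans."""
    scans = [parse_entries(text) for text in logs]
    return {e: classify([e in s for s in scans]) for e in set().union(*scans)}


def unresolved(fix_list, logs):
    """Entries that were on a fix list but are present in the latest log."""
    return sorted(parse_entries("\n".join(fix_list)) & parse_entries(logs[-1]))


# Shortened excerpts of the three logs in this thread (not the full logs).
SCAN_1 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 19.31.22, on 08/07/2006
Running processes:
C:\WINDOWS\Explorer.EXE
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E973476D-30E5-E684-4E42-640EA11E4226} - C:\WINDOWS\watca1.dll (file missing)
O4 - HKLM\..\Run: [VolControl] C:\WINDOWS\volumec.exe -i
O18 - Filter: text/html - {441D079F-4EE7-48C8-A677-F68DE8B01A90} - C:\WINDOWS\System32\pdlnmg.dll
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

SCAN_2 = r"""
Scan saved at 11.55.55, on 09/07/2006
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O18 - Filter: text/html - {441D079F-4EE7-48C8-A677-F68DE8B01A90} - C:\WINDOWS\System32\pdlnmg.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

SCAN_3 = r"""
Scan saved at 13.24.33, on 09/07/2006
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# Some of the entries the helper asked to fix in posts #2 and #5.
FIX_LIST = [
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: Class - {E973476D-30E5-E684-4E42-640EA11E4226} - C:\WINDOWS\watca1.dll (file missing)",
    r"O4 - HKLM\..\Run: [VolControl] C:\WINDOWS\volumec.exe -i",
    r"O18 - Filter: text/html - {441D079F-4EE7-48C8-A677-F68DE8B01A90} - C:\WINDOWS\System32\pdlnmg.dll",
]

if __name__ == "__main__":
    logs = [SCAN_1, SCAN_2, SCAN_3]
    for entry, status in sorted(track(logs).items(), key=lambda kv: kv[1]):
        print(f"{status:<11} {entry}")
    print("fixed but still in the latest log:", unresolved(FIX_LIST, logs))
```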

  7. #7
    This is the Hijack ADS log (which didn't fit in the other post)

    C:\Marianna\Rebirth2003\Rey.html : Q30lsldxJoudresxAaaqpcawXc (9456 bytes)
    C:\Marianna\Rebirth2003\Ringraziamenti.html : Q30lsldxJoudresxAaaqpcawXc (13052 bytes)
    C:\Marianna\Rebirth2003\Romantico.html : Q30lsldxJoudresxAaaqpcawXc (12116 bytes)
    C:\Marianna\Rebirth2003\Ryo.html : Q30lsldxJoudresxAaaqpcawXc (6224 bytes)
    C:\Marianna\Rebirth2003\Sacrifice.html : Q30lsldxJoudresxAaaqpcawXc (8468 bytes)
    C:\Marianna\Rebirth2003\Sango.html : Q30lsldxJoudresxAaaqpcawXc (3812 bytes)
    C:\Marianna\Rebirth2003\Scelta.html : Q30lsldxJoudresxAaaqpcawXc (11104 bytes)
    C:\Marianna\Rebirth2003\Scelta02.html : Q30lsldxJoudresxAaaqpcawXc (12432 bytes)
    C:\Marianna\Rebirth2003\Sconosciuto00.html : Q30lsldxJoudresxAaaqpcawXc (9992 bytes)
    C:\Marianna\Rebirth2003\Sconosciuto01.html : Q30lsldxJoudresxAaaqpcawXc (14540 bytes)
    C:\Marianna\Rebirth2003\Sconosciuto02.html : Q30lsldxJoudresxAaaqpcawXc (14264 bytes)
    C:\Marianna\Rebirth2003\Sconosciuto03.html : Q30lsldxJoudresxAaaqpcawXc (13652 bytes)
    C:\Marianna\Rebirth2003\Sconosciuto_index.html : Q30lsldxJoudresxAaaqpcawXc (4676 bytes)
    C:\Marianna\Rebirth2003\Sentimentale.html : Q30lsldxJoudresxAaaqpcawXc (6284 bytes)
    C:\Marianna\Rebirth2003\SID01.html : Q30lsldxJoudresxAaaqpcawXc (14264 bytes)
    C:\Marianna\Rebirth2003\SID02.html : Q30lsldxJoudresxAaaqpcawXc (12416 bytes)
    C:\Marianna\Rebirth2003\SID03.html : Q30lsldxJoudresxAaaqpcawXc (13004 bytes)
    C:\Marianna\Rebirth2003\SID04.html : Q30lsldxJoudresxAaaqpcawXc (13368 bytes)
    C:\Marianna\Rebirth2003\SID05.html : Q30lsldxJoudresxAaaqpcawXc (11832 bytes)
    C:\Marianna\Rebirth2003\SID06.html : Q30lsldxJoudresxAaaqpcawXc (13972 bytes)
    C:\Marianna\Rebirth2003\SID07.html : Q30lsldxJoudresxAaaqpcawXc (11892 bytes)
    C:\Marianna\Rebirth2003\SID07b.html : Q30lsldxJoudresxAaaqpcawXc (12768 bytes)
    C:\Marianna\Rebirth2003\SID12.html : Q30lsldxJoudresxAaaqpcawXc (13124 bytes)
    C:\Marianna\Rebirth2003\SID13.html : Q30lsldxJoudresxAaaqpcawXc (13316 bytes)
    C:\Marianna\Rebirth2003\SID_index.html : Q30lsldxJoudresxAaaqpcawXc (13092 bytes)
    C:\Marianna\Rebirth2003\Spiegazione_sinossiA.jpg : Q30lsldxJoudresxAaaqpcawXc (5760 bytes)
    C:\Marianna\Rebirth2003\Spiegazione_sinossiB.jpg : Q30lsldxJoudresxAaaqpcawXc (6656 bytes)
    C:\Marianna\Rebirth2003\Zendaru.jpg : Q30lsldxJoudresxAaaqpcawXc (4708 bytes)

  8. #8
    amvinfe, moderator of Sicurezza informatica e virus
    Registered
    May 2002
    Posts
    6,739
    Same problem, later solved by the excellent holifay
    http://forum.html.it/forum/showthrea...=&pagenumber=1

    The infected files that show up in the log are
    C:\WINDOWS\watca1.dll
    C:\WINDOWS\watca1.upd
    ==
    Visit my blog SuspectFile.com
    ==

  9. #9
    Simeon, HTML.it user
    Registered
    Sep 2005
    Posts
    578
    If it is what I think it is, your PC has been infected by a variant of LinkOptimizer that uses rootkit techniques to avoid detection.

    The offending files are "watca1.dll" and "watca1.upd", referenced by the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    A case like yours was solved a few days ago by the very capable holifay (from whom I will take my cue).

    Let's destroy it:

    From Control Panel/Add or Remove Programs, uninstall every Java reference you find (I hope you don't mind; you will reinstall everything once the job is done).

    Clean up with CCleaner.

    Download Gmer, go to the autostart tab, run a scan and post the log (to do so click Copy, and paste it all here on the forum when you reply).
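
Added example, not part of the thread: a small Python check that pulls the AppInit_DLLs entries named in post #9 out of a HijackThis log (section O20) and lists the ones to investigate. The sample log lines are constructed (only the watca1.dll path comes from the thread), and the function names and the allowlist parameter are assumptions of this example.

```python
import re
from ntpath import basename  # Windows path rules, works on any OS

# Constructed sample in HijackThis log format; only the watca1.dll
# path is taken from the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: C:\WINDOWS\watca1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# O20 also covers "Winlogon Notify", so match the AppInit_DLLs label only.
O20_APPINIT = re.compile(r"^\s*O20 - AppInit_DLLs:\s*(.*)$", re.IGNORECASE)


def appinit_entries(log_text):
    """Return every DLL named on O20 AppInit_DLLs lines of a HijackThis log."""
    found = []
    for line in log_text.splitlines():
        m = O20_APPINIT.match(line)
        if m:
            # The registry value is a space- or comma-separated DLL list.
            found += [p for p in re.split(r"[,\s]+", m.group(1).strip()) if p]
    return found


def review(log_text, allowlist=()):
    """Split entries into (expected, to_investigate) by lower-cased file name.

    allowlist is a hypothetical list of DLL names the administrator
    knows to be legitimately registered on this machine.
    """
    allowed = {name.lower() for name in allowlist}
    expected, suspect = [], []
    for path in appinit_entries(log_text):
        (expected if basename(path).lower() in allowed else suspect).append(path)
    return expected, suspect


if __name__ == "__main__":
    ok, bad = review(SAMPLE_LOG)
    for dll in bad:
        print("investigate AppInit_DLLs entry:", dll)
```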

  10. #10
    Simeon, HTML.it user
    Registered
    Sep 2005
    Posts
    578
    Beaten to it by amvinfe

    Even though it had arrived twenty minutes earlier, I hadn't noticed the reply
