tasto destro del mouse e tasto canc ribelli

[side]

Che dire... mi sono fatto infinocchiare da una finta patch come un vero principiante...
vabè...
la cosa che lamento di più, tra le altre, è che il malware o il virus o il non so che fa partire il programma di disinstallazione dell'antivirus al solo click del tasto destro del mouse o della pressione del tasto canc.
il normale menù contestuale o la richiesta di conferma di cancellazione appaiono regolarmente dopo che però viene eseguito quel comando.
allego anche il solito tracciato hyjackthis.. chi mi sa dire di che malware si tratta?
sono preoccupato... è un server..
mau

[side]

dimenticavo il tracciato...
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\DShutdown.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://illink
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DShutdown] "C:\DShutdown.exe" /ATTIME /h18 /m30 /SAVEONEXIT /IP:LocalHost /Shutdown /Force /ForceAfterWait
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://webmail2.aemcom.net
O15 - ESC Trusted Zone: http://www.google.it
O15 - ESC Trusted Zone: http://h10025.www1.hp.com
O15 - ESC Trusted Zone: http://welcome.hp.com
O15 - ESC Trusted Zone: http://www.hp.com
O15 - ESC Trusted Zone: http://www.internetpointsoftware.it
O15 - ESC Trusted Zone: http://releases.mozilla.org
O15 - ESC Trusted Zone: http://openoffice-chi.osuosl.org
O15 - ESC Trusted Zone: http://www.pcprofessionale.it
O15 - ESC Trusted Zone: http://ftp.rhnet.is
O15 - ESC Trusted Zone: http://ftp.softvision.it
O15 - ESC Trusted Zone: http://ftp.spnet.net
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://www.officeprinting.xerox.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://192.168.177.30
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{0056C49D-915B-43E4-9081-CDED289DBA7C}: NameServer = 81.88.224.129,81.88.224.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D103ED0-B18A-46C9-BEE1-1E4A2E2C0183}: NameServer = 81.88.224.129,81.88.224.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA4D097C-446A-44FB-898B-24D7DC622DA4}: NameServer = 81.88.224.129,81.88.224.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{0056C49D-915B-43E4-9081-CDED289DBA7C}: NameServer = 81.88.224.129,81.88.224.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{0056C49D-915B-43E4-9081-CDED289DBA7C}: NameServer = 81.88.224.129,81.88.224.130
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programmi\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Programmi\Symantec AntiVirus\Rtvscan.exe (file missing)

[ste_95]

questo lo conosci?

C:\DShutdown.exe

Fixa questi:

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


Questi sono sospetti, e aspetta qualcun altro prima di fixarli:

O15 - ESC Trusted IP range: http://192.168.177.30
O17 - HKLM\System\CCS\Services\Tcpip\..\{0056C49D-915B-43E4-9081-CDED289DBA7C}: NameServer = 81.88.224.129,81.88.224.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D103ED0-B18A-46C9-BEE1-1E4A2E2C0183}: NameServer = 81.88.224.129,81.88.224.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA4D097C-446A-44FB-898B-24D7DC622DA4}: NameServer = 81.88.224.129,81.88.224.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{0056C49D-915B-43E4-9081-CDED289DBA7C}: NameServer = 81.88.224.129,81.88.224.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{0056C49D-915B-43E4-9081-CDED289DBA7C}: NameServer = 81.88.224.129,81.88.224.130