
Thread: Virtumondo virus

  1. #1

    Virtumondo virus

    Hi everyone, I'm new. I've tried every way to remove this Virtumondo (Ad-Aware, Spybot, etc.), including specific tools. As a last chance I also tried SUPERAntiSpyware, which found other threats besides Virtumundo, but I think they are connected. Anyway, even if I remove the harmful files, they come back right away, or after a reboot... Also, since I got infected the names of the icons on my desktop have black boxes around them, and every so often Internet Explorer opens trying to connect to unknown sites. Could anyone help me? Thanks in advance! If needed I can post a HijackThis log. Bye everyone

  2. #2

  3. #3
    Hi OYS, yes, I tried both; now I'm doing another full scan with SUPERAntiSpyware. The thing is that afterwards these files reappear...

  4. #4
    I finished the full scan with SUPERAntiSpyware and it found these problems:

    ADWARE.TRACKING COOKIE
    TROJAN DOWNLOADER-CONHOOK
    TROJAN DOWNLOADER - GEN/SST
    TROJAN.DUNCAN

    I quarantined them, rebooted and made a HijackThis log, here it is:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19.49.55, on 18/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe
    C:\Programmi\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    C:\WINDOWS\system32\V0230Mon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Programmi\Messenger\msmsgs.exe
    C:\Programmi\Router\Router.exe
    C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programmi\MSN Messenger\msnmsgr.exe
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: {0fd2a91e-4ade-82ea-1274-1b3f16c79342} - {24397c61-f3b1-4721-ae28-eda4e19a2df0} - C:\WINDOWS\system32\tmp1B.tmp.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programmi\FlashGet\jccatch.dll
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Programmi\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {eb46f37a-6e41-464c-9aca-0aef6ae340af} - C:\WINDOWS\system32\apcdfr.dll (file missing)
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programmi\FlashGet\getflash.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVFX Engine] C:\Programmi\Creative\Creative Live! Cam\VideoFX\StartFX.exe
    O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\system32\V0230Mon.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [StartCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [2ccccb76] rundll32.exe "C:\WINDOWS\iihijh.dll",b
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Programmi\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Programmi\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [Router] C:\Programmi\Router\Router.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Programmi\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: &Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
    O8 - Extra context menu item: &Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay125.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{168C0037-ED7E-4493-B57D-539417AC7CC6}: NameServer = 85.37.17.57 85.38.28.80
    O17 - HKLM\System\CS2\Services\Tcpip\..\{168C0037-ED7E-4493-B57D-539417AC7CC6}: NameServer = 85.37.17.57 85.38.28.80
    O17 - HKLM\System\CS3\Services\Tcpip\..\{168C0037-ED7E-4493-B57D-539417AC7CC6}: NameServer = 85.37.17.57 85.38.28.80
    O20 - AppInit_DLLs: c:\windows\system32\awvtstr.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Compy\Dati applicazioni\tmpDF.tmp.exe (file missing)
    O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 8428 bytes

  5. #5
    OYS, HTML.it user (registered Apr 2006, 3,142 posts)
    1) Fix these:

    O2 - BHO: {0fd2a91e-4ade-82ea-1274-1b3f16c79342} - {24397c61-f3b1-4721-ae28-eda4e19a2df0} - C:\WINDOWS\system32\tmp1B.tmp.dll

    O4 - HKLM\..\Run: [2ccccb76] rundll32.exe "C:\WINDOWS\iihijh.dll",b

    O20 - AppInit_DLLs: c:\windows\system32\awvtstr.dll

    O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Compy\Dati applicazioni\tmpDF.tmp.exe (file missing)

    2) Start --> Run --> now copy and paste the following commands one at a time:

    sc stop DomainService  (Enter)
    sc delete DomainService  (Enter)

    3) Download http://swandog46.geekstogo.com/avenger.zip

    Click on "Input script manually" and then on the magnifying glass.
    In the white box paste this:



    registry keys to delete:
    HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\rdfa
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService
    HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\aldd

    files to delete:
    C:\WINDOWS\system32\nxtsjvpd.exe
    C:\WINDOWS\iihijh.dll
    C:\WINDOWS\system32\tmp1B.tmp.dll

    Click on Done,
    then on the traffic light with the green light,
    then Yes twice; the PC will reboot, and when it comes back post the Avenger log (C:\avenger.txt).

    4) Download SmitFraudFix. Run it, type 2, when it asks you a question press y and then post the log.

    P.S. It's possible that after removing "DomainService" the internet connection will no longer work, because it actually changes the IP, subnet mask and DNS. Just set them back and you'll be fine.
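As an added example (not from this thread or from any of the tools named in it), a small Python triage script that applies the reasoning behind OYS's step 1 to HijackThis log lines: the four entries he asks to fix share traits a defender can check for mechanically (a BHO loaded from a tmp*.tmp.dll, a Run value with a random hex name loading a DLL through rundll32, a populated AppInit_DLLs, an unknown-owner service whose binary is missing), and for the service hit it emits the same `sc stop` / `sc delete` sequence as step 2. The sample log is a constructed subset of the log in post #4; the heuristics are my assumptions, not anything HijackThis itself applies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis log from post #4, with the four
# entries OYS asked to fix mixed in with legitimate lines from the same log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {0fd2a91e-4ade-82ea-1274-1b3f16c79342} - {24397c61-f3b1-4721-ae28-eda4e19a2df0} - C:\WINDOWS\system32\tmp1B.tmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [2ccccb76] rundll32.exe "C:\WINDOWS\iihijh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: c:\windows\system32\awvtstr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Compy\Dati applicazioni\tmpDF.tmp.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
"""

# HijackThis entry: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
# Assumed heuristics (mine, not HijackThis's): Vundo-style tmpXX.tmp.dll/exe names,
# eight-hex-digit Run value names, and the "display (short) - owner - path" O23 layout.
TMP_BINARY = re.compile(r"\\tmp[0-9A-F]{1,4}\.tmp\.(?:dll|exe)\b", re.I)
RUN_VALUE = re.compile(r"Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)
SERVICE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str
    service: Optional[str] = None  # short service name, set for O23 hits only


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when a single HijackThis line matches one of the rules."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    sec, body = m["sec"], m["body"]
    if sec == "O2" and TMP_BINARY.search(body):
        return Finding(sec, "BHO loaded from a tmp*.tmp.dll (staging name seen with Vundo)", body)
    if sec == "O4":
        r = RUN_VALUE.search(body)
        if r and HEX_NAME.match(r["name"]) and "rundll32" in r["cmd"].lower():
            return Finding(sec, "Run value with random hex name loading a DLL via rundll32", body)
    if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return Finding(sec, "AppInit_DLLs is set; normally empty, and every listed DLL is "
                            "loaded into each process that loads user32.dll", body)
    if sec == "O23":
        s = SERVICE.match(body)
        if s and s["owner"] == "Unknown owner" and "(file missing)" in s["path"]:
            return Finding(sec, "Service with unknown owner whose binary is missing",
                           body, s["short"] or s["display"])
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def service_removal_commands(f: Finding) -> List[str]:
    """The sc sequence from step 2 of OYS's reply, for an O23 finding; empty otherwise."""
    if f.service is None:
        return []
    return [f"sc stop {f.service}", f"sc delete {f.service}"]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
        for cmd in service_removal_commands(f):
            print(f"    -> {cmd}")
```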

  6. #6
    Here is the Avenger log:

    *******************

    Beginning to process script file:



    Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService not found!
    Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService failed!

    Could not process line:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DomainService
    Status: 0xc0000034



    File C:\WINDOWS\system32\nxtsjvpd.exe not found!
    Deletion of file C:\WINDOWS\system32\nxtsjvpd.exe failed!

    Could not process line:
    C:\WINDOWS\system32\nxtsjvpd.exe
    Status: 0xc0000034

    File C:\WINDOWS\iihijh.dll deleted successfully.


    File C:\WINDOWS\system32\tmp1B.tmp.dll not found!
    Deletion of file C:\WINDOWS\system32\tmp1B.tmp.dll failed!

    Could not process line:
    C:\WINDOWS\system32\tmp1B.tmp.dll
    Status: 0xc0000034



    Registry key HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\rdfa not found!
    Deletion of registry key HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\rdfa failed!
    Status: 0xc0000034

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainService deleted successfully.


    Registry key HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\aldd not found!
    Deletion of registry key HKEY_USERS\S-1-5-21-3480819180-1377351881-310767820-1134\Software\Microsoft\aldd failed!
    Status: 0xc0000034


    Completed script processing.

    *******************

    Finished! Terminate.


    And here is the SmitFraudFix one:

    SmitFraudFix v2.271

    Scan done at 21.12.28,17, 18/12/2007
    Run from C:\Documents and Settings\Compy\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Versione 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: WAN (PPP/SLIP) Interface
    DNS Server Search Order: 85.37.17.57
    DNS Server Search Order: 85.38.28.80

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{168C0037-ED7E-4493-B57D-539417AC7CC6}: NameServer=85.37.17.57 85.38.28.80
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{168C0037-ED7E-4493-B57D-539417AC7CC6}: NameServer=85.37.17.57 85.38.28.80
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{168C0037-ED7E-4493-B57D-539417AC7CC6}: NameServer=85.37.17.57 85.38.28.80


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Now what should I do?
    PS: anyway, thanks a lot

  7. #7
    The desktop is now back to normal.
    I ran a scan with SUPERAntiSpyware and this time it found the following:

    ADWARE.TRACKING COOKIE
    TROJAN DOWNLOADER-CONHOOK
    TROJAN DOWNLOADER - GEN/SST
    TROJAN.DUNCAN

    as before, plus:
    TROJAN.DOWNLOADER-CONHOOK/REL

    Now what do you advise me to do? Anyway, many thanks for your help!

  8. #8
    OYS, HTML.it user (registered Apr 2006, 3,142 posts)
    You don't need to worry about the tracking cookies; you'll probably always find some. Can't it remove or quarantine the others? Which files are they tied to? Don't you have a log file? Have you scanned with any other antispyware?

  9. #9
    Hi OYS. So the situation is as follows: I ran a scan with Spybot with Windows in safe mode and it reported 3 problems:
    WIN32.CONHOOK.AH
    DRIVER CLEANER 2006
    VIRTUMONDE

    which were registry keys that I deleted at the end of the scan.
    Then I rebooted in normal mode and AntiVir Guard reported the following, with pauses of several minutes between each:
    TR/DLDR.AGENT.FJN.1 which was in C:\windows\b151.exe
    TR/BHO.AGH C:\windows\system32\iedfix.exe
    TR/DISTAMIT C:\windows\system32\mlljg.exe
    TR/VUNDO.GEN C:\windows\system32\tmpf5.tmp.dll
    I clicked delete each time and checked that they were actually removed, and they were, but the problem is that every so often AntiVir Guard finds another one, which I promptly remove. It seems they regenerate themselves; maybe the source needs to be found?

    Now I'm doing a full scan with AntiVir; at the end I'll let you know if it finds anything.

    Meanwhile, if it helps, I'll post a HijackThis log so you can at least check the situation.
    Thanks again

    Here is the log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15.41.15, on 19/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Programmi\MSN Messenger\msnmsgr.exe
    C:\Programmi\MSN Messenger\usnsvc.exe
    C:\Programmi\Avira\AntiVir PersonalEdition Classic\avscan.exe
    C:\Programmi\Mozilla Firefox\firefox.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programmi\FlashGet\jccatch.dll
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Programmi\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programmi\FlashGet\getflash.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [avgnt] "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Programmi\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: &Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
    O8 - Extra context menu item: &Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay125.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/.../GAME_UNO1.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in 1.4.2_03) -
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{168C0037-ED7E-4493-B57D-539417AC7CC6}: NameServer = 85.37.17.57 85.38.28.80
    O17 - HKLM\System\CS2\Services\Tcpip\..\{168C0037-ED7E-4493-B57D-539417AC7CC6}: NameServer = 85.37.17.57 85.38.28.80
    O17 - HKLM\System\CS3\Services\Tcpip\..\{168C0037-ED7E-4493-B57D-539417AC7CC6}: NameServer = 85.37.17.57 85.38.28.80
    O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: 1_srop - 1_srop.dll (file missing)
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

    --
    End of file - 6665 bytes

  10. #10
    Finished the full scan with AntiVir, here is the result log:

    Starting the file scan:

    Begin scan in 'C:\'
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    C:\Programmi\Easy CD-DA Extractor 7\ezcdda_7091_18.7.2004.exe
    [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
    [INFO] The file was deleted!
    C:\Programmi\Router\Router.exe
    [DETECTION] Is the Trojan horse TR/Dldr.Textrec
    [INFO] The file was deleted!
    C:\Programmi\Trend Micro\HijackThis\backups\backup-20071218-151105-616.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [INFO] The file was deleted!
    C:\Programmi\Trend Micro\HijackThis\backups\backup-20071218-210136-908.dll
    [DETECTION] Is the Trojan horse TR/Vundo.Gen
    [INFO] The file was deleted!
    C:\WINDOWS\system32\drivers\sptd.sys
    [WARNING] The file could not be opened!


    End of the scan: mercoledì 19 dicembre 2007 16:13
    Used time: 1:28:16 min

    The scan has been done completely.

    6430 Scanning directories
    325886 Files were scanned
    4 viruses and/or unwanted programs were found
    0 Files were classified as suspicious:
    4 files were deleted
    0 files were repaired
    0 files were moved to quarantine
    0 files were renamed
    2 Files cannot be scanned
    325882 Files not concerned
    2698 Archives were scanned
    2 Warnings
    0 Notes


    Now I'll try rebooting and see if AntiVir Guard still finds anything, but I think it will.
