  1. #1

    Virus... :\

    Hi guys.. this is my first post on the forum.

    So, I have a little problem.. and even though I followed Habanero's guide, I haven't managed to get anywhere..

    I don't know how, but I caught a virus that keeps scanning my PC with a fake antivirus, opens Explorer porn pages, and in the bar at the bottom right next to the clock endless icons keep appearing (the PC updates shield).
    I don't know how, but my brother found these 2 processes as possible "threats":
    - wscnty.exe
    - vgxoitssd.exe
    I use AVG Free as antivirus and Spybot Search and Destroy as protection against malware and the like. CCleaner for temporary files and so on..

    At the moment I can't use the internet, but I can install programs.

    Via Start/Run/msconfig/Startup I disabled the vgxoitssd entry, and now the virus seems to have "calmed down", that is, the icons at the bottom right no longer open..

    I hope you can help me....


    I also made a HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13.44.58, on 09/05/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    C:\Programmi\Messenger\msmsgs.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Programmi\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programmi\AVG\AVG8\avgssie.dll
    O2 - BHO: SmartAds browser enhancer ltmrqzks - {3FB4E673-5ED5-426F-A7F0-D6400E9C1E1C} - C:\WINDOWS\system32\ltmrqzks.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ezLife browser enhancer lxeadcxu - {5C3D031A-0FB6-4B4D-A6B8-E1F51FE7FF88} - C:\WINDOWS\system32\lxeadcxu.dll
    O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: hotrevenue browser enhancer - {C450BFAC-7C9C-13CB-F99B-8F44E37C88D0} - C:\WINDOWS\system32\sfkfnhfdiwmbyl.dll (file missing)
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\Msdxm6.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ezLife] rundll32 "lxeadcxu.dll",,Run
    O4 - HKLM\..\Run: [ufpcqsbuqcxitefm] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\sfkfnhfdiwmbyl.dll"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [gotnewupdate000.exe] C:\Documents and Settings\Link\Dati applicazioni\FA29999098E9BE16C87CC9108611D710\gotnewupdate000.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/Messen.../GAME_UNO1.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - Unknown owner - C:\Programmi\McAfee Security Scan\2.0.181\McCHSvc.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O24 - Desktop Component 0: (no name) - http://www.paginainizio.com/bkpage.jpg

    --
    End of file - 6200 bytes

  2. #2
    menatwork (HTML.it user, registered May 2009, 4,330 posts)
    hi

    before fixing the entries, run this scan

    download malwarebytes

    Update it: click the "updates" tab => "check for updates"
    Run a "full scan" (select the option)
    When the scan is finished, post the report.

    for now don't remove anything

  3. #3
    Originally posted by menatwork
    hi

    before fixing the entries, run this scan

    download malwarebytes

    Update it: click the "updates" tab => "check for updates"
    Run a "full scan" (select the option)
    When the scan is finished, post the report.

    for now don't remove anything
    Hi, thanks for the reply..
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Versione database: 4084

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    09/05/2010 22.58.51
    mbam-log-2010-05-09 (22-58-51).txt

    Tipo di scansione: Scansione completa (C:\|D:\|)
    Elementi esaminati: 176204
    Tempo trascorso: 50 minuti, 14 secondi

    Processi infetti in memoria: 0
    Moduli di memoria infetti: 0
    Chiavi di registro infette: 30
    Valori di registro infetti: 2
    Voci infette nei dati di registro: 0
    Cartelle infette: 4
    File infetti: 14

    Processi infetti in memoria:
    (Non sono stati rilevati elementi nocivi)

    Moduli di memoria infetti:
    (Non sono stati rilevati elementi nocivi)

    Chiavi di registro infette:
    HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{5c3d031a-0fb6-4b4d-a6b8-e1f51fe7ff88} (Adware.EZlife) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5c3d031a-0fb6-4b4d-a6b8-e1f51fe7ff88} (Adware.EZlife) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5c3d031a-0fb6-4b4d-a6b8-e1f51fe7ff88} (Adware.EZlife) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> No action taken.
    HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> No action taken.
    HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> No action taken.
    HKEY_CLASSES_ROOT\AppID\{a9722a0d-365f-47d2-b70b-37d046316d99} (Adware.EZlife) -> No action taken.
    HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> No action taken.
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\ezLife (Adware.EZlife) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\ezLife (Adware.EzLife) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> No action taken.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\SSHNAS (Trojan.Renos) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> No action taken.
    HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> No action taken.
    HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> No action taken.
    HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> No action taken.
    HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> No action taken.
    HKEY_CLASSES_ROOT\adhlpr.adhlpr (Adware.Adrotator) -> No action taken.
    HKEY_CLASSES_ROOT\adhlpr.adhlpr.1.0 (Adware.Adrotator) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3fb4e673-5ed5-426f-a7f0-d6400e9c1e1c} (Trojan.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{3fb4e673-5ed5-426f-a7f0-d6400e9c1e1c} (Trojan.BHO) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c450bfac-7c9c-13cb-f99b-8f44e37c88d0} (Adware.AdRotator) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{c450bfac-7c9c-13cb-f99b-8f44e37c88d0} (Adware.AdRotator) -> No action taken.

    Valori di registro infetti:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ezlife (Adware.EZlife) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ufpcqsbuqcxitefm (Trojan.Agent) -> No action taken.

    Voci infette nei dati di registro:
    (Non sono stati rilevati elementi nocivi)

    Cartelle infette:
    C:\Documents and Settings\Link\Dati applicazioni\Smart-Ads-Solutions (Adware.SmartAds) -> No action taken.
    C:\Documents and Settings\Link\Dati applicazioni\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> No action taken.
    C:\Documents and Settings\Link\Dati applicazioni\ezLife (Adware.EzLife) -> No action taken.
    C:\Documents and Settings\Link\Dati applicazioni\ezLife\ezLife (Adware.EzLife) -> No action taken.

    File infetti:
    C:\WINDOWS\system32\lxeadcxu.dll (Adware.EZlife) -> No action taken.
    C:\Documents and Settings\Link\Impostazioni locali\Temp\nocraesmwx.tmp (Trojan.Downloader) -> No action taken.
    C:\Documents and Settings\Link\Impostazioni locali\Temp\Shv.exe (Trojan.Fraudpack) -> No action taken.
    C:\Documents and Settings\Link\Impostazioni locali\Temp\uaufqma.exe (Rogue.AntispywareSoft) -> No action taken.
    C:\Programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\adproFfx.dll (Adware.SmartAds) -> No action taken.
    C:\System Volume Information\_restore{E9AC7C64-3AA6-45ED-A1C7-CC20EF9F0E2B}\RP262\A0037985.dll (Rogue.AntimalwareDoctor) -> No action taken.
    C:\System Volume Information\_restore{E9AC7C64-3AA6-45ED-A1C7-CC20EF9F0E2B}\RP264\A0038048.dll (Rogue.AntimalwareDoctor) -> No action taken.
    C:\System Volume Information\_restore{E9AC7C64-3AA6-45ED-A1C7-CC20EF9F0E2B}\RP265\A0038096.dll (Rogue.AntimalwareDoctor) -> No action taken.
    C:\System Volume Information\_restore{E9AC7C64-3AA6-45ED-A1C7-CC20EF9F0E2B}\RP267\A0039207.exe (Malware.Packer.Gen) -> No action taken.
    C:\System Volume Information\_restore{E9AC7C64-3AA6-45ED-A1C7-CC20EF9F0E2B}\RP268\A0039283.exe (Rogue.AntispywareSoft) -> No action taken.
    C:\System Volume Information\_restore{E9AC7C64-3AA6-45ED-A1C7-CC20EF9F0E2B}\RP268\A0039284.dll (Adware.SmartAds) -> No action taken.
    C:\WINDOWS\system32\net.net (Trojan.Downloader) -> No action taken.
    C:\Documents and Settings\Link\Dati applicazioni\ezLife\ezLife\log.xml (Adware.EzLife) -> No action taken.
    C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> No action taken.
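
The Malwarebytes report above, as an added example that is not part of the thread: a Python summariser (my code, not Malwarebytes') that reads entries in MBAM's `<item> (<family>) -> <action>` layout, groups them by family (normalising the `Adware.EZlife` / `Adware.EzLife` spelling difference visible in the log) and by what each entry means for the clean-up. The distinction worth seeing is between live persistence (the `Run` value, the `SSHNAS` service, the `.job` scheduled task), modules and droppers on disk, and the copies under `System Volume Information\_restore{...}`: those are System Restore snapshot copies, so they are not running, but applying an old restore point would bring them back, which is why responders ask for System Restore to be flushed once the machine is clean. The sample report is a constructed subset of the entries above with the forum's line-break spaces removed; the bucket names are mine.

```python
import re
from collections import Counter

# Constructed sample: a subset of the Malwarebytes report posted above,
# keeping MBAM's own section headers and entry layout.
SAMPLE_MBAM = r"""
Chiavi di registro infette:
HKEY_CLASSES_ROOT\CLSID\{5c3d031a-0fb6-4b4d-a6b8-e1f51fe7ff88} (Adware.EZlife) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> No action taken.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> No action taken.

Valori di registro infetti:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ezlife (Adware.EZlife) -> No action taken.

Cartelle infette:
C:\Documents and Settings\Link\Dati applicazioni\ezLife (Adware.EzLife) -> No action taken.

File infetti:
C:\WINDOWS\system32\lxeadcxu.dll (Adware.EZlife) -> No action taken.
C:\Documents and Settings\Link\Impostazioni locali\Temp\Shv.exe (Trojan.Fraudpack) -> No action taken.
C:\Programmi\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\adproFfx.dll (Adware.SmartAds) -> No action taken.
C:\System Volume Information\_restore{E9AC7C64-3AA6-45ED-A1C7-CC20EF9F0E2B}\RP262\A0037985.dll (Rogue.AntimalwareDoctor) -> No action taken.
C:\System Volume Information\_restore{E9AC7C64-3AA6-45ED-A1C7-CC20EF9F0E2B}\RP268\A0039283.exe (Rogue.AntispywareSoft) -> No action taken.
C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> No action taken.
"""

# One detection line: "<item> (<Family.Name>) -> <action>."  Section headers
# and the "(Non sono stati rilevati elementi nocivi)" placeholder do not match.
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.\-]+)\) -> (?P<action>.+?)\.?$")


def classify(item):
    """Bucket a detected item by what removing it means for the clean-up (bucket names are mine)."""
    low = item.lower()
    if low.startswith("hkey_"):
        if "\\run\\" in low:
            return "persistence: Run key"
        if "\\services\\" in low:
            return "persistence: service"
        return "registry residue"
    if "\\system volume information\\_restore" in low:
        return "restore point copy"        # dormant, but revived by a System Restore
    if "\\tasks\\" in low and low.endswith(".job"):
        return "persistence: scheduled task"
    if "\\temp\\" in low:
        return "dropped in Temp"
    if "\\extensions\\" in low:
        return "browser extension"
    if "\\documents and settings\\" in low:
        return "user profile data"
    return "module on disk"


def summarize(report_text):
    """Count detections by (case-normalised) family and by clean-up bucket; also count items still pending."""
    by_family = Counter()
    by_class = Counter()
    pending = 0
    for raw in report_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        by_family[m["family"].lower()] += 1   # MBAM mixes Adware.EZlife / Adware.EzLife
        by_class[classify(m["item"])] += 1
        if m["action"].lower().startswith("no action taken"):
            pending += 1
    return {"by_family": by_family, "by_class": by_class, "pending": pending}


if __name__ == "__main__":
    s = summarize(SAMPLE_MBAM)
    print(f"{s['pending']} detections not yet removed")
    for bucket, n in s["by_class"].most_common():
        print(f"{n:3d}  {bucket}")
    for family, n in s["by_family"].most_common():
        print(f"{n:3d}  {family}")
```

Running it on the sample gives 11 pending detections, four of them belonging to the same `adware.ezlife` family spread across a CLSID, a `Run` value, a profile folder and a DLL in `system32`, and two entries that are only restore-point copies. The `pending` count reflects the instruction given in this thread to scan without removing anything first; on a report taken after removal the actions read differently and that counter drops.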

  4. #4
    menatwork
    delete everything and remove what's left on the pc with combofix

    download it from here and save it to the desktop (don't install the recovery console)
    - run ComboFix.exe
    - type 1
    - follow the instructions
    - when the scan is finished, go to C:\ and copy/paste, in your next reply, the contents of the text file Combofix.txt

  5. #5
    Thanks for the support!.... here's the result..
    PS I still can't use the internet

    ComboFix 10-05-10.01 - Link 10/05/2010 21.11.38.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.1919.1487 [GMT 2:00]
    Eseguito da: c:\documents and settings\Link\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
    .

    ((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Link\Dati applicazioni\Desktopicon
    c:\documents and settings\Link\Dati applicazioni\Desktopicon\eBay.ico
    c:\documents and settings\Link\Dati applicazioni\Desktopicon\uninst.exe
    c:\programmi\Cheat Engine\dbk32.sys
    c:\windows\system32\vbzlib1.dll
    c:\windows\Szuhia.exe

    La copia infetta di c:\windows\system32\drivers\i8042prt.sys è stata trovata e disinfettata
    ipristinata copia da - Kitty had a snack
    .
    ((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SSHNAS


    ((((((((((((((((((((((((( Files Creati Da 2010-04-10 al 2010-05-10 )))))))))))))))))))))))))))))))))))
    .

    2010-05-09 19:56 . 2010-05-09 19:56 -------- d-----w- c:\documents and settings\Link\Dati applicazioni\Malwarebytes
    2010-05-09 19:56 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-09 19:56 . 2010-05-09 19:56 -------- d-----w- c:\programmi\Malwarebytes' Anti-Malware
    2010-05-09 19:56 . 2010-05-09 19:56 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
    2010-05-09 19:56 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-09 11:44 . 2010-05-09 11:44 -------- d-----w- c:\programmi\Trend Micro
    2010-05-08 00:47 . 2010-05-08 00:47 -------- d-s---w- c:\documents and settings\NetworkService\UserData
    2010-05-08 00:31 . 2010-05-09 11:53 -------- d-----w- c:\documents and settings\Link\Impostazioni locali\Dati applicazioni\udmrdxeup
    2010-05-08 00:31 . 2010-05-08 00:31 50990 ----a-w- c:\windows\system32\xgyxhjlmmdtm.exe
    2010-05-06 23:18 . 2010-05-06 23:18 1924976 ----a-w- c:\documents and settings\All Users\Dati applicazioni\NOS\Adobe_Downloads\install_flash_player.exe
    2010-05-06 23:10 . 2010-05-06 23:10 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\McAfee
    2010-05-06 23:10 . 2010-05-06 23:10 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\McAfee Security Scan
    2010-05-06 23:10 . 2010-05-08 01:20 -------- d-----w- c:\programmi\McAfee Security Scan
    2010-05-06 14:24 . 2010-05-06 23:19 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\NOS
    2010-04-28 08:46 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-10 19:15 . 2010-02-26 01:09 -------- d-----w- c:\programmi\Cheat Engine
    2010-05-10 18:53 . 2009-08-20 12:30 -------- d-----w- c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
    2010-04-30 13:54 . 2009-08-23 13:55 -------- d-----w- c:\documents and settings\Link\Dati applicazioni\vlc
    2010-03-28 11:17 . 2001-08-31 12:00 80268 ----a-w- c:\windows\system32\perfc010.dat
    2010-03-28 11:17 . 2001-08-31 12:00 481664 ----a-w- c:\windows\system32\perfh010.dat
    2010-03-21 19:54 . 2009-09-16 21:14 -------- d-----w- c:\documents and settings\Link\Dati applicazioni\Skype
    2010-03-21 17:14 . 2009-09-16 21:14 -------- d-----w- c:\documents and settings\Link\Dati applicazioni\skypePM
    2010-03-10 08:02 . 2004-08-19 13:39 417792 ----a-w- c:\windows\system32\vbscript.dll
    2010-02-26 06:10 . 2004-08-19 13:39 664576 ----a-w- c:\windows\system32\wininet.dll
    2010-02-26 06:10 . 2004-08-19 13:39 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-02-24 12:31 . 2004-08-03 21:15 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-16 19:30 . 2004-08-19 13:34 2140672 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 19:30 . 2004-08-19 15:34 2020352 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:45 . 2004-08-19 13:39 100864 ----a-w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:01 . 2004-08-03 21:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
    .

    ((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* i valori vuoti & legittimi/default non sono visualizzati.
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-30 7634944]
    "nwiz"="nwiz.exe" [2006-10-30 1622016]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-30 86016]
    "RTHDCPL"="RTHDCPL.EXE" [2007-02-26 16125440]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "AdobeCS4ServiceManager"="c:\programmi\File comuni\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-19 2046816]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-19 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-10-05 08:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Programmi\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Programmi\\TeamViewer\\Version4\\TeamViewer.exe"=
    "c:\\Programmi\\File comuni\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Programmi\\eMule\\emule.exe"=
    "c:\\Programmi\\GreedyTorrent\\GTor.exe"=
    "c:\\Programmi\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Programmi\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
    "c:\\Programmi\\Opera\\opera.exe"=
    "c:\\Programmi\\Java\\jre6\\launch4j-tmp\\frd.exe"=
    "c:\\Programmi\\Java\\jre6\\bin\\java.exe"=
    "c:\\Programmi\\PFPortChecker\\PFPortChecker.exe"=
    "c:\\Programmi\\Starcraft\\StarCraft.exe"=
    "c:\\Programmi\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [05/10/2009 10.44.35 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [05/10/2009 10.44.40 108552]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [05/10/2009 10.44.21 297752]
    S0 wynxm;wynxm; [x]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\programmi\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\programmi\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
    .
    .
    ------- Scansione supplementare -------
    .
    uStart Page = hxxp://www.google.it/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath -
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\programmi\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\programmi\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\programmi\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\programmi\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\programmi\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - CHIAVI ORFANE RIMOSSE - - - -

    HKCU-Run-gotnewupdate000.exe - c:\documents and settings\Link\Dati applicazioni\FA29999098E9BE16C87CC9108611D710\gotnewupdate000.exe
    HKLM-Run-sbdjlcds - c:\documents and settings\Link\Impostazioni locali\Dati applicazioni\udmrdxeup\vgxoightssd.exe
    MSConfigStartUp-uTorrent - c:\programmi\uTorrent\uTorrent.exe
    AddRemove-eBay Icon - c:\documents and settings\Link\Dati applicazioni\Desktopicon\uninst.exe



    **************************************************************************
    scansione processi nascosti ...

    scansione entrate autostart nascoste ...

    Scansione files nascosti ...

    Scansione completata con successo
    Files nascosti:

    **************************************************************************
    .
    --------------------- Dlls caricate dai processi in esecuzione ---------------------

    - - - - - - - > 'explorer.exe'(2760)
    c:\windows\system32\msi.dll
    c:\programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.dll
    c:\programmi\File comuni\Adobe\Acrobat\ActiveX\PDFShell.ITA
    c:\windows\system32\wmvcore.dll
    c:\windows\system32\WMASF.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Altri processi in esecuzione ------------------------
    .
    c:\programmi\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\progra~1\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\RTHDCPL.EXE
    .
    **************************************************************************
    .
    Ora fine scansione: 2010-05-10 21:21:00 - Il pc è stato riavviato
    ComboFix-quarantined-files.txt 2010-05-10 19:20

    Pre-Run: 95.259.488.256 byte disponibili
    Post-Run: 97.300.021.248 byte disponibili

    - - End Of File - - 00AEF69A2A1E727DDFC07BB5F280D419

  6. #6
    menatwork
    we still have to remove something...

    do you use McAfee or avg?

  7. #7
    I use AVG, McAfee installed itself before I caught the virus. If you have advice on antivirus I'm listening ...

    I don't know if it's useful, but while combofix was working it removed a rootkit..

  8. #8
    menatwork
    Now open a Notepad page and copy-paste the following:

    file::
    c:\windows\system32\xgyxhjlmmdtm.exe
    c:\programmi\McAfee Security Scan\2.0.181\McCHSvc.exe


    folder::
    c:\programmi\McAfee Security Scan


    save the page, naming it CFScript.txt (the name is mandatory)
    then drag and drop the CFScript.txt file onto the combofix icon
    let it work until it finishes and post its log again

    if you want to keep avg, update it to version 9

  9. #9
    Just finished using combofix..another log, but still nothing.. at this point...what if I restored Windows?

  10. #10
    menatwork
    Just finished using combofix..another log, but still nothing..
    I don't understand

    can you post me the result of the last scan?
