
rdbss.sys help, PC messed up


Post by andrea_26 » Wed Mar 18, 2009 2:13 pm

Hi everyone, I'm an old user of the forum, I just lost my old account and had to create another one...
Anyway, here's the problem:
Every so often the PC freezes, and when I restart it I get a blue screen telling me there's a problem with the file rdbss.sys. Since then other problems have appeared: for example the internet connection drops after a few hours and I have to restart the PC to reconnect, also because if I go to Connections the window doesn't open, or I always have to recreate a new connection; I even have to use Firefox to browse because Internet Explorer doesn't open any more. I can't tell whether all of this is the fault of some virus.

I await your help as always... thanks in advance :)
andrea_26
New member
Posts: 8
Joined: Wed Mar 18, 2009 2:04 pm

Re: rdbss.sys help, PC messed up

Post by ste_95 » Wed Mar 18, 2009 2:57 pm

Download ComboFix and run a scan; you'll find the instructions at the end of this article.
«Sometimes it is better to keep silent and seem stupid than to open your mouth and remove all doubt.» Oscar Wilde
ste_95
Official Member (Gold)
Posts: 17271
Joined: Mon Aug 06, 2007 11:19 am

Re: rdbss.sys help, PC messed up

Post by andrea_26 » Wed Mar 18, 2009 3:43 pm

Here's what came out:

ComboFix 09-03-15.01 - gvggt 2009-03-18 15.24.10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.1022.435 [GMT 1:00]
Eseguito da: d:\documents and settings\gvggt\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\File comuni\{B4530~1
c:\windows\Downloaded Program Files\0e17f
c:\windows\Downloaded Program Files\BwiGE
c:\windows\Downloaded Program Files\gqzvpj3
c:\windows\Downloaded Program Files\l5nqw
c:\windows\Downloaded Program Files\LbmBW
c:\windows\Downloaded Program Files\ob54o
c:\windows\Downloaded Program Files\PCSXw
c:\windows\Downloaded Program Files\PmKTu
c:\windows\Downloaded Program Files\PmKTu\hitrV.dat
c:\windows\Downloaded Program Files\RLpcNo
c:\windows\Downloaded Program Files\rtim1
c:\windows\system32\mdm.exe
d:\documents and settings\gvggt\Dati applicazioni\setup_it[1].exe

.
((((((((((((((((((((((((( Files Creati Da 2009-02-18 al 2009-03-18 )))))))))))))))))))))))))))))))))))
.

Nessun nuovo file creato in questo arco di tempo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-18 02:13 --------- d-----w d:\documents and settings\gvggt\Dati applicazioni\Skype
2009-03-17 17:22 --------- d-----w d:\documents and settings\All Users\Dati applicazioni\AntiVir PersonalEdition Classic
2009-03-16 21:38 --------- d-----w c:\programmi\eMule
2009-03-14 21:19 --------- d-----w d:\documents and settings\gvggt\Dati applicazioni\Azureus
2009-03-12 13:16 --------- d-----w c:\programmi\DkZ Studio
2009-03-10 23:40 --------- d-----w c:\programmi\Azureus
2009-02-17 01:45 --------- d--h--w c:\programmi\InstallShield Installation Information
2009-02-17 01:38 --------- d-----w c:\programmi\DAEMON Tools
2009-02-16 01:45 --------- d-----w d:\documents and settings\All Users\Dati applicazioni\SUPERAntiSpyware.com
2009-02-16 01:44 --------- d-----w d:\documents and settings\gvggt\Dati applicazioni\SUPERAntiSpyware.com
2009-02-16 01:44 --------- d-----w c:\programmi\SUPERAntiSpyware
2009-02-16 01:44 --------- d-----w c:\programmi\File comuni\Wise Installation Wizard
2009-02-16 01:07 --------- d-----w c:\programmi\PHPNukeIT
2009-02-16 01:07 --------- d-----w c:\programmi\elenco_radio
2009-02-15 23:50 --------- d-----w d:\documents and settings\gvggt\Dati applicazioni\Malwarebytes
2009-02-15 23:50 --------- d-----w d:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-02-15 23:50 --------- d-----w c:\programmi\Malwarebytes' Anti-Malware
2009-02-11 09:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 09:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 14:04 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 14:04 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-30 22:51 --------- d-----w c:\programmi\PhotoScape
2009-01-16 20:15 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-20 22:31 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-20 22:31 826,368 ------w c:\windows\system32\dllcache\wininet.dll
2008-12-20 22:31 671,232 ------w c:\windows\system32\dllcache\mstime.dll
2008-12-20 22:31 477,696 ------w c:\windows\system32\dllcache\mshtmled.dll
2008-12-20 22:31 44,544 ------w c:\windows\system32\dllcache\pngfilt.dll
2008-12-20 22:31 233,472 ------w c:\windows\system32\dllcache\webcheck.dll
2008-12-20 22:31 193,024 ------w c:\windows\system32\dllcache\msrating.dll
2008-12-20 22:31 105,984 ------w c:\windows\system32\dllcache\url.dll
2008-12-20 22:31 102,912 ------w c:\windows\system32\dllcache\occache.dll
2008-12-20 22:31 1,160,192 ------w c:\windows\system32\dllcache\urlmon.dll
2008-12-19 09:12 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-09-15 17:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012008091520080916\index.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 24,576 2003-05-02 09:31:50 c:\apps\ABOARD\bak\ABoard.exe

----a-w 19,417,640 2006-01-18 11:05:18 c:\apps\skype\phone\bak\SKYPE.EXE

----a-w 975,360 2005-12-08 14:39:08 c:\apps\SMP\bak\SmpSys.exe

----a-r 313,472 2006-03-30 14:45:08 c:\programmi\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

----a-w 249,896 2007-09-10 21:04:33 c:\programmi\AntiVir PersonalEdition Classic\bak\avgnt.exe
----a-w 266,497 2008-07-17 21:43:47 c:\programmi\AntiVir PersonalEdition Classic\avgnt.exe

----a-w 94,208 2005-09-03 13:18:30 c:\programmi\File comuni\Ahead\Lib\bak\NMBgMonitor.exe

----a-w 180,269 2006-10-28 23:38:22 c:\programmi\File comuni\Real\Update_OB\bak\realsched.exe
----a-w 185,872 2008-10-29 22:44:50 c:\programmi\File comuni\Real\Update_OB\realsched.exe

----a-w 90,112 2004-11-26 09:43:34 c:\programmi\File comuni\Ulead Systems\AutoDetector\bak\monitor.exe

----a-w 310,272 2004-10-04 11:03:18 c:\programmi\Goto Software\Vade Retro\bak\Vaderetro_oe.exe

----a-w 132,496 2007-07-12 02:00:36 c:\programmi\Java\jre1.6.0_02\bin\bak\jusched.exe

----a-r 73,840 2006-12-27 15:53:42 c:\programmi\Macrogaming\SweetIM\bak\SweetIM.exe

----a-w 282,624 2007-04-27 07:41:54 c:\programmi\QuickTime\bak\qttask.exe

----a-w 15,872 2006-09-07 17:19:27 c:\programmi\Unlocker\bak\UnlockerAssistant.exe

----a-w 67,584 2005-09-29 12:01:14 c:\windows\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-17 20:40:06 c:\windows\ehome\ehtray.exe

----a-w 208,952 2004-09-07 12:00:00 c:\windows\ime\IMJP8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-09-07 12:00:00 c:\windows\ime\IMJP8_1\imjpmig.exe

----a-w 15,360 2004-09-07 12:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2008-04-14 02:14:03 c:\windows\system32\ctfmon.exe

----a-w 155,648 2001-07-09 09:50:42 c:\windows\system32\bak\NeroCheck.exe

----a-w 455,168 2004-09-07 12:00:00 c:\windows\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2004-09-07 12:00:00 c:\windows\system32\IME\TINTLGNT\tintsetp.exe

.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 10:32 279944 --a------ c:\programmi\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}]
2009-02-05 15:24 1881112 --a------ c:\programmi\PHPNukeIT\tbPHP1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{337d7945-7b40-405d-95d9-b4f5c93148f2}]
2009-01-20 15:11 1881112 --a------ c:\programmi\elenco_radio\tbele0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{337d7945-7b40-405d-95d9-b4f5c93148f2}"= "c:\programmi\elenco_radio\tbele0.dll" [2009-01-20 1881112]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\programmi\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]
"{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}"= "c:\programmi\PHPNukeIT\tbPHP1.dll" [2009-02-05 1881112]

[HKEY_CLASSES_ROOT\clsid\{337d7945-7b40-405d-95d9-b4f5c93148f2}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{337D7945-7B40-405D-95D9-B4F5C93148F2}"= "c:\programmi\elenco_radio\tbele0.dll" [2009-01-20 1881112]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\programmi\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]
"{2C965F3F-8EFD-4BFC-A2C5-1672845FDBBF}"= "c:\programmi\PHPNukeIT\tbPHP1.dll" [2009-02-05 1881112]

[HKEY_CLASSES_ROOT\clsid\{337d7945-7b40-405d-95d9-b4f5c93148f2}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{2c965f3f-8efd-4bfc-a2c5-1672845fdbbf}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C20 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2001-01-19 68608]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\apps\skype\phone\bak\Skype.exe" [2006-01-18 19417640]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-09-07 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-07 455168]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-17 64512]
"avgnt"="c:\programmi\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"StartCCC"="c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"TkBellExe"="c:\programmi\File comuni\Real\Update_OB\realsched.exe" [2008-10-29 185872]
"SMSERIAL"="sm56hlpr.exe" [2005-10-18 c:\windows\sm56hlpr.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

d:\documents and settings\gvggt\Menu Avvio\Programmi\Esecuzione automatica\
Adobe Gamma.lnk - c:\programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

d:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
BlueSoleil.lnk - c:\programmi\IVT Corporation\BlueSoleil\gprs.exe [2007-12-27 43608]
Microsoft Office.lnk - c:\programmi\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programmi\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\FILECO~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= c:\progra~1\FILECO~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm"= c:\progra~1\FILECO~1\ULEADS~1\MPEG\mpegacm.acm
"vidc.XVID"= xvid.dll
"msacm.l3codec"= l3codecp.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\Messenger\\msmsgs.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Programmi\\BearShare.exe"=
"c:\\Programmi\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"<NO NAME>"= "c:\\Programmi\\PPStream\\PPStream.exe" "c:\\Programmi\\PPStream\\PPStream.exe
"c:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programmi\\MSN Messenger\\livecall.exe"=
"c:\\Programmi\\EA Games\\Ultima Online 2D Client\\client6.exe"=
"c:\\Programmi\\EA Games\\Ultima Online 2D Client\\client5.exe"=
"d:\\Programmi\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"d:\\f1challanges\\F1Challenge2007.exe"=
"c:\\Programmi\\Lphant\\eLePhantClient.exe"=
"c:\\APPS\\skype\\phone\\bak\\SKYPE.EXE"=

R1 SASDIFSV;SASDIFSV;c:\programmi\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\programmi\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 Start BT in service;Start BT in service;c:\programmi\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-12-27 51816]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2006-05-17 799744]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2007-03-22 20992]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [2006-05-17 7040]
S2 ctrlacclc;Controllo account locale;c:\windows\Downlo~1\rtim1\5jwry.exe --> c:\windows\Downlo~1\rtim1\5jwry.exe [?]
S3 ovt530;Webcam Deluxe;c:\windows\system32\drivers\ov530vid.sys [2006-09-25 161792]
S3 SASENUM;SASENUM;c:\programmi\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
.
Contenuto della cartella 'Scheduled Tasks'

2009-02-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programmi\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]

2009-03-18 c:\windows\Tasks\Configura il mio PC.job
- c:\apps\SMP\PCSETUP.EXE [2005-11-17 09:03]
.
- - - - CHIAVI ORFANE RIMOSSE - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
Notify-ssqpq - c:\windows\system32\ssqpq.dll
Notify-urqpppp - urqpppp.dll


.
------- Scansione supplementare -------
.
uInternet Connection Wizard,ShellNext = iexplore
TCP: {81BCCC61-15D0-4248-8914-0D9F97BD6B82} = 85.37.17.17 85.38.28.72
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\gvggt\Dati applicazioni\Mozilla\Firefox\Profiles\hxl45x2t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.it/
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 15:26:18
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus C20 Series = c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "c:\windows\system32\E_S4A.tmp"??t?9~??9~????????Z?9~????*?9~??????????????????????9~??Y???????????????????????????????????????????;~????????????????h?????????????????????????9~(?????>~????????????????

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_USERS\S-1-5-21-534961410-3740681359-3380630062-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8A46D85F-23F8-DF16-E938-206BEA6B8586}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaofajcpejandmcbjh"=hex:6b,61,6e,6b,63,6e,62,67,64,61,65,66,66,69,66,6d,69,63,
67,62,6a,6b,00,00
"haefghbkdbdlglja"=hex:6b,61,6e,6b,63,6e,62,67,64,61,65,66,66,69,66,6d,69,63,
67,62,6a,6b,00,00
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(1052)
c:\programmi\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\CLBCATQ.DLL
.
Ora fine scansione: 2009-03-18 15.30.51
ComboFix-quarantined-files.txt 2009-03-18 14:30:48

Pre-Run: 15.897.833.472 byte disponibili
Post-Run: 15,877,390,336 byte disponibili

249 --- E O F --- 2009-03-13 03:24:30
andrea_26
New member
Posts: 8
Joined: Wed Mar 18, 2009 2:04 pm


Re: rdbss.sys help, PC messed up

Post by ste_95 » Wed Mar 18, 2009 4:02 pm

Have c:\windows\Downlo~1\rtim1\5jwry.exe scanned on www.virustotal.com and post the link to the results.
ste_95
Official Member (Gold)
Posts: 17271
Joined: Mon Aug 06, 2007 11:19 am

Re: rdbss.sys help, PC messed up

Post by Amantide » Wed Mar 18, 2009 9:28 pm

There's also the Obfuscated trojan.

Download The Avenger, extract it to a folder and run the file avenger.exe.
Paste the following script into the white space under Input script here, untick Scan for rootkits and click Execute.

Code:
Files to move:
c:\apps\skype\phone\bak\SKYPE.EXE | c:\apps\skype\phone\SKYPE.EXE
c:\apps\ABOARD\bak\ABoard.exe | c:\apps\ABOARD\ABoard.exe
c:\apps\SMP\bak\SmpSys.exe | c:\apps\SMP\SmpSys.exe
c:\programmi\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe | c:\programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
c:\programmi\AntiVir PersonalEdition Classic\bak\avgnt.exe | c:\programmi\AntiVir PersonalEdition Classic\avgnt.exe
c:\programmi\File comuni\Ahead\Lib\bak\NMBgMonitor.exe | c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
c:\programmi\File comuni\Real\Update_OB\bak\realsched.exe | c:\programmi\File comuni\Real\Update_OB\realsched.exe
c:\programmi\File comuni\Ulead Systems\AutoDetector\bak\monitor.exe | c:\programmi\File comuni\Ulead Systems\AutoDetector\monitor.exe
c:\programmi\Goto Software\Vade Retro\bak\Vaderetro_oe.exe | c:\programmi\Goto Software\Vade Retro\Vaderetro_oe.exe
c:\programmi\Java\jre1.6.0_02\bin\bak\jusched.exe | c:\programmi\Java\jre1.6.0_02\bin\jusched.exe
c:\programmi\Macrogaming\SweetIM\bak\SweetIM.exe | c:\programmi\Macrogaming\SweetIM\SweetIM.exe
c:\programmi\QuickTime\bak\qttask.exe | c:\programmi\QuickTime\qttask.exe
c:\programmi\Unlocker\bak\UnlockerAssistant.exe | c:\programmi\Unlocker\UnlockerAssistant.exe
c:\windows\ehome\bak\ehtray.exe | c:\windows\ehome\ehtray.exe
c:\windows\ime\IMJP8_1\bak\IMJPMIG.EXE | c:\windows\ime\IMJP8_1\IMJPMIG.EXE
c:\windows\system32\bak\ctfmon.exe | c:\windows\system32\ctfmon.exe
c:\windows\system32\bak\NeroCheck.exe | c:\windows\system32\NeroCheck.exe
c:\windows\system32\IME\TINTLGNT\bak\TINTSETP.EXE | c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

Drivers to unload:
ctrlacclc


The PC should reboot; if it doesn't, reboot it manually.
On reboot the log avenger.txt should appear; post its contents here.
...to fly high, you have to know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo
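The "Files to move" list above pairs every executable the AWF infection renamed into a bak\ subfolder with the name it originally had, so that Avenger can put the genuine file back over the copy that took its name. As an added example (not code from this thread, from ComboFix or from The Avenger), the following Python script derives that list automatically from the AWF section of a ComboFix log, flagging entries where the file now carrying the original name differs in size from the bak\ copy; the sample lines are constructed from the log posted above and all function names are this example's own.

```python
"""Turn the 'AWF' section of a ComboFix log into an Avenger 'Files to move' list.

Each AWF line looks like:  <attrs> <size> <date> <time> <path>
An entry whose second-to-last path component is 'bak' is the renamed
original; its restore target is the same path with that component removed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the AWF section from the thread above.
SAMPLE_AWF = """\
----a-w 24,576 2003-05-02 09:31:50 c:\\apps\\ABOARD\\bak\\ABoard.exe

----a-w 249,896 2007-09-10 21:04:33 c:\\programmi\\AntiVir PersonalEdition Classic\\bak\\avgnt.exe
----a-w 266,497 2008-07-17 21:43:47 c:\\programmi\\AntiVir PersonalEdition Classic\\avgnt.exe

----a-w 15,360 2004-09-07 12:00:00 c:\\windows\\system32\\bak\\ctfmon.exe
----a-w 15,360 2008-04-14 02:14:03 c:\\windows\\system32\\ctfmon.exe
"""

LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)


@dataclass
class Entry:
    attrs: str
    size: int
    path: str


@dataclass
class RestorePair:
    source: str                    # renamed original sitting in bak\
    target: str                    # the name it must get back
    in_place_size: Optional[int]   # size of the file now using that name, if listed
    size_differs: bool             # True when both are listed and sizes differ


def parse_awf(text: str) -> List[Entry]:
    """Parse AWF report lines; blank and unrelated lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["attrs"], int(m["size"].replace(",", "")), m["path"]))
    return entries


def restore_target(path: str) -> Optional[str]:
    """Return the original path for a bak\\ entry, or None if it is not one."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def build_restore_pairs(entries: List[Entry]) -> List[RestorePair]:
    """Pair each bak\\ entry with the file currently holding its name (case-insensitive)."""
    by_path = {e.path.lower(): e for e in entries}
    pairs = []
    for e in entries:
        target = restore_target(e.path)
        if target is None:
            continue
        current = by_path.get(target.lower())
        pairs.append(RestorePair(
            source=e.path,
            target=target,
            in_place_size=current.size if current else None,
            size_differs=current is not None and current.size != e.size,
        ))
    return pairs


def avenger_script(pairs: List[RestorePair]) -> str:
    """Render the pairs in the 'Files to move:' syntax used in the thread."""
    lines = ["Files to move:"] + [f"{p.source} | {p.target}" for p in pairs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = build_restore_pairs(parse_awf(SAMPLE_AWF))
    print(avenger_script(found))
    for p in found:
        if p.size_differs:
            print(f"size differs, review: {p.target} ({p.in_place_size} bytes in place)")
```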

Re: rdbss.sys help, PC messed up

Post by andrea_26 » Wed Mar 18, 2009 10:44 pm

As for c:\windows\Downlo~1\rtim1\5jwry.exe, the file can't be found... (and by the way, I remember that some time ago crazycat had already spotted this file on my machine...)

These, instead, are the Avenger results (on reboot it gave me a fatal system error C 000021A):

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\clvwiljh

*******************

Script file located at: \??\C:\WINDOWS\system32\ihwiapgb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File c:\windows\system32\urpqqqq.dll not found!
Deletion of file c:\windows\system32\urpqqqq.dll failed!

Could not process line:
c:\windows\system32\urpqqqq.dll
Status: 0xc0000034



File C:\WINDOWS\sUNvruqMVrH.exe not found!
Deletion of file C:\WINDOWS\sUNvruqMVrH.exe failed!

Could not process line:
C:\WINDOWS\sUNvruqMVrH.exe
Status: 0xc0000034



File C:\WINDOWS\Downlo~1\rtim1\5jwry.exe not found!
Deletion of file C:\WINDOWS\Downlo~1\rtim1\5jwry.exe failed!

Could not process line:
C:\WINDOWS\Downlo~1\rtim1\5jwry.exe
Status: 0xc0000034

File C:\Programmi\File comuni\{B4530B54-0AE9-1040-0324-060104060027}\services.dll deleted successfully.
File C:\Programmi\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL deleted successfully.
File C:\WINDOWS\bNeRsYUKAd.exe deleted successfully.
File C:\WINDOWS\bVwYJRjtv.exe deleted successfully.
File C:\WINDOWS\Downloaded Program Files\ClientAX.dll deleted successfully.
File C:\WINDOWS\HRmfftAfOvB.exe deleted successfully.
File C:\WINDOWS\IjcWjGQOfRg.exe deleted successfully.
File C:\WINDOWS\ktoOvVaFVy.exe deleted successfully.
File C:\WINDOWS\QkexLLdXp.exe deleted successfully.
File C:\WINDOWS\QXOvavj.exe deleted successfully.
File C:\WINDOWS\system32\ssqpq.dll deleted successfully.
File C:\WINDOWS\system32\urqpppp.dll deleted successfully.
File C:\WINDOWS\XqGORAROK.exe deleted successfully.
File C:\WINDOWS\YDoVgkXrqmn.exe deleted successfully.
File D:\Documents and Settings\gvggt\Impostazioni locali\Temp\jar_cache41670.tmp deleted successfully.

Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jkvrgicb

*******************

Script file located at: \??\C:\Documents and Settings\opuubmcd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File c:\windows\system32\urpqqqq.dll not found!
Deletion of file c:\windows\system32\urpqqqq.dll failed!

Could not process line:
c:\windows\system32\urpqqqq.dll
Status: 0xc0000034



File C:\WINDOWS\sUNvruqMVrH.exe not found!
Deletion of file C:\WINDOWS\sUNvruqMVrH.exe failed!

Could not process line:
C:\WINDOWS\sUNvruqMVrH.exe
Status: 0xc0000034



File C:\WINDOWS\Downlo~1\rtim1\5jwry.exe not found!
Deletion of file C:\WINDOWS\Downlo~1\rtim1\5jwry.exe failed!

Could not process line:
C:\WINDOWS\Downlo~1\rtim1\5jwry.exe
Status: 0xc0000034



File C:\Programmi\File comuni\{B4530B54-0AE9-1040-0324-060104060027}\services.dll not found!
Deletion of file C:\Programmi\File comuni\{B4530B54-0AE9-1040-0324-060104060027}\services.dll failed!

Could not process line:
C:\Programmi\File comuni\{B4530B54-0AE9-1040-0324-060104060027}\services.dll
Status: 0xc0000034



File C:\Programmi\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL not found!
Deletion of file C:\Programmi\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL failed!

Could not process line:
C:\Programmi\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL
Status: 0xc0000034



File C:\WINDOWS\bNeRsYUKAd.exe not found!
Deletion of file C:\WINDOWS\bNeRsYUKAd.exe failed!

Could not process line:
C:\WINDOWS\bNeRsYUKAd.exe
Status: 0xc0000034



File C:\WINDOWS\bVwYJRjtv.exe not found!
Deletion of file C:\WINDOWS\bVwYJRjtv.exe failed!

Could not process line:
C:\WINDOWS\bVwYJRjtv.exe
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\ClientAX.dll not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\ClientAX.dll failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\ClientAX.dll
Status: 0xc0000034



File C:\WINDOWS\HRmfftAfOvB.exe not found!
Deletion of file C:\WINDOWS\HRmfftAfOvB.exe failed!

Could not process line:
C:\WINDOWS\HRmfftAfOvB.exe
Status: 0xc0000034



File C:\WINDOWS\IjcWjGQOfRg.exe not found!
Deletion of file C:\WINDOWS\IjcWjGQOfRg.exe failed!

Could not process line:
C:\WINDOWS\IjcWjGQOfRg.exe
Status: 0xc0000034



File C:\WINDOWS\ktoOvVaFVy.exe not found!
Deletion of file C:\WINDOWS\ktoOvVaFVy.exe failed!

Could not process line:
C:\WINDOWS\ktoOvVaFVy.exe
Status: 0xc0000034



File C:\WINDOWS\QkexLLdXp.exe not found!
Deletion of file C:\WINDOWS\QkexLLdXp.exe failed!

Could not process line:
C:\WINDOWS\QkexLLdXp.exe
Status: 0xc0000034



File C:\WINDOWS\QXOvavj.exe not found!
Deletion of file C:\WINDOWS\QXOvavj.exe failed!

Could not process line:
C:\WINDOWS\QXOvavj.exe
Status: 0xc0000034



File C:\WINDOWS\system32\ssqpq.dll not found!
Deletion of file C:\WINDOWS\system32\ssqpq.dll failed!

Could not process line:
C:\WINDOWS\system32\ssqpq.dll
Status: 0xc0000034



File C:\WINDOWS\system32\urqpppp.dll not found!
Deletion of file C:\WINDOWS\system32\urqpppp.dll failed!

Could not process line:
C:\WINDOWS\system32\urqpppp.dll
Status: 0xc0000034



File C:\WINDOWS\XqGORAROK.exe not found!
Deletion of file C:\WINDOWS\XqGORAROK.exe failed!

Could not process line:
C:\WINDOWS\XqGORAROK.exe
Status: 0xc0000034



File C:\WINDOWS\YDoVgkXrqmn.exe not found!
Deletion of file C:\WINDOWS\YDoVgkXrqmn.exe failed!

Could not process line:
C:\WINDOWS\YDoVgkXrqmn.exe
Status: 0xc0000034



File D:\Documents and Settings\gvggt\Impostazioni locali\Temp\jar_cache41670.tmp not found!
Deletion of file D:\Documents and Settings\gvggt\Impostazioni locali\Temp\jar_cache41670.tmp failed!

Could not process line:
D:\Documents and Settings\gvggt\Impostazioni locali\Temp\jar_cache41670.tmp
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\whoyygpa

*******************

Script file located at: \??\C:\WINDOWS\system32\fbltlkxy.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File c:\windows\system32\urpqqqq.dll not found!
Deletion of file c:\windows\system32\urpqqqq.dll failed!

Could not process line:
c:\windows\system32\urpqqqq.dll
Status: 0xc0000034



File C:\WINDOWS\sUNvruqMVrH.exe not found!
Deletion of file C:\WINDOWS\sUNvruqMVrH.exe failed!

Could not process line:
C:\WINDOWS\sUNvruqMVrH.exe
Status: 0xc0000034



File C:\WINDOWS\Downlo~1\rtim1\5jwry.exe not found!
Deletion of file C:\WINDOWS\Downlo~1\rtim1\5jwry.exe failed!

Could not process line:
C:\WINDOWS\Downlo~1\rtim1\5jwry.exe
Status: 0xc0000034



File C:\Programmi\File comuni\{B4530B54-0AE9-1040-0324-060104060027}\services.dll not found!
Deletion of file C:\Programmi\File comuni\{B4530B54-0AE9-1040-0324-060104060027}\services.dll failed!

Could not process line:
C:\Programmi\File comuni\{B4530B54-0AE9-1040-0324-060104060027}\services.dll
Status: 0xc0000034



File C:\Programmi\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL not found!
Deletion of file C:\Programmi\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL failed!

Could not process line:
C:\Programmi\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL
Status: 0xc0000034



File C:\WINDOWS\bNeRsYUKAd.exe not found!
Deletion of file C:\WINDOWS\bNeRsYUKAd.exe failed!

Could not process line:
C:\WINDOWS\bNeRsYUKAd.exe
Status: 0xc0000034



File C:\WINDOWS\bVwYJRjtv.exe not found!
Deletion of file C:\WINDOWS\bVwYJRjtv.exe failed!

Could not process line:
C:\WINDOWS\bVwYJRjtv.exe
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\ClientAX.dll not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\ClientAX.dll failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\ClientAX.dll
Status: 0xc0000034



File C:\WINDOWS\HRmfftAfOvB.exe not found!
Deletion of file C:\WINDOWS\HRmfftAfOvB.exe failed!

Could not process line:
C:\WINDOWS\HRmfftAfOvB.exe
Status: 0xc0000034



File C:\WINDOWS\IjcWjGQOfRg.exe not found!
Deletion of file C:\WINDOWS\IjcWjGQOfRg.exe failed!

Could not process line:
C:\WINDOWS\IjcWjGQOfRg.exe
Status: 0xc0000034



File C:\WINDOWS\ktoOvVaFVy.exe not found!
Deletion of file C:\WINDOWS\ktoOvVaFVy.exe failed!

Could not process line:
C:\WINDOWS\ktoOvVaFVy.exe
Status: 0xc0000034



File C:\WINDOWS\QkexLLdXp.exe not found!
Deletion of file C:\WINDOWS\QkexLLdXp.exe failed!

Could not process line:
C:\WINDOWS\QkexLLdXp.exe
Status: 0xc0000034



File C:\WINDOWS\QXOvavj.exe not found!
Deletion of file C:\WINDOWS\QXOvavj.exe failed!

Could not process line:
C:\WINDOWS\QXOvavj.exe
Status: 0xc0000034



File C:\WINDOWS\system32\ssqpq.dll not found!
Deletion of file C:\WINDOWS\system32\ssqpq.dll failed!

Could not process line:
C:\WINDOWS\system32\ssqpq.dll
Status: 0xc0000034



File C:\WINDOWS\system32\urqpppp.dll not found!
Deletion of file C:\WINDOWS\system32\urqpppp.dll failed!

Could not process line:
C:\WINDOWS\system32\urqpppp.dll
Status: 0xc0000034



File C:\WINDOWS\XqGORAROK.exe not found!
Deletion of file C:\WINDOWS\XqGORAROK.exe failed!

Could not process line:
C:\WINDOWS\XqGORAROK.exe
Status: 0xc0000034



File C:\WINDOWS\YDoVgkXrqmn.exe not found!
Deletion of file C:\WINDOWS\YDoVgkXrqmn.exe failed!

Could not process line:
C:\WINDOWS\YDoVgkXrqmn.exe
Status: 0xc0000034



File D:\Documents and Settings\gvggt\Impostazioni locali\Temp\jar_cache41670.tmp not found!
Deletion of file D:\Documents and Settings\gvggt\Impostazioni locali\Temp\jar_cache41670.tmp failed!

Could not process line:
D:\Documents and Settings\gvggt\Impostazioni locali\Temp\jar_cache41670.tmp
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File move operation "c:\apps\skype\phone\bak\SKYPE.EXE|c:\apps\skype\phone\SKYPE.EXE" completed successfully.
File move operation "c:\apps\ABOARD\bak\ABoard.exe|c:\apps\ABOARD\ABoard.exe" completed successfully.
File move operation "c:\apps\SMP\bak\SmpSys.exe|c:\apps\SMP\SmpSys.exe" completed successfully.
File move operation "c:\programmi\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe|c:\programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" completed successfully.
File move operation "c:\programmi\AntiVir PersonalEdition Classic\bak\avgnt.exe|c:\programmi\AntiVir PersonalEdition Classic\avgnt.exe" completed successfully.
File move operation "c:\programmi\File comuni\Ahead\Lib\bak\NMBgMonitor.exe|c:\programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" completed successfully.
File move operation "c:\programmi\File comuni\Real\Update_OB\bak\realsched.exe|c:\programmi\File comuni\Real\Update_OB\realsched.exe" completed successfully.
File move operation "c:\programmi\File comuni\Ulead Systems\AutoDetector\bak\monitor.exe|c:\programmi\File comuni\Ulead Systems\AutoDetector\monitor.exe" completed successfully.
File move operation "c:\programmi\Goto Software\Vade Retro\bak\Vaderetro_oe.exe|c:\programmi\Goto Software\Vade Retro\Vaderetro_oe.exe" completed successfully.
File move operation "c:\programmi\Java\jre1.6.0_02\bin\bak\jusched.exe|c:\programmi\Java\jre1.6.0_02\bin\jusched.exe" completed successfully.
File move operation "c:\programmi\Macrogaming\SweetIM\bak\SweetIM.exe|c:\programmi\Macrogaming\SweetIM\SweetIM.exe" completed successfully.
File move operation "c:\programmi\QuickTime\bak\qttask.exe|c:\programmi\QuickTime\qttask.exe" completed successfully.
File move operation "c:\programmi\Unlocker\bak\UnlockerAssistant.exe|c:\programmi\Unlocker\UnlockerAssistant.exe" completed successfully.
File move operation "c:\windows\ehome\bak\ehtray.exe|c:\windows\ehome\ehtray.exe" completed successfully.
File move operation "c:\windows\ime\IMJP8_1\bak\IMJPMIG.EXE|c:\windows\ime\IMJP8_1\IMJPMIG.EXE" completed successfully.
File move operation "c:\windows\system32\bak\ctfmon.exe|c:\windows\system32\ctfmon.exe" completed successfully.
File move operation "c:\windows\system32\bak\NeroCheck.exe|c:\windows\system32\NeroCheck.exe" completed successfully.
File move operation "c:\windows\system32\IME\TINTLGNT\bak\TINTSETP.EXE|c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" completed successfully.
Driver "ctrlacclc" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: rdbss.sys help, PC messed up

Post by Amantide » Wed Mar 18, 2009 11:35 pm

You attached the old Avenger logs too, made with version 1 no less [:)]

Anyway, the operation went fine, and to make sure there is nothing else I advise you to run a full scan with Malwarebytes' Anti-Malware.
...to fly high, you have to know how to fall...

Re: rdbss.sys help, PC messed up

Post by andrea_26 » Wed Mar 18, 2009 11:54 pm

Amantide wrote:You attached the old Avenger logs too, made with version 1 no less [:)]

Anyway, the operation went fine, and to make sure there is nothing else I advise you to run a full scan with Malwarebytes' Anti-Malware.

DOH [acc2] how stupid of me.. anyway I'll run the other scan now and let you know :)

as for c:\windows\Downlo~1\rtim1\5jwry.exe, should I try to find it and delete it, or do I try giving Avenger a script like
Files to delete:
C:\WINDOWS\Downlo~1\rtim1\5jwry.exe and maybe it gets deleted [uhm] [uhm] [uhm] [uhm]

Re: rdbss.sys help, PC messed up

Post by andrea_26 » Thu Mar 19, 2009 2:53 pm

the Malwarebytes' Anti-Malware scan went well, it found only one infected file, which I promptly deleted

Re: rdbss.sys help, PC messed up

Post by andrea_26 » Thu Mar 19, 2009 4:01 pm

anyway I have only one problem left, which I forgot to write about (still related to rdbss.sys) and which is very strange... when I shut down the PC, if in the meantime I disconnect and switch off the modem... the PC freezes on the blue screen that says windows is shutting down

Re: rdbss.sys help, PC messed up

Post by Amantide » Thu Mar 19, 2009 5:17 pm

andrea_26 wrote:as for c:\windows\Downlo~1\rtim1\5jwry.exe, should I try to find it and delete it, or do I try giving Avenger a script like Files to delete:C:\WINDOWS\Downlo~1\rtim1\5jwry.exe and maybe it gets deleted

We already did that by removing the whole service related to this file:
Driver "ctrlacclc" deleted successfully.


andrea_26 wrote:anyway I have only one problem left, which I forgot to write about (still related to rdbss.sys) and which is very strange... when I shut down the PC, if in the meantime I disconnect and switch off the modem... the PC freezes on the blue screen that says windows is shutting down

Is the OS up to date? Have you installed Service Pack 3?

Post me the HijackThis log as well.
...to fly high, you have to know how to fall...

Re: rdbss.sys help, PC messed up

Post by andrea_26 » Thu Mar 19, 2009 7:13 pm

here it is

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19.18.04, on 19/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Windows Media Player\wmplayer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmi\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programmi\AskBarDis\bar\bin\askBar.dll
O2 - BHO: PHPNukeIT Toolbar - {2c965f3f-8efd-4bfc-a2c5-1672845fdbbf} - C:\Programmi\PHPNukeIT\tbPHP1.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: elenco_radio Toolbar - {337d7945-7b40-405d-95d9-b4f5c93148f2} - C:\Programmi\elenco_radio\tbele0.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: elenco_radio Toolbar - {337d7945-7b40-405d-95d9-b4f5c93148f2} - C:\Programmi\elenco_radio\tbele0.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programmi\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: PHPNukeIT Toolbar - {2c965f3f-8efd-4bfc-a2c5-1672845fdbbf} - C:\Programmi\PHPNukeIT\tbPHP1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [StartCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [EPSON Stylus C20 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S4A.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\APPS\skype\phone\bak\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Programmi\IVT Corporation\BlueSoleil\gprs.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: Alice - {6A149D78-3D89-4CD2-BBE0-0F680574FDE2} - http://gw.aliceadsl.it/alice (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://gw.aliceadsl.it/home
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://andrea26asr.spaces.live.com//Pho ... nPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-U ... E_UNO1.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://andrea26asr.spaces.live.com/Phot ... nPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{81BCCC61-15D0-4248-8914-0D9F97BD6B82}: NameServer = 85.37.17.17 85.38.28.72
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programmi\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Media Center Receiver Service (ehRecvr) - Unknown owner - C:\WINDOWS\eHome\ehRecvr.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: Start BT in service - Unknown owner - C:\Programmi\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 11031 bytes

Re: rdbss.sys help, PC messed up

Post by Amantide » Thu Mar 19, 2009 7:25 pm

Nothing anomalous is visible.

But help me understand this part a bit better:
andrea_26 wrote:when I shut down the PC, if in the meantime I disconnect and switch off the modem... the PC freezes on the blue screen that says windows is shutting down

Do you unplug the modem right during the system shutdown, or before?
...to fly high, you have to know how to fall...
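A triage pass over HijackThis entries like the ones posted above, written as an added example for this thread and not code from the forum or from HijackThis itself. The heuristics it applies (orphaned BHOs, Run entries still pointing into a \bak\ folder after the Avenger restore, DNS and Winlogon hooks to double-check) are my own assumptions about what a reviewer looks for; the sample lines are copied from the posted log.

```python
import re

# Constructed sample in HijackThis log format, built from lines of the log
# posted above (paths, CLSIDs and the two DNS servers are the thread's own);
# the "Running processes" lines show that non-entry lines are skipped.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [Skype] "C:\APPS\skype\phone\bak\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{81BCCC61-15D0-4248-8914-0D9F97BD6B82}: NameServer = 85.37.17.17 85.38.28.72
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# One HijackThis entry: a section tag (O2, O4, R1, ...), " - ", then the body.
HJT_ENTRY = re.compile(r"^([ROFN]\d+)\s+-\s+(.+)$")


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line in text."""
    entries = []
    for raw in text.splitlines():
        match = HJT_ENTRY.match(raw.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def triage(entries):
    """Apply a few review heuristics (my assumptions, not HijackThis rules) and
    return (section, body, reason) for each entry that deserves a second look."""
    findings = []
    for section, body in entries:
        if section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((section, body, "orphaned BHO/toolbar: registered DLL is missing"))
        elif section == "O4" and "\\bak\\" in body.lower():
            # The Avenger log above moved the real binaries out of \bak\; a Run
            # value that still points there launches the wrong file or nothing.
            findings.append((section, body, "Run entry points at a \\bak\\ copy, not the restored file"))
        elif section == "O17" and "NameServer" in body:
            findings.append((section, body, "custom DNS servers: confirm they belong to the ISP"))
        elif section == "O20":
            findings.append((section, body, "Winlogon Notify hook: confirm the DLL belongs to installed software"))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{section}] {reason}\n    {body}")
```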

Re: rdbss.sys help, PC messed up

Post by andrea_26 » Thu Mar 19, 2009 10:49 pm

Amantide wrote:Nothing anomalous is visible.

But help me understand this part a bit better:
andrea_26 wrote:when I shut down the PC, if in the meantime I disconnect and switch off the modem... the PC freezes on the blue screen that says windows is shutting down

Do you unplug the modem right during the system shutdown, or before?

no, before going to start > shut down etc.. I disconnect the connection.. and switch off the modem (which I've always done), then I click SHUT DOWN PC.. at first it looks like the PC is going to shut down normally, but instead it stays stuck on the windows is shutting down screen.. and a similar thing happens when I turn the PC on: if I go to start > connections.. the window doesn't open, and every time I have to go to the control panel and create a new connection, otherwise I have to wait 2 minutes for the remote connection to come up

Re: rdbss.sys help, PC messed up

Post by Amantide » Fri Mar 20, 2009 3:52 pm

Try completely uninstalling both the modem drivers and the connection, and reconfigure everything from scratch. The driver may have been corrupted by the virus [uhm]
...to fly high, you have to know how to fall...
