www.MegaLab.it

[balla01]

Salve a tutti ho un problema con il pc :

Quando navigo spesso e volentieri vengono aperte delle altre pagine con dei prodotti commerciali.
In piu ogni tanto mi si attiva una connessione del tipo 0004 e nel menu delle connessioni in pannello di controllo è sotto il nome di 0202.
Se provo a localizzare il file mi manda su un certo win2DA4.tmp.exe che non ho trovato danessuna parte.
Come anivirus faccio la scansione con spybot search and destroy e mi trova dei cookie dannosi gli elimino appena mi connetto avast trova un troiano e ricominciano i siti commerciali.
Vi posto il log con hijakalthis nella speranza che mi possiate aiutare :
Grazie a tutti!


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13.21.17, on 01/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Programmi\ViRobotXP\vrmonsvc.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ViRobotXP\vrmonnt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Programmi\CyberLink\PowerCinema\PCMService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\CyberLink\PowerCinema\PowerCinema.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Utente\Desktop\programmi\antivirus\HiJackThis_v2.exe
C:\WINDOWS\TEMP\win2DB2.tmp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ultramotard.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 62.173.164.131 L2authd.lineage2.com
O1 - Hosts: 62.173.164.131 L2testauthd.lineage2.com
O1 - Hosts: 62.173.164.131 L2authd.lineage2.com
O1 - Hosts: 62.173.164.131 L2testauthd.lineage2.com
O1 - Hosts: 62.173.164.131 L2authd.lineage2.com
O1 - Hosts: 62.173.164.131 L2testauthd.lineage2.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27CA571B-14D3-4937-B387-BE72FA7A0F87} - C:\WINDOWS\system32\khfedcy.dll
O2 - BHO: (no name) - {47D04A93-512A-40B2-AF96-97C273B7CB45} - C:\WINDOWS\system32\pmkhh.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\ykdtyvxl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AFC7A00F-13B6-4D39-B84D-4C566AA25B28} - C:\WINDOWS\system32\tcqnkxhm.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Programmi\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Vrmon] C:\Programmi\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\lyregkgd.dll",setvm
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digisoft AntiDialer.lnk = C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/230?dc2efc7d2f7147088d9d75e2ce91d575
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/229?dc2efc7d2f7147088d9d75e2ce91d575
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/games/ricochet- ... Loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1441470860
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/ac ... inder2.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{B860423D-15C1-47FC-8684-51903E532D18}: NameServer = 85.37.17.47 85.38.28.82
O20 - Winlogon Notify: khfedcy - C:\WINDOWS\SYSTEM32\khfedcy.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Programmi\ViRobotXP\vrmonsvc.exe

--
End of file - 11269 bytes

[crazy.cat]

Sospetto e molto
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\lyregkgd.dll",setvm

Tutti virus o schifezze varie elimina le righe e tutti i file dll.
C:\WINDOWS\TEMP\win2DB2.tmp.exe
O2 - BHO: (no name) - {27CA571B-14D3-4937-B387-BE72FA7A0F87} - C:\WINDOWS\system32\khfedcy.dll
O2 - BHO: (no name) - {47D04A93-512A-40B2-AF96-97C273B7CB45} - C:\WINDOWS\system32\pmkhh.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\ykdtyvxl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AFC7A00F-13B6-4D39-B84D-4C566AA25B28} - C:\WINDOWS\system32\tcqnkxhm.dll
O20 - Winlogon Notify: khfedcy - C:\WINDOWS\SYSTEM32\khfedcy.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll
O20 - Winlogon Notify: wineil32 - C:\WINDOWS\
O20 - Winlogon Notify: winuqw32 - C:\WINDOWS\SYSTEM32\winuqw32.dll

E consigliato una scansione on line http://www.kaspersky.com/virusscanner
per vedere quanti altri virus ci sono nel pc.
Alla fine salvati il log della scansione e postalo qui.

Consigliato abbandono di avast in favore di Antivir pe o active virus shield.

[Amantide]

C'è di mezzo il trojan Vundo, fai la scansione con VundoFix e posta qui il contenuto del file C:\vundofix.txt

[balla01]

questo èquello che ha trovato vundo :

C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.bak2
C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hhkmp.ini2
C:\WINDOWS\system32\hhkmp.tmp
C:\WINDOWS\system32\pmkhh.dll

adeo ho disinstallato avast e installato active virus shield e sta facendo la scansione pare abbia trovato qualcosa con hijalthis ho eliminato i file che mi hai detto crazy.cat adesso aspetto di finire la scansione e posto un nuovo lgdi hijakalthis....


Grazie davvero a tutti dell aiuto!!!!

[balla01]

Niente da fare i problemi persistono : ogni tanto mi compare una nuova connessione remota che mi disconnette quella adsl e che prova a connettersi con il modem interno : i siti commerciali che mi comparivano prima sono diminuiti enormemente ma 2 mi ricompaiono ancora : vi posto una nuova scansione con hijakalthis nella spranza che possiate aiutarmi.

ogfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17.23.30, on 02/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\windows\system32\winlogon.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Programmi\ViRobotXP\vrmonsvc.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ViRobotXP\vrmonnt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Programmi\CyberLink\PowerCinema\PCMService.exe
C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\DOCUME~1\Martina\IMPOST~1\Temp\wjroba.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Messenger\msmsgs.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Utente\Desktop\programmi\antivirus\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ultramotard.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 62.173.164.131 L2authd.lineage2.com
O1 - Hosts: 62.173.164.131 L2testauthd.lineage2.com
O1 - Hosts: 62.173.164.131 L2authd.lineage2.com
O1 - Hosts: 62.173.164.131 L2testauthd.lineage2.com
O1 - Hosts: 62.173.164.131 L2authd.lineage2.com
O1 - Hosts: 62.173.164.131 L2testauthd.lineage2.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27CA571B-14D3-4937-B387-BE72FA7A0F87} - C:\WINDOWS\system32\khfedcy.dll (file missing)
O2 - BHO: (no name) - {2C8C87C0-AF95-4425-9523-7A96199BCB76} - C:\WINDOWS\system32\pmkhh.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\gdtyhrtu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Programmi\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Vrmon] C:\Programmi\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [aol] "C:\Programmi\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [wjroba.exe] C:\DOCUME~1\Martina\IMPOST~1\Temp\wjroba.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-21-1078081533-1425521274-725345543-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Martina')
O4 - HKUS\S-1-5-21-1078081533-1425521274-725345543-1006\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Martina')
O4 - HKUS\S-1-5-21-1078081533-1425521274-725345543-1006\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background (User 'Martina')
O4 - HKUS\S-1-5-21-1078081533-1425521274-725345543-1006\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 (User 'Martina')
O4 - HKUS\S-1-5-21-1078081533-1425521274-725345543-1007\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Marina')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/230?dc2efc7d2f7147088d9d75e2ce91d575
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/229?dc2efc7d2f7147088d9d75e2ce91d575
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/games/ricochet- ... Loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1441470860
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/ac ... inder2.CAB
O20 - Winlogon Notify: khfedcy - khfedcy.dll (file missing)
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Programmi\AOL\Active Virus Shield\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Programmi\ViRobotXP\vrmonsvc.exe

--
End of file - 11065 bytes

[Amantide]

C'è altra volta Vundo di mezzo.
Rifai un altra volta la scansione con Vundofix, elimina questo file C:\DOCUME~1\Martina\IMPOST~1\Temp\wjroba.exe e svuota le cartelle dei file temporanei dalla modalità provvisoria con aiuto di CCleaner.
Questo direi che puoi disinstallare, ViRobotXP, ed installa anche un firewall buono, con AVS stà bene Zone Alarm.

Queste voci puoi tranquillamente fixare, sono superflue all'avvio del pc (e cosi la prossima volta il log sarà più corto ):
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Vrmon] C:\Programmi\ViRobotXP\vrmonnt.exe Main
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background

Queste sono da fixare comunque:
O2 - BHO: (no name) - {27CA571B-14D3-4937-B387-BE72FA7A0F87} - C:\WINDOWS\system32\khfedcy.dll (file missing)
O2 - BHO: (no name) - {2C8C87C0-AF95-4425-9523-7A96199BCB76} - C:\WINDOWS\system32\pmkhh.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\gdtyhrtu.dll (file missing)
O4 - HKLM\..\Run: [wjroba.exe] C:\DOCUME~1\Martina\IMPOST~1\Temp\wjroba.exe
O20 - Winlogon Notify: khfedcy - khfedcy.dll (file missing)
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)

Fatto tutto ciò riposta il nuovo log di Hijackthis.
Poi scarica ed avvia Systemscan, spunta tutte le voci e clicca su Scan Now. A scansione terminata trova in C:\suspectfile il file report.txt, comprimilo in un archivio rar o zip ed allegalo qui.

[balla01]

Grazie Amantide!!!

Ho fatto esattamente come hai detto tu : adesso cerco il firewall intanto ti posto il log di hijakalthis


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22.40.38, on 02/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\system32\winlogon.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Programmi\ViRobotXP\vrmonsvc.exe
C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ViRobotXP\vrmonnt.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Programmi\CyberLink\PowerCinema\PCMService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\MSN Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\CyberLink\PowerCinema\PowerCinema.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Utente\Desktop\programmi\antivirus\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ultramotard.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 62.173.164.131 L2authd.lineage2.com
O1 - Hosts: 62.173.164.131 L2testauthd.lineage2.com
O1 - Hosts: 62.173.164.131 L2authd.lineage2.com
O1 - Hosts: 62.173.164.131 L2testauthd.lineage2.com
O1 - Hosts: 62.173.164.131 L2authd.lineage2.com
O1 - Hosts: 62.173.164.131 L2testauthd.lineage2.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10A4DCA9-0AFE-456F-8066-277878C5A16A} - C:\WINDOWS\system32\pmkhh.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Programmi\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [aol] "C:\Programmi\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [netybzpq] "c:\windows\system32\netybzpq.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-21-1078081533-1425521274-725345543-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Martina')
O4 - HKUS\S-1-5-21-1078081533-1425521274-725345543-1006\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Martina')
O4 - HKUS\S-1-5-21-1078081533-1425521274-725345543-1006\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background (User 'Martina')
O4 - HKUS\S-1-5-21-1078081533-1425521274-725345543-1006\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 (User 'Martina')
O4 - HKUS\S-1-5-21-1078081533-1425521274-725345543-1007\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Marina')
O4 - HKUS\S-1-5-21-1078081533-1425521274-725345543-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/230?dc2efc7d2f7147088d9d75e2ce91d575
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\Windows Live Toolbar\Components\it-it\msntabres.dll.mui/229?dc2efc7d2f7147088d9d75e2ce91d575
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/games/ricochet- ... Loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1441470860
O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/ac ... inder2.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{B860423D-15C1-47FC-8684-51903E532D18}: NameServer = 85.37.17.47 85.38.28.82
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Programmi\AOL\Active Virus Shield\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programmi\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmi\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Programmi\ViRobotXP\vrmonsvc.exe

--
End of file - 10120 bytes


questo invece è il report di system scan

[Amantide]

Scarica The Avenger, estrai archivio in una cartella ed avvia il file Avenger.exe.
Seleziona l'opzione Input Script Manually, clicca sulla lente di ingrandimento e all'interno del form copia ed incolla questo script:

Files to delete:
C:\WINDOWS\system32\pmkhh.dll
c:\windows\system32\netybzpq.exe
C:\WINDOWS\TEMP\win2D42.tmp.exe
C:\Documents and Settings\Martina\Impostazioni locali\Temp\mtramkuy.dll
C:\WINDOWS\VIROBOT.DLL
C:\WINDOWS\VRBOOT.DLL
C:\WINDOWS\SYSTEM32\VIROBOT.DLL
C:\WINDOWS\SYSTEM32\VRBOOT.DLL
C:\WINDOWS\SYSTEM32\VRUNACE.DLL
C:\WINDOWS\SYSTEM32\VRUNCAB.DLL
C:\WINDOWS\SYSTEM32\VRUNGZIP.DLL
C:\WINDOWS\SYSTEM32\VRUNRAR.DLL

registry keys to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmkhh
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10A4DCA9-0AFE-456F-8066-277878C5A16A}

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | netybzpq

Dopodichè clicca sul pulsante Done, poi 2 volte sull'icona del semaforo verde e rispondi alle successive domande Si .
Il pc dovrebbe riavviarsi da solo,se cosi non fosse riavvialo manualmente.
Alla fine allegami il log di Avenger che si trova in C:/avenger.txt

Fai anche la scansione con CCleaner dalla modalità provvisoria.

[balla01]

Ho fatto come hai detto questo è il log con avenger :

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jdcybqhi

*******************

Script file located at: \??\C:\WINDOWS\system32\uiheaoud.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\pmkhh.dll deleted successfully.
File c:\windows\system32\netybzpq.exe deleted successfully.


File C:\WINDOWS\TEMP\win2D42.tmp.exe not found!
Deletion of file C:\WINDOWS\TEMP\win2D42.tmp.exe failed!

Could not process line:
C:\WINDOWS\TEMP\win2D42.tmp.exe
Status: 0xc0000034



File C:\Documents and Settings\Martina\Impostazioni locali\Temp\mtramkuy.dll not found!
Deletion of file C:\Documents and Settings\Martina\Impostazioni locali\Temp\mtramkuy.dll failed!

Could not process line:
C:\Documents and Settings\Martina\Impostazioni locali\Temp\mtramkuy.dll
Status: 0xc0000034

File C:\WINDOWS\VIROBOT.DLL deleted successfully.
File C:\WINDOWS\VRBOOT.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\VIROBOT.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\VRBOOT.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\VRUNACE.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\VRUNCAB.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\VRUNGZIP.DLL deleted successfully.
File C:\WINDOWS\SYSTEM32\VRUNRAR.DLL deleted successfully.
Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmkhh deleted successfully.


Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10A4DCA9-0AFE-456F-8066-277878C5A16A} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10A4DCA9-0AFE-456F-8066-277878C5A16A} failed!
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|netybzpq deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Non riesco molto bene a capire questo file :

File C:\Documents and Settings\Martina\Impostazioni locali\Temp\mtramkuy.dll not found!
Deletion of file C:\Documents and Settings\Martina\Impostazioni locali\Temp\mtramkuy.dll failed!

Ho provato a cercarli col tasto cerca e a distruggerli con la killbox ma nn sono riuscito a trovarli e mi dice che non esistono.....

[Amantide]

Non riesco molto bene a capire questo file :

File C:\Documents and Settings\Martina\Impostazioni locali\Temp\mtramkuy.dll not found!
Deletion of file C:\Documents and Settings\Martina\Impostazioni locali\Temp\mtramkuy.dll failed!

Ho provato a cercarli col tasto cerca e a distruggerli con la killbox ma nn sono riuscito a trovarli e mi dice che non esistono.....

Questo messaggio vuol dire che il file non è stato trovato, ma siccome si trovava all'interno della cartella dei file temporanei, non c'è nulla di strano, evidentemente avevi fatto la pulizia dei file temporanei con aiuto di CCleaner o altro.

[balla01]

Grazie 1000 amantide !! ho navigato tutt oggi e nn ho avuto nessun problema credo di aver risolto!!!!!


Grazie davvero