dove sono andati i miei files infetti ?

Post by padita » Thu Jan 17, 2008 7:39 am

Hi everyone. Today's problem is this:
I installed Avast Home and ran a scan of the PC. At the end Avast reports having found infected files that it cannot remove because the files don't support it (if I remember correctly). I try to delete them physically by going to the directories indicated, but I can't find them...

I close Avast and open the log, which shows me only some of the previous warnings; the others are no longer there.

I ask:

1) where did the files I can no longer find end up? Were they deleted?

2) is there a quarantine folder in Avast?


3) the files in the Avast log are listed at the "ATTENZIONE" (warning) level: should I delete them or not? For example:

Sign of "Win32:Steal-AO [Trj]" has been found in "D:\EMULE\Incoming\MPC to MP3 Converter with Crack.rar\MPC to MP3 Converter with Crack\keygen.exe" file.

17/01/2008 2.41.25 ULISSE 4064 Sign of "Win32:Agent-PBF [Trj]" has been found in "D:\EMULE\Incoming\Programma Per Convertire File Mpc In Mp3.rar\Toolbook Instructor 2004 Serial.zip\keygen.exe\[UPX]" file.

17/01/2008 2.51.30 ULISSE 4064 Sign of "Win32:Trojan-gen {UPX}" has been found in "D:\EMULE\Incoming\Sail Simulator 4.2.rar\Sail Simulator 4.2.ISO\CRACK\RUNCRACK.EXE\[UPX]\[Embedded#096a0]" file.
Thanks for the help
PADITA
padita
Aficionado
Posts: 36
Joined: Fri Nov 23, 2007 3:07 pm
Location: Napoli
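Added example (not from the thread): a short Python parser for the Avast lines quoted above. The paths Avast reports contain components ending in .rar, .zip or .ISO; everything after such a component is a member inside that archive, and a bracketed component such as [UPX] or [Embedded#...] is an unpacking layer the scanner applied, not a file on disk. The only object Explorer can show is the outermost archive, which is why browsing to the reported path finds nothing. The parser splits each report into that on-disk container and the member path inside it; the set of archive extensions is an assumption.

```python
import os
import re

# Constructed sample: the three Avast detection lines quoted in the opening post
# (the first without the timestamp/host/number prefix, the other two with it).
AVAST_LOG = r"""
Sign of "Win32:Steal-AO [Trj]" has been found in "D:\EMULE\Incoming\MPC to MP3 Converter with Crack.rar\MPC to MP3 Converter with Crack\keygen.exe" file.
17/01/2008 2.41.25 ULISSE 4064 Sign of "Win32:Agent-PBF [Trj]" has been found in "D:\EMULE\Incoming\Programma Per Convertire File Mpc In Mp3.rar\Toolbook Instructor 2004 Serial.zip\keygen.exe\[UPX]" file.
17/01/2008 2.51.30 ULISSE 4064 Sign of "Win32:Trojan-gen {UPX}" has been found in "D:\EMULE\Incoming\Sail Simulator 4.2.rar\Sail Simulator 4.2.ISO\CRACK\RUNCRACK.EXE\[UPX]\[Embedded#096a0]" file.
"""

# Optional prefix "date time host number", then the detection sentence itself.
DETECTION_RE = re.compile(
    r'^(?:(?P<timestamp>\d{2}/\d{2}/\d{4} \d{1,2}\.\d{2}\.\d{2}) (?P<host>\S+) (?P<num>\d+) )?'
    r'Sign of "(?P<signature>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

# Container formats the scanner opens and reports nested paths for (assumption).
ARCHIVE_EXT = {".rar", ".zip", ".iso", ".7z", ".cab"}


def _is_unpacker_layer(component):
    # [UPX], [Embedded#096a0] and similar are scanner unpacking stages, not files.
    return component.startswith("[") and component.endswith("]")


def parse_avast_line(line):
    """Split one Avast report into the on-disk container and the member inside it."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("path").split("\\")
    # First component with an archive extension is the outermost thing on disk.
    idx = next((i for i, p in enumerate(parts)
                if os.path.splitext(p)[1].lower() in ARCHIVE_EXT), None)
    if idx is None:
        disk, inner = parts, []          # loose file, nothing nested
    else:
        disk, inner = parts[: idx + 1], parts[idx + 1:]
    disk = [p for p in disk if not _is_unpacker_layer(p)]
    return {
        "timestamp": m.group("timestamp") or "",
        "signature": m.group("signature"),
        "on_disk": "\\".join(disk),
        "inside_archive": "\\".join(p for p in inner if not _is_unpacker_layer(p)),
        "unpacker_layers": [p for p in inner if _is_unpacker_layer(p)],
    }


def parse_avast_log(text):
    return [r for r in (parse_avast_line(l) for l in text.splitlines()) if r]


def files_to_act_on(text):
    """Unique on-disk paths: the objects a user can actually locate in Explorer."""
    return sorted({r["on_disk"] for r in parse_avast_log(text)})


if __name__ == "__main__":
    for row in parse_avast_log(AVAST_LOG):
        print(row["signature"], "->", row["on_disk"], "::", row["inside_archive"])
```

For the three sample lines `files_to_act_on` returns the three .rar files in D:\EMULE\Incoming; the keygen.exe and RUNCRACK.EXE members exist only inside them.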

Post by ste_95 » Thu Jan 17, 2008 7:43 am

The files you listed are eMule downloads, which are infected 90% of the time; you shouldn't have any trouble deleting them manually...

Post a HijackThis log following this procedure:

Download HijackThis
Save it in a folder (don't open it directly, otherwise it won't make the backups!)
Open the executable
Then click on "Do a System Scan and Save a Logfile"
Wait for the scan to finish
Then paste the contents of the Notepad window here on the forum.
«Sometimes it is better to remain silent and seem stupid than to open your mouth and remove all doubt.» Oscar Wilde
ste_95
Official Member (Gold)
Posts: 17271
Joined: Mon Aug 06, 2007 11:19 am

Post by padita » Thu Jan 17, 2008 3:43 pm

I'm sending you the HijackThis file.
I don't know where Notepad is, so I pasted it here.
Thanks for the help.

ps how can I learn to read the data myself?

------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.43.09, on 17/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Programmi\Sygate\SPF\smc.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\Programmi\Avast4\aswUpdSv.exe
H:\Programmi\Avast4\ashServ.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\spoolsv.exe
H:\Programmi\ATI Technologies\ATI.ACE\CLI.EXE
H:\WINDOWS\system32\LVCOMSX.EXE
H:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\PROGRA~1\Avast4\ashDisp.exe
H:\Programmi\Microsoft ActiveSync\Wcescomm.exe
H:\WINDOWS\system32\cisvc.exe
H:\Programmi\FolderSize\FolderSizeSvc.exe
H:\WINDOWS\system32\ctfmon.exe
H:\PROGRA~1\MI3AA1~1\rapimgr.exe
H:\Programmi\Power Translator 11\LogoMedia TranslateDotNet Server.exe
H:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
H:\Programmi\Nokia\Nokia PC Phone\NokiaPcPhoneTray.exe
H:\Programmi\Nokia\Nokia PC Phone\bin\NokiaPcPhoneService.exe
H:\Programmi\LogMeIn\x86\RaMaint.exe
H:\Programmi\LogMeIn\x86\LogMeIn.exe
H:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\Programmi\Raxco\PerfectDisk\PDAgent.exe
H:\WINDOWS\System32\snmp.exe
H:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
H:\WINDOWS\System32\PAStiSvc.exe
H:\WINDOWS\system32\svchost.exe
H:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
H:\Programmi\Avast4\ashMaiSv.exe
H:\Programmi\Avast4\ashWebSv.exe
H:\Programmi\PC Connectivity Solution\ServiceLayer.exe
H:\Programmi\Raxco\PerfectDisk\PDEngine.exe
H:\Programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
H:\Programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
H:\Programmi\PC Connectivity Solution\Transports\NclMSBTSrv.exe
H:\Programmi\ATI Technologies\ATI.ACE\cli.exe
H:\Programmi\ATI Technologies\ATI.ACE\cli.exe
H:\WINDOWS\system32\cidaemon.exe
H:\Programmi\Microsoft ActiveSync\WCESMgr.exe
H:\WINDOWS\System32\svchost.exe
H:\Programmi\Microsoft Office\OFFICE11\OUTLOOK.EXE
H:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
H:\PROGRA~1\FREEDO~1\fdm.exe
H:\Programmi\Internet Explorer\IEXPLORE.EXE
H:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - H:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - H:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Programmi\Free Download Manager\iefdm2.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - H:\Programmi\Power Translator 11\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - H:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATICCC] "H:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LVCOMSX] H:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SmcService] H:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "H:\Programmi\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Nokia PC Phone Tray Application.lnk = H:\Programmi\Nokia\Nokia PC Phone\NokiaPcPhoneTray.exe
O8 - Extra context menu item: Aggiungi a PDF esistente - res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scarica con Free Download Manager - file://H:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: Scarica i video con Free Download Manager - file://H:\Programmi\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Scarica selezionati con Free Download Manager - file://H:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Scarica tutto con Free Download Manager - file://H:\Programmi\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Programmi\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - H:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - H:\Programmi\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Barra di ricerca di Encarta - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - H:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - H:\Programmi\Free Download Manager\FUM\fumiebtn.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - H:\Programmi\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/v ... .2.2.1.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - H:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - H:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - H:\Programmi\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - H:\Programmi\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - H:\Programmi\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - H:\Programmi\Avast4\ashWebSv.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - H:\Programmi\Symantec\pcAnywhere\awhost32.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - H:\Programmi\FolderSize\FolderSizeSvc.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - H:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - H:\Programmi\Power Translator 11\LogoMedia TranslateDotNet Server.exe
O23 - Service: LiveUpdate - Symantec Corporation - H:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - H:\Programmi\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - H:\Programmi\LogMeIn\x86\LogMeIn.exe
O23 - Service: PDAgent - Raxco Software, Inc. - H:\Programmi\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - H:\Programmi\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - H:\Programmi\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - H:\Programmi\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - H:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - H:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 12072 bytes
PADITA


Post by ste_95 » Thu Jan 17, 2008 3:47 pm

the log is clean, is Avast still detecting anything?

PS. To learn how to read HijackThis logs, there's an excellent guide:

http://www.MegaLab.it/2286
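Added example, not part of the thread and not code from HijackThis or the linked guide: a Python script that parses the HijackThis line format (section code, dash, body) and applies a few first-pass review heuristics of the kind a reader of such logs learns to make. The rules (O23 services with no publisher name, O16 ActiveX controls installed from a remote URL, O4 autostarts from user-writable folders, R0/R1 pages outside microsoft.com) are assumptions for a first pass, not a verdict on any entry; the sample is a subset of the log posted above plus one constructed O4 line marked [placeholder] so that the path rule has something to fire on.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: lines copied from the posted log, plus ONE constructed O4
# entry (marked [placeholder]) under a temporary folder to exercise the path rule.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - H:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [placeholder] H:\Documents and Settings\user\Impostazioni locali\Temp\placeholder.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - H:\Programmi\Avast4\ashServ.exe
O23 - Service: STI Simulator - Unknown owner - H:\WINDOWS\System32\PAStiSvc.exe
End of file - 12072 bytes
"""

# HijackThis sections are R0-R3, F0-F3, N1-N4 and O1-O24.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section code, body) pairs; banner, process list and footer are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def section_counts(entries):
    return Counter(code for code, _ in entries)


# Heuristic lists (assumptions): folders any user can write to, and the domain
# the default IE start/search pages are expected to point at.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")
EXPECTED_IE_HOSTS = ("microsoft.com",)


def _host(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def triage(entries):
    """First-pass review: return (code, reason, body) for entries worth a closer look."""
    findings = []
    for code, body in entries:
        low = body.lower()
        if code in ("R0", "R1") and "=" in body:
            value = body.split("=", 1)[1].strip()          # text after "Key = "
            if value and not _host(value).endswith(EXPECTED_IE_HOSTS):
                findings.append((code, "IE page setting points outside the expected domain", body))
        elif code == "O4" and any(t in low for t in USER_WRITABLE):
            findings.append((code, "autostart from a user-writable or temporary folder", body))
        elif code == "O16" and re.search(r"https?://", low):
            findings.append((code, "ActiveX control installed from a remote URL; confirm the vendor", body))
        elif code == "O23" and "unknown owner" in low:
            findings.append((code, "service binary carries no publisher name; verify the file", body))
    return findings


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_HJT_LOG)
    print(dict(section_counts(found)))
    for code, reason, body in triage(found):
        print(f"{code}: {reason}\n    {body}")
```

A hit from `triage` is a reading order, not a diagnosis: the two "Unknown owner" services in the posted log, for instance, are ATI and STI components that simply lack a publisher string, which is exactly the kind of thing one checks by hand before deciding anything.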

Post by padita » Thu Jan 17, 2008 4:19 pm

thanks.
now I'll check with avast (only the two HDs concerned) and let you know
PADITA

Post by padita » Fri Jan 18, 2008 10:23 am

I'm sending you the results of the Avast scan
and also a Word attachment for more clarity (it seems the Word file isn't being uploaded).
Anyway only one win32:test agent - C (Trj) was detected, in a folder I deleted afterwards, with the description: E:\my outlook_old\posta inviata.dbx\Message has been disinfected -invio in corso posta elettronica ... etc

I'm also attaching a runscanner log, in case it helps you understand something more.

I think there's something wrong with the system anyway:

1 - the PC shut down while I was starting IE (for this reason I changed antivirus and did the full scan)
2 - when opening Outlook, the Outlook initialization page appeared again, as if it weren't installed. Afterwards it opened normally
3 - after working with IE I closed it, but instead of closing, various windows opened and IE froze.
4 - in HTML format I can't change the font: only little squares appear.
5 - often I can't use accented letters; è comes out as a different symbol, and the same for à, ù etc.

Do you think I need to reinstall Office?

Thank you
---------------------------------------------------------
runscanner log

Runscanner logfile http://www.runscanner.net

* = signed file
- = file not found

000 General info
----------------
Computer name : NEWXP
Creation time : 10/01/2008 7.03.00
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 7.0.5730.11
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.6.1.0
User Language : Italiano (Italia)
User rights : Administrator
Windows folder : H:\WINDOWS

001 Running processes
---------------------
* h:\programmi\microsoft activesync\wcescomm.exe (Microsoft Corporation)
* h:\progra~1\mi3aa1~1\rapimgr.exe (Microsoft Corporation)
* h:\programmi\lavasoft\ad-aware 2007\aawservice.exe (Lavasoft AB)
h:\programmi\antivir personaledition classic\avguard.exe (Avira GmbH)
h:\programmi\antivir personaledition classic\sched.exe (Avira GmbH)
h:\programmi\antivir personaledition classic\avgnt.exe (Avira GmbH)
h:\programmi\file comuni\apple\mobile device support\bin\applemobiledeviceservice.exe (Apple, Inc.)
* h:\windows\system32\alg.exe (Microsoft Corporation)
* h:\windows\system32\winlogon.exe (Microsoft Corporation)
* h:\windows\system32\services.exe (Microsoft Corporation)
* h:\windows\system32\ati2evxx.exe (ATI Technologies Inc.)
* h:\windows\system32\ati2evxx.exe (ATI Technologies Inc.)
h:\programmi\ati technologies\ati.ace\cli.exe (ATI Technologies Inc.)
h:\programmi\ati technologies\ati.ace\cli.exe (ATI Technologies Inc.)
h:\programmi\ati technologies\ati.ace\cli.exe (ATI Technologies Inc.)
* h:\windows\system32\csrss.exe (Microsoft Corporation)
* h:\windows\system32\cisvc.exe (Microsoft Corporation)
* h:\windows\system32\ctfmon.exe (Microsoft Corporation)
* h:\windows\explorer.exe (Microsoft Corporation)
h:\progra~1\freedo~1\fdm.exe (FreeDownloadManager.ORG)
* h:\windows\system32\svchost.exe (Microsoft Corporation)
* h:\windows\system32\svchost.exe (Microsoft Corporation)
* h:\windows\system32\svchost.exe (Microsoft Corporation)
* h:\windows\system32\svchost.exe (Microsoft Corporation)
* h:\windows\system32\svchost.exe (Microsoft Corporation)
* h:\windows\system32\svchost.exe (Microsoft Corporation)
* h:\programmi\hp\digital imaging\bin\hpqste08.exe (Hewlett-Packard Development Company, L.P.)
* h:\programmi\hp\digital imaging\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
* h:\windows\system32\cidaemon.exe (Microsoft Corporation)
* h:\programmi\logmein\x86\logmein.exe (LogMeIn, Inc.)
* h:\programmi\logmein\x86\ramaint.exe (LogMeIn, Inc.)
h:\programmi\power translator 11\logomedia translatedotnet server.exe (Language Engineering Corporation, LLC)
* h:\windows\system32\lsass.exe (Microsoft Corporation)
h:\windows\system32\lvcomsx.exe (Logitech Inc.)
* h:\programmi\file comuni\microsoft shared\vs7debug\mdm.exe (Microsoft Corporation)
h:\programmi\netgear wg311v2 adapter\wlancfg5.exe
* h:\windows\system32\pastisvc.exe
* h:\programmi\raxco\perfectdisk\pdagent.exe (Raxco Software, Inc.)
* h:\programmi\raxco\perfectdisk\pdengine.exe (Raxco Software, Inc.)
* c:\downloads\controllo e rimozione malware\runscanner.exe (Runscanner.net)
* h:\windows\system32\snmp.exe (Microsoft Corporation)
h:\programmi\analog devices\soundmax\smagent.exe (Analog Devices, Inc.)
* h:\windows\system32\spoolsv.exe (Microsoft Corporation)
* h:\programmi\sygate\spf\smc.exe (Sygate Technologies, Inc.)
* h:\windows\system32\smss.exe (Microsoft Corporation)
* h:\windows\system32\wbem\wmiprvse.exe (Microsoft Corporation)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
h:\programmi\ati technologies\ati.ace\clistart.exe
h:\programmi\antivir personaledition classic\avgnt.exe (Avira GmbH)
h:\windows\system32\lvcomsx.exe (Logitech Inc.)
* h:\progra~1\sygate\spf\smc.exe (Sygate Technologies, Inc.)

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
h:\programmi\antivir personaledition classic\avcenter.exe (Avira GmbH)

005 H:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
----------------------------------------------------------------------------------
* h:\progra~1\hp\digita~1\bin\hpqtra08.exe (Hewlett-Packard Development Company, L.P.)
h:\progra~1\netgea~1\wlancfg5.exe

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
* h:\programmi\lavasoft\ad-aware 2007\aawservice.exe (Ad-Aware 2007 Service)
h:\programmi\file comuni\adobe systems shared\service\adobelmsvc.exe (Adobe LM Service)
h:\programmi\antivir personaledition classic\avguard.exe (AntiVir PersonalEdition Classic Guard)
h:\programmi\antivir personaledition classic\sched.exe (AntiVir PersonalEdition Classic Scheduler)
h:\programmi\file comuni\apple\mobile device support\bin\applemobiledeviceservice.exe (Apple Mobile Device)
h:\windows\system32\ati2sgag.exe (ATI Smart)
h:\programmi\file comuni\macrovision shared\flexnet publisher\fnplicensingservice.exe (FLEXnet Licensing Service)
h:\programmi\power translator 11\logomedia translatedotnet server.exe (LEC TranslateDotNet Server)
* h:\programmi\logmein\x86\logmein.exe (LogMeIn)
* h:\programmi\logmein\x86\ramaint.exe (LogMeIn Maintenance Service)
h:\programmi\microsoft sql server\80\tools\binn\sqladhlp.exe (MSSQLServerADHelper)
* h:\programmi\raxco\perfectdisk\pdagent.exe (PDAgent)
* h:\programmi\raxco\perfectdisk\pdengine.exe (PDEngine)
h:\windows\system32\hpzipm12.exe (Pml Driver HPZ12)
* h:\programmi\ipod\bin\ipodservice.exe (Servizio iPod)
h:\programmi\analog devices\soundmax\smagent.exe (SoundMAX Agent Service)
* h:\programmi\sygate\spf\smc.exe (Sygate Personal Firewall)
* H:\WINDOWS\system32\tuneupdefragservice.exe (TuneUp Drive Defrag Service)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
* h:\programmi\antivir personaledition classic\avgio.sys (avgio)
* h:\programmi\antivir personaledition classic\avgntflt.sys (avgntflt)
* H:\WINDOWS\system32\drivers\avipbb.sys (avipbb)
- h:\windows\system32\drivers\changer.sys (Changer)
* h:\windows\system32\drivers\defragfs.sys (DefragFS)
* H:\WINDOWS\system32\drivers\hamachi.sys (Hamachi Network Interface)
- h:\windows\system32\drivers\i2omgmt.sys (i2omgmt)
- h:\windows\system32\drivers\lbrtfdc.sys (lbrtfdc)
* H:\WINDOWS\system32\drivers\lmimirr.sys (lmimirr)
* h:\programmi\logmein\x86\rainfo.sys (LogMeIn Kernel Information Provider)
* h:\windows\system32\drivers\lmirfsdriver.sys (LogMeIn Remote File System Driver)
- h:\windows\system32\drivers\pcidump.sys (PCIDump)
- h:\windows\system32\drivers\pdcomp.sys (PDCOMP)
- h:\windows\system32\drivers\pdframe.sys (PDFRAME)
- h:\windows\system32\drivers\pdreli.sys (PDRELI)
- h:\windows\system32\drivers\pdrframe.sys (PDRFRAME)
h:\windows\temp\siwio.sys (SIWIO)
* H:\WINDOWS\system32\drivers\ssmdrv.sys (ssmdrv)
* h:\windows\system32\drivers\wg3n.sys (SyGate for NT, wg3n)
* h:\windows\system32\drivers\wg4n.sys (SyGate for NT, wg4n)
* h:\windows\system32\drivers\wg5n.sys (SyGate for NT, wg5n)
* h:\windows\system32\drivers\wg6n.sys (SyGate for NT, wg6n)
H:\WINDOWS\system32\drivers\dgivecp.sys (Team MFP Comm Driver)
H:\WINDOWS\system32\drivers\teefer.sys (Teefer for NT)
h:\programmi\unlocker\unlockerdriver5.sys (UnlockerDriver5)
H:\WINDOWS\system32\drivers\vnusb.sys (VN Series Device)
H:\WINDOWS\system32\drivers\pcouffin.sys (VSO Software pcouffin)
- h:\windows\system32\drivers\wdica.sys (WDICA)
h:\windows\system32\drivers\wpsdrvnt.sys (wpsdrvnt)

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
H:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
H:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
H:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
h:\programmi\file comuni\microsoft shared\information retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
h:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
h:\programmi\power translator 11\applications\lec ie translation extension.dll (Language Engineering Corporation, LLC) {1DBAB667-A486-421e-AFE4-CF07DD0088E5}

042 HKLM\Software\Microsoft\Internet Explorer\Extensions
--------------------------------------------------------
GUID / CLSID not found {B205A35E-1FC4-4CE3-818B-899DBBB3388C}

047 Trusted zones
-----------------
Zone: secure.ingdirect.it : https://secure.ingdirect.it

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
h:\programmi\free download manager\iefdm2.dll {CC59E0F9-7E43-44FA-9FAA-8377850BF205}
h:\programmi\skype\toolbars\internet explorer\skypeieplugin.dll (Skype Technologies S.A.) {22BF413B-C6D2-4d91-82A9-A0F997BA588C}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
h:\programmi\axcrypt\1.6.2.3\axcrypt.dll (Axantum Software AB) {6F701774-8E07-458B-A15E-8A6C8F0ADCA9}
h:\programmi\ati technologies\ati.ace\atiacmxx.dll {5E2121EE-0300-11D4-8D3B-444553540000}
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
h:\programmi\free download manager\fum\fumshext.dll {F49C55B9-D417-45A1-A6E7-D6E057946280}
* h:\programmi\itunes\itunesminiplayer.dll (Apple Inc.) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
h:\programmi\antivir personaledition classic\shlext.dll (Avira GmbH) {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
h:\windows\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
h:\windows\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
* h:\programmi\tuneup utilities 2008\sdshelex-win32.dll (TuneUp Software GmbH) {4858E7D9-8E12-45a3-B6A3-1CD128C9D403}
* H:\WINDOWS\system32\uxtuneup.dll (TuneUp Software GmbH) {44440D00-FF19-4AFC-B765-9A0970567D97}
h:\programmi\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
------------------------------------------------------------
h:\programmi\file comuni\adobe\acrobat\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
---------------------------------------------------------------------
H:\WINDOWS\system32\lsdelete.exe
* H:\WINDOWS\system32\pdboot.exe (Raxco Software, Inc.)

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
* H:\WINDOWS\system32\lmiinit.dll (LogMeIn, Inc.)

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
H:\WINDOWS\system32\hptcpmon.dll (Hewlett Packard)
* H:\WINDOWS\system32\lmiport.dll (LogMeIn, Inc.)

073 %windir%\Tasks
------------------
1-Click Maintenance.job : h:\programmi\tuneup utilities 2008\oneclick.exe (TuneUp Software GmbH)

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
* h:\windows\system32\macromed\director\swdir.dll (Adobe Systems, Inc.) {166B1BCA-3F9C-11CF-8075-444553540000}
h:\windows\downlo~1\downlo~1.ocx (Akamai Technologies, Inc.) {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
-----------------------------------------------------
Aggiungi a PDF esistente : res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
Converti destinazione link in Adobe PDF : res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Converti destinazione link in file PDF esistente : res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
Converti i link selezionati in Adobe PDF : res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
Converti i link selezionati in file PDF esistente : res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
Converti in Adobe PDF : res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Converti selezione in Adobe PDF : res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Converti selezione in file PDF esistente : res://H:\Programmi\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
E&sporta in Microsoft Excel : res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Scarica con Free Download Manager : file://H:\Programmi\Free Download Manager\dllink.htm
Scarica i video con Free Download Manager : file://H:\Programmi\Free Download Manager\dlfvideo.htm
Scarica selezionati con Free Download Manager : file://H:\Programmi\Free Download Manager\dlselected.htm
Scarica tutto con Free Download Manager : file://H:\Programmi\Free Download Manager\dlall.htm

170 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
------------------------------------------------------------------------
{89462122-6ae2-11dc-877c-806d6172696f} : G:\PCOpen.exe

172 HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
---------------------------------------------------------------
* H:\WINDOWS\system32\lmirfsclientnp.dll (LogMeIn, Inc.)

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
h:\programmi\antivir personaledition classic\shlext.dll (Avira GmbH) {45AC2688-0253-4ED8-97DE-B5370FA7D48A}
* h:\programmi\tuneup utilities 2008\sdshelex-win32.dll (TuneUp Software GmbH) {4858E7D9-8E12-45a3-B6A3-1CD128C9D403}
h:\programmi\axcrypt\1.6.2.3\axcrypt.dll (Axantum Software AB) {6F701774-8E07-458B-A15E-8A6C8F0ADCA9}
h:\programmi\winrar\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
PADITA
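Added example (not from the thread and not Runscanner's own code): a parser for the Runscanner section format used in the log above, which applies the log's own legend ("*" = signed file, "-" = file not found) to the kernel-driver section. A "-" entry is a service registration whose .sys no longer exists, an entry without "*" is present but unsigned, and an added location check reports a driver registered from a temporary folder, which is worth confirming against the product that installed it. The sample is a subset of the posted log; the temporary-folder list is an assumption.

```python
import re

# Constructed sample: the legend plus a subset of sections 010 and 011 from the posted log.
SAMPLE_RUNSCANNER_LOG = r"""
Runscanner logfile http://www.runscanner.net

* = signed file
- = file not found

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
* h:\programmi\lavasoft\ad-aware 2007\aawservice.exe (Ad-Aware 2007 Service)
h:\windows\system32\ati2sgag.exe (ATI Smart)
* h:\programmi\sygate\spf\smc.exe (Sygate Personal Firewall)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
* h:\programmi\antivir personaledition classic\avgio.sys (avgio)
- h:\windows\system32\drivers\changer.sys (Changer)
* H:\WINDOWS\system32\drivers\hamachi.sys (Hamachi Network Interface)
- h:\windows\system32\drivers\pcidump.sys (PCIDump)
h:\windows\temp\siwio.sys (SIWIO)
h:\programmi\unlocker\unlockerdriver5.sys (UnlockerDriver5)
- h:\windows\system32\drivers\wdica.sys (WDICA)
"""

# "NNN title" followed by a line of dashes opens a section; entries are
# "[* or -] path (name)" where the flag and the parenthesised name are optional.
SECTION_HEADER = re.compile(r"^(?P<num>\d{3}) (?P<title>.+)$")
ENTRY = re.compile(r"^(?:(?P<flag>[*-]) )?(?P<path>.+?)(?: \((?P<name>[^()]*)\))?$")


def parse_runscanner(text):
    """Map section number -> {"title", "entries"}; an entry is {"flag", "path", "name"}."""
    sections, current = {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        line = line.strip()
        if not line or set(line) == {"-"}:
            continue                      # blank line or the dashed underline
        m = SECTION_HEADER.match(line)
        if m and i + 1 < len(lines) and set(lines[i + 1].strip()) == {"-"}:
            current = m.group("num")
            sections[current] = {"title": m.group("title"), "entries": []}
            continue
        if current is None:
            continue                      # banner and legend before the first section
        e = ENTRY.match(line)
        sections[current]["entries"].append(
            {"flag": e.group("flag") or "", "path": e.group("path"), "name": e.group("name") or ""}
        )
    return sections


# Folders a kernel driver is not normally installed from (assumption).
TEMP_DIRS = ("\\windows\\temp\\", "\\documents and settings\\", "\\temp\\")


def review_drivers(sections):
    """Sort the driver section by the legend, plus a location check on the path."""
    report = {"missing": [], "unsigned": [], "temp_location": []}
    drivers = next((s for s in sections.values() if s["title"].endswith("(drivers)")), None)
    if drivers is None:
        return report
    for e in drivers["entries"]:
        if e["flag"] == "-":
            report["missing"].append(e["name"])       # still registered, .sys is gone
        elif e["flag"] != "*":
            report["unsigned"].append(e["name"])      # present, no valid signature
        if any(t in e["path"].lower() for t in TEMP_DIRS):
            report["temp_location"].append(e["name"])
    return report


if __name__ == "__main__":
    for key, names in review_drivers(parse_runscanner(SAMPLE_RUNSCANNER_LOG)).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

The "missing" list is the least interesting of the three in practice (stale registrations left by uninstalled tools); "unsigned" and "temp_location" are where a reviewer spends time, and on the posted log they name two legitimate utilities, which is the usual outcome.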

Post by ste_95 » Fri Jan 18, 2008 1:58 pm

I didn't notice anything in runscanner; could you run the autostart and rootkit section scans with gmer?

Post by padita » Fri Jan 18, 2008 2:49 pm

ok I've started it.
on the first attempt gmer threw an error and froze.
I restarted it and ran the scans one item at a time.
It freezes on the partition containing the Vista OS.

I'm attaching the log file I saved.

bye
PADITA