www.MegaLab.it

[luogotenente]

buonasera, mi esce sempre più spesso la finestra con la scritta ,per esempio se apro internet explorer.exe immagine danneggiata L'APPLICAZIONE o DLL c:\windows\sistem32\ravefuge.dll non è un'immagine valida di windows. Verificare con il dischetto di installazione. quanto detto viene fuori all'apertura di ogni programma. al riavvio di win mi vengono fuori tante altre finestre come: service.exe,sixengine.exe,clistart.exe,nodkui.exe (circa 20 finestre) tutte seguite dalla scritta sopradetta. posso fare qualcosa senza formattare? grazie

[nannolo]

Start -> Esegui -> "sfc /scannow". Probabilmente ti chiederà di inserire il CD di Windows.

[luogotenente]

provato,mi dice impossibile trovare il file. grazie

[crazy.cat]

Visto che il file ravefuge.dll sembra non esistere su google puzza tanto di virus.
cominciamo a vedere una scansione di hijackthis e poi decideremo cosa fare.

[luogotenente]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.00.36, on 25/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe
C:\Programmi\Windows Desktop Search\WindowsSearch.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\zeropop.exe
C:\WINDOWS\system32\mioengine.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmi\eMule\emule.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MjTunes.com Toolbar - {908abdd0-74d6-433b-aed5-8f3e7f792319} - C:\Programmi\MjTunes.com\tbMjTu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programmi\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programmi\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MjTunes.com Toolbar - {908abdd0-74d6-433b-aed5-8f3e7f792319} - C:\Programmi\MjTunes.com\tbMjTu.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programmi\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\Six Engine\SixEngine.exe" -r
O4 - HKLM\..\Run: [StartCCC] "C:\Programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [swoka] "c:\documents and settings\gianni\impostazioni locali\dati applicazioni\swoka.exe" swoka
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Programmi\XP Repair Pro\xprepairpro.exe /s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-21-854245398-879983540-725345543-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Gianluca')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 0pop.lnk = C:\Programmi\zeropop.exe
O4 - Startup: My Vodafone.it.lnk = C:\Documents and Settings\Gianni\Dati applicazioni\mioObjects\[objects]\69GWEU9386MTAR08.mio
O4 - Global Startup: TL-WN321G Wireless Utility.lnk = C:\Programmi\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe
O4 - Global Startup: Windows Search.lnk = C:\Programmi\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9072164484
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\ravufuge.dll C:\WINDOWS\system32\mivawubi.dll C:\WINDOWS\system32\fagefute.dll c:\windows\system32\fitozeba.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe

--
End of file - 6255 bytes

[ba_61]

Start -> Esegui -> "sfc /scannow".

provato,mi dice impossibile trovare il file

Digita solo sfc /scannow senza virgolette.

[crazy.cat]

Rifai la scansione con hijackthis, selezioni le caselle di queste righe e premi fix checked per eliminarle.
O4 - HKCU\..\Run: [swoka] "c:\documents and settings\gianni\impostazioni locali\dati applicazioni\swoka.exe" swoka
O20 - AppInit_DLLs: C:\WINDOWS\system32\ravufuge.dll C:\WINDOWS\system32\mivawubi.dll C:\WINDOWS\system32\fagefute.dll c:\windows\system32\fitozeba.dll

Scarica Avenger
Estrailo in una cartella a tua scelta
Esegui il file avenger.exe con la figura di una spada
Ora incolla queste righe nel box bianco che si è aperto:

Codice: Seleziona tutto

Files to delete:
c:\documents and settings\gianni\impostazioni locali\dati applicazioni\swoka.exe
c:\documents and settings\gianni\impostazioni locali\dati applicazioni\swoka.dat
c:\documents and settings\gianni\impostazioni locali\dati applicazioni\swoka_nav.dat
c:\documents and settings\gianni\impostazioni locali\dati applicazioni\swoka_navps.dat
C:\WINDOWS\system32\ravufuge.dll
C:\WINDOWS\system32\mivawubi.dll
C:\WINDOWS\system32\fagefute.dll
c:\windows\system32\fitozeba.dll


Togli il segno di spunta dalla voce Scan for Rootkits
Premi il pulsante Execute
Rispondi di Si alle due richieste di Avenger
Adesso il tuo computer dovrebbe riavviarsi, nel caso non succedesse, riavvialo tu manualmente
Al riavvio del computer, copia e incolla qui il contenuto del blocco note che apparirà.

Se ti da un errore di script errato, prova a riscrivere manualmente la prima riga (Files to delete:) ricordando i due punti.

[luogotenente]

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File "c:\documents and settings\gianni\impostazioni locali\dati applicazioni\swoka.exe" deleted successfully.
File "c:\documents and settings\gianni\impostazioni locali\dati applicazioni\swoka.dat" deleted successfully.
File "c:\documents and settings\gianni\impostazioni locali\dati applicazioni\swoka_nav.dat" deleted successfully.
File "c:\documents and settings\gianni\impostazioni locali\dati applicazioni\swoka_navps.dat" deleted successfully.
File "C:\WINDOWS\system32\ravufuge.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\mivawubi.dll" not found!
Deletion of file "C:\WINDOWS\system32\mivawubi.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist


Error: file "C:\WINDOWS\system32\fagefute.dll" not found!
Deletion of file "C:\WINDOWS\system32\fagefute.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist


Error: file "c:\windows\system32\fitozeba.dll" not found!
Deletion of file "c:\windows\system32\fitozeba.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
the object does not exist

[ste_95]

Scarica ComboFix ed esegui una scansione, le istruzioni le trovi in fondo a questo articolo.

[luogotenente]

buonsera ho scansionato sia con combofix sia con virtumundo e allego i risultai. Comunque le famigerate finestre non si aprono più.ComboFix 08-12-24.01 - Gianni 2008-12-26 0.29.27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.2047.1463 [GMT 1:00]
Eseguito da: c:\documents and settings\Gianni\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programmi\INSTALL.LOG
c:\windows\system32\akivigir.ini
c:\windows\system32\igevibik.ini
c:\windows\system32\olumivuk.ini
c:\windows\system32\sasoresi.dll
c:\windows\system32\zitosaba.dll
H:\copy.exe

.
((((((((((((((((((((((((( Files Creati Da 2008-11-25 al 2008-12-25 )))))))))))))))))))))))))))))))))))
.

2008-12-25 22:50 . 2008-12-25 22:50 <DIR> d-------- C:\VundoFix Backups
2008-12-25 11:59 . 2008-12-25 11:59 <DIR> d-------- c:\programmi\Trend Micro
2008-12-24 00:49 . 2008-12-24 00:49 <DIR> d-------- c:\programmi\Enigma Software Group
2008-12-23 19:37 . 2008-12-23 20:06 <DIR> d-------- c:\programmi\XP Repair Pro
2008-12-23 16:58 . 2008-12-23 16:58 <DIR> d-------- c:\programmi\QUAD Utilities
2008-12-22 16:39 . 2008-12-22 16:39 <DIR> d-------- c:\documents and settings\Gianni\Dati applicazioni\Desktop Mechanic
2008-12-19 13:15 . 2008-12-19 13:15 0 --a------ C:\proc.id
2008-12-19 13:15 . 2008-12-19 13:15 0 --a------ C:\asdasd.asdasd
2008-12-19 10:35 . 2008-12-19 10:35 <DIR> d-------- c:\documents and settings\Gianni\Dati applicazioni\Malwarebytes
2008-12-19 10:35 . 2008-12-19 10:35 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2008-12-18 22:57 . 2008-12-18 22:57 <DIR> d-------- C:\fsaua.data
2008-12-18 09:07 . 2008-12-23 20:12 <DIR> d-------- c:\programmi\Panda Security
2008-12-17 19:55 . 2008-10-16 02:00 1,499,648 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2008-12-17 18:56 . 2008-12-23 16:39 <DIR> d-------- c:\programmi\Registry Easy
2008-12-16 20:32 . 2008-12-22 19:50 <DIR> d-a------ c:\documents and settings\All Users\Dati applicazioni\TEMP
2008-12-16 20:23 . 2007-10-04 09:01 66,048 --a------ c:\windows\ieResetIcons.exe
2008-12-16 18:36 . 2008-12-16 18:43 <DIR> d-------- c:\programmi\Angle Interactive
2008-12-16 18:36 . 2008-12-16 18:36 <DIR> d-------- C:\ProgramData
2008-12-15 17:16 . 2008-12-15 19:37 <DIR> d-------- c:\documents and settings\Gianluca\Dati applicazioni\U3
2008-12-13 12:25 . 2008-12-13 12:25 0 --a------ c:\windows\nsreg.dat
2008-12-11 23:03 . 2008-12-11 23:03 <DIR> d-------- c:\documents and settings\Gianni\Dati applicazioni\Windows Search

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 18:57 --------- d-----w c:\programmi\eMule
2008-12-25 14:30 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Google Updater
2008-12-24 12:13 --------- d-----w c:\programmi\Free Video Converter
2008-12-16 21:13 --------- d-----w c:\programmi\Google
2008-12-16 19:24 --------- d-----w c:\programmi\PeerGuardian2
2008-11-10 23:21 --------- d-----w c:\programmi\File comuni\Adobe
2008-11-10 02:31 --------- d-----w c:\documents and settings\Gianluca\Dati applicazioni\Windows Desktop Search
2008-11-09 19:24 --------- d-----w c:\programmi\Windows Desktop Search
2008-11-09 19:24 --------- d-----w c:\documents and settings\Gianni\Dati applicazioni\Windows Desktop Search
2008-10-25 17:38 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-10-25 17:38 --------- d-----w c:\programmi\EtalonSoft
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:04 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 17:48 407,047 ----a-w c:\windows\system32\mioengine.exe
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2006-06-24 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2003-08-19 00:04 1,024,512 ----a-w c:\programmi\zeropop.exe
2008-09-10 06:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012008091020080911\index.dat
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{908abdd0-74d6-433b-aed5-8f3e7f792319}]
2008-08-05 01:13 1610264 --a------ c:\programmi\MjTunes.com\tbMjTu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{908abdd0-74d6-433b-aed5-8f3e7f792319}"= "c:\programmi\MjTunes.com\tbMjTu.dll" [2008-08-05 1610264]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{908ABDD0-74D6-433B-AED5-8F3E7F792319}"= "c:\programmi\MjTunes.com\tbMjTu.dll" [2008-08-05 1610264]

[HKEY_CLASSES_ROOT\clsid\{908abdd0-74d6-433b-aed5-8f3e7f792319}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\programmi\Messenger\msmsgs.exe" [2008-04-14 1695232]
"XPRepairBusiness"="c:\programmi\XP Repair Pro\xprepairpro.exe" [2005-10-31 1228800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2008-05-14 5958656]
"StartCCC"="c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"nod32kui"="c:\programmi\Eset\nod32kui.exe" [2008-08-14 949376]
"EPSON Stylus C46 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE" [2004-01-13 99840]
"DeltaIITaskbarApp"="c:\windows\system32\DeltaIITray.exe" [2008-03-03 236040]
"M-Audio Taskbar Icon"="c:\windows\System32\DeltaIITray.exe" [2008-03-03 236040]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-26 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Gianni\Menu Avvio\Programmi\Esecuzione automatica\
0pop.lnk - c:\programmi\zeropop.exe [2003-08-19 1024512]
My Vodafone.it.lnk - c:\documents and settings\Gianni\Dati applicazioni\mioObjects\[objects]\69GWEU9386MTAR08.mio [2008-10-03 18:48:34 103615]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
TL-WN321G Wireless Utility.lnk - c:\programmi\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe [2008-08-14 622592]
Windows Search.lnk - c:\programmi\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
WinZip Quick Pick.lnk - c:\programmi\WinZip\WZQKPICK.EXE [2008-08-14 106560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL"= 0 (0x0)
"NoDevMgrPage"= 0 (0x0)
"NoConfigPage"= 0 (0x0)
"NoVirtMemPage"= 0 (0x0)
"NoFileSysPage"= 0 (0x0)
"NoNetSetup"= 0 (0x0)
"NoNetSetupIDPage"= 0 (0x0)
"NoNetSetupSecurityPage"= 0 (0x0)
"NoWorkgroupContents"= 0 (0x0)
"NoEntireNetwork"= 0 (0x0)
"NoFileSharingControl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictRun"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\programmi\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\system32\\searchindexer.exe"=
"c:\\Programmi\\Google\\Google Updater\\GoogleUpdater.exe"=
"c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10a.exe"=

R0 mv61xx;mv61xx;c:\windows\system32\DRIVERS\mv61xx.sys [2008-08-14 150568]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-08-14 15424]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\DRIVERS\deltaII.sys [2008-09-10 302728]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1e51x86.sys [2008-08-14 36864]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Gianni\IMPOST~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7edcfaed-cab8-11dd-85aa-001478eb4b82}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contenuto della cartella 'Scheduled Tasks'

2008-12-25 c:\windows\Tasks\Google Software Updater.job
- c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-16 20:31]

2008-12-25 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-04-23 16:17]

2008-12-25 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-04-23 16:17]

2008-12-24 c:\windows\Tasks\Schedule Task Weekly.job
- c:\programmi\Registry Easy\RE.exe []
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-updateMgr - c:\programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-DeltTray - DeltTray.exe


.
------- Supplementare di scansione -------
.
uStart Page = www.libero.it/
mStart Page = about:blank
mWindow Title = Microsoft Internet Explorer
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-26 00:32:25
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\imon.dll
c:\programmi\Eset\pr_imon.dll
.
------------------------ Altri processi in esecuzione ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\programmi\ESET\nod32krn.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\WgaTray.exe
c:\combofix\hidec.exe
c:\programmi\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\programmi\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\mioengine.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Ora fine scansione: 2008-12-26 0:35:57 - macchina è stato riavviato
ComboFix-quarantined-files.txt 2008-12-25 23:34:39

Pre-Run: 20.667.199.488 byte disponibili
Post-Run: 21,174,599,680 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

212 --- E O F --- 2008-12-20 09:00:32



[12/26/2008, 0:20:42] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Gianni\Desktop\VirtumundoBeGone.exe" )
[12/26/2008, 0:20:51] - Detected System Information:
[12/26/2008, 0:20:51] - Windows Version: 5.1.2600, Service Pack 3
[12/26/2008, 0:20:51] - Current Username: Gianni (Admin)
[12/26/2008, 0:20:51] - Windows is in NORMAL mode.
[12/26/2008, 0:20:51] - Searching for Browser Helper Objects:
[12/26/2008, 0:20:51] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/26/2008, 0:20:51] - BHO 2: {908abdd0-74d6-433b-aed5-8f3e7f792319} (MjTunes.com Toolbar)
[12/26/2008, 0:20:51] - BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[12/26/2008, 0:20:51] - BHO 4: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[12/26/2008, 0:20:51] - BHO 5: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} (Google Dictionary Compression sdch)
[12/26/2008, 0:20:51] - BHO 6: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[12/26/2008, 0:20:51] - Finished Searching Browser Helper Objects
[12/26/2008, 0:20:51] - Finishing up...
[12/26/2008, 0:20:51] - Nothing found! Exiting...

[ste_95]

Bon, direi che di problemi non dovresti più riscontrarne, confermi?

[luogotenente]

Buongiorno, per il momento tutto procede bene. Tempestivi e professionali come sempre . Grazie di cuore e tanti auguri.