Sobonatovada
02-12-2008, 07:19
Hi everyone,
I don't understand what is causing trouble on my PC; I have Windows Vista HP 32-bit on an E8400 / 4 GB RAM.
The PC seems slow for its specs: as soon as Windows starts it is already using over 1.1 GB without running anything, but let's get to the original problem.
I use Avira AntiVir Personal, up to date, and every so often (roughly every hour) it reports a threat, but with a window that does not let me choose an action to remember, as it usually does.
This AntiVir window always appears twice; here are two examples:
http://img133.imageshack.us/img133/2846/antivirtragentjobky6.jpg http://img136.imageshack.us/img136/7333/antivirtrspyagentxlclz2.jpg
I rebooted in Safe Mode and did a thorough clean with CCleaner, ATF Cleaner and ComboFix.
Then I ran:
- UnHackMe, which however did not flag anything as "red"
- Malwarebytes, which also did not report anything
- ComboFix and HijackThis (whose log I attach)
- Glary Utilities, and cleaned everything up
The HijackThis log is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8.15.53, on 02/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\_audio_e_video\Winamp\winampa.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\_utility\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\_utility\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\_utility\Unlocker\UnlockerAssistant.exe
C:\Users\Pimlico\AppData\Local\Temp\dllhst3g.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\_utility\VEXPLITE\MONLITE.EXE
C:\Program Files\_internet\VoipStunt\VoipStunt.exe
C:\Program Files\_utility\RocketDock\RocketDock.exe
C:\Program Files\_utility\UnHackMe\hackmon.exe
C:\Program Files\_internet\eMule\emule.exe
C:\Program Files\_utility\DFIncBackup\DFIncBackup.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\_internet\EasyPHP\EasyPHP.exe
C:\PROGRA~1\_INTER~1\EasyPHP\Apache\bin\apache.exe
C:\PROGRA~1\_INTER~1\EasyPHP\Apache\bin\apache.exe
C:\PROGRA~1\_INTER~1\EasyPHP\MySql\bin\mysqld.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Users\Pimlico\Desktop\UTILITY\Antivirus e Pulizia sistema\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/ig/dell?hl=it&client=dell-row&channel=it&ibd=6081003
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\Pimlico\AppData\Local\Temp\dllhst3g.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\_audio_e_video\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\_utility\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\_utility\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\_utility\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\PROGRAM FILES\_UTILITY\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\_internet\VoipStunt\VoipStunt.exe" -nosplash -minimized
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\_utility\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\_utility\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\_internet\eMule\emule.exe -AutoStart
O4 - HKLM\..\Policies\Explorer\Run: [CmSTP] C:\Windows\System\cmstp.exe /waitservice
O4 - HKCU\..\Policies\Explorer\Run: [Cisvc] C:\Windows\System\cisvc.exe /waitservice
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Esent Utl] C:\Windows\esentutl.exe /waitservice (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Esent Utl] C:\Windows\esentutl.exe /waitservice (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: DFIncBackup.lnk = C:\Program Files\_utility\DFIncBackup\DFIncBackup.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll acaptuser32.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\_utility\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\_utility\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\_utility\AVG\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\_utility\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\PROGRAM FILES\_UTILITY\VEXPLITE\viritsvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
--
End of file - 9349 bytes
The Kaspersky online scan returned: "No malware has been detected"
The full VirIT scan seems OK:
VirIT eXplorer Lite Log
[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
01/12/2008 - 08:12:28
[SCANSIONE DEL REGISTRO]
OK
[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 1442.
Files Totali: 1442.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.
[SCANSIONE DELLA MEMORIA]
[Hidden Services]
Partizan - Partizan - system32\drivers\Partizan.sys
OK
--------------------------------------------------------
01/12/2008 - 16:06:24
[SCANSIONE DEL REGISTRO]
OK
[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 851.
Files Totali: 851.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.
--------------------------------------------------------
01/12/2008 - 16:10:54
[SCANSIONE DEL REGISTRO]
OK
[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[D:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[E:]
[F:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[G:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[H:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[I:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[J:]
[K:]
[L:]
[N:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK
[O:]
BOOT SECTOR: OK
[P:]
BOOT SECTOR: OK
[Q:]
BOOT SECTOR: OK
[R:]
BOOT SECTOR: OK
Chiavi Registro infette: 0.
Files Infetti: 0.
Files Sospetti: 0.
Files Analizzati: 437208.
Files Totali: 437208.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.
From this morning's daily Malwarebytes scan, it has just found 6 infected files:
Malwarebytes' Anti-Malware 1.30
Versione del database: 1410
Windows 6.0.6001 Service Pack 1
02/12/2008 7.32.05
mbam-log-2008-12-02 (07-31-56).txt
Tipo di scansione: Scansione rapida
Elementi scansionati: 51025
Tempo trascorso: 2 hour(s), 31 minute(s), 12 second(s)
Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 0
File infetti: 6
Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)
Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)
Chiavi di registro infette:
(Nessun elemento malevolo rilevato)
Valori di registro infetti:
(Nessun elemento malevolo rilevato)
Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)
Cartelle infette:
(Nessun elemento malevolo rilevato)
File infetti:
C:\Windows\system\mstsc.exe (Trojan.Agent) -> No action taken.
C:\Windows\System32\drivers\rsvp.exe (Trojan.Agent) -> No action taken.
C:\Windows\System32\drivers\cisvc.exe (Trojan.Agent) -> No action taken.
C:\Users\Pimlico\AppData\Roaming\Microsoft\mstsc.exe (Trojan.Agent) -> No action taken.
C:\Windows\System32\drivers\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\Users\Pimlico\AppData\Roaming\spoolsv.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
And despite the deletions, folders containing the various smss.exe, crss.exe, etc. keep being created here:
C:\Users\Pimlico\AppData\Local\Temp\~tmp
I hope you can help me because I don't understand anything anymore!
Feel free to ask me for more information if you need it to understand better.
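The logs in this post show the pattern a responder would look for by hand: autorun entries under Policies\Explorer\Run and a win.ini load= hook, and executables carrying Windows system names (mstsc.exe, spoolsv.exe, cisvc.exe, cmstp.exe, esentutl.exe, smss.exe) sitting in Temp, Roaming, C:\Windows\System or the drivers directory instead of System32. The script below is an added example, not part of the post and not code from HijackThis, Malwarebytes or VirIT; it runs those three checks over a handful of the lines quoted above. The EXPECTED_DIRS table is an assumption about a default Vista 32-bit layout, and two of the sample detection paths (the legitimate System32 spoolsv.exe and a smss.exe inside the ~tmp folder) are constructed for the example rather than copied from the post.

```python
"""Defender-side triage of HijackThis and Malwarebytes output.

Added example, not code from the forum post or from the tools it mentions.
Checks applied:
  1. autorun entries under ...\Policies\Explorer\Run or the legacy win.ini load= hook;
  2. autorun targets living in user-writable profile directories (Temp, Roaming);
  3. executables with a well-known Windows binary name sitting outside the
     directory where that binary is expected (masquerading), or any .exe in a
     driver directory.
"""
import re
from pathlib import PureWindowsPath

# Assumption: where these well-known binaries live on a default Vista 32-bit install.
EXPECTED_DIRS = {
    name: {r"c:\windows\system32"}
    for name in ("smss.exe", "csrss.exe", "spoolsv.exe", "mstsc.exe",
                 "cisvc.exe", "cmstp.exe", "esentutl.exe")
}
# Path fragments of user-writable directories where autorun targets rarely belong.
SUSPICIOUS_DIR_FRAGMENTS = (r"\appdata\local\temp", r"\appdata\roaming")

# Subset of the HijackThis lines from the post (verbatim), including two benign ones.
SAMPLE_HJT_LINES = [
    r"F3 - REG:win.ini: load=C:\Users\Pimlico\AppData\Local\Temp\dllhst3g.exe",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\_utility\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r"O4 - HKLM\..\Policies\Explorer\Run: [CmSTP] C:\Windows\System\cmstp.exe /waitservice",
    r"O4 - HKCU\..\Policies\Explorer\Run: [Cisvc] C:\Windows\System\cisvc.exe /waitservice",
    r"O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Esent Utl] C:\Windows\esentutl.exe /waitservice (User 'SYSTEM')",
    r"O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\_utility\UnHackMe\hackmon.exe",
]

# Paths from the Malwarebytes findings in the post, plus two constructed ones:
# the legitimate spoolsv.exe location (must NOT be flagged) and an smss.exe inside
# the ~tmp folder the poster describes (full file path constructed here).
SAMPLE_DETECTIONS = [
    r"C:\Windows\system\mstsc.exe",
    r"C:\Windows\System32\drivers\rsvp.exe",
    r"C:\Windows\System32\drivers\spoolsv.exe",
    r"C:\Users\Pimlico\AppData\Roaming\spoolsv.exe",
    r"C:\Windows\System32\spoolsv.exe",                     # constructed, benign
    r"C:\Users\Pimlico\AppData\Local\Temp\~tmp\smss.exe",   # constructed
]

# First drive-qualified path ending in .exe; stops before any trailing arguments.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.exe", re.IGNORECASE)


def extract_path(line):
    """Return the first drive-qualified .exe path in a HijackThis line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def location_problem(path):
    """Explain why an executable's location is anomalous, or return None if it looks fine."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
        return f"{name} outside its expected directory ({parent})"
    if parent.endswith(r"\drivers"):
        # The drivers directory holds .sys files; a .exe there is out of place.
        return f"executable inside a driver directory ({parent})"
    if any(frag in parent for frag in SUSPICIOUS_DIR_FRAGMENTS):
        return f"executable in a user-writable profile directory ({parent})"
    return None


def analyse_hjt(lines):
    """Return [(line, [reasons])] for every HijackThis line that trips a check."""
    findings = []
    for line in lines:
        reasons = []
        lowered = line.lower()
        if line.startswith("F3 ") and "win.ini" in lowered:
            reasons.append("legacy win.ini load= hook")
        if r"\policies\explorer\run" in lowered:
            reasons.append(r"autorun via Policies\Explorer\Run")
        path = extract_path(line)
        problem = location_problem(path) if path else None
        if problem:
            reasons.append(problem)
        if reasons:
            findings.append((line, reasons))
    return findings


def analyse_detections(paths):
    """Return {path: reason} for detected files whose location is anomalous."""
    flagged = {}
    for p in paths:
        reason = location_problem(p)
        if reason:
            flagged[p] = reason
    return flagged


if __name__ == "__main__":
    for line, reasons in analyse_hjt(SAMPLE_HJT_LINES):
        print(line)
        for r in reasons:
            print("   ->", r)
    for path, reason in analyse_detections(SAMPLE_DETECTIONS).items():
        print(f"{path}: {reason}")
```

On the sample above the script flags the win.ini hook and the three Policies\Explorer\Run entries (each for two reasons: the persistence location and the misplaced system-named binary) while leaving the Avira and UnHackMe entries alone, and flags five of the six detection paths, passing only the constructed System32 spoolsv.exe. The name table is deliberately small; extending it with the other binaries named in the thread (csrss.exe is already there, rsvp.exe is caught by the driver-directory rule) is a one-line change.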