#1 |
Junior Member
Joined: Mar 2006
Posts: 5

Unable to install antivirus... (posting logs to ask for help!)
Since yesterday I have been infected by some virus that deletes the antivirus .exe files and won't let me install new ones... in short, an annoying situation, especially since I can't even restart the computer in safe mode!?!?!?

Naturally I tried following your advice with various online scans; they found this:

Incident Status Location
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Giampaolo\Cookies\giampaolo@toplist[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Giampaolo\Cookies\giampaolo@toplist[3].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Giampaolo\Dati applicazioni\Mozilla\Firefox\Profiles\0cewvh09.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Giampaolo\Dati applicazioni\Mozilla\Firefox\Profiles\0cewvh09.default\cookies.txt[.xiti.com/]
Virus:Trj/Citifraud.A Disinfected C:\Documents and Settings\Giampaolo\Dati applicazioni\Thunderbird\Profiles\6svlk93j.default\Mail\Local Folders\Inbox[~0000353.~]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect Keylogger v1.4.7.4 ITA [overnet-italia].rar[Perfect Keylogger v1.4.7.4 italiano.exe][bpkun.exe]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect Keylogger v1.4.7.4 ITA [overnet-italia].rar[Perfect Keylogger v1.4.7.4 italiano.exe][bpkvw.exe]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect Keylogger v1.4.7.4 ITA [overnet-italia].rar[Perfect Keylogger v1.4.7.4 italiano.exe][bpkhk.dll]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect Keylogger v1.4.7.4 ITA [overnet-italia].rar[Perfect Keylogger v1.4.7.4 italiano.exe][bpki.dll]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect Keylogger v1.4.7.4 ITA [overnet-italia].rar[Perfect Keylogger v1.4.7.4 italiano.exe][bpkwb.dll]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect Keylogger v1.4.7.4 ITA [overnet-italia].rar[Perfect Keylogger v1.4.7.4 italiano.exe][bpkr.exe]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE.rar[Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE\e-pk1620.zip][embrace.rar][i_bpk2003.exe]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE.rar[Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE\e-pk1620.zip][embrace.rar][i_bpk2003.exe][bpk.exe]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE.rar[Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE\e-pk1620.zip][embrace.rar][i_bpk2003.exe][bpkun.exe]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE.rar[Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE\e-pk1620.zip][embrace.rar][i_bpk2003.exe][bpkvw.exe]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE.rar[Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE\e-pk1620.zip][embrace.rar][i_bpk2003.exe][Setup.exe]
Potentially unwanted tool:Application/PerfectKeylog.B Not disinfected C:\Downloads\Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE.rar[Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE\e-pk1620.zip][embrace.rar][i_bpk2003.exe][bpkhk.dll]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE.rar[Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE\e-pk1620.zip][embrace.rar][i_bpk2003.exe][bpki.dll]
Potentially unwanted tool:Application/PerfectKeyLog.A Not disinfected C:\Downloads\Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE.rar[Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE\e-pk1620.zip][embrace.rar][i_bpk2003.exe][bpkwb.dll]
Potentially unwanted tool:Application/PerfectKeylog.D Not disinfected C:\Downloads\Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE.rar[Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE\e-pk1620.zip][embrace.rar][i_bpk2003.exe][bpk.chm]
Virus:Trj/Killav.AB Not disinfected C:\Downloads\Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE.rar[Perfect.Keylogger.v1.6.2.0.Incl.Keymaker-EMBRACE\e-pk1620.zip][embrace.rar][i_bpk2003.exe][bpkr.exe]
Virus:Trj/Rizalof.gen Disinfected C:\Programmi\Avast4\DATA\moved\setup.exe.2.vir
Virus:Trj/Rizalof.gen Disinfected C:\Programmi\Avast4\DATA\moved\setup.exe.vir
Potentially unwanted tool:Application/Psshutdown.A Not disinfected C:\Programmi\Winamp\Skins\EPS_High-End_System_v1_test.wal[shutdown.exe]

For completeness I'm also posting the HijackThis and GMER logs.... HELP!!!! :-)

Logfile of HijackThis v1.99.1
Scan saved at 14.04.37, on 04/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\nero burning\InCD\InCDsrv.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Programmi\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Apoint\Apoint.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\SpeedswitchXP\SpeedswitchXP.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Apoint\Apntex.exe
C:\Programmi\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programmi\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programmi\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programmi\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programmi\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programmi\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Giampaolo\Menu Avvio\antivirus\gmer.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Giampaolo\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Programmi\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Remote Master] C:\Programmi\Remote Master\Remote Master.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Programmi\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programmi\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Programmi\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Giampaolo\Dati applicazioni\hidires\hidr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MiniMinder.lnk = C:\Programmi\MiniMind\MiniMind.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Programmi\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: IntelWireless - C:\Programmi\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\nero burning\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Programmi\Intel\Wireless\Bin\WLKeeper.exe

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-04 14:12:31
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT d347bus.sys ZwClose
SSDT d347bus.sys ZwCreateKey
SSDT d347bus.sys ZwEnumerateKey
SSDT d347bus.sys ZwEnumerateValueKey
SSDT d347bus.sys ZwOpenKey
SSDT d347bus.sys ZwQueryKey
SSDT d347bus.sys ZwQueryValueKey

---- User code sections - GMER 1.0.12 ----

.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] kernel32.dll!LoadResource 7C809FB5 7 Bytes JMP 27001B70 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] kernel32.dll!FindResourceExW 7C80AC88 7 Bytes JMP 27001AE0 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] kernel32.dll!FindResourceW 7C80BBCE 7 Bytes JMP 27001A60 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] kernel32.dll!SizeofResource 7C80BC69 7 Bytes JMP 27001C20 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] kernel32.dll!LockResource 7C80CC97 5 Bytes JMP 27001CD0 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] kernel32.dll!CreateEventA 7C8308AD 5 Bytes JMP 27001840 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 5 Bytes JMP 004E12D0 C:\Programmi\MSN Messenger\msnmsgr.exe
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] ADVAPI32.dll!CryptDeriveKey 77F5A685 7 Bytes JMP 27001000 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] ADVAPI32.dll!CryptDecrypt 77F5A7B1 2 Bytes JMP 27001050 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] ADVAPI32.dll!CryptDecrypt + 3 77F5A7B4 4 Bytes [ 0A, AF, CC, CC ]
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] USER32.dll!PeekMessageW 77D1929B 5 Bytes JMP 27003760 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] USER32.dll!CreateWindowExW 77D1FF50 5 Bytes JMP 27003270 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] USER32.dll!SetWindowRgn 77D202DD 7 Bytes JMP 27004AB0 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] USER32.dll!CreateDialogParamW 77D284EE 5 Bytes JMP 27004E30 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] USER32.dll!SetWindowPlacement 77D2DF46 5 Bytes JMP 270049D0 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] USER32.dll!FlashWindow 77D55C5C 5 Bytes JMP 27004B50 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] USER32.dll!MessageBoxIndirectW 77D66093 5 Bytes JMP 27004F90 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] USER32.dll!TrackPopupMenuEx 77D6CB1A 5 Bytes JMP 27003F30 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] WS2_32.dll!send 71A3428A 5 Bytes JMP 270095A0 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] WS2_32.dll!WSARecv 71A34318 5 Bytes JMP 27009390 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] WS2_32.dll!recv 71A3615A 5 Bytes JMP 27009200 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] WS2_32.dll!WSASend 71A36233 5 Bytes JMP 27009720 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] WS2_32.dll!closesocket 71A39639 5 Bytes JMP 27009930 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] SHELL32.dll!Shell_NotifyIconW 7CA31B5A 5 Bytes JMP 27002BA0 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] ole32.dll!CoInitializeEx 774CEF6B 5 Bytes JMP 27001D30 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] ole32.dll!CoRegisterClassObject 774E8720 5 Bytes JMP 27001E30 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] WININET.dll!InternetCloseHandle 771BE85D 5 Bytes JMP 27008460 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] WININET.dll!HttpOpenRequestA 771C160A 5 Bytes JMP 27008180 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] WININET.dll!InternetReadFile 771C5BAA 5 Bytes JMP 270082E0 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2768] WININET.dll!HttpSendRequestA 771C7519 5 Bytes JMP 270083B0 C:\Programmi\Messenger Plus! Live\MsgPlusLive1.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[3376] USER32.dll!DialogBoxParamW 77D2662C 5 Bytes JMP 7E1F5415 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[3376] USER32.dll!DialogBoxIndirectParamW 77D32043 5 Bytes JMP 7E38C510 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[3376] USER32.dll!MessageBoxIndirectA 77D3A05A 5 Bytes JMP 7E38C491 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[3376] USER32.dll!DialogBoxParamA 77D3B11C 5 Bytes JMP 7E38C4D5 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[3376] USER32.dll!MessageBoxExW 77D50538 5 Bytes JMP 7E38C3D9 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[3376] USER32.dll!MessageBoxExA 77D5055C 5 Bytes JMP 7E38C413 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[3376] USER32.dll!DialogBoxIndirectParamA 77D56CAD 5 Bytes JMP 7E38C54B C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[3376] USER32.dll!MessageBoxIndirectW 77D66093 5 Bytes JMP 7E38C44D C:\WINDOWS\system32\IEFRAME.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 86F08A18
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE E1B5BC30
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CLOSE E1B5BC30
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_DEVICE_CONTROL E1B5BC30
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 862F7320
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B856C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B856C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B856C1] prosync1.sys
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CREATE E167C4E8
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CLOSE E167C4E8
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_DEVICE_CONTROL E167C4E8
Device \FileSystem\InCDfs \Device\InCDfsComm IRP_MJ_READ 86BE17D8
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 85F382A0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 862408F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 862408F0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 86C68B80
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 86B04D80
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B856C1] prosync1.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE B6976C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE B69737C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 85BDD960
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE B696FAED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION B697A958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION B697D821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA B698638A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA B6985D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS B697FBBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION B6980331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION B698E4F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL B6976B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL B6972948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL B697C46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN B698D79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL B698CC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP B69732FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP B698D1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible B69881F9
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 8635A998
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 8635A998
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 8635A998
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 8635A998
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 8635A998
Device \FileSystem\InCDfs \GLOBAL??\BsUDF IRP_MJ_READ 86BE17D8

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE
ADS C:\WINDOWS\SYSTEM32\DEVENUM.DLL:SummaryInformation
ADS C:\WINDOWS\SYSTEM32\DEVENUM.DLL:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\WINDOWS\SYSTEM32\irftp.exe:SummaryInformation
ADS C:\WINDOWS\SYSTEM32\irftp.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

---- EOF - GMER 1.0.12 ----

Thanks in advance! Giamp
#2 |
Senior Member
Joined: Jan 2003
City: Roma
Posts: 2814
You've caught W32.Beagle.DZ

Follow the procedure; I don't think an automatic removal tool exists for it. There would be 2, but I believe they don't work with this variant. 1 and 2

See if you can find this hidden process with gmer:

O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Giampaolo\Dati applicazioni\hidires\hidr.exe

and kill it. Then scan again with gmer > rootkit and with the antivirus; it might work now.

bye
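A way to do by script what the reply above did by eye, as an added example that is not part of this thread and not code from HijackThis or GMER: parse the O4 (autostart) entries of a HijackThis 1.99 log and flag any whose executable lives under the user profile rather than under Program Files or Windows, which is exactly where the drvsyskit / hidr.exe entry sits. The sample lines are copied from the log posted above; the folder-name list (Italian "Dati applicazioni" is "Application Data", "Impostazioni locali" is "Local Settings") and the single heuristic are my assumptions, not anything the forum or the tools provide.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# HijackThis 1.99.x prints autostart entries in two O4 shapes:
#   O4 - HKLM\..\Run: [ValueName] <command line>
#   O4 - Startup: Shortcut.lnk = <command line>
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
O4_STARTUP_RE = re.compile(
    r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$"
)

# Folders under the user profile from which a legitimate autorun almost never
# executes. Localized Windows XP translates the folder names, so the Italian
# forms seen in this thread are listed beside the English ones (assumption:
# only these two languages are covered).
PROFILE_DIR_MARKERS = (
    "\\application data\\", "\\dati applicazioni\\",
    "\\local settings\\", "\\impostazioni locali\\",
    "\\temp\\", "\\temporary internet files\\",
)


@dataclass(frozen=True)
class Autorun:
    location: str  # e.g. "HKCU\..\Run" or "Startup"
    name: str      # registry value name or shortcut name
    command: str   # command line exactly as HijackThis logged it
    image: str     # executable path extracted from the command line


def extract_image_path(command: str) -> str:
    """Return the program path from a Run value, dropping quotes and arguments.

    Quoted commands end at the closing quote; unquoted ones may contain
    spaces (e.g. C:\\Programmi\\Remote Master\\Remote Master.exe), so the
    path is cut after the first executable extension, not the first space.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.(exe|com|scr|pif|bat|cmd)\b", command, re.IGNORECASE)
    return command[: m.end()] if m else command


def parse_o4(line: str) -> Autorun | None:
    """Parse one O4 line; return None for any other HijackThis line."""
    line = line.strip()
    m = O4_RUN_RE.match(line)
    if m:
        location = f"{m['hive']}\\..\\{m['key']}"
        return Autorun(location, m["name"], m["cmd"], extract_image_path(m["cmd"]))
    m = O4_STARTUP_RE.match(line)
    if m:
        return Autorun(m["key"], m["name"], m["cmd"], extract_image_path(m["cmd"]))
    return None


def suspicious_reasons(entry: Autorun) -> list[str]:
    """Heuristic flags for one autorun; an empty list means nothing stood out."""
    reasons = []
    image = entry.image.lower()
    if any(marker in image for marker in PROFILE_DIR_MARKERS):
        reasons.append("runs from a user-profile data folder, not Program Files or Windows")
    return reasons


def triage(hjt_log: str) -> list[tuple[Autorun, list[str]]]:
    """Return every O4 entry that trips at least one heuristic, with its reasons."""
    flagged = []
    for line in hjt_log.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


# Constructed sample: a subset of the O4 lines from the log posted in this thread.
SAMPLE_HJT_O4 = r"""
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Programmi\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [Remote Master] C:\Programmi\Remote Master\Remote Master.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Giampaolo\Dati applicazioni\hidires\hidr.exe
O4 - Startup: MiniMinder.lnk = C:\Programmi\MiniMind\MiniMind.exe
"""

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_HJT_O4):
        print(f"{entry.location} [{entry.name}] -> {entry.image}")
        for reason in reasons:
            print(f"    ! {reason}")
```

On the sample only the drvsyskit entry is flagged. The flag is a prompt to look, not a verdict: some per-user installers do legitimately drop a Run value pointing into Application Data, so the next step is the one the reply gives, confirming the process in GMER, killing it, and then removing the value from HKCU\Software\Microsoft\Windows\CurrentVersion\Run before rescanning.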