Hi Steven, here are the logs after doing what you suggested:
Avenger:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Sun Mar 29 18:00:10 2009
17:59:50: Error: Invalid registry syntax in command:
"[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wvnwzv]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:00:10: Error: Execution aborted by user!
//////////////////////////////////////////
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Platform: Windows XP (build 2600, Service Pack 2)
Sun Mar 29 18:01:09 2009
18:00:54: Error: Invalid registry syntax in command:
"[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wvnwzv]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:00:56: Error: Invalid registry syntax in command:
"[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zszrn]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
//////////////////////////////////////////
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "c:\windows\System32\Drivers\SjyPkt.sys" not found!
Deletion of file "c:\windows\System32\Drivers\SjyPkt.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Error: file "c:\windows\system32\roekw.dll" not found!
Deletion of file "c:\windows\system32\roekw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
Combofix:
ComboFix 09-03-27.02 - vincenzo 2009-03-29 18.18.44.10 - NTFSx86
Eseguito da: c:\documents and settings\vincenzo.VINCE.000\Documenti\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090328-0] *On-access scanning disabled* (Updated)
FW: PC Tools Firewall Plus *disabled*
.
((((((((((((((((((((((((( Files Creati Da 2009-02-28 al 2009-03-29 )))))))))))))))))))))))))))))))))))
.
2009-03-29 15:32 . 2009-03-29 15:32 2,572 --a------ c:\windows\system32\PerfStringBackup.TMP
2009-03-25 18:58 . 2009-03-26 20:27 <DIR> d-------- c:\documents and settings\vincenzo.VINCE.000\Dati applicazioni\skypePM
2009-03-25 18:53 . 2009-03-25 18:55 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Skype
2009-03-18 19:50 . 2009-03-18 20:47 <DIR> d-------- c:\programmi\PhotoScape
2009-03-02 19:54 . 2009-03-02 19:54 <DIR> d-------- c:\documents and settings\vincenzo.VINCE.000\Dati applicazioni\WirePilot
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 16:07 --------- d---a-w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\TEMP
2009-03-29 14:14 --------- d-----w c:\documents and settings\vincenzo.VINCE.000\Dati applicazioni\HPAppData
2009-03-27 02:36 --------- d-----w c:\programmi\Apoint2K
2009-03-26 18:42 --------- d-----w c:\documents and settings\vincenzo.VINCE.000\Dati applicazioni\Skype
2009-03-25 16:55 --------- d-----w c:\programmi\File comuni\Skype
2009-03-25 16:55 --------- d-----r c:\programmi\Skype
2009-03-25 00:59 --------- d-----w c:\programmi\PC Tools Firewall Plus
2009-03-25 00:51 95,640 ----a-w c:\windows\system32\drivers\pctplfw.sys
2009-03-25 00:51 73,840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-25 00:51 130,424 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-03-11 01:27 --------- d-----w c:\documents and settings\vincenzo.VINCE.000\Dati applicazioni\SiteAdvisor
2009-03-07 01:18 --------- d-----w c:\documents and settings\vincenzo.VINCE.000\Dati applicazioni\LimeWire
2009-03-07 00:09 --------- d-----w c:\programmi\LimeWire
2009-02-15 19:25 --------- d-----w c:\programmi\MP3Gain
2009-02-14 16:57 --------- d-----w c:\documents and settings\vincenzo.VINCE.000\Dati applicazioni\gtk-2.0
2009-02-14 01:24 --------- d-----w c:\documents and settings\vincenzo.VINCE.000\Dati applicazioni\HP
2009-02-14 01:24 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\HP
2009-02-14 01:06 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\WEBREG
2009-02-14 00:18 --------- d-----w c:\programmi\HP
2009-02-14 00:18 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\HP Product Assistant
2009-02-14 00:15 --------- d-----w c:\programmi\Hewlett-Packard
2009-02-14 00:15 --------- d-----w c:\programmi\File comuni\HP
2009-02-14 00:06 --------- d-----w c:\documents and settings\All Users.WINDOWS\Dati applicazioni\Hewlett-Packard
2009-02-13 23:50 --------- d-----w c:\programmi\HP Wireless Printer Adapter
2009-02-13 23:47 --------- d--h--w c:\programmi\InstallShield Installation Information
2009-02-13 23:47 --------- d-----w c:\documents and settings\vincenzo.VINCE.000\Dati applicazioni\InstallShield
2009-02-13 23:42 --------- d-----w c:\programmi\HP Wireless Adapter
2009-02-09 11:20 --------- d-----w c:\programmi\Safari
2009-01-31 16:20 --------- d-----w c:\programmi\File comuni\PC Tools
2009-01-25 16:25 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-03-16 15:59 56,328 ----a-w c:\documents and settings\vincenzo.VINCE.000\Dati applicazioni\GDIPFONTCACHEV1.DAT
2007-09-03 21:07 92,064 ----a-w c:\documents and settings\vincenzo.VINCE.000\mqdmmdm.sys
2007-09-03 21:07 9,232 ----a-w c:\documents and settings\vincenzo.VINCE.000\mqdmmdfl.sys
2007-09-03 21:07 79,328 ----a-w c:\documents and settings\vincenzo.VINCE.000\mqdmserd.sys
2007-09-03 21:07 66,656 ----a-w c:\documents and settings\vincenzo.VINCE.000\mqdmbus.sys
2007-09-03 21:07 6,208 ----a-w c:\documents and settings\vincenzo.VINCE.000\mqdmcmnt.sys
2007-09-03 21:07 5,936 ----a-w c:\documents and settings\vincenzo.VINCE.000\mqdmwhnt.sys
2007-09-03 21:07 4,048 ----a-w c:\documents and settings\vincenzo.VINCE.000\mqdmcr.sys
2007-09-03 21:07 25,600 ----a-w c:\documents and settings\vincenzo.VINCE.000\usbsermptxp.sys
2007-09-03 21:07 22,768 ----a-w c:\documents and settings\vincenzo.VINCE.000\usbsermpt.sys
2007-01-03 15:49 635 ----a-w c:\programmi\File comuni\Cartelle condivise.lnk
2006-01-05 01:12 532,480 ----a-w c:\programmi\cwshredder.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-28_16.52.52.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 19:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 18:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 07:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 06:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 07:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 06:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2009-03-29 16:06:56 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5c8.dat
+ 2009-03-29 16:06:06 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_63c.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-19 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\programmi\Apoint2K\Apoint.exe" [2003-10-08 159744]
"ATIPTA"="c:\programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-11 335872]
"Cpqset"="c:\programmi\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
"RoxioEngineUtility"="c:\programmi\File comuni\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\programmi\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 868352]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"00PCTFW"="c:\programmi\PC Tools Firewall Plus\FirewallGUI.exe" [2009-03-25 2652056]
"avast!"="c:\programmi\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HPWireless"="c:\programmi\HP Wireless Adapter\HPWLAN.exe" [2006-10-04 618496]
"HP Software Update"="c:\programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\programmi\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AGRSMMSG"="AGRSMMSG.exe" [2003-09-30 c:\windows\AGRSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2003-10-08 c:\windows\system32\Ati2mdxx.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-19 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\LimeWire\\LimeWire.exe"=
"c:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"c:\\Programmi\\MSN Messenger\\livecall.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2882:TCP"= 2882:TCP:WWW
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-23 114768]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-01-31 159600]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-11-23 20560]
R2 HPEAPPkt;Realtek EAPPkt Protocol(HP);c:\windows\system32\drivers\HPEAPPkt.sys [2009-02-14 68864]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-01-31 73840]
R3 hpnuhst;HP NUSB Host;c:\windows\system32\drivers\hpnuhst.sys [2009-02-14 12032]
R3 HPNUHUB;HP NUSB Hub;c:\windows\system32\drivers\hpnuhub.sys [2009-02-14 39424]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-01-31 95640]
S3 HPNUCMP;HP NUSB Composite;c:\windows\system32\drivers\hpnucmp.sys [2009-02-14 11648]
S3 RTLWUSB;Wireless Adapter;c:\windows\system32\drivers\hpl8187.sys [2009-02-14 189440]
--- Altri Servizi/Drivers In Memoria ---
*Deregistered* - ALG
*Deregistered* - aswUpdSv
*Deregistered* - AudioSrv
*Deregistered* - avast! Antivirus
*Deregistered* - avast! Mail Scanner
*Deregistered* - avast! Web Scanner
*Deregistered* - Browser
*Deregistered* - btwdins
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - hpqcxs08
*Deregistered* - hpqddsvc
*Deregistered* - ImapiService
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - Net Driver HPZ12
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PCToolsFirewallPlus
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SoundMAX Agent Service (default)
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - UdfReadr_xp
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WMDM PMSP Service
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WudfPf
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aecd59d6-baf0-11dd-9629-00023f6d9a44}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.libero.it/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://it.rd.yahoo.com/customize/ycomp/defaults/su/*http://it.yahoo.com
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Invia a &Bluetooth - c:\programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-03-29 18:25:35
Windows 5.1.2600 Service Pack 2 NTFS
scansione processi nascosti ...
scansione entrate autostart nascoste ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\programmi\HPQ\Default Settings\cpqset.exe????????????7?0?7?5??P???? ?deB???????????????B????????
Scansione files nascosti ...
Scansione completata con successo
Files nascosti: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wvnwzv]
"ServiceDll"="c:\windows\system32\roekw.dll"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\zszrn]
"ServiceDll"="c:\windows\system32\roekw.dll"
.
Ora fine scansione: 2009-03-29 18.33.03
ComboFix-quarantined-files.txt 2009-03-29 16:32:48
Pre-Run: 27.689.336.832 byte disponibili
Post-Run: 27,678,359,552 byte disponibili