HijackThis log after cleaning up linkoptimizer

How do you remove viruses and spyware? Are credit cards really safe online? Is it possible to browse anonymously? Which programs protect your privacy? How do you protect important files? If you want an answer to these and other questions, this is the right place!

Moderators: kadosh, Luke57

Post by 2PCK8 » 10/08/06 17:48

Logfile of HijackThis v1.99.1
Scan saved at 18.43.07, on 10/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\VIA\RAID\raid_tool.exe
C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe
E:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
C:\Programmi\ATI Technologies\ATI.ACE\cli.exe
E:\Programmi\Azureus\Azureus.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Giacomo\Documenti\hijackthis\HijackThis.exe
C:\Programmi\File comuni\Ahead\lib\NMIndexStoreSvr.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RaidTool] C:\Programmi\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ViewMgr] C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programmi\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{36D0DD1C-2914-4919-9B40-DD32ABC8680E}: NameServer = 85.37.17.4 85.38.28.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{36D0DD1C-2914-4919-9B40-DD32ABC8680E}: NameServer = 85.37.17.4 85.38.28.70
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: \\?\C:\WINDOWS\system32\lpt8.yrn
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: ZZ - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\Giacomo\IMPOST~1\Temp\ZZ.exe

Here is my log, could someone take a look at it?
My PC was infected by linkoptimizer but I'm not entirely sure I removed it 100%.
thanks!!!
bye
2PCK8
Junior User
Posts: 11
Joined: 05/08/06 21:40
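The O20 AppInit_DLLs entry and the O23 service lines in the log above are the ones a responder reads first, so here is an added example (not from this thread and not part of HijackThis) of a small triage in Python: it parses HijackThis "Onn" lines and flags an AppInit_DLLs value that uses the \\?\ prefix or a reserved DOS device base name (lpt8), services with no publisher or running from a Temp directory, and static NameServer entries. The sample log is constructed from lines of the post above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Names Windows reserves for DOS devices. A file whose base name (extension
# stripped) is one of these cannot be opened or deleted through an ordinary
# Win32 path and is reachable only via the \\?\ namespace prefix, which is
# exactly what the O20 line in the log above uses for lpt8.yrn.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section id, e.g. "O20"
    reason: str   # why the line deserves a look
    line: str     # the original log line


def _base_name(path: str) -> str:
    """File name of a Windows path, extension stripped, upper-cased."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.split(".", 1)[0].upper()


def uses_reserved_device_name(path: str) -> bool:
    """True when the last path component is a reserved DOS device name."""
    return _base_name(path) in RESERVED_DEVICE_NAMES


def triage_line(line: str) -> list[Finding]:
    """Findings for one HijackThis 'Onn - ...' line; [] for anything else."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return []
    section, body = m.groups()
    findings: list[Finding] = []

    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body[len("AppInit_DLLs:"):].strip()
        if value:
            findings.append(Finding(section, "AppInit_DLLs is set: the module is loaded "
                                    "into every process that loads user32.dll", line))
        if value.startswith("\\\\?\\"):
            findings.append(Finding(section, "AppInit_DLLs path uses the \\\\?\\ prefix", line))
        if uses_reserved_device_name(value):
            findings.append(Finding(section, "AppInit_DLLs file is named after a reserved "
                                    "DOS device, so Explorer cannot open or delete it", line))

    elif section == "O23" and body.startswith("Service: "):
        # Layout: Service: <name> - <company> - <path>. The company field can
        # itself contain " - " (see the Sysinternals entry), so split from the ends.
        head, _, path = body[len("Service: "):].rpartition(" - ")
        _, _, company = head.partition(" - ")
        if company.strip() in ("", "Unknown owner"):
            findings.append(Finding(section, "service binary has no publisher", line))
        if "\\temp\\" in path.lower():
            findings.append(Finding(section, "service binary runs from a Temp directory", line))

    elif section == "O17" and "NameServer" in body:
        findings.append(Finding(section, "static DNS servers set; confirm they are the ISP's", line))

    return findings


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of a pasted HijackThis log."""
    return [f for line in text.splitlines() for f in triage_line(line)]


# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O17 - HKLM\System\CCS\Services\Tcpip\..\{36D0DD1C-2914-4919-9B40-DD32ABC8680E}: NameServer = 85.37.17.4 85.38.28.70
O20 - AppInit_DLLs: \\?\C:\WINDOWS\system32\lpt8.yrn
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: ZZ - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\Giacomo\IMPOST~1\Temp\ZZ.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

A flag is a prompt for review, not a verdict: the Sysinternals entry in Temp is what RootkitRevealer's own temporary service looks like, and the O17 servers may simply be the ISP's.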

Post by Luke57 » 10/08/06 21:42

Hi, it does indeed need checking.
Download Gmer:
http://www.gmer.net/gmer110.zip
QUOTE:
Unzip the program
Run it and go to the "Rootkit" tab
Click "Scan"
Wait for the scan to finish and click "Copy"
Open Windows Notepad, click Edit and choose Paste
Now select the whole contents of Notepad and copy and paste it into the forum
Also attach the log from the Autostart tab
Luke57
Moderator
Posts: 6410
Joined: 11/08/05 19:10

Post by 2PCK8 » 11/08/06 07:52

First of all, thanks for the reply. Here are the results of the two scans.
Gmer rootkit:
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-11 08:49:33
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 823999C0
Device \Driver\NetBT \Device\NetBT_Tcpip_{B7A34EBB-6AD9-411B-8D08-5B483183FAA9} IRP_MJ_CREATE 82061B60
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 8239A510
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 8239A510
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 8239A510
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 8239A510
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE E1A2D008
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 8239A7C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 8239A7C8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 8208A858
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSEIRP_MJ_READ 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_PNP 81E99B28
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 8239A7C8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 8208A858
Device \Driver\NetBT \Device\NetBT_Tcpip_{36D0DD1C-2914-4919-9B40-DD32ABC8680E} IRP_MJ_CREATE 82061B60
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 8208A858
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE 8208A858
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE 8208A858
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CREATE E1018978
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 82061B60
Device \Driver\00000073 \Device\0000004b IRP_MJ_SYSTEM_CONTROL [F8450F68] sptd.sys
Device \Driver\00000073 \Device\0000004b IRP_MJ_DEVICE_CHANGE [F8465A70] sptd.sys
Device \Driver\00000073 \Device\0000004b IRP_MJ_PNP_POWER [F845E728] sptd.sys
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 82061B60
Device \Driver\00000073 \Device\0000004c IRP_MJ_SYSTEM_CONTROL [F8450F68] sptd.sys
Device \Driver\00000073 \Device\0000004c IRP_MJ_DEVICE_CHANGE [F8465A70] sptd.sys
Device \Driver\00000073 \Device\0000004c IRP_MJ_PNP_POWER [F845E728] sptd.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{4BC9D832-13E3-4BF1-BCB6-C99CD792C0E4} IRP_MJ_CREATE 82061B60
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 82399C78
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_CREATE 82399C78
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSEIRP_MJ_READ 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP_POWER 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSEIRP_MJ_READ 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP_POWER 81ECD8F0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 81F38A80
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 81F38A80
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSEIRP_MJ_READ 81F38A80
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 81F38A80
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 81F38A80
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 81F38A80
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_EA 81F38A80
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 8239A7C8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 81EA8EB0
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_CREATE 81E00788
Device \Driver\viamraid \Device\Scsi\viamraid1 IRP_MJ_CREATE 82399EB0
Device \Driver\viamraid \Device\Scsi\viamraid1 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port4Path0Target0Lun0 IRP_MJ_CREATE 81E00788
Device \Driver\viamraid \Device\Scsi\viamraid1Port2Path0Target0Lun0 IRP_MJ_CREATE 82399EB0
Device \Driver\viamraid \Device\Scsi\viamraid1Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 81FADE08
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_CREATE 81FADE08
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 8207B860
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 81E4E260

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{5999C35E-1E39-4596-9E8D-D173C0BC1CC6}
File D:\System Volume Information\MountPointManagerRemoteDatabase
File D:\System Volume Information\tracking.log
File D:\System Volume Information\_restore{5999C35E-1E39-4596-9E8D-D173C0BC1CC6}
File E:\System Volume Information\MountPointManagerRemoteDatabase
File E:\System Volume Information\tracking.log
File E:\System Volume Information\_restore{5999C35E-1E39-4596-9E8D-D173C0BC1CC6}
File E:\System Volume Information\_restore{86A49D97-8230-471F-8767-68A971C9318B}

---- EOF - GMER 1.0.10 ----

Gmer autostart:

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-11 08:52:10
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName = Ati2evxx.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
NOD32krn /*NOD32 Kernel Service*/@ = "C:\Programmi\Eset\nod32krn.exe"
SecMzm /*SecMzm*/@ = "C:\Programmi\File comuni\System\TGf.exe" /*file not found*/
SLService /*SmartLinkService*/@ = slserv.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@nod32kui"C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE = "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
@NWEReboot /*file not found*/ = /*file not found*/
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@RaidToolC:\Programmi\VIA\RAID\raid_tool.exe pd = C:\Programmi\VIA\RAID\raid_tool.exe pd
@RemoteControl"C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" = "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
@ATICCC"C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay = "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
@ViewMgrC:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe = C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe
@SunJavaUpdateSchedE:\Programmi\Java\jre1.5.0_06\bin\jusched.exe = E:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
@UnlockerAssistant"C:\Programmi\Unlocker\UnlockerAssistant.exe" /*file not found*/ = "C:\Programmi\Unlocker\UnlockerAssistant.exe" /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" = "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{B089FE88-FB52-11d3-BDF1-0050DA34150D} /*NOD32 Context Menu Shell Extension*/C:\Programmi\Eset\nodshex.dll = C:\Programmi\Eset\nodshex.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/E:\Programmi\iTunesMiniPlayer.dll = E:\Programmi\iTunesMiniPlayer.dll
@{5E2121EE-0300-11D4-8D3B-444553540000} /*Catalyst Context Menu extension*/C:\Programmi\ATI Technologies\ATI.ACE\atiacmxx.dll = C:\Programmi\ATI Technologies\ATI.ACE\atiacmxx.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/E:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll = E:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} = E:\Programmi\Java\jre1.5.0_06\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = imon.dll
000000000002@PackedCatalogItem = imon.dll
000000000003@PackedCatalogItem = imon.dll
000000000004@PackedCatalogItem = imon.dll
000000000005@PackedCatalogItem = imon.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011@PackedCatalogItem = imon.dll

C:\Documents and Settings\Giacomo\Menu Avvio\Programmi\Esecuzione automatica = Adobe Gamma.lnk

---- EOF - GMER 1.0.10 ----

Thanks again
2PCK8
Junior User
Posts: 11
Joined: 05/08/06 21:40

Post by Luke57 » 11/08/06 08:53

Hi, download The Avenger
http://swandog46.geekstogo.com/avenger.zip
QUOTE:
Extract the executable to the desktop.
- copy the bold content below to the clipboard (CTRL+C):

Files to delete:
C:\Programmi\File comuni\System\TGf.exe


start The Avenger and select Input Script Manually
- click the magnifying-glass icon
- a new window titled View/edit script will open
- paste what you copied above with Ctrl+V
- click Done
- click the icon with the green traffic light to run the script
- answer Yes twice
if the PC does not reboot on its own, reboot it manually
After the reboot, if the procedure went well, you can check the outcome of the script in the Avenger log (C:/avenger.txt). C:/Avenger will contain backups of all the files removed.

Then run these commands one after the other (to remove the service of which the file above was the executable):
Start>Run>sc stop SecMzm>OK
Start>Run>sc delete SecMzm >OK

To remove the Link Optimizer application (if you still have it in Add/Remove Programs):
in HijackThis, click Open the misc tools section >> open Uninstall Manager. Select the linkoptimizer entry and press Delete this entry.

Start>Run>control userpasswords2>OK
in the User Accounts window you should have a suspicious account with a random name:
if so, delete it by right-clicking it and choosing Delete.
Finally check whether in C:\Documents and settings you have a folder with the same name as the suspicious account you may have found; if so, delete it.

Delete all the Windows and IE temp and tmp files.
To do so, download ATF Cleaner from here:
http://www.atribune.org/ccount/click.php?id=1

Run ATF Cleaner, click the "main" menu and then tick the "Select All" box. Then click the "Empty selected" button and wait for the "Done Cleaning!" message.
Luke57
Moderator
Posts: 6410
Joined: 11/08/05 19:10

Post by 2PCK8 » 11/08/06 09:05

Hi, and thanks for the help. I managed to do all the steps successfully except deleting with The Avenger using the script you posted: it gives me an error message saying it does not appear to be a valid script.
Besides, I cannot find that file in that folder even when browsing it with hidden and system files shown.
Is it possible that it does not exist, or is it just hidden by the rootkit?
If so, how can I delete it?
bye :D
2PCK8
Junior User
Posts: 11
Joined: 05/08/06 21:40

Post by Luke57 » 11/08/06 09:12

Hi, try this script:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\Programmi\File comuni\System\TGf.exe
Luke57
Moderator
Posts: 6410
Joined: 11/08/05 19:10

Post by 2PCK8 » 11/08/06 09:19

Nothing doing with this script either. I also tried replacing
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
with
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
because it gave me an error, but it still does, even though it completes the operation...
Isn't there another way to delete this registry entry (I think it's the rootkit) and the file that will then become visible?

PS I tried running the script
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\Programmi\File comuni\System\TGf.exe

but it does not work.
Thanks anyway for your help.
bye
2PCK8
Junior User
Posts: 11
Joined: 05/08/06 21:40

Post by Luke57 » 11/08/06 10:05

Hi, the rootkit may be making use of ADS streams.
Download this file http://www.merijn.org/files/adsspy.zip
QUOTE:
Unzip the archive, run the program, clear all the ticks and tick only the "Scan only this folder" box, click the small button and select the hard disk to scan, click "Scan the system etc." to start the scan; at the end of the scan, if it finds something, select one entry, right-click and choose "Select All" and then "Save scan result" to save the result.
Luke57
Moderator
Posts: 6410
Joined: 11/08/05 19:10

Post by 2PCK8 » 11/08/06 10:13

Here are the results...
C:\Documents and Settings\All Users\Documenti\Immagini\Immagini campione\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Giacomo\Desktop\credits.wmv : Zone.Identifier (26 bytes)
Should I delete what it found?
thanks and bye :lol:
2PCK8
Junior User
Posts: 11
Joined: 05/08/06 21:40

Post by Luke57 » 11/08/06 10:26

Hi, those have nothing to do with it.
Try RootkitRevealer from here:
http://www.sysinternals.com/Utilities/R ... ealer.html

The log must be made without using the PC, with all applications (including the AV) closed and disconnected from the Internet.
Attach the log in a post.
Luke57
Moderator
Posts: 6410
Joined: 11/08/05 19:10

Post by 2PCK8 » 11/08/06 10:47

here is the log
HKLM\SOFTWARE\Classes\CLSID\{FC6F89E6-A677-11d7-A773-00C04F68F44E}\Pins\Input\Types\{10ed2d83-f16f-0348-2080-8c26b23e9a26}\22 10/08/2006 15.17 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 11/08/2006 11.37 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 11/08/2006 11.37 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 19/07/2006 16.41 0 bytes Access is denied.
C:\Documents and Settings\Giacomo\Impostazioni locali\Temp\~DF1770.tmp 11/08/2006 11.42 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Giacomo\Impostazioni locali\Temp\~DF177D.tmp 11/08/2006 11.42 512 bytes Hidden from Windows API.
C:\Documents and Settings\Giacomo\Impostazioni locali\Temporary Internet Files\Content.IE5\M9WNI1K1\CA8TYFCL.HTM 11/08/2006 11.42 792 bytes Hidden from Windows API.
thanks and bye
2PCK8
Junior User
Posts: 11
Joined: 05/08/06 21:40

Postdi Luke57 » 11/08/06 11:08

Hi, if you do:
start>run>services.msc>OK, in the list of Services is there by any chance a suspicious one whose "Log On As" column shows a random name instead of Local System or Network Service? If so, right-click>Properties and look at the path of the executable file.
let me know about these things.
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10

Post by 2PCK8 » 11/08/06 11:26

no, no suspicious name in the Log On As column, they are all called Local System and Local Service
bye
2PCK8
Junior Member

Posts: 11
Joined: 05/08/06 21:40

Post by Luke57 » 11/08/06 12:07

Hi, by now I'm persecuting you ;) could you redo the Gmer logs and post the two new results, autostart included?
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10

Post by 2PCK8 » 11/08/06 12:18

hahah lol here's the autostart scan (to be honest it looks like I'm the one persecuting you hihi) thanks for your help
GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-11 13:08:33
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName = Ati2evxx.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
NOD32krn /*NOD32 Kernel Service*/@ = "C:\Programmi\Eset\nod32krn.exe"
SecMzm /*SecMzm*/@ = "C:\Programmi\File comuni\System\TGf.exe" /*file not found*/
SLService /*SmartLinkService*/@ = slserv.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@nod32kui"C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE = "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
@NWEReboot /*file not found*/ = /*file not found*/
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@RaidToolC:\Programmi\VIA\RAID\raid_tool.exe pd = C:\Programmi\VIA\RAID\raid_tool.exe pd
@RemoteControl"C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" = "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
@ATICCC"C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay = "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
@ViewMgrC:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe = C:\Programmi\Viewpoint\Viewpoint Manager\ViewMgr.exe
@SunJavaUpdateSchedE:\Programmi\Java\jre1.5.0_06\bin\jusched.exe = E:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
@UnlockerAssistant"C:\Programmi\Unlocker\UnlockerAssistant.exe" /*file not found*/ = "C:\Programmi\Unlocker\UnlockerAssistant.exe" /*file not found*/
@pvcsgswuC:\cldocatf.bat = C:\cldocatf.bat
@ljomqyksC:\dmdihdkk.bat = C:\dmdihdkk.bat

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" = "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{B089FE88-FB52-11d3-BDF1-0050DA34150D} /*NOD32 Context Menu Shell Extension*/C:\Programmi\Eset\nodshex.dll = C:\Programmi\Eset\nodshex.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/E:\Programmi\iTunesMiniPlayer.dll = E:\Programmi\iTunesMiniPlayer.dll
@{5E2121EE-0300-11D4-8D3B-444553540000} /*Catalyst Context Menu extension*/C:\Programmi\ATI Technologies\ATI.ACE\atiacmxx.dll = C:\Programmi\ATI Technologies\ATI.ACE\atiacmxx.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/E:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll = E:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} = E:\Programmi\Java\jre1.5.0_06\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = imon.dll
000000000002@PackedCatalogItem = imon.dll
000000000003@PackedCatalogItem = imon.dll
000000000004@PackedCatalogItem = imon.dll
000000000005@PackedCatalogItem = imon.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011@PackedCatalogItem = imon.dll

C:\Documents and Settings\Giacomo\Menu Avvio\Programmi\Esecuzione automatica = Adobe Gamma.lnk

---- EOF - GMER 1.0.10 ----

and here's the scan for those very annoying rootkits on the 3 HDs (even though the infected one is C:)

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-11 13:16:51
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 823999C0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 8207B860
Device \Driver\NetBT \Device\NetBT_Tcpip_{B7A34EBB-6AD9-411B-8D08-5B483183FAA9} IRP_MJ_CREATE 82061B60
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 8239A510
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 8239A510
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 8239A510
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 8239A510
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE E1A2D008
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 8239A7C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 8239A7C8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 8208A858
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSEIRP_MJ_READ 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 81E99B28
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_PNP 81E99B28
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 8239A7C8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 8208A858
Device \Driver\NetBT \Device\NetBT_Tcpip_{36D0DD1C-2914-4919-9B40-DD32ABC8680E} IRP_MJ_CREATE 82061B60
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 8208A858
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE 8208A858
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE 8208A858
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CREATE E1018978
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 82061B60
Device \Driver\00000073 \Device\0000004b IRP_MJ_SYSTEM_CONTROL [F8450F68] sptd.sys
Device \Driver\00000073 \Device\0000004b IRP_MJ_DEVICE_CHANGE [F8465A70] sptd.sys
Device \Driver\00000073 \Device\0000004b IRP_MJ_PNP_POWER [F845E728] sptd.sys
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 82061B60
Device \Driver\00000073 \Device\0000004c IRP_MJ_SYSTEM_CONTROL [F8450F68] sptd.sys
Device \Driver\00000073 \Device\0000004c IRP_MJ_DEVICE_CHANGE [F8465A70] sptd.sys
Device \Driver\00000073 \Device\0000004c IRP_MJ_PNP_POWER [F845E728] sptd.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{4BC9D832-13E3-4BF1-BCB6-C99CD792C0E4} IRP_MJ_CREATE 82061B60
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 82399C78
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_CREATE 82399C78
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSEIRP_MJ_READ 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP_POWER 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSEIRP_MJ_READ 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 81ECD8F0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP_POWER 81ECD8F0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 81F38A80
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 81F38A80
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSEIRP_MJ_READ 81F38A80
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 81F38A80
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 81F38A80
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 81F38A80
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_EA 81F38A80
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 8239A7C8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 81EA8EB0
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_CREATE 81E00788
Device \Driver\viamraid \Device\Scsi\viamraid1 IRP_MJ_CREATE 82399EB0
Device \Driver\viamraid \Device\Scsi\viamraid1 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port4Path0Target0Lun0 IRP_MJ_CREATE 81E00788
Device \Driver\viamraid \Device\Scsi\viamraid1Port2Path0Target0Lun0 IRP_MJ_CREATE 82399EB0
Device \Driver\viamraid \Device\Scsi\viamraid1Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN [F8A406C1] prosync1.sys
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 81FADE08
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_CREATE 81FADE08
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 8207B860
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 81E4E260

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{5999C35E-1E39-4596-9E8D-D173C0BC1CC6}
File D:\System Volume Information\MountPointManagerRemoteDatabase
File D:\System Volume Information\tracking.log
File D:\System Volume Information\_restore{5999C35E-1E39-4596-9E8D-D173C0BC1CC6}
File E:\System Volume Information\MountPointManagerRemoteDatabase
File E:\System Volume Information\tracking.log
File E:\System Volume Information\_restore{5999C35E-1E39-4596-9E8D-D173C0BC1CC6}
File E:\System Volume Information\_restore{86A49D97-8230-471F-8767-68A971C9318B}

---- EOF - GMER 1.0.10 ----

anyway, earlier I deleted a strange .exe named ZZ from HijackThis's process manager; it was in the temp folder under Documents and Settings
bye
2PCK8
Junior Member

Posts: 11
Joined: 05/08/06 21:40

Post by Luke57 » 11/08/06 12:32

Hi, this one also comes back exactly the same:
SecMzm /*SecMzm*/@ = "C:\Programmi\File comuni\System\TGf.exe

1) Retry the deletion with Avenger

2) in the registry, under the path
HKLM\SYSTEM\CurrentControlSet\Services
locate
SecMzm
and try to delete it from there
start>run>regedt32>OK
click the + signs next to the individual entries, find the entry, click on it>Edit>Permissions>in the window that opens, Advanced>Owner, set your user name>OK, go back to the previous page, set Full Control by ticking the two boxes>Apply>OK. Then try to delete it by right-clicking the entry and choosing Delete.
If I had to bet on whether this works, I'd bet it won't, but try it anyway :)
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10
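
Added example, not code from this thread, from either poster or from GMER: a small Python triage script for the GMER Autostart dump posted above. It parses the "Key >>>" / "name@ = value" layout GMER prints and scores each entry with a few heuristics that match what Luke57 is chasing here: a service whose binary is gone (SecMzm) and random-named Run values that launch .bat files from the drive root (pvcsgswu / ljomqyks), while leaving legitimate entries such as Spooler or MSMSGS alone. The sample log inside the block is constructed, modelled on the dump above; the scoring, the threshold of 2 and the random-name heuristic are assumptions of this example, not anything GMER itself does.

```python
"""Triage a GMER "Autostart" dump. Added example, not GMER's code; heuristics are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SCRIPT_EXTS = {"bat", "cmd", "vbs", "scr", "pif"}   # assumption: a script in autostart is a strong signal
# Executable path inside a value (drive letter or %SystemRoot%, up to a known extension),
# ignoring surrounding quotes and whatever arguments follow it.
_PATH_RE = re.compile(
    r'(?:[A-Za-z]:\\|%SystemRoot%\\)[^"]*?\.(?:exe|bat|cmd|com|scr|pif|vbs|dll)', re.I)

@dataclass
class Entry:
    section: Optional[str]  # registry key the entry was listed under
    name: str               # value name (Run keys) or service name (Services)
    value: str              # raw right-hand side as GMER printed it

@dataclass
class Finding:
    entry: Entry
    path: Optional[str]
    score: int
    reasons: List[str] = field(default_factory=list)

def extract_path(value: str) -> Optional[str]:
    """Executable path in a value, or None (e.g. a bare 'slserv.exe')."""
    m = _PATH_RE.search(value)
    return m.group(0) if m else None

def looks_random(name: str) -> bool:
    """Assumed heuristic: alphabetic, 6+ chars, at most one vowel in four ('pvcsgswu')."""
    if len(name) < 6 or not name.isalpha():
        return False
    return sum(c in "aeiouy" for c in name.lower()) / len(name) <= 0.25

def parse_gmer_autostart(text: str) -> List[Entry]:
    """Parse GMER's layout: 'Key >>>' section headers, then one 'name = value' per line."""
    section: Optional[str] = None
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(">>>"):              # "HKLM\...\Run >>>" opens a section
            section = line[:-3].strip()
            continue
        if " = " not in line:
            continue
        left, _, value = line.partition(" = ")
        value, key = value.strip(), section
        if left.startswith("@"):              # Run style: "@" + name + value = value
            body = left[1:]
            name = body[: -len(value)] if value and body.endswith(value) else body
        elif "\\" in left:                    # standalone key: "HKLM\...\Key@Name = value"
            key, _, name = left.rpartition("@")
        else:                                 # service style: "Name /*Display*/@ = value"
            name = left.split(" /*")[0].rstrip("@")
        entries.append(Entry(key, name.strip(), value))
    return entries

def score(entry: Entry) -> Finding:
    """Score one entry; 2 or more means look at it by hand."""
    f = Finding(entry, extract_path(entry.value), 0)

    def hit(points: int, why: str) -> None:
        f.score += points
        f.reasons.append(why)

    sec = (entry.section or "").lower()
    in_services = "\\services" in sec and "winsock2" not in sec
    if "file not found" in entry.value.lower():
        # An orphaned service (binary gone, key still there) is exactly how SecMzm shows up.
        hit(2 if in_services else 1, "binary missing" + (" (service)" if in_services else ""))
    if f.path:
        p = f.path.lower()
        if re.fullmatch(r"[a-z]:\\[^\\]+", p):
            hit(2, "binary sits in the drive root")
        if p.rsplit(".", 1)[-1] in SCRIPT_EXTS:
            hit(2, "autostart launches a script")
    if looks_random(entry.name):
        hit(1, "random-looking name")
    return f

def triage(text: str, threshold: int = 2) -> List[Finding]:
    """Findings at or above threshold, highest score first (stable for ties)."""
    hits = [f for f in map(score, parse_gmer_autostart(text)) if f.score >= threshold]
    return sorted(hits, key=lambda f: -f.score)

# Constructed sample, modelled on the Autostart dump posted in this thread.
SAMPLE_LOG = r"""
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
SecMzm /*SecMzm*/@ = "C:\Programmi\File comuni\System\TGf.exe" /*file not found*/
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@nod32kui"C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE = "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
@UnlockerAssistant"C:\Programmi\Unlocker\UnlockerAssistant.exe" /*file not found*/ = "C:\Programmi\Unlocker\UnlockerAssistant.exe" /*file not found*/
@pvcsgswuC:\cldocatf.bat = C:\cldocatf.bat
@ljomqyksC:\dmdihdkk.bat = C:\dmdihdkk.bat

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.entry.name}: {f.path}  ({'; '.join(f.reasons)})")
```

The scores are deliberately coarse: the aim is to pull the orphaned SecMzm service and the two .bat Run values to the top of a hundred-line dump so a human looks at them first, not to decide anything on its own. An entry that only trips the random-name rule (MSMSGS has no vowels at all) stays below the threshold, and a missing binary under Run alone (UnlockerAssistant) scores 1, which is why the missing-binary rule weighs more under Services, where the thread's problem actually lives. On a saved GMER log, call `triage(open(path, encoding="utf-8", errors="replace").read())`.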

Post by 2PCK8 » 11/08/06 12:50

hm I see you're a good bettor... lol
anyway the procedure doesn't work: I can change the permissions but I can't delete the key.... :aaah
bye and thanks
isn't there another way? hm lol am I asking too much?
oh, anyway there was a zz entry in services and that one I managed to delete
2PCK8
Junior Member

Posts: 11
Joined: 05/08/06 21:40

Post by Luke57 » 11/08/06 12:59

Hi, I suspect that file has already been deleted:
C:\Programmi\File comuni\System\TGf.exe
as it is the executable of the service which, in other linkoptimizer cases, is visible in its folder but shown in green because it is encrypted. If you can't find it, not even with hidden and system files and folders shown, I think it's no longer there.

Try running these commands for the service:
start>run>sc stop SecMzm>OK
start>run>sc delete SecMzm>OK
start>run>sc stop *SecMzm*>OK
start>run>sc delete *SecMzm*>OK
Luke57
Moderator

Posts: 6410
Joined: 11/08/05 19:10

Post by 2PCK8 » 11/08/06 13:11

the scm stays happily where it is :-? lol but as for encrypted files, I remember deleting a couple some time ago in that directory...
I tried running the commands you gave but the key doesn't get deleted
2PCK8
Junior Member

Posts: 11
Joined: 05/08/06 21:40

