Hello everyone. I have read a few posts on the subject and have already downloaded Avenger, GMER, MyUninstaller (removing LinkOptimizer and ConnectionServices from the applications) and CCleaner. I have already deleted a strange user (Wko), made hidden files and folders visible, and deleted that same user under C:\Documents and Settings.
Now I am posting the GMER logs.
Can you help me go further?
Thanks a lot.
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-31 14:25:26
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.10 ----
SSDT 81F0ADB0 ZwConnectPort
---- Devices - GMER 1.0.10 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F8ABC85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F8ABC85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F8ABC85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F8ABC85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F8ABC85A] avgtdi.sys
---- Processes - GMER 1.0.10 ----
Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [2500] 0x01F20000 <-- ROOTKIT !!!
Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [4036] 0x01F20000 <-- ROOTKIT !!!
---- Files - GMER 1.0.10 ----
File C:\WINDOWS\mdoom1.dll
File C:\WINDOWS\system32\lpt4.hzq
---- EOF - GMER 1.0.10 ----
GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-31 14:27:47
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
WgaLogon@DLLName = WgaLogon.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\system32\lpt4.hzq
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Canon Driver Information Assist Service /*Canon Driver Information Assist Service*/@ = C:\Programmi\Canon\DIAS\CnxDIAS.exe
ccEvtMgr /*Symantec Event Manager*/@ = "c:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
ccSetMgr /*Symantec Settings Manager*/@ = "c:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe"
Iomega App Services /*Iomega App Services*/@ = "C:\PROGRA~1\Iomega\System32\AppServices.exe"
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
navapsvc /*Servizio Norton AntiVirus Auto-Protect*/@ = "c:\Programmi\Norton AntiVirus\navapsvc.exe"
SBService /*ScriptBlocking Service*/@ = C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
SrvXdx /*SrvXdx*/@ = "C:\Programmi\File comuni\System\mfxS.exe"
SymWSC /*SymWMI Service*/@ = "C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe"
_IOMEGA_ACTIVE_DISK_SERVICE_ /*Iomega Active Disk*/@ = "C:\Programmi\Iomega\AutoDisk\ADService.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@BluetoothAuthenticationAgentrundll32.exe irprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
@SmappC:\Programmi\Analog Devices\SoundMAX\SMTray.exe = C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
@IgfxTrayC:\WINDOWS\System32\igfxtray.exe = C:\WINDOWS\System32\igfxtray.exe
@HotKeysCmdsC:\WINDOWS\System32\hkcmd.exe = C:\WINDOWS\System32\hkcmd.exe
@tgcmd /*file not found*/ = /*file not found*/
@UC_StartC:\IBMTools\Updater\ucstartup.exe = C:\IBMTools\Updater\ucstartup.exe
@ccApp"c:\Programmi\File comuni\Symantec Shared\ccApp.exe" = "c:\Programmi\File comuni\Symantec Shared\ccApp.exe"
@ibmmessagesC:\Programmi\IBM\Messages By IBM\ibmmessages.exe = C:\Programmi\IBM\Messages By IBM\ibmmessages.exe
@Mouse Suite 98 DaemonICO.EXE = ICO.EXE
@SW_SUBST_L:"C:\Export\sysint\client\bin\sw_subst.exe" L:,C:\Export = "C:\Export\sysint\client\bin\sw_subst.exe" L:,C:\Export
@ADUserMonC:\Programmi\Iomega\AutoDisk\ADUserMon.exe = C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
@Iomega Drive IconsC:\Programmi\Iomega\DriveIcons\ImgIcon.exe = C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
@DeskupC:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART = C:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART
@Symantec NetDriver MonitorC:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
@PRONoMgr.exeC:\Programmi\Intel\NCS\PROSet\PRONoMgr.exe = C:\Programmi\Intel\NCS\PROSet\PRONoMgr.exe
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_06\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@StatusClient 2.6C:\Programmi\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto = C:\Programmi\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
@TomcatStartup 2.5C:\Programmi\Hewlett-Packard\Toolbox\hpbpsttp.exe = C:\Programmi\Hewlett-Packard\Toolbox\hpbpsttp.exe
@HP Software Update"C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" = "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@tgcmd /*file not found*/ = /*file not found*/
@ibmmessagesC:\Programmi\IBM\Messages By IBM\ibmmessages.exe = C:\Programmi\IBM\Messages By IBM\ibmmessages.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{c7745760-8ead-11ce-b750-02608ca5202c} /*IomegaWare Shell Extension*/C:\Programmi\Iomega\Shell\ImgMenu.dll = C:\Programmi\Iomega\Shell\ImgMenu.dll
@{c7745761-8ead-11ce-b750-02608ca5202c} /*IomegaWare Shell Extension*/C:\Programmi\Iomega\Shell\ImgProp.dll = C:\Programmi\Iomega\Shell\ImgProp.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Programmi\Norton AntiVirus\NavShExt.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Programmi\Norton AntiVirus\NavShExt.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{BDF3E430-B101-42AD-A544-FADC6B084872}c:\Programmi\Norton AntiVirus\NavShExt.dll = c:\Programmi\Norton AntiVirus\NavShExt.dll
@{D4ED03F3-6672-F05B-77C2-859151625148}C:\WINDOWS\mdoom1.dll = C:\WINDOWS\mdoom1.dll
HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.libero.it/ = http://www.libero.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0785DD61-1E4F-459A-8CDA-25A8C1428A69} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.1.10 = 192.168.1.10
@NameServer192.168.1.1 = 192.168.1.1
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =
C:\Documents and Settings\UTENTE\Menu Avvio\Programmi\Esecuzione automatica = conf_L.lnk
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = WinZip Quick Pick.lnk
---- EOF - GMER 1.0.10 ----
Thanks again.
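As an added example (not part of the original post and not GMER's own code), here is a small Python triage script that parses the two GMER reports above and flags the indicators a helper would look at first: a module GMER marks as hidden inside a process, a non-empty AppInit_DLLs value (a DLL listed there is loaded into every process that maps user32.dll), an image whose extension is not one Windows normally loads as code, a base name that is a Win32 reserved device name, and a path referenced in more than one section of the reports. The sample log embedded in the script is a constructed subset of the lines posted above; the rule names, severities and the list of "normal" executable extensions are the script's own assumptions, not GMER output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the two GMER reports pasted in the post, copied verbatim.
SAMPLE_LOG = r"""GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-31 14:25:26
Windows 5.1.2600 Service Pack 2
---- Processes - GMER 1.0.10 ----
Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [2500] 0x01F20000 <-- ROOTKIT !!!
---- Files - GMER 1.0.10 ----
File C:\WINDOWS\mdoom1.dll
File C:\WINDOWS\system32\lpt4.hzq
---- EOF - GMER 1.0.10 ----
GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-31 14:27:47
Windows 5.1.2600 Service Pack 2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\system32\lpt4.hzq
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{BDF3E430-B101-42AD-A544-FADC6B084872}c:\Programmi\Norton AntiVirus\NavShExt.dll = c:\Programmi\Norton AntiVirus\NavShExt.dll
@{D4ED03F3-6672-F05B-77C2-859151625148}C:\WINDOWS\mdoom1.dll = C:\WINDOWS\mdoom1.dll
---- EOF - GMER 1.0.10 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
HIDDEN_RE = re.compile(r"^Library (.+?) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\]")
# Assumption: extensions Windows normally loads as code; anything else in an autostart slot is odd.
EXEC_EXTS = {".exe", ".dll", ".sys", ".cpl", ".ocx", ".scr", ".drv", ".ax"}
# Win32 reserved device names: "lpt4.hzq" names the LPT4 device unless opened through the \\?\ prefix.
RESERVED_STEMS = {"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}
SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


@dataclass
class Entry:
    section: str   # Processes | Files | Autostart
    kind: str      # hidden_module | file | autostart
    path: str      # image path exactly as GMER printed it
    key: str = ""  # registry key / value name (autostart entries only)
    host: str = "" # process the hidden module was found in
    pid: int = 0


@dataclass
class Finding:
    severity: str
    rule: str
    path: str      # normalized (lower-case, \\?\ prefix stripped)
    detail: str


def parse_gmer(text):
    """Turn the raw GMER text into Entry records; unrecognized lines are skipped."""
    entries, section, current_key = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)          # Processes, Files, EOF, ...
            continue
        if line.startswith("Autostart "):
            section = "Autostart"         # the autostart report has no "---- X ----" headers
            continue
        if line.startswith(("GMER ", "Rootkit ", "Windows ")):
            continue                      # report banner lines
        if section == "Processes":
            m = HIDDEN_RE.match(line)
            if m:
                entries.append(Entry("Processes", "hidden_module", m.group(1), host=m.group(2), pid=int(m.group(3))))
        elif section == "Files" and line.startswith("File "):
            entries.append(Entry("Files", "file", line[5:].strip()))
        elif section == "Autostart":
            if line.endswith(">>>"):
                current_key = line[:-3].strip()   # header of a key whose values follow
            elif " = " in line:
                left, data = line.split(" = ", 1)
                key = left if left.startswith("HK") else current_key + "\\" + left
                if data.strip():
                    entries.append(Entry("Autostart", "autostart", data.strip(), key=key))
    return entries


def normalize(path):
    p = path.strip().strip('"')
    if p.startswith("\\\\?\\"):           # strip the Win32 "\\?\" long-path prefix
        p = p[4:]
    return p.lower()


def triage(text):
    """Apply the rules to every entry and return findings, highest severity first, deduplicated."""
    found, seen = {}, defaultdict(set)

    def add(sev, rule, npath, detail):
        found.setdefault((rule, npath), Finding(sev, rule, npath, detail))

    for e in parse_gmer(text):
        npath = normalize(e.path)
        seen[npath].add(f"{e.section}/{e.kind}")
        stem, dot, ext = npath.rsplit("\\", 1)[-1].rpartition(".")
        if e.kind == "hidden_module":
            add("high", "hidden_module", npath, f"hidden from the module list of {e.host} [pid {e.pid}]")
        if e.kind == "autostart" and e.key.endswith("@AppInit_DLLs"):
            add("high", "appinit_dlls", npath, "AppInit_DLLs: loaded into every process that maps user32.dll")
        if dot and "." + ext not in EXEC_EXTS:
            add("medium", "odd_extension", npath, f"extension .{ext} is not a normal Windows code image")
        if dot and stem in RESERVED_STEMS:
            add("info", "reserved_device_name", npath, f"base name {stem} is a Win32 reserved device name")
    for npath, contexts in seen.items():
        if len(contexts) >= 2:
            add("high", "cross_reference", npath, "referenced in " + ", ".join(sorted(contexts)))
    return sorted(found.values(), key=lambda f: (SEVERITY_RANK[f.severity], f.rule, f.path))


def findings_by_rule(findings):
    by = defaultdict(list)
    for f in findings:
        by[f.rule].append(f.path)
    return {rule: sorted(paths) for rule, paths in by.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:22} {f.path}  ({f.detail})")
```

Run against the constructed sample, the script reports mdoom1.dll three times over (hidden inside iexplore.exe, listed in the Files section, registered as a Browser Helper Object) and lpt4.hzq twice (listed in the Files section, loaded through AppInit_DLLs). The reserved-name rule explains the `\\?\` prefix in the AppInit_DLLs value: a file whose base name is LPT4 cannot be opened or deleted through an ordinary Win32 path, so Explorer and a plain `del` will fail on it while the prefixed path still works. The script only flags what the reports themselves mark; the rest of the autostart list (services, Run keys, shell extensions) still has to be reviewed by hand.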