S.O.S

Post by invino » 18/02/07 13:18

Please redirect me to other topics if this subject has already been covered.

1) All of a sudden my AVG can no longer run its updates.

2) I try to install it again, but the installation does not complete, so it is impossible to start it.

3) I also try to install Kaspersky, with the same results: after installation the executable file seems to go missing, so no antivirus.

4) I do a bit of cleaning with CCleaner, everything goes fine, but the main symptom remains untouched: Explorer windows keep opening over and over (something like 60 at a time). If it helps, I use Firefox and not IE.

5) I run several online scans (Panda, Kaspersky, Spybot...), but I can't get to the bottom of it.



Thank you for your help
invino
Junior Member

Posts: 23
Joined: 06/10/06 14:06

Post by invino » 18/02/07 14:05

This is the result of the GMER scan

GMER 1.0.12.12027 - http://www.gmer.net
Autostart scan 2007-02-18 14:02:04
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
RichVideo /*Cyberlink RichVideo Service(CRVS)*/@ = "C:\Programmi\Cyberlink\Shared files\RichVideo.exe" ??????????????????????????????????????????????????
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@AdslTaskBarrundll32.exe stmctrl.dll,TaskBar = rundll32.exe stmctrl.dll,TaskBar
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@SunJavaUpdateSched"C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe" = "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@RemoteControlD:\Programmi\CyberLink\PowerDVD\PDVDServ.exe = D:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
@LanguageShortcutD:\Programmi\CyberLink\PowerDVD\Language\Language.exe = D:\Programmi\CyberLink\PowerDVD\Language\Language.exe
@WinampAgentD:\Programmi\Winamp\winampa.exe = D:\Programmi\Winamp\winampa.exe
@hldrrrC:\WINDOWS\system32\hldrrr.exe = C:\WINDOWS\system32\hldrrr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@hldrrrC:\WINDOWS\system32\hldrrr.exe = C:\WINDOWS\system32\hldrrr.exe
@drvsyskitC:\Documents and Settings\MaTt&Co\Dati applicazioni\hidires\hidr.exe = C:\Documents and Settings\MaTt&Co\Dati applicazioni\hidires\hidr.exe
@german.exeC:\WINDOWS\system32\wintems.exe = C:\WINDOWS\system32\wintems.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@0aMCPClient =

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/D:\Programmi\WinRAR\rarext.dll = D:\Programmi\WinRAR\rarext.dll
@{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} /*OpenOffice.org Column Handler*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{087B3AE3-E237-4467-B8DB-5A38AB959AC9} /*OpenOffice.org Infotip Handler*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{63542C48-9552-494A-84F7-73AA6A7C99C1} /*OpenOffice.org Property Sheet Handler*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{3B092F0C-7696-40E3-A80F-68D74DA84210} /*OpenOffice.org Thumbnail Viewer*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/D:\Programmi\Real\RealPlayer\rpshell.dll = D:\Programmi\Real\RealPlayer\rpshell.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll = D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll
@(null) =
@{1530F7EE-5128-43BD-9977-84A4B0FAD7DF} /*PhotoToys*/C:\WINDOWS\system32\phototoys.dll = C:\WINDOWS\system32\phototoys.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{02478D38-C3F9-4EFB-9B51-7695ECA05670}C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll = C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\Programmi\Spybot - Search & Destroy\SDHelper.dll = C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{501902E7-6DF4-4981-A1A3-EC7D28CC20E3} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.1.2 = 192.168.1.2
@NameServer212.245.255.2,212.245.158.66 = 212.245.255.2,212.245.158.66
@DefaultGateway192.16.2.1 = 192.16.2.1
@Domain =

C:\Documents and Settings\MaTt&Co\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Gamma.lnk = Adobe Gamma.lnk
OpenOffice.org 2.0.lnk = OpenOffice.org 2.0.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = Avvio veloce di Adobe Reader.lnk

---- EOF - GMER 1.0.12 ----

Post by Pao1o » 18/02/07 14:08

You seem to have a nasty parasite that blocks your AVs.

Run a HijackThis check
http://www.pc-facile.com/download/homep ... ijackthis/
and paste the log here
http://www.hijackthis.de/it
or post it.

Clean up the registry with regseeker, regcleaner and ccleaner
http://www.pc-facile.com/download/?cat=54

Run an antispyware check with adaware + spybot + ewido (updated)
http://www.pc-facile.com/download/?cat=17
http://www.pc-facile.com/news/ewido_la_ ... otenziata/

Then let us know the results.

The infection has to be identified exactly in order to remove it.
Pao1o
Senior Member

Posts: 1375
Joined: 23/10/05 12:58
Location: I no longer post on this forum because of disagreements

Post by invino » 18/02/07 15:51

This is the log:

Logfile of HijackThis v1.99.1
Scan saved at 14.15.15, on 18/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
D:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
D:\Programmi\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programmi\Mozilla Firefox\firefox.exe
D:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\MaTt&Co\IMPOST~1\Temp\Rar$EX00.328\gmer.exe
D:\Programmi\WinRAR\WinRAR.exe
C:\DOCUME~1\MaTt&Co\IMPOST~1\Temp\Rar$EX00.594\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar con blocco Pop-Up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] D:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] D:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Programmi\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programmi\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: SessoXXX - {EF6D6AE3-2625-40D6-A5AB-920DFD2DAF8C} - C:\Documents and Settings\MaTt&Co\Dati applicazioni\SessoXXX.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://shilvietta1992.spaces.live.com// ... nPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-U ... E_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{501902E7-6DF4-4981-A1A3-EC7D28CC20E3}: NameServer = 212.245.255.2,212.245.158.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD70AB4D-9801-4B27-80E4-59A80A938449}: NameServer = 212.216.112.222,212.216.172.162
O17 - HKLM\System\CCS\Services\Tcpip\..\{E43D1958-532C-4878-A399-C8F31C73E61D}: NameServer = 193.70.152.15 193.70.152.25
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Boonty Games - BOONTY - C:\Programmi\File comuni\BOONTY Shared\Service\Boonty.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\Cyberlink\Shared files\RichVideo.exe


Cleaning chapter:

I had already used CCleaner, so now it reports everything clean:
PULIZIA COMPLETATA - (13,969 sec)
0,17MB rimossi.


I feel ignorant with RegSeeker: I don't know how to post the result (which in any case stays the same every time I repeat the operation).

This instead is Ad-Aware

Ad-Aware SE Build 1.06r1
Logfile Created on:domenica 18 febbraio 2007 14.35.22
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R153 15.02.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):9 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


18-02-2007 14.35.22 - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 440
ThreadCreationTime : 18-02-2007 12.33.21
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 524
ThreadCreationTime : 18-02-2007 12.33.23
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 548
ThreadCreationTime : 18-02-2007 12.33.23
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 592
ThreadCreationTime : 18-02-2007 12.33.24
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Applicazione Servizi e Controller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 604
ThreadCreationTime : 18-02-2007 12.33.24
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 760
ThreadCreationTime : 18-02-2007 12.33.25
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 832
ThreadCreationTime : 18-02-2007 12.33.25
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 868
ThreadCreationTime : 18-02-2007 12.33.26
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 912
ThreadCreationTime : 18-02-2007 12.33.26
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 936
ThreadCreationTime : 18-02-2007 12.33.26
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1048
ThreadCreationTime : 18-02-2007 12.33.27
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [richvideo.exe]
FilePath : C:\Programmi\Cyberlink\Shared files\
ProcessID : 1224
ThreadCreationTime : 18-02-2007 12.33.28
BasePriority : Normal
FileVersion : 1.1.0808
ProductVersion : 1.1.0808
ProductName : RichVideo Module
FileDescription : RichVideo Module
InternalName : RichVideo
LegalCopyright : Copyright 2004
OriginalFilename : RichVideo.EXE

#:13 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1256
ThreadCreationTime : 18-02-2007 12.33.28
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:14 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1280
ThreadCreationTime : 18-02-2007 12.33.28
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:15 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1476
ThreadCreationTime : 18-02-2007 12.33.28
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Esplora risorse
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati.
OriginalFilename : EXPLORER.EXE

#:16 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1784
ThreadCreationTime : 18-02-2007 12.33.32
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Modulo di esecuzione DLL come applicazioni
InternalName : rundll
LegalCopyright : © Microsoft Corporation. Tutti i diritti riservati.
OriginalFilename : RUNDLL.EXE

#:17 [jusched.exe]
FilePath : C:\Programmi\Java\jre1.5.0_10\bin\
ProcessID : 1804
ThreadCreationTime : 18-02-2007 12.33.32
BasePriority : Normal


#:18 [realsched.exe]
FilePath : C:\Programmi\File comuni\Real\Update_OB\
ProcessID : 1812
ThreadCreationTime : 18-02-2007 12.33.32
BasePriority : Normal
FileVersion : 0.1.0.3760
ProductVersion : 0.1.0.3760
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:19 [pdvdserv.exe]
FilePath : D:\Programmi\CyberLink\PowerDVD\
ProcessID : 1820
ThreadCreationTime : 18-02-2007 12.33.32
BasePriority : Normal
FileVersion : 5.00.0910
ProductVersion : 5.00.0910
ProductName : PowerDVD
CompanyName : Cyberlink Corp.
FileDescription : PowerDVD RC Service
InternalName : PowerDVD RC Service
LegalCopyright : Copyright (c) CyberLink Corp. 1997-2004
OriginalFilename : PDVDSERV.EXE

#:20 [winampa.exe]
FilePath : D:\Programmi\Winamp\
ProcessID : 1836
ThreadCreationTime : 18-02-2007 12.33.32
BasePriority : Normal


#:21 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1864
ThreadCreationTime : 18-02-2007 12.33.33
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:22 [devldr32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1964
ThreadCreationTime : 18-02-2007 12.33.35
BasePriority : Normal
FileVersion : 1, 0, 0, 17
ProductVersion : 1, 0, 0, 17
ProductName : Creative Ring3 NT Inteface
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr32
InternalName : DevLdr
LegalCopyright : Copyright (C) Creative Technology Ltd. 1998-2001
OriginalFilename : DevLdr32.exe

#:23 [firefox.exe]
FilePath : C:\Programmi\Mozilla Firefox\
ProcessID : 1292
ThreadCreationTime : 18-02-2007 12.35.16
BasePriority : Normal


#:24 [regseeker.exe]
FilePath : C:\DOCUME~1\MaTt&Co\IMPOST~1\Temp\Rar$EX00.453\
ProcessID : 2060
ThreadCreationTime : 18-02-2007 13.21.02
BasePriority : Normal


#:25 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 2496
ThreadCreationTime : 18-02-2007 13.25.23
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:26 [ccleaner.exe]
FilePath : C:\Programmi\CCleaner\
ProcessID : 2584
ThreadCreationTime : 18-02-2007 13.29.48
BasePriority : Normal
FileVersion : 1.37.0456
ProductVersion : 1.37.0456
ProductName : CCleaner
CompanyName : Piriform Ltd
FileDescription : CCleaner
InternalName : ccleaner
LegalCopyright : Copyright 2005-2007 Piriform Ltd
OriginalFilename : ccleaner.exe
Comments : CCleaner

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Disk Scan Result for C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Disk Scan Result for C:\DOCUME~1\MaTt&Co\IMPOST~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 0



MRU List Object Recognized!
Location: : C:\Documents and Settings\MaTt&Co\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-1757981266-2147068855-839522115-1004\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-1757981266-2147068855-839522115-1004\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1757981266-2147068855-839522115-1004\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-1757981266-2147068855-839522115-1004\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-1757981266-2147068855-839522115-1004\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-1757981266-2147068855-839522115-1004\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9

14.36.42 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00.01.20.46
Objects scanned:84301
Objects identified:0
Objects ignored:0
New critical objects:0


and this is Ewido

AVG Anti-Spyware - Rapporto scansione
---------------------------------------------------------

+ Creato alle: 15.48.41 18/02/2007

+ Risultato scansione:



C:\System Volume Information\_restore{A941E4DB-E9B0-468D-A5D0-67FCEB9F1EF9}\RP73\A0021332.exe -> Adware.HotBar : Nessuna operazione eseguita.
C:\System Volume Information\_restore{A941E4DB-E9B0-468D-A5D0-67FCEB9F1EF9}\RP73\A0021342.dll -> Adware.HotBar : Nessuna operazione eseguita.
C:\System Volume Information\_restore{A941E4DB-E9B0-468D-A5D0-67FCEB9F1EF9}\RP73\A0021371.dll -> Adware.Hotbar : Nessuna operazione eseguita.
C:\System Volume Information\_restore{A941E4DB-E9B0-468D-A5D0-67FCEB9F1EF9}\RP106\A0034866.exe -> Adware.Lop : Nessuna operazione eseguita.
C:\System Volume Information\_restore{A941E4DB-E9B0-468D-A5D0-67FCEB9F1EF9}\RP81\A0027593.exe -> Dialer.DialWeb : Nessuna operazione eseguita.
C:\System Volume Information\_restore{A941E4DB-E9B0-468D-A5D0-67FCEB9F1EF9}\RP82\A0027618.exe -> Dialer.DialWeb : Nessuna operazione eseguita.
C:\Documents and Settings\MaTt&Co\Desktop\Nuova cartella\Kaspersky.Antivirus.Personal.5.0.372.(español).-.rar/Kaspersky Antivirus Personal 5.0.372 (espa¤ol)\Keys\key???@ttdown.com.exe -> Dropper.Agent.xk : Nessuna operazione eseguita.
:mozilla.17:C:\Documents and Settings\MaTt&Co\Dati applicazioni\Mozilla\Firefox\Profiles\7by2v7yu.default\cookies.txt -> TrackingCookie.Adtech : Nessuna operazione eseguita.
:mozilla.10:C:\Documents and Settings\MaTt&Co\Dati applicazioni\Mozilla\Firefox\Profiles\7by2v7yu.default\cookies.txt -> TrackingCookie.Atdmt : Nessuna operazione eseguita.
:mozilla.16:C:\Documents and Settings\MaTt&Co\Dati applicazioni\Mozilla\Firefox\Profiles\7by2v7yu.default\cookies.txt -> TrackingCookie.Doubleclick : Nessuna operazione eseguita.


::Fine rapporto


Awaiting further orders,
Thanks a lot.
invino

Post by invino » 18/02/07 15:53

I forgot: I can't install Spybot (not through incompetence, but because it blocks the setup).
invino

Post by invino » 19/02/07 11:23

Ahem... Pao1o, is this your polite way of telling me there's no hope for me?

:D :undecided:
invino

Post by Luke57 » 19/02/07 12:46

invino wrote: Ahem... Pao1o, is this your polite way of telling me there's no hope for me?

:D :undecided:

Hi, the point is that the infection was already visible in the GMER log, so it was quite pointless to suggest other palliative measures.

download and unzip avenger to the desktop
http://swandog46.geekstogo.com/avenger.zip

- double-click the avenger.exe file to start it
- Select "Input Script Manually"
- Click on the magnifying glass

- In the window that opens, "View/edit script"
- copy / paste (Ctrl+v) the following script, in bold:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

files to delete:
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe

folders to delete:
C:\Documents and Settings\MaTt&Co\Dati applicazioni\hidires
C:\WINDOWS\exefld

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr



- Click the Done button
- Then the traffic-light icon
- Answer Yes twice
The PC should reboot (if it does not, reboot it yourself)
Post the log that will be created in C:\Avenger

Now open the registry editor (Start / Run / type regedit / OK)

Clicking the + sign next to each entry, navigate to the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

click on it and in the right-hand pane, among the other values, find
Hldrrr
Right-click and choose Delete.
Then look for
Drvsyskit
Right-click and choose Delete
Then look for
german.exe
Right-click and choose Delete

If they exist, delete these two keys as well, using the same method, at the following paths:
HKEY_CURRENT_USER\Software\DateTime4
HKEY_CURRENT_USER\Software\FirstRRRun

Close the registry editor.

Then run the Gmer scan again, from the Autostart tab and from the Rootkit tab, and paste the reports in a post.
Luke57
Moderator
 
Posts: 6410
Joined: 11/08/05 19:10

Post by invino » 19/02/07 13:10

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\duagecjl

*******************

Script file located at: \??\C:\WINDOWS\jwrqnund.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\wintems.exe deleted successfully.
File C:\WINDOWS\system32\hldrrr.exe deleted successfully.
Folder C:\Documents and Settings\MaTt&Co\Dati applicazioni\hidires deleted successfully.
Folder C:\WINDOWS\exefld deleted successfully.


Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



This is Gmer - Autostart

GMER 1.0.12.12027 - http://www.gmer.net
Autostart scan 2007-02-19 12:58:02
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
RichVideo /*Cyberlink RichVideo Service(CRVS)*/@ = "C:\Programmi\Cyberlink\Shared files\RichVideo.exe" ??????????????????????????????????????????????????
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@AdslTaskBarrundll32.exe stmctrl.dll,TaskBar = rundll32.exe stmctrl.dll,TaskBar
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@SunJavaUpdateSched"C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe" = "C:\Programmi\Java\jre1.5.0_10\bin\jusched.exe"
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@RemoteControlD:\Programmi\CyberLink\PowerDVD\PDVDServ.exe = D:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
@LanguageShortcutD:\Programmi\CyberLink\PowerDVD\Language\Language.exe = D:\Programmi\CyberLink\PowerDVD\Language\Language.exe
@WinampAgentD:\Programmi\Winamp\winampa.exe = D:\Programmi\Winamp\winampa.exe
@!AVG Anti-Spyware"C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@0aMCPClient =

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/D:\Programmi\WinRAR\rarext.dll = D:\Programmi\WinRAR\rarext.dll
@{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} /*OpenOffice.org Column Handler*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{087B3AE3-E237-4467-B8DB-5A38AB959AC9} /*OpenOffice.org Infotip Handler*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{63542C48-9552-494A-84F7-73AA6A7C99C1} /*OpenOffice.org Property Sheet Handler*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{3B092F0C-7696-40E3-A80F-68D74DA84210} /*OpenOffice.org Thumbnail Viewer*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/D:\Programmi\Real\RealPlayer\rpshell.dll = D:\Programmi\Real\RealPlayer\rpshell.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll = D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll
@(null) =
@{1530F7EE-5128-43BD-9977-84A4B0FAD7DF} /*PhotoToys*/C:\WINDOWS\system32\phototoys.dll = C:\WINDOWS\system32\phototoys.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\Programmi\Spybot - Search & Destroy\SDHelper.dll = C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_10\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.google.it/

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{501902E7-6DF4-4981-A1A3-EC7D28CC20E3} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.1.2 = 192.168.1.2
@DefaultGateway192.16.2.1 = 192.16.2.1
@Domain =

C:\Documents and Settings\MaTt&Co\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Gamma.lnk = Adobe Gamma.lnk
OpenOffice.org 2.0.lnk = OpenOffice.org 2.0.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = Avvio veloce di Adobe Reader.lnk

---- EOF - GMER 1.0.12 ----


Gmer - Rootkit

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-19 13:09:25
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT a347bus.sys ZwClose
SSDT a347bus.sys ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT a347bus.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT a347bus.sys ZwSetSystemPowerState

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs\ntfs IRP_MJ_READ 867E2328
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 860A5AB8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 86246260
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 860A5AB8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE_NAMED_PIPE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CLOSE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_READ 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_WRITE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_FLUSH_BUFFERS 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DIRECTORY_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_FILE_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SHUTDOWN 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_LOCK_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CLEANUP 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE_MAILSLOT 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_SECURITY 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_SECURITY 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_POWER 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DEVICE_CHANGE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_QUOTA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_QUOTA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_PNP 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_NAMED_PIPE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_READ 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_WRITE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FLUSH_BUFFERS 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DIRECTORY_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FILE_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_LOCK_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLEANUP 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_MAILSLOT 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_SECURITY 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_SECURITY 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CHANGE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_QUOTA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_QUOTA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA
invino
Junior Member
 
Posts: 23
Joined: 06/10/06 14:06
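A reading of the two logs above, followed by an added example. Every file, folder and Run value in the Avenger script was removed; the one action that "failed", the AppInit_DLLs replacement, reports Status 0xc0000034, which is STATUS_OBJECT_NAME_NOT_FOUND: the value did not exist, so there was nothing to neutralise. The SSDT hooks by a347bus.sys in the Rootkit scan belong to the Alcohol 120% virtual-drive driver (its shell extension, AXShlEx.dll, appears in the same Autostart log), not to the infection. The Python script below automates that verification for this post and for the moderator's removal list in the earlier post: it parses an Avenger log and decodes each failure's NTSTATUS, and it extracts the Run entries from a GMER Autostart log and matches them against the indicators the moderator listed (hldrrr, Drvsyskit, german.exe, wintems.exe, hidires, exefld). It is not code from the thread or from the Avenger or GMER authors; the GMER line format is inferred from the posted log, and both sample logs are constructed from the logs in this thread.

```python
# Post-cleanup triage of an Avenger log and a GMER Autostart log for the Bagle-style indicators
# named in the thread.  Added example, not code from the thread or from the Avenger/GMER authors;
# the sample logs below are constructed from the logs posted in the thread.
import re

# NTSTATUS codes Avenger prints after a failed action (values from ntstatus.h).
NTSTATUS = {0xC0000022: "STATUS_ACCESS_DENIED", 0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
            0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND", 0xC0000043: "STATUS_SHARING_VIOLATION"}
# Failing because the target was already absent changed nothing; any other failure needs a look.
BENIGN = {"STATUS_OBJECT_NAME_NOT_FOUND", "STATUS_OBJECT_PATH_NOT_FOUND"}
IOC_RUN_NAMES = {"hldrrr", "drvsyskit", "german.exe"}   # Run values the moderator listed
IOC_FILES = {"wintems.exe", "hldrrr.exe"}               # dropped executables
IOC_FOLDERS = {"hidires", "exefld"}                     # dropped folders

_OK = re.compile(r"^(File|Folder|Registry key|Registry value) (.+) deleted successfully\.$")
_FAIL = re.compile(r"^(.+?) of registry value (.+) failed!$")
_STATUS = re.compile(r"^Status: 0x([0-9A-Fa-f]{8})$")


def parse_avenger_log(text):
    """One dict per scripted action: kind, target, ok, decoded NTSTATUS (if failed), benign."""
    actions = []
    for raw in text.splitlines():
        line = raw.strip()
        ok, fail, status = _OK.match(line), _FAIL.match(line), _STATUS.match(line)
        if ok:
            actions.append({"kind": ok.group(1), "target": ok.group(2), "ok": True, "status": None, "benign": True})
        elif fail:
            actions.append({"kind": fail.group(1), "target": fail.group(2), "ok": False, "status": None, "benign": False})
        elif status and actions and not actions[-1]["ok"]:   # a 'Status:' line qualifies the failure above it
            name = NTSTATUS.get(int(status.group(1), 16), "0x" + status.group(1).upper())
            actions[-1].update(status=name, benign=name in BENIGN)
    return actions


def needs_followup(actions):
    """Targets whose removal failed for a reason other than 'already absent'."""
    return [a["target"] for a in actions if not a["benign"]]


def gmer_run_entries(text):
    """(key, name, value) for each value under a ...\\Run key.  GMER prints a multi-value key as
    'KEY >>>' then '@NAMEVALUE = VALUE' lines (name and value run together on the left) and a
    single-value key inline as 'KEY@NAME = VALUE'; both forms are handled."""
    entries, block_key = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            block_key = None                  # a blank line closes a '>>>' block
            continue
        if line.endswith(" >>>"):
            block_key = line[:-4]
            continue
        if " = " not in line:
            continue
        left, value = line.split(" = ", 1)
        if left.startswith("@") and block_key is not None:
            key, joined = block_key, left[1:]
            name = joined[:-len(value)] if value and joined.endswith(value) else joined
        elif "@" in left:
            key, name = left.rsplit("@", 1)
        else:
            continue
        if key.lower().endswith("\\run"):
            entries.append((key, name, value))
    return entries


def flag_run_entries(entries):
    """Names of Run entries matching an indicator by value name, executable name or folder."""
    hits = []
    for _key, name, value in entries:
        v = value.lower()
        if (name.lower() in IOC_RUN_NAMES or any(f in v for f in IOC_FILES)
                or any("\\" + d + "\\" in v or v.endswith("\\" + d) for d in IOC_FOLDERS)):
            hits.append(name)
    return hits


# Constructed from the Avenger log posted in the thread.
AVENGER_LOG = r"""
File C:\WINDOWS\system32\wintems.exe deleted successfully.
File C:\WINDOWS\system32\hldrrr.exe deleted successfully.
Folder C:\Documents and Settings\MaTt&Co\Dati applicazioni\hidires deleted successfully.
Folder C:\WINDOWS\exefld deleted successfully.
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
Status: 0xc0000034
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr deleted successfully.
"""
# Constructed GMER excerpt: the posted Run keys with the infected value re-added (pre-cleanup state);
# GMER_AFTER is the same keys without it, as in the Autostart log posted after the cleanup.
GMER_BEFORE = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@hldrrrC:\WINDOWS\system32\hldrrr.exe = C:\WINDOWS\system32\hldrrr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
"""
GMER_AFTER = GMER_BEFORE.replace("@hldrrrC:\\WINDOWS\\system32\\hldrrr.exe = C:\\WINDOWS\\system32\\hldrrr.exe\n", "")

if __name__ == "__main__":
    acts = parse_avenger_log(AVENGER_LOG)
    for a in acts:
        print("OK  " if a["ok"] else "FAIL", a["kind"], a["target"], a["status"] or "")
    print("needs follow-up:", needs_followup(acts))
    print("flagged before:", flag_run_entries(gmer_run_entries(GMER_BEFORE)),
          "after:", flag_run_entries(gmer_run_entries(GMER_AFTER)))
```

Run it as a script to see one verdict per Avenger action, or call parse_avenger_log on the contents of the log Avenger leaves in C:\Avenger. The Run keys are only one of the persistence points GMER lists; the Winlogon Userinit value and the Services block in the same log need the same comparison against known-good values, which this parser does not do.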

Post by invino » 19/02/07 13:12

Forgive me, this is the correct log

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-19 13:11:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT a347bus.sys ZwClose
SSDT a347bus.sys ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT a347bus.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT a347bus.sys ZwSetSystemPowerState

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 867E2328
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 860A5AB8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 860A5AB8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 86246260
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 860A5AB8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 860A5AB8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE_NAMED_PIPE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CLOSE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_READ 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_WRITE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_FLUSH_BUFFERS 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DIRECTORY_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_FILE_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SHUTDOWN 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_LOCK_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CLEANUP 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE_MAILSLOT 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_SECURITY 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_SECURITY 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_POWER 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DEVICE_CHANGE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_QUOTA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_QUOTA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_PNP 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_NAMED_PIPE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_READ 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_WRITE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FLUSH_BUFFERS 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DIRECTORY_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FILE_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_LOCK_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLEANUP 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_MAILSLOT 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_SECURITY 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_SECURITY 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CHANGE 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_QUOTA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_QUOTA 860E62A8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 860E62A8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 860E62A8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT
invino
Junior Member
 
Posts: 23
Joined: 06/10/06 14:06

Post by Luke57 » 19/02/07 13:38

Hi, OK. Then, to re-enable the services that were stopped:
Open the Services list (Start --> Run --> type SERVICES.MSC --> OK) and enable, where necessary, these disabled services:
Alerter, Security Center, Automatic Updates, Network Connections, Wireless Zero Configuration and Windows Firewall/Internet Connection Sharing (ICS).
(To start a service, right-click it, Properties --> Automatic --> OK --> Start --> OK).

Then from here (to restore Safe Mode, which was disabled by the virus):
http://www.wininizio.it/forum/index....=post&id=13379
download the .zip file, unzip it and run the .reg file with a double-click.
Luke57
Moderator
 
Posts: 6410
Joined: 11/08/05 19:10

Post by invino » 19/02/07 13:53

OK, except for:

- Wireless Zero Configuration and Windows Firewall, which I can't start

- http://www.wininizio.it/forum/index....=post&id=13379 this link, which can't be found.


Luke, do you think I can now move on to reinstalling an antivirus (if so, is Kaspersky better than AVG?)

Thanks again
invino
Junior Member
 
Posts: 23
Joined: 06/10/06 14:06

Post by Luke57 » 20/02/07 08:53

Hi, try this link for the .reg file:
http://www.megalab.it/download.php?id=349
Luke57
Moderator
 
Posts: 6410
Joined: 11/08/05 19:10

Post by invino » 20/02/07 14:10

Great, added to the registry.

Thank you very much Luke, I owe you one (not in this field, obviously ;)).
invino
Junior Member
 
Posts: 23
Joined: 06/10/06 14:06

