Linkoptimizer: here are the GMER logs. Who can help me?


Post by fadu » 31/08/06 14:03

Hi everyone, I've read a few posts on the subject. I've already downloaded Avenger, GMER, MyUninstaller (removing linkoptimizer and connectionservices from the installed applications) and CCleaner; I've already deleted a strange user (Wko), made hidden files and folders visible, and deleted that same user's folder under C:\Documents and Settings.
Now I'm posting the GMER logs.
Can you help me go on from here?
Thanks a lot.

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-31 14:25:26
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT 81F0ADB0 ZwConnectPort

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F8ABC85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F8ABC85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F8ABC85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F8ABC85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F8ABC85A] avgtdi.sys
---- Processes - GMER 1.0.10 ----

Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [2500] 0x01F20000 <-- ROOTKIT !!!
Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [4036] 0x01F20000 <-- ROOTKIT !!!

---- Files - GMER 1.0.10 ----

File C:\WINDOWS\mdoom1.dll
File C:\WINDOWS\system32\lpt4.hzq

---- EOF - GMER 1.0.10 ----





GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-31 14:27:47
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\system32\lpt4.hzq

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Canon Driver Information Assist Service /*Canon Driver Information Assist Service*/@ = C:\Programmi\Canon\DIAS\CnxDIAS.exe
ccEvtMgr /*Symantec Event Manager*/@ = "c:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
ccSetMgr /*Symantec Settings Manager*/@ = "c:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe"
Iomega App Services /*Iomega App Services*/@ = "C:\PROGRA~1\Iomega\System32\AppServices.exe"
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
navapsvc /*Servizio Norton AntiVirus Auto-Protect*/@ = "c:\Programmi\Norton AntiVirus\navapsvc.exe"
SBService /*ScriptBlocking Service*/@ = C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
SrvXdx /*SrvXdx*/@ = "C:\Programmi\File comuni\System\mfxS.exe"
SymWSC /*SymWMI Service*/@ = "C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe"
_IOMEGA_ACTIVE_DISK_SERVICE_ /*Iomega Active Disk*/@ = "C:\Programmi\Iomega\AutoDisk\ADService.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@BluetoothAuthenticationAgentrundll32.exe irprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
@SmappC:\Programmi\Analog Devices\SoundMAX\SMTray.exe = C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
@IgfxTrayC:\WINDOWS\System32\igfxtray.exe = C:\WINDOWS\System32\igfxtray.exe
@HotKeysCmdsC:\WINDOWS\System32\hkcmd.exe = C:\WINDOWS\System32\hkcmd.exe
@tgcmd /*file not found*/ = /*file not found*/
@UC_StartC:\IBMTools\Updater\ucstartup.exe = C:\IBMTools\Updater\ucstartup.exe
@ccApp"c:\Programmi\File comuni\Symantec Shared\ccApp.exe" = "c:\Programmi\File comuni\Symantec Shared\ccApp.exe"
@ibmmessagesC:\Programmi\IBM\Messages By IBM\ibmmessages.exe = C:\Programmi\IBM\Messages By IBM\ibmmessages.exe
@Mouse Suite 98 DaemonICO.EXE = ICO.EXE
@SW_SUBST_L:"C:\Export\sysint\client\bin\sw_subst.exe" L:,C:\Export = "C:\Export\sysint\client\bin\sw_subst.exe" L:,C:\Export
@ADUserMonC:\Programmi\Iomega\AutoDisk\ADUserMon.exe = C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
@Iomega Drive IconsC:\Programmi\Iomega\DriveIcons\ImgIcon.exe = C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
@DeskupC:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART = C:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART
@Symantec NetDriver MonitorC:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
@PRONoMgr.exeC:\Programmi\Intel\NCS\PROSet\PRONoMgr.exe = C:\Programmi\Intel\NCS\PROSet\PRONoMgr.exe
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_06\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@StatusClient 2.6C:\Programmi\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto = C:\Programmi\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
@TomcatStartup 2.5C:\Programmi\Hewlett-Packard\Toolbox\hpbpsttp.exe = C:\Programmi\Hewlett-Packard\Toolbox\hpbpsttp.exe
@HP Software Update"C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" = "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@tgcmd /*file not found*/ = /*file not found*/
@ibmmessagesC:\Programmi\IBM\Messages By IBM\ibmmessages.exe = C:\Programmi\IBM\Messages By IBM\ibmmessages.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{c7745760-8ead-11ce-b750-02608ca5202c} /*IomegaWare Shell Extension*/C:\Programmi\Iomega\Shell\ImgMenu.dll = C:\Programmi\Iomega\Shell\ImgMenu.dll
@{c7745761-8ead-11ce-b750-02608ca5202c} /*IomegaWare Shell Extension*/C:\Programmi\Iomega\Shell\ImgProp.dll = C:\Programmi\Iomega\Shell\ImgProp.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Programmi\Norton AntiVirus\NavShExt.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Programmi\Norton AntiVirus\NavShExt.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{BDF3E430-B101-42AD-A544-FADC6B084872}c:\Programmi\Norton AntiVirus\NavShExt.dll = c:\Programmi\Norton AntiVirus\NavShExt.dll
@{D4ED03F3-6672-F05B-77C2-859151625148}C:\WINDOWS\mdoom1.dll = C:\WINDOWS\mdoom1.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.libero.it/ = http://www.libero.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0785DD61-1E4F-459A-8CDA-25A8C1428A69} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.1.10 = 192.168.1.10
@NameServer192.168.1.1 = 192.168.1.1
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =

C:\Documents and Settings\UTENTE\Menu Avvio\Programmi\Esecuzione automatica = conf_L.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.10 ----


Thanks again
fadu
Newbie
 
Posts: 8
Joined: 31/08/06 13:36


Post by Luke57 » 31/08/06 14:42

Hi, download Avenger to your desktop
http://swandog46.geekstogo.com/avenger.zip
unzip the .zip file
Run avenger.exe
Select the option "Input Script Manually"
Click on the magnifying glass

A "View/edit script" window opens
Inside the white box, copy and paste the text in bold:
Registry values to replace with dummy:


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\SrvXdx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4ED03F3-6672-F05B-77C2-859151625148}


Files to delete:
C:\WINDOWS\mdoom1.dll
C:\WINDOWS\system32\lpt4.hzq
C:\Programmi\File comuni\System\mfxS.exe



Click the Done button
Click the green traffic-light icon
Answer Yes twice
The PC should reboot by itself; if it doesn't, reboot it manually


Post the Avenger log (C:/avenger.txt) with the result of the script

Check whether there are other green-coloured files, or in any case files with an .exe extension, in C:\Programmi\File comuni\System.
If so, let us know their names.
Luke57
Moderator
 
Posts: 6415
Joined: 11/08/05 19:10
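The Avenger script above targets four persistence points visible in the first GMER logs: a DLL GMER marks as hidden inside iexplore.exe, a populated AppInit_DLLs value, a service whose binary sits under File comuni\System, and a Browser Helper Object whose DLL lives directly in C:\WINDOWS. The following is an added example, not code from the thread or from GMER/Avenger: a small Python triage script that reads GMER log lines and flags exactly those kinds of entries, so a defender can see at a glance what in an Autostart log deserves a second look. The sample input is constructed from lines copied out of the logs posted above; the location heuristics and the "File comuni" = "Common Files" mapping are the example's own assumptions.

```python
"""Triage GMER log lines for the persistence points this thread's cleanup removes:
a hidden in-memory module, a populated AppInit_DLLs value, and a service or
Browser Helper Object pointing at a file in an unusual location."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the GMER logs posted in the thread.
SAMPLE_LOG = r"""
---- Processes - GMER 1.0.10 ----

Library C:\WINDOWS\mdoom1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [2500] 0x01F20000 <-- ROOTKIT !!!

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\system32\lpt4.hzq

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
SrvXdx /*SrvXdx*/@ = "C:\Programmi\File comuni\System\mfxS.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@tgcmd /*file not found*/ = /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{BDF3E430-B101-42AD-A544-FADC6B084872}c:\Programmi\Norton AntiVirus\NavShExt.dll = c:\Programmi\Norton AntiVirus\NavShExt.dll
@{D4ED03F3-6672-F05B-77C2-859151625148}C:\WINDOWS\mdoom1.dll = C:\WINDOWS\mdoom1.dll
"""

# Extensions we expect for something loaded as a module or started as a service.
KNOWN_EXTENSIONS = {"dll", "exe", "sys", "ocx", "cpl"}
LONG_PATH_PREFIX = "\\\\?\\"  # the \\?\ prefix GMER showed on the AppInit_DLLs value


@dataclass(frozen=True)
class Finding:
    kind: str    # "hidden-module", "appinit-dll" or "suspicious-path"
    where: str   # GMER section or registry key the line came from
    path: str    # normalised module/executable path
    reason: str


def extract_path(value: str) -> str:
    """Pull the executable path out of a GMER value: drop surrounding quotes,
    trailing command-line arguments and the \\?\ long-path prefix."""
    v = value.strip()
    if v.startswith('"') and v.count('"') >= 2:
        v = v[1:v.index('"', 1)]
    else:
        # Unquoted values may carry arguments such as ' /STARTUP' or ' -atboottime'.
        v = re.split(r" [/-]", v, maxsplit=1)[0]
    if v.startswith(LONG_PATH_PREFIX):
        v = v[len(LONG_PATH_PREFIX):]
    return v


def path_reasons(path: str) -> list:
    """Heuristics (assumptions of this example) for why a path deserves review."""
    low = path.lower()
    parts = low.split("\\")
    reasons = []
    if len(parts) == 3 and parts[1] == "windows":
        reasons.append("module sits directly in the Windows folder rather than system32")
    # 'File comuni' is 'Common Files' on an Italian Windows install.
    if "\\file comuni\\system\\" in low or "\\common files\\system\\" in low:
        reasons.append("executable under Common Files\\System")
    name = parts[-1]
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext not in KNOWN_EXTENSIONS:
        reasons.append(f"unexpected extension '.{ext}' for a loaded module")
    return reasons


def triage(log_text: str) -> list:
    """Walk GMER 'Rootkit' and 'Autostart' log lines and return the findings."""
    findings = []
    section = "(top level)"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("---- ") and line.endswith(" ----"):
            section = line.strip("- ")          # e.g. "Processes - GMER 1.0.10"
            continue
        if line.endswith(" >>>"):
            section = line[:-4].rstrip("\\")    # registry key that groups the next lines
            continue
        # GMER marks a module it sees in memory but not through the normal file API as hidden.
        if "*** hidden ***" in line or "<-- ROOTKIT" in line:
            m = re.match(r"Library (.+?) \(", line)
            path = m.group(1) if m else line
            findings.append(Finding("hidden-module", section, path,
                                    "GMER reports the module as hidden"))
            continue
        if " = " not in line:
            continue
        key, value = line.split(" = ", 1)
        if "/*file not found*/" in value or not value.strip():
            continue  # dangling entry, nothing on disk to review
        where = key.split("@", 1)[0] if key.startswith("HK") else section
        if key.endswith("@AppInit_DLLs"):
            findings.append(Finding("appinit-dll", where, extract_path(value),
                                    "AppInit_DLLs is normally empty; anything listed is loaded into every user32 process"))
        if ":\\" not in value:
            continue  # not a path (e.g. 'rundll32.exe irprops.cpl,...' or 'ICO.EXE')
        path = extract_path(value)
        for reason in path_reasons(path):
            findings.append(Finding("suspicious-path", where, path, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.path}\n    in: {f.where}\n    why: {f.reason}")
```

Run against the sample it reports five findings, all of them entries that the Avenger script above deletes or neuters, while the AVG service and the Norton BHO on the same lines pass without comment.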

Post by fadu » 31/08/06 15:13

here is the Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yyisohjd

*******************

Script file located at: \??\C:\WINDOWS\xbippejw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\SrvXdx deleted successfully.
File C:\WINDOWS\mdoom1.dll deleted successfully.
File C:\WINDOWS\system32\lpt4.hzq deleted successfully.
File C:\Programmi\File comuni\System\mfxS.exe deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4ED03F3-6672-F05B-77C2-859151625148} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Whereas before there was a file with an .exe extension in File comuni that I couldn't delete, now it's gone.
How do I proceed?
Thanks in advance


Federico
fadu
Newbie
 
Posts: 8
Joined: 31/08/06 13:36

Post by Luke57 » 31/08/06 15:22

Hi, you should be fine now: Avenger deleted all the files, and the rest (hidden users, malicious applications and the rogue folder) you had already taken care of yourself.
Anyway, if you have problems, just tell us.
Luke57
Moderator
 
Posts: 6415
Joined: 11/08/05 19:10

Post by fadu » 31/08/06 15:46

Hi Luke,

first of all, thanks a lot for the help, the availability and the speed.
I'm posting the "new" HijackThis and GMER logs.
Could you check for me that everything is OK?
Another question.
I've seen that three of the four clients also have Linkoptimizer.
I'll follow the same procedure, but when I use GMER the files to delete will be different from the ones you wrote in bold earlier, I imagine, so I'll have to post you the results, right?

Logfile of HijackThis v1.99.1
Scan saved at 16.42.28, on 31/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Programmi\Intel\NCS\PROSet\PRONoMgr.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmi\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
c:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Iomega\AutoDisk\ADService.exe
c:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\Programmi\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Programmi\Canon\DIAS\CnxDIAS.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\UTENTE\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ccApp] "c:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ibmmessages] C:\Programmi\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SW_SUBST_L:] "C:\Export\sysint\client\bin\sw_subst.exe" L:,C:\Export
O4 - HKLM\..\Run: [ADUserMon] C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programmi\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Programmi\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programmi\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ibmmessages] C:\Programmi\IBM\Messages By IBM\ibmmessages.exe
O4 - Startup: conf_L.lnk = C:\sysintc\UTENTE\conf_L\bin\swmenu.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6951029109
O17 - HKLM\System\CCS\Services\Tcpip\..\{0785DD61-1E4F-459A-8CDA-25A8C1428A69}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0785DD61-1E4F-459A-8CDA-25A8C1428A69}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0785DD61-1E4F-459A-8CDA-25A8C1428A69}: NameServer = 192.168.1.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Programmi\Canon\DIAS\CnxDIAS.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - c:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmi\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Programmi\Iomega\AutoDisk\ADService.exe



GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-31 16:38:05
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT 822C98E0 ZwConnectPort

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F8ACC85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F8ACC85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F8ACC85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F8ACC85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F8ACC85A] avgtdi.sys

---- EOF - GMER 1.0.10 ----





GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-31 16:40:32
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Canon Driver Information Assist Service /*Canon Driver Information Assist Service*/@ = C:\Programmi\Canon\DIAS\CnxDIAS.exe
ccEvtMgr /*Symantec Event Manager*/@ = "c:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
ccSetMgr /*Symantec Settings Manager*/@ = "c:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe"
Iomega App Services /*Iomega App Services*/@ = "C:\PROGRA~1\Iomega\System32\AppServices.exe"
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
navapsvc /*Servizio Norton AntiVirus Auto-Protect*/@ = "c:\Programmi\Norton AntiVirus\navapsvc.exe"
SBService /*ScriptBlocking Service*/@ = C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
SymWSC /*SymWMI Service*/@ = "C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe"
_IOMEGA_ACTIVE_DISK_SERVICE_ /*Iomega Active Disk*/@ = "C:\Programmi\Iomega\AutoDisk\ADService.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@BluetoothAuthenticationAgentrundll32.exe irprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
@SmappC:\Programmi\Analog Devices\SoundMAX\SMTray.exe = C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
@IgfxTrayC:\WINDOWS\System32\igfxtray.exe = C:\WINDOWS\System32\igfxtray.exe
@HotKeysCmdsC:\WINDOWS\System32\hkcmd.exe = C:\WINDOWS\System32\hkcmd.exe
@tgcmd /*file not found*/ = /*file not found*/
@UC_StartC:\IBMTools\Updater\ucstartup.exe = C:\IBMTools\Updater\ucstartup.exe
@ccApp"c:\Programmi\File comuni\Symantec Shared\ccApp.exe" = "c:\Programmi\File comuni\Symantec Shared\ccApp.exe"
@ibmmessagesC:\Programmi\IBM\Messages By IBM\ibmmessages.exe = C:\Programmi\IBM\Messages By IBM\ibmmessages.exe
@Mouse Suite 98 DaemonICO.EXE = ICO.EXE
@SW_SUBST_L:"C:\Export\sysint\client\bin\sw_subst.exe" L:,C:\Export = "C:\Export\sysint\client\bin\sw_subst.exe" L:,C:\Export
@ADUserMonC:\Programmi\Iomega\AutoDisk\ADUserMon.exe = C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
@Iomega Drive IconsC:\Programmi\Iomega\DriveIcons\ImgIcon.exe = C:\Programmi\Iomega\DriveIcons\ImgIcon.exe
@DeskupC:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART = C:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART
@Symantec NetDriver MonitorC:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
@PRONoMgr.exeC:\Programmi\Intel\NCS\PROSet\PRONoMgr.exe = C:\Programmi\Intel\NCS\PROSet\PRONoMgr.exe
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_06\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@StatusClient 2.6C:\Programmi\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto = C:\Programmi\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
@TomcatStartup 2.5C:\Programmi\Hewlett-Packard\Toolbox\hpbpsttp.exe = C:\Programmi\Hewlett-Packard\Toolbox\hpbpsttp.exe
@HP Software Update"C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" = "C:\Programmi\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@tgcmd /*file not found*/ = /*file not found*/
@ibmmessagesC:\Programmi\IBM\Messages By IBM\ibmmessages.exe = C:\Programmi\IBM\Messages By IBM\ibmmessages.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{c7745760-8ead-11ce-b750-02608ca5202c} /*IomegaWare Shell Extension*/C:\Programmi\Iomega\Shell\ImgMenu.dll = C:\Programmi\Iomega\Shell\ImgMenu.dll
@{c7745761-8ead-11ce-b750-02608ca5202c} /*IomegaWare Shell Extension*/C:\Programmi\Iomega\Shell\ImgProp.dll = C:\Programmi\Iomega\Shell\ImgProp.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Programmi\Norton AntiVirus\NavShExt.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = c:\Programmi\Norton AntiVirus\NavShExt.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{BDF3E430-B101-42AD-A544-FADC6B084872}c:\Programmi\Norton AntiVirus\NavShExt.dll = c:\Programmi\Norton AntiVirus\NavShExt.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.libero.it/ = http://www.libero.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0785DD61-1E4F-459A-8CDA-25A8C1428A69} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.1.10 = 192.168.1.10
@NameServer192.168.1.1 = 192.168.1.1
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =

C:\Documents and Settings\UTENTE\Menu Avvio\Programmi\Esecuzione automatica = conf_L.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.10 ----


Thanks again,


Federico
fadu
Newbie
 
Posts: 8
Joined: 31/08/06 13:36

Post by Luke57 » 31/08/06 15:57

Hi, in the logs I don't see anything that can be tied to linkoptimizer.
Yes, the files to put into the Avenger script change, so the Gmer logs have to be looked at case by case.
Let's hope this version of the virus turns out as tractable as this one, because the evil thing is getting more and more organized.
On that, see here:

http://www.hwupgrade.it/news/sicurezza/18390.html
Luke57
Moderator
 
Posts: 6415
Joined: 11/08/05 19:10

Post by fadu » 31/08/06 16:30

Hi, it's Federico again.
Here are the Gmer logs for the first client on which linkoptimizer shows up:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-31 17:23:44
Windows 5.0.2195


---- System - GMER 1.0.10 ----

SSDT 816CE588 ZwConnectPort
---- Processes - GMER 1.0.10 ----

Library C:\WINNT\duyuv1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\IEXPLORE.EXE [984] 0x01340000 <-- ROOTKIT !!!

---- Files - GMER 1.0.10 ----

File C:\WINNT\system32\lpt3.uoj
File C:\WINNT\duyuv1.dll

---- EOF - GMER 1.0.10 ----


GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-31 17:24:23
Windows 5.0.2195


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINNT\system32\userinit.exe,,C:\WINNT\svchost.exe = C:\WINNT\system32\userinit.exe,,C:\WINNT\svchost.exe
@ShellC:\WINNT\Explorer.Exe = C:\WINNT\Explorer.Exe
Windows@AppInit_DLLs = \\?\C:\WINNT\System32\lpt3.uoj

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
ccEvtMgr /*Symantec Event Manager*/@ = "C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
fdex /*Gestione estesa floppy disk*/@ = C:\WINNT\downlo~1\8w4eqv\ci4l41d.exe
navapsvc /*Servizio Norton AntiVirus Auto-Protect*/@ = "C:\Programmi\Norton AntiVirus\navapsvc.exe"
PPPoEService /*PPPoE Service*/@ = C:\PROGRA~1\TELECO~1\TELECO~1\app\pppoeservice.exe
RemoteRegistry /*Servizio Registro di sistema remoto*/@ = %SystemRoot%\system32\regsvc.exe
SBService /*ScriptBlocking Service*/@ = C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\system32\MSTask.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
StiSvc /*Still Image Service*/@ = %systemroot%\system32\stisvc.exe
SymWSC /*SymWMI Service*/@ = C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
WinMgmt /*Strumentazione gestione Windows*/@ = %SystemRoot%\System32\WBEM\WinMgmt.exe
WMDM PMSP Service /*WMDM PMSP Service*/@ = C:\WINNT\System32\mspmspsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@Sysres /*file not found*/ = /*file not found*/
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@ccApp"C:\Programmi\File comuni\Symantec Shared\ccApp.exe" = "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
@ccRegVfy"C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe" = "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
@SSC_UserPromptC:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe = C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
@Symantec NetDriver MonitorC:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
@AtiPanelC:\WINNT\atip.exe /*file not found*/ = C:\WINNT\atip.exe /*file not found*/
@LoadQMloadqm.exe = loadqm.exe
@MediaCtrC:\WINNT\mediacon.exe -i /*file not found*/ = C:\WINNT\mediacon.exe -i /*file not found*/
@dviv1.exeC:\WINNT\TEMP\dviv1.exe = C:\WINNT\TEMP\dviv1.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@PornoSito = C:\Documents and Settings\Giacomo\Dati applicazioni\PornoSito[1].exe t /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*Estensione CPL PlusPack*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Anteprima*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Programma di estrazione filtri grafici di Office in anteprima*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{BB7DF450-F119-11CD-8465-00AA00425D90} /*Microsoft Access Custom Icon Handler*/C:\Programmi\Microsoft Office\Office\soa800.dll = C:\Programmi\Microsoft Office\Office\soa800.dll
@{59850401-6664-101B-B21C-00AA004BA90B} /*Utilità di separazione di Raccoglitore Office.*/C:\Programmi\Microsoft Office\Office\UNBIND.DLL = C:\Programmi\Microsoft Office\Office\UNBIND.DLL
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealOne Player\rpshellext.dll = C:\Programmi\Real\RealOne Player\rpshellext.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{471723FF-3AC4-22F2-1779-6C8F88BE7056}C:\WINNT\duyuv1.dll = C:\WINNT\duyuv1.dll
@{BDF3E430-B101-42AD-A544-FADC6B084872}C:\Programmi\Norton AntiVirus\NavShExt.dll = C:\Programmi\Norton AntiVirus\NavShExt.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINNT\System32\ssmarque.scr

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\ >>>
.bcf@Location = C:\Programmi\Internet Explorer\Plugins\NPBelv32.dll
.pdf@Location = C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.com/ = http://www.google.com/
@Local PageC:\WINNT\System32\blank.htm = C:\WINNT\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
belarc@CLSID = C:\Programmi\Belarc\Advisor\System\BAVoilaX.dll
its@CLSID = C:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

C:\Documents and Settings\Giacomo\Menu Avvio\Programmi\Esecuzione automatica = conf_L.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.10 ----


How do I proceed?

Federico
fadu
Newbie
 
Posts: 8
Joined: 31/08/06 13:36

Post by fadu » 31/08/06 17:08

Another problem.
On another client gmer downloads, from the usual link found in earlier posts, but it won't open.
What's going on?


Federico
fadu
Newbie
 
Posts: 8
Joined: 31/08/06 13:36

Post by frontrunner » 31/08/06 18:26

Since you have the same problem, I'm asking for help.
I can't copy the rootkit log onto the forum; I don't know, maybe it's too long.
How did you do it??
Thanks
frontrunner
Junior User
 
Posts: 96
Joined: 26/06/06 17:04

Post by Luke57 » 31/08/06 18:47

@ Fadu
Download Avenger to the desktop
http://swandog46.geekstogo.com/avenger.zip
Unpack the .zip file
Run the file avenger.exe
Select the option "Input Script Manually"
Click the magnifying glass

A "View/edit script" window opens
Inside the white box, copy and paste the text in bold:


Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dviv1.exe


Files to delete:
C:\WINNT\system32\lpt3.uoj
C:\WINNT\duyuv1.dll
C:\WINNT\TEMP\dviv1.exe


Click the Done button
Click the green traffic-light icon
Answer Yes twice
The PC should reboot by itself; if it doesn't, reboot it manually


Post the Avenger log (C:/avenger.txt) with the outcome of the script

I didn't see the malicious service (now it's starting to hide from the Gmer log as well)
Start>Run>services.msc (copy it into the box)>OK
In the Services window, check for a service whose Log On As column, instead of Network Service or Local System, shows a random name, like /yKXZq and so on.
Right-click it and, from Properties, find the path of its executable file. Then let me know.

Try GMer in safe mode (though I have little faith in it). On the suspectfile site they had prepared modified versions of Gmer, but the site is down for maintenance right now.
Luke57
Moderator
 
Posts: 6415
Joined: 11/08/05 19:10
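Luke57's steps above boil down to reading the GMER log for a few persistence points (a hidden DLL injected into iexplore.exe, AppInit_DLLs, a Run entry, an extra program chained onto Userinit) and turning them into an Avenger script. The following is an added example, not code from the thread, from GMER or from Avenger, that does that triage in Python over sample lines constructed from the second GMER log; it assumes the log layout shown in the posts, that the Rootkit scan precedes the Autostart scan, and that Avenger accepts a "Registry values to delete:" directive in the same "key | value" form as the dummy-replace one.

```python
"""Triage a GMER log for the persistence points flagged in this thread and draft
the matching Avenger script. Added example, not code from the thread, GMER or
Avenger; it only understands the log layout shown in the posts above."""
import re
from dataclasses import dataclass

APPINIT_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"  # real home of AppInit_DLLs
HIDDEN_LIB_RE = re.compile(r"^Library (.+?) \(\*\*\* hidden \*\*\* \) @ (.+?) \[")
SECTION_RE = re.compile(r"^(HK.+?) >>>$")
COMMENT_RE = re.compile(r"\s*/\*.*?\*/")  # GMER's /*display name*/ and /*file not found*/ notes


@dataclass(frozen=True)
class Finding:
    reason: str  # why the entry is suspicious
    key: str     # registry key, or the process name for an injected library
    name: str    # value name or CLSID, "" when not applicable
    path: str    # file on disk the entry loads


def clean_path(value):
    """Reduce a registry value to the file it names (drop the NT object-path prefix and quotes)."""
    v = COMMENT_RE.sub("", value).strip()
    if v.startswith("\\\\?\\"):
        v = v[4:]
    if v.startswith('"'):
        return v[1:].split('"', 1)[0]
    return v


def parse_entry(line, section):
    """Return (key, name, value) for one Autostart entry line, or None."""
    if " = " not in line:
        return None
    left, right = (s.strip() for s in line.split(" = ", 1))
    if left.startswith("@"):  # "@<name><value> = <value>": GMER echoes the value, strip it
        name = left[1:-len(right)] if right and left.endswith(right) else left[1:]
        return section, COMMENT_RE.sub("", name).strip(), right
    if "@" in left:  # "<key>@<name> = <value>": key is absolute when it starts with HK
        key, name = left.rsplit("@", 1)
        key = COMMENT_RE.sub("", key)
        return (key if key.startswith("HK") or not section else section + "\\" + key), name, right
    return None


def triage(log_text):
    """Walk a Rootkit scan followed by an Autostart scan; return findings in log order."""
    findings, hidden, section = [], set(), ""
    for line in (l.strip() for l in log_text.splitlines()):
        if m := HIDDEN_LIB_RE.match(line):
            hidden.add(m.group(1).lower())
            findings.append(Finding("hidden DLL injected into process", m.group(2), "", m.group(1)))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif entry := parse_entry(line, section):
            key, name, value = entry
            path = clean_path(value)
            if name == "AppInit_DLLs" and path:
                findings.append(Finding("AppInit_DLLs loads a DLL into every GUI process", APPINIT_KEY, name, path))
            elif key.endswith("\\Run") and "\\temp\\" in path.lower():
                findings.append(Finding("Run entry starts an executable from TEMP", key, name, path))
            elif key.endswith("Browser Helper Objects") and path.lower() in hidden:
                findings.append(Finding("BHO registered for a hidden DLL", key, name, path))
            elif name == "Userinit":
                for extra in (p.strip() for p in value.split(",")):
                    if extra and not extra.lower().endswith("\\userinit.exe"):
                        findings.append(Finding("extra program chained into Userinit", key, name, extra))
    return findings


def build_avenger_script(findings):
    """Render the findings with the directive headers used in this thread. A Run entry is a
    registry value, not a key, which is why the thread's "registry keys to delete:" attempt
    failed with 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND); it goes under a values directive."""
    dummy, values, files, seen = [], [], [], set()
    for f in findings:
        if f.name == "AppInit_DLLs":
            dummy.append(f"{f.key} | {f.name}")
        elif f.key.endswith("\\Run"):
            values.append(f"{f.key} | {f.name}")
        if f.path and f.path.lower() not in seen:  # the same file may appear under several entries
            seen.add(f.path.lower())
            files.append(f.path)
    out = ["Registry values to replace with dummy:", *dummy, ""] if dummy else []
    out += ["Registry values to delete:", *values, ""] if values else []
    return "\n".join(out + ["Files to delete:", *files]) + "\n"


# Constructed sample: lines taken from the second GMER log in this thread.
SAMPLE_LOG = r"""
Library C:\WINNT\duyuv1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\IEXPLORE.EXE [984] 0x01340000 <-- ROOTKIT !!!
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINNT\system32\userinit.exe,,C:\WINNT\svchost.exe = C:\WINNT\system32\userinit.exe,,C:\WINNT\svchost.exe
Windows@AppInit_DLLs = \\?\C:\WINNT\System32\lpt3.uoj
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@dviv1.exeC:\WINNT\TEMP\dviv1.exe = C:\WINNT\TEMP\dviv1.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{471723FF-3AC4-22F2-1779-6C8F88BE7056}C:\WINNT\duyuv1.dll = C:\WINNT\duyuv1.dll
"""
```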

Post by lucas/s » 31/08/06 21:44

The site is closed for a forum update and other things :D .
For linkoptimizer, I have a procedure in beta that hasn't been fully tested
(it carries no risk): it's just a matter of logging in as System (I'll provide the procedure) and seeing whether the tools can be started and the files deleted (even manually); that way the privileges are higher. Anyone who wants to try is welcome.

Bye

Gianluca
lucas/s
Senior User
 
Posts: 224
Joined: 04/02/06 00:33

Post by BilloKenobi » 31/08/06 21:54

lucas/s wrote: anyone who wants to try is welcome.


If only I had a sacrificial computer..... :aaah

Even though I know how to remove it, I don't feel like infecting the good PC (which is also the only one I own)
Begun the Clone War has

Yes yes, they made me an editor --- SuspectFile
BilloKenobi
Senior User
 
Posts: 348
Joined: 08/07/06 11:05

Post by lucas/s » 31/08/06 22:01

I know how to put it on and you know how to take it off, we complement each other. I meant those who were already infected; anyway, emulated machines exist :lol: :lol:
lucas/s
Senior User
 
Posts: 224
Joined: 04/02/06 00:33

Post by fadu » 01/09/06 08:39

Hi, it's Federico again.
I'm posting the Avenger and Gmer logs for you to check:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cujxbxuu

*******************

Script file located at: \??\C:\WINNT\System32\taommdia.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\lpt3.uoj deleted successfully.
File C:\WINNT\duyuv1.dll deleted successfully.
File C:\WINNT\TEMP\dviv1.exe deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.


Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dviv1.exe not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dviv1.exe failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-09-01 09:35:46
Windows 5.0.2195


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINNT\system32\userinit.exe,,C:\WINNT\svchost.exe = C:\WINNT\system32\userinit.exe,,C:\WINNT\svchost.exe
@ShellC:\WINNT\Explorer.Exe = C:\WINNT\Explorer.Exe

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
ccEvtMgr /*Symantec Event Manager*/@ = "C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
fdex /*Gestione estesa floppy disk*/@ = C:\WINNT\downlo~1\8w4eqv\ci4l41d.exe
navapsvc /*Servizio Norton AntiVirus Auto-Protect*/@ = "C:\Programmi\Norton AntiVirus\navapsvc.exe"
PPPoEService /*PPPoE Service*/@ = C:\PROGRA~1\TELECO~1\TELECO~1\app\pppoeservice.exe
RemoteRegistry /*Servizio Registro di sistema remoto*/@ = %SystemRoot%\system32\regsvc.exe
SBService /*ScriptBlocking Service*/@ = C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\system32\MSTask.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
StiSvc /*Still Image Service*/@ = %systemroot%\system32\stisvc.exe
SymWSC /*SymWMI Service*/@ = C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
WinMgmt /*Strumentazione gestione Windows*/@ = %SystemRoot%\System32\WBEM\WinMgmt.exe
WMDM PMSP Service /*WMDM PMSP Service*/@ = C:\WINNT\System32\mspmspsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@Sysres /*file not found*/ = /*file not found*/
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@ccApp"C:\Programmi\File comuni\Symantec Shared\ccApp.exe" = "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
@ccRegVfy"C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe" = "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
@SSC_UserPromptC:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe = C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
@Symantec NetDriver MonitorC:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
@AtiPanelC:\WINNT\atip.exe /*file not found*/ = C:\WINNT\atip.exe /*file not found*/
@LoadQMloadqm.exe = loadqm.exe
@MediaCtrC:\WINNT\mediacon.exe -i /*file not found*/ = C:\WINNT\mediacon.exe -i /*file not found*/
@dviv1.exeC:\WINNT\TEMP\dviv1.exe /*file not found*/ = C:\WINNT\TEMP\dviv1.exe /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@PornoSito = C:\Documents and Settings\Giacomo\Dati applicazioni\PornoSito[1].exe t /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*Estensione CPL PlusPack*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Anteprima*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Programma di estrazione filtri grafici di Office in anteprima*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{BB7DF450-F119-11CD-8465-00AA00425D90} /*Microsoft Access Custom Icon Handler*/C:\Programmi\Microsoft Office\Office\soa800.dll = C:\Programmi\Microsoft Office\Office\soa800.dll
@{59850401-6664-101B-B21C-00AA004BA90B} /*Utilità di separazione di Raccoglitore Office.*/C:\Programmi\Microsoft Office\Office\UNBIND.DLL = C:\Programmi\Microsoft Office\Office\UNBIND.DLL
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealOne Player\rpshellext.dll = C:\Programmi\Real\RealOne Player\rpshellext.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{BDF3E430-B101-42AD-A544-FADC6B084872}C:\Programmi\Norton AntiVirus\NavShExt.dll = C:\Programmi\Norton AntiVirus\NavShExt.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINNT\System32\ssmarque.scr

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\ >>>
.bcf@Location = C:\Programmi\Internet Explorer\Plugins\NPBelv32.dll
.pdf@Location = C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.com/ = http://www.google.com/
@Local PageC:\WINNT\System32\blank.htm = C:\WINNT\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
belarc@CLSID = C:\Programmi\Belarc\Advisor\System\BAVoilaX.dll
its@CLSID = C:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

C:\Documents and Settings\Giacomo\Menu Avvio\Programmi\Esecuzione automatica = conf_L.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.10 ----


Thanks, Federico
fadu
Newbie
 
Posts: 8
Joined: 31/08/06 13:36

Post by Luke57 » 01/09/06 09:01

Hi, paste this script into Avenger:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr


Files to delete:
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINNT\svchost.exe

The second file may not be there at all.
Also attach a HijackThis log.
Luke57
Moderator
 
Posts: 6415
Joined: 11/08/05 19:10

Post by fadu » 01/09/06 09:22

Here is everything you asked for:

Logfile of HijackThis v1.99.1
Scan saved at 10.12.03, on 01/09/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\downlo~1\8w4eqv\ci4l41d.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\TELECO~1\TELECO~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\explorer.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINNT\loadqm.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\Giacomo\Desktop\gmer.exe
C:\Programmi\Symantec\LiveUpdate\NDETECT.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\WINNT\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1040,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AtiPanel] C:\WINNT\atip.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MediaCtr] C:\WINNT\mediacon.exe -i
O4 - HKLM\..\Run: [dviv1.exe] C:\WINNT\TEMP\dviv1.exe
O4 - HKCU\..\Run: [PornoSito] C:\Documents and Settings\Giacomo\Dati applicazioni\PornoSito[1].exe t
O4 - Startup: conf_L.lnk = C:\sysintc\giacomo\conf_L\bin\swmenu.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O12 - Plugin for .bcf: C:\Programmi\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.accessoveloce.com/univ/ski/x/jmp17x.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7036193028
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7036088277
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1144070.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\TELECO~1\TELECO~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\krheypha

*******************

Script file located at: \??\C:\WINNT\System32\mmxxwetr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr deleted successfully.
File C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe deleted successfully.


File C:\WINNT\svchost.exe not found!
Deletion of file C:\WINNT\svchost.exe failed!

Could not process line:
C:\WINNT\svchost.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-01 10:18:07
Windows 5.0.2195


---- System - GMER 1.0.10 ----

SSDT 816CDF28 ZwConnectPort

---- EOF - GMER 1.0.10 ----

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-09-01 10:18:51
Windows 5.0.2195


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,,C:\WINNT\svchost.exe

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
fdex /*Gestione estesa floppy disk*/@ = C:\WINNT\downlo~1\8w4eqv\ci4l41d.exe
navapsvc /*Servizio Norton AntiVirus Auto-Protect*/@ = "C:\Programmi\Norton AntiVirus\navapsvc.exe"
PPPoEService /*PPPoE Service*/@ = C:\PROGRA~1\TELECO~1\TELECO~1\app\pppoeservice.exe
RemoteRegistry /*Servizio Registro di sistema remoto*/@ = %SystemRoot%\system32\regsvc.exe
SBService /*ScriptBlocking Service*/@ = C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\system32\MSTask.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
StiSvc /*Still Image Service*/@ = %systemroot%\system32\stisvc.exe
SymWSC /*SymWMI Service*/@ = C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
WinMgmt /*Strumentazione gestione Windows*/@ = %SystemRoot%\System32\WBEM\WinMgmt.exe
WMDM PMSP Service /*WMDM PMSP Service*/@ = C:\WINNT\System32\mspmspsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@Sysres /*file not found*/ = /*file not found*/
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@ccApp"C:\Programmi\File comuni\Symantec Shared\ccApp.exe" = "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
@ccRegVfy"C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe" = "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
@SSC_UserPromptC:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe = C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe
@Symantec NetDriver MonitorC:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
@AtiPanelC:\WINNT\atip.exe /*file not found*/ = C:\WINNT\atip.exe /*file not found*/
@LoadQMloadqm.exe = loadqm.exe
@MediaCtrC:\WINNT\mediacon.exe -i /*file not found*/ = C:\WINNT\mediacon.exe -i /*file not found*/
@dviv1.exeC:\WINNT\TEMP\dviv1.exe /*file not found*/ = C:\WINNT\TEMP\dviv1.exe /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@PornoSito = C:\Documents and Settings\Giacomo\Dati applicazioni\PornoSito[1].exe t /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*Estensione CPL PlusPack*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Anteprima*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Programma di estrazione filtri grafici di Office in anteprima*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{BB7DF450-F119-11CD-8465-00AA00425D90} /*Microsoft Access Custom Icon Handler*/C:\Programmi\Microsoft Office\Office\soa800.dll = C:\Programmi\Microsoft Office\Office\soa800.dll
@{59850401-6664-101B-B21C-00AA004BA90B} /*Utilità di separazione di Raccoglitore Office.*/C:\Programmi\Microsoft Office\Office\UNBIND.DLL = C:\Programmi\Microsoft Office\Office\UNBIND.DLL
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealOne Player\rpshellext.dll = C:\Programmi\Real\RealOne Player\rpshellext.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{BDF3E430-B101-42AD-A544-FADC6B084872}C:\Programmi\Norton AntiVirus\NavShExt.dll = C:\Programmi\Norton AntiVirus\NavShExt.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINNT\System32\ssmarque.scr

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\ >>>
.bcf@Location = C:\Programmi\Internet Explorer\Plugins\NPBelv32.dll
.pdf@Location = C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.com/ = http://www.google.com/
@Local PageC:\WINNT\System32\blank.htm = C:\WINNT\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
belarc@CLSID = C:\Programmi\Belarc\Advisor\System\BAVoilaX.dll
its@CLSID = C:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

C:\Documents and Settings\Giacomo\Menu Avvio\Programmi\Esecuzione automatica = conf_L.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.10 ----


Thanks again.
What about that problem with gmer on the other client?
Can I download an alternative program such as RootkitRevealer?

Federico
fadu
Newbie
 
Posts: 8
Joined: 31/08/06 13:36

Post by Luke57 » 01/09/06 10:23

Hi, as for HijackThis, click "Do a system scan only", then find and tick:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\WINNT\svchost.exe
O4 - HKLM\..\Run: [MediaCtr] C:\WINNT\mediacon.exe -i
O4 - HKLM\..\Run: [dviv1.exe] C:\WINNT\TEMP\dviv1.exe
O4 - HKCU\..\Run: [PornoSito] C:\Documents and Settings\Giacomo\Dati applicazioni\PornoSito[1].exe t
O4 - Startup: conf_L.lnk = C:\sysintc\giacomo\conf_L\bin\swmenu.exe
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1144070.exe

then click "Fix checked"

Find and delete the following files:
C:\WINNT\mediacon.exe
C:\WINNT\TEMP\dviv1.exe
C:\Documents and Settings\Giacomo\Dati applicazioni\PornoSito[1].exe
C:\sysintc\giacomo\conf_L\bin\swmenu.exe
C:\WINNT\downlo~1\8w4eqv\ci4l41d.exe

Download ATF Cleaner from here (temporary-file cleanup):
http://www.atribune.org/ccount/click.php?id=1
Start ATF Cleaner, click the "Main" menu and then tick the "Select All" box. Now click the "Empty Selected" button and wait for the "Done Cleaning!" message.

Try RootkitRevealer.
Luke57
Moderator
 
Posts: 6415
Joined: 11/08/05 19:10
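A small triage helper for HijackThis logs, added here as an example; it is not part of this thread, of HijackThis or of any other tool named in it. It encodes the patterns behind the moderator's picks above (a second program chained onto UserInit, Run entries launched from TEMP or the user's application-data folder, a DPF object that fetches a bare .exe, entries whose file is already missing); the sample lines are copied from the logs posted in the thread, and the example.invalid O16 entry is constructed as a negative case.

```python
import re

# Sample input: lines copied from the HijackThis logs posted in this thread, plus one
# constructed benign O16 entry (example.invalid) as a negative case for the .exe check.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\WINNT\svchost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {FB344BB7-64E6-E4F4-EC75-5D5B533A0329} - C:\WINDOWS\xffdl1.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dviv1.exe] C:\WINNT\TEMP\dviv1.exe
O4 - HKCU\..\Run: [PornoSito] C:\Documents and Settings\Giacomo\Dati applicazioni\PornoSito[1].exe t
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Control) - http://example.invalid/control.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1144070.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
# O4 lines come as "[name] path args" (Run keys) or "name.lnk = path" (Startup folders).
RUN_RE = re.compile(r"^O4 - [^:]+: (?:\[[^\]]*\]|\S+ =) (.+)$")
DPF_RE = re.compile(r"^O16 - DPF: .*? - (\S+)$")
MISSING_RE = re.compile(r"\((?:file missing|no file)\)$", re.I)
# Launch locations that installed software almost never uses but droppers do.
SUSPECT_DIR_RE = re.compile(
    r"\\(?:temp|dati applicazioni|application data|impostazioni locali|local settings)\\", re.I)
# "name[1].exe" is how Internet Explorer names a repeated download.
DOWNLOAD_NAME_RE = re.compile(r"\[\d+\]\.exe\b", re.I)


def triage_line(line):
    """Return a short reason if the HijackThis line deserves a closer look, else None."""
    line = line.strip()
    if MISSING_RE.search(line):
        return "entry points to a file that no longer exists (stale or partly removed)"
    m = USERINIT_RE.match(line)
    if m:
        programs = [p.strip() for p in m.group(1).split(",") if p.strip()]
        extra = [p for p in programs if not p.lower().endswith("\\userinit.exe")]
        if extra:
            return "extra program chained after userinit.exe: " + "; ".join(extra)
        return None
    m = RUN_RE.match(line)
    if m:
        target = m.group(1)
        if SUSPECT_DIR_RE.search(target):
            return "autostart launches from a temp or per-user data folder: " + target
        if DOWNLOAD_NAME_RE.search(target):
            return "autostart target carries a browser download name: " + target
        return None
    m = DPF_RE.match(line)
    if m and m.group(1).lower().endswith(".exe"):
        return "Downloaded Program File is a bare .exe rather than a .cab package: " + m.group(1)
    return None


def triage(log_text):
    """Return [(line, reason)] for every flagged line, in log order."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = triage_line(line)
        if reason:
            flagged.append((line, reason))
    return flagged


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{line[:60]:<60}  -> {reason}")
```

The heuristics only shortlist lines for a human to look at; a hit is a reason to check the file, not a verdict.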

Post by fadu » 01/09/06 17:40

No luck; on one client, where XP is running, it won't open the .exe files of Avenger, GMER or rootkit, while it does open MyUninstaller and HijackThis.
What should I do?
Meanwhile, here is the HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 18.40.01, on 01/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\ICO.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\RODOLFO\Impostazioni locali\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: Class - {FB344BB7-64E6-E4F4-EC75-5D5B533A0329} - C:\WINDOWS\xffdl1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [UC_Start] C:\Programmi\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ibmmessages] C:\Programmi\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\sndman.exe -i
O4 - HKLM\..\Run: [ImMsn] C:\WINDOWS\timed.exe /i
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Programmi\IBM\Messages By IBM\ibmmessages.exe
O4 - Startup: conf_L.lnk = C:\sysintc\RODOLFO\conf_L\bin\swmenu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Programmi\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

Thanks, Federico
fadu
Newbie
 
Posts: 8
Joined: 31/08/06 13:36

Post by Luke57 » 01/09/06 18:13

Hi, try this brand-new tool:
http://www.pc-facile.com/forum/viewtopic.php?t=49816
read the instructions (in English), then save the report at the end of the scan and post it in the forum.
Luke57
Moderator
 
Posts: 6415
Joined: 11/08/05 19:10

