Ancora linkoptimizer...un'occhiatina al log?

di **filippo77** » 27/10/06 09:59

Salve a tutti!!!
Di nuovo alle prese con il Linkoptimizer...
Sono alla fase della procedura in cui bisogna eliminare i file con l'Avenger, però prima di "lanciarmi" volevo chiedere il vostro aiuto perché non mi sento molto sicuro...
Mi controllate il log di Highjack?
Grazie mille anticipatamente!!!
Saluti

Logfile of HijackThis v1.97.7
Scan saved at 10.53.37, on 27/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programmi\Java\jre1.5.0_05\bin\jusched.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\Programmi\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Borland\JBuilder2005\jdk1.4\jre\bin\javaw.exe
C:\WINDOWS\LogWatNT.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nicitdl5.exe
C:\Programmi\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Programmi\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\File comuni\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\PCSuite\Services\NclBTHandler.exe
C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\FILECO~1\Nokia\MPAPI\MPAPI3s.exe
C:\Programmi\WIDCOMM\Software Bluetooth\BTTray.exe
C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\WIDCOMM\SOFTWA~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
D:\WinApplicationSource\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33044B22-688E-EFFF-8249-EF9EAD84E13D} - C:\WINDOWS\olbbp1.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programmi\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programmi\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dbservices] scm -Silent 1 -Action 1 -Service mssqlserver
O4 - HKLM\..\Run: [niDevMon] C:\Programmi\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [oaes1.exe] C:\WINDOWS\Temp\oaes1.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Programmi\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [NBJ] "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ricercaremp3] C:\Documents and Settings\rafgri\Dati applicazioni\ricercaremp3.exe t
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PcSync] C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Startup: wkcalrem.LNK = C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\WIDCOMM\Software Bluetooth\btsendto_ie_ctx.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Innova-Isis (HKLM)
O9 - Extra 'Tools' menuitem: Innova-Isis (HKLM)
O9 - Extra button: Ricerche (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: ricercaremp3 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://domino.c-s-m.it/iNotes6W.cab
O16 - DPF: {A335EC30-2007-4F57-A0D1-4FDFCCA18B91} - http://td8eau9td.com/0f091bbb/50310/1/xp/FreeAccess.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3692723-4FFB-497E-B5B0-071CE2E1D0B6}: Domain = c-s-m.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3692723-4FFB-497E-B5B0-071CE2E1D0B6}: NameServer = 192.168.80.3,192.168.3.60

di **Luke57** » 27/10/06 10:10

Ciao, hai già utilizzato i due tools appositi?
http://www.pc-facile.com/forum/viewtopic.php?t=49816

di **filippo77** » 27/10/06 10:47

...no, in realtà purtroppo non ho usato il tool che mi segnali, ma la vecchia procedura per la rimozione del virus: era piuttosto articolata, e come ultimo passo essa prevedeva l'eliminazione di alcune chiavi di registro per mezzo di Avenger. Poiché non mi sento molto sicuro, ho postato il log di HijackThis per avere un parere su quali chiavi di preciso debbano essere eliminate...

Non ho usato il tool sia perchè non sapevo della sua uscita, sia perché, essendo arrivato in pratica alla fine della "vecchia procedura", credo che ormai non ce ce sia più bisogno. Soltanto chiedevo a voi se notavate chiavi "strane" da sopprimere con Avenger...

Grazie!!!

Ciao

di **Luke57** » 27/10/06 11:26

Ciao, verifichiamo con Gmer, scaricalo da qui (se non l'hai):
http://www.gmer.net/gmer111.zip
Dopo averlo scompattato, lo avvii, premendo il tab>>>> entri in Avanzate, selezioni il tab "Rootkit"
Clicca su "Scan" (spunta anche la casella ADS)

Attendi la fine della scansione e clicca su "Copy"
Apri il block notes di windows, clicca su modifica e seleziona incolla

Poi fai una scansione con GMer dalla posizione Autostart, con le stesse procedure del precedente. Incolli i due log in un post nel forum.

di **filippo77** » 27/10/06 15:25

OK...ecco i due log del GMER...il primo in realtà è un po' strano, ma comunque lo posto ugualmente.
Ciao e grazie!

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-27 16:08:54
Windows 5.1.2600 Service Pack 2

---- Processes - GMER 1.0.11 ----

Library C:\WINDOWS\olbbp1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\IEXPLORE.EXE [3284] 0x029A0000
Library C:\WINDOWS\olbbp1.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3708] 0x02BE0000

---- Files - GMER 1.0.11 ----

ADS ...
File C:\WINDOWS\olbbp1.dll
ADS ...

---- EOF - GMER 1.0.11 ----

GMER 1.0.11.11390 - http://www.gmer.net
Autostart 2006-10-27 16:09:27
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\:c_1000i.nls

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
btwdins /*Bluetooth Service*/@ = C:\Programmi\WIDCOMM\Software Bluetooth\bin\btwdins.exe
CalcolaPlanarita /*CalcolaPlanarita*/@ = C:\WRAPPE~1.1\bin\wrapper.exe -s C:\WRAPPE~1.1\conf\wrapper.conf
DispatcherMessage /*DispatcherMessage*/@ = C:\wrapper-windows-x86-32-3.2.1\bin\wrapper.exe -s C:\wrapper-windows-x86-32-3.2.1\conf\wrapper.conf
HCLInetd /*Hummingbird Inetd*/@ = C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe
Jconfigd /*Hummingbird Jconfig Daemon*/@ = C:\WINDOWS\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe
LkCitadelServer /*Lookout Citadel Server*/@ = C:\WINDOWS\system32\lkcitdl.exe
lkClassAds /*National Instruments PSP Server Locator*/@ = C:\WINDOWS\system32\lkads.exe
lkTimeSync /*National Instruments Time Synchronization*/@ = C:\WINDOWS\system32\lktsrv.exe
LogWatch /*Event Log Watch*/@ = C:\WINDOWS\LogWatNT.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
mxssvr /*NI Configuration Manager*/@ = "C:\Programmi\National Instruments\MAX\nimxs.exe"
NetYga /*NetYga*/@ = "C:\Programmi\File comuni\Microsoft Shared\iPtLG.exe"
NICitadel5Service /*National Instruments Citadel*/@ = C:\WINDOWS\system32\nicitdl5.exe
nidevldu@ = system32\nipalsm.exe
NIDomainService /*National Instruments Domain Service*/@ = "C:\Programmi\National Instruments\Shared\Security\nidmsrv.exe"
nipxirmu@ = system32\nipalsm.exe
niSvcLoc /*NI Service Locator*/@ = C:\WINDOWS\system32\nisvcloc.exe -s
NITaggerService /*National Instruments Variable Engine*/@ = "C:\Programmi\National Instruments\Shared\Tagger\tagsrv.exe"
SchedulerMessage /*SchedulerMessage*/@ = C:\WRAPPE~1.1\bin\wrapper.exe -s C:\WRAPPE~1.1\conf\wrapper.conf
SosSvrSvc.net /*SourceOffSite 4 Server*/@ = "C:\Programmi\SourceOffSite Server\SosService.exe"
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
WinDefend /*Windows Defender Service*/@ = "C:\Programmi\Windows Defender\MsMpEng.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SynTPLprC:\Programmi\Synaptics\SynTP\SynTPLpr.exe = C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
@SynTPEnhC:\Programmi\Synaptics\SynTP\SynTPEnh.exe = C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
@IgfxTrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe
@HotKeysCmdsC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@CpqsetC:\Programmi\HPQ\Default Settings\cpqset.exe ? ??? ???? ??B ? ??H<C ? ???? = C:\Programmi\HPQ\Default Settings\cpqset.exe ? ??? ???? ??B ? ??H<C ? ????
@eabconfg.cplC:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start /*file not found*/ = C:\Programmi\HPQ\Quick Launch Buttons\EabServr.exe /Start /*file not found*/
@UpdateManager"C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r = "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_05\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_05\bin\jusched.exe
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@iTunesHelper"C:\Programmi\iTunes\iTunesHelper.exe" = "C:\Programmi\iTunes\iTunesHelper.exe"
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@REGSHAVEC:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN = C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
@Acrobat Assistant 7.0"C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" = "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
@ /*file not found*/ = /*file not found*/
@Windows Defender"C:\Programmi\Windows Defender\MSASCui.exe" -hide = "C:\Programmi\Windows Defender\MSASCui.exe" -hide
@dbservicesscm -Silent 1 -Action 1 -Service mssqlserver /*file not found*/ = scm -Silent 1 -Action 1 -Service mssqlserver /*file not found*/
@niDevMonC:\Programmi\National Instruments\NI-DAQ\HWConfig\nidevmon.exe = C:\Programmi\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
@PCSuiteTrayApplicationC:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup = C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MsnMsgr"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background r = "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background r
@googletalk"C:\Programmi\Google\Google Talk\googletalk.exe" /autostart = "C:\Programmi\Google\Google Talk\googletalk.exe" /autostart
@NBJ"C:\Programmi\Ahead\Nero BackItUp\NBJ.exe" = "C:\Programmi\Ahead\Nero BackItUp\NBJ.exe"
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" = "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
@swgC:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe = C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
@ricercaremp3C:\Documents and Settings\rafgri\Dati applicazioni\ricercaremp3.exe t /*file not found*/ = C:\Documents and Settings\rafgri\Dati applicazioni\ricercaremp3.exe t /*file not found*/
@Skype"C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized = "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
@PcSyncC:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog /*file not found*/ = C:\Programmi\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@UPnPMonitor = C:\WINDOWS\system32\upnpui.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} = C:\PROGRA~1\WINDOW~4\MpShHook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/C:\Programmi\Synaptics\SynTP\SynTPCpl.dll = C:\Programmi\Synaptics\SynTP\SynTPCpl.dll
@{DEE12703-6333-4D4E-8F34-738C4DCC2E04} /*RecordNow! SendToExt*/C:\Programmi\Sonic\RecordNow!\shlext.dll = C:\Programmi\Sonic\RecordNow!\shlext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{DB8DC413-C0AA-11D0-9545-080009B1C2F3} /*Hummingbird Neighborhood*/C:\Programmi\Hummingbird\Connectivity\7.10\HostExplorer\Ftp\heshell.dll = C:\Programmi\Hummingbird\Connectivity\7.10\HostExplorer\Ftp\heshell.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Programmi\iTunes\iTunesMiniPlayer.dll = C:\Programmi\iTunes\iTunesMiniPlayer.dll
@{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974} /*EditPlus Context Menu Handler*/C:\Programmi\EditPlus 2\eppshell.dll = C:\Programmi\EditPlus 2\eppshell.dll
@{D9F81151-62CA-4858-B45E-82B3EC41A549} /*RExpCtxU*/(null) =
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@(null) =
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/C:\WINDOWS\system32\btneighborhood.dll = C:\WINDOWS\system32\btneighborhood.dll
@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Programmi\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll = C:\Programmi\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
@{792F0537-F929-4eb7-AC1D-FB6334C71550} /*LG Phone*/(null) =
@{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Periferiche Plug and Play universali*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
@{6B19FEC2-A45B-11CF-9045-00A0C9039735} /*Registered ActiveX Controls*/C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL = C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
@{D545EBD1-BD92-11CF-8772-00A0C9039735} /*Developer Studio Components*/C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL = C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll
@{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A} /*PhoneBrowser*/C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Programmi\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
EditPlus@{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974} = C:\Programmi\EditPlus 2\eppshell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{33044B22-688E-EFFF-8249-EF9EAD84E13D}C:\WINDOWS\olbbp1.dll = C:\WINDOWS\olbbp1.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar2.dll = c:\programmi\google\googletoolbar2.dll
@{AE7CD045-E861-484f-8273-0445EE161910}C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll = C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URL =
@Start Pageabout:blank = about:blank
@Local Page =

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URL =
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local Page =

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mctp@CLSID = C:\Programmi\Microsoft ActiveSync\aatp.dll /*file not found*/
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-help@CLSID = C:\Programmi\File comuni\Microsoft Shared\Help\hxds.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\msitss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll
widimg@CLSID = C:\WINDOWS\system32\btxppanel.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D3692723-4FFB-497E-B5B0-071CE2E1D0B6} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.129.73 = 192.168.129.73
@NameServer192.168.80.3,192.168.3.60 = 192.168.80.3,192.168.3.60
@DefaultGateway192.168.129.1 = 192.168.129.1
@Domainc-s-m.it = c-s-m.it

C:\Documents and Settings\rafgri\Menu Avvio\Programmi\Esecuzione automatica = wkcalrem.LNK

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Acrobat Speed Launcher.lnk = Adobe Acrobat Speed Launcher.lnk
BTTray.lnk = BTTray.lnk

---- EOF - GMER 1.0.11 ----

di **Luke57** » 27/10/06 21:34

Ciao, scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
scompatta il file.zip
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper\{33044B22-688E-EFFF-8249-EF9EAD84E13D}

Files to delete:
C:\WINDOWS\olbbp1.dll

Folders to delete:
C:\Windows\temp

Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente

Posta il log di Avenger (C:/avenger.txt) con l´esito dello script

Inoltre, apri hiajckthis, premi “open the misc tools section”, “open ADS spy….., nella nuova finestra togli la spunta a “Quick scan”, premi scan, se trovi il file:
C:\:c_1000i.nls
Lo evidenzi e premi “remove selected”

di **filippo77** » 30/10/06 09:25

...OK, tutto fatto!!! Posto il log di avenger. Non sono poi riuscito a trovare quel file che mi hai segnalato con HighjackThis...ma sarà forse per quello che all'avvio mi parte sempre un programma che si chiama "ricercaremp3.exe"?...mmmmmh...MAH!!! :undecided:

C'erano comunque queste chiavi "sospette": le ho eliminate:

O4 - HKCU\..\Run: [ricercaremp3] C:\Documents and Settings\rafgri\Dati applicazioni\ricercaremp3.exe t

O9 - Extra button: ricercaremp3 (HKLM)

Grazie di tutto, ciao!!!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ccxgbrbt

*******************

Script file located at: \??\C:\WINDOWS\system32\xacquety.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\olbbp1.dll deleted successfully.
Folder C:\Windows\temp deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper\{33044B22-688E-EFFF-8249-EF9EAD84E13D} not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper\{33044B22-688E-EFFF-8249-EF9EAD84E13D} failed!
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

Ancora linkoptimizer...un'occhiatina al log?

Ancora linkoptimizer...un'occhiatina al log?

Topic correlati a "Ancora linkoptimizer...un'occhiatina al log?":

Chi c’è in linea