|
|||||||
|
|
|
 |
|
|
Strumenti |
17-09-2006, 03:25
|
#121 | |
|
Junior Member
Iscritto dal: Sep 2006
Messaggi: 14
|
Quote:
Il mio OS: XP Home Ed. SP2, i miei drives: 2HD Fat32 Ripristino configurazione disattivato e java disinstallato Armada.exe loaded into memory ------------------------------------ Executing rootkit removal engine.... ------------------------------------ Disabling rootkit file: \\?\C:\WINDOWS\system32\com6.bvu \\?\C:\WINDOWS\system32\com6.bvu Resetting file permissions... Clearing attributes... Removing file... Rootkit removed! Cleaning up... Removing temp files... Scanning: C:\WINDOWS Gromozon-Related Malicious Code Detected! FileName: C:\WINDOWS\xlixg1.dll >>>Error: File C:\WINDOWS\xlixg1.dll could not be removed - it will be removed on the next reboot. Scanning: C:\Programmi\File comuni Trojan.Gromozon Removed! (adesso il log dice: Removal tool loaded into memory Gromozon rootkit component not detected - searching for other components Scanning: C:\WINDOWS Trojan.Gromozon does not exist - your system is clean.) ///////////////////////////////////////////////////////////////////////////////////// Successivamente ho rimosso con avenger C:\Programmi\File comuni\System\com5.exe ma Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed! Status: 0xc0000034. Ho provato ad immettere a mano la stringa ...\CurrentVersion\Windows|AppInit_DLLs e ci riuscivo, ma, al riavvio, trovavo al suo posto il NOME "Rootkit_File" (Replicato più volte) DUBBIO: è il rotkit che mi fa fesso o e MaAfee che "pulisce"? Ho eliminato l'utente strano e connessi (cartelle servizi voci nel registro)MANUALMENTE. Gmer (credo!) è ok, ma, se scelgo show all (non posso postarlo: è enorme) mi seppellisce di Rootkit (gli SSDT ed i servizi SENZA files da eseguire) ecco un PICCOLO estratto GMER 1.0.10.10122 - http://www.gmer.net Rootkit 2006-09-17 02:12:24 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.10 ---- SSDT sptd.sys ZwCreateKey <-- ROOTKIT !!! SSDT sptd.sys ZwEnumerateKey <-- ROOTKIT !!! SSDT sptd.sys ZwEnumerateValueKey <-- ROOTKIT !!! SSDT sptd.sys ZwOpenKey <-- ROOTKIT !!! SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwOpenProcess <-- ROOTKIT !!! SSDT sptd.sys ZwQueryKey <-- ROOTKIT !!! SSDT sptd.sys ZwQueryValueKey <-- ROOTKIT !!! SSDT sptd.sys ZwSetValueKey <-- ROOTKIT !!! SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess <-- ROOTKIT !!! ---- Services - GMER 1.0.10 ---- Service [DISABLED] Abiosdsk <-- ROOTKIT !!! Service [DISABLED] abp480n5 <-- ROOTKIT !!! Service [DISABLED] ACPIEC <-- ROOTKIT !!! Service [DISABLED] adpu160m <-- ROOTKIT !!! Service [DISABLED] Aha154x <-- ROOTKIT !!! Service [DISABLED] aic78u2 <-- ROOTKIT !!! Service [DISABLED] aic78xx <-- ROOTKIT !!! Service [DISABLED] AliIde <-- ROOTKIT !!! Service [DISABLED] amsint <-- ROOTKIT !!! Service [DISABLED] asc <-- ROOTKIT !!! Service [DISABLED] asc3350p <-- ROOTKIT !!! Service [DISABLED] asc3550 <-- ROOTKIT !!! Service [DISABLED] Atdisk <-- ROOTKIT !!! Service [SYSTEM] Beep <-- ROOTKIT !!! Service [DISABLED] cbidf2k <-- ROOTKIT !!! Service [DISABLED] cd20xrnt <-- ROOTKIT !!! Service [SYSTEM] Cdaudio <-- ROOTKIT !!! Service [DISABLED] Cdfs <-- ROOTKIT !!! Service [SYSTEM] Changer <-- ROOTKIT !!! Service [DISABLED] CmdIde <-- ROOTKIT !!! Service [DISABLED] Cpqarray <-- ROOTKIT !!! Service [DISABLED] dac2w2k <-- ROOTKIT !!! Service [DISABLED] dac960nt <-- ROOTKIT !!! Service [DISABLED] dpti2o <-- ROOTKIT !!! Service [DISABLED] Fastfat <-- ROOTKIT !!! Service [SYSTEM] FileDisk <-- ROOTKIT !!! Service [SYSTEM] Fips <-- ROOTKIT !!! Service [SYSTEM] Fs_Rec <-- ROOTKIT !!! Service [DISABLED] hpn <-- ROOTKIT !!! Service [SYSTEM] i2omgmt <-- ROOTKIT !!! Service [DISABLED] i2omp <-- ROOTKIT !!! Service [SYSTEM] InCDrec <-- ROOTKIT !!! Service [DISABLED] ini910u <-- ROOTKIT !!! Service [DISABLED] IntelIde <-- ROOTKIT !!! Service [BOOT] KSecDD <-- ROOTKIT !!! Service [SYSTEM] lbrtfdc <-- ROOTKIT !!! Service [SYSTEM] mnmdd <-- ROOTKIT !!! Service [MANUAL] Modem <-- ROOTKIT !!! Service [BOOT] MountMgr <-- ROOTKIT !!! Service [DISABLED] mraid35x <-- ROOTKIT !!! Service [SYSTEM] Msfs <-- ROOTKIT !!! Service [BOOT] Mup <-- ROOTKIT !!! Service [BOOT] NDIS <-- ROOTKIT !!! Service [MANUAL] NDProxy <-- ROOTKIT !!! Service [SYSTEM] Npfs <-- ROOTKIT !!! Service [DISABLED] Ntfs <-- ROOTKIT !!! Service [SYSTEM] Null <-- ROOTKIT !!! Service [BOOT] PartMgr <-- ROOTKIT !!! Service [AUTO] ParVdm <-- ROOTKIT !!! Service [SYSTEM] PCIDump <-- ROOTKIT !!! Service [DISABLED] PCIIde <-- ROOTKIT !!! Service [DISABLED] Pcmcia <-- ROOTKIT !!! Service [MANUAL] PDCOMP <-- ROOTKIT !!! Service [MANUAL] PDFRAME <-- ROOTKIT !!! Service [MANUAL] PDRELI <-- ROOTKIT !!! Service [MANUAL] PDRFRAME <-- ROOTKIT !!! Service [DISABLED] perc2 <-- ROOTKIT !!! Service [DISABLED] perc2hib <-- ROOTKIT !!! Service [DISABLED] ql1080 <-- ROOTKIT !!! Service [DISABLED] Ql10wnt <-- ROOTKIT !!! Service [DISABLED] ql12160 <-- ROOTKIT !!! Service [DISABLED] ql1240 <-- ROOTKIT !!! Service [DISABLED] ql1280 <-- ROOTKIT !!! Service [MANUAL] RDPWD <-- ROOTKIT !!! Service [SYSTEM] Sfloppy <-- ROOTKIT !!! Service [DISABLED] Simbad <-- ROOTKIT !!! Service [DISABLED] Sparrow <-- ROOTKIT !!! Service [DISABLED] sym_hi <-- ROOTKIT !!! Service [DISABLED] sym_u3 <-- ROOTKIT !!! Service [DISABLED] symc810 <-- ROOTKIT !!! Service [DISABLED] symc8xx <-- ROOTKIT !!! Service [MANUAL] TDPIPE <-- ROOTKIT !!! Service [MANUAL] TDTCP <-- ROOTKIT !!! Service [DISABLED] TosIde <-- ROOTKIT !!! Service [DISABLED] Udfs <-- ROOTKIT !!! Service [DISABLED] ultra <-- ROOTKIT !!! Service [BOOT] VolSnap <-- ROOTKIT !!! Service [MANUAL] WDICA <-- ROOTKIT !!! Service [MANUAL] Winsock <-- ROOTKIT !!! Capita anche a voi? Avete anche voi TANTI servizi VUOTI? NON posso eseguire Regmon (already running on this system) NON posso eseguire il tool Sophos Sophos Anti-Rootkit Version 1.0 (c) 2006 Sophos Plc Started logging on 17/09/2006 at 2.46.01 Warning: Failed to set privilege SeDebugPrivilege. You may not have sufficient access rights. Non tutti i privilegi menzionati sono assegnati al chiamante. Warning: Could not initialize Toolhelp. Please restart and try again. Accesso negato. Stopped logging on 17/09/2006 at 2.46.01 Ho letto di NTRights, ma non so se è bene usarlo adesso (il PC è pulito?) e come (su quali voci) OK Avenger, GMER, RootkitRevealer. RootkitRevealer. HKLM\S-1-5-21-481920901-3577517646-4231418846-1005\RemoteAccess\InternetProfile 21/02/2006 23.25 5 bytes Data mismatch between Windows API and raw hive data. HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg 05/09/2006 5.14 0 bytes Access is denied. Seguono i due GMER GMER 1.0.10.10122 - http://www.gmer.net Autostart 2006-09-16 16:32:41 Windows 5.1.2600 Service Pack 2 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe, HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>> AtiExtEvent@DLLName = Ati2evxx.dll WgaLogon@DLLName = WgaLogon.dll HKLM\SYSTEM\CurrentControlSet\Services\ >>> Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Programmi\ewido anti-spyware 4.0\guard.exe Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe InCDsrv /*InCD Helper*/@ = C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe LexBceS /*LexBce Server*/@ = C:\WINDOWS\system32\LEXBCES.EXE McDetect.exe /*McAfee WSC Integration*/@ = c:\programmi\mcafee.com\agent\mcdetect.exe McShield /*McAfee.com McShield*/@ = c:\PROGRA~1\mcafee.com\vso\mcshield.exe McTskshd.exe /*McAfee Task Scheduler*/@ = c:\PROGRA~1\mcafee.com\agent\mctskshd.exe MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe" MpfService /*McAfee Personal Firewall Service*/@ = C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys SDhelper /*PC Tools Spyware Doctor*/@ = C:\Programmi\Spyware Doctor\sdhelp.exe SimpTcp /*Servizi semplici TCP/IP*/@ = %SystemRoot%\System32\tcpsvcs.exe Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe StarWindService /*StarWind iSCSI Service*/@ = C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>> @CARPServicecarpserv.exe = carpserv.exe @ATIPTAC:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe @Lexmark X5100 Series"C:\Programmi\Lexmark X5100 Series\lxbabmgr.exe" = "C:\Programmi\Lexmark X5100 Series\lxbabmgr.exe" @Nokia Tray ApplicationC:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe = C:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe @VSOCheckTask"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask = "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask @VirusScan OnlineC:\Programmi\McAfee.com\VSO\mcvsshld.exe = C:\Programmi\McAfee.com\VSO\mcvsshld.exe @MCAgentExec:\PROGRA~1\mcafee.com\agent\mcagent.exe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe @MCUpdateExec:\PROGRA~1\mcafee.com\agent\mcupdate.exe = c:\PROGRA~1\mcafee.com\agent\mcupdate.exe @MPFExeC:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE = C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE @WinampAgentC:\Programmi\Winamp\winampa.exe = C:\Programmi\Winamp\winampa.exe @Adobe Photo Downloader"C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" = "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" @NWEReboot /*file not found*/ = /*file not found*/ @NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe @InCDC:\Programmi\Nero\Nero 7\InCD\InCD.exe = C:\Programmi\Nero\Nero 7\InCD\InCD.exe @Acrobat Assistant 7.0"C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" = "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" @ISUSPM StartupC:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup = C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup @ISUSScheduler"C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start = "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start @DAEMON Tools"C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033 = "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033 @OASClntC:\Programmi\McAfee.com\VSO\oasclnt.exe = C:\Programmi\McAfee.com\VSO\oasclnt.exe @iTunesHelper"C:\Programmi\iTunes\iTunesHelper.exe" = "C:\Programmi\iTunes\iTunesHelper.exe" @QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime @LexPPS.exeC:\WINDOWS\system32\lexpps.exe = C:\WINDOWS\system32\lexpps.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>> @H/PC Connection Agent"C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE" = "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE" @BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" = "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" @ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe @Spyware Doctor"C:\Programmi\Spyware Doctor\swdoctor.exe" /Q = "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@UPnPMonitor = C:\WINDOWS\system32\upnpui.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>> @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/ @{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) = @{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Periferiche Plug and Play universali*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll @{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL @{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll @{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll @{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll @{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL @{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL @{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll @{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL @{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL @{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL @{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL @{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll @InCDShellExt extension /*{CAE3251E-9B15-4810-B268-852AD9792A59}*/(null) = @{acb4a560-3606-11d3-aef4-00104bd0f92d} /*KodakShellExtension*/C:\Programmi\File comuni\Kodak\ifscore\KodakShX.dll = C:\Programmi\File comuni\Kodak\ifscore\KodakShX.dll @{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll @{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll @{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Programmi\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll = C:\Programmi\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll @{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll @{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Programmi\iTunes\iTunesMiniPlayer.dll = C:\Programmi\iTunes\iTunesMiniPlayer.dll HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>> Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Programmi\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL HKLM\Software\Classes\*\shellex\ContextMenuHandlers >>> @{CFC7205E-2792-4378-9591-3879CC6C9022}c:\progra~1\mcafee.com\vso\mcvsshl.dll = c:\progra~1\mcafee.com\vso\mcvsshl.dll @{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>> ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>> WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers >>> @{CFC7205E-2792-4378-9591-3879CC6C9022}c:\progra~1\mcafee.com\vso\mcvsshl.dll = c:\progra~1\mcafee.com\vso\mcvsshl.dll @{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>> @{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll @{31FF080D-12A3-439A-A2EF-4BA95A3148E8}C:\Programmi\GetRight\xx2gr.dll = C:\Programmi\GetRight\xx2gr.dll @{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll = C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll @{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar2.dll = c:\programmi\google\googletoolbar2.dll @{AE7CD045-E861-484f-8273-0445EE161910}C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll = C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll @{B56A7D7D-6927-48C8-A975-17DF180C71AC}C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\scrnsave.scr HKLM\Software\Microsoft\Internet Explorer\Main >>> @Default_Page_URLhttp://www.wooow.it = http://www.wooow.it @Start Page = @Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm HKCU\Software\Microsoft\Internet Explorer\Main >>> @Start Pagehttp://www.wooow.it/ = http://www.wooow.it/ @Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL HKLM\Software\Classes\PROTOCOLS\Handler\ >>> dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll its@CLSID = C:\WINDOWS\System32\itss.dll mctp@CLSID = C:\Programmi\Microsoft ActiveSync\aatp.dll mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll ms-its@CLSID = C:\WINDOWS\System32\itss.dll ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\msitss.dll mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL tv@CLSID = C:\WINDOWS\system32\msvidctl.dll wia@CLSID = C:\WINDOWS\System32\wiascr.dll HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{70E801FD-19EB-4F19-B1A1-CB9F05DF7698} /*Rete Firewire*/ >>> @IPAddress192.168.0.1 = 192.168.0.1 @NameServer = @DefaultGateway = @Domain = C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>> Kodak software updater.lnk = Kodak software updater.lnk WinZip Quick Pick.lnk = WinZip Quick Pick.lnk Kodak EasyShare software.lnk = Kodak EasyShare software.lnk Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk Alice ti aiuta.lnk = Alice ti aiuta.lnk Adobe Acrobat Speed Launcher.lnk = Adobe Acrobat Speed Launcher.lnk ---- EOF - GMER 1.0.10 ---- GMER 1.0.10.10122 - http://www.gmer.net Rootkit 2006-09-16 16:19:53 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.10 ---- SSDT sptd.sys ZwCreateKey SSDT sptd.sys ZwEnumerateKey SSDT sptd.sys ZwEnumerateValueKey SSDT sptd.sys ZwOpenKey SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwOpenProcess SSDT sptd.sys ZwQueryKey SSDT sptd.sys ZwQueryValueKey SSDT sptd.sys ZwSetValueKey SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess ---- Devices - GMER 1.0.10 ---- Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 82F9DC78 Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 82F9EA40 Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 82F9EA40 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82D080E8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSEIRP_MJ_READ 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 82CB96A8 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_PNP 82CB96A8 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 82D080E8 Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 82D080E8 Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE 82D080E8 Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE 82D080E8 Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CREATE 82D080E8 Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 82C72350 Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_CREATE 82D080E8 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_CREATE 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_CREATE_NAMED_PIPE 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_CLOSEIRP_MJ_READ 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_WRITE 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_QUERY_INFORMATION 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_SET_INFORMATION 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_QUERY_EA 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_SET_EA 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_FLUSH_BUFFERS 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_QUERY_VOLUME_INFORMATION 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_SET_VOLUME_INFORMATION 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_DIRECTORY_CONTROL 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_FILE_SYSTEM_CONTROL 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_DEVICE_CONTROL 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_INTERNAL_DEVICE_CONTROL 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_SHUTDOWN 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_LOCK_CONTROL 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_CLEANUP 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_CREATE_MAILSLOT 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_QUERY_SECURITY 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_SET_SECURITY 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_POWER 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_SYSTEM_CONTROL 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_DEVICE_CHANGE 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_QUERY_QUOTA 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_SET_QUOTA 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_PNP 82CD1B88 Device \FileSystem\InCDFs \Device\InCDFsComm IRP_MJ_PNP_POWER 82CD1B88 Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 82C72350 Device \Driver\00000052 \Device\0000004d IRP_MJ_SYSTEM_CONTROL [F8550EA8] sptd.sys Device \Driver\00000052 \Device\0000004d IRP_MJ_DEVICE_CHANGE [F8564A70] sptd.sys Device \Driver\00000052 \Device\0000004d IRP_MJ_PNP_POWER [F855D728] sptd.sys Device \Driver\00000052 \Device\0000004e IRP_MJ_SYSTEM_CONTROL [F8550EA8] sptd.sys Device \Driver\00000052 \Device\0000004e IRP_MJ_DEVICE_CHANGE [F8564A70] sptd.sys Device \Driver\00000052 \Device\0000004e IRP_MJ_PNP_POWER [F855D728] sptd.sys Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 82F9DEB0 Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_CREATE 82F9DEB0 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSEIRP_MJ_READ 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 82C04350 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP_POWER 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSEIRP_MJ_READ 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 82C04350 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP_POWER 82C04350 Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 82D1AA28 Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 82D1AA28 Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSEIRP_MJ_READ 82D1AA28 Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 82D1AA28 Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 82D1AA28 Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 82D1AA28 Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_EA 82D1AA28 Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 82F9EA40 Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 82CA2BA8 Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_CREATE 82D70908 Device \Driver\imagedrv \Device\Scsi\imagedrv1Port2Path0Target1Lun0 IRP_MJ_CREATE 82F9D0E8 Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_CREATE 82D70908 Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target1Lun0 IRP_MJ_CREATE 82A680E8 Device \Driver\imagedrv \Device\Scsi\imagedrv1Port2Path0Target0Lun0 IRP_MJ_CREATE 82F9D0E8 Device \Driver\imagedrv \Device\Scsi\imagedrv1 IRP_MJ_CREATE 82F9D0E8 Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 IRP_MJ_CREATE 82A680E8 Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 82A680E8 Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 82F9DC78 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_CREATE 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_CREATE_NAMED_PIPE 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_CLOSEIRP_MJ_READ 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_WRITE 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_QUERY_INFORMATION 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_SET_INFORMATION 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_QUERY_EA 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_SET_EA 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_FLUSH_BUFFERS 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_QUERY_VOLUME_INFORMATION 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_SET_VOLUME_INFORMATION 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_DIRECTORY_CONTROL 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_FILE_SYSTEM_CONTROL 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_DEVICE_CONTROL 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_INTERNAL_DEVICE_CONTROL 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_SHUTDOWN 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_LOCK_CONTROL 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_CLEANUP 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_CREATE_MAILSLOT 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_QUERY_SECURITY 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_SET_SECURITY 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_POWER 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_SYSTEM_CONTROL 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_DEVICE_CHANGE 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_QUERY_QUOTA 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_SET_QUOTA 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_PNP 82CD1B88 Device \FileSystem\InCDFs \GLOBAL??\BsUDF IRP_MJ_PNP_POWER 82CD1B88 Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 82C05350 ---- EOF - GMER 1.0.10 ---- ed ecco HJT Logfile of HijackThis v1.99.1 Scan saved at 23.26.11, on 16/09/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\Programmi\ewido anti-spyware 4.0\guard.exe c:\programmi\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe C:\Programmi\Spyware Doctor\sdhelp.exe C:\WINDOWS\System32\tcpsvcs.exe C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\fxssvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\carpserv.exe C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe C:\Programmi\McAfee.com\VSO\mcvsshld.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe C:\Programmi\McAfee.com\VSO\oasclnt.exe C:\Programmi\iTunes\iTunesHelper.exe C:\Programmi\QuickTime\qttask.exe C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe C:\Programmi\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe C:\Programmi\iPod\bin\iPodService.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\PROGRA~1\FILECO~1\Nokia\Services\SERVIC~1.EXE C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE C:\PROGRA~1\MSNGAM~1\Windows\zclientm.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\Explorer.EXE C:\hijackthis\Ried.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooow.it/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wooow.it R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti R3 - Default URLSearchHook is missing O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programmi\GetRight\xx2gr.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\Programmi\TextAloud\TAForIE.dll O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Programmi\Lexmark X5100 Series\lxbabmgr.exe" O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programmi\File comuni\Nokia\NCLTools\NclTray.exe O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Programmi\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Programmi\Nero\Nero 7\InCD\InCD.exe O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programmi\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programmi\File comuni\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [OASClnt] C:\Programmi\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q O4 - Global Startup: Kodak software updater.lnk = C:\Programmi\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE O4 - Global Startup: Kodak EasyShare software.lnk = C:\Programmi\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\programmi\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\programmi\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programmi\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Download with GetRight Pro - C:\Programmi\GetRight\GRdownload.htm O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Programmi\GetRight\GRbrowse.htm O8 - Extra context menu item: Similar Pages - res://c:\programmi\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\programmi\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\inetrepl.dll O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\inetrepl.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.wooow.it O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (PIXACO Drag and Drop upload plugin) - http://www.pixaco.it/static/download...odndupload.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {5B461C2E-763A-4F47-9809-55827667E821} (MGDomConnector Class) - http://www.vestelitaly.it/Magic93Scripts/MGBCCOM9.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} (PowerPlayer Control) - http://download.ppstream.com/bin/powerplayer.cab O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bi...datePortal.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1129414846250 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/sh...,2/mcmysec.cab O16 - DPF: {E61135DF-716D-49A7-B29B-8287A1CD072C} (WidelookX Control) - http://quattroruote.immanens.com/it/.../widelookX.cab O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager...etOpPlugin.ocx O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...51/mcfscan.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\programmi\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programmi\Spyware Doctor\sdhelp.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe PRECISO: NON ho (credo) files o cartelle strani vado LENTO e tendo ad avere processi che crescono la connessione mi sembra CONDIVISA ed in TaskManager non visualizzo i Byte in uscita sulla scheda ethernet, mentre li vedi sulla scheda adsl. Come si vede da HJT ho gia fatto online con successo i vari bitdefender e kaspersky. Spero di aver messo tutto, ed attendo risposte. Grazie a tutti Che devo fare  ?Ancora saluti (e scusate se ho sbagliato  qualcosa, ma è tardi e nelle ore e giornate precedenti ho combattuto con l'acqua che il Buon Dio ha scaraventato in terra)
Ultima modifica di gianninicp : 17-09-2006 alle 03:34. Motivo: ripristino configurazione e java |
|
|
|
|
17-09-2006, 08:46
|
#122 | |
|
Senior Member
Iscritto dal: Jun 2003
Città: ..By The Sea..
Messaggi: 564
|
Quote:
__________________
Without Contraries is no Progression... |
|
|
|
|
|
17-09-2006, 09:16
|
#123 |
|
Senior Member
Iscritto dal: Jun 2003
Città: ..By The Sea..
Messaggi: 564
|
@ giannicp
dai log non noto niente di strano, sembra tutto a posto.. la maggior parte delle voci sono di daemon tools, e di altri programmi legittimi. Potrebbe anche essermi sfuggito qualcosa  comunque lo guarderanno anche altri dal momento che è qua.Per rimettere il debug privilege esegui secpol.msc, cerca assegnazione diritti utenti, e nella voce che riguarda il debug aggiungi gli utenti a cui vuoi assegnare tale privilegio.
__________________
Without Contraries is no Progression... |
|
|
|
|
17-09-2006, 12:01
|
#124 | |
|
Junior Member
Iscritto dal: Sep 2006
Messaggi: 14
|
Quote:
 secpol.msc non esiste! (XP Home Edition SP2)Anche da mmc non trovo "Criteri di protezione locali". E' da un po' che sapevo di questa assenza, ma pensavo  che fosse una carenza di sistema (presente SOLO in XP Pro). Fà parte delle conseguenze dei diritti "abbassati"? Devo mettere mano all'installazione di componenti di Windows? E l'impossibilità a lanciare Regmon? E l'impossibilità ad impostare una nuova HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs? E tutti i rootkit in GMER?Soluzioni?   Saluti e buona Domenica (almeno a voi )
Ultima modifica di gianninicp : 17-09-2006 alle 12:08. |
|
|
|
|
|
17-09-2006, 12:13
|
#125 |
|
Member
Iscritto dal: Jul 2006
Messaggi: 38
|
facendo una scansione online con norton mi sono stati rilevati un trojan.linkoptimizer e due downloader.trojan.
ho provveduto a eliminare tutti i file infetti, ho scaricato e seguito le procedure per eliminare gromozon (che aveva creato un utente)...ho fatto di tutto, ora gli antivirus dicono che il mio pc è ok, che non ci sono virus, ma il pc non va ancora bene, è ancora lentissimo e la funzione "trova" non va , appena inizio la ricerca "non risponde". non so più cosa fare e non sono un'esperta di informatica. ho passato hijackthis e gmer (rootkit e autostart) e questi sono i risultati: hijackthis Logfile of HijackThis v1.99.1 Scan saved at 19.04.56, on 15/09/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe C:\Programmi\Alwil Software\Avast4\ashServ.exe C:\Programmi\Synaptics\SynTP\SynTPLpr.exe C:\Programmi\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\VTtrayp.exe C:\WINDOWS\system32\VTTimer.exe C:\Apps\Powercinema\PCMService.exe C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\cisvc.exe C:\Programmi\QuickTime\qttask.exe C:\VEXPLITE\MONLITE.EXE C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe C:\Programmi\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\system32\slserv.exe C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\VEXPLITE\viritsvc.exe C:\Programmi\FreeLan 802.11g Wireless 125 Mbps USB 2.0 Adapter\WlanUtl.exe C:\Programmi\Avast Alwil Software\Avast4\ashMaiSv.exe C:\Programmi\Avast Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\svchost.exe C:\Programmi\Mozilla Firefox\firefox.exe C:\DOCUME~1\manuvola\IMPOST~1\Temp\Directory temporanea 1 per hijackthis.zip\HijackThis.exe C:\DOCUME~1\manuvola\IMPOST~1\Temp\Directory temporanea 2 per hijackthis.zip\HijackThis.exe C:\Programmi\ewido anti-spyware 4.0\ewido.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-b...&key=SEARCH R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\it.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti O1 - Hosts: 200.73.174.154 STORAGE.HOSTANCE.NET O1 - Hosts: 200.73.174.154 STORAGE-TASP.COM O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: PBITV2 - {4E7BD74F-2B8D-469E-A0E8-EB65B685FA7D} - C:\WINDOWS\system32\pbitv2.dll (file missing) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: FreeLan 802.11g WLAN Utility.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Programmi\IrfanView\Ebay\Ebay.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\it.htm O15 - Trusted Zone: *.energy-factor.com O15 - Trusted Zone: *.hardcorefantasyland.com O15 - Trusted Zone: *.hardfootballbabes.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...amp;clcid=0x409 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res...can8/oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...b?1158184263015 O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab O20 - AppInit_DLLs: prova.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Avast Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Avast Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing) O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe questo invece è gmer rootkit GMER 1.0.10.10122 - http://www.gmer.net Rootkit 2006-09-16 11:42:29 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.10 ---- SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwOpenProcess SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess ---- Devices - GMER 1.0.10 ---- Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE EF987C8A ---- Files - GMER 1.0.10 ---- File C:\System Volume Information\catalog.wci File C:\System Volume Information\MountPointManagerRemoteDatabase File C:\System Volume Information\tracking.log File C:\System Volume Information\_restore{98DF0744-E9D0-4D5D-BAFF-085C137ADB1B} ---- EOF - GMER 1.0.10 ---- autostart GMER 1.0.10.10122 - http://www.gmer.net Autostart 2006-09-16 11:43:33 Windows 5.1.2600 Service Pack 2 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 HKLM\Software\Microsoft\Windows NT\CurrentVersion\ >>> Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe, Windows@AppInit_DLLs = prova.dll HKLM\SYSTEM\CurrentControlSet\Services\ >>> aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe" avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe" avast! Mail Scanner /*avast! Mail Scanner*/@ = "C:\Programmi\Avast Alwil Software\Avast4\ashMaiSv.exe" /service avast! Web Scanner /*avast! Web Scanner*/@ = "C:\Programmi\Avast Alwil Software\Avast4\ashWebSv.exe" /service C-DillaSrv /*C-DillaSrv*/@ = C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE CiSvc /*Servizio di indicizzazione*/@ = %SystemRoot%\system32\cisvc.exe ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Programmi\ewido anti-spyware 4.0\guard.exe SLService /*SmartLinkService*/@ = slserv.exe Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>> @PHIME2002ASyncC:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC @PHIME2002AC:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName @SynTPLprC:\Programmi\Synaptics\SynTP\SynTPLpr.exe = C:\Programmi\Synaptics\SynTP\SynTPLpr.exe @SynTPEnhC:\Programmi\Synaptics\SynTP\SynTPEnh.exe = C:\Programmi\Synaptics\SynTP\SynTPEnh.exe @VTTraypVTtrayp.exe = VTtrayp.exe @VTTimerVTTimer.exe = VTTimer.exe @PCMService"c:\Apps\Powercinema\PCMService.exe" = "c:\Apps\Powercinema\PCMService.exe" @TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot @avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe @QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime @UserFaultCheck%systemroot%\system32\dumprep 0 -u = %systemroot%\system32\dumprep 0 -u @VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE @SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_06\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe RunOnceEx@ = /*file not found*/ HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run@1 = C:\WINDOWS\service32.exe /*file not found*/ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>> @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/ @{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll @{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll @{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) = @{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll @{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/C:\Programmi\Synaptics\SynTP\SynTPCpl.dll = C:\Programmi\Synaptics\SynTP\SynTPCpl.dll @{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll @{DEE12703-6333-4D4E-8F34-738C4DCC2E04} /*RecordNow! SendToExt*/C:\Apps\RecordNow\shlext.dll = C:\Apps\RecordNow\shlext.dll @{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL @{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL @{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL @{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll @{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll @{acb4a560-3606-11d3-aef4-00104bd0f92d} /*KodakShellExtension*/C:\Programmi\File comuni\Kodak\ifscore\KodakShX.dll = C:\Programmi\File comuni\Kodak\ifscore\KodakShX.dll @{23170F69-40C1-278A-1000-000100020000} /*7-Zip Shell Extension*/C:\Programmi\7-Zip\7-zip.dll = C:\Programmi\7-Zip\7-zip.dll HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>> 7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zip.dll avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>> 7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zip.dll ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>> @{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll @{4E7BD74F-2B8D-469E-A0E8-EB65B685FA7D}C:\WINDOWS\system32\pbitv2.dll /*file not found*/ = C:\WINDOWS\system32\pbitv2.dll /*file not found*/ @{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\logon.scr HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\ >>> .fpx@Location = C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll /*file not found*/ .ivr@Location = C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll /*file not found*/ HKLM\Software\Microsoft\Internet Explorer\Main >>> @Default_Page_URLfile://C:\APPS\IE\offline\it.htm = file://C:\APPS\IE\offline\it.htm @Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home @Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm HKCU\Software\Microsoft\Internet Explorer\Main >>> @Start Pageabout :blank = about :blank @Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL HKLM\Software\Classes\PROTOCOLS\Handler\ >>> dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll its@CLSID = C:\WINDOWS\system32\itss.dll mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll ms-its@CLSID = C:\WINDOWS\system32\itss.dll mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL tv@CLSID = C:\WINDOWS\system32\msvidctl.dll HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>> Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk FreeLan 802.11g WLAN Utility.lnk = FreeLan 802.11g WLAN Utility.lnk ---- EOF - GMER 1.0.10 ---- |
|
|
|
|
17-09-2006, 12:47
|
#126 | |
|
Senior Member
Iscritto dal: Apr 2002
Città: Versilia
Messaggi: 4991
|
Quote:
__________________
Tornerò indietro.
 |
|
|
|
|
|
17-09-2006, 12:48
|
#127 |
|
Senior Member
Iscritto dal: Apr 2002
Città: Versilia
Messaggi: 4991
|
Non riesco a avviare il tool di rimozione F-Secure, perchè mi dice che c'è qualcosa che lo blocca.
__________________
Tornerò indietro.
|
|
|
|
|
17-09-2006, 12:50
|
#128 | |
|
Senior Member
Iscritto dal: Apr 2002
Città: Versilia
Messaggi: 4991
|
Quote:
Provo a cancellarlo e faccio sapere ..... del \.\\C:\windows\system32\com5.vlb ESITO NEGATIVO non si cancella. Avenger dove si scarica? http://swandog46.geekstogo.com/avenger.zip PS: inoltre in installazione ho la voce ConnectionServices..... lo conoscete vero?
__________________
Tornerò indietro.
Ultima modifica di groot : 17-09-2006 alle 13:11. |
|
|
|
|
|
17-09-2006, 12:55
|
#129 | |
|
Senior Member
Iscritto dal: Jun 2003
Città: ..By The Sea..
Messaggi: 564
|
Quote:
Fai pure così allora: ntrights.exe -u tuonomeutente +r SeDebugPrivilege Gmer definisce quei servizi rootkit su tutti i pc. La questione della chiave non me la so spiegare, potrebbe essere l'antivirus, ma la cosa va approfondita, magari cercando su google. Perchè dal resto non si evince altro che possa causare quel comportamento. Il problema di regmon potrebbe essere dovuto al debug privilege, anche se dal messaggio di errore restituito non sembrerebbe. Casomai riavvia dopo aver settato il debug privilege.
__________________
Without Contraries is no Progression... |
|
|
|
|
|
17-09-2006, 12:59
|
#130 | |
|
Senior Member
Iscritto dal: Jun 2003
Città: ..By The Sea..
Messaggi: 564
|
Quote:
utilizzano il servizio stesso per creare i nuovi servizi col nome diverso ad ogni riavvio.Cmq vediamo meglio: vai dentro file comuni\services \microsoft shared e \system e guarda quanti nomi casuali (magari anche verdi se utilizzi NTFS) hai.. prova a cancellarli direttamente e vedi quanti non si riescono a cancellare..
__________________
Without Contraries is no Progression... |
|
|
|
|
|
17-09-2006, 13:13
|
#131 | |
|
Senior Member
Iscritto dal: Apr 2002
Città: Versilia
Messaggi: 4991
|
Quote:
il percorso completo delle directori? si è una variante, anche cattiva.  download http://www.nod32.it/cgi-bin/mapdl.pl?tool=Agent.VP Per rimozione file com5.vlb Riuscita. Sto piano piano togliendo tutto, ma è veramente infettato questo pc... ora ho da eliminare connectionServices....  grazie.
__________________
Tornerò indietro.
Ultima modifica di groot : 17-09-2006 alle 13:34. |
|
|
|
|
|
17-09-2006, 13:30
|
#132 | |
|
Senior Member
Iscritto dal: Jun 2003
Città: ..By The Sea..
Messaggi: 564
|
Quote:
O2 - BHO: PBITV2 - {4E7BD74F-2B8D-469E-A0E8-EB65B685FA7D} - C:\WINDOWS\system32\pbitv2.dll (file missing) O1 - Hosts: 200.73.174.154 STORAGE.HOSTANCE.NET O1 - Hosts: 200.73.174.154 STORAGE-TASP.COM O15 - Trusted Zone: *.energy-factor.com O15 - Trusted Zone: *.hardcorefantasyland.com O15 - Trusted Zone: *.hardfootballbabes.com Per quanto riguarda il rallentamento, non è che magari ultimamente hai installato più antivirus contemporaneamente? Hai sempre utilizzato ewido avast e virit e il pc andava bene? Prova.dll ce lo hai messo tu in appinit? Infine per quanto riguarda la funzione trova, (ti riferisci a quella dello start menu? immagino), non saprei cosa dirti al momento. Si blocca cercando file sul computer locale e poi non si sblocca più? Devi usare ctrl alt canc?
__________________
Without Contraries is no Progression... |
|
|
|
|
|
17-09-2006, 13:36
|
#133 |
|
Senior Member
Iscritto dal: Apr 2002
Città: Versilia
Messaggi: 4991
|
Per far partire BLACKLIGHT ROOTKIT Elimnator, della F.Secure ho utilizzato Look2me.destroyer.
ora parte anche il tool beta della F.secure http://www.f-secure.com/blacklight
__________________
Tornerò indietro.
|
|
|
|
|
17-09-2006, 18:48
|
#134 | |
|
Member
Iscritto dal: Jul 2006
Messaggi: 38
|
Quote:
effettivamente prima avevo solo avast. oggi però cercando di collegarmi su questo sito ho visto che sotto nella finestra cercava un altro indirizzo...un po' sospetto. per la funzione trova, si è quella di start. nel 90% dei casi devo ammazzarla con ctrl alt canc, nel restante 10%, dopo circa 30/40 minuti, avvia la ricerca. prova.dll ...mi sa che era la dll del virus, poi seguendo una delle innumerevoli procedure, me l'hanno fatta rinominare per vedere se cambiava nome all'avvio o meno (non cambiando il nome, teoricamente il virus è debellato...) |
|
|
|
|
|
17-09-2006, 20:34
|
#135 |
|
Senior Member
Iscritto dal: Apr 2002
Città: Versilia
Messaggi: 4991
|
__________________
Tornerò indietro.
|
|
|
|
|
19-09-2006, 03:17
|
#136 | |
|
Junior Member
Iscritto dal: Sep 2006
Messaggi: 14
|
Quote:
Regmon non parte il tool di sophos non si lamenta più GMER tra i servizi BOOT mi rileva Armada_Cleaner Forse impedisce la creazione della chiave AppInit_DLLs (ma questa chiave non serve a nessun altro?!?!?)Ho provato ad installare sul mio XP Home SP2 (vedi qui http://www.astwinds.com/astuces/secpolxphome.html ) secpol.msc , perchè credo debba correggere MOLTI problemi di diritti. Ad esempio, frugando fra le autorizzazioni di alcune chiavi del registro (anche usando un'utility sysinternals AccessEnum), ho trovato chiavi alle quali l'amministratore non può accedere ("HKEY_LOCAL_MACHINE\SECURITY\*" "Accesso negato.")Ho seguito la procedura ho anche messo una dll inglese, ma sempre niente. Non sò se il problema viene dalle lingue diverse dal SO o da ulteriori blocchi di diritti. Microsoft Management Console Nome:<Sconosciuto> CLSID:{8FC0B734-A0E1-11D1-A7D3-0000F87571E3} Poi compare la struttura della consolle con, nella metà destra, cerchio rosso e croce bianca: Creazione snap-in non riuscita Qualcuno, se pensa che si possa riuscire, mi posta wsecedit.dll e secpol.msc ITALIANI? Ovvero, c'è un sistema per ripristinare i privilegi ai livelli standard in modo automatico (ci sono dei valori standard o default?) Ho continuato qui perchè penso che queste alterazioni provengano dall'infezione e possano riscontrarsi amche negli altri. Se sbaglio avvisatemi che mi sposto (dove?)Un salutone Ultima modifica di gianninicp : 19-09-2006 alle 03:26. |
|
|
|
|
|
27-09-2006, 23:27
|
#137 | |
|
Senior Member
Iscritto dal: Jun 2003
Città: ..By The Sea..
Messaggi: 564
|
Quote:
__________________
Without Contraries is no Progression... Ultima modifica di bReAkDoWn : 27-09-2006 alle 23:33. |
|
|
|
|
|
28-09-2006, 00:30
|
#138 |
|
Junior Member
Iscritto dal: Sep 2006
Messaggi: 13
|
HELP!!!!
ciao... vi spiego ke mi è successo: praticamente, il mio pc andava strano, si blokkava,lento ecc ecc....... la sett scorsa faccio un antivirus e mi trova il linkoptimazer (se si scrive così),mi dice ke lo cancella e riavvio ma il pc nn va ankora bene allora ho provato cn altri 4 tra antivirus ed anti spy cn il "nulla" come risultato! poi guardo questo forum e decido di scaricare il software GROMOZON lo faccio partire,mi trova il file infetto e dopo poco fa 4/5 skermate di dos...........finisce e mi ritrovo cn il pc vuoto oltre a una ventina di programmi(avevo 40gb solo di film di cui nn si ha + traccia oltre al resto) e con un utente in +....... cosa devo fare????? helppppppppppppppppppppppp!!! grazie
p.s. il pc nn va ancora bene!! :-((( |
|
|
|
|
28-09-2006, 07:54
|
#139 | |
|
Senior Member
Iscritto dal: Apr 2002
Città: Versilia
Messaggi: 4991
|
Quote:
__________________
Tornerò indietro.
|
|
|
|
|
|
28-09-2006, 07:58
|
#140 | |
|
Senior Member
Iscritto dal: Apr 2002
Città: Versilia
Messaggi: 4991
|
Quote:
Ti consiglio per facilitare la lettura degli utenti che leggono di utilizzare il vocabolario italiano e non i kkk .... sett nn cn sk e varie abbreviazioni ...... Inoltre, nelle precedenti pagine c'è già una serie di aiuti per ovviare al tuo problema, quindi leggi, pensa e esegui i passi precedenti se hai problemi noi (almeno io) siamo qua a disposizione per aiutarti. Ciao.
__________________
Tornerò indietro.
|
|
|
|
|
|
|
| Strumenti | |
|
|
Tutti gli orari sono GMT +1. Ora sono le: 22:33.
