Precedente :: Successivo |
Autore |
Messaggio |
montellina87 Mortale pio

Registrato: 09/07/06 17:42 Messaggi: 18
|
Inviato: 10 Lug 2006 01:18 Oggetto: win32:agent-gen [risolto] |
|
|
ciao a tutti. Ho seguito la prima parte della guida ma il problema non è ancora risolto.
Vi posto qui i vari logs:
log di hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 18.04.39, on 09/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\TRUST\Bluetooth Software\bin\btwdins.exe
C:\Programmi\Softwin\BitDefender8\bdmcon.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\TRUST\Bluetooth Software\BTTray.exe
C:\Programmi\StopDialers\StopDialer.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\Rar$EX00.770\gmer.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1A06B321-9911-88C0-89F1-281F7413084A} - C:\WINDOWS\hyqtt1.dll (file missing)
O2 - BHO: Class - {5C7E26C2-BE3E-425E-31C5-143161E782D7} - C:\WINDOWS\hyqtt1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SweetIM] C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] ~"C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: C6 Messenger.lnk = C:\Programmi\C6 Messenger\c6Messenger.exe
O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialer.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialer.exe
O8 - Extra context menu item: &Cerca con Google - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\TRUST\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Link a ritroso - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\TRUST\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\TRUST\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BB49E12-5953-4147-B9F2-92EE7B60C8B1}: NameServer = 193.70.192.25 193.70.152.25
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\TRUST\Bluetooth Software\bin\btwdins.exe
O23 - Service: UpdZqs - Unknown owner - C:\Programmi\File comuni\Microsoft Shared\XVy.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Alternate data streams:
C:\WINDOWS\Prefetch\SYSTEM32 : VYITW.EXE-2E280696.pf (19844 bytes)
Silentrunners:
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SweetIM" = "C:\Programmi\Macrogaming\SweetIM\SweetIM.exe" ["MacroGaming LTD."]
"MessengerPlus3" = ""C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart" ["Patchou"]
"msnmsgr" = "~"C:\Programmi\MSN Messenger\msnmsgr.exe" /background" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"snpstd" = "C:\WINDOWS\vsnpstd.exe" [empty string]
"DataLayer" = "C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE" ["Nokia Mobile Phones Ltd."]
"PCSuiteTrayApplication" = "C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE" [empty string]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"BDMCon" = ""C:\Programmi\Softwin\BitDefender8\bdmcon.exe"" ["SOFTWIN S.R.L."]
"BDNewsAgent" = ""C:\Programmi\Softwin\BitDefender8\bdnagent.exe"" [null data]
"VIRIT LITE MONITOR" = "C:\VEXPLITE\MONLITE.EXE" ["TG Soft S.a.s."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1A06B321-9911-88C0-89F1-281F7413084A}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Class"
\InProcServer32\(Default) = "C:\WINDOWS\hyqtt1.dll" [file not found]
{5C7E26C2-BE3E-425E-31C5-143161E782D7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Class"
\InProcServer32\(Default) = "C:\WINDOWS\hyqtt1.dll" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Estensione panoramica video del Pannello di controllo"
-> {HKLM...CLSID} = "Estensione panoramica video del Pannello di controllo"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Estensione di icona di HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Estensione dell'icona del file di Outlook"
\InProcServer32\(Default) = "C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programmi\Microsoft Office\Office10\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "Risorse di rete Bluetooth"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["WIDCOMM, Inc."]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Programmi\Nokia\Nokia PC Suite 6\NokiaPhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {HKLM...CLSID} = "Contact View"
\InProcServer32\(Default) = "C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programmi\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8"
-> {HKLM...CLSID} = "BitDefender Antivirus v8"
\InProcServer32\(Default) = "C:\Programmi\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Cartelle condivise"
\InProcServer32\(Default) = "C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programmi\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {HKLM...CLSID} = "BitDefender Antivirus v8"
\InProcServer32\(Default) = "C:\Programmi\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programmi\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {HKLM...CLSID} = "BitDefender Antivirus v8"
\InProcServer32\(Default) = "C:\Programmi\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Colline.bmp"
Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------
C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica
"C6 Messenger" -> shortcut to: "C:\Programmi\C6 Messenger\c6Messenger.exe" ["Icona SpA"]
"Stop Dialers" -> shortcut to: "C:\Programmi\StopDialers\StopDialer.exe" [null data]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
"BTTray" -> shortcut to: "C:\Programmi\TRUST\Bluetooth Software\BTTray.exe" ["WIDCOMM, Inc."]
"Stop Dialers" -> shortcut to: "C:\Programmi\StopDialers\StopDialer.exe" [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programmi\google\googletoolbar1.dll" ["Google Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programmi\google\googletoolbar1.dll" ["Google Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{E10CA33E-A153-8E29-1F0D-76747590D591}\(Default) = (no title provided)
-> {HKLM...CLSID} = "JavaScript console"
\InProcServer32\(Default) = "C:\WINDOWS\hyqtt1.dll" [file not found]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Programmi\TRUST\Bluetooth Software\btsendto_ie.htm" [null data]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programmi\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
avast! Antivirus, avast! Antivirus, ""C:\Programmi\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
BitDefender Communicator, XCOMM, ""C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
BitDefender Scan Server, bdss, ""C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
Bluetooth Service, btwdins, "C:\Programmi\TRUST\Bluetooth Software\bin\btwdins.exe" ["WIDCOMM, Inc."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Servizio Messenger Sharing USN Journal Reader, usnsvc, "C:\WINDOWS\system32\svchost.exe -k usnsvc" {"C:\Programmi\MSN Messenger\usnsvc.dll" [MS]}
Virit eXplorer Lite, viritsvclite, "C:\VEXPLITE\viritsvc.exe" ["TG Soft Sas www.tgsoft.it"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Porta stampante Bluetooth\Driver = "bthcrp.dll" ["WIDCOMM, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 163 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 71 seconds.
---------- (total run time: 371 seconds)
Rootkit di Gmer:
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-10 01:13:23
Windows 5.1.2600 Service Pack 2
---- Devices - GMER 1.0.10 ----
Device \Driver\BTHUSB \Device\00000065 IRP_MJ_CREATE [F5F8EBB0] bthport.sys
Device \Driver\BTHUSB \Device\00000065 IRP_MJ_CLOSEIRP_MJ_READ [F5FBA990] bthport.sys
Device \Driver\BTHUSB \Device\00000065 IRP_MJ_INTERNAL_DEVICE_CONTROL [F5F8CF00] bthport.sys
Device \Driver\BTHUSB \Device\00000065 IRP_MJ_SHUTDOWN [F5F8DA70] bthport.sys
Device \Driver\BTHUSB \Device\00000065 IRP_MJ_CREATE_MAILSLOT [F5F8E920] bthport.sys
Device \Driver\BTHUSB \Device\00000065 IRP_MJ_SYSTEM_CONTROL [F5FBBEE0] bthport.sys
Device \Driver\BTHUSB \Device\00000065 IRP_MJ_DEVICE_CHANGE [F5FBC7B0] bthport.sys
Device \Driver\BTHUSB \Device\00000065 IRP_MJ_PNP_POWER [F5FBB3B0] bthport.sys
Device \Driver\BTHUSB \Device\00000067 IRP_MJ_CREATE [F5F8EBB0] bthport.sys
Device \Driver\BTHUSB \Device\00000067 IRP_MJ_CLOSEIRP_MJ_READ [F5FBA990] bthport.sys
Device \Driver\BTHUSB \Device\00000067 IRP_MJ_INTERNAL_DEVICE_CONTROL [F5F8CF00] bthport.sys
Device \Driver\BTHUSB \Device\00000067 IRP_MJ_SHUTDOWN [F5F8DA70] bthport.sys
Device \Driver\BTHUSB \Device\00000067 IRP_MJ_CREATE_MAILSLOT [F5F8E920] bthport.sys
Device \Driver\BTHUSB \Device\00000067 IRP_MJ_SYSTEM_CONTROL [F5FBBEE0] bthport.sys
Device \Driver\BTHUSB \Device\00000067 IRP_MJ_DEVICE_CHANGE [F5FBC7B0] bthport.sys
Device \Driver\BTHUSB \Device\00000067 IRP_MJ_PNP_POWER [F5FBB3B0] bthport.sys
---- Processes - GMER 1.0.10 ----
Library C:\WINDOWS\hyqtt1.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1156] 0x031E0000 <-- ROOTKIT !!!
Library C:\WINDOWS\hyqtt1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [3456] 0x01F10000 <-- ROOTKIT !!!
---- Files - GMER 1.0.10 ----
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\WINDOWS\hyqtt1.dll
File C:\WINDOWS\system32\com4.igp
---- EOF - GMER 1.0.10 ----
Autostart di gmer:
&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll
C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica >>>
C6 Messenger.lnk = C6 Messenger.lnk
Stop Dialers.lnk = Stop Dialers.lnk
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
BTTray.lnk = BTTray.lnk
Stop Dialers.lnk = Stop Dialers.lnk
---- EOF - GMER 1.0.10 ---- |
|
Top |
|
 |
montellina87 Mortale pio

Registrato: 09/07/06 17:42 Messaggi: 18
|
Inviato: 10 Lug 2006 01:24 Oggetto: |
|
|
ah dimenticavo di dire che non ho nessuna cartella di nome linkoptimizer e in c: programmi non ho nessun file eseguibile. In doucments and settings il nome dell'utente fittizio è dkc.
grazie a chi mi potrà aiutare!! |
|
Top |
|
 |
holifay Dio maturo


Registrato: 08/03/05 10:48 Messaggi: 2912 Residenza: Milano
|
Inviato: 10 Lug 2006 15:00 Oggetto: |
|
|
ciao, scusa l´attesa. Il tuo caso è leggermente diverso da quello degli altri che ho visto (che fortuna eh? )
Scarica per favore rootkitrevelear e posta un log. Mi raccomando prima di avviare il tool:
- disattiva ogni scansione realtime degli antispware/antivirus
- disconnettiti da Internet
- chiudi il firewall
- disattiva lo screensaver
- non usare il PC finchè ha finito
Spero che tu non abbia riavviato il computer da quando hai postato i log, altrimenti potrebbe essere necessario rifarli
Ciao |
|
Top |
|
 |
montellina87 Mortale pio

Registrato: 09/07/06 17:42 Messaggi: 18
|
Inviato: 10 Lug 2006 16:51 Oggetto: |
|
|
ecco il log:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 17/06/2006 10.29 66 bytes Windows API length not consistent with raw hive data.
C:\WINDOWS\hyqtt1.del 10/07/2006 14.56 63.16 KB Hidden from Windows API.
C:\WINDOWS\hyqtt1.dll 10/07/2006 14.56 63.16 KB Hidden from Windows API.
C:\WINDOWS\system32\com4.igp 10/07/2006 16.39 115.04 KB Hidden from Windows API.
purtroppo ho riavviato, ma se è necessario posso rifarli tranquillamente!
grazie! |
|
Top |
|
 |
holifay Dio maturo


Registrato: 08/03/05 10:48 Messaggi: 2912 Residenza: Milano
|
Inviato: 10 Lug 2006 17:05 Oggetto: |
|
|
sì, grazie. Falli nuovamente altrimenti rischiamo di non risolvere. Vedi la data di creazione delle dll nascoste? E\' di oggi
Dopo che li hai postati, finchè io o qualcun altro non ti dice cosa fare, non riavviare a meno che tu non sia proprio costretta.
Credo che ti sei infettata il 17/06/2006. Cosa hai fatto quel giorno?  |
|
Top |
|
 |
montellina87 Mortale pio

Registrato: 09/07/06 17:42 Messaggi: 18
|
Inviato: 10 Lug 2006 17:38 Oggetto: |
|
|
Log di Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 17.10.52, on 10/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\TRUST\Bluetooth Software\bin\btwdins.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\TRUST\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\Programmi\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SweetIM] C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] ~"C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: C6 Messenger.lnk = C:\Programmi\C6 Messenger\c6Messenger.exe
O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialer.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialer.exe
O8 - Extra context menu item: &Cerca con Google - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\TRUST\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Link a ritroso - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\TRUST\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\TRUST\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BB49E12-5953-4147-B9F2-92EE7B60C8B1}: NameServer = 193.70.192.25 193.70.152.25
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\TRUST\Bluetooth Software\bin\btwdins.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Alternate data streams:
C:\WINDOWS\Prefetch\SYSTEM32 : VYITW.EXE-2E280696.pf (19844 bytes)
Silentrunners:
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SweetIM" = "C:\Programmi\Macrogaming\SweetIM\SweetIM.exe" ["MacroGaming LTD."]
"MessengerPlus3" = ""C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart" ["Patchou"]
"msnmsgr" = "~"C:\Programmi\MSN Messenger\msnmsgr.exe" /background" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"snpstd" = "C:\WINDOWS\vsnpstd.exe" [empty string]
"DataLayer" = "C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE" ["Nokia Mobile Phones Ltd."]
"PCSuiteTrayApplication" = "C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE" [empty string]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"BDMCon" = ""C:\Programmi\Softwin\BitDefender8\bdmcon.exe"" ["SOFTWIN S.R.L."]
"BDNewsAgent" = ""C:\Programmi\Softwin\BitDefender8\bdnagent.exe"" [null data]
"VIRIT LITE MONITOR" = "C:\VEXPLITE\MONLITE.EXE" ["TG Soft S.a.s."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Estensione panoramica video del Pannello di controllo"
-> {HKLM...CLSID} = "Estensione panoramica video del Pannello di controllo"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Estensione di icona di HyperTerminal"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Estensione dell'icona del file di Outlook"
\InProcServer32\(Default) = "C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programmi\Microsoft Office\Office10\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "Risorse di rete Bluetooth"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["WIDCOMM, Inc."]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Programmi\Nokia\Nokia PC Suite 6\NokiaPhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {HKLM...CLSID} = "Contact View"
\InProcServer32\(Default) = "C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programmi\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8"
-> {HKLM...CLSID} = "BitDefender Antivirus v8"
\InProcServer32\(Default) = "C:\Programmi\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Cartelle condivise"
\InProcServer32\(Default) = "C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programmi\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {HKLM...CLSID} = "BitDefender Antivirus v8"
\InProcServer32\(Default) = "C:\Programmi\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programmi\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
-> {HKLM...CLSID} = "BitDefender Antivirus v8"
\InProcServer32\(Default) = "C:\Programmi\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programmi\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Colline.bmp"
Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------
C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica
"C6 Messenger" -> shortcut to: "C:\Programmi\C6 Messenger\c6Messenger.exe" ["Icona SpA"]
"Stop Dialers" -> shortcut to: "C:\Programmi\StopDialers\StopDialer.exe" [null data]
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica
"BTTray" -> shortcut to: "C:\Programmi\TRUST\Bluetooth Software\BTTray.exe" ["WIDCOMM, Inc."]
"Stop Dialers" -> shortcut to: "C:\Programmi\StopDialers\StopDialer.exe" [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programmi\google\googletoolbar1.dll" ["Google Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\programmi\google\googletoolbar1.dll" ["Google Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{E10CA33E-A153-8E29-1F0D-76747590D591}\(Default) = (no title provided)
-> {HKLM...CLSID} = "JavaScript console"
\InProcServer32\(Default) = "C:\WINDOWS\hyqtt1.dll" [file not found]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Programmi\TRUST\Bluetooth Software\btsendto_ie.htm" [null data]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programmi\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
avast! Antivirus, avast! Antivirus, ""C:\Programmi\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
BitDefender Communicator, XCOMM, ""C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
BitDefender Scan Server, bdss, ""C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
Bluetooth Service, btwdins, "C:\Programmi\TRUST\Bluetooth Software\bin\btwdins.exe" ["WIDCOMM, Inc."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Servizio Messenger Sharing USN Journal Reader, usnsvc, "C:\WINDOWS\system32\svchost.exe -k usnsvc" {"C:\Programmi\MSN Messenger\usnsvc.dll" [MS]}
Virit eXplorer Lite, viritsvclite, "C:\VEXPLITE\viritsvc.exe" ["TG Soft Sas www.tgsoft.it"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Porta stampante Bluetooth\Driver = "bthcrp.dll" ["WIDCOMM, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 31 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 30 seconds.
---------- (total run time: 151 seconds)
Rootkit di gmer:
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-10 17:34:14
Windows 5.1.2600 Service Pack 2
---- Devices - GMER 1.0.10 ----
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_CREATE [F602EBB0] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_CLOSEIRP_MJ_READ [F605A990] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_INTERNAL_DEVICE_CONTROL [F602CF00] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_SHUTDOWN [F602DA70] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_CREATE_MAILSLOT [F602E920] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_SYSTEM_CONTROL [F605BEE0] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_DEVICE_CHANGE [F605C7B0] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_PNP_POWER [F605B3B0] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_CREATE [F602EBB0] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_CLOSEIRP_MJ_READ [F605A990] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_INTERNAL_DEVICE_CONTROL [F602CF00] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_SHUTDOWN [F602DA70] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_CREATE_MAILSLOT [F602E920] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_SYSTEM_CONTROL [F605BEE0] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_DEVICE_CHANGE [F605C7B0] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_PNP_POWER [F605B3B0] bthport.sys
---- Files - GMER 1.0.10 ----
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\WINDOWS\hyqtt1.del
File C:\WINDOWS\hyqtt1.dll
File C:\WINDOWS\system32\com4.igp
File D:\System Volume Information\MountPointManagerRemoteDatabase
File D:\System Volume Information\tracking.log
File D:\System Volume Information\_restore{2D8247C5-F923-4080-A2A5-C06D5543D82F}
File D:\System Volume Information\_restore{51B0E9B2-DDA4-44B2-A47F-A5BA2FFC7FB1}
---- EOF - GMER 1.0.10 ----
Autostar di gmer:
GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-07-10 17:35:32
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ >>>
Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
Windows@AppInit_DLLs = \\?\C:\WINDOWS\system32\com4.igp
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
bdss /*BitDefender Scan Server*/@ = "C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service
btwdins /*Bluetooth Service*/@ = C:\Programmi\TRUST\Bluetooth Software\bin\btwdins.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe
XCOMM /*BitDefender Communicator*/@ = "C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@BluetoothAuthenticationAgentrundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
@snpstdC:\WINDOWS\vsnpstd.exe = C:\WINDOWS\vsnpstd.exe
@DataLayerC:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE = C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
@PCSuiteTrayApplicationC:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE = C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@BDMCon"C:\Programmi\Softwin\BitDefender8\bdmcon.exe" = "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
@BDNewsAgent"C:\Programmi\Softwin\BitDefender8\bdnagent.exe" = "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@SweetIMC:\Programmi\Macrogaming\SweetIM\SweetIM.exe = C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
@MessengerPlus3"C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart = "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
@msnmsgr~"C:\Programmi\MSN Messenger\msnmsgr.exe" /background /*file not found*/ = ~"C:\Programmi\MSN Messenger\msnmsgr.exe" /background /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@(null) =
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/C:\WINDOWS\system32\btneighborhood.dll = C:\WINDOWS\system32\btneighborhood.dll
@{40950107-FEA6-4d53-A65F-B2DCBA57DD58} /*Nokia Phone Browser*/C:\Programmi\Nokia\Nokia PC Suite 6\NokiaPhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\NokiaPhoneBrowser.dll
@{FBFE7864-D495-41f0-B7DC-4BB601CC295E} /*Contact View*/C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{D653647D-D607-4DF6-A5B8-48D2BA195F7B} /*BitDefender Antivirus v8*/C:\Programmi\Softwin\BitDefender8\bdshelxt.dll = C:\Programmi\Softwin\BitDefender8\bdshelxt.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
BitDefender Antivirus v8@{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Programmi\Softwin\BitDefender8\bdshelxt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
BitDefender Antivirus v8@{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Programmi\Softwin\BitDefender8\bdshelxt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll
C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica >>>
C6 Messenger.lnk = C6 Messenger.lnk
Stop Dialers.lnk = Stop Dialers.lnk
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
BTTray.lnk = BTTray.lnk
Stop Dialers.lnk = Stop Dialers.lnk
---- EOF - GMER 1.0.10 ----
Quel giorno mi sa che c'era mia madre al pc che cercava sfondi per la mia tesina e se lo sarà preso in qualche sito...
Comunque ok non riavvio il computer finchè non mi dici tu. |
|
Top |
|
 |
holifay Dio maturo


Registrato: 08/03/05 10:48 Messaggi: 2912 Residenza: Milano
|
Inviato: 10 Lug 2006 18:01 Oggetto: |
|
|
OK, adesso è più chiaro, lo abbiamo in pugno
Scarica The Avenger sul Desktop.
- Estrai l´eseguibile sul desktop.
- copia il contenuto di questa finestra negli appunto (CTRL+C)
Citazione: |
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
registry keys to delete:
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{E10CA33E-A153-8E29-1F0D-76747590D591}
Files to replace with dummy:
C:\WINDOWS\hyqtt1.del
C:\WINDOWS\hyqtt1.dll
C:\WINDOWS\system32\com4.igp
Files to delete:
C:\WINDOWS\hyqtt1.del
C:\WINDOWS\hyqtt1.dll
C:\WINDOWS\system32\com4.igp
Folders to Delete:
c:\documents and settings\dkc
|
- avvia The Avenger e seleziona "Input Script Manually"
- clicca sulla icona con la lente di ingrandimento
- si aprirà una nuova finestra con scritto "View/edit script"
- incolla quanto copiato sopra premendo Ctrl+V
- clicca Done
- clicca l'icona con il semaforo con la luce verde per avviare lo script
- rispondi "Yes" due volte
se non si riavvia, riavvialo tu.
Adesso vai in C:\Avenger e metti in un file zip questi file che poi invierai a www.suspectfile.com:
Citazione: | C:\WINDOWS\hyqtt1.del
C:\WINDOWS\hyqtt1.dll
C:\WINDOWS\system32\com4.igp |
Se non li vedi abilita la visualizzazione dei file nascosti e di sistema:
Citazione: | - apri gestione risorse
- dal menu selezona strumenti >> opzioni cartella
- seleziona il tab visualizzazione
- metti la spunta alla casella visualizza file e cartelle nascoste
- togli la spunta alla casella nascondi file di sistema (consigliato) (trovi l´ozione più in basso)
- clicca Si, poi Applica, poi OK. |
Dopo che li hai inviati, riavvia in modalità provvisoria (riavvia e premi F8 al boot) e fai una scansione con Virit.
Riavvia in modalità normale e sgrida tua madre!
Al termine posta un nuovo log di HijackThis e i due log (Rootkit + autoruns) di GMER
Ciao  |
|
Top |
|
 |
montellina87 Mortale pio

Registrato: 09/07/06 17:42 Messaggi: 18
|
Inviato: 10 Lug 2006 18:20 Oggetto: |
|
|
mi da un errore di sintassi su questo carattere - e non procede... |
|
Top |
|
 |
holifay Dio maturo


Registrato: 08/03/05 10:48 Messaggi: 2912 Residenza: Milano
|
Inviato: 10 Lug 2006 18:43 Oggetto: |
|
|
Citazione: | mi da un errore di sintassi su questo carattere - e non procede... |
quale errore? Su quale carattere? Non ho capito bene.
Cioè riesci ad avviare The Avenger e poi si blocca al momento di iniziare lo script?
Strano, sicura di aver vatto copia/incolla del solo contenuto della finestra con lo script? |
|
Top |
|
 |
montellina87 Mortale pio

Registrato: 09/07/06 17:42 Messaggi: 18
|
Inviato: 10 Lug 2006 18:47 Oggetto: |
|
|
dopo aver cliccato sul semaforo mi esce l'errore. I caratteri che forse non accetta sono questi "---" senza apici.
Credo si riferisca a questa parte dello script {E10CA33E-A153-8E29-1F0D-76747590D591} (i trattini in mezzo) |
|
Top |
|
 |
holifay Dio maturo


Registrato: 08/03/05 10:48 Messaggi: 2912 Residenza: Milano
|
Inviato: 10 Lug 2006 18:56 Oggetto: |
|
|
strano... vabbè, fa niente, tanto il file lo cancelliamo e la chiave non risulterà attiva. Poi andiamo a cercarla nel registro.
Fai lo script senza questa parte:
Citazione: |
registry keys to delete:
HKCU/Software/Microsoft/Internet Explorer/Explorer Bars/{E10CA33E-A153-8E29-1F0D-76747590D591} |
|
|
Top |
|
 |
montellina87 Mortale pio

Registrato: 09/07/06 17:42 Messaggi: 18
|
Inviato: 11 Lug 2006 01:54 Oggetto: |
|
|
allora ho inviato i primi due files ma com4.igp non riesco a zipparlo e non l'ho ancora mandato.Nel frattempo ho fatto il resto e questi sono i logs:
Logfile of HijackThis v1.99.1
Scan saved at 1.36.43, on 11/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\TRUST\Bluetooth Software\bin\btwdins.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\vsnpstd.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Softwin\BitDefender8\bdmcon.exe
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\VEXPLITE\MONLITE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\TRUST\Bluetooth Software\BTTray.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SweetIM] C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] ~"C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: C6 Messenger.lnk = C:\Programmi\C6 Messenger\c6Messenger.exe
O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialer.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialer.exe
O8 - Extra context menu item: &Cerca con Google - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a &Bluetooth - C:\Programmi\TRUST\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Link a ritroso - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\TRUST\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programmi\TRUST\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4BB49E12-5953-4147-B9F2-92EE7B60C8B1}: NameServer = 193.70.192.25 193.70.152.25
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programmi\TRUST\Bluetooth Software\bin\btwdins.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Autostart:
GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-07-11 01:40:28
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
bdss /*BitDefender Scan Server*/@ = "C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service
btwdins /*Bluetooth Service*/@ = C:\Programmi\TRUST\Bluetooth Software\bin\btwdins.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe
XCOMM /*BitDefender Communicator*/@ = "C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@BluetoothAuthenticationAgentrundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
@snpstdC:\WINDOWS\vsnpstd.exe = C:\WINDOWS\vsnpstd.exe
@DataLayerC:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE = C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
@PCSuiteTrayApplicationC:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE = C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@BDMCon"C:\Programmi\Softwin\BitDefender8\bdmcon.exe" = "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
@BDNewsAgent"C:\Programmi\Softwin\BitDefender8\bdnagent.exe" = "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@SweetIMC:\Programmi\Macrogaming\SweetIM\SweetIM.exe = C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
@MessengerPlus3"C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart = "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
@msnmsgr~"C:\Programmi\MSN Messenger\msnmsgr.exe" /background /*file not found*/ = ~"C:\Programmi\MSN Messenger\msnmsgr.exe" /background /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@(null) =
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/C:\WINDOWS\system32\btneighborhood.dll = C:\WINDOWS\system32\btneighborhood.dll
@{40950107-FEA6-4d53-A65F-B2DCBA57DD58} /*Nokia Phone Browser*/C:\Programmi\Nokia\Nokia PC Suite 6\NokiaPhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\NokiaPhoneBrowser.dll
@{FBFE7864-D495-41f0-B7DC-4BB601CC295E} /*Contact View*/C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{D653647D-D607-4DF6-A5B8-48D2BA195F7B} /*BitDefender Antivirus v8*/C:\Programmi\Softwin\BitDefender8\bdshelxt.dll = C:\Programmi\Softwin\BitDefender8\bdshelxt.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
BitDefender Antivirus v8@{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Programmi\Softwin\BitDefender8\bdshelxt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
BitDefender Antivirus v8@{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Programmi\Softwin\BitDefender8\bdshelxt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\sstext3d.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll
C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica >>>
C6 Messenger.lnk = C6 Messenger.lnk
Stop Dialers.lnk = Stop Dialers.lnk
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
BTTray.lnk = BTTray.lnk
Stop Dialers.lnk = Stop Dialers.lnk
---- EOF - GMER 1.0.10 ----
Rootkit:
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-11 01:53:55
Windows 5.1.2600 Service Pack 2
---- Devices - GMER 1.0.10 ----
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_CREATE [F602EBB0] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_CLOSEIRP_MJ_READ [F605A990] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_INTERNAL_DEVICE_CONTROL [F602CF00] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_SHUTDOWN [F602DA70] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_CREATE_MAILSLOT [F602E920] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_SYSTEM_CONTROL [F605BEE0] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_DEVICE_CHANGE [F605C7B0] bthport.sys
Device \Driver\BTHUSB \Device\00000066 IRP_MJ_PNP_POWER [F605B3B0] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_CREATE [F602EBB0] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_CLOSEIRP_MJ_READ [F605A990] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_INTERNAL_DEVICE_CONTROL [F602CF00] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_SHUTDOWN [F602DA70] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_CREATE_MAILSLOT [F602E920] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_SYSTEM_CONTROL [F605BEE0] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_DEVICE_CHANGE [F605C7B0] bthport.sys
Device \Driver\BTHUSB \Device\00000068 IRP_MJ_PNP_POWER [F605B3B0] bthport.sys
---- Files - GMER 1.0.10 ----
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File D:\System Volume Information\MountPointManagerRemoteDatabase
File D:\System Volume Information\tracking.log
File D:\System Volume Information\_restore{2D8247C5-F923-4080-A2A5-C06D5543D82F}
File D:\System Volume Information\_restore{51B0E9B2-DDA4-44B2-A47F-A5BA2FFC7FB1}
---- EOF - GMER 1.0.10 ----
Grazie ancora! |
|
Top |
|
 |
holifay Dio maturo


Registrato: 08/03/05 10:48 Messaggi: 2912 Residenza: Milano
|
Inviato: 11 Lug 2006 13:29 Oggetto: |
|
|
bene, andiamo bene
Grazie per l´invio dei file infetti: è confermato che si tratta di linkoptimizer
http://www.suspectfile.com/forum/viewtopic.php?t=152
Quei due file che hai inviato, puoi cancellarli. Per quanto riguarda il file com4.igp è un pochino più complicato, perchè probabilmente hai un file system NTFS.
Quel nome (come quelli del tipo prn#, lpt#) sono nomi riservati in windows e non si dovrebbero poter creare. Se ci provi infatti non riesci
Per copiare/cancellare/rinominare uno di quei file in caso di NTFS occorre usare una particolare sintassi dei comand dos che bypassa il controllo di protezione sui nomi.
Prova così. Premi start >> Esegui e digita CMD (invio). Nella finestra di DOS che si apre digita ora esattamente:
REN \\.\c:\avenger\com4.igp back_com4.igp
fai attenzione agli spazi e alla sintassi. Se non ti viene prova a copiare/incollare quanto sopra in un nuovo file che crei con il blocco note e poi salvi con estensione bat (es forum.bat). Poi avvialo (clicca 2 volte)
Se il comando funziona adesso dovresti trovare il file back_com4.igp in C:\avenger che riuscirai a zippare e a mandare a www.suspectfile.com
Dopo, eliminalo
PS: Riesci mica a ricordarti quali siti ha visitato tua madre quel giorno? |
|
Top |
|
 |
montellina87 Mortale pio

Registrato: 09/07/06 17:42 Messaggi: 18
|
Inviato: 11 Lug 2006 15:17 Oggetto: |
|
|
Il file è diventato back_com4.igp però non riesco ancora a zipparlo... |
|
Top |
|
 |
Dink the Boss Eroe in grazia degli dei

Registrato: 03/07/06 10:33 Messaggi: 136
|
Inviato: 11 Lug 2006 15:41 Oggetto: |
|
|
ma sto maledetto link optimizer vedo che ha colpito 1pò tutti...io per fortuna sono riuscito a toglierlo...segui i consigli di questo forum e vedi ke lo riesci a togliere ^^
quello ke posso consigliarti, è fare le scansioni con gli antivirus online...che ti trovano 1 bel pò di roba...
e usare ANTIVIR che a me ha trovato tanti file infetti ke altri antivirus non rilevavano
ps: da dove si prende sto virus link optimizer?  |
|
Top |
|
 |
holifay Dio maturo


Registrato: 08/03/05 10:48 Messaggi: 2912 Residenza: Milano
|
Inviato: 11 Lug 2006 15:46 Oggetto: |
|
|
mmm strano. Cliccaci sopra con il tasto destro e scegli proprietà dal menu.
Cerca il tab autorizzazioni e prova ad impostare al tuo utente il controllo completo su quel file. |
|
Top |
|
 |
holifay Dio maturo


Registrato: 08/03/05 10:48 Messaggi: 2912 Residenza: Milano
|
Inviato: 11 Lug 2006 15:48 Oggetto: |
|
|
Citazione: |
ps: da dove si prende sto virus link optimizer?  |
piacerebbe saperlo anche a me e anche alla Fortinet che me lo ha chiesto. Per questo ho chiesto a montellina87 se si ricorda quali siti ha visitato la madre.
Credo si installi attraverso i controlli activeX navigando in internet con IE |
|
Top |
|
 |
montellina87 Mortale pio

Registrato: 09/07/06 17:42 Messaggi: 18
|
Inviato: 11 Lug 2006 15:54 Oggetto: |
|
|
se clicco su proprietà c'è solo il tab generale...Comunque purtroppo non si ricorda precisamente in quale sito è andata perchè ne ha girati molti quel giorno |
|
Top |
|
 |
holifay Dio maturo


Registrato: 08/03/05 10:48 Messaggi: 2912 Residenza: Milano
|
Inviato: 11 Lug 2006 16:03 Oggetto: |
|
|
che errore ti dà quando cerchi di zipparlo? Hai provato a riavviare? |
|
Top |
|
 |
montellina87 Mortale pio

Registrato: 09/07/06 17:42 Messaggi: 18
|
Inviato: 11 Lug 2006 16:15 Oggetto: |
|
|
si ho riavviato.
mi da questo messaggio di errore:
! C:\Avenger\Nuovo Archivio WinRAR ZIP.zip: Impossibile aprire back_com4.igp
Accesso negato. |
|
Top |
|
 |
|
|
Non puoi inserire nuovi argomenti Non puoi rispondere a nessun argomento Non puoi modificare i tuoi messaggi Non puoi cancellare i tuoi messaggi Non puoi votare nei sondaggi
|
|