Indice del forum Olimpo Informatico
I Forum di Zeus News
Leggi la newsletter gratuita - Attiva il Menu compatto
 
 FAQFAQ   CercaCerca   Lista utentiLista utenti   GruppiGruppi   RegistratiRegistrati 
 ProfiloProfilo   Messaggi privatiMessaggi privati   Log inLog in 

    Newsletter RSS Facebook Twitter Contatti Ricerca
Trojan Clicker.CVS pure io!!
Nuovo argomento   Rispondi    Indice del forum -> Pronto Soccorso Virus
Precedente :: Successivo  
Autore Messaggio
Scotch
Eroe
Eroe


Registrato: 22/09/06 10:51
Messaggi: 47
MessaggioInviato: 22 Set 2006 11:02    Oggetto: Trojan Clicker.CVS pure io!! Rispondi citando
Ciao a tutti, purtroppo anche io come l'utente del thread precedente ho dei problemi con questo Clicker.CVS
Anche nel mio caso il percorso che mi da è C/windows/syst32.dll e non ho modo di cancellarlo.
Ho preferito cmq aprire un mio thread in quanto non mi fidavo a cancellare qualcosa di cui non fossi sicuro. Vi metto il log di hijack.
Spero mi possiate aiutare, grazie in anticipo!!


Logfile of HijackThis v1.99.1
Scan saved at 10.57.20, on 22/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\service32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Documents and Settings\Proprietario\Menu Avvio\Programmi\Esecuzione automatica\tkwebl.exe
C:\Documents and Settings\Proprietario\Documenti\Lancio Programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2a6af021-17a2-4014-8624-cf6015f82fad} - C:\WINDOWS\system32\jkaa.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [fkcc1.exe] C:\WINDOWS\TEMP\fkcc1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: tkwebl.exe
O4 - Global Startup: hp center.lnk = C:\Programmi\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
O23 - Service: WinVbc - Unknown owner - \\?\C:\Programmi\Windows NT\prn.exe (file missing)


Cosa devo fare?
Top
Profilo Invia messaggio privato
holifay
Dio maturo
Dio maturo


Registrato: 08/03/05 10:48
Messaggi: 2912
Residenza: Milano
MessaggioInviato: 22 Set 2006 12:46    Oggetto: Rispondi citando
Benvenuto nei nostri forum Smile

Purtroppo non è l´unica infezione che hai. Per prima cosa fai girare il tool della prevx contro il rootkit gromozon. Non è necessario installare tutta la suite come ti verrà chiesto alla fine: http://www.prevx.com/gromozon.asp

Poi posta:
- il contenuto del file c:/gromozon_removal.log
- un nuovo log di HijackThis
- il log di GMER.

GMER: per farlo scaricalo da www.gmer.net , avvialo, clicca su tab Autostart >> Scan. Il risultato lo copi premendo il pulsante Copy. Fai la stessa cosa con il tab rootkit e poi incolla qui i risultati.

Infine posta i nomi delle cartelle in C:/documents and settings/ e la loro data di creazione.
Top
Profilo Invia messaggio privato
Scotch
Eroe
Eroe


Registrato: 22/09/06 10:51
Messaggi: 47
MessaggioInviato: 22 Set 2006 13:58    Oggetto: Rispondi citando
Innanzitutto ti ringrazio di avermi riposto. Smile
In secondo luogo ti metto passo passo quello che hai detto di fare con i relativi problemi che ho riscontrato.

Allora, log Gromozon:

Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\system32\jkaa.dll
>>>Error: File C:\WINDOWS\system32\jkaa.dll could not be removed - it will be removed on the next reboot.


Trojan.Gromozon Removed!



Poi, nuovo log hijack:

Logfile of HijackThis v1.99.1
Scan saved at 13.10.52, on 22/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\service32.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Documents and Settings\Proprietario\Menu Avvio\Programmi\Esecuzione automatica\tkwebl.exe
C:\Programmi\Grisoft\AVG Free\avgcc.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\MSN Apps\Updater\01.02.3000.1001\it\msnappau.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Proprietario\Documenti\Lancio Programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2a6af021-17a2-4014-8624-cf6015f82fad} - C:\WINDOWS\system32\jkaa.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [fkcc1.exe] C:\WINDOWS\TEMP\fkcc1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: tkwebl.exe
O4 - Global Startup: hp center.lnk = C:\Programmi\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{602AAC4C-6568-4BC9-B55C-E36394EFF4B5}: NameServer = 85.37.17.6 85.38.28.89
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NetZqm - Unknown owner - \\?\C:\Programmi\Windows NT\com4.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
O23 - Service: WinVbc - Unknown owner - \\?\C:\Programmi\Windows NT\prn.exe (file missing)




Poi, log Autostart GMER:

GMER 1.0.11.11349 - http://www.gmer.net
Autostart 2006-09-22 13:27:45
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui@DLLName = igfxsrvc.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
NetZqm /*NetZqm*/@ = "\\?\C:\Programmi\Windows NT\com4.exe"
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SmcService /*Sygate Personal Firewall Pro*/@ = C:\Programmi\Sygate\SPF\smc.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
WinVbc /*WinVbc*/@ = "\\?\C:\Programmi\Windows NT\prn.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SmcServiceC:\PROGRA~1\Sygate\SPF\smc.exe -startgui = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
@AdslTaskBarrundll32.exe stmctrl.dll,TaskBar = rundll32.exe stmctrl.dll,TaskBar
@snpstdC:\WINDOWS\vsnpstd.exe = C:\WINDOWS\vsnpstd.exe
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@nwiznwiz.exe /install = nwiz.exe /install
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
@fkcc1.exeC:\WINDOWS\TEMP\fkcc1.exe = C:\WINDOWS\TEMP\fkcc1.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run@1 = C:\WINDOWS\service32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{7F67036B-66F1-411A-AD85-759FB9C5B0DB} /*SampleView*/C:\WINDOWS\System32\ShellvRTF.dll = C:\WINDOWS\System32\ShellvRTF.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
ZipitShellExt@{1642EA06-054E-497C-844D-AE817DF804CC} = C:\Programmi\FadeOut Zipit\ZipitExt.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
@{2a6af021-17a2-4014-8624-cf6015f82fad}C:\WINDOWS\system32\jkaa.dll = C:\WINDOWS\system32\jkaa.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{9394EDE7-C8B5-483E-8773-474BF36AF6E4}C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll = C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
@{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll = C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\ssmypics.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://it7.hpwis.com/ = http://it7.hpwis.com/
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\Proprietario\Menu Avvio\Programmi\Esecuzione automatica = tkwebl.exe

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
hp center.lnk = hp center.lnk
hp psc 1000 series.lnk = hp psc 1000 series.lnk
hpoddt01.exe.lnk = hpoddt01.exe.lnk
Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.11 ----




Per quanto riguarda il log del rootkit, qui invece ho riscontrato un problema. Per ben due volte dopo aver esaminato i file di registro, ad un certo punto dell'esame dei documenti in C (non so se c'entri..) mi da errore e si blocca. Quindi al momento posto il log di quello che son riuscito a fare, non sapevo cosa altro fare. In caso dimmi cosa fare:

GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-22 13:41:53
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT d347bus.sys ZwClose
SSDT d347bus.sys ZwCreateKey
SSDT d347bus.sys ZwCreatePagingFile
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT d347bus.sys ZwEnumerateKey
SSDT d347bus.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT d347bus.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT d347bus.sys ZwQueryKey
SSDT d347bus.sys ZwQueryValueKey
SSDT d347bus.sys ZwSetSystemPowerState
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory

---- Devices - GMER 1.0.11 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 82AFB538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 827681A0
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F8A5785A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8A5785A] avgtdi.sys
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 82804750
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 82804750
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 828A46C8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 82804750
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 82804750
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE_NAMED_PIPE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CLOSE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_READ 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_WRITE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_EA 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_EA 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_FLUSH_BUFFERS 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_VOLUME_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_VOLUME_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DIRECTORY_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_FILE_SYSTEM_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DEVICE_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SHUTDOWN 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_LOCK_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CLEANUP 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE_MAILSLOT 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_SECURITY 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_SECURITY 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_POWER 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SYSTEM_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_DEVICE_CHANGE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_QUERY_QUOTA 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SET_QUOTA 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_PNP 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 827F3008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_NAMED_PIPE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_READ 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_WRITE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_EA 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_EA 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FLUSH_BUFFERS 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_VOLUME_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DIRECTORY_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FILE_SYSTEM_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_LOCK_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLEANUP 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_MAILSLOT 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_SECURITY 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_SECURITY 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CHANGE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_QUOTA 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_QUOTA 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 827F3008
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CREATE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CREATE_NAMED_PIPE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CLOSE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_READ 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_WRITE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_QUERY_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SET_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_QUERY_EA 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SET_EA 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_FLUSH_BUFFERS 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_QUERY_VOLUME_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SET_VOLUME_INFORMATION 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_DIRECTORY_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_FILE_SYSTEM_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_DEVICE_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_INTERNAL_DEVICE_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SHUTDOWN 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_LOCK_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CLEANUP 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CREATE_MAILSLOT 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_QUERY_SECURITY 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SET_SECURITY 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_POWER 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SYSTEM_CONTROL 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_DEVICE_CHANGE 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_QUERY_QUOTA 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SET_QUOTA 827F3008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_PNP 827F3008
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_NAMED_PIPE 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_INFORMATION 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_INFORMATION 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_EA 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_EA 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_VOLUME_INFORMATION 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_VOLUME_INFORMATION 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DIRECTORY_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FILE_SYSTEM_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_LOCK_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLEANUP 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_MAILSLOT 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_SECURITY 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_SECURITY 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CHANGE 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_QUOTA 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_QUOTA 82804750
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 82804750
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 825869C0
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8A5785A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8A5785A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F8A5785A] avgtdi.sys
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_CREATE [F7986220] wpsdrvnt.sys
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_CLOSE [F7986480] wpsdrvnt.sys
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_DEVICE_CONTROL [F79865A0] wpsdrvnt.sys
Device \Driver\SYMTDI \Device\SymTDI IRP_MJ_INTERNAL_DEVICE_CONTROL [F79865D0] wpsdrvnt.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 827B7718
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 827B7718
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 8262CE18
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 826FA888
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CLOSE 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_READ 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_WRITE 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_INFORMATION 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_EA 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_EA 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CLEANUP 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_SECURITY 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_POWER 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_QUOTA 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_PNP 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_NAMED_PIPE 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLOSE 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_READ 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_WRITE 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_INFORMATION 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_INFORMATION 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_EA 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_EA 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FLUSH_BUFFERS 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_VOLUME_INFORMATION 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_VOLUME_INFORMATION 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DIRECTORY_CONTROL 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FILE_SYSTEM_CONTROL 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CONTROL 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SHUTDOWN 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_LOCK_CONTROL 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLEANUP 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_MAILSLOT 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_SECURITY 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_SECURITY 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_POWER 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SYSTEM_CONTROL 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CHANGE 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_QUOTA 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_QUOTA 82A91188
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_PNP 82A91188
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 827681A0
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 826A2850
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 826A2850
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 826A2850
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 826A2850
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 826A2850
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 82752698

---- Modules - GMER 1.0.11 ----

Module _________ F83E2000

---- Processes - GMER 1.0.11 ----

Process System (*** hidden *** ) [4] 82AE07F8
Process csrss.exe (*** hidden *** ) [580] 824DCDA0
Process winlogon.exe (*** hidden *** ) [608] 8238EDA0
Process services.exe (*** hidden *** ) [652] 826C3C30
Process lsass.exe (*** hidden *** ) [664] 8278EDA0
Process svchost.exe (*** hidden *** ) [808] 825CB1D0
Process svchost.exe (*** hidden *** ) [864] 8258F228
Process svchost.exe (*** hidden *** ) [900] 8263D710
Process Smc.exe (*** hidden *** ) [944] 825C7408
Process svchost.exe (*** hidden *** ) [1208] 825BFDA0
Process avgamsvr.exe (*** hidden *** ) [1600] 825AA020
Process avgemc.exe (*** hidden *** ) [1652] 8259FC30
Process nvsvc32.exe (*** hidden *** ) [1776] 82673398

---- Files - GMER 1.0.11 ----

ADS ...


Infine, ultimo dubbio. Io dentro C:/documents and settings/ ho queste 3 cartelle: Administrator (creazione giovedì 18 agosto 2005, 13.17.20), All Users (mercoledì 1 gennaio 2003, 17.59.40) e Proprietario (mercoledì 1 gennaio 2003, 18.12.58). Va bene così o devo metterti il nome delle sottocartelle di queste 3 principali?
Grazie mille ancora, aspetto le tue indicazioni Smile
Top
Profilo Invia messaggio privato
holifay
Dio maturo
Dio maturo


Registrato: 08/03/05 10:48
Messaggi: 2912
Residenza: Milano
MessaggioInviato: 23 Set 2006 17:09    Oggetto: Rispondi citando
Scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
Decomprimi l'archivio

Avvia il file avenger.exe
Seleziona l'opzione Input Script Manually
Clicca sulla lente di ingrandimento

Ti si apre una finestra View/edit script
All'interno del box bianco,copia e incolla le scritte in rosso:

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\WinVbc
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fkcc1.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

files to delete:
C:\WINDOWS\system32\jkaa.dll
C:\WINDOWS\system32\jkaa.upd
C:\Programmi\Windows NT\prn.exe
C:\WINDOWS\service32.exe
C:\WINDOWS\syst32.dll
C:\WINDOWS\syshost.dll

folders to delete:
C:\windows\temp


Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente

Al termine posta un nuovo log di HijackThis e il contenuto del file C:/avenger.txt

Ciao
Top
Profilo Invia messaggio privato
Scotch
Eroe
Eroe


Registrato: 22/09/06 10:51
Messaggi: 47
MessaggioInviato: 25 Set 2006 12:39    Oggetto: Rispondi citando
Allora, nuovo log hijack:


Logfile of HijackThis v1.99.1
Scan saved at 12.35.10, on 25/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Documents and Settings\Proprietario\Menu Avvio\Programmi\Esecuzione automatica\tkwebl.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\MSN Apps\Updater\01.02.3000.1001\it\msnappau.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Proprietario\Documenti\Lancio Programmi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {2a6af021-17a2-4014-8624-cf6015f82fad} - C:\WINDOWS\system32\jkaa.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmi\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Apps\MSN Toolbar\01.02.4000.1001\it\msntb.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [fkcc1.exe] C:\WINDOWS\TEMP\fkcc1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: tkwebl.exe
O4 - Global Startup: hp center.lnk = C:\Programmi\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{602AAC4C-6568-4BC9-B55C-E36394EFF4B5}: NameServer = 85.37.17.6 85.38.28.89
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NetZqm - Unknown owner - \\?\C:\Programmi\Windows NT\com4.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Programmi\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe



E qui il log di avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wwudujxb

*******************

Script file located at: \??\C:\WINDOWS\system32\nnajgnmf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\WinVbc deleted successfully.
File C:\WINDOWS\system32\jkaa.dll deleted successfully.


File C:\WINDOWS\system32\jkaa.upd not found!
Deletion of file C:\WINDOWS\system32\jkaa.upd failed!

Could not process line:
C:\WINDOWS\system32\jkaa.upd
Status: 0xc0000034

File C:\Programmi\Windows NT\prn.exe deleted successfully.


File C:\WINDOWS\service32.exe not found!
Deletion of file C:\WINDOWS\service32.exe failed!

Could not process line:
C:\WINDOWS\service32.exe
Status: 0xc0000034

File C:\WINDOWS\syst32.dll deleted successfully.


File C:\WINDOWS\syshost.dll not found!
Deletion of file C:\WINDOWS\syshost.dll failed!

Could not process line:
C:\WINDOWS\syshost.dll
Status: 0xc0000034

Folder C:\windows\temp deleted successfully.


Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fkcc1.exe not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\fkcc1.exe failed!
Status: 0xc0000034



Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 failed!
Status: 0xc0000034

Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Mentre ti ringrazio ancora una volta per la tua gentilezza, aspetto indicazioni sul da farsi Confused
Top
Profilo Invia messaggio privato
holifay
Dio maturo
Dio maturo


Registrato: 08/03/05 10:48
Messaggi: 2912
Residenza: Milano
MessaggioInviato: 25 Set 2006 14:39    Oggetto: Rispondi citando
Bene, è rimasto solo qualche residuo. Usa sempre Avenger e incollaci questo script:


Citazione:

registry keys to delete:
HKLM\\SYSTEM\\CurrentControlSet\\Services\\NetZqm
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run

files to delete:
C:\\Programmi\\Windows NT\\com4.exe



Avvia HijackThis, poi chiudi tutte le finestre lasciando aperto solo HijackThis. Clicca Do a System

Scan only, metti un segno di spunta sulla casella accanto a queste voci (se ancora esistenti) e al

temine premi Fix checked
Citazione:
O2 - BHO: (no name) - {2a6af021-17a2-4014-8624-cf6015f82fad} -

C:\\WINDOWS\\system32\\jkaa.dll


Adesso il PC dovrebbe essere a posto Rolling Eyes ma probabilmente ci sarà qualche residuo, anche se inattivo.

Fai un paio di scansioni online:
Sy

mantec
Kaspersky

Ciao Smile
Top
Profilo Invia messaggio privato
holifay
Dio maturo
Dio maturo


Registrato: 08/03/05 10:48
Messaggi: 2912
Residenza: Milano
MessaggioInviato: 25 Set 2006 14:39    Oggetto: Rispondi citando
Bene, è rimasto solo qualche residuo. Usa sempre Avenger e incollaci questo script:


Citazione:

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\NetZqm
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

files to delete:
C:\Programmi\Windows NT\com4.exe



Avvia HijackThis, poi chiudi tutte le finestre lasciando aperto solo HijackThis. Clicca Do a System Scan only, metti un segno di spunta sulla casella accanto a queste voci (se ancora esistenti) e al temine premi Fix checked
Citazione:
O2 - BHO: (no name) - {2a6af021-17a2-4014-8624-cf6015f82fad} - C:\WINDOWS\system32\jkaa.dll


Adesso il PC dovrebbe essere a posto Rolling Eyes ma probabilmente ci sarà qualche residuo, anche se inattivo. Fai un paio di scansioni online:
Symantec
Kaspersky

Ciao Smile
Top
Profilo Invia messaggio privato
Scotch
Eroe
Eroe


Registrato: 22/09/06 10:51
Messaggi: 47
MessaggioInviato: 26 Set 2006 11:27    Oggetto: Rispondi
Ciao, ho fatto quanto hai detto e volevo ringraziarti per la gentilezza e disponibilità.
Ho fatto una scansione con Panda e mi ha disinfettato 25 virus.. ^^''
Spero che ora il pc vada meglio.
Grazie ancora di tutto!! Smile
Top
Profilo Invia messaggio privato
Mostra prima i messaggi di:   
Nuovo argomento   Rispondi    Indice del forum -> Pronto Soccorso Virus Tutti i fusi orari sono GMT + 2 ore
Pagina 1 di 1

 
Vai a:  
Non puoi inserire nuovi argomenti
Non puoi rispondere a nessun argomento
Non puoi modificare i tuoi messaggi
Non puoi cancellare i tuoi messaggi
Non puoi votare nei sondaggi