Olimpo Informatico

[Paolo333]

Questa discussione proviene da qui
http://forum.zeusnews.com/viewtopic.php?t=17621

Lo stesso vale anche per me

AVG lo rileva ad ogni start up. Lo rimuovi e si ripresenta
Ho provato anche in modalità provvisoria, ma è la stessa cosa

Forse ho in più una traccia. Attraverso RegCleaner mi compare un nuovo software definito come 9F65E3H10M, che non so cosa sia e non lo trovo da nessuna parte

Lo cancello, ma ricompare ad ogni riavvio...

Ho anche Norton e ho provato una scansione anche con Kaspersky dopo aver disabilitato gli altri antivirus, ma nessuno dei due lo rileva

...hhhmmm ho anche Reanimator di RegRun, ma non trova niente

Anche con AD-Aware e SuperAntispyware nessuna traccia

Comunque sembra proprio un dialer perchè qualche volta mi appare una finestra di dialogo che mi chiede la connessione

Mah, il computer funziona bene (sistema operativo Windows 2000), più che altro vorrei sapere cosa in concreto può fare

Grazie

[Paolo333]

Ecco cosa compare quando solo cerco di accedere a "sys32.dll"

[Paolo333]

Davvero notevole!

Il virus è scomparso, non si trova più. (almeno non viene più segnalato da AVG)

Ho seguito la tue istruzioni, eliminando syst32.dll e service32.exe.

cnv4_minid.exe invece, non risulta presente

Ecco i risultati delle scansioni che hai richiesto:

Panda ha trovato un infinità di cose....

[size=7]

[holifay]

@paolo333: hehe, due piccioni con una fava

le mie istruzioni erano per STERNATIVOCOSIMO, non avevo fatto caso al tuo post. Era meglio se aprivi un topic tutto tuo, ma mi fa piacere che le istruzioni per lui siano servite anche a te.

Solo che prima di procedere con Panda, vorrei vedere il tuo log di Hijackthis per capire se quello che trova sono residui o adware ancora presenti. Me lo posteresti?

[Paolo333]

Questo è il log di hijackthis dopo lo scan on line di Panda

...hhhhmmm, non è per caso che mi devo seriamente preoccupare di quello che ha trovato Panda?

Grazie

Citazione:

Logfile of HijackThis v1.99.1 Scan saved at 11:46:57 PM, on 9/17/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe C:\Programmi\Norton Internet Security\NISUM.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Programmi\Norton Internet Security\ccPxySvc.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\mgabg.exe C:\Programmi\Norton AntiVirus\navapsvc.exe C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\Ati2evxx.exe c:\winnt\delldsk.exe C:\WINNT\Explorer.EXE C:\WINNT\soundman.exe C:\Programmi\File comuni\Symantec Shared\ccApp.exe C:\WINNT\system32\Linksts.exe C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programmi\ATI Technologies\ATI.ACE\cli.exe C:\Programmi\D4\D4.exe C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\PROGRA~1\Alice\ALICEE~1\app\EnterNet.exe C:\Programmi\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Max1\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.tiscali.it/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti R3 - Default URLSearchHook is missing F2 - REG:system.ini: UserInit=c:\winnt\system32\userinit.exe,"c:\winnt\delldsk.exe", O2 - BHO: Class - {4F68401B-D078-D8BA-B721-16F30A8402E6} - C:\WINNT\cscil1.dll (file missing) O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [SoundMan] soundman.exe O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024 O4 - HKLM\..\Run: [Microsoft Explorer] msl.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [Update] C:\Programmi\AntiVir PersonalEdition Classic\preupd.exe /CALLSCHEDULER /DM="0" /CALLSCHEDULER O4 - HKLM\..\Run: [Dimension4] C:\Programmi\D4\D4.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\RunServices: [Microsoft Explorer] msl.exe O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe O8 - Extra context menu item: &Cerca con Google - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Traduci parola in italiano - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Link a ritroso - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Pagine simili - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Versione cache della pagina - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122736782765 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://esignaltraining.webex.com/client/v_mywebex/webex/ieatgpc.cab O16 - DPF: {E84D31FB-302A-4F6D-86F7-94A685E9672B} (CQGGUID.GUIDGenerator) - https://www.cqgtrader.com/Global/CQGGUID.CAB O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4784/mcfscan.cab O16 - DPF: {F5BC716E-2650-4B08-9235-C110CF95017F} (Connessione Tiscali) - http://selfcare.tiscali.it/scripts/oneclick/ConnessioneTiscali.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\ccPxySvc.exe O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programmi\Norton Internet Security\NISUM.EXE O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe O23 - Service: WebPkh - Unknown owner - \\?\C:\Programmi\File comuni\System\com1.exe (file missing)

[holifay]

sì, io mi preoccuperei, soprattutto se usi il PC per operazioni di borsa

Allora. per prima cosa cerca questi file e mettili in un file zip che manderai a www.suspectfile.com (con la nota per holifay) questi file:

c:/winnt/delldsk.exe
msl.exe (probabilmente in c:/winnt o c:/winnt/system32)

Poi scarica questo tool http://www.prevx.com/gromozon.asp
Avvialo e segui le istruzioni, al termine ti salverà il log in c:/gromozon_removal.log

Dopo che lo hai usato, apri una finestra di DOS (premi start, esegui, digita CMD e premi invio) e al suo interno scrivi in successione:
sc stop WebPkh
sc delete WebPkh


Poi apri HijackThis, chiudi tutte le applicazioni e le finestre, fai una scansione ed elimina queste voci:

[Paolo333]

Ho trovato solo delldsk.exe, ma quando cerco di inviarlo o trascinarlo all'interno di WinZip, mi appare il seguente messaggio: WinZip encountered problems during this operation. Would you like to see WinZip'slog file?

se gli do il comando yes appare una finestra WIEW LAST OUTPUT con all'interno scritoo:
Action: Add (and replace) files Include subfolders: no Save full path: no
Include system and hidden files: yes
Adding DellDsk.exe
Warning: could not open for reading: C:/WINNT/DellDsk.exe
copying Zip file

cosa devo fare?

[chemicalbit]

vuol dire che il programma che WinZip usa per creare il file zi, non riesce ad accedere al file delldsk.exe per leggerlo.

(penso sia una protezione del malaware per evitare di essere analizzato da antivirus e simili. E che il malaware quando ha bisogno di accedere a quel file, lo faccia in un modo non standard che non è bloccato).

Prova a creare il file zip da modalità provvisoria.

[Paolo333]

Grazie del suggerimento, però prima di andare in modalità provvisoria, visto mi sono stati indicati due file, vorrei trovare msl.exe che tra l'altro attraverso la scansione con hijackthis risulta presente O4 - HKLM\..\Run: [Microsoft Explorer] msl.exe

come lo trovo?

[chemicalbit]

Hai abilitato
panello di controllo -> (eventuale categoria) ->opzioni carella
(oppureanche da una qualsiasi cartella in gestioen risorse o simili: menù strumenti -> opzioni cartella)

nella finestre alla che ti si apre: scheda visulizzazione -> impostazioni avanzate ->
1) cartelle e file nascosti -> scegli "visualizza cartelle e file nascosti"
2) un po' più sotto "Nascondi i file protetti di sistema (consigliato)" -> togli il segno di spunta.
3) già che ci sei, subito sotto "nascondi le estensioni per i tipi di file conosciuti"-> togli il segno di spunta. (questo può essere utile per evitare "sviste" che certi virus possono causare usando nomi di file ingannevoli)

Se non lo vedi neppure così, lascia le impostazioni di visualizzazione file come ho detto, e riparti in modalità provvisoria
(potrebbe essere il malawere stesso che "nasconde" i file, e magari in modlaità provviroria il malaware non è caricato in memoria).

[Paolo333]

Ho seguito le tue indicazioni, ma anche in modalità provvisoria non riesco a zippare delldsk.exe per gli stessi motivi sopraelencati e non trovo msl.exe

Inoltre ho provato ad eseguire il comando in DOS ma non lo riconosce




[/img]

[holifay]

ah, giusto... hai W2k. Non sto a farti scaricare sc.exe, vai avanti con la procedura, non è essenziale.

Il file delldsk.exe prova a zipparlo dopo aver terminato il processo dal task manager.

[Paolo333]

Sì, chiudendo il processo sul Task Manager sono riuscito a zippare il file
Non riesco a trovare msl.exe

In modalita provvisoria sono riuscito ad eliminare dell.dsk, che nel frattempo aveva cambiato icona (con una "e" di explorer)

ecco i log che mi hai richiesto:

mi sembra che O4 - HKLM\..\Run: [Microsoft Explorer] msl.exe ci sia ancora

Comunque prvx/gromozon, mi ha eliminato i fastidiosi pop up di Google, inoltre le finestre di explorer ora si aprono più velocemente

Siete veramente bravi

Citazione:

Logfile of HijackThis v1.99.1 Scan saved at 2:53:04 PM, on 9/18/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe C:\Programmi\Norton Internet Security\NISUM.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Programmi\Norton Internet Security\ccPxySvc.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\mgabg.exe C:\Programmi\Norton AntiVirus\navapsvc.exe C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\soundman.exe C:\Programmi\File comuni\Symantec Shared\ccApp.exe C:\WINNT\system32\Linksts.exe C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programmi\ATI Technologies\ATI.ACE\cli.exe C:\Programmi\D4\D4.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\Documents and Settings\Max1\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.tiscali.it/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [SoundMan] soundman.exe O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024 O4 - HKLM\..\Run: [Microsoft Explorer] msl.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [Update] C:\Programmi\AntiVir PersonalEdition Classic\preupd.exe /CALLSCHEDULER /DM="0" /CALLSCHEDULER O4 - HKLM\..\Run: [Dimension4] C:\Programmi\D4\D4.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe O8 - Extra context menu item: &Cerca con Google - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Traduci parola in italiano - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Link a ritroso - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Pagine simili - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Versione cache della pagina - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122736782765 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://esignaltraining.webex.com/client/v_mywebex/webex/ieatgpc.cab O16 - DPF: {E84D31FB-302A-4F6D-86F7-94A685E9672B} (CQGGUID.GUIDGenerator) - https://www.cqgtrader.com/Global/CQGGUID.CAB O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4784/mcfscan.cab O16 - DPF: {F5BC716E-2650-4B08-9235-C110CF95017F} (Connessione Tiscali) - http://selfcare.tiscali.it/scripts/oneclick/ConnessioneTiscali.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\ccPxySvc.exe O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programmi\Norton Internet Security\NISUM.EXE O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

Citazione:

Removal tool loaded into memory ------------------------------------ Executing rootkit removal engine.... ------------------------------------ Disabling rootkit file: \\?\C:\WINNT\system32\lpt3.ksa Resetting file permissions... Clearing attributes... Impossibile trovare il file - C:\_cleaned.tmp Removing file... Rootkit removed! Cleaning up... Removing temp files... Scanning: C:\WINNT Gromozon-Related Malicious Code Detected! FileName: C:\WINNT\12.tmp Removed! Gromozon-Related Malicious Code Detected! FileName: C:\WINNT\cscil1.dll Removed! Trojan.Gromozon Removed!

[holifay]

Bene, ma non abbiamo ancora finito

Grazie per aver inviato il file. Trovi le analisi qui:
http://www.suspectfile.com/forum/viewtopic.php?t=347

Al momento è riconosciuto da ben pochi, tra cui Panda per cui conviene fare una scansione online.

Scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
Decomprimi l'archivio

Avvia il file avenger.exe
Seleziona l'opzione Input Script Manually
Clicca sulla lente di ingrandimento

Ti si apre una finestra View/edit script
All'interno del box bianco,copia e incolla le scritte in rosso:

registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer

Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente

Adesso scarica sul desktop GMER http://www.gmer.net/gmer.zip
decomprimi sul desktop il file gmer.zip.
Esegui gmer.exe
Clicca sul Tab Rootkit
Clicca su Scan
finita la scansione clicca su Copy
Apri il Blocco Note incolla il risultato (CTRL+V)
Salva il file(rootkit.txt)

Esegui gmer.exe
Clicca sul Tab Autostart
Spunta la casella Show All
Clicca su Scan
finita la scansione clicca su Copy
Apri il Blocco Note incolla il risultato (CTRL+V)
Salva il file(autostart.txt)

Collegati al sito di panda e fai una scansione online (disattiva temporaneament il tuo AV). Al termine clicca su see report e salva il log.

posta i seguenti logs:

avenger.txt (salvato da avenger)
rootkit.txt (da GMER)
autostart.txt (da GMER)
log di Panda
nuovo log di hijackthis

[Paolo333]

AIUTO!!

Sono statto attaccato da tre Trojan mentre stavo facendo lo scanner con Panda

Due sono Trojan Horse Download Generic2.NUA
- aws32.exe
- aw1.exe

rilevati da AVG e poi:

Trojan Horse Lpt3.ksa rilevato da Norton

l'attacco proveniva da MSRC SrvSvc Net Api Buffer Overflow (2)

sono andato in modalità provvisoria ma non sono riuscito a rimuoverli

Ora il mio PC funziona male e al riavvio mi appare un messaggio di windows che mi avvisa che il mio PC è infetto e mi consiglia di effettuare una scansione online presso un sito che in questo momento non ricordo...

Allego anche i log richiesti e attendo un aiuto, grazie

Citazione:

Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\nhwcpgsw ******************* Script file located at: \??\C:\iljdoblg.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer not found! Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer failed! Status: 0xc0000034 Completed script processing. ******************* Finished! Terminate.

Citazione:

GMER 1.0.11.11349 - http://www.gmer.net Rootkit 2006-09-18 19:24:06 Windows 5.0.2195 Service Pack 4 ---- System - GMER 1.0.11 ---- SSDT 81C84BA8 ZwConnectPort ---- Devices - GMER 1.0.11 ---- Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EB97A85A] avgtdi.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB97A85A] avgtdi.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB97A85A] avgtdi.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB97A85A] avgtdi.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [EB97A85A] avgtdi.sys ---- Processes - GMER 1.0.11 ---- Process svchost.exe (*** hidden *** ) [1140] 816B8020 Process services.exe (*** hidden *** ) [288] 817D2B00 Process svchost.exe (*** hidden *** ) [776] 81730580 Process avgamsvr.exe (*** hidden *** ) [696] 81748D60 Process lsass.exe (*** hidden *** ) [300] 817CF200 Process pppoeservice.ex (*** hidden *** ) [972] 816EB580 Process WinMgmt.exe (*** hidden *** ) [1832] 814D1020 Process System (*** hidden *** ) [8] 8203F8E0 Process csrss.exe (*** hidden *** ) [240] 819EBAE0 Process winlogon.exe (*** hidden *** ) [232] 817E2020 Process navapsvc.exe (*** hidden *** ) [852] 8170F620 Process avgemc.exe (*** hidden *** ) [748] 8173AD60 Process ccPxySvc.exe (*** hidden *** ) [760] 817349A0 Process EnterNet.exe (*** hidden *** ) [1980] 81455D60 Process smss.exe (*** hidden *** ) [220] 81A0D2C0 Process Ati2evxx.exe (*** hidden *** ) [412] 817AF8E0 Process svchost.exe (*** hidden *** ) [496] 8179A800 Process spoolsv.exe (*** hidden *** ) [524] 8178BD60 Process NISUM.EXE (*** hidden *** ) [568] 8177F020 Process ccEvtMgr.exe (*** hidden *** ) [552] 81788160 Process avgupsvc.exe (*** hidden *** ) [728] 8174B020 Process MSTask.exe (*** hidden *** ) [1008] 816DA020 Process svchost.exe (*** hidden *** ) [1152] 816B3D60 Process regsvc.exe (*** hidden *** ) [988] 816E5D20 Process Ati2evxx.exe (*** hidden *** ) [512] 815DCD60 Process mgabg.exe (*** hidden *** ) [828] 8171D7A0 ---- EOF - GMER 1.0.11 ----

Citazione:

GMER 1.0.11.11349 - http://www.gmer.net Autostart 2006-09-18 19:26:42 Windows 5.0.2195 Service Pack 4 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = autocheck autochk * /*file not found*/ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 HKLM\SYSTEM\CurrentControlSet\Control\WOW@cmdline = %SystemRoot%\system32\ntvdm.exe HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>> @UserinitC:\WINNT\SYSTEM32\Userinit.exe, = C:\WINNT\SYSTEM32\Userinit.exe, @ShellExplorer.exe = Explorer.exe @System = HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>> AtiExtEvent@DLLName = Ati2evxx.dll crypt32chain@DLLName = crypt32.dll cryptnet@DLLName = cryptnet.dll cscdll@DLLName = cscdll.dll sclgntfy@DLLName = sclgntfy.dll SensLogn@DLLName = WlNotify.dll wzcnotif@DLLName = wzcdlg.dll HKLM\SYSTEM\CurrentControlSet\Services\ >>> Alerter /*Avvisi*/@ = %SystemRoot%\System32\services.exe Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe ATI Smart /*ATI Smart*/@ = C:\WINNT\system32\ati2sgag.exe Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe BITS /*Servizio trasferimento intelligente in background*/@ = %SystemRoot%\System32\svchost.exe -k BITSgroup Browser /*Browser di computer*/@ = %SystemRoot%\System32\services.exe ccEvtMgr /*Symantec Event Manager*/@ = "C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe" ccPxySvc /*Symantec Proxy Service*/@ = C:\Programmi\Norton Internet Security\ccPxySvc.exe Dhcp /*Client DHCP*/@ = %SystemRoot%\System32\services.exe dmserver /*Gestione disco logico*/@ = %SystemRoot%\System32\services.exe Dnscache /*Client DNS*/@ = %SystemRoot%\System32\services.exe Eventlog /*Registro eventi*/@ = %SystemRoot%\system32\services.exe lanmanserver /*Server*/@ = %SystemRoot%\System32\services.exe lanmanworkstation /*Workstation*/@ = %SystemRoot%\System32\services.exe LmHosts /*Servizio guida TCP/IP NetBIOS*/@ = %SystemRoot%\System32\services.exe MGABGEXE /*MGABGEXE*/@ = %SystemRoot%\system32\mgabg.exe navapsvc /*Servizio Norton AntiVirus Auto-Protect*/@ = "C:\Programmi\Norton AntiVirus\navapsvc.exe" NISUM /*Norton Internet Security Accounts Manager*/@ = C:\Programmi\Norton Internet Security\NISUM.EXE NtmsSvc /*Gestione archivi rimovibili*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs PlugPlay /*Plug and Play*/@ = %SystemRoot%\system32\services.exe PolicyAgent /*Agente criteri IPSEC*/@ = %SystemRoot%\System32\lsass.exe PPPoEService /*PPPoE Service*/@ = C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe ProtectedStorage /*Archiviazione protetta*/@ = %SystemRoot%\system32\services.exe RemoteRegistry /*Servizio Registro di sistema remoto*/@ = %SystemRoot%\system32\regsvc.exe RpcSs /*RPC (Remote Procedure Call)*/@ = %SystemRoot%\system32\svchost -k rpcss SamSs /*Gestione protezione account*/@ = %SystemRoot%\system32\lsass.exe SBService /*ScriptBlocking Service*/@ = C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\system32\MSTask.exe seclogon /*Servizio RunAs*/@ = %SystemRoot%\system32\services.exe SENS /*Notifica eventi di sistema*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe SymWSC /*SymWMI Service*/@ = C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe TrkWks /*Manutenzione collegamenti distribuiti client*/@ = %SystemRoot%\system32\services.exe wuauserv /*Aggiornamenti automatici*/@ = %systemroot%\system32\svchost.exe -k wugroup HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>> @SoundMansoundman.exe = soundman.exe @ccApp"C:\Programmi\File comuni\Symantec Shared\ccApp.exe" = "C:\Programmi\File comuni\Symantec Shared\ccApp.exe" @ccRegVfy"C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe" = "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe" @ISDN MonitorLinksts.exe W 1024 = Linksts.exe W 1024 @Microsoft Explorermsl.exe /*file not found*/ = msl.exe /*file not found*/ @Symantec NetDriver MonitorC:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer @SSC_UserPromptC:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe = C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe @ATIPTAC:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe @ATICCC"C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime = "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime @UpdateC:\Programmi\AntiVir PersonalEdition Classic\preupd.exe /CALLSCHEDULER /DM="0" /CALLSCHEDULER /*file not found*/ = C:\Programmi\AntiVir PersonalEdition Classic\preupd.exe /CALLSCHEDULER /DM="0" /CALLSCHEDULER /*file not found*/ @Dimension4C:\Programmi\D4\D4.exe = C:\Programmi\D4\D4.exe @AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run >>> @delldsk"c:\winnt\delldsk.exe" /*file not found*/ = "c:\winnt\delldsk.exe" /*file not found*/ @1C:\WINNT\service32.exe /*file not found*/ = C:\WINNT\service32.exe /*file not found*/ HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>> @Network.ConnectionTrayC:\WINNT\system32\NETSHELL.dll = C:\WINNT\system32\NETSHELL.dll @WebCheck%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll @SysTraystobject.dll = stobject.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler >>> @{438755C2-A8BA-11D1-B96B-00A0C90312E1}%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{8C7461EF-2B13-11d2-BE35-3078302C2030}%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll HKLM\Software\Classes\Folder\shell\open\command@ = %SystemRoot%\Explorer.exe /idlist,%I,%L HKLM\Software\Classes\Folder\shell\explore\command@ = %SystemRoot%\Explorer.exe /e,/idlist,%I,%L HKLM\Software\Classes\ >>> .exe@ = "%1" %* .com@ = "%1" %* .cmd@ = "%1" %* .bat@ = "%1" %* .pif@ = "%1" %* .scr@ = "%1" /s .hta@ = C:\WINNT\System32\mshta.exe "%1" %* HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{AEB6717E-7E19-11d0-97EE-00C04FD91972} = shell32.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>> @{00022613-0000-0000-C000-000000000046} /*Proprietà dei file Multimedia*/mmsys.cpl = mmsys.cpl @{176d6597-26d3-11d1-b350-080036a75b03} /*Gestore scanner ICM*/icmui.dll = icmui.dll @{1F2E5C40-9550-11CE-99D2-00AA006E086C} /*Pagina di protezione NTFS*/rshx32.dll = rshx32.dll @{3EA48300-8CF6-101B-84FB-666CCB9BCD32} /*Pagina di proprietà di Docfile OLE*/docprop.dll = docprop.dll @{40dd6e20-7c17-11ce-a804-00aa003ca9f6} /*Estensioni shell per la condivisione*/ntshrui.dll = ntshrui.dll @{41E300E0-78B6-11ce-849B-444553540000} /*Estensione CPL PlusPack*/plustab.dll = plustab.dll @{42071712-76d4-11d1-8b24-00a0c9068ff3} /*Estensione scheda video del Pannello di controllo*/deskadp.dll = deskadp.dll @{42071713-76d4-11d1-8b24-00a0c9068ff3} /*Estensione monitor del Pannello di controllo*/deskmon.dll = deskmon.dll @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/ @{4E40F770-369C-11d0-8922-00A024AB2DBB} /*Pagina di protezione DS*/dssec.dll = dssec.dll @{56117100-C0CD-101B-81E2-00AA004AE837} /*Gestore dati dei ritagli di shell*/shscrap.dll = shscrap.dll @{59099400-57FF-11CE-BD94-0020AF85B590} /*Estensione copia dischi*/diskcopy.dll = diskcopy.dll @{59be4990-f85c-11ce-aff7-00aa003ca9f6} /*Estensioni shell per oggetti Rete Microsoft Windows*/ntlanui2.dll = ntlanui2.dll @{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*Gestore monitor ICM*/%SystemRoot%\System32\icmui.dll = %SystemRoot%\System32\icmui.dll @{675F097E-4C4D-11D0-B6C1-0800091AA605} /*Gestore stampante ICM*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll @{764BF0E1-F219-11ce-972D-00AA00A14F56} /*Estensioni shell per la compressione dei file*/(null) = @{77597368-7b15-11d0-a0c2-080036af3f03} /*Estensione shell per la stampante Web*/printui.dll = printui.dll @{7988B573-EC89-11cf-9C00-00AA00A14F56} /*Disk Quota UI*/dskquoui.dll = dskquoui.dll @{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} /*Menu di scelta rapida di crittografia*/(null) = @{85BBD920-42A0-1069-A2E4-08002B30309D} /*Sincronia file*/syncui.dll = syncui.dll @{88895560-9AA2-1069-930E-00AA0030EBC8} /*Estensione di icona di HyperTerminal*/C:\WINNT\System32\hticons.dll = C:\WINNT\System32\hticons.dll @{BD84B380-8CA2-1069-AB1D-08000948F534} /*Fonts*/fontext.dll = fontext.dll @{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*Profilo ICC*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll @{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} /*Pagina di protezione della stampante*/rshx32.dll = rshx32.dll @{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} /*Estensioni shell per la condivisione*/ntshrui.dll = ntshrui.dll @{f92e8c40-3d33-11d2-b1aa-080036a75b03} /*Display TroubleShoot CPL Extension*/deskperf.dll = deskperf.dll @{60254CA5-953B-11CF-8C96-00AA00B8708C} /*Estensioni di shell per Windows Script Host*/C:\WINNT\system32\wshext.dll = C:\WINNT\system32\wshext.dll @{7444C717-39BF-11D1-8CD9-00C04FC29D45} /*Estensione Crypto PKO*/C:\WINNT\system32\cryptext.dll = C:\WINNT\system32\cryptext.dll @{7444C719-39BF-11D1-8CD9-00C04FC29D45} /*Estensione firma crittografata*/C:\WINNT\system32\cryptext.dll = C:\WINNT\system32\cryptext.dll @{7007ACC7-3202-11D1-AAD2-00805FC1270E} /*Rete e connessioni remote*/C:\WINNT\system32\NETSHELL.dll = C:\WINNT\system32\NETSHELL.dll @{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Icon Handler*/C:\WINNT\System32\mstask.dll = C:\WINNT\System32\mstask.dll @{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Shell Extension*/C:\WINNT\System32\mstask.dll = C:\WINNT\System32\mstask.dll @{D6277990-4C6A-11CF-8D87-00AA0060F5BF} /*Operazioni pianificate*/C:\WINNT\System32\mstask.dll = C:\WINNT\System32\mstask.dll @{1A9BA3A0-143A-11CF-8350-444553540000} /*Cartella Preferiti*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{20D04FE0-3AEA-1069-A2D8-08002B30309D} /*Risorse del computer*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{86747AC0-42A0-1069-A2E6-08002B30309D} /*Cartella Sincronia file*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{0AFACED1-E828-11D1-9187-B532F1E9575D} /*Collegamento alla cartella*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{12518493-00B2-11d2-9FA5-9E3420524153} /*Volume installato*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{21B22460-3AEA-1069-A2DC-08002B30309D} /*Estensione pagina proprietà file*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{B091E540-83E3-11CF-A713-0020AFD79762} /*Pagina tipi di file*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{FBF23B41-E3F0-101B-8488-00AA003E56F8} /*Hook di tipi di file MIME*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{C2FBB630-2971-11d1-A18C-00C04FD75D13} /*Servizio CopyTo Microsoft*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{C2FBB631-2971-11d1-A18C-00C04FD75D13} /*Microsoft MoveTo Service*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{13709620-C279-11CE-A49E-444553540000} /*Servizio automazione della shell*/C:\WINNT\system32\shell32.dll = C:\WINNT\system32\shell32.dll @{62112AA1-EBE4-11cf-A5FB-0020AFE7292D} /*Shell Automation Folder View*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{4622AD11-FF23-11d0-8D34-00A0C90F2719} /*Menu Avvio*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{7BA4C740-9E81-11CF-99D3-00AA004AE837} /*Microsoft SendTo Service*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{D969A300-E7FF-11d0-A93B-00A0C90F2719} /*Microsoft New Object Service*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{09799AFB-AD67-11d1-ABCD-00C04FC30936} /*Apri con gestore menu di scelta rapida*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{3FC0B520-68A9-11D0-8D77-00C04FD70822} /*Mostra estensioni HTML del Pannello di controllo*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{75048700-EF1F-11D0-9888-006097DEACF9} /*ActiveDesktop*/C:\WINNT\system32\shell32.dll = C:\WINNT\system32\shell32.dll @{6D5313C0-8C62-11D1-B2CD-006097DF8C11} /*Estensione pagina proprietà Opzioni cartella*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{57651662-CE3E-11D0-8D77-00C04FC99D61} /*CmdFileIcon*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{4657278A-411B-11d2-839A-00C04FD918D0} /*Helper trascinamento selezione Shell*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{A470F8CF-A1E8-4f65-8335-227475AA5C46} /*Aggiungere l'elemento di crittografia al menu di scelta rapida in Esplora risorse*/%SystemRoot%\system32\shell32.dll = %SystemRoot%\system32\shell32.dll @{5E6AB780-7743-11CF-A12B-00AA004AE837} /*Barra degli strumenti Microsoft Internet*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{22BF0C20-6DA7-11D0-B373-00A0C9034938} /*Stato del download*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{568804CA-CBD7-11d0-9816-00C04FD91972} /*Menu Shell Folder*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{5b4dae26-b807-11d0-9815-00c04fd91972} /*Menu Band*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{8278F931-2A3E-11d2-838F-00C04FD918D0} /*Tracking Shell Menu*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{E13EF4E4-D2F2-11d0-9816-00C04FD91972} /*Menu Site*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{ECD4FC4F-521C-11D0-B792-00A0C90312E1} /*Menu Desk Bar*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{91EA3F8B-C99B-11d0-9815-00C04FD91972} /*Shell Folder accresciuto*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{6413BA2C-B461-11d1-A18A-080036B11A03} /*Shell Folder 2 accresciuto*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{F61FFEC1-754F-11d0-80CA-00AA005B4383} /*BandProxy*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{D82BE2B0-5764-11D0-A96E-00C04FD705A2} /*IShellFolderBand*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{7BA4C742-9E81-11CF-99D3-00AA004AE837} /*Microsoft BrowserBand*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{30D02401-6A81-11d0-8274-00C04FD5AE38} /*SearchBand*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{169A0691-8DF9-11d1-A1C4-00C04FD75D13} /*Ricerca all'interno*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{07798131-AF23-11d1-9111-00A0C98BA67D} /*Ricerca Web*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{0E5CBF21-D15F-11d0-8301-00AA005B4383} /*Co&llegamenti*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{AF4F6510-F982-11d0-8595-00AA004CD6D8} /*Utilità opzioni della struttura del Registro di sistema*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{01E04581-4EEE-11d0-BFE9-00AA005B4383} /*&Indirizzo*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{A08C11D2-A228-11d0-825B-00AA005B4383} /*Address EditBox*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{00BB2763-6A77-11D0-A535-00C04FD7D062} /*Completamento automatico Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{7487cd30-f71a-11d0-9ea7-00805f714772} /*Immagine di anteprima*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{7376D660-C583-11d0-A3A5-00C04FD706EC} /*TridentImageExtractor*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{6756A641-DE71-11d0-831B-00AA005B4383} /*Elenco di Completamento automatico MRU*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{00BB2764-6A77-11D0-A535-00C04FD7D062} /*Elenco di Completamento automatico della Cronologia di Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{03C036F1-A186-11D0-824A-00AA005B4383} /*Elenco di Completamento automatico di Shell Folder di Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{00BB2765-6A77-11D0-A535-00C04FD7D062} /*Contenitore dell'elenco di Completamento automatico multiplo Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{ECD4FC4E-521C-11D0-B792-00A0C90312E1} /*Shell Band Site Menu*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} /*Shell DeskBarApp*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{ECD4FC4C-521C-11D0-B792-00A0C90312E1} /*Shell DeskBar*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{ECD4FC4D-521C-11D0-B792-00A0C90312E1} /*Shell Rebar BandSite*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{DD313E04-FEFF-11d1-8ECD-0000F87A470C} /*Assistenza utente*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} /*Impostazioni cartella globale*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{EFA24E61-B078-11d0-89E4-00C04FC9E26E} /*Favorites Band*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{0A89A860-D7B1-11CE-8350-444553540000} /*Shell Automation Inproc Service*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/shdocvw.dll = shdocvw.dll @{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Servizio Cronologia Url Microsoft*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{FF393560-C2A7-11CF-BFF4-444553540000} /*Cronologia*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*File temporanei Internet*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Hook per la ricerca di URL Microsoft*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} /*Schermata iniziale applicazioni Internet Explorer 4*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{67EA19A0-CCEF-11d0-8024-00C04FD75D13} /*CDF Extension Copy Hook*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{131A6951-7F78-11D0-A979-00C04FD705A2} /*ISFBand OC*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{9461b922-3c5a-11d2-bf8b-00c04fb93661} /*Search Assistant OC*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*Internet*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/C:\WINNT\System32\sendmail.dll = C:\WINNT\System32\sendmail.dll @{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/C:\WINNT\System32\sendmail.dll = C:\WINNT\System32\sendmail.dll @{88C6C381-2E85-11D0-94DE-444553540000} /*Cartella cache ActiveX*/%SystemRoot%\System32\occache.dll = %SystemRoot%\System32\occache.dll @{E6FB5E20-DE35-11CF-9C87-00AA005127ED} /*WebCheck*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll @{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} /*Subscription Mgr*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll @{F5175861-2688-11d0-9C5E-00AA00A45957} /*Cartella Subscription*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll @{08165EA0-E946-11CF-9C87-00AA005127ED} /*WebCheckWebCrawler*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll @{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} /*WebCheckChannelAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll @{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} /*TrayAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll @{7D559C10-9FE9-11d0-93F7-00AA0059CE02} /*Code Download Agent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll @{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} /*ConnectionAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll @{D8BD2030-6FC9-11D0-864F-00AA006809D9} /*PostAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll @{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} /*WebCheck SyncMgr Handler*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll @{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Anteprima*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll @{EAB841A0-9550-11CF-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll @{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Programma di estrazione filtri grafici di Office in anteprima*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll @{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll @{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\System32\thumbvw.dll = C:\WINNT\System32\thumbvw.dll @{352EC2B7-8B9A-11D1-B8AE-006008059382} /*Gestione applicazioni shell*/%SystemRoot%\System32\appwiz.cpl = %SystemRoot%\System32\appwiz.cpl @{0B124F8C-91F0-11D1-B8B5-006008059382} /*Enumeratore applicazioni installate*/%SystemRoot%\System32\appwiz.cpl = %SystemRoot%\System32\appwiz.cpl @{CFCCC7A0-A282-11D1-9082-006008059382} /*Darwin App Publisher*/%SystemRoot%\System32\appwiz.cpl = %SystemRoot%\System32\appwiz.cpl @{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll @{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll @{8A23E65E-31C2-11d0-891C-00A024AB2DBB} /*Directory Query UI*/dsquery.dll = dsquery.dll @{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} /*Directory Object Find*/dsquery.dll = dsquery.dll @{F020E586-5264-11d1-A532-0000F8757D7E} /*Directory Start/Search Find*/dsquery.dll = dsquery.dll @{0D45D530-764B-11d0-A1CA-00AA00C16E65} /*Directory Property UI*/dsuiext.dll = dsuiext.dll @{62AE1F9A-126A-11D0-A14B-0800361B1103} /*Directory Context Menu Verbs*/dsuiext.dll = dsuiext.dll @{450D8FBA-AD25-11D0-98A8-0800361B1103} /*MyDocs Folder*/mydocs.dll = mydocs.dll @{ECF03A33-103D-11d2-854D-006008059367} /*MyDocs Copy Hook*/mydocs.dll = mydocs.dll @{ECF03A32-103D-11d2-854D-006008059367} /*MyDocs Drop Target*/mydocs.dll = mydocs.dll @{4a7ded0a-ad25-11d0-98a8-0800361b1103} /*MyDocs Properties*/mydocs.dll = mydocs.dll @{750fdf0e-2a26-11d1-a3ea-080036587f03} /*Menu file non in linea*/cscui.dll = cscui.dll @{10CFC467-4392-11d2-8DB4-00C04FA31A66} /*Opzioni cartella File non in linea*/cscui.dll = cscui.dll @{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} /*Cartella file non in linea*/cscui.dll = cscui.dll @{7A80E4A8-8005-11D2-BCF8-00C04F72C717} /*MMC Icon Handler*/mmcshext.dll = mmcshext.dll @{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} /*.CAB file viewer*/cabview.dll = cabview.dll @{59850401-6664-101B-B21C-00AA004BA90B} /*Microsoft Office Binder Unbind*/C:\PROGRA~1\MICROS~2\Office\1040\UNBIND.DLL = C:\PROGRA~1\MICROS~2\Office\1040\UNBIND.DLL @{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WinZip\WZSHLSTB.DLL = C:\PROGRA~1\WinZip\WZSHLSTB.DLL @{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WinZip\WZSHLSTB.DLL = C:\PROGRA~1\WinZip\WZSHLSTB.DLL @{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WinZip\WZSHLSTB.DLL = C:\PROGRA~1\WinZip\WZSHLSTB.DLL @{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} /*Elenco di Completamento automatico MRU personalizzato*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{7e653215-fa25-46bd-a339-34a2790f3cb7} /*Accessibile*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{acf35015-526e-4230-9596-becbe19f0ac9} /*Indicatore di avanzamento popup*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{E0E11A09-5CB8-4B6C-8332-E00720A168F2} /*Parser della barra degli indirizzi*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll @{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} /*Microsoft Browser Architecture*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*File temporanei Internet*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{EFA24E64-B078-11d0-89E4-00C04FC9E26E} /*Explorer Band*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll @{f39a0dc0-9cc8-11d0-a599-00c04fd64433} /*File del canale*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll @{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} /*Collegamento al canale*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll @{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} /*Channel Handler Object*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll @{f3da0dc0-9cc8-11d0-a599-00c04fd64437} /*Channel Menu*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll @{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} /*Channel Properties*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll @{32714800-2E5F-11d0-8B85-00AA0044F941} /*&Contatti...*/C:\Programmi\Outlook Express\wabfind.dll = C:\Programmi\Outlook Express\wabfind.dll @{1D2680C9-0E2A-469d-B787-065558BC7D43} /*Fusion Cache*/C:\WINNT\system32\mscoree.dll = C:\WINNT\system32\mscoree.dll @{2206CDB2-19C1-11D1-89E0-00C04FD7A829} /*Microsoft Data Link*/C:\Programmi\File comuni\System\OLE DB\OLEDB32.DLL = C:\Programmi\File comuni\System\OLE DB\OLEDB32.DLL @{4A741382-48B4-11d2-AD84-00A024D24BF3} /*Matrox PowerDesk Properties*/C:\WINNT\system32\PDesk\PDPAGES.DLL = C:\WINNT\system32\PDesk\PDPAGES.DLL @{AB77609F-2178-4E6F-9C4B-44AC179D937A} /*a² Context Menu Shell Extension*/(null) = @{D653647D-D607-4DF6-A5B8-48D2BA195F7B} /*BitDefender Antivirus v8*/(null) = @{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/(null) = @{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINNT\system32\dfshim.dll = C:\WINNT\system32\dfshim.dll @{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINNT\system32\dfshim.dll = C:\WINNT\system32\dfshim.dll @{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll @{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>> AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll Offline Files@{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll Open With@{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll Open With EncryptionMenu@{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>> Offline Files@{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll Open With EncryptionMenu@{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll Sharing@{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>> AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll BitDefender Antivirus v8@{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{BDF3E430-B101-42AD-A544-FADC6B084872} = C:\Programmi\Norton AntiVirus\NavShExt.dll HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINNT\system32\sstext3d.scr HKLM\Software\Microsoft\Internet Explorer\Main >>> @Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome @Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home @Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm HKCU\Software\Microsoft\Internet Explorer\Main >>> @Start Pageabout:blank = about:blank @Local PageC:\WINNT\SYSTEM32\blank.htm = C:\WINNT\SYSTEM32\blank.htm HKLM\Software\Classes\PROTOCOLS\Filter\ >>> application/octet-stream@CLSID = mscoree.dll application/x-complus@CLSID = mscoree.dll application/x-msdownload@CLSID = mscoree.dll Class Install Handler@CLSID = C:\WINNT\system32\urlmon.dll deflate@CLSID = C:\WINNT\system32\urlmon.dll gzip@CLSID = C:\WINNT\system32\urlmon.dll lzdhtml@CLSID = C:\WINNT\system32\urlmon.dll text/webviewhtml@CLSID = %SystemRoot%\system32\shell32.dll HKLM\Software\Classes\PROTOCOLS\Handler\ >>> about@CLSID = %SystemRoot%\System32\mshtml.dll cdl@CLSID = C:\WINNT\system32\urlmon.dll file@CLSID = C:\WINNT\system32\urlmon.dll ftp@CLSID = C:\WINNT\system32\urlmon.dll gopher@CLSID = C:\WINNT\system32\urlmon.dll http@CLSID = C:\WINNT\system32\urlmon.dll https@CLSID = C:\WINNT\system32\urlmon.dll its@CLSID = C:\WINNT\system32\ITSS.DLL javascript@CLSID = %SystemRoot%\System32\mshtml.dll local@CLSID = C:\WINNT\system32\urlmon.dll mailto@CLSID = %SystemRoot%\System32\mshtml.dll mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll mk@CLSID = C:\WINNT\system32\urlmon.dll ms-its@CLSID = C:\WINNT\system32\ITSS.DLL res@CLSID = %SystemRoot%\System32\mshtml.dll sysimage@CLSID = %SystemRoot%\System32\mshtml.dll vbscript@CLSID = %SystemRoot%\System32\mshtml.dll vnd.ms.radio@CLSID = C:\WINNT\System32\msdxm.ocx HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7BC84508-C772-4385-91D7-9102AFF7306E} /*Connessione alla rete locale (LAN) 2*/ >>> @IPAddress82.56.122.187 = 82.56.122.187 @NameServer = @DefaultGateway82.56.122.187 = 82.56.122.187 @Domain = HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>> 000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll 000000000002@LibraryPath = %SystemRoot%\System32\winrnr.dll HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>> 000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000004@PackedCatalogItem = %SystemRoot%\system32\rsvpsp.dll 000000000005@PackedCatalogItem = %SystemRoot%\system32\rsvpsp.dll 000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll 000000000016@PackedCatalogItem = %SystemRoot%\system32\msafd.dll HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017@PackedCatalogItem = %SystemRoot%\system32\msafd.dll C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = ATI CATALYST System Tray.lnk ---- EOF - GMER 1.0.11 ----

Citazione:

Incident Status Location Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\WINNT\system32\dhcp\bootdrv.dll Potentially unwanted tool:Application/HideApp.A Not disinfected C:\WINNT\system32\dhcp\hideapp.exe Potentially unwanted tool:Application/PrcView.A Not disinfected C:\WINNT\system32\dhcp\libparse.exe Hacktool:HackTool/Scansql.B Not disinfected C:\WINNT\system32\dhcp\sqlpass.dic Potentially unwanted tool:Application/ToolWget Not disinfected C:\WINNT\system32\dhcp\wget.exe Virus:W32/Akbot.T.worm Disinfected C:\WINNT\system32\hqghumea.dll Adware:Adware/SystemDoctor Not disinfected C:\WINNT\176228241166.exe Virus:W32/Sdbot.IFP.worm Disinfected C:\WINNT\eraseme_86256.exe Virus:Trj/SecurityDown.A Disinfected C:\Documents and Settings\Max1\Desktop\DellDsk.zip[DellDsk.exe] Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Max1\Cookies\max1@toplist[1].txt Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Max1\Cookies\max1@tradedoubler[2].txt Adware:Adware/Maxifiles Not disinfected C:\Programmi\File comuni\{E421B49B-06B3-1040-0830-010501110027}\Update.exe Adware:Adware/Mytoolbar Not disinfected C:\Programmi\ToolBar888\MyToolBar.dll Adware:Adware/Mytoolbar Not disinfected C:\Programmi\ToolBar888\Activate.exe Adware:Adware/IconAds Not disinfected C:\Programmi\ToolBar888\Uninst.exe

Citazione:

Logfile of HijackThis v1.99.1 Scan saved at 8:39:27 PM, on 9/18/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe C:\Programmi\Norton Internet Security\NISUM.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Programmi\Norton Internet Security\ccPxySvc.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\mgabg.exe C:\Programmi\Norton AntiVirus\navapsvc.exe C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\soundman.exe C:\Programmi\File comuni\Symantec Shared\ccApp.exe C:\WINNT\system32\Linksts.exe C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programmi\ATI Technologies\ATI.ACE\cli.exe C:\Programmi\D4\D4.exe C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\rundll32.exe C:\WINNT\system32\rundll32.exe C:\Programmi\File comuni\{E421B49B-06B3-1040-0830-010501110027}\Update.exe C:\WINNT\system32\rundll32.exe C:\WINNT\system32\aws32.exe C:\WINNT\system32\rundll32.exe C:\WINNT\system32\rundll32.exe C:\WINNT\system32\rundll32.exe C:\Documents and Settings\Max1\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.tiscali.it/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programmi\ToolBar888\MyToolBar.dll O4 - HKLM\..\Run: [SoundMan] soundman.exe O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024 O4 - HKLM\..\Run: [Microsoft Explorer] msl.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [Update] C:\Programmi\AntiVir PersonalEdition Classic\preupd.exe /CALLSCHEDULER /DM="0" /CALLSCHEDULER O4 - HKLM\..\Run: [Dimension4] C:\Programmi\D4\D4.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [timlib] rundll32.exe C:\WINNT\system32\timlib.dll,start O4 - HKLM\..\Run: [bthsvc] rundll32.exe C:\WINNT\system32\bthsvc.dll,start O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe O8 - Extra context menu item: &Cerca con Google - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Traduci parola in italiano - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Link a ritroso - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Pagine simili - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Versione cache della pagina - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122736782765 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://esignaltraining.webex.com/client/v_mywebex/webex/ieatgpc.cab O16 - DPF: {E84D31FB-302A-4F6D-86F7-94A685E9672B} (CQGGUID.GUIDGenerator) - https://www.cqgtrader.com/Global/CQGGUID.CAB O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4784/mcfscan.cab O16 - DPF: {F5BC716E-2650-4B08-9235-C110CF95017F} (Connessione Tiscali) - http://selfcare.tiscali.it/scripts/oneclick/ConnessioneTiscali.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\ccPxySvc.exe O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programmi\Norton Internet Security\NISUM.EXE O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe

[Paolo333]

Ecco cosa mi compare al riavvio. Anche se clicco "annulla", vengo reindirizzato sul sito

Cosa devo fare.

Sono riuscito ad eliminare il Trojan Downloader Generic2.NUA (...almeno mi sembra perchè dopo averlo trovato e cestinato AVG non lo rileva più), mentre lp3.ksa si trova nella cartella di WINNT\system32, ma non riesco a portarlo nel cestino. quando cerco di trascinarlo, mi compare un messaggio con scritto: Impossibile eliminare lp3. impossibile trovare il file specificato

Grazie

[holifay]

mmmmmm

Allora, vediamo un po´ i log che hai postato li hai fatti prima o dopo le nuove infezioni? Avevi il firewall disattivato?. Se i log di GMER li hai fatti prima delle nuove infezioni, ti chiedo di rifarli. In ogni caso fai prima quanto segue:

Scarica sysprotect (da atribune), avvialo e clicca su Remove Now

Scaricati sul desktop VundoFix.EXE
. chiudi tutte le finestre prima di continuare
. esegui il file VundoFix.exe
. premi Scan for Vundo e poi, se trova qualcosa, premi Remove Vundo
. se ti verrà chiesto di spegnere il pc, dai l´OK

Al riavvio, apri HijackThis ed elimina queste voci (se presenti):
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programmi\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [Microsoft Explorer] msl.exe
O4 - HKLM\..\Run: [timlib] rundll32.exe C:\WINNT\system32\timlib.dll,start
O4 - HKLM\..\Run: [bthsvc] rundll32.exe C:\WINNT\system32\bthsvc.dll,start

Avvia il file avenger.exe
Seleziona l'opzione Input Script Manually
Clicca sulla lente di ingrandimento

Ti si apre una finestra View/edit script
All'interno del box bianco,copia e incolla le scritte in rosso:

registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\delldsk
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1C

files to delete:
C:\WINNT\system32\Lpt3.ksa
C:\WINNT\176228241166.exe
C:\WINNT\system32\aws32.exe
C:\WINNT\system32\timlib.dll
C:\WINNT\system32\bthsvc.dll

folders to delete:
C:\Programmi\ToolBar888
C:\Programmi\File comuni\{E421B49B-06B3-1040-0830-010501110027}


Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente


posta il contenuto di questi file:
- c:\avenger.txt
- c:\vundofix.txt (se hai usato vundofix)

Un nuovo log di HijackThis

[Paolo333]

Holifay,

Il programma Hijackthis viene chiuso in modo automatico, appena finita la scansione con il seguente messaggio:

Errore dell'applicazione
Hijackthis.exe ha provocato errori e verrà chiuso. Sarà necessario riavviare il programma
Creazione del registro errori in corso.

I problemi che ho attualmente sono relativi alla navigazione
Quando attivo un motore di ricerca, mi si apre la solita finestra di pop up di cui sopra, anche se non visualizza nulla perchè ho inserito il sito in questione, tra quelli con restrizioni
Anche quando navigo normalmente sul un qualsiasi sito ad un certo punto (non sempre), scompare la barra delle applicazioni di windows e tutti gli oggetti sul desktop, dopodichè mi si riapre ma con meno icone sulla barra e talvolta (non sempre) cade la connessione

Ecco i log che mi hai richiesto:

Citazione:

Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\uxob^qgl ******************* Script file located at: \??\C:\Program Files\pqmghujp.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINNT\system32\Lpt3.ksa not found! Deletion of file C:\WINNT\system32\Lpt3.ksa failed! Could not process line: C:\WINNT\system32\Lpt3.ksa Status: 0xc0000034 File C:\WINNT\176228241166.exe not found! Deletion of file C:\WINNT\176228241166.exe failed! Could not process line: C:\WINNT\176228241166.exe Status: 0xc0000034 File C:\WINNT\system32\aws32.exe not found! Deletion of file C:\WINNT\system32\aws32.exe failed! Could not process line: C:\WINNT\system32\aws32.exe Status: 0xc0000034 File C:\WINNT\system32\timlib.dll not found! Deletion of file C:\WINNT\system32\timlib.dll failed! Could not process line: C:\WINNT\system32\timlib.dll Status: 0xc0000034 File C:\WINNT\system32\bthsvc.dll not found! Deletion of file C:\WINNT\system32\bthsvc.dll failed! Could not process line: C:\WINNT\system32\bthsvc.dll Status: 0xc0000034 Folder C:\Programmi\ToolBar888 not found! Deletion of folder C:\Programmi\ToolBar888 failed! Could not process line: C:\Programmi\ToolBar888 Status: 0xc0000034 Folder C:\Programmi\File comuni\{E421B49B-06B3-1040-0830-010501110027} deleted successfully. Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer not found! Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer failed! Status: 0xc0000034 Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\delldsk not found! Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\delldsk failed! Status: 0xc0000034 Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1C not found! Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1C failed! Status: 0xc0000034 Completed script processing. ******************* Finished! Terminate.

Il log di VundoFix riporta solo: No infected files were found.


Hijackthis:

Citazione:

Logfile of HijackThis v1.99.1 Scan saved at 10:16:59 AM, on 9/23/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Programmi\File comuni\Symantec Shared\ccProxy.exe C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\mgabg.exe C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\WINNT\system32\svchost.exe C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\Ati2evxx.exe C:\WINNT\Explorer.EXE C:\WINNT\soundman.exe C:\WINNT\system32\Linksts.exe C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programmi\ATI Technologies\ATI.ACE\cli.exe C:\Programmi\File comuni\Symantec Shared\ccApp.exe C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe C:\Programmi\D4\D4.exe C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe C:\WINNT\system32\internat.exe C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\wuauclt.exe C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE C:\WINNT\system32\taskmgr.exe C:\PROGRA~1\Alice\ALICEE~1\app\EnterNet.exe C:\Programmi\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Max1\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.tiscali.it/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file) O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [SoundMan] soundman.exe O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024 O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATICCC] "C:\Programmi\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [Update] C:\Programmi\AntiVir PersonalEdition Classic\preupd.exe /CALLSCHEDULER /DM="0" /CALLSCHEDULER O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programmi\File comuni\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [Dimension4] C:\Programmi\D4\D4.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Programmi\ATI Technologies\ATI.ACE\CLI.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Cerca con Google - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Traduci parola in italiano - res://C:\Programmi\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Link a ritroso - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Pagine simili - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Versione cache della pagina - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html O12 - Plugin for .aspx: C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122736782765 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://esignaltraining.webex.com/client/v_mywebex/webex/ieatgpc.cab O16 - DPF: {E84D31FB-302A-4F6D-86F7-94A685E9672B} (CQGGUID.GUIDGenerator) - https://www.cqgtrader.com/Global/CQGGUID.CAB O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4784/mcfscan.cab O16 - DPF: {F5BC716E-2650-4B08-9235-C110CF95017F} (Connessione Tiscali) - http://selfcare.tiscali.it/scripts/oneclick/ConnessioneTiscali.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\ccPwdSvc.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmi\Norton Internet Security\comHost.exe O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\Alice\ALICEE~1\app\pppoeservice.exe O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe

Non dirmi che devo far riformattare il Pc per favore.......

Grazie comunque per l'aiuto

[Paolo333]

Ho lasciato il PC con la connessione avviata a internet per circa due ore, con l'EXPLORER chiuso, lavorando solo su programmi interni, WORD e simili.

Appena mi ha aperto EXPLORER, giusto il tempo di arrivare quì sul forum, e il PC si è piantanto dopo pochi click.

Le finestre dei programmi sono rimaste aperte, scomparsa la barra di WINDOWS, sono riuscito a malapena ad aprire il task manager per vedere che la CPU su EXPLORER.EXE era a 98%

Ho dovuto spegnere il PC manualmente (si è spento con il comando ARRESTO del SISTEMA, ma stranamente il PC è rimasto acceso)

Ogni aiuto....è il benvenuto

Sono rimasto solo?

[holifay]

Rispetto a prima la situazione è migliorata di parecchio

Da hijackThis, elimina anche questa voce:
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
Controlla se riesci ad eliminarla

Fai una scansione online con Panda e poi salva il report al termine e postalo qui.

Poi scarica GMER da www.gmer.net e fa due log, uno dal tab Rootkit, l´altro dal tab Autostart. Puoi copiarli premendo il tasto Copy e incollarli qui