problems with link optimizer
pino
Hero in the grace of the gods
Registered: 21/09/06 14:39
Posts: 126
Location: Varese

Posted: 21 Sep 2006 15:25    Subject: problems with link optimizer

hi everyone, I came across your forum because I realised I have the virus named in the subject

I noticed it because I found that the ability to manage the local security policy had been blocked in my account

while searching for a way to fix the problem I found your site.

this is the situation

after noticing the various symptoms (a new user, a folder with the same name in c:\documents and settings (created on 11 September), the presence of connectionservices in Add/Remove Programs ....)

reading the various posts on the subject I downloaded the automatic removal tool and ran it

at the start of the scan it gave me a message like cm not found, then it continued the scan and finished it with the message scan finished normally

I rebooted and then checked: the user generated by the virus is still there, my user name still has its permissions blocked, connectionservices is still present in Add/Remove Programs, and avast found c:winnt\temp\gajt1.exe

so I thought I'd run the removal tool again, and it tells me the virus is not present, with the following log:
Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINNT
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.

unfortunately the new scan deleted the previous log

should the virus be considered removed?
if so, how do I go about deleting all the leftovers, resetting the rights on my user name, etc.?

I'm also attaching the HijackThis log below, in case it is useful

thanks in advance for the help

P.S. I found out I have the same virus on the laptop and on another PC too; what should I do, wait a moment? on the other PC the popup window appeared yesterday for the first time and today I can no longer start it in normal mode because it tells me error in explorer.exe (at least I think so); I can only start it in safe mode


Logfile of HijackThis v1.99.1
Scan saved at 14.56.03, on 21/09/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
g:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
D:\Bus\Msde\binn\sqlservr.exe
C:\WINNT\system32\PDFCreatorMessages.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
D:\Bus\Msde\binn\sqlagent.exe
C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
G:\Programmi\Iomega\DriveIcons\ImgIcon.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
G:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe
G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\Dit.exe
G:\Programmi\QuickTime\qttask.exe
C:\WINNT\DitExp.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\VoiceAge\Common\VaCtrl.exe
C:\pippo\prevxremovaltool.exe
C:\WINNT\system32\internat.exe
G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
G:\Programmi\Microsoft ActiveSync\wcescomm.exe
C:\Programmi\VoiceAge\Common\VaLangInterf.exe
D:\Bus\Msde\Binn\sqlmangr.exe
G:\Programmi\FreePOPs\freepopsd.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
g:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
g:\Programmi\Alwil Software\Avast4\ashWebSv.exe
g:\Programmi\Alwil Software\Avast4\ashSimpl.exe
C:\WINNT\system32\mshta.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magni.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3F671824-ABD4-6000-978C-EA99BC9881E5} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PMXInit] C:\WINNT\System32\pmxinit.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] g:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] g:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [PDFCreatorClient] g:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] g:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VaCtrl] C:\Programmi\VoiceAge\Common\VaCtrl.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [UIWatcher] G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Programmi\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [RealPlayer] "g:\Programmi\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: Collegamento a freepopsd.exe.lnk = G:\Programmi\FreePOPs\freepopsd.exe
O4 - Global Startup: Service Manager.lnk = D:\Bus\Msde\Binn\sqlmangr.exe
O8 - Extra context menu item: Scarica con Download &Express - g:\Programmi\Download Express\Add_Url.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - g:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - g:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferito portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - g:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - g:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - g:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122529522031
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C6B7DC0-D0D1-40BF-BB6F-109728E384E7}: NameServer = 151.99.125.2,151.99.250.2
O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - g:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - g:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - g:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINNT\system32\PDFCreatorMessages.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Programmi\Iomega\AutoDisk\ADService.exe
holifay
Mature god
Registered: 08/03/05 10:48
Posts: 2912
Location: Milano

Posted: 21 Sep 2006 15:43

Hi and welcome

to see whether it is still active, do this quickly: delete these entries with HijackThis and check whether they get recreated after the reboot

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3F671824-ABD4-6000-978C-EA99BC9881E5} - (no file)

In any case there is still something to remove, some leftover. Tell me the name of the user folder and post the two GMER logs, made according to the instructions in the guide you find at the top of the forum
pino

Posted: 21 Sep 2006 16:16

thanks for the quick reply, here is the information you asked for

by user name do you mean the user I usually log in with? Administrator

here are the scans

GMER rootkit
GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-21 16:20:18
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.11 ----

SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwClose
SSDT \??\C:\WINNT\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwCreateDirectoryObject
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwCreateFile
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwCreateProcess
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwCreateSection
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwOpenFile
SSDT \??\C:\WINNT\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwSetInformationFile
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwWriteFile

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [BB491060] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CREATE [BB48F7C0] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CLOSE [BB48F7C0] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_DEVICE_CONTROL [BB48F7C0] vsdatant.sys
Device \Driver\AFD \Device\Afd FastIoDeviceControl [BB48F180] vsdatant.sys

---- Processes - GMER 1.0.11 ----

Process services.exe (*** hidden *** ) [252] 815BE860
Process CSRSS.EXE (*** hidden *** ) [204] 815C8020
Process ashWebSv.exe (*** hidden *** ) [1192] 8142E020
Process ashServ.exe (*** hidden *** ) [560] 81533020
Process System (*** hidden *** ) [8] 81888AE0
Process sqlservr.exe (*** hidden *** ) [648] 815AE980
Process vsmon.exe (*** hidden *** ) [1968] 813A85E0
Process svchost.exe (*** hidden *** ) [608] 81524940
Process lsass.exe (*** hidden *** ) [272] 815BC020
Process svchost.exe (*** hidden *** ) [464] 81583940
Process PDFCreatorMessa (*** hidden *** ) [708] 81516D60
Process svchost.exe (*** hidden *** ) [428] 8149B960
Process WinMgmt.exe (*** hidden *** ) [896] 81466800
Process winlogon.exe (*** hidden *** ) [224] 81608640
Process zapro.exe (*** hidden *** ) [1640] 813CDA20
Process sqlagent.exe (*** hidden *** ) [1108] 814504C0
Process spoolsv.exe (*** hidden *** ) [492] 815403E0
Process ashMaiSv.exe (*** hidden *** ) [1244] 814306A0
Process SMSS.EXE (*** hidden *** ) [180] 816418E0
Process aswUpdSv.exe (*** hidden *** ) [544] 815375A0
Process CDANTSRV.EXE (*** hidden *** ) [588] 81527A80
Process regsvc.exe (*** hidden *** ) [652] 81530D60
Process mstask.exe (*** hidden *** ) [744] 8150CD60
Process stisvc.exe (*** hidden *** ) [952] 814E0D60

---- Files - GMER 1.0.11 ----

ADS C:\Documents and Settings\Administrator\Dati applicazioni\Microsoft\Firme elettroniche\logo moto club_80x80px.gif:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\Dati applicazioni\Microsoft\Firme elettroniche\logo moto club_80x80px.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Administrator\Desktop\Copy of ago_4.gif:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\Desktop\Copy of ago_4.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Administrator\Desktop\Copy2 of ago_4.gif:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\Desktop\Copy2 of ago_4.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Administrator\Desktop\Copy3of ago_4.gif:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\Desktop\Copy3of ago_4.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Administrator\Desktop\logo motoclub.gif:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\Desktop\logo motoclub.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Administrator\Desktop\logo motoclub.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS ...
ADS D:\prealpina\IMG_0213_2.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS D:\prealpina\IMG_0213_2.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS D:\prealpina\IMG_0214_2.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS D:\prealpina\IMG_0214_2.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS D:\prealpina\IMG_0358_2.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS D:\prealpina\IMG_0358_2.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\1.gif:Q30lsldxJoudresxAaaqpcawXc
ADS G:\12 revival\1.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\1.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS G:\12 revival\1.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\ago_arturo_1.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS G:\12 revival\ago_arturo_1.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\ago_arturo_2.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS G:\12 revival\ago_arturo_2.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\ARTURO3.GIF:Q30lsldxJoudresxAaaqpcawXc
ADS G:\12 revival\ARTURO3.GIF:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\bolletino enel 2006.BMP:Q30lsldxJoudresxAaaqpcawXc
ADS ...
ADS H:\hailwood\Copy of hailwood.gif:Q30lsldxJoudresxAaaqpcawXc
ADS H:\hailwood\Copy of hailwood.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\hailwood\Copy of logo motoclub.gif:Q30lsldxJoudresxAaaqpcawXc
ADS H:\hailwood\Copy of logo motoclub.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\hailwood\fmi copia.gif:Q30lsldxJoudresxAaaqpcawXc
ADS H:\hailwood\fmi copia.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\hailwood\Fmi.bmp:Q30lsldxJoudresxAaaqpcawXc
ADS H:\hailwood\Fmi.bmp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\hailwood\fmi.gif:Q30lsldxJoudresxAaaqpcawXc
ADS H:\hailwood\fmi.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\hailwood\hailwood.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS ...

---- EOF - GMER 1.0.11 ----

GMER autostart

GMER 1.0.11.11349 - http://www.gmer.net
Autostart 2006-09-21 16:20:58
Windows 5.0.2195 Service Pack 4


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
ActiveSync@DLLName = WcesWlgn.dll
wzcnotif@DLLName = wzcdlg.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "g:\Programmi\Alwil Software\Avast4\ashServ.exe"
C-DillaSrv /*C-DillaSrv*/@ = C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
MSSQLServer /*MSSQLServer*/@ = D:\Bus\Msde\binn\sqlservr.exe
PDFCreatorMessages /*PDFCreatorMessages*/@ = C:\WINNT\system32\PDFCreatorMessages.exe
RemoteRegistry /*Servizio Registro di sistema remoto*/@ = %SystemRoot%\system32\regsvc.exe
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\system32\MSTask.exe
SecJkj /*SecJkj*/@ = "C:\Programmi\File comuni\System\yIx.exe" /*file not found*/
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
SQLServerAgent /*SQLServerAgent*/@ = D:\Bus\Msde\binn\sqlagent.exe
StiSvc /*Still Image Service*/@ = %systemroot%\system32\stisvc.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINNT\system32\ZoneLabs\vsmon.exe -service
WinMgmt /*Strumentazione gestione Windows*/@ = %SystemRoot%\System32\WBEM\WinMgmt.exe
_IOMEGA_ACTIVE_DISK_SERVICE_ /*Iomega Active Disk*/@ = "C:\Programmi\Iomega\AutoDisk\ADService.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@SmappC:\Programmi\Analog Devices\SoundMAX\Smtray.exe = C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
@PMXInitC:\WINNT\System32\pmxinit.exe = C:\WINNT\System32\pmxinit.exe
@CreateCD50"C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe" -r = "C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe" -r
@AdaptecDirectCD"C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" = "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
@ADUserMonC:\Programmi\Iomega\AutoDisk\ADUserMon.exe = C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
@Iomega Drive Iconsg:\Programmi\Iomega\DriveIcons\ImgIcon.exe = g:\Programmi\Iomega\DriveIcons\ImgIcon.exe
@Deskupg:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART = g:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@Zone Labs ClientG:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe = G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
@PDFCreatorClientg:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe = g:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe
@NeroCheckC:\WINNT\system32\NeroCheck.exe = C:\WINNT\system32\NeroCheck.exe
@CorelDRAW Graphics Suite 11b /*file not found*/ = /*file not found*/
@SunJavaUpdateSchedG:\Programmi\Java\jre1.5.0_01\bin\jusched.exe = G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
@DitDit.exe = Dit.exe
@RegistryMechanic /*file not found*/ = /*file not found*/
@QuickTime Task"G:\Programmi\QuickTime\qttask.exe" -atboottime = "G:\Programmi\QuickTime\qttask.exe" -atboottime
@avast!g:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = g:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@VaCtrlC:\Programmi\VoiceAge\Common\VaCtrl.exe = C:\Programmi\VoiceAge\Common\VaCtrl.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@internat.exeinternat.exe = internat.exe
@UIWatcherG:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe = G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
@H/PC Connection Agent"G:\Programmi\Microsoft ActiveSync\wcescomm.exe" = "G:\Programmi\Microsoft ActiveSync\wcescomm.exe"
@RealPlayer"g:\Programmi\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot = "g:\Programmi\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot

HKLM\Software\Classes\.scr@ = C:\WINNT\NOTEPAD.EXE "%1"

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/g:\Programmi\Unlocker\UnlockerCOM.dll = g:\Programmi\Unlocker\UnlockerCOM.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = g:\Programmi\Alwil Software\Avast4\ashShell.dll
EncodeDivXExt@{E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3} = g:\Programmi\DivX\Dr.DivX\EncodeDivXExt.dll
Rename-It!@{A64BBF5F-1250-4083-924C-B79661B75AAE} = g:\Programmi\Rename-It!\SimpleExt.dll
RExpCtxU@{D9F81151-62CA-4858-B45E-82B3EC41A549} = C:\Programmi\Resco\Pocket Encryption\RExpCtxU.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = G:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
Rename-It!@{A64BBF5F-1250-4083-924C-B79661B75AAE} = g:\Programmi\Rename-It!\SimpleExt.dll
RExpCtxU@{D9F81151-62CA-4858-B45E-82B3EC41A549} = C:\Programmi\Resco\Pocket Encryption\RExpCtxU.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = G:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = g:\Programmi\Alwil Software\Avast4\ashShell.dll
UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = g:\Programmi\Unlocker\UnlockerCOM.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = G:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = G:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.magni.it/

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
its@CLSID = C:\WINNT\system32\itss.dll
mctp@CLSID = {d7b95390-b1c5-11d0-b111-0080c712fe82} /*file not found*/
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINNT\system32\itss.dll
vnd.ms.radio@CLSID = C:\WINNT\system32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C6B7DC0-D0D1-40BF-BB6F-109728E384E7} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.1.2 = 192.168.1.2
@NameServer151.99.125.2,151.99.250.2 = 151.99.125.2,151.99.250.2
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica = Collegamento a freepopsd.exe.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = Service Manager.lnk

---- EOF - GMER 1.0.11 ----



hijackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 16.22.31, on 21/09/06
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
g:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
C:\WINNT\System32\svchost.exe
D:\Bus\Msde\binn\sqlservr.exe
C:\WINNT\system32\PDFCreatorMessages.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
D:\Bus\Msde\binn\sqlagent.exe
g:\Programmi\Alwil Software\Avast4\ashWebSv.exe
g:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
G:\Programmi\Iomega\DriveIcons\ImgIcon.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
G:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe
G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\Dit.exe
G:\Programmi\QuickTime\qttask.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\DitExp.exe
C:\Programmi\VoiceAge\Common\VaCtrl.exe
C:\WINNT\system32\internat.exe
G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
C:\Programmi\VoiceAge\Common\VaLangInterf.exe
G:\Programmi\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Bus\Msde\Binn\sqlmangr.exe
G:\Programmi\FreePOPs\freepopsd.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Windows NT\Accessori\wordpad.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magni.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PMXInit] C:\WINNT\System32\pmxinit.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] g:\Programmi\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] g:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [PDFCreatorClient] g:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] g:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [VaCtrl] C:\Programmi\VoiceAge\Common\VaCtrl.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [UIWatcher] G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Programmi\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [RealPlayer] "g:\Programmi\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: Collegamento a freepopsd.exe.lnk = G:\Programmi\FreePOPs\freepopsd.exe
O4 - Global Startup: Service Manager.lnk = D:\Bus\Msde\Binn\sqlmangr.exe
O8 - Extra context menu item: Scarica con Download &Express - g:\Programmi\Download Express\Add_Url.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - g:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - g:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferito portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - g:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - g:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - g:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122529522031
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C6B7DC0-D0D1-40BF-BB6F-109728E384E7}: NameServer = 151.99.125.2,151.99.250.2
O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - g:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - g:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - g:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINNT\system32\PDFCreatorMessages.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Programmi\Iomega\AutoDisk\ADService.exe
holifay (Mature god; registered 08/03/05 10:48; posts: 2912; location: Milano)

Posted: 21 Sep 2006 17:03    Subject:

Sorry, I hadn't explained myself well.

I need to know the name of the fake user folder with the random name, created on the day of the infection in c:/documents and settings
pino (Hero in the grace of the gods; registered 21/09/06 14:39; posts: 126; location: varese)

Posted: 21 Sep 2006 17:06    Subject:

No problem, this is the name of the folder and of the new user:

gXlIbaBlMsmLJbMa
holifay (Mature god; registered 08/03/05 10:48; posts: 2912; location: Milano)

Posted: 21 Sep 2006 17:21    Subject:

Download The Avenger and extract the executable to the desktop.

Select the contents of the box below with the mouse and copy it to the clipboard (press CTRL+C).

Quote:

folders to delete:
c:\documents and settings\gXlIbaBlMsmLJbMa

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\SecJkj

files to delete:
C:\Programmi\File comuni\System\yIx.exe


- start The Avenger and select Input Script Manually
- click the icon with the magnifying glass
- a new window will open titled View/edit script
- paste what you copied above by pressing Ctrl+V
- click Done
- click the icon with the traffic light showing the green light to run the script
- answer Yes twice

then post the Avenger log that you find in C:

Bye
pino (Hero in the grace of the gods; registered 21/09/06 14:39; posts: 126; location: varese)

Posted: 21 Sep 2006 17:40    Subject:

here I am again....
this is the Avenger log


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mbocrqfs

*******************

Script file located at: \??\C:\WINNT\yttorhbw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder c:\documents and settings\gXlIbaBlMsmLJbMa deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Services\SecJkj deleted successfully.


File C:\Programmi\File comuni\System\yIx.exe not found!
Deletion of file C:\Programmi\File comuni\System\yIx.exe failed!

Could not process line:
C:\Programmi\File comuni\System\yIx.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

-> the folder in c:documents and settings is gone

-> the fake user is still there, what do I do, delete it manually?

-> and if I open Control Panel - Administrative Tools - Local Settings I still find the Account Policies and Local Policies folders locked; how can I assign the debug rights if the folders are locked?

bye

P.S. I have to go out, I'll be back in about an hour... talk to you later, thanks
pino (Hero in the grace of the gods; registered 21/09/06 14:39; posts: 126; location: varese)

Posted: 21 Sep 2006 20:16    Subject:

P.S.

internetconnections is also still there in Add/Remove Programs....

bye
holifay (Mature god; registered 08/03/05 10:48; posts: 2912; location: Milano)

Posted: 22 Sep 2006 12:35    Subject:

To remove internetconnections from the list of applications use HijackThis: press Open the Misc Tools section >> Open Uninstall Manager. Find the application to delete in the list, select it and press Delete this entry.

You remove the user by hand, then reset the rights. If you don't have the debug privileges (but I thought the Prevx tool restored them!) try this fix: http://download.bleepingcomputer.com/sUBs/SeDebug-Restore.exe

Bye
pino (Hero in the grace of the gods; registered 21/09/06 14:39; posts: 126; location: varese)

Posted: 22 Sep 2006 14:19    Subject:

hi holifay

this morning internetconnection was no longer in the list of applications, and to think that yesterday I had rebooted more than once...

removed the user, and even after a reboot it doesn't come back

ran the tool but the debug privileges are still locked

below are the gmer logs

thanks again for your patience

bye


GMER rootkit

GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-22 14:21:26
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.11 ----

SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwClose
SSDT \??\C:\WINNT\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwCreateDirectoryObject
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwCreateFile
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwCreateProcess
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwCreateSection
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwOpenFile
SSDT \??\C:\WINNT\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwSetInformationFile
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwWriteFile

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [BB491060] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [BB491060] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CREATE [BB48F7C0] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CLOSE [BB48F7C0] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_DEVICE_CONTROL [BB48F7C0] vsdatant.sys
Device \Driver\AFD \Device\Afd FastIoDeviceControl [BB48F180] vsdatant.sys

---- Processes - GMER 1.0.11 ----

Process zapro.exe (*** hidden *** ) [1628] 81414520
Process vsmon.exe (*** hidden *** ) [840] 81356300

---- Files - GMER 1.0.11 ----

ADS C:\Documents and Settings\Administrator\Dati applicazioni\Microsoft\Firme elettroniche\logo moto club_80x80px.gif:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\Dati applicazioni\Microsoft\Firme elettroniche\logo moto club_80x80px.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Administrator\Desktop\Copy of ago_4.gif:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\Desktop\Copy of ago_4.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Administrator\Desktop\Copy2 of ago_4.gif:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\Desktop\Copy2 of ago_4.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Administrator\Desktop\Copy3of ago_4.gif:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\Desktop\Copy3of ago_4.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Administrator\Desktop\logo motoclub.gif:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\Desktop\logo motoclub.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Administrator\Desktop\logo motoclub.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS ...
ADS D:\prealpina\IMG_0213_2.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS D:\prealpina\IMG_0213_2.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS D:\prealpina\IMG_0214_2.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS D:\prealpina\IMG_0214_2.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS D:\prealpina\IMG_0358_2.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS D:\prealpina\IMG_0358_2.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\1.gif:Q30lsldxJoudresxAaaqpcawXc
ADS G:\12 revival\1.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\1.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS G:\12 revival\1.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\ago_arturo_1.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS G:\12 revival\ago_arturo_1.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\ago_arturo_2.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS G:\12 revival\ago_arturo_2.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\ARTURO3.GIF:Q30lsldxJoudresxAaaqpcawXc
ADS G:\12 revival\ARTURO3.GIF:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\bolletino enel 2006.BMP:Q30lsldxJoudresxAaaqpcawXc
ADS ...
ADS H:\hailwood\Copy of hailwood.gif:Q30lsldxJoudresxAaaqpcawXc
ADS H:\hailwood\Copy of hailwood.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\hailwood\Copy of logo motoclub.gif:Q30lsldxJoudresxAaaqpcawXc
ADS H:\hailwood\Copy of logo motoclub.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\hailwood\fmi copia.gif:Q30lsldxJoudresxAaaqpcawXc
ADS H:\hailwood\fmi copia.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\hailwood\Fmi.bmp:Q30lsldxJoudresxAaaqpcawXc
ADS H:\hailwood\Fmi.bmp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\hailwood\fmi.gif:Q30lsldxJoudresxAaaqpcawXc
ADS H:\hailwood\fmi.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS H:\hailwood\hailwood.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS ...

---- EOF - GMER 1.0.11 ----


GMER autostart

GMER 1.0.11.11349 - http://www.gmer.net
Autostart 2006-09-22 14:22:55
Windows 5.0.2195 Service Pack 4


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
ActiveSync@DLLName = WcesWlgn.dll
wzcnotif@DLLName = wzcdlg.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "g:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "g:\Programmi\Alwil Software\Avast4\ashServ.exe"
C-DillaSrv /*C-DillaSrv*/@ = C:\WINNT\system32\DRIVERS\CDANTSRV.EXE
MSSQLServer /*MSSQLServer*/@ = D:\Bus\Msde\binn\sqlservr.exe
PDFCreatorMessages /*PDFCreatorMessages*/@ = C:\WINNT\system32\PDFCreatorMessages.exe
RemoteRegistry /*Servizio Registro di sistema remoto*/@ = %SystemRoot%\system32\regsvc.exe
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\system32\MSTask.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
SQLServerAgent /*SQLServerAgent*/@ = D:\Bus\Msde\binn\sqlagent.exe
StiSvc /*Still Image Service*/@ = %systemroot%\system32\stisvc.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINNT\system32\ZoneLabs\vsmon.exe -service
WinMgmt /*Strumentazione gestione Windows*/@ = %SystemRoot%\System32\WBEM\WinMgmt.exe
_IOMEGA_ACTIVE_DISK_SERVICE_ /*Iomega Active Disk*/@ = "C:\Programmi\Iomega\AutoDisk\ADService.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@SmappC:\Programmi\Analog Devices\SoundMAX\Smtray.exe = C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
@PMXInitC:\WINNT\System32\pmxinit.exe = C:\WINNT\System32\pmxinit.exe
@CreateCD50"C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe" -r = "C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe" -r
@AdaptecDirectCD"C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" = "C:\Programmi\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
@ADUserMonC:\Programmi\Iomega\AutoDisk\ADUserMon.exe = C:\Programmi\Iomega\AutoDisk\ADUserMon.exe
@Iomega Drive Iconsg:\Programmi\Iomega\DriveIcons\ImgIcon.exe = g:\Programmi\Iomega\DriveIcons\ImgIcon.exe
@Deskupg:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART = g:\Programmi\Iomega\DriveIcons\deskup.exe /IMGSTART
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@Zone Labs ClientG:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe = G:\PROGRA~1\ZONELA~1\ZoneAlarm\zapro.exe
@PDFCreatorClientg:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe = g:\Programmi\JawsSystems\Jaws PDF Creator\PDFClient.exe
@NeroCheckC:\WINNT\system32\NeroCheck.exe = C:\WINNT\system32\NeroCheck.exe
@CorelDRAW Graphics Suite 11b /*file not found*/ = /*file not found*/
@SunJavaUpdateSchedG:\Programmi\Java\jre1.5.0_01\bin\jusched.exe = G:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
@DitDit.exe = Dit.exe
@RegistryMechanic /*file not found*/ = /*file not found*/
@QuickTime Task"G:\Programmi\QuickTime\qttask.exe" -atboottime = "G:\Programmi\QuickTime\qttask.exe" -atboottime
@avast!g:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = g:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@VaCtrlC:\Programmi\VoiceAge\Common\VaCtrl.exe = C:\Programmi\VoiceAge\Common\VaCtrl.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@internat.exeinternat.exe = internat.exe
@UIWatcherG:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe = G:\Programmi\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
@H/PC Connection Agent"G:\Programmi\Microsoft ActiveSync\wcescomm.exe" = "G:\Programmi\Microsoft ActiveSync\wcescomm.exe"
@RealPlayer"g:\Programmi\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot = "g:\Programmi\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot

HKLM\Software\Classes\.scr@ = C:\WINNT\NOTEPAD.EXE "%1"

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/g:\Programmi\Unlocker\UnlockerCOM.dll = g:\Programmi\Unlocker\UnlockerCOM.dll
@{BB7DF450-F119-11CD-8465-00AA00425D90} /*Microsoft Access Custom Icon Handler*/G:\Programmi\Microsoft Office\Office\soa800.dll = G:\Programmi\Microsoft Office\Office\soa800.dll
@{59850401-6664-101B-B21C-00AA004BA90B} /*Utilità di separazione di Raccoglitore Office.*/G:\Programmi\Microsoft Office\Office\UNBIND.DLL = G:\Programmi\Microsoft Office\Office\UNBIND.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/G:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = G:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/G:\Programmi\Microsoft Office\Office10\msohev.dll = G:\Programmi\Microsoft Office\Office10\msohev.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = g:\Programmi\Alwil Software\Avast4\ashShell.dll
EncodeDivXExt@{E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3} = g:\Programmi\DivX\Dr.DivX\EncodeDivXExt.dll
Rename-It!@{A64BBF5F-1250-4083-924C-B79661B75AAE} = g:\Programmi\Rename-It!\SimpleExt.dll
RExpCtxU@{D9F81151-62CA-4858-B45E-82B3EC41A549} = C:\Programmi\Resco\Pocket Encryption\RExpCtxU.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = G:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
Rename-It!@{A64BBF5F-1250-4083-924C-B79661B75AAE} = g:\Programmi\Rename-It!\SimpleExt.dll
RExpCtxU@{D9F81151-62CA-4858-B45E-82B3EC41A549} = C:\Programmi\Resco\Pocket Encryption\RExpCtxU.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = G:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = g:\Programmi\Alwil Software\Avast4\ashShell.dll
UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = g:\Programmi\Unlocker\UnlockerCOM.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = G:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = G:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.magni.it/

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
its@CLSID = C:\WINNT\system32\itss.dll
mctp@CLSID = {d7b95390-b1c5-11d0-b111-0080c712fe82} /*file not found*/
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINNT\system32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
vnd.ms.radio@CLSID = C:\WINNT\system32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0C6B7DC0-D0D1-40BF-BB6F-109728E384E7} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.1.2 = 192.168.1.2
@NameServer151.99.125.2,151.99.250.2 = 151.99.125.2,151.99.250.2
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica = Collegamento a freepopsd.exe.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio Office.lnk = Avvio Office.lnk
Microsoft Office.lnk = Microsoft Office.lnk
Ricerca rapida.lnk = Ricerca rapida.lnk
Service Manager.lnk = Service Manager.lnk

---- EOF - GMER 1.0.11 ----
pino (Hero in the grace of the gods; registered 21/09/06 14:39; posts: 126; location: varese)

Posted: 22 Sep 2006 14:34    Subject:

pino wrote:

    ran the tool but the debug privileges are still locked

--

quoting myself

I was hasty... the "User Rights Assignment" etc. folders have the icon of a folder with a padlock, but now if I click them I can get in, whereas before it gave me an access error

anyway, here too gmer gave me the rootkit activity message

bye
holifay (Mature god; registered 08/03/05 10:48; posts: 2912; location: Milano)

Posted: 23 Sep 2006 17:33    Subject:

Yes, it's one of GMER's flaws: it sees rootkits even where there aren't any. You have Zone Alarm, which uses rootkit techniques, and GMER sees them.

Everything looks fine to me now. Is the PC still giving you any problems?
Run a few online scans anyway (Kaspersky, Panda...) and you'll see they still find something; that's normal.

But there shouldn't be anything active any more. Whatever they find you can delete manually.

Bye
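Added example, not part of this thread and not GMER's own code: a small Python triage script for a GMER log like the one pino posted above, written to make holifay's point checkable. It reads the SSDT, Processes and Files sections, attributes each SSDT hook to the module that installed it so that hooks from security products installed on the machine (aswMon.SYS is avast!'s monitor driver and vsdatant.sys is the ZoneAlarm TrueVector driver, both visible in the HijackThis log earlier in the thread; this module-to-vendor table is the editor's own and has to be extended for other products) stand apart from hooks by a driver nobody can account for, lists the hidden processes, and groups the ADS entries by stream name. The {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} stream is the property-set stream that Windows 2000/XP Explorer writes when the Summary tab of a file's properties is used, so it is treated as benign; any other stream name that recurs on several unrelated files (here across four drives) is reported for investigation rather than dismissed. The embedded log excerpt is constructed from lines of the log posted above; the truncated "ADS ..." lines are skipped.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER log posted in this thread (not a full capture).
SAMPLE_LOG = r"""
GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-22 14:21:26
Windows 5.0.2195 Service Pack 4

---- System - GMER 1.0.11 ----

SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwClose
SSDT \??\C:\WINNT\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwCreateFile
SSDT \??\C:\WINNT\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\Drivers\aswMon.SYS ZwWriteFile

---- Processes - GMER 1.0.11 ----

Process zapro.exe (*** hidden *** ) [1628] 81414520
Process vsmon.exe (*** hidden *** ) [840] 81356300

---- Files - GMER 1.0.11 ----

ADS C:\Documents and Settings\Administrator\Desktop\logo motoclub.gif:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\Administrator\Desktop\logo motoclub.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS D:\prealpina\IMG_0213_2.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS D:\prealpina\IMG_0213_2.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS G:\12 revival\1.gif:Q30lsldxJoudresxAaaqpcawXc
ADS H:\hailwood\Fmi.bmp:Q30lsldxJoudresxAaaqpcawXc
ADS ...

---- EOF - GMER 1.0.11 ----
"""

# Editor's table (assumption): kernel modules of the security products seen in the
# HijackThis log of this thread. Extend it for whatever is installed on the machine.
KNOWN_SECURITY_MODULES = {
    "aswmon.sys": "avast! file system monitor",
    "vsdatant.sys": "ZoneAlarm TrueVector",
}

# Property-set stream written by Explorer's Summary tab on Windows 2000/XP: benign.
BENIGN_STREAMS = {"{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}"}

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)$")          # module paths without spaces
PROC_RE = re.compile(r"^Process\s+(\S+)\s+\(\*\*\*\s*hidden\s*\*\*\*\s*\)\s+\[(\d+)\]")
ADS_RE = re.compile(r"^ADS\s+(.+):([^:]+)$")               # last colon separates the stream


def parse_gmer(text):
    """Split a GMER text log into SSDT hooks, hidden processes and ADS entries."""
    parsed = {"ssdt": [], "hidden": [], "ads": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            parsed["ssdt"].append((m.group(1), m.group(2)))
        elif m := PROC_RE.match(line):
            parsed["hidden"].append((m.group(1), int(m.group(2))))
        elif m := ADS_RE.match(line):
            parsed["ads"].append((m.group(1), m.group(2)))
    return parsed


def module_name(path):
    """Lower-case file name of an NT object path such as \\??\\C:\\WINNT\\...\\x.sys."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_hooks(parsed):
    """Group SSDT hooks by hooking module and name the vendor when it is a known product."""
    hooks = {}
    for path, func in parsed["ssdt"]:
        name = module_name(path)
        entry = hooks.setdefault(
            name, {"vendor": KNOWN_SECURITY_MODULES.get(name, "UNKNOWN"), "functions": []}
        )
        entry["functions"].append(func)
    return hooks


def ads_by_stream(parsed):
    """Map each stream name to the sorted list of files carrying it."""
    streams = defaultdict(set)
    for path, stream in parsed["ads"]:
        streams[stream].add(path)
    return {s: sorted(files) for s, files in streams.items()}


def suspicious_streams(parsed, min_files=3):
    """Stream names that are not known-benign and recur on at least min_files files."""
    hits = [
        (stream, len(files))
        for stream, files in ads_by_stream(parsed).items()
        if stream not in BENIGN_STREAMS and len(files) >= min_files
    ]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def triage_report(text):
    """Human-readable summary; unknown hooking modules and recurring streams are the leads."""
    parsed = parse_gmer(text)
    lines = []
    for name, info in sorted(classify_hooks(parsed).items()):
        lines.append(f"SSDT hooks by {name} [{info['vendor']}]: {', '.join(info['functions'])}")
    for proc, pid in parsed["hidden"]:
        lines.append(f"hidden process: {proc} (pid {pid})")
    for stream, count in suspicious_streams(parsed):
        lines.append(f"ADS stream {stream!r} on {count} files: investigate")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_LOG))
```

On the log above this script reports all SSDT hooks as belonging to avast! and ZoneAlarm, the two hidden processes (zapro.exe and vsmon.exe, both ZoneAlarm), and a single stream name that appears on files on every drive; that last item is the one a defender would still want to account for before calling the machine clean.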
pino (Hero in the grace of the gods; registered 21/09/06 14:39; posts: 126; location: varese)

Posted: 24 Sep 2006 16:07    Subject:

thanks again!!

bye