Olimpo Informatico

[holifay]

NOOOOOOOOOO me l´hai ammazzato !!!!!


Il mio file NUL.ETZ.... quello che non si riusciva a zippare lo avevo coccolato, nello script non avvevo messo apposta il comando per cancellarlo in modo da farlo andare in C:>Avenger e tu cosa hei fatto? Hai avviato Virit che l´ha cancellato

Vabbè, mandami almeno questo C:>Avenger>hiberfil.sys

Per il Log di GMER, azzidenti quanto è lungo... non è che hai selezionato l´opzione di mostrare tutti i driver nascosti (anche quewlli sicuri?). C´è un flag Show all che devi lasciare deselezionato.

Adesso me lo studio nel weekend, spero di finire per lunedì

PS: non usare ancora quel PC in Internet...

Ciao

[excelsis]

Mi dispiace...
Non conoscevo i tuoi progetti.
In uno degli ultimi post mi avevi invitato a riprovare a prendere NUL.ETZ, ma avevi aggiunto che non aveva importanza e che le informazioni che avevamo erano sufficienti.
Cosi" non mi sono dato pena.
Se vuoi provo a riprendere il Virus. Non sono capace di negarti nulla...

Come ti ho scritto nell)ultimo post, AVENGER l'ho fatto girare con l'opzione SHOW ALL selezionata. Non avevo istruzioni e sono andato a sentimento.

Prima che tu faccia lavoro inutile, lo ripasso come vuoi tu e ti posto il log.

Non uso quel PC in rete, ma é un po' complicato...

[excelsis]

Dimenticavo di ringraziarti...
Ah, PS: il file che non si riusciva a zippare era lpt6.exe, e quello te l'ho preso. Nul.etz era quello che dava zero byte... Disperazione uguale?

PS 2:

In C:\Doc&Settings\SalvatoreCeli\ImpLocali\Temporary Internet Files\Content IE5 ho tutta una serie di files non evidenziati dalla Gestione Risorse di Win XP.
Li cancello con Avenger? Farlo uno alla volta con DarkSpy mi sembra impresa ardua?

[excelsis]

Ecco GMER LOG ridotto (show all deselezionato) come volevi.
Rispetto alla scansione completa che già hai, sono scomparsi tutti gli avvisi di attività rootkit. Me ne dai una brevissima spiegazione?



SCANSIONE ROOTKIT:
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-08 02:39:29
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT SSI.SYS ZwCreateKey
SSDT SSI.SYS ZwCreateProcess
SSDT SSI.SYS ZwCreateProcessEx
SSDT SSI.SYS ZwDeleteKey
SSDT SSI.SYS ZwDeleteValueKey
SSDT SSI.SYS ZwRenameKey
SSDT SSI.SYS ZwSetInformationKey
SSDT SSI.SYS ZwSetValueKey

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP_POWER [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP_POWER [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP_POWER [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP_POWER [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [F74EF20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP_POWER [F74EF20C] SSI.SYS

---- EOF - GMER 1.0.10 ----


SCANSIONE AUTOSTART:
GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-07-08 03:49:27
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
WRNotifier@DLLName = WRLogonNTF.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
ewido security suite control /*ewido security suite control*/@ = D:\Programmi 2\ewido anti-malware\ewidoctrl.exe
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
svcWRSSSDK /*Webroot Spy Sweeper Engine*/@ = C:\Programmi\Webroot\Spy Sweeper\WRSSSDK.exe
viritsvclite /*Virit eXplorer Lite*/@ = D:\VEXPLITE\viritsvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@VIRIT LITE MONITORD:\VEXPLITE\MONLITE.EXE = D:\VEXPLITE\MONLITE.EXE
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@LManagerC:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE = C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
@IgfxTrayC:\WINDOWS\System32\igfxtray.exe = C:\WINDOWS\System32\igfxtray.exe
@HotKeysCmdsC:\WINDOWS\System32\hkcmd.exe = C:\WINDOWS\System32\hkcmd.exe
@CloneCDTray"C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s = "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@ApointC:\Programmi\Apoint2K\Apoint.exe = C:\Programmi\Apoint2K\Apoint.exe
@AGRSMMSGAGRSMMSG.exe = AGRSMMSG.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{54D9498B-CF93-414F-8984-8CE7FDE0D391} = D:\Programmi 2\ewido anti-malware\shellhook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{7C9D5882-CB4A-4090-96C8-430BFE8B795B} /*Webroot Spy Sweeper Context Menu Integration*/C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL = D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL = D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/D:\Programmi 2\Microsoft Office\OFFICE11\msohev.dll = D:\Programmi 2\Microsoft Office\OFFICE11\msohev.dll
@{506F4668-F13E-4AA1-BB04-B43203AB3CC0} /*{506F4668-F13E-4AA1-BB04-B43203AB3CC0}*/D:\Programmi 2\Microsoft Office\Visio11\VISSHE.DLL = D:\Programmi 2\Microsoft Office\Visio11\VISSHE.DLL
@{D66DC78C-4F61-447F-942B-3FB6980118CF} /*{D66DC78C-4F61-447F-942B-3FB6980118CF}*/D:\Programmi 2\Microsoft Office\Visio11\VISSHE.DLL = D:\Programmi 2\Microsoft Office\Visio11\VISSHE.DLL
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/C:\Programmi\Unlocker\UnlockerCOM.dll = C:\Programmi\Unlocker\UnlockerCOM.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
WhoLockMe@{81ED7E40-2DE4-47ae-91CA-C3E8E8E98E22} = D:\Programmi 2\WhoLockMe\WhoLockMe.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
SpySweeper@{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Programmi\Unlocker\UnlockerCOM.dll
WhoLockMe@{81ED7E40-2DE4-47ae-91CA-C3E8E8E98E22} = D:\Programmi 2\WhoLockMe\WhoLockMe.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://global.acer.com = http://global.acer.com
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local PageC:\WINDOWS\SYSTEM32\blank.htm = C:\WINDOWS\SYSTEM32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.vodafone.it/vodafone/trilogy/jsp/homePage.do?tabName=HOME%20VODAFONE&ty_skip_md=true = http://www.vodafone.it/vodafone/trilogy/jsp/homePage.do?tabName=HOME%20VODAFONE&ty_skip_md=true
@Local PageC:\WINDOWS\SYSTEM32\blank.htm = C:\WINDOWS\SYSTEM32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mctp@CLSID = d:\programmi 2\Microsoft ActiveSync\aatp.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = NkbMonitor.exe.lnk

---- EOF - GMER 1.0.10 ----




La novità è costituita dal fatto che ho scoperto di avere LinkOptimizer tra i programmi della lista Add/Remove Software di Windows. La ricerca di qualunque traccia ?Link Optimizer? su Windows ha dato esito negativo.
Che cosa devo fare?

Mytempdir non accetta il file hiberfil.sys perché é troppo grande anche compresso. Non è che è il file d?ibernazione? Ti ricordo che il PC infetto è un portatile?

Scusami i ritardi, ma sono in viaggio ed il portatile infetto servirebbe... Ho qualche difficoltà a trovare un PC per internet.

[excelsis]

Il File Hiberfil.sys ha 507 Mb in originale e circa la metà compresso. Secondo me è il file d'ibernazione, che è più o meno grande come la RAM di sistema.
Tra l'altro, alla scansione con Avast questo file è sempre stato interdetto.

[holifay]

@excelsis: dunque, il file hiberfil.sys è sicuramente quello della sospensione di windows. Mi dispiace avertelo fatto spostare con avenger, non avevo cercato riferimenti in Internet perchè avevo capito che era un file nuovo sul PC, installato con quei nuovi dialer che Avast ti aveva trovato.
Non so se fartelo rimettere dove era o cancellarlo e farne creare uno nuovo da Windows.

Adesso in C: ce ne è un altro? Se sì cancella quello di backup nella cartella di Avenger.


Per quanto riguarda il log di GMER: adesso è tutto OK
GMER come altri antirootkit rileva i driver nascosti e li classifica come rootkit. Tra quelli però ci sono anche quelli di default Windows, che GMER riconosce e che non mostra a meno che non selezioni quella casella.

Anche il log di Autostart è a posto: la AppInit_Dlls è vuota, quindi dal punto di vista del trojan (che si carica da quella chiave) siamo tranquilli.

Mi resta una curiosità: tu avevi già controllato nell´elenco delle applicazioni se c´era linkptimizer vero? Mi pareva che ne avessimo parlato e che non l´avessi trovata... mentre adesso c´è. Mi viene il dubbio che il trojan nascondesse anche quel riferimento, per rendere più difficile la sua identificazione

Per cancellare quella voce, usa HijackTHis, quando lo apri clicca open the misc toos section, poi clicca uninstall manager, scorri l´elenco delle applicazioni, seleziona linkoptimizer e premi Delete this entry. Come in questa parte della guida: http://www.zeusnews.it/index.php3?ar=stampa&cod=4696

Io con avenger cancellerei tutta la cartella C:>Doc&Settings>tuo_user>ImpLocali>Temporary Internet Files, tanto è ricreata da Internet Explorer. Lo script deve essere del tipo:

[excelsis]

No, carissima Holifay, non abbiamo mai parlato di LinkOpt, ed io non ho mai controllato l)elenco Software di Win.

Del resto, all'inizio della nostra caccia non sapevamo della correlazione del nostro trj con LinkOpt

Ho Trovato LinkOpt analizzando ieri con HiJackThis. Credo che tu abbia ragione: dev'essere stato installato dal trj perchè non ricordo di averlo mai visto li ed ho buona memoria.

Stanotte opero e ti riferisco.
Grazie

[excelsis]

Scusa: sto usando una tastiera francese e faccio pasticci.
Intendevo dirti che il Trj probabilmente nascondeva il riferimento a LinkOpt.
Adesso che è annichilito la cosa é venuta fuori.
A presto e grazie

[excelsis]

@ HOLIFAY

Eccoti il mio report:
- il file C\hiberfil.sys è stato rigenerato dal sistema, identico a prima. Ho cancellato il backup di Avenger
- con un lavoro piuttosto lungo con Avenger ho cancellato la dir
C\Doc&Sett\Salvatore Celi\Impost locali\Temp Inter Files\Content.IE5. Ho dovuto procedere cartella per cartella.
- Con lavoro analogo ho cancellato anche la dir C\Doc&Sett\NetworkService\Impost locali\Temp Inter Files\Content.IE5
- e, siccome sono diventato guardingo, lì ho trovato un file che mi ha molto insospettito:
C\Doc&Sett\NetworkService\Impost locali\Temp Inter Files\Content.IE5\8L0HA1O7\putlcx[1]
L'ho postato in formato compresso su mytempdir (chiave: http://www.mytempdir.com/793410) ) Magari t'interessa...
- HijackThis: ho cancellato con successo l'entrata di LinkOptimizer secondo le istruzioni. Tuttavia ho i seguenti dubbi:
- ho cancellato solo l'entrata nella lista programmi di Win, o i files pericolosi che compongono l'infezione?
- da un regedit, infatti, scopro le voci seguenti:

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
nome dei due valori: 000-001
dati di entrambi: LinkOptimizer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\LinkOptimizer
nome dei tre valori: Predefinito; Changed; SlowInfoCache
dati: nullo; 0; esadecimale
HKEY_USERS\S-1-5-21-1482789601-1449655655-3289834387-1005\Software\Microsoft\Search Assistant\ACMru\5603
nome valori: 000-001
dati: LinkOptimizer

- la prima e l'ultima credo non siano preoccupanti, ma quella di mezzo mi perplime...

- Nel suo ultimo log, Guia suggerisce di controllare il servizio Soundman. Se lo ritieni necessario, puoi darmi istruzioni
- Infine, noto che il mio Uninstall command (indicato da HijackThis) per LinkOptimizer è:
"C:\Programmi\Internet Explorer\iexplore.exe" "http://notetol.com/uninstall.php"
anch'esso fa riferimento ad un sito internet, come tu e Guia indicavate. Faccio una scansione anti rootkit?

Questo è tutto. Grazie ed a presto

[guia]

Ti rispondo per il Soundman e per il rootkit. Per quest'ultimo fai la scansione con Gmer, indicando di verificare anche i files: nel notebook che ho per le mani ora risultava in file come Windows ffcfy1.dll, sicuramente installato da LO; per il Soundman in un ME non era quel che voleva far credere ed era sempre associato a LO.
Cercalo (dovrebbe essere in C:\Windows o in System32 se non e' quel che sembra) e col tasto destro clicca su Proprieta' e vedi se ci sono informazioni sulla scheda versione (dovrebbe dare il produttore etc) Se non c'e' nulla la cosa e' sospetta: "impacchettalo" ed invialo ad Holifay.

[holifay]

segui pure i suggerimenti di Guia, io non ho avuto quel trojan personalmente sul PC

Il file che hai caricato su Mytempdir porta semplicemente al link del rinnovo di symantec.

Hai il rootkit? Lo abbiamo appena eliminato, spero di no! Copmunque puoi sempre fare una scansione con GMER e se il log è diverso dall´ultimo fatto, inizia ad insospettirti.

Per quanto riguarda Arpcache si tratta di una sezione del registro che riporta alcune informazioni aggiuntive per la disinstallazione del software (es frequenza di utilizzo...). Sarebbe interessante vedere se c´è qualche info utile.

Un programma che decodifica le entries di Arpcache è questo: http://superwin.swmirror.com/arpcachz.exe

Puoi usarlo e cercare nella lista LinkOptimizer e vedere cosa riporta.

Con HijackThis abbiamo solo cancellato il riferimento, non il trojan che (spero) abbiamo però già cancellato con Avenger. Almeno nelle sue componenti attive.

Quando hai tempo fai qualche scansione online antivirus.

Ciao

[guia]

Si! le scansioni online finali sono essenziali! poiche' spesso si porta degli "amichetti" che restano ben ben nascosti: su questo portatile la scansione online ha trovato ancora e sono sicura che c'e' ancora qualcosa (svchost con valori ancora elevati)

[excelsis]

@ HOLIFAY

ARPCACHE: che genere d'informazioni vorresti?

[holifay]

le informazioni aggiuntive se ce ne sono relative a linkoptimizer. Credo però che siano scritte in esadecimale, quindi dovresti usare un viewer come quello che ti ho linkato

[excelsis]

EDIT BY HOLIFAY: mi spiace ma ho modificato per errore il tuo post
Ne ho recuperato solo una parte...

[excelsis]

Ho appena finito la scansione online dell'intero sistema con Kaspersky AV, come mi avevi suggerito: non ha trovato nulla.

Te ne accludo il log:

KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 11, 2006 5:08:11 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/07/2006
Kaspersky Anti-Virus database records: 194002


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 26280
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 00:20:28

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\Paramete.evt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\TEMP\Perflib_Perfdata_6ec.dat Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\ModemLog_Agere Systems AC'97 Modem.txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{D82FFE9F-A59F-44F0-97D1-4E967DEA667C}.bin Object is locked skipped

C:\WINDOWS\pfirewall.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped

C:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS7BDA1273-C8C5-43A4-A085-BC493F65747B.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSD74C0B8A-A64E-46E7-BECD-6594EEED2C54.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS2118D158-1C3C-4515-B9C9-A3FE312BF73C.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSE4870F8F-F259-4B41-AC33-7FDBE8BCCA4F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS18214D20-E4DA-4C69-9213-8002575D910A.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS32381390-6F20-47C0-A2B4-4D21437C1AE3.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS21AEC725-1B50-4AFD-904A-50D3507EC1B2.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS160F56EE-CF9D-4744-92B3-FD4FD7CD5FA1.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSE29FB471-CA40-44A8-9FAA-8E21F760ADEA.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS2D7B4871-92B5-4E1E-B729-4358D000ADF2.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSD753D61C-F266-4826-BBB7-3E700FD7AE2F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSE704449C-93C8-4FEE-B4AD-467F2094A9CF.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS1B82B525-56A1-4834-A677-965F104AE91C.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSE6F0F8C8-EC7D-4462-A97B-B642CE7F97F8.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS4924EF7D-6AEA-4B4E-9E91-5D6FD85701CD.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS84AC0AC9-6A5E-4FFF-9342-E4892EC6E3A9.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS4E60113C-DA56-4F04-9CFD-EA57F6A92675.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS44CFC685-7903-4AA5-91F6-5C5BDD195485.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS1673BEE9-4023-4FA4-91DD-C4E67B183F89.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSE35619DC-806F-4156-9C45-BAFD37B06A10.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSBB36ED48-41B2-4C1C-94D4-42695ACFB152.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSB24E0FD6-24E8-4BA1-9842-9A4231DF818F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS5E6B9B62-0B5B-4E37-86C0-44D5B82540E0.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSBC90CA8E-9B31-498F-82CC-AA7C5AE92D62.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS3C0A239E-D75B-49CF-8A6D-A1E3B7DF2F6A.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSFABD53B1-95A3-4824-9C3F-468F563704D6.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS82CC8811-14CC-4404-9D83-9133D6478562.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSA35B1469-C791-48B3-BF64-6FBD2EB9F509.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSBA1D25AC-1ECF-4390-84BD-E410F45A1E32.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSD803FA1C-3E02-4D55-93EB-7530F6DF6BFD.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSC694DC6C-56D3-42B6-B07B-99D90771FAED.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS8C42018E-34AB-423C-8E6B-89447722C52D.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSBC7D92D7-070C-4992-91D5-7644F7846AC0.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS1ED3F225-82F0-49FC-B01C-065F5BB20507.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS301A5054-F87E-446A-B996-157C5C2C7F06.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS3E77ABA1-7AB2-40C5-B043-698C5410CEDF.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS26658B8C-25AE-4F33-AF9D-4627BB4420FA.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSDB7270E3-E78E-48FA-9BD8-7F2208BF7550.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS7C21FABD-B50D-4FFF-B57C-1CEC9B7AA091.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS18F2F28C-26F0-46B9-AB4F-AC00CC67628F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS26D13026-9A56-4B9F-9696-FD8B0F8CED47.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS53816F49-AF40-412F-A9D5-170711084A4A.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS208DE84E-61F4-4753-9D20-A4F89723A795.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSF7D3B3DB-1F6A-4A60-8524-570777F4BB23.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSFFF15991-DF99-4D50-918C-3CE7D08655A6.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS3A19449B-6135-4678-A286-D54649BFB90C.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS3814386D-060E-43AA-8F87-C4965959FB6E.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS18B96B41-36BB-4E3E-B731-8AA71BA97026.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS2F711557-1B9A-4777-8604-368D1F50EE95.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSB4DE6AB6-CA8C-4863-B552-644D071C85C6.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS2861BB24-DC78-45F6-84A8-8C51AC759812.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS36D6216A-45CE-470F-BA82-BFE6C71184FE.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS753A179D-B2ED-4675-80EB-F9685FD9CA3E.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS833B8834-D6EE-437F-AEE9-9D37813A1BE1.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS2D435535-AEDC-4D2C-8AF7-ADEBA8AE93E4.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS8E610BA2-317F-48E5-88F7-12EA1F139791.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS086BFE12-6965-473C-BF2B-48CD719F3B31.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSCAA46999-4693-4DB4-A60B-07714E77F59F.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSA8EB6F90-1B29-4824-9E67-75C167415921.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS057FD59C-2E3A-4398-AF6E-B89A34F1D914.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS1F0432E1-3FA7-4572-8973-038EE810DC8B.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSFB9588C8-3F91-4B46-B6ED-F6EFA6BBE31E.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS4CCD69E6-5354-42CE-8DC5-7810C7671FCA.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS2938BD2F-0716-488C-8BC3-4774AF54EA5A.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS5FAAA1F4-7CB8-4C44-8449-3ACFD4707E45.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS5DCCC6CF-7B17-4DF7-AEDC-D9B687161F8A.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS795F214C-1DBB-44D3-8ADC-216E7CA3ADF2.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCS36C6ECD8-A8FA-46C3-A69B-62182A3530A2.tmp Object is locked skipped

C:\Documents and Settings\LocalService\Dati applicazioni\Webroot\Spy Sweeper\Temp\SSCSE95E2EDE-ED6A-40E0-A6FA-38CFF3D5DA8C.tmp Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Salvatore Celi\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Salvatore Celi\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Salvatore Celi\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Salvatore Celi\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Salvatore Celi\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Salvatore Celi\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Salvatore Celi\ntuser.dat Object is locked skipped

C:\Programmi\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Programmi\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

C:\Programmi\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Programmi\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\System Volume Information\_restore{10DA8896-7ED5-4572-81C0-76222F761DCF}\RP2\change.log Object is locked skipped

D:\System Volume Information\_restore{10DA8896-7ED5-4572-81C0-76222F761DCF}\RP2\change.log Object is locked skipped

D:\VEXPLITE\VIRITMON.LOG Object is locked skipped

D:\VEXPLITE\Salvatore Celi\reg.dat Object is locked skipped

D:\VEXPLITE\reg_ecc.dat Object is locked skipped

Scan process completed.


Pensi che ce l'abbiamo fatta?
Grazie. Sempre grazie.

[guia]

@excelsis: bene! non e' partito il rootkit (o lo avevi gia' eliminato) ed il Soundman e'quello legittimo!

[guia]

Update sul notebook con LinkOptimizer:
dopo averlo ripulito (anche lui aveva le dll in ads) restava una attivita' di svchost eccessiva nonostante il riavvio.
All'accensione di stamattina, per verifica, ecco il guaio! E' zoppo!, sparite le connessioni di rete, impossibili gestire il computer a parte la visualizzazione (non posso avviare o fermare servizi etc) alterato il funzionamento della barra programmi etc etc, in compenso l'attivvita' di svchost e' tornata normale!
Il notebook in questione era abbastanza abitato e presumo che si fosse creata una situazione di "interdipendenza" fra i vari virus. In cocnlusione, se oltre al LinkOptimizer c'e' qualcosa d'altro, attenzione!

[holifay]

@ excelsis

[guia]

Notebook risolto: e' stata una azione tipo Blaster (il servizio RPC inattivabile); cancellando la relativa voce dal registro , che lo legava evidentemente all'utente fittizio del Linkoptimizer, e' ripartito tutto per bene.