mortisia, Devoted Mortal
Joined: 12/07/06 17:31 Posts: 13
Posted: 13 Jul 2006 20:21 Subject: Help with LinkOptimizer [solved]
Dear Holifay, here are the logs:
Hijack:
Logfile of HijackThis v1.99.1
Scan saved at 20.33.20, on 13/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\ahead\InCD\InCD.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\System32\UAService7.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\VEXPLITE\viritsvc.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Temp\uvll1.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alice.it/aliceadsl/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Infinito
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LaunchList] C:\Programmi\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [uvll1.exe] C:\WINDOWS\Temp\uvll1.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Programmi\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.infinito.it/bnl
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147925811015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF4C9733-09D3-4A3A-B3B0-81FE7C196515}: NameServer = 85.37.17.14 85.38.28.78
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Estensione eventi dll (evedll) - Unknown owner - C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: odf - Unknown owner - C:\:OET.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
and the two from GMER:
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-13 20:44:08
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.10 ----
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
---- Devices - GMER 1.0.10 ----
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_DEVICE_CONTROL [B6B794AC] BsUDF.SYS
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_DEVICE_CONTROL [B6B794AC] BsUDF.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B6EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [B6EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B6EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [B6EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [B6EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B6EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [B6EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B6EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [B6EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [B6EE8230] vsdatant.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_DEVICE_CONTROL [B6B797F0] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_DEVICE_CONTROL [B6B797F0] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_DEVICE_CONTROL [B6B797F0] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_DEVICE_CONTROL [B6B797F0] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_DEVICE_CONTROL [B6B797F0] BsUDF.SYS
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL [B6B794AC] BsUDF.SYS
---- Registry - GMER 1.0.10 ----
Reg \Registry\MACHINE\SOFTWARE\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0xAF 0xB5 0x5D 0x06 ...
Reg \Registry\MACHINE\SOFTWARE\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0xA4 0x23 0x9F 0xAF ...
---- Files - GMER 1.0.10 ----
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{F4BAA166-C2BC-47C6-8360-761A3D5862F9}
File C:\WINDOWS\gdlct1.dll
File C:\WINDOWS\gdlct1.upd
---- EOF - GMER 1.0.10 ----
GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-07-13 20:34:24
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName = Ati2evxx.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\:biodm.rom
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey Poller@ = %SystemRoot%\System32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
evedll /*Estensione eventi dll*/@ = C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe /*file not found*/
ewido security suite control /*ewido security suite control*/@ = C:\Programmi\ewido anti-malware\ewidoctrl.exe
GEARSecurity@ = system32\gearsec.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
NOD32krn /*NOD32 Kernel Service*/@ = C:\Programmi\Eset\nod32krn.exe
odf /*odf*/@ = "C:\:OET.exe"
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\System32\wdfmgr.exe
UserAccess7 /*SecuROM User Access Service (V7)*/@ = C:\WINDOWS\System32\UAService7.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
WinDefend /*Windows Defender Service*/@ = "C:\Programmi\Windows Defender\MsMpEng.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ATIPTAC:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
@SmappC:\Programmi\Analog Devices\SoundMAX\SMTray.exe = C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
@StorageGuard"C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r = "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
@dlaC:\WINDOWS\system32\dla\tfswctrl.exe = C:\WINDOWS\system32\dla\tfswctrl.exe
@InCDC:\Programmi\ahead\InCD\InCD.exe = C:\Programmi\ahead\InCD\InCD.exe
@Synchronization Manager%SystemRoot%\system32\mobsync.exe /logon = %SystemRoot%\system32\mobsync.exe /logon
@LaunchListC:\Programmi\Pinnacle\Studio 8\LaunchList.exe /*file not found*/ = C:\Programmi\Pinnacle\Studio 8\LaunchList.exe /*file not found*/
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@nod32kuiC:\Programmi\Eset\nod32kui.exe /WAITSERVICE = C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_06\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
@Adobe Photo Downloader"C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" = "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@Windows Defender"C:\Programmi\Windows Defender\MSASCui.exe" -hide = "C:\Programmi\Windows Defender\MSASCui.exe" -hide
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE
@Zone Labs ClientC:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe = C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
@uvll1.exeC:\WINDOWS\Temp\uvll1.exe = C:\WINDOWS\Temp\uvll1.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@H/PC Connection Agent"C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE" = "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
@Skype"C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized = "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}C:\PROGRA~1\WIFD1F~1\MpShHook.dll = C:\PROGRA~1\WIFD1F~1\MpShHook.dll
@{54D9498B-CF93-414F-8984-8CE7FDE0D391}C:\Programmi\ewido anti-malware\shellhook.dll = C:\Programmi\ewido anti-malware\shellhook.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{5CA3D70E-1895-11CF-8E15-001234567890} /*DriveLetterAccess*/(null) =
@{B089FE88-FB52-11d3-BDF1-0050DA34150D} /*NOD32 Context Menu Shell Extension*/C:\Programmi\Eset\nodshex.dll = C:\Programmi\Eset\nodshex.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
ewido@{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Programmi\ewido anti-malware\context.dll
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ewido@{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Programmi\ewido anti-malware\context.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar1.dll = c:\programmi\google\googletoolbar1.dll
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\ssbezier.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.alice.it/aliceadsl/index.html = http://www.alice.it/aliceadsl/index.html
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mctp@CLSID = C:\Programmi\Microsoft ActiveSync\aatp.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = imon.dll
000000000002@PackedCatalogItem = imon.dll
000000000003@PackedCatalogItem = imon.dll
000000000004@PackedCatalogItem = imon.dll
000000000005@PackedCatalogItem = imon.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021@PackedCatalogItem = imon.dll
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Gamma Loader.exe.lnk = Adobe Gamma Loader.exe.lnk
Alice ti aiuta.lnk = Alice ti aiuta.lnk
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Microsoft Office.lnk = Microsoft Office.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk
---- EOF - GMER 1.0.10 ----
In the Documents and Settings folder there are the following folders:
Administrator, All Users, Default User, LocalService, NetworkService, Proprietario, all created in February 2004
and the folder:
SVVGRKiZSyUFqjREYL, created Thursday 11 May 2006, 17.47.19
... considering that this is a virus I've had since May...
In C:/Programmi there are no hidden files (hidden folders, yes).
NB: Mamma mia, I've been chasing this little charmer for two months.
Thanks
m.
holifay, Mature God
Joined: 08/03/05 09:48 Posts: 2912 Location: Milano
Posted: 13 Jul 2006 21:46
Welcome to our forums, mortisia. You can tell you've been carrying this around for more than a month.
Oh well, let's see whether we can remove it in one go.
Uninstall, from Control Panel >> Add or Remove Programs, every entry you find for JAVA, JAVA RUNTIME. When the cleanup is finished you'll be able to install the latest update.
Download The Avenger and extract the executable to the desktop.
Download ATF Cleaner from Atribune and save it to the desktop.
Copy the contents of the box below into a Notepad file and save it to the desktop with a .bat extension. Call it forum.bat and run it (double-click).
Quote:
rem stop, disable and delete the two rogue services listed as O23 in the log
rem (sc has no "disable" verb; the disable form is "config <service> start= disabled")
sc stop evedll
sc config evedll start= disabled
sc delete evedll
sc stop odf
sc config odf start= disabled
sc delete odf
Start HijackThis, then close all windows and applications. Leave only HijackThis open. Click Do a system scan only, put a check mark on these entries and press Fix checked:
Quote:
O4 - HKLM\..\Run: [uvll1.exe] C:\WINDOWS\Temp\uvll1.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: Estensione eventi dll (evedll) - Unknown owner - C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe (file missing)
O23 - Service: odf - Unknown owner - C:\:OET.exe
Select the contents of the box below with the mouse and press CTRL+C to put it on the clipboard:
Quote:
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Files to replace with dummy:
C:\WINDOWS\Temp\uvll1.exe
C:\:OET.exe
C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe
C:\WINDOWS\gdlct1.dll
C:\WINDOWS\gdlct1.upd
C:\:biodm.rom
Files to delete:
C:\WINDOWS\Temp\uvll1.exe
C:\:OET.exe
C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe
C:\WINDOWS\gdlct1.dll
C:\WINDOWS\gdlct1.upd
C:\:biodm.rom
Folders to Delete:
C:\DOCUMENTS AND SETTINGS\SVVGRKiZSyUFqjREYL
C:\WINDOWS\Temp
- start The Avenger and select "Input Script Manually"
- click the icon with the magnifying glass
- a new window will open that says "View/edit script"
- paste what you copied above by pressing Ctrl+V
- click Done
- click the icon with the traffic light on green to run the script
- answer "Yes" twice
If it doesn't reboot, reboot it yourself.
After the reboot, check with HijackThis whether the entries you fixed earlier have disappeared. If you see them again, remove them again.
Still in HijackThis, click Open the misc tools section >> Open Uninstall Manager. Select the linkoptimizer entry and press Delete this entry.
Start ATF Cleaner, click the Main menu and then tick the Select All box. Now click the Empty Selected button and wait for the "Done Cleaning!" message.
Reboot in safe mode (F8 at boot) and run a scan with VIRIT.
Reboot in normal mode and download RegSrch.zip. Extract the RegSrch.vbs script from the archive and put it on the desktop. Then run it and, in the window that opens, type gdlct1.dll. Then wait..... when a WordPad window opens, copy/paste its contents here.
Also post the contents of the file c:\avenger.txt and a new HijackThis log.
Bye!
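As an added example, not code from this thread nor from HijackThis, GMER or The Avenger, here is a small Python triage script that applies holifay's checks mechanically: it flags the HijackThis lines fixed above (an autostart launched from \WINDOWS\Temp, a service whose file is missing, a service path such as C:\:OET.exe that is an alternate data stream on the root of C:), flags the AppInit_DLLs value shown in the GMER autostart log, and names the NTSTATUS codes that The Avenger reports in the reply that follows. Sample lines are copied from the logs in the thread; the NTSTATUS names are the ones from ntstatus.h.

```python
import re

# NTSTATUS values The Avenger reports for lines it could not process
# (names taken from the Windows ntstatus.h header).
NTSTATUS_NAMES = {
    0xC0000033: "STATUS_OBJECT_NAME_INVALID",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

# "C:\:OET.exe" is not a file inside a directory: it is an alternate data
# stream (ADS) named OET.exe attached to the root directory of C:.  A tool
# that does not expect a stream name there cannot open the path, which is
# what the Avenger log shows for these entries.
ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\:[^\\]+$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# A Windows path ending in one of the extensions seen in the thread's logs.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|scr|upd|rom)\b", re.IGNORECASE)


def flag_hijackthis_line(line):
    """Return the reasons (possibly none) a HijackThis line deserves review."""
    reasons = []
    m = re.match(r"^(O\d+|R\d)\s+-\s+(.*)$", line.strip())
    if not m:
        return reasons
    section, body = m.groups()
    if "(file missing)" in body:
        reasons.append("points at a file that no longer exists")
    for path in PATH_RE.findall(body):
        if ADS_PATH_RE.match(path):
            reasons.append("%s is an alternate data stream on the drive root" % path)
        if section == "O4" and TEMP_DIR_RE.search(path):
            reasons.append("autostart runs %s from a Temp directory" % path)
    return reasons


def flag_gmer_autostart_line(line):
    """Flag a non-empty AppInit_DLLs value in GMER's autostart listing.

    Every DLL named there is loaded into each process that links user32.dll,
    so on a home PC the value is normally empty."""
    reasons = []
    key, sep, value = line.strip().partition(" = ")
    value = value.strip()
    if sep and key.endswith("@AppInit_DLLs") and value:
        reasons.append("AppInit_DLLs is set to %s" % value)
        if ADS_PATH_RE.match(value):
            reasons.append("%s is an alternate data stream on the drive root" % value)
    return reasons


def avenger_failures(log_text):
    """Map each path The Avenger could not process to its NTSTATUS name."""
    failures = {}
    lines = [text.strip() for text in log_text.splitlines()]
    for i, text in enumerate(lines):
        # Avenger prints the offending path on the next line, then "Status: 0x...".
        if text == "Could not process line:" and i + 2 < len(lines):
            m = re.match(r"Status:\s*(0x[0-9A-Fa-f]+)", lines[i + 2])
            if m:
                code = int(m.group(1), 16)
                failures[lines[i + 1]] = NTSTATUS_NAMES.get(
                    code, "unknown NTSTATUS %#010x" % code)
    return failures


# Sample input constructed from the logs posted in this thread.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe",
    r"O4 - HKLM\..\Run: [uvll1.exe] C:\WINDOWS\Temp\uvll1.exe",
    r"O23 - Service: Estensione eventi dll (evedll) - Unknown owner - "
    r"C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe (file missing)",
    r"O23 - Service: odf - Unknown owner - C:\:OET.exe",
]
SAMPLE_GMER_LINE = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\:biodm.rom"
SAMPLE_AVENGER_LOG = r"""File C:\WINDOWS\Temp\uvll1.exe replaced with dummy successfully.
Could not back up file C:\:OET.exe
Replacement with dummy of file C:\:OET.exe failed!
Could not process line:
C:\:OET.exe
Status: 0xc0000033
File C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe not found!
Could not process line:
C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe
Status: 0xc0000034
"""


def triage(hjt_lines=SAMPLE_HJT_LINES, gmer_lines=(SAMPLE_GMER_LINE,),
           avenger_log=SAMPLE_AVENGER_LOG):
    """Collect every flagged line and every Avenger failure into one report."""
    report = {"hijackthis": {}, "gmer": {}, "avenger": avenger_failures(avenger_log)}
    for line in hjt_lines:
        reasons = flag_hijackthis_line(line)
        if reasons:
            report["hijackthis"][line] = reasons
    for line in gmer_lines:
        reasons = flag_gmer_autostart_line(line)
        if reasons:
            report["gmer"][line] = reasons
    return report


if __name__ == "__main__":
    for source, entries in triage().items():
        print("== %s ==" % source)
        for key, value in entries.items():
            print(key, "->", value)
```

Status 0xc0000033 is STATUS_OBJECT_NAME_INVALID: the `C:\:name` stream paths were rejected as given, which is why those two entries survived the script while the ordinary files under \WINDOWS were deleted.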
mortisia, Devoted Mortal
Joined: 12/07/06 17:31 Posts: 13
Posted: 14 Jul 2006 19:32
Done!
Avenger log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qjmbkuh^
*******************
Script file located at: \??\C:\Program Files\apfsgyjw.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\Temp\uvll1.exe replaced with dummy successfully.
Could not back up file C:\:OET.exe
Replacement with dummy of file C:\:OET.exe failed!
Could not process line:
C:\:OET.exe
Status: 0xc0000033
File C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe not found!
Replacement with dummy of file C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe failed!
Could not process line:
C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe
Status: 0xc0000034
File C:\WINDOWS\gdlct1.dll replaced with dummy successfully.
File C:\WINDOWS\gdlct1.upd replaced with dummy successfully.
Could not back up file C:\:biodm.rom
Replacement with dummy of file C:\:biodm.rom failed!
Could not process line:
C:\:biodm.rom
Status: 0xc0000033
File C:\WINDOWS\Temp\uvll1.exe deleted successfully.
Could not delete file C:\:OET.exe
Deletion of file C:\:OET.exe failed!
Could not process line:
C:\:OET.exe
Status: 0xc0000033
File C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe not found!
Deletion of file C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe failed!
Could not process line:
C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe
Status: 0xc0000034
File C:\WINDOWS\gdlct1.dll deleted successfully.
File C:\WINDOWS\gdlct1.upd deleted successfully.
Could not delete file C:\:biodm.rom
Deletion of file C:\:biodm.rom failed!
Could not process line:
C:\:biodm.rom
Status: 0xc0000033
Folder C:\DOCUMENTS AND SETTINGS\SVVGRKiZSyUFqjREYL deleted successfully.
Folder C:\WINDOWS\Temp deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Completed script processing.
*******************
Finished! Terminate.
Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 20.07.23, on 14/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\ahead\InCD\InCD.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alice.it/aliceadsl/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Infinito
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LaunchList] C:\Programmi\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Programmi\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\JavaSoft\JRE\1.3.1_13\bin\npjava131_13.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\JavaSoft\JRE\1.3.1_13\bin\npjava131_13.dll (file missing)
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.infinito.it/bnl
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147925811015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF4C9733-09D3-4A3A-B3B0-81FE7C196515}: NameServer = 85.37.17.14 85.38.28.78
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Estensione eventi dll (evedll) - Unknown owner - C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
As you'll notice, the line:
O23 - Service: Estensione eventi dll (evedll) - Unknown owner - C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe (file missing)
is one I just can't delete (and what about the O9 - Extra button (no name)... lines?)
RegSrch says it did not find "gdlct1.dll"
I found a Java folder in Windows; should I delete it?
Thanks, thanks, dear Holifay!
mortisia (Devoted Mortal)
Joined: 12/07/06 17:31 Posts: 13
Posted: 15 Jul 2006 11:00 Subject:
Dear Holi,
I noticed that when I run a scan with Panda Online I still show up with "adware/searchaid" (the other two are programs Marco had given me).
Here's the log:
Incident Status Location
Adware:adware/searchaid Not disinfected c:\windows\n_uydcpf.dat
Virus:W32/Bagle.pwdzip Disinfected C:\Documents and Settings\Proprietario\Desktop\Amvinfe - Marco de Felice\SmitfraudFix.zip
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Proprietario\Desktop\Amvinfe - Marco de Felice\smtfrd\SmitfraudFix\Process.exe
Also, in the Windows folder I have no temp folder; do I need to put it back?
PS: I had gotten a bit discouraged (you know, after two months...), but your confidence is contagious... Thanks
m.
holifay (Mature God)
Joined: 08/03/05 09:48 Posts: 2912 Location: Milano
Posted: 15 Jul 2006 14:25 Subject:
OK, I'd say we're doing well: in my opinion we have deactivated it.
We still have to remove a few now-inactive leftovers from the computer. The LinkOptimizer symptoms should be gone by now... how does the PC seem to be running?
To finish the job:
First let's delete the service. Open a DOS window (Start >> Run, type CMD in the box and press Enter) and in that window type the following in sequence, pressing Enter at the end of each command:
sc stop evedll
sc delete evedll
Tell me what messages you get, please.
Then start HijackThis and, with all windows closed, fix these entries:
Quote:
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\JavaSoft\JRE\1.3.1_13\bin\npjava131_13.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\JavaSoft\JRE\1.3.1_13\bin\npjava131_13.dll (file missing)
O23 - Service: Estensione eventi dll (evedll) - Unknown owner - C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe (file missing)
Redo the log to see whether that service is gone. If the O23 entry is still there, use RegSrch.vbs and type d7gw42.exe in the search box; if the window that opens finds any registry keys, report them here. If it finds nothing, repeat with evedll as the value to search for.
Then please check whether you find this folder, h0rbk4r, under C:\windows\downlo~1\ (note that this is a short name; the real name you'll see will be longer, something like Downloaded Programs or similar).
Now let's delete the searchaid (it should be inactive anyway). Simply delete the file C:\windows\n_uydcpf.dat. If you can't do it from Explorer, use Avenger as before with this script:
Quote:
Files to replace with dummy:
C:\windows\n_uydcpf.dat
Files to delete:
C:\windows\n_uydcpf.dat
Now let's try to figure out where the files Avenger couldn't delete ended up:
1) search with Explorer for the files :biodm.rom and :OET.exe. They should be in C:\ Search for them, obviously, with hidden/system folders visible.
2) Since their names begin with a colon, they may instead be in ADS, so let's check right away. Open HijackThis, press Open the misc tools section, then click Open ADS Spy... and untick the Quick Scan box. When it finishes, save the log and paste it in your next reply.
Finally, run the GMER scans again (rootkit tab + autorun).
In your next reply you should post:
- the new HijackThis log
- the ADS log made with HijackThis
- the two GMER logs
- whether you found the h0rbk4r folder and whether you managed to delete the file C:\windows\n_uydcpf.dat
Ciao
PS: is the Java folder full or empty? The c:\windows\temp folder should be recreated by Windows when needed.
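As an added illustration of the triage holifay is doing by eye in this post (example code written for this edit, not a tool from the thread or from HijackThis), here is a small Python script that reads HijackThis O9/O23 lines and ADS Spy lines and flags the kinds of entries the post singles out: entries whose target file is missing, a service whose binary sits under Downloaded Program Files (the 8.3 alias Downlo~1, a folder meant for ActiveX controls, not services), and alternate data streams with unfamiliar names on files under the Windows directory. The sample lines are copied from the logs posted in this thread; the allow-list of benign stream names and the list of unusual service directories are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed subset of the HijackThis 1.99 log lines posted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\JavaSoft\JRE\1.3.1_13\bin\npjava131_13.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\JavaSoft\JRE\1.3.1_13\bin\npjava131_13.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O23 - Service: Estensione eventi dll (evedll) - Unknown owner - C:\WINDOWS\Downlo~1\h0rbk4r\d7gw42.exe (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
"""

# Constructed subset of the HijackThis ADS Spy output posted later in the thread.
ADS_SAMPLE = r"""
C:\Documents and Settings\Proprietario\Documenti\DVD\prova\prova.dvd : Afp_AfpInfo (48 bytes)
C:\WINDOWS\jautoexp.dat : khyit (7473 bytes)
C:\WINDOWS\ODBC.INI : mwtcr (11152 bytes)
C:\WINDOWS\rsoftinfo.dat : dcvds (0 bytes)
"""

# Assumed allow-list: streams that Windows, Mac-compatible shares (Afp_*) and
# Office write routinely. Anything else on a file under C:\WINDOWS gets flagged.
KNOWN_BENIGN_STREAMS = {
    "Zone.Identifier", "Afp_AfpInfo", "Afp_Resource", "encryptable",
    "SummaryInformation", "DocumentSummaryInformation",
}

# Assumed list of directories where a service binary has no business living
# (lower-case substrings; "downlo~1" is the 8.3 alias seen in the log).
UNUSUAL_SERVICE_DIRS = (
    "\\downlo~1\\", "\\downloaded program files\\",
    "\\temp\\", "\\temporary internet files\\",
)

# O23 - Service: <name> - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$")
# O9 - Extra <kind>: <name> - {CLSID} - <path>[ (file missing)]
O9_RE = re.compile(
    r"^O9 - (?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
# ADS Spy: <host file> : <stream name> (<size> bytes)
ADS_RE = re.compile(r"^(?P<file>.+?) : (?P<stream>\S+) \((?P<size>\d+) bytes\)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def triage_hjt(text: str) -> list[Finding]:
    """Flag O9/O23 entries that are orphaned or point into an odd directory."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line) or O9_RE.match(line)
        if not m:
            continue  # other sections (O4, R0, ...) are not triaged here
        if m.group("missing"):
            findings.append(Finding(line, "orphaned entry: target file is missing"))
        if line.startswith("O23"):
            path = m.group("path").lower()
            if any(d in path for d in UNUSUAL_SERVICE_DIRS):
                findings.append(Finding(
                    line, f"service binary in an unusual directory (owner: {m.group('owner')})"))
    return findings


def triage_ads(text: str) -> list[Finding]:
    """Flag streams with unfamiliar names on files under the Windows directory."""
    findings = []
    for raw in text.splitlines():
        m = ADS_RE.match(raw.strip())
        if not m:
            continue
        host, stream, size = m.group("file"), m.group("stream"), m.group("size")
        if host.lower().startswith("c:\\windows\\") and stream not in KNOWN_BENIGN_STREAMS:
            findings.append(Finding(
                raw.strip(), f"unexpected stream '{stream}' ({size} bytes) on a Windows-directory file"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE) + triage_ads(ADS_SAMPLE):
        print(f"[{f.reason}]\n    {f.line}")
```

A hit is a prompt to look, not a verdict: HijackThis prints "Unknown owner" for any binary without a company name in its version resource (NOD32 and the ATI services in the log above are harmless examples), so the script keys on the binary's location rather than the owner field, and the stream allow-list will need widening on a machine where other software writes its own streams.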
mortisia (Devoted Mortal)
Joined: 12/07/06 17:31 Posts: 13
Posted: 16 Jul 2006 11:02 Subject:
Dearest Goddess Patatina,
it really looks like the problem has finally been eradicated at the root.
Here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10.44.59, on 16/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\ahead\InCD\InCD.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Windows Defender\MSASCui.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\gearsec.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Eset\nod32krn.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\UAService7.exe
C:\VEXPLITE\viritsvc.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.alice.it/aliceadsl/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Infinito
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [LaunchList] C:\Programmi\Pinnacle\Studio 8\LaunchList.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Programmi\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.infinito.it/bnl
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147925811015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
...the ADS one:
C:\Documents and Settings\Proprietario\Documenti\DVD\Archivio Foto\Archivio Foto.dvd : Afp_AfpInfo (48 bytes)
C:\Documents and Settings\Proprietario\Documenti\DVD\Foto 2003 e 2004\Foto 2003 e 2004.dvd : Afp_AfpInfo (48 bytes)
C:\Documents and Settings\Proprietario\Documenti\DVD\Foto 2003 e 2004\Sources\Menus\Video_Dpgc_Tsf.mpg : Afp_AfpInfo (48 bytes)
C:\Documents and Settings\Proprietario\Documenti\DVD\mago pancione\mago pancione.dvd : Afp_AfpInfo (48 bytes)
C:\Documents and Settings\Proprietario\Documenti\DVD\Matrimonio\Matrimonio.dvd : Afp_AfpInfo (48 bytes)
C:\Documents and Settings\Proprietario\Documenti\DVD\prova\prova.dvd : Afp_AfpInfo (48 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\A love so beautiful - Orbison_ses\A love so beautiful - Orbison.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Acquarius_ses\Acquarius.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Amor Mio - Mina_ses\Amor Mio - Mina.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Angelo - Renga_ses\Angelo - Renga.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Annie's Song New Age_ses\Annie's Song New Age.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Ci Sarai - Renga_ses\Ci Sarai - Renga.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Colonne sonore Karnak\It's raining Men (Il diario di Bridget Jones)_ses\It's raining Men (Il diario di Bridget Jones).ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Colonne sonore Karnak\When a man loves a woman (When a man loves a woman)_ses\When a man loves a woman (When a man loves a woman).ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Di sole e d'azzurro - Giorgia_ses\Di sole e d'azzurro - Giorgia.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Fuori dal Tunnel - Caparezza_ses\Fuori dal Tunnel - Caparezza.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Imbranato - Ferro_ses\Imbranato - Ferro.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\La finestra di fronte - Giogia_ses\La finestra di fronte - Giogia.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Last of the mohicans Thme_ses\Last of the mohicans Thme.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\May it Be - Enya_ses\May it Be - Enya.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Obsession - Avventura_ses\Obsession - Avventura.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Pachelbel's Canon - violini_ses\Pachelbel's Canon - violini.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Pachelbel's Canon_ses\Pachelbel's Canon.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Paid my dues - Anastacia_ses\Paid my dues - Anastacia.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Pulstar - Vangelis_ses\Pulstar - Vangelis.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Stairway to Heaven New Age Intro_ses\Stairway to Heaven New Age Intro.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\The Comedians - Orbison_ses\The Comedians - Orbison.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Vacanze Romane - Matia Bazar_ses\Vacanze Romane - Matia Bazar.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Vengo dalla luna - Caparezza_ses\Vengo dalla luna - Caparezza.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Musica\Per Fotografie\Volteggiandoci_ses\Volteggiandoci.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Video\Balletto intero_ses\Balletto intero.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Video\magopanc_ses\magopanc.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Video\Matrimonio ClaTho_ses\Matrimonio ClaTho.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Video\Matrimonio_ses\Matrimonio.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Video\Matr_com_ses\Matr_com.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Video\Per filmato Francia\Senza titolo_20040818_5_ses\Senza titolo_20040818_5.ses : Afp_AfpInfo (32 bytes)
C:\Documents and Settings\Proprietario\Documenti\Video\sfondo matrimonio_ses\sfondo matrimonio.ses : Afp_AfpInfo (32 bytes)
C:\WINDOWS\$NtUninstallKB896358_0$\hh.exe : tszvk (7473 bytes)
C:\WINDOWS\jautoexp.dat : khyit (7473 bytes)
C:\WINDOWS\MAPPER.INI : hiwoi (4870 bytes)
C:\WINDOWS\ODBC.INI : mwtcr (11152 bytes)
C:\WINDOWS\rsoftinfo.dat : dcvds (0 bytes)
C:\WINDOWS\wmprfrus.prx : ksyki (0 bytes)
C:\WINDOWS\Zapotec.bmp : igupt (11152 bytes)
...the two GMER ones:
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-07-16 10:33:11
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.10 ----
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
---- Devices - GMER 1.0.10 ----
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_DEVICE_CONTROL [F80671C9] tfsnifs.sys
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_DEVICE_CONTROL [F80671C9] tfsnifs.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [EB857230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [EB857230] vsdatant.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_DEVICE_CONTROL [F801B7F0] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_DEVICE_CONTROL [F801B7F0] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_DEVICE_CONTROL [F801B7F0] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_DEVICE_CONTROL [F801B7F0] BsUDF.SYS
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_DEVICE_CONTROL [F801B7F0] BsUDF.SYS
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL [F801B4AC] BsUDF.SYS
---- Registry - GMER 1.0.10 ----
Reg \Registry\MACHINE\SOFTWARE\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0xAF 0xB5 0x5D 0x06 ...
Reg \Registry\MACHINE\SOFTWARE\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0xA4 0x23 0x9F 0xAF ...
---- Files - GMER 1.0.10 ----
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{F4BAA166-C2BC-47C6-8360-761A3D5862F9}
---- EOF - GMER 1.0.10 ----
GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-07-16 10:38:33
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName = Ati2evxx.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey Poller@ = %SystemRoot%\System32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
ewido security suite control /*ewido security suite control*/@ = C:\Programmi\ewido anti-malware\ewidoctrl.exe
GEARSecurity@ = system32\gearsec.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
NOD32krn /*NOD32 Kernel Service*/@ = C:\Programmi\Eset\nod32krn.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\System32\wdfmgr.exe
UserAccess7 /*SecuROM User Access Service (V7)*/@ = C:\WINDOWS\System32\UAService7.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
WinDefend /*Windows Defender Service*/@ = "C:\Programmi\Windows Defender\MsMpEng.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ATIPTAC:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
@SmappC:\Programmi\Analog Devices\SoundMAX\SMTray.exe = C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
@StorageGuard"C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r = "C:\Programmi\File comuni\Sonic\Update Manager\sgtray.exe" /r
@dlaC:\WINDOWS\system32\dla\tfswctrl.exe = C:\WINDOWS\system32\dla\tfswctrl.exe
@InCDC:\Programmi\ahead\InCD\InCD.exe = C:\Programmi\ahead\InCD\InCD.exe
@Synchronization Manager%SystemRoot%\system32\mobsync.exe /logon = %SystemRoot%\system32\mobsync.exe /logon
@LaunchListC:\Programmi\Pinnacle\Studio 8\LaunchList.exe /*file not found*/ = C:\Programmi\Pinnacle\Studio 8\LaunchList.exe /*file not found*/
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@nod32kuiC:\Programmi\Eset\nod32kui.exe /WAITSERVICE = C:\Programmi\Eset\nod32kui.exe /WAITSERVICE
@Adobe Photo Downloader"C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" = "C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@Windows Defender"C:\Programmi\Windows Defender\MSASCui.exe" -hide = "C:\Programmi\Windows Defender\MSASCui.exe" -hide
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE
@Zone Labs ClientC:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe = C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@H/PC Connection Agent"C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE" = "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
@Skype"C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized = "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}C:\PROGRA~1\WIFD1F~1\MpShHook.dll = C:\PROGRA~1\WIFD1F~1\MpShHook.dll
@{54D9498B-CF93-414F-8984-8CE7FDE0D391}C:\Programmi\ewido anti-malware\shellhook.dll = C:\Programmi\ewido anti-malware\shellhook.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{5CA3D70E-1895-11CF-8E15-001234567890} /*DriveLetterAccess*/(null) =
@{B089FE88-FB52-11d3-BDF1-0050DA34150D} /*NOD32 Context Menu Shell Extension*/C:\Programmi\Eset\nodshex.dll = C:\Programmi\Eset\nodshex.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
ewido@{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Programmi\ewido anti-malware\context.dll
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ewido@{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Programmi\ewido anti-malware\context.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar1.dll = c:\programmi\google\googletoolbar1.dll
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\ssbezier.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.alice.it/aliceadsl/index.html = http://www.alice.it/aliceadsl/index.html
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mctp@CLSID = C:\Programmi\Microsoft ActiveSync\aatp.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = imon.dll
000000000002@PackedCatalogItem = imon.dll
000000000003@PackedCatalogItem = imon.dll
000000000004@PackedCatalogItem = imon.dll
000000000005@PackedCatalogItem = imon.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021@PackedCatalogItem = imon.dll
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Gamma Loader.exe.lnk = Adobe Gamma Loader.exe.lnk
Alice ti aiuta.lnk = Alice ti aiuta.lnk
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Microsoft Office.lnk = Microsoft Office.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk
---- EOF - GMER 1.0.10 ----
I did not find the "h0rbk4r" folder, and I managed to delete (on the first try) the file "C:\windows\n_uydcpf.dat"
When I went into DOS I got the following results:
"sc stop evedll" [SC] ControlService FAILED 1062: Servizio non avviato
"sc delete evedll" [SC] DeleteService SUCCESS
Already on the first run of HijackThis the infamous entry was gone: O23 - Service: Estensione eventi dll (evedll) ...etc.
When I then searched (anyway) for evedll with RegSrch, it gave me this response:
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "evedll" 16/07/2006 9.48.33
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_EVEDLL]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_EVEDLL\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_EVEDLL\0000]
"Service"="evedll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\evedll]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\evedll\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\evedll\Security]
Is everything OK?
I could not find the files ":biodm.rom" and ":OET.exe" anywhere, neither in the visible folders nor in the hidden ones.
The Java folder is full (10.9 MB), with the subfolders classes, Packages, trustlib.
By the way, can I reinstall it now? Where do I find it?
Dear Holi, thanks again, Thanks, THANKS!
m.
holifay, Mature God
Registered: 08/03/05 09:48  Posts: 2912  Location: Milano
Posted: 16 Jul 2006 18:20
Would you make me a gift package, seeing as you've solved it?
Download CAT.ZIP and extract the executable cat.exe to the desktop. Then copy the contents of the box below into a text file and give it the .bat extension. Call it, for example, zncat.bat. Now launch it with a double click.
Quote:
cat C:\WINDOWS\$NtUninstallKB896358_0$\hh.exe:tszvk > tszvk.bak
cat C:\WINDOWS\jautoexp.dat:khyit > khyit.bak
cat C:\WINDOWS\MAPPER.INI:hiwoi > hiwoi.bak
cat C:\WINDOWS\ODBC.INI:mwtcr > mwtcr.bak
cat C:\WINDOWS\Zapotec.bmp:igupt > igupt.bak
After a few moments you should have 5 files with the .bak extension on your desktop.
Make a nice zip file and put them in it together with these:
C:\WINDOWS\$NtUninstallKB896358_0$\hh.exe
C:\WINDOWS\jautoexp.dat
C:\WINDOWS\MAPPER.INI
C:\WINDOWS\ODBC.INI
C:\WINDOWS\rsoftinfo.dat
C:\WINDOWS\wmprfrus.prx
C:\WINDOWS\Zapotec.bmp
So that's 12 files. Then send me the archive at www.suspectfile.com, thanks.
After that, while waiting for Suspectfile's reply, start HijackThis and run an ADS scan as before (Open ADS Spy). Tick the checkbox next to these entries and then press Remove Selected (note: the files are not deleted, only the content hidden in the ADS and "attached" to them. If necessary we will delete those files later.)
Quote:
C:\WINDOWS\$NtUninstallKB896358_0$\hh.exe : tszvk (7473 bytes)
C:\WINDOWS\jautoexp.dat : khyit (7473 bytes)
C:\WINDOWS\MAPPER.INI : hiwoi (4870 bytes)
C:\WINDOWS\ODBC.INI : mwtcr (11152 bytes)
C:\WINDOWS\rsoftinfo.dat : dcvds (0 bytes)
C:\WINDOWS\wmprfrus.prx : ksyki (0 bytes)
C:\WINDOWS\Zapotec.bmp : igupt (11152 bytes)
Now every trace of LinkOptimizer is gone from your PC.
I would still advise you to install the patch against the WMF exploit vulnerability (you'll find the link in the sticky post on LinkOptimizer), otherwise you risk getting infected again while browsing the Internet.
And while you're at it, give some thought to whether you should use Firefox or Opera.
Bye!
mortisia, Devoted Mortal
Registered: 12/07/06 17:31  Posts: 13
Posted: 17 Jul 2006 22:00
WOW!!!!
Dear Holifay, you are a real TREASURE!!
I'm in for the gift! Just tell me where to deliver it. Wowowow!!
Two whole months of agony and now... poof! Vanished!
Ahhh, what a sigh of relief!
Anyway, I almost have to thank the Insidious Little Fellow, because it made me discover this wonderful Forum (I've already had a peek outside the "security" section too).
I'm also starting to understand a bit more about PCs (from "totally clueless" to "fairly clueless"... it's a step forward!) and I must admit it's an incredible world.
To me your "magic" is still a complete mystery but, step by step... who knows.
THANKS again to You and to the other "GODS", you are truly precious!
PS: I've installed the patch; as for Firefox and Opera... first I'll find out what they are (wandering around Olympus) and then...
Bye bye from mortisia
holifay, Mature God
Registered: 08/03/05 09:48  Posts: 2912  Location: Milano
Posted: 17 Jul 2006 23:45
Thanks for the gift.
I don't know what those files in the ADS are and no antivirus recognizes them, but they shouldn't be there.
So I would delete them. Open HijackThis, press Open the Misc Tools section > Open ADS Spy..., tick the box next to these entries and press Remove selected
Quote:
C:\WINDOWS\$NtUninstallKB896358_0$\hh.exe : tszvk (7473 bytes)
C:\WINDOWS\jautoexp.dat : khyit (7473 bytes)
C:\WINDOWS\MAPPER.INI : hiwoi (4870 bytes)
C:\WINDOWS\ODBC.INI : mwtcr (11152 bytes)
C:\WINDOWS\rsoftinfo.dat : dcvds (0 bytes)
C:\WINDOWS\wmprfrus.prx : ksyki (0 bytes)
C:\WINDOWS\Zapotec.bmp : igupt (11152 bytes)
That way we won't have to think about it any more.
What is Firefox? It's worth a try: http://www.mozillaitalia.org/firefox/
Bye
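Both of holifay's posts above follow the same two-step procedure: first preserve each hidden stream with "cat file:stream > stream.bak", then strip the streams with ADS Spy's Remove Selected without deleting the host files. The script below is an added example written for this thread; it is not code from the forum, from HijackThis or from cat.exe. It does the same job with Windows PowerShell on a current system: it lists every named alternate data stream on the quoted files, writes each stream to a .bak file before touching it, and removes a stream only when -Remove is given. It assumes Windows PowerShell 3.0 to 5.1 (Get-Item -Stream and -Encoding Byte), and the backup folder on the desktop and the function name are assumptions; the file list is the one quoted in the thread.

```powershell
# Added example, not from the thread: enumerate, back up and (optionally) remove
# named alternate data streams (ADS) from a list of NTFS files.
# Assumes Windows PowerShell 3.0-5.1 (Get-Item -Stream, -Encoding Byte).
# The file paths are the ones quoted in the thread; $BackupDir is an assumption.

function Backup-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $BackupDir = (Join-Path $env:USERPROFILE 'Desktop\ads-backup'),
        [switch] $Remove
    )

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            Write-Warning "not found: $file"
            continue
        }

        # '-Stream *' returns one object per stream, including the unnamed main
        # stream ':$DATA'; only the named streams are the hidden content ADS Spy lists.
        Get-Item -LiteralPath $file -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $name = $_.Stream
                # Zone.Identifier is the normal "downloaded from the Internet" mark
                # written by IE and Explorer; report it but do not treat it as suspicious.
                $benign = ($name -eq 'Zone.Identifier')

                # Back up the stream bytes before doing anything to it, the same
                # step the thread performs with "cat file:stream > stream.bak".
                $bak = Join-Path $BackupDir ('{0}_{1}.bak' -f (Split-Path -Leaf $file), $name)
                $bytes = Get-Content -LiteralPath $file -Stream $name -Encoding Byte -ReadCount 0
                if ($null -eq $bytes) { $bytes = New-Object byte[] 0 }   # 0-byte streams
                [System.IO.File]::WriteAllBytes($bak, [byte[]]$bytes)

                if ($Remove -and -not $benign) {
                    # Removes only the named stream; the host file and its main
                    # stream stay intact, exactly as ADS Spy's Remove Selected does.
                    Remove-Item -LiteralPath $file -Stream $name
                }

                [pscustomobject]@{
                    File    = $file
                    Stream  = $name
                    Bytes   = $_.Length
                    Backup  = $bak
                    Benign  = $benign
                    Removed = [bool]($Remove -and -not $benign)
                }
            }
    }
}

# Files quoted in the thread (single quotes keep the '$' in the path literal).
$Suspect = @(
    'C:\WINDOWS\$NtUninstallKB896358_0$\hh.exe',
    'C:\WINDOWS\jautoexp.dat',
    'C:\WINDOWS\MAPPER.INI',
    'C:\WINDOWS\ODBC.INI',
    'C:\WINDOWS\rsoftinfo.dat',
    'C:\WINDOWS\wmprfrus.prx',
    'C:\WINDOWS\Zapotec.bmp'
)

# First pass: inventory and back up only. Add -Remove once the backups are in hand.
Backup-AlternateDataStream -Path $Suspect |
    Format-Table File, Stream, Bytes, Benign, Removed -AutoSize
```

Run it once without -Remove to get the same inventory ADS Spy shows (file, stream name, size) plus a .bak copy of every stream, which is what the thread wants sent to Suspectfile for analysis; run it again with -Remove to drop the streams while leaving the host files in place, which is the distinction mortisia asks about further down the thread.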
mortisia, Devoted Mortal
Registered: 12/07/06 17:31  Posts: 13
Posted: 18 Jul 2006 17:34
Hi,
I had already pressed "Remove selected"
Quote:
run an ADS scan as before (Open ADS Spy). Tick the checkbox next to these entries and then press Remove Selected (note: the files are not deleted, only the content hidden in the ADS and "attached" to them. If necessary we will delete those files later.)
and indeed I can't find them there any more...
...now do I have to delete the files directly from the folders you pointed me to last time?
Quote:
C:\WINDOWS\$NtUninstallKB896358_0$\hh.exe
C:\WINDOWS\jautoexp.dat
C:\WINDOWS\MAPPER.INI
C:\WINDOWS\ODBC.INI
C:\WINDOWS\rsoftinfo.dat
C:\WINDOWS\wmprfrus.prx
C:\WINDOWS\Zapotec.bmp
Thanks dear...
m.
holifay, Mature God
Registered: 08/03/05 09:48  Posts: 2912  Location: Milano
Posted: 18 Jul 2006 19:27
Noooo, they're legitimate!
Otherwise I would have told you.
Bye!
mortisia, Devoted Mortal
Registered: 12/07/06 17:31  Posts: 13
Posted: 19 Jul 2006 17:33
Oooops! I was about to do some damage....
Thanks
m.