Punto informatico Network
Login Esegui login | Non sei registrato? Iscriviti ora (è gratuito!)
Username: Password:
  • Annuncio Pubblicitario

dialer 0202

Un virus si è intromesso nel tuo computer? Vuoi navigare in tutta sicurezza? Sono sicure le transazione online? Come impedire a malintenzionati di intromettersi nel tuo pc? Come proteggere i tuoi dati? Qui trovi le risposte a queste ed altre domande

dialer 0202

Messaggioda evergreen » mer dic 27, 2006 9:22 am

Salve, da parecchi giorni sto "lottando" contro un maledetto dialer che mi apre nuove connessioni dal nome "0202" che si collegano a numeri 899. Avendo l'adsl non mi preoccupo per il bollettone telecom, ma è praticamente impossibile navigare a causa delle continue intrusioni di questa connessione.
Aiutatemi perché non mi rimarrebbe che formattare e voglio bene al mio hard disk [acc2]
ecco il file log di hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 6.08.42, on 27/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\GSICON.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\InterVideo\WinDVR\WinScheduler.exe
C:\Programmi\Screenshot Utility\ScreenshotUtility.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\DOCUME~1\EMATHE~1\IMPOST~1\Temp\L404.exe
C:\DOCUME~1\EMATHE~1\IMPOST~1\Temp\L446.exe
C:\DOCUME~1\EMATHE~1\IMPOST~1\Temp\L281.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ema The Voice\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freeforumzone.leonardo.it/viewforum.aspx?f=12780
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find.fm/?aid=3827&sid=99
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O1 - Hosts: 200.73.174.154 STORAGE.HOSTANCE.NET
O1 - Hosts: 200.73.174.154 STORAGE-TASP.COM
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [TerraTec Remote Control] C:\Programmi\TerraTec\Cinergy 400 TV\TTTVRC.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programmi\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [H2O] C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Programmi\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Screenshot Utility.lnk = C:\Programmi\Screenshot Utility\ScreenshotUtility.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digisoft AntiDialer.lnk = C:\Programmi\Digisoft AntiDialer\AntiDialer.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Programmi\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {01E69986-A054-4C52-ABE8-EF63DF1C5211} - http://www.peakclick.com/toolbar/3827/toolbar.cab
O16 - DPF: {0F222EC8-205D-463F-90C9-D7249B333F09} - http://advnt01.biz/dialer/int_ver1.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (Damage Cleanup Server Control) - http://213.158.72.33/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b31267.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.trafficredlight.net/10243-23.exe
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/i ... c929e00dac
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B95D902B-1E7B-4FCE-A965-BDF6C8278DB6}: NameServer = 85.37.17.39 85.38.28.71
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe

---------------------------------------------
grazie in anticipo
Avatar utente
evergreen
Aficionado
Aficionado
 
Messaggi: 47
Iscritto il: mer dic 27, 2006 9:15 am

Re: dialer 0202

Messaggioda crazy.cat » mer dic 27, 2006 9:47 am

Svuota i file in questa cartella
C:\DOCUME~1\EMATHE~1\IMPOST~1\Temp\L404.exe
C:\DOCUME~1\EMATHE~1\IMPOST~1\Temp\L446.exe
C:\DOCUME~1\EMATHE~1\IMPOST~1\Temp\L281.exe

Rifai la scansione con hijackthis, metti il flag nelle caselle di queste righe e poi premi fix.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find.fm/?aid=3827&sid=99
R3 - Default URLSearchHook is missing
O1 - Hosts: 200.73.174.154 STORAGE.HOSTANCE.NET
O1 - Hosts: 200.73.174.154 STORAGE-TASP.COM
O16 - DPF: {01E69986-A054-4C52-ABE8-EF63DF1C5211} - http://www.peakclick.com/toolbar/3827/toolbar.cab
O16 - DPF: {0F222EC8-205D-463F-90C9-D7249B333F09} - http://advnt01.biz/dialer/int_ver1.CAB
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.trafficredlight.net/10243-23.exe
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/i ... c929e00dac
O20 - AppInit_DLLs:

Sai cosa sono questi due programmi?
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O4 - Startup: Screenshot Utility.lnk = C:\Programmi\Screenshot Utility\ScreenshotUtility.exe
Quando i molti governano, pensano solo a contentar sé stessi, si ha allora la tirannia più balorda e più odiosa: la tirannia mascherata da libertà.
Avatar utente
crazy.cat
MLI Hero
MLI Hero
 
Messaggi: 30959
Iscritto il: lun gen 12, 2004 1:38 pm
Località: Mestre

Messaggioda evergreen » mer dic 27, 2006 12:46 pm

allora prima di tutto grazie mille per la tua risposta cosi' celere, poi ho eliminato e fixato tutto cio' che mi hai detto tranne questo:
O20 - AppInit_DLLs:
mi da un errore di routine se non sbaglio, come procedo?

Poi per i due programmi che mi hai linkato SCREENSHOT UTILITY è un programma che utilizzo per fare gli screen shot dal desktop (quindi un programma "pulito") l'altro dovrebbe essere uno dei 1000 programmi che avevo scaricato per eliminare sto maledetto dialer, controllo e ti faccio sapere.
Avatar utente
evergreen
Aficionado
Aficionado
 
Messaggi: 47
Iscritto il: mer dic 27, 2006 9:15 am


Messaggioda evergreen » mer dic 27, 2006 12:50 pm

no il primo non so cosa sia, lo rimuovo?
Avatar utente
evergreen
Aficionado
Aficionado
 
Messaggi: 47
Iscritto il: mer dic 27, 2006 9:15 am

Messaggioda crazy.cat » mer dic 27, 2006 1:19 pm

evergreen ha scritto:no il primo non so cosa sia, lo rimuovo?

Potrebbe essere la protezione di qualche gioco o programma, però non ne sono sicuro.
ci sono un mucchio di informazioni su siti russi o polacchi ma non capisco niente.
Potresti provare a caricare il file sfrem01.exe sul sito www.virustotal.com e vedere se si tratta di un virus o se è pulito.

Hai fatto una scansione completa con superantispyware, c'erano alcuni adware da ripulire più a fondo.

Codice: Seleziona tutto
O20 - AppInit_DLLs:
mi da un errore di routine se non sbaglio, come procedo?

Potresti dare il messaggio preciso?
Avatar utente
crazy.cat
MLI Hero
MLI Hero
 
Messaggi: 30959
Iscritto il: lun gen 12, 2004 1:38 pm
Località: Mestre

Messaggioda evergreen » mer dic 27, 2006 1:32 pm

come non detto :| facendo la scansione con hijackthis "O20 - AppInit_DLLs" non compare piu', forse era solo un avviso prima di cancellare i file selezionati.
comunque scansionando con i 3000 mila antivirus che ci sono in quel bellissimo sito che mi hai dato non ha trovato virus in quell'exe. Ora faccio la scansione con SUPERAntiSpyware e ti faccio sapere cosa mi dice (anche se prima di togliere i file infetti mi dava come unico pericolo i cokie [uhm] )
comunque fin'ora nessuna disconnessione e nessun tentativo di aprire pagine con avast, solo che da quando mi è comparso sto dialer adesso sia incredimail che il rivelatore di periferiche di cubase non mi partono piu' all'avvio, si puo' far qualcosa per questo?
Grazie ancora per la tua gentilezza, sei stato l'unico a darmi una soluzione in tutto il web [rotfl]
Avatar utente
evergreen
Aficionado
Aficionado
 
Messaggi: 47
Iscritto il: mer dic 27, 2006 9:15 am

Messaggioda crazy.cat » mer dic 27, 2006 1:58 pm

evergreen ha scritto:sia incredimail che il rivelatore di periferiche di cubase non mi partono piu' all'avvio, si puo' far qualcosa per questo?

Impostazioni - barra delle applicazioni e menù avvio - Aggiungi e con sfoglia selezioni gli eseguibili del programma che vuoi far avviare e li metti poi in esecuzione automatica.
Al riavvio del pc partiranno pure i due programmi.
Avatar utente
crazy.cat
MLI Hero
MLI Hero
 
Messaggi: 30959
Iscritto il: lun gen 12, 2004 1:38 pm
Località: Mestre

Messaggioda Amantide » gio dic 28, 2006 3:54 pm

crazy.cat ha scritto:
evergreen ha scritto:no il primo non so cosa sia, lo rimuovo?

Potrebbe essere la protezione di qualche gioco o programma, però non ne sono sicuro.
ci sono un mucchio di informazioni su siti russi o polacchi ma non capisco niente.
Potresti provare a caricare il file sfrem01.exe sul sito www.virustotal.com e vedere se si tratta di un virus o se è pulito.

Da quel che c'è scritto sul forum di Kaspersky (quei siti in russo [fischio] ) sembra di capire che anche sfrem01.exe fa parte della infezione i files della quale si trovavano in cartella Temp, dovrebbe essere un Trojan.Downloader.
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

Messaggioda evergreen » gio dic 28, 2006 4:56 pm

allora il problema del dialer è definitivamente scomparso [crylol] solo che ora ho un altro problema, mi si formano degli exe come quelli che mi hai fatto togliere:
C:\DOCUME~1\EMATHE~1\IMPOST~1\Temp\L404.exe
cambiano sempre i numeri ma iniziano sempre con L e vanno in esecuzione, ogni volta devo cancellarli dai processi in esecuzione e poi eliminarli dalla cartella temp, c'e' quindi ancora qualcosa di infetto [cry] che faccio?
Avatar utente
evergreen
Aficionado
Aficionado
 
Messaggi: 47
Iscritto il: mer dic 27, 2006 9:15 am

Messaggioda Amantide » gio dic 28, 2006 5:02 pm

Posta un nuovo log di Hijackthis, cosi vediamo se è rimasto qualcosa che genera questi file. Sicuramente si tratta di un "nucleo" del trojan.downloader che non è stato eliminato e continua a riempire il computer di file infetti.
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

Messaggioda evergreen » gio dic 28, 2006 5:14 pm

eccolo:



Logfile of HijackThis v1.99.1
Scan saved at 9.25.48, on 28/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\GSICON.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programmi\InterVideo\WinDVR\WinScheduler.exe
C:\Programmi\Screenshot Utility\ScreenshotUtility.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\eMule\emule.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ema The Voice\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freeforumzone.leonardo.it/viewforum.aspx?f=12780
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programmi\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=122006 serial=DR12WES-3007622-EUW lang=IT
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [TerraTec Remote Control] C:\Programmi\TerraTec\Cinergy 400 TV\TTTVRC.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Programmi\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [H2O] C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Programmi\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Screenshot Utility.lnk = C:\Programmi\Screenshot Utility\ScreenshotUtility.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Programmi\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Aggiungi all'elenco di stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Anteprima Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Stampa ad alta velocità Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Stampa Easy-WebPrint - res://C:\Programmi\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (Damage Cleanup Server Control) - http://213.158.72.33/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Ba ... b31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B95D902B-1E7B-4FCE-A965-BDF6C8278DB6}: NameServer = 85.37.17.39 85.38.28.71
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe
Avatar utente
evergreen
Aficionado
Aficionado
 
Messaggi: 47
Iscritto il: mer dic 27, 2006 9:15 am

Messaggioda Amantide » gio dic 28, 2006 5:29 pm

Infatti, è sempre lui, lo sfrem01.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe

Visto che nel log non si vede nessun altro file sospetto, direi che è proprio sfrem01.exe essere la causa dei files che si ricreano in Temp.

Con aiuto di Unlocker prova ad eliminare questo file, dopodichè dev' essere eliminato anche il servizio, prova a farlo cosi:
Vai su Start--> Esegui--> digita sc stop SF FrontLine Drivers Auto Removal (v1) (sfrem01) e premi Ok.
Poi ripeti l'operazione eseguendo il secondo comando
sc delete SF FrontLine Drivers Auto Removal (v1) (sfrem01)

Visto il nome un po' lungo del servizio potresti non riuscire ad eliminarlo in questo modo, in tal caso usa il metodo sugerito da crazy.cat.

Per sicurezza fai una scansione con Kaspersky online e posta qui il log, ho letto che hanno implementato il riconoscimento di questo trojan, cosi potremmo vedere se c'è qualcosa non visibile nel log di Hijackthis.
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

Messaggioda evergreen » gio dic 28, 2006 6:42 pm

ho eliminato con Unlocker il file sfrem01.exe da system32, poi dal comando esegui ho inserito quelle due stringhe e mi si aperta per un frammento di secondo una finestra di dos, vuol dire che ha preso il comando? ho rifatto la scansione con hijackthis e pero' mi spunta:
023 Service: SF frontLine Drivers Auto Removal (v1) (sfrem01) - unknown owner - C:\WINDOWS\system32\sfrem01.exe (file missing)

al momento sto scansionando con kaspersky
Avatar utente
evergreen
Aficionado
Aficionado
 
Messaggi: 47
Iscritto il: mer dic 27, 2006 9:15 am

Messaggioda Amantide » gio dic 28, 2006 6:50 pm

Come avevo sospettato, a causa del nome lungo con le varie parentesi, il servizio non è stato eliminato. Poco male, prova ad eliminarlo in quest altro modo e facci sapere se quel file si rigenerano ancora.
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

Messaggioda evergreen » gio dic 28, 2006 9:27 pm

allora ho eliminato il processo dal regedit ed adesso non è piu' comparso ne nella cartella system32 ne tra i processi. La scansione con kaspersky mi ha evidenziato 4 virus ma non li ha cancellati ecco il log:

C:\Documents and Settings\Ema The Voice\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Cronologia\History.IE5\MSHist012006122820061229\index.dat Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temp\PXR2.tmp Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temp\PXR3.tmp Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temp\PXR4.tmp Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temp\PXR5.tmp Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temp\PXR6.tmp Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temp\PXR7.tmp Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temp\PXR8.tmp Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temp\PXR9.tmp Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\8PMNC96Z\drf1167158234[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\8PMNC96Z\drf1167158234[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\8PMNC96Z\drf1167158234[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\8PMNC96Z\drf1167158234[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\ABS7Q143\drf1167053975[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\ABS7Q143\drf1167053975[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\ABS7Q143\drf1167053975[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\ABS7Q143\drf1167053975[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\GDIZKPMF\drf1167173119[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\GDIZKPMF\drf1167173119[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\GDIZKPMF\drf1167173119[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\GDIZKPMF\drf1167173119[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\KD2NKXEV\drf1167216862[1].htm Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\KD2NKXEV\drf1167216862[1].htm.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\NJPHFB3T\drf1167290124[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\NJPHFB3T\drf1167290124[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\NJPHFB3T\drf1167290124[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\NJPHFB3T\drf1167290124[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\O9Y7WTAZ\drf1166707391[1].htm.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\O9Y7WTAZ\drf1167019942[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\O9Y7WTAZ\drf1167019942[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\O9Y7WTAZ\drf1167019942[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\O9Y7WTAZ\drf1167019942[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\O9Y7WTAZ\drf1167267793[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\O9Y7WTAZ\drf1167267793[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\O9Y7WTAZ\drf1167267793[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\O9Y7WTAZ\drf1167267793[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\SLMVK5MJ\drf1167042275[1].htm Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\SLMVK5MJ\drf1167042275[1].htm.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\SLMVK5MJ\drf1167297565[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\SLMVK5MJ\drf1167297565[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\SLMVK5MJ\drf1167297565[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\Impostazioni locali\Temporary Internet Files\Content.IE5\SLMVK5MJ\drf1167297565[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\Ema The Voice\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Ema The Voice\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Ema The Voice\UserData\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\L3SAJAII\drf1166475589[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\L3SAJAII\drf1166475589[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\L3SAJAII\drf1166475589[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\L3SAJAII\drf1166475589[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\L3SAJAII\drf1166791798[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\L3SAJAII\drf1166791798[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\L3SAJAII\drf1166791798[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\L3SAJAII\drf1166791798[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\L3SAJAII\drf1166857559[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\L3SAJAII\drf1166857559[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\L3SAJAII\drf1166857559[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\L3SAJAII\drf1166857559[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166599670[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166599670[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166599670[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166599670[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166705893[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166705893[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166705893[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166705893[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166776918[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166776918[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166776918[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166776918[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166799238[1].htm Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\OXYZ412Z\drf1166799238[1].htm.exe Infected: Trojan.Win32.Dialer.qn skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\Z1R60L6Z\drf1166468149[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\Z1R60L6Z\drf1166468149[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\Z1R60L6Z\drf1166468149[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\Z1R60L6Z\drf1166468149[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\Z1R60L6Z\drf1166784358[1].htm/EXE-file Infected: Trojan.Win32.Dialer.ri skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\Z1R60L6Z\drf1166784358[1].htm Embedded EXE: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\Z1R60L6Z\drf1166784358[1].htm UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\Impostazioni locali\Temporary Internet Files\Content.IE5\Z1R60L6Z\drf1166784358[1].htm PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Programmi\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Programmi\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Programmi\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped

C:\Programmi\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Programmi\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Programmi\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Programmi\Alwil Software\Avast4\DATA\report\Protezione residente.txt Object is locked skipped

C:\Programmi\eMule\Temp\001.part Object is locked skipped

C:\Programmi\File comuni\System\zsXjI.exe Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\ajumdjkc.exe Infected: Trojan-Clicker.Win32.Costrat.v skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Downloaded Program Files\116na\50b97yw.exe Infected: Trojan-Downloader.Win32.Small.dij skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{5FB4AB05-021B-4EC9-865A-503150199E02}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{A2829916-BC7C-450A-B9A8-D4E1553BECC0}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\drivers\sptd5949.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_5c8.dat Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

----------------------------
ho eliminato i cokie ed i file di internet visto che alcuni spuntavano di li, adesso che devo fare?

PS. grazie ancora per tutto quello che state facendo, mi sto rendendo conto che nel mio pc c'erano una marea di skifezze :|
Avatar utente
evergreen
Aficionado
Aficionado
 
Messaggi: 47
Iscritto il: mer dic 27, 2006 9:15 am

Messaggioda Amantide » gio dic 28, 2006 9:39 pm

Mi sa che i file infetti in Temp erano dovuti non al servizio eliminato (che comunque era da eliminare) ma ad una variante di LinkOptimizer (in cima alla sezione Sicurezza c'è una guida) o qualcosa di simile.

Mentre ricontrollo il log ed individuo i file da eliminare, mi fai la scansione con Gmer delle sezioni Autostart e Rootkit? Cosi avrò il quadro completo e ti dirò come poter eliminare tutto in una volta.
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

Messaggioda evergreen » gio dic 28, 2006 10:27 pm

eccoti l'autostart:

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-12-28 13:34:52
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
!SASWinLogon@DLLName = C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
AtiExtEvent@DLLName = Ati2evxx.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
acpWiFi /*Accesso periferica Wi-Fi Ex*/@ = C:\WINDOWS\Downlo~1\116na\50b97yw.exe
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
C-DillaCdaC11BA /*C-DillaCdaC11BA*/@ = C:\WINDOWS\system32\drivers\CDAC11BA.EXE
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SNDSrvc /*Symantec Network Drivers Service*/@ = "C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe" /*file not found*/
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UleadBurningHelper /*Ulead Burning Helper*/@ = C:\Programmi\File comuni\Ulead Systems\DVD\ULCDRSvr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@CorelDRAW Graphics Suite 11bC:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=122006 serial=DR12WES-3007622-EUW lang=IT /*file not found*/ = C:\Programmi\Corel\Corel Graphics 12\Languages\IT\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=122006 serial=DR12WES-3007622-EUW lang=IT /*file not found*/
@GSICONEXEGSICON.EXE = GSICON.EXE
@TerraTec Remote ControlC:\Programmi\TerraTec\Cinergy 400 TV\TTTVRC.exe /*file not found*/ = C:\Programmi\TerraTec\Cinergy 400 TV\TTTVRC.exe /*file not found*/
@AudioHQC:\Programmi\Creative\SBLive\AudioHQ\AHQTB.EXE = C:\Programmi\Creative\SBLive\AudioHQ\AHQTB.EXE
@SSBkgdUpdateC:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot /*file not found*/ = C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot /*file not found*/
@H2OC:\Programmi\SyncroSoft\Pos\H2O\cledx.exe /*file not found*/ = C:\Programmi\SyncroSoft\Pos\H2O\cledx.exe /*file not found*/
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime /*file not found*/ = "C:\Programmi\QuickTime\qttask.exe" -atboottime /*file not found*/
@Easy-PrintToolBoxC:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon /*file not found*/ = C:\Programmi\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon /*file not found*/
@UnlockerAssistant"C:\Documents and Settings\Ema The Voice\Desktop\Unlocker\UnlockerAssistant.exe" = "C:\Documents and Settings\Ema The Voice\Desktop\Unlocker\UnlockerAssistant.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@IncrediMailC:\Programmi\IncrediMail\bin\IncMail.exe /c = C:\Programmi\IncrediMail\bin\IncMail.exe /c
@BitTorrent"C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized /*file not found*/ = "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized /*file not found*/
@SUPERAntiSpywareC:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe = C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} = C:\Programmi\SUPERAntiSpyware\SASSEH.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{8FF88D21-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.5 Context Menu Shell Extension*/(null) =
@{8FF88D25-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.5 DragDrop Shell Extension*/(null) =
@{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.5 Context Menu Shell Extension*/(null) =
@{8FF88D23-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.5 Property Sheet Shell Extension*/(null) =
@CorelDRAW Shell Extension Component /*CorelDRAW Shell Extension Component*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/C:\Documents and Settings\Ema The Voice\Desktop\Unlocker\UnlockerCOM.dll = C:\Documents and Settings\Ema The Voice\Desktop\Unlocker\UnlockerCOM.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
DAP_Menu@{BED4C38B-F765-45AC-8C56-613F76BBF43E} = C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Documents and Settings\Ema The Voice\Desktop\Unlocker\UnlockerCOM.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll = C:\Programmi\MegauploadToolbar\megauploadtoolbar.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://freeforumzone.leonardo.it/vi ... px?f=12780 = http://freeforumzone.leonardo.it/viewforum.aspx?f=12780
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\Ema The Voice\Menu Avvio\Programmi\Esecuzione automatica = Screenshot Utility.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
InterVideo WinCinema Manager.lnk = InterVideo WinCinema Manager.lnk
InterVideo WinScheduler.lnk = InterVideo WinScheduler.lnk
Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.10 ----


-----------------------------------------------------------------------------
il rook:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-12-28 13:56:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT a347bus.sys ZwClose
SSDT a347bus.sys ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT a347bus.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT a347bus.sys ZwSetSystemPowerState
SSDT sptd.sys ZwSetValueKey

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 82F8D940
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 82FD92D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 82FD92D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 82FD92D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 82FD92D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B95D902B-1E7B-4FCE-A965-BDF6C8278DB6} IRP_MJ_CREATE 82B6D0E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 82FD9590
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSEIRP_MJ_READ 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 82CD71A8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP_POWER 82CD71A8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSEIRP_MJ_READ 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 82D91C18
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 82C90840
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_PNP 82C90840
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSEIRP_MJ_READ 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 82F61A00
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP_POWER 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_NAMED_PIPE 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSEIRP_MJ_READ 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_WRITE 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_EA 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_EA 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FLUSH_BUFFERS 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_VOLUME_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_VOLUME_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DIRECTORY_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FILE_SYSTEM_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_LOCK_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLEANUP 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_MAILSLOT 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_SECURITY 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_SECURITY 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CHANGE 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_QUOTA 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_QUOTA 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP_POWER 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSEIRP_MJ_READ 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 82F61A00
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP_POWER 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_NAMED_PIPE 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLOSEIRP_MJ_READ 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_WRITE 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_EA 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_EA 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FLUSH_BUFFERS 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_VOLUME_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_VOLUME_INFORMATION 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DIRECTORY_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FILE_SYSTEM_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SHUTDOWN 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_LOCK_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLEANUP 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_MAILSLOT 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_SECURITY 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_SECURITY 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_POWER 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SYSTEM_CONTROL 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CHANGE 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_QUOTA 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_QUOTA 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP 82F61A00
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP_POWER 82F61A00
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 82B6D0E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 82B6D0E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 82F8DBF8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSEIRP_MJ_READ 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 82CD7508
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP_POWER 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSEIRP_MJ_READ 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 82CD7508
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 82BC70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP_POWER 82BC70E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 82C690E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 82C690E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSEIRP_MJ_READ 82C690E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 82C906E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 82C690E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 82C690E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_EA 82C690E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 82FD9590
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 82CB10E8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CLOSEIRP_MJ_READ 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_WRITE 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_INFORMATION 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_EA 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_EA 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CLEANUP 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_SECURITY 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_POWER 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_SET_QUOTA 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_PNP 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port2Path0Target0Lun0 IRP_MJ_PNP_POWER 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_NAMED_PIPE 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLOSEIRP_MJ_READ 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_WRITE 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_INFORMATION 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_INFORMATION 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_EA 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_EA 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FLUSH_BUFFERS 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_VOLUME_INFORMATION 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_VOLUME_INFORMATION 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DIRECTORY_CONTROL 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FILE_SYSTEM_CONTROL 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CONTROL 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SHUTDOWN 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_LOCK_CONTROL 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLEANUP 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_MAILSLOT 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_SECURITY 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_SECURITY 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_POWER 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SYSTEM_CONTROL 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CHANGE 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_QUOTA 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_QUOTA 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_PNP 820F14A8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_PNP_POWER 820F14A8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 82CE2CF8

---- Modules - GMER 1.0.10 ----

Module _________ F8369000

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----
Avatar utente
evergreen
Aficionado
Aficionado
 
Messaggi: 47
Iscritto il: mer dic 27, 2006 9:15 am

Messaggioda Amantide » gio dic 28, 2006 10:39 pm

Stranamente nel log di Gmer non si vede nulla di sospetto, nemmeno i file visibili nel log di Kaspersky.
Ora scarica The Avenger, estrai archivio ed avvia il file Avenger.exe.
Seleziona l'opzione Input Script Manually, clicca sulla lente di ingrandimento e all'interno della finestra che si apre copia ed incolla queste righe:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\Downloaded Program Files\116na\50b97yw.exe
C:\WINDOWS\ajumdjkc.exe
C:\Programmi\File comuni\System\zsXjI.exe


Dopodiche clicca sul pulsante Done, poi 2 volte sull'icona del semaforo verde e rispondi due volte Yes .

Il pc dovrebbe riavviarsi da solo, se cosi non fosse riavvialo manualmente.
Alla fine allegami il log di Avenger che si trova in C:/avenger.txt (lo stesso che ti apparirà in una finestra DOS al riavvio).
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

Messaggioda evergreen » gio dic 28, 2006 10:57 pm

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ffbsudrn

*******************

Script file located at: \??\C:\Program Files\ifbylgdp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\Downloaded Program Files\116na\50b97yw.exe deleted successfully.
File C:\WINDOWS\ajumdjkc.exe deleted successfully.
File C:\Programmi\File comuni\System\zsXjI.exe deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.

*******************

Finished! Terminate.
Avatar utente
evergreen
Aficionado
Aficionado
 
Messaggi: 47
Iscritto il: mer dic 27, 2006 9:15 am

Messaggioda Amantide » gio dic 28, 2006 11:01 pm

Ok, ora il computer dovrebbe essere apposta [;)] ... o quasi.... dovresti installare anche un buon firewall, Comodo Firewall o Zone Alarm.
Facci sapere se noti qualche comportamento sospetto.
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

Prossimo

Torna a Sicurezza

Chi c’è in linea

Visitano il forum: Nessuno e 16 ospiti

Powered by phpBB © 2002, 2005, 2007, 2008 phpBB Group
Traduzione Italiana phpBB.it

megalab.it: testata telematica quotidiana registrata al Tribunale di Cosenza n. 22/09 del 13.08.2009, editore Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa Tutti i diritti sono riservati. Per la pubblicità: Master Advertising