
hdlrrr.exe

Posted: Sun May 20, 2007 9:02 pm
by Surg83
Hi everyone, I'm a newly registered member; I found this forum while looking for a solution to my problem: I don't know how, but while downloading some small programs that let me analyse biological molecules in 3D, I noticed that the icons of my antivirus AVAST and of my Spybot - Search & Destroy had disappeared. Frightened by this, I rushed to download the other antivirus, AntiVir, from the Avira site, but it could not be installed because this something, which I later found out to be the file HDLRRR.exe, was blocking the .exe files of Avira AntiVir, and even those of the free version of Norton taken from Google. I also tried the Sophos scan, as read on your forum, but it did not find the HDLRRR file.
Personally, having run the scan with HijackThis and having identified the file HDLRRR.exe, I also tried to remove it from Task Manager and from Windows System32, but it came back when the computer restarted. What else can I do? I'm also posting the HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 18.06.43, on 20/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmi\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\hldrrr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Spyware Doctor\svcntaux.exe
C:\Programmi\Spyware Doctor\swdsvc.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Programmi\Norton Security Scan\Nss.exe
C:\Programmi\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Luigi Marano\Desktop\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PmProxy] C:\Programmi\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Avvio veloce di Adobe Acrobat.lnk = ?
O4 - Global Startup: Avvio veloce di Adobe Acrobat.lnk.disabled
O4 - Global Startup: Google Updater.lnk.disabled
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk.disabled
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://mariokiss89.spaces.live.com//Pho ... nPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-U ... E_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4762480199
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: GoogleDesktopManager - Google - C:\Programmi\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Programmi\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe

Thank you for your helpfulness and kindness, but I wouldn't know what else to do......!
A hug to everyone! Bye bye!

Posted: Sun May 20, 2007 9:31 pm
by jordan air
It won't install the other antivirus because you already have Avast installed.
So to install a free antivirus you have to uninstall Avast; that way the installation of the other antivirus should succeed.

Posted: Mon May 21, 2007 1:38 am
by CarDependant
No way, it's not Avast that is blocking the installation of AntiVir, but a powerful trojan (Bagle) that has killed the processes of your security programs; follow this guide:

http://www.MegaLab.it/2657/2
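
A triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread or of the linked guide: it lists running processes that no O4/O23 autostart line names, and services whose file is reported missing. The `BASELINE` set and the function names are assumptions made for this sketch, and an unreferenced process is only a lead for closer inspection, not a verdict.

```python
import re

# Constructed sample: a handful of lines excerpted from the first HijackThis
# log posted in this thread (not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\system32\hldrrr.exe
C:\Programmi\Spyware Doctor\swdsvc.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Programmi\Spyware Doctor\swdsvc.exe
"""

# Assumption: a minimal baseline of stock Windows XP processes that normally
# run without an O4/O23 line of their own. Extend it for the machine at hand.
BASELINE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
            "svchost.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe"}

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


def parse_hijackthis(text):
    """Return (running_processes, entries); entries are (code, body) pairs."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # a blank line closes the process list
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def unreferenced_processes(processes, entries, baseline=BASELINE):
    """Running processes whose file name appears in no O4 (Run/Startup) or
    O23 (service) line and is not in the baseline."""
    autostart = [body.lower() for code, body in entries if code in ("O4", "O23")]
    flagged = []
    for path in processes:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in baseline:
            continue
        # Match the file name as a whole path component, not as a substring.
        pat = re.compile(r'(?:^|[\\\s"])' + re.escape(name) + r'(?:$|[\s",])')
        if not any(pat.search(body) for body in autostart):
            flagged.append(path)
    return flagged


def missing_service_files(entries):
    """Names of O23 services that HijackThis marks as '(file missing)'."""
    names = []
    for code, body in entries:
        if code == "O23" and body.endswith("(file missing)"):
            names.append(body[len("Service: "):].split(" - ")[0])
    return names


def triage(text):
    processes, entries = parse_hijackthis(text)
    return {
        "unreferenced": unreferenced_processes(processes, entries),
        "missing_services": missing_service_files(entries),
    }


if __name__ == "__main__":
    for key, values in triage(SAMPLE_LOG).items():
        print(key, values)
```

On a full log the unreferenced list also picks up vendor helpers started by other programs, so each hit still has to be checked by hand.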

hdlrrr

Posted: Mon May 21, 2007 11:04 am
by Surg83
Thanks a lot guys, I'm following the instructions.....!
At this point, though, I'd need some more help....: could you give me the analysis of the Gmer log and the script to run with The Avenger?
Thanks.....

Posted: Mon May 21, 2007 11:21 am
by wolly76
For the Avenger script you have to tell us the letter of your hard disk and then the name of your folder under "Documents and settings".

PS: once you've solved it, uninstall Avast and install a more suitable security tool

hdlrrr

Posted: Mon May 21, 2007 12:39 pm
by Surg83
Thanks everyone, it looks like the problem is solved.....!!!!! Now I'm installing more suitable antivirus software...., I'll let you know how it goes!!!!
Thanks again to everyone for your help!!!!


[rotolo]

Me too: hldrrr.exe

Posted: Tue May 22, 2007 3:37 pm
by francesca173
Hi everyone, I'm new too and I'm not very experienced with viruses and the like....but I'm infected
I read the forum and found out I have the same problem: Avast doesn't work, it can't be uninstalled, and I can't install any other kind of antivirus. I looked in Task Manager and found hldrrr.exe and services.exe.
On your wonderful site I read that I should download HijackThis and save the log. I did. Then, again on your forum, it said to download Avenger, and I did...
Finally, it says to post the log to you in case of problems!
So here I am; I'm posting the log and waiting hopefully for someone to tell me what to do!
Thanks a lot
Bye

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14.21.35, on 22/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ESRI\License\arcgis9x\Lmgrd.exe
C:\Programmi\ESRI\License\arcgis9x\ARCGIS.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Programmi\TOSHIBA\TME3\TMESBS32.EXE
C:\Programmi\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Programmi\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Programmi\Toshiba\ConfigFree\NDSTray.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\FinePixViewer\QuickDCF.exe
C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programmi\Skype\Phone\Skype.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
C:\Documents and Settings\francesca\Desktop\avenger.exe
D:\WINZIP\winzip32.exe
C:\Documents and Settings\francesca\Impostazioni locali\Temp\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PmProxy] C:\Programmi\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Programmi\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Programmi\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Programmi\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Programmi\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus G+ Wireless Adapter Utility.lnk = C:\Programmi\D-Link\D-Link AirPlus G+ Wireless Adapter Utility\DWLGTI.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programmi\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Cerca con Google - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\programmi\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Link a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b28578.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/file ... _it_IT.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {1F831FA9-42FC-11D4-95A6-0080AD30DCE1} (InstaFred) - file://C:\Programmi\AutoCAD 2002 Ita\InstFred.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://kapriccio79.spaces.live.com//Pho ... nPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/IT-IT/a-U ... E_UNO1.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://insanity.homeip.net:36/activex/AMC.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (Controllo AcDc oggi) - file://C:\Programmi\AutoCAD 2002 Ita\AcDcToday.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b28578.cab
O16 - DPF: {AE563729-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Programmi\AutoCAD 2002 Ita\InstBanr.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (Controllo AcPreview) - file://C:\Programmi\AutoCAD 2002 Ita\AcPreview.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O22 - SharedTaskScheduler: Precaricatore Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon di cache delle categorie di componenti - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ArcGIS License Manager - Unknown owner - C:\Programmi\ESRI\License\arcgis9x\Lmgrd.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Programmi\TOSHIBA\TME3\Tmesbs32.exe

--
End of file - 10881 bytes

Re: Me too: hldrrr.exe

Posted: Tue May 22, 2007 3:48 pm
by crazy.cat
francesca173 wrote:On your wonderful site I read that I should download HijackThis and save the log. I did. Then, again on your forum, it said to download Avenger, and I did...

The script for Avenger is this one:
http://www.MegaLab.it/forum/viewtopic.p ... 510#238510
Then follow the instructions in the article to restore the missing and damaged services.

Re: Me too: hldrrr.exe

Posted: Wed May 23, 2007 10:11 am
by francesca173
crazy.cat wrote:The script for Avenger is this one:
http://www.MegaLab.it/forum/viewtopic.p ... 510#238510
Then follow the instructions in the article to restore the missing and damaged services.


Thanks, I tried it and it seems hldrrr.exe is gone.
Now I have to re-establish my wireless connection.
I've also read on your forum that you recommend "comodo firewall". I don't know much about this, so here is my question: I'm connected via wireless; if I install Comodo Firewall, do I have to set the ports of the access point (if that's what it's called?)
For now I'm relying only on the Windows firewall, but I know that's not enough...

In any case, thank you so much for the help!

Re: Me too: hldrrr.exe

Posted: Wed May 23, 2007 11:28 am
by crazy.cat
francesca173 wrote:I'm connected via wireless; if I install Comodo Firewall, do I have to set the ports of the access point (if that's what it's called?)

I know very little about wireless, so I can't help you.

total despair

Posted: Wed May 23, 2007 7:14 pm
by ferrarienzo360
Hi everyone.

Let me start by saying: you are my last hope [;)] , I'm newly registered and fairly ignorant when it comes to logs, the registry, etc.

I found myself with hldrrr.exe, which was creating [random].exe files in the ...exefld folder.

Those exes, however, were blocked by Antivir.

I looked for a solution, and the most suitable one seemed to me to be http://www.MegaLab.it/articoli.php?id=948&pagina=3

Before posting mile-long logs, let me explain my problem: I don't have the hidires folder, and on top of that I have a laptop and therefore two different hard disks. My "Documenti" folder is not in "Dati e applicazioni". What can I do? Is it the "right" trojan?

Thanks in advance for the replies.

Re: total despair

Posted: Wed May 23, 2007 7:23 pm
by crazy.cat
ferrarienzo360 wrote:Before posting mile-long logs, let me explain my problem: I don't have the hidires folder, and on top of that I have a laptop and therefore two different hard disks. My "Documenti" folder is not in "Dati e applicazioni". What can I do? Is it the "right" trojan?

It's better if we see at least the gmer log; do only the one from the rootkit section.
Don't worry about the length; if need be, split it across two posts.

Posted: Thu May 24, 2007 1:40 pm
by frattouno
Hi everyone.
I followed all the instructions in the very useful article on removing the Bagle worm ( http://www.MegaLab.it/2657/3 ), but a little problem has come up... [cry+]
I started Avenger, selected the Input Script Manually option, clicked the magnifying glass and, inside the form, pasted the script I had prepared earlier.
I clicked Done first and then the green traffic light icon and...
Error: selected file does not appear to be a valid script.
Error code: 0


Why, I ask myself; everything was going smoothly, I had even almost understood what I was doing, and then this incomprehensible error pops up [acc2]

What do I do? Can anyone help me?

Posted: Thu May 24, 2007 1:57 pm
by crazy.cat
frattouno wrote:Why, I ask myself; everything was going smoothly, I had even almost understood what I was doing, and then this incomprehensible error pops up [acc2]

Can we see the script you fed it.....

Posted: Thu May 24, 2007 2:46 pm
by frattouno
[cry] here it is:

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-24 13:45:01
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Documents and Settings\Fra\Dati applicazioni\hidires\m_hook.sys ZwCreateFile
SSDT \??\C:\Documents and Settings\Fra\Dati applicazioni\hidires\m_hook.sys ZwEnumerateKey
SSDT \??\C:\Documents and Settings\Fra\Dati applicazioni\hidires\m_hook.sys ZwEnumerateValueKey
SSDT \??\C:\Documents and Settings\Fra\Dati applicazioni\hidires\m_hook.sys ZwQueryDirectoryFile
SSDT \??\C:\Documents and Settings\Fra\Dati applicazioni\hidires\m_hook.sys ZwQueryKey
SSDT \??\C:\Documents and Settings\Fra\Dati applicazioni\hidires\m_hook.sys ZwQuerySystemInformation

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\Programmi\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxParamW 7E3A555F 5 Bytes JMP 435FF205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxIndirectParamW 7E3B2032 5 Bytes JMP 4378FF9F C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[1220] USER32.dll!MessageBoxIndirectA 7E3BA04A 5 Bytes JMP 4378FF20 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxParamA 7E3BB10C 5 Bytes JMP 4378FF64 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[1220] USER32.dll!MessageBoxExW 7E3D05D8 5 Bytes JMP 4378FEAC C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[1220] USER32.dll!MessageBoxExA 7E3D05FC 5 Bytes JMP 4378FEE6 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxIndirectParamA 7E3D6B50 5 Bytes JMP 4378FFDA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\Internet Explorer\iexplore.exe[1220] USER32.dll!MessageBoxIndirectW 7E3E62AB 5 Bytes JMP 436215D2 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Programmi\MSN Messenger\msnmsgr.exe[2424] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 5 Bytes JMP 004DE392 C:\Programmi\MSN Messenger\msnmsgr.exe

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\system32\hldrrr.exe (*** hidden *** ) 180
Process C:\WINDOWS\system32\hldrrr.exe (*** hidden *** ) 1504

---- Registry - GMER 1.0.12 ----


Message sent: Thu May 24, 2007 3:00 pm
by tecnico24
@cardependat
look, you got it wrong too. It's not a trojan but a worm

Message sent: Thu May 24, 2007 3:13 pm
by frattouno
FOR TECNICO24

indeed, it's the Bagle worm
I followed the instructions on the previous page ( http://www.MegaLab.it/2657/2 ), the one about detecting the worm, using GMER, and I found this:

Process C:\WINDOWS\system32\hldrrr.exe (*** hidden *** ) 180
Process C:\WINDOWS\system32\hldrrr.exe (*** hidden *** ) 1504

On top of that, the antivirus doesn't work, I can't install any security program, and at this point I think I can't even restart the computer in safe mode...

My problem is still removing it with Avenger

Message sent: Thu May 24, 2007 4:19 pm
by tecnico24
you have to remove it manually

Message sent: Thu May 24, 2007 4:42 pm
by frattouno
exactly. It's just that three posts ago I wrote:

"I followed all the instructions in the very useful article on removing the Bagle worm ( http://www.MegaLab.it/2657/3 ), but a small problem came up...
I started Avenger, selected the Input Script Manually option, clicked the magnifying glass and, inside the form, pasted the script I had prepared earlier
I clicked Done first and then the green traffic light icon and...
Error: selected file does not appear to be a valid script.
Error code: 0"

so the problem is that I can't remove it manually because it gives me this error code 0...

how do I get out of this?

help me!! [cry+]