
Removing LinkOptimizer: problem with gmer and HijackThis


Post by eowyn87 » Thu Feb 22, 2007 7:38 pm

I tried to remove LinkOptimizer by following the guide on your site. The guide recommends posting the gmer log files to get help. The problem is that my PC refuses to run gmer: it opens the program for a few moments and then closes it again right away. The same thing happens if I try to open HijackThis.
Not being an expert, I don't know what to do and I'm asking for help. Thanks in advance.

Post by Amantide » Thu Feb 22, 2007 8:34 pm

Hi and welcome [:)]

To solve this problem you should clean up the UserInit system registry value, see here how it's done. The extra files listed inside the string will have to be deleted from safe mode. Once that is done you will be able to use Gmer and post the scan logs here.
...to fly high, you have to know how to fall...

Post by crazy.cat » Thu Feb 22, 2007 8:39 pm

As if bagle wasn't enough, now gromozon is coming back too......

Download this tool and run it (let's hope at least this one starts)
http://www.mediafire.com/?anz023gjjni
(press click here to start download)

Then let's also try this one, to install and run a full scan with.
http://www.tgsoft.it/files/vnlt6157.exe
When the many govern, they think only of pleasing themselves, and then you get the most foolish and most hateful tyranny: tyranny disguised as freedom.


Post by eowyn87 » Thu Feb 22, 2007 9:42 pm

Here is the VirIT log

VirIT eXplorer Lite Log

[SCANSIONE DELLA MEMORIA]
OK
--------------------------------------------------------
22/02/2007 - 17:07:05

[SCANSIONE DEL REGISTRO]
{1D6711C8-7154-40BB-8380-3DEA45B69CBF} Infetto da Trojan.Win32.WebP2P.A
* * * RIMOSSO * * *
{DECEAAA2-370A-49BB-9362-68C3A58DDC62} Infetto da Trojan.Win32.180Search.AA
* * * RIMOSSO * * *
{2ee25147-37d4-4640-832c-fccfac8b21d9} Infetto da BHO.Agent.AR
* * * RIMOSSO * * *

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\Programmi\WinRAR\Uninstall.Exe Infetto da Backdoor.PoeBot.D
* * * RIMOSSO * * *

Chiavi Registro infette: 3.
Files Infetti: 1.
Files Sospetti: 0.
Files Analizzati: 122075.
Files Totali: 122075.
Chiavi Registro rimosse: 3.
Virus Rimossi: 1.

I had already run the analysis with the prevx tool and it hadn't found gromozon.
I ran the analysis again and the log file says:

removal tool loaded into memory
gromozon rootkit component not detected - searching for other components
scanning: c:\windows
scanning: c:\programmi\file comuni

trojan.gromozon does not exist - your sistem is clean

Post by Amantide » Thu Feb 22, 2007 9:45 pm

Amantide wrote earlier: To solve this problem you should clean up the UserInit system registry value, see here how it's done. The extra files listed inside the string will have to be deleted from safe mode. Once that is done you will be able to use Gmer and post the scan logs here.

Post by eowyn87 » Thu Feb 22, 2007 9:57 pm

Sorry for not following your advice too, but I have never edited the system registry and doing it scares me a bit [:-H]

Post by Amantide » Thu Feb 22, 2007 10:00 pm

eowyn87 wrote: Sorry for not following your advice too, but I have never edited the system registry and doing it scares me a bit [:-H]

Come on, you'll manage [;)]
If need be, once you've reached the right key, post me a screenshot of the window.

Post by eowyn87 » Thu Feb 22, 2007 10:04 pm

Hoping I've understood what I have to do, I booted in safe mode and searched for these files (enabling the display of hidden files)
c:\windows\ibmdrv.exe
c:\windows\nvidiadrv.exe
c:\windows\toshibachecker.exe

but they aren't there. Should I go and modify the registry keys anyway?

Post by Amantide » Thu Feb 22, 2007 10:18 pm

eowyn87 wrote: Hoping I've understood what I have to do, I booted in safe mode and searched for these files (enabling the display of hidden files)
c:\windows\ibmdrv.exe
c:\windows\nvidiadrv.exe
c:\windows\toshibachecker.exe

but they aren't there. Should I go and modify the registry keys anyway?

You don't have to look for these files; these files were on that other person's PC, on your computer they might have different names.
Yes, you have to open the registry and check that the data of the UserInit value contains only this string, including the final comma:
C:\WINDOWS\system32\userinit.exe,

Everything found after the comma must be deleted. Don't forget to note down the path of the files after the comma.

Post by eowyn87 » Thu Feb 22, 2007 10:26 pm

OK!
This is the userinit string
c:\windows\system32\userinit.exe," c:\windows\corelsensor.exe", "c:\windows\seagate-tool.exe"," c:\windows\system32\corel-center.exe", "c:\windows\system32\macromedia-utility.exe",

I delete everything that's extra, still in safe mode, right?
Sorry, I'm being a bit pedantic! [:-H]

Post by Amantide » Thu Feb 22, 2007 10:35 pm

eowyn87 wrote: OK!
This is the userinit string
c:\windows\system32\userinit.exe," c:\windows\corelsensor.exe", "c:\windows\seagate-tool.exe"," c:\windows\system32\corel-center.exe", "c:\windows\system32\macromedia-utility.exe",

I delete everything that's extra, still in safe mode, right?
Sorry, I'm being a bit pedantic! [:-H]

Yes yes, you'll need to leave only the part shown in blue.
Once that's done, still from safe mode, delete these files:
c:\windows\corelsensor.exe
c:\windows\seagate-tool.exe
c:\windows\system32\corel-center.exe
c:\windows\system32\macromedia-utility.exe

At the end run the Gmer scan of the Autostart and Rootkit sections and post the logs here.
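The manual check from this exchange (Userinit must hold only userinit.exe plus the trailing comma; everything after it is noted down and then removed), written out as an added Python example that is not code from the forum or its posters. The function names and the C:\WINDOWS install path are assumptions of this example; the first three inputs are copied from the thread (including the GMER Autostart line posted later in it), the last two are constructed.

```python
import ntpath
import re

# Value the helper in the thread gives for this Windows XP machine (trailing comma included).
EXPECTED_VALUE = r"C:\WINDOWS\system32\userinit.exe,"
SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default install path, as in the thread

# Shape of the Userinit entry in a GMER Autostart log, as posted on this page.
GMER_USERINIT = re.compile(r"\\Winlogon@Userinit\s*=\s*(.*)$", re.IGNORECASE | re.MULTILINE)


def split_entries(data):
    """Split Userinit data on commas that sit outside double quotes."""
    entries, current, quoted = [], [], False
    for ch in data:
        if ch == '"':
            quoted = not quoted          # quotes delimit a path, they are not part of it
        elif ch == "," and not quoted:
            entries.append("".join(current))
            current = []
        else:
            current.append(ch)
    entries.append("".join(current))
    return [e.strip() for e in entries if e.strip()]


def normalize(path):
    """Expand %SystemRoot% and fold case and separators so paths compare reliably."""
    expanded = re.sub(r"%systemroot%", lambda m: SYSTEM_ROOT, path, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(expanded))


def audit_userinit(data):
    """Return what the manual check needs: extras to note down and the value to restore."""
    legit = normalize(EXPECTED_VALUE.rstrip(","))
    entries = split_entries(data)
    extras = [e for e in entries if normalize(e) != legit]
    return {
        "legit_present": any(normalize(e) == legit for e in entries),
        "extras": extras,                 # record these paths before editing the value
        "clean": not extras and len(entries) == 1,
        "restore_to": EXPECTED_VALUE,
    }


def userinit_from_gmer(log_text):
    """Pull the Userinit data out of a GMER Autostart log, or None if the line is absent."""
    match = GMER_USERINIT.search(log_text)
    return match.group(1).strip() if match else None


# Copied from the thread: the value first posted, and the one that kept reappearing.
POSTED = (r'c:\windows\system32\userinit.exe," c:\windows\corelsensor.exe", '
          r'"c:\windows\seagate-tool.exe"," c:\windows\system32\corel-center.exe", '
          r'"c:\windows\system32\macromedia-utility.exe",')
REAPPEARED = r'c:\windows\system32\userinit.exe,"c:\windows\system32\macromedia-utility.exe",'
# Copied from the GMER Autostart log posted after the clean-up.
GMER_LINE = (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit"
             r" = c:\windows\system32\userinit.exe,")
# Constructed inputs: an environment-variable form and a look-alike in the wrong directory.
ENV_FORM = r"%SystemRoot%\system32\userinit.exe,"
LOOKALIKE = r"c:\windows\userinit.exe,"

if __name__ == "__main__":
    for label, value in [("posted", POSTED), ("reappeared", REAPPEARED),
                         ("gmer", userinit_from_gmer(GMER_LINE)),
                         ("env form", ENV_FORM), ("lookalike", LOOKALIKE)]:
        result = audit_userinit(value)
        print(f"{label}: clean={result['clean']} extras={result['extras']}")
```

A userinit.exe outside system32 is reported as an extra and leaves `legit_present` false, which is the case a name-only comparison would miss.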

Post by eowyn87 » Thu Feb 22, 2007 10:48 pm

Of those 4 files I found only macromedia-utility.exe, and when I try to delete it it tells me: cannot delete macromedia-utility: access denied. make sure the disk is not full or write-protected and that the file is not currently in use.
Should I use unlocker to delete it?

Post by Amantide » Thu Feb 22, 2007 10:51 pm

Let's do it another way (Avenger should work now anyway).

Download The Avenger, extract the archive into a folder and run the file Avenger.exe.
Select the option Input Script Manually, click on the magnifying glass and copy and paste this script into the form:

Files to delete:
c:\windows\corelsensor.exe
c:\windows\seagate-tool.exe
c:\windows\system32\corel-center.exe
c:\windows\system32\macromedia-utility.exe


After that click the Done button, then twice on the green traffic light icon and answer Yes to the questions that follow.
The PC should restart by itself; if it doesn't, restart it manually.
At the end attach the Avenger log for me, which is located in C:/avenger.txt

Post by eowyn87 » Thu Feb 22, 2007 11:11 pm

Avenger opens for a few moments and then closes. I reopened the registry and in the userinit string a piece I had deleted has reappeared.
c:\windows\system32\userinit.exe,"c:\windows\system32\macromedia-utility.exe",
I deleted it and tried to open avenger, with the same results as before. I checked the registry again and the string always goes back to the same thing even though I modify it every time.
Last edited by eowyn87 on Fri Feb 23, 2007 12:44 am, edited 2 times in total.

Post by Amantide » Thu Feb 22, 2007 11:16 pm

Let's do this.
Open the task manager (ctrl+alt+del) and end the process macromedia-utility.exe.
Then open the registry and delete the line relating to the file.
Finally, try to delete the file itself.

Post by eowyn87 » Thu Feb 22, 2007 11:52 pm

Closed the process, deleted the string, but the program just won't have it, it won't let itself be deleted. However, the string in the registry now stays correct.
Now gmer does open, though; this is the result of the autostart scan

GMER 1.0.12.12027 - http://www.gmer.net
Autostart scan 2007-02-22 23:00:17
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = c:\windows\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
avldr@DLLName = avldr.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Panda Software Controller /*Panda Software Controller*/@ = "C:\Programmi\Panda Software\Panda Antivirus 2007\PsCtrls.exe"
PAVSRV /*Panda anti-virus service*/@ = "C:\Programmi\Panda Software\Panda Antivirus 2007\pavsrv51.exe"
PSIMSVC /*Panda IManager Service*/@ = "C:\Programmi\Panda Software\Panda Antivirus 2007\PsImSvc.exe"
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
SysKuh /*SysKuh*/@ = "C:\Programmi\File comuni\System\vSo.exe" /*file not found*/
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
UserAccess /*SecuROM User Access Service*/@ = C:\WINDOWS\system32\UAService.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@WinampAgentC:\Programmi\Winamp\winampa.exe = C:\Programmi\Winamp\winampa.exe
@SystemTraySysTray.Exe = SysTray.Exe
@RemoteControl"C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" = "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@iTunesHelperC:\Programmi\iTunes\iTunesHelper.exe /*file not found*/ = C:\Programmi\iTunes\iTunesHelper.exe /*file not found*/
@APVXDWIN"C:\Programmi\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s = "C:\Programmi\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
@NeroFilterCheckC:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe = C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
@InstantAccessC:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h = C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
@CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd
@CloneDVDElbyDelay"C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay = "C:\Programmi\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE
@UnlockerAssistant"C:\Programmi\Unlocker\UnlockerAssistant.exe" = "C:\Programmi\Unlocker\UnlockerAssistant.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Spamihilator"C:\Programmi\Spamihilator\spamihilator.exe" /*file not found*/ = "C:\Programmi\Spamihilator\spamihilator.exe" /*file not found*/
@BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe" = "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@UPnPMonitor = C:\WINDOWS\system32\upnpui.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Universal Plug and Play Devices*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Anteprima*/C:\WINDOWS\SYSTEM32\THUMBVW.DLL = C:\WINDOWS\SYSTEM32\THUMBVW.DLL
@{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22} /*Programma di estrazione immagini predefinito per Proprietà*/C:\WINDOWS\SYSTEM32\THUMBVW.DLL = C:\WINDOWS\SYSTEM32\THUMBVW.DLL
@{0b044461-e89c-4536-92e6-0e5506d70127} /*SD/MMC Digital Audio PlayerShell Hook*/GDT1580h.dll = GDT1580h.dll
@{FED7043D-346A-414D-ACD7-550D052499A7} /*dBpowerAMP Music Converter 1*/C:\Programmi\Illustrate\dBpowerAMP\dBShell.dll = C:\Programmi\Illustrate\dBpowerAMP\dBShell.dll
@{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} /*dBpowerAMP Music Converter*/C:\Programmi\Illustrate\dBpowerAMP\dMCShell.dll = C:\Programmi\Illustrate\dBpowerAMP\dMCShell.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Documents and Settings\User\Documenti\NUOVA CARTELLA (3)\rarext.dll /*file not found*/ = C:\Documents and Settings\User\Documenti\NUOVA CARTELLA (3)\rarext.dll /*file not found*/
@{8FF88D21-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.61 Context Menu Shell Extension*/(null) =
@{8FF88D25-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.61 DragDrop Shell Extension*/(null) =
@{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.61 Context Menu Shell Extension*/(null) =
@{8FF88D23-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.61 Property Sheet Shell Extension*/(null) =
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/(null) =
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{65756541-C65C-11CD-0000-4B656E696100} /*Panda Antivirus*/C:\Programmi\Panda Software\Panda Antivirus 2007\ShellTit.dll = C:\Programmi\Panda Software\Panda Antivirus 2007\ShellTit.dll
@{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} /*Autodesk Drawing Preview*/C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcThumbnail16.dll = C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcThumbnail16.dll
@{36A21736-36C2-4C11-8ACB-D4136F2B57BD} /*Gestore icona firma digitale di AutoCAD*/C:\WINDOWS\system32\AcSignIcon.dll = C:\WINDOWS\system32\AcSignIcon.dll
@{6DEA92E9-8682-4b6a-97DE-354772FE5727} /*Autodesk DWF Preview*/C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll = C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/C:\Programmi\Unlocker\UnlockerCOM.dll = C:\Programmi\Unlocker\UnlockerCOM.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{59850401-6664-101B-B21C-00AA004BA90B} /*Microsoft Office Binder Unbind*/C:\PROGRA~1\MICROS~1\OFFICE\1040\UNBIND.DLL = C:\PROGRA~1\MICROS~1\OFFICE\1040\UNBIND.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~1\OFFICE\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~1\OFFICE\OLKFSTUB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Panda Antivirus@{65756541-C65C-11CD-0000-4B656E696100} = C:\Programmi\Panda Software\Panda Antivirus 2007\ShellTit.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Documents and Settings\User\Documenti\NUOVA CARTELLA (3)\rarext.dll /*file not found*/
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Documents and Settings\User\Documenti\NUOVA CARTELLA (3)\rarext.dll /*file not found*/
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Panda Antivirus@{65756541-C65C-11CD-0000-4B656E696100} = C:\Programmi\Panda Software\Panda Antivirus 2007\ShellTit.dll
UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Programmi\Unlocker\UnlockerCOM.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Documents and Settings\User\Documenti\NUOVA CARTELLA (3)\rarext.dll /*file not found*/
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{31FF080D-12A3-439A-A2EF-4BA95A3148E8}C:\Programmi\GetRight\xx2gr.dll = C:\Programmi\GetRight\xx2gr.dll
@{6D5E98A4-4CEB-B818-3A53-F5E06D0A5551}C:\WINDOWS\ecoii1.dll /*file not found*/ = C:\WINDOWS\ecoii1.dll /*file not found*/

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local PageC:\WINDOWS\SYSTEM\blank.htm = C:\WINDOWS\SYSTEM\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.yahoo.it/ = http://www.yahoo.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ndwiat@CLSID = C:\WINDOWS\system32\wiascr.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINDOWS\SYSTEM32\msdxm.ocx
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{05F40DBF-ECC0-468C-8B33-D95B5A1DBC81} /*Connessione alla rete locale (LAN) 2*/ >>>
@IPAddress192.168.1.86 = 192.168.1.86
@NameServer151.99.125.2,151.99.125.3 = 151.99.125.2,151.99.125.3
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{35503F76-82FE-42CB-9ECC-41DC4332032B} /*Connessione alla rete locale (LAN) 3*/ >>>
@IPAddress192.168.1.87 = 192.168.1.87
@NameServer151.99.125.2,151.99.125.3 = 151.99.125.2,151.99.125.3
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{59B93C0A-829B-4EE3-95F2-A8AEB2E2D823} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.1.194 = 192.168.1.194
@NameServer151.99.125.2,151.99.125.3 = 151.99.125.2,151.99.125.3
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = c:\programmi\panda software\panda antivirus 2007\pavlsp.dll
000000000002@PackedCatalogItem = c:\programmi\panda software\panda antivirus 2007\pavlsp.dll
000000000003@PackedCatalogItem = c:\programmi\panda software\panda antivirus 2007\pavlsp.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021@PackedCatalogItem = c:\programmi\panda software\panda antivirus 2007\pavlsp.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Exif Launcher.lnk = Exif Launcher.lnk
Microsoft Office.lnk = Microsoft Office.lnk
Photo Express Calendar Checker SE.lnk = Photo Express Calendar Checker SE.lnk
SkyServer.lnk = SkyServer.lnk
Tasto di scelta rapida per l'avvio di AutoCAD.lnk = Tasto di scelta rapida per l'avvio di AutoCAD.lnk
Watch.lnk = Watch.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.12 ----

Rootkit scan
GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-22 23:33:41
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----

.text USBPORT.SYS!DllUnload F7ED262C 5 Bytes JMP 81A59970

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\explorer.exe[1588] SHELL32.dll!SHFileOperationW 7CA7FCDA 5 Bytes JMP 02401102 C:\Programmi\Unlocker\UnlockerHook.dll

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 823711D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 823711D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 823711D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 823711D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLOSE 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_POWER 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SYSTEM_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CLOSE 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DEVICE_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_INTERNAL_DEVICE_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_POWER 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SYSTEM_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_PNP 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CLOSE 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DEVICE_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_INTERNAL_DEVICE_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_POWER 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SYSTEM_CONTROL 823711D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_PNP 823711D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 8233C990
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 8233C990
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 8233C990
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 8233C990
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 8233C990
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 8233C990
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 8233C990
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 8233C990
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 8233C990
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 8233C990
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 8233C990
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 818191D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 818191D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 818191D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 818191D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 818191D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 818191D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 818191D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 818191D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 818191D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 818191D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 818191D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 818191D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{35503F76-82FE-42CB-9ECC-41DC4332032B} IRP_MJ_CREATE 818191D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{35503F76-82FE-42CB-9ECC-41DC4332032B} IRP_MJ_CLOSE 818191D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{35503F76-82FE-42CB-9ECC-41DC4332032B} IRP_MJ_DEVICE_CONTROL 818191D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{35503F76-82FE-42CB-9ECC-41DC4332032B} IRP_MJ_INTERNAL_DEVICE_CONTROL 818191D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{35503F76-82FE-42CB-9ECC-41DC4332032B} IRP_MJ_CLEANUP 818191D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{35503F76-82FE-42CB-9ECC-41DC4332032B} IRP_MJ_PNP 818191D8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_CREATE 81A52990
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_CLOSE 81A52990
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 81A52990
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81A52990
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_POWER 81A52990
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 81A52990
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_PNP 81A52990
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_CREATE 81A52990
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_CLOSE 81A52990
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 81A52990
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81A52990
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_POWER 81A52990
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 81A52990
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_PNP 81A52990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 817AE990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 817AE990
Device \Driver\usbohci \Device\USBFDO-2 IRP_MJ_CREATE 81A52990
Device \Driver\usbohci \Device\USBFDO-2 IRP_MJ_CLOSE 81A52990
Device \Driver\usbohci \Device\USBFDO-2 IRP_MJ_DEVICE_CONTROL 81A52990
Device \Driver\usbohci \Device\USBFDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 81A52990
Device \Driver\usbohci \Device\USBFDO-2 IRP_MJ_POWER 81A52990
Device \Driver\usbohci \Device\USBFDO-2 IRP_MJ_SYSTEM_CONTROL 81A52990
Device \Driver\usbohci \Device\USBFDO-2 IRP_MJ_PNP 81A52990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 817AE990
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 817AE990
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_CREATE 81A53990
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_CLOSE 81A53990
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_DEVICE_CONTROL 81A53990
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 81A53990
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_POWER 81A53990
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_SYSTEM_CONTROL 81A53990
Device \Driver\usbehci \Device\USBFDO-3 IRP_MJ_PNP 81A53990
Device \Driver\usbuhci \Device\USBFDO-4 IRP_MJ_CREATE 81A581D8
Device \Driver\usbuhci \Device\USBFDO-4 IRP_MJ_CLOSE 81A581D8
Device \Driver\usbuhci \Device\USBFDO-4 IRP_MJ_DEVICE_CONTROL 81A581D8
Device \Driver\usbuhci \Device\USBFDO-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 81A581D8
Device \Driver\usbuhci \Device\USBFDO-4 IRP_MJ_POWER 81A581D8
Device \Driver\usbuhci \Device\USBFDO-4 IRP_MJ_SYSTEM_CONTROL 81A581D8
Device \Driver\usbuhci \Device\USBFDO-4 IRP_MJ_PNP 81A581D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 823721D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 823721D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 823721D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 823721D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 823721D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 823721D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 823721D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 823721D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 823721D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 823721D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 823721D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 81788990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 81788990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 81788990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 81788990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 81788990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 81788990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 81788990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 81788990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 81788990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 81788990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 81788990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 81788990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 81788990

---- EOF - GMER 1.0.12 ----

Post by Amantide » Fri Feb 23, 2007 12:06 pm

Try deleting the file with this tool.
Meanwhile I'll check the log.

***edit***

See whether you can now run this script with Avenger.
Launch Avenger.exe and select the option Input Script Manually, click the magnifying glass and, inside the form, copy and paste this script:

Files to delete:
C:\Programmi\File comuni\System\vSo.exe
c:\windows\corelsensor.exe
c:\windows\seagate-tool.exe
c:\windows\system32\corel-center.exe
c:\windows\system32\macromedia-utility.exe
C:\WINDOWS\ecoii1.dll

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\SysKuh
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D5E98A4-4CEB-B818-3A53-F5E06D0A5551}


Then click the Done button, then twice on the green traffic light icon, and answer Yes to the questions that follow.
The PC should restart by itself; if it doesn't, restart it manually.
When it's done, attach the Avenger log, which is located at C:/avenger.txt

Post by eowyn87 » Fri Feb 23, 2007 6:28 pm

Here is the Avenger log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fjtvaipc

*******************

Script file located at: vspqyagb

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!

Post by Amantide » Fri Feb 23, 2007 6:38 pm

An error occurred. [uhm]

Try downloading Avenger again and running the script from Safe Mode.

Post by eowyn87 » Fri Feb 23, 2007 7:04 pm

Second attempt

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yifsyfgs

*******************

Script file located at: \??\C:\WINDOWS\system32\xhbvemws.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Programmi\File comuni\System\vSo.exe not found!
Deletion of file C:\Programmi\File comuni\System\vSo.exe failed!

Could not process line:
C:\Programmi\File comuni\System\vSo.exe
Status: 0xc0000034



File c:\windows\corelsensor.exe not found!
Deletion of file c:\windows\corelsensor.exe failed!

Could not process line:
c:\windows\corelsensor.exe
Status: 0xc0000034



File c:\windows\seagate-tool.exe not found!
Deletion of file c:\windows\seagate-tool.exe failed!

Could not process line:
c:\windows\seagate-tool.exe
Status: 0xc0000034



File c:\windows\system32\corel-center.exe not found!
Deletion of file c:\windows\system32\corel-center.exe failed!

Could not process line:
c:\windows\system32\corel-center.exe
Status: 0xc0000034



File c:\windows\system32\macromedia-utility.exe not found!
Deletion of file c:\windows\system32\macromedia-utility.exe failed!

Could not process line:
c:\windows\system32\macromedia-utility.exe
Status: 0xc0000034



File C:\WINDOWS\ecoii1.dll not found!
Deletion of file C:\WINDOWS\ecoii1.dll failed!

Could not process line:
C:\WINDOWS\ecoii1.dll
Status: 0xc0000034

Registry key HKLM\SYSTEM\CurrentControlSet\Services\SysKuh deleted successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D5E98A4-4CEB-B818-3A53-F5E06D0A5551} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
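
An added example (not part of the thread and not Avenger's own code): a small Python parser for the Avenger log format shown in the two posts above. It decodes the NTSTATUS values and shows that "Completed script processing." does not mean every target was removed. The sample logs are constructed from lines in the thread; the `File ... deleted successfully.` wording is an assumption by analogy with the registry-key line.

```python
import re

# NTSTATUS codes seen in the two logs in this thread (names as in ntstatus.h).
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003B: "STATUS_OBJECT_PATH_SYNTAX_BAD",
}

# Constructed samples: lines copied from the two logs posted above, shortened.
FIRST_LOG = """\
Script file located at: vspqyagb
Could not open script file! Status: 0xc000003b Abort!
"""
SECOND_LOG = r"""
Script file opened successfully.
File c:\windows\corelsensor.exe not found!
Deletion of file c:\windows\corelsensor.exe failed!
Could not process line:
c:\windows\corelsensor.exe
Status: 0xc0000034
File C:\WINDOWS\ecoii1.dll not found!
Deletion of file C:\WINDOWS\ecoii1.dll failed!
Could not process line:
C:\WINDOWS\ecoii1.dll
Status: 0xc0000034
Registry key HKLM\SYSTEM\CurrentControlSet\Services\SysKuh deleted successfully.
Completed script processing.
"""

FAILED = re.compile(r"^Deletion of file (.+) failed!$")
# The page shows only the registry-key form; the "File ..." form is an assumption.
DELETED = re.compile(r"^(?:File|Registry key) (.+) deleted successfully\.$")
STATUS = re.compile(r"Status: (0x[0-9a-fA-F]{8})")

def status_name(code):
    return NTSTATUS.get(code, "unknown (0x%08X)" % code)

def parse_avenger_log(text):
    """Summarize an Avenger log: what was deleted, what failed, and why."""
    out = {"opened": False, "completed": False, "abort": None,
           "deleted": [], "failed": []}
    pending = None  # path whose deletion failed, waiting for its Status line
    for line in (raw.strip() for raw in text.splitlines()):
        status = STATUS.search(line)
        if line == "Script file opened successfully.":
            out["opened"] = True
        elif line == "Completed script processing.":
            out["completed"] = True
        elif line.startswith("Could not open script file!") and status:
            out["abort"] = status_name(int(status.group(1), 16))
        elif FAILED.match(line):
            pending = FAILED.match(line).group(1)
        elif line.startswith("Status:") and status and pending:
            out["failed"].append((pending, status_name(int(status.group(1), 16))))
            pending = None
        elif DELETED.match(line):
            out["deleted"].append(DELETED.match(line).group(1))
    return out

def fully_applied(summary):
    """True only if the script ran to completion and no target failed."""
    return summary["completed"] and not summary["failed"] and summary["abort"] is None
```

On the second log in the thread this reports the six file targets as failed with STATUS_OBJECT_NAME_NOT_FOUND (nothing existed at those paths when the script ran) and only the two registry keys as deleted.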

megalab.it: online daily news publication registered with the Court of Cosenza, no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. (sole shareholder) - VAT no. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising