Punto informatico Network
Login Esegui login | Non sei registrato? Iscriviti ora (è gratuito!)
Username: Password:
  • Annuncio Pubblicitario

eliminare bagle

Un virus si è intromesso nel tuo computer? Vuoi navigare in tutta sicurezza? Sono sicure le transazione online? Come impedire a malintenzionati di intromettersi nel tuo pc? Come proteggere i tuoi dati? Qui trovi le risposte a queste ed altre domande

eliminare bagle

Messaggioda margi75_ » lun mar 05, 2007 10:15 pm

ciao, sono nuova,ieri cercando qualche soluzione per eliminare bagle ho trovato il vostro forum e ho seguito passo passo il dcoumento postato da voi , ho lanciato gmer e successivamente avenger..avendo constatato la presenza dei file citati. ma il bagle non se ne va. Quando accendo il pc mi si apre una pagina del notebook con scritto questo


[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

vi posto il log di gmer sperando che possiate aiutarmi.. ho provato + volte a seguire la procedura ma non è servito, inoltre nel task manager ho un sacco di voci strane ma non hldrr.exe.
sono certa di avere il virus perché antivir me lo rileva. ho anche un trojan.


GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-05 21:09:07
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT d347bus.sys ZwClose
SSDT \??\C:\Documents and Settings\marica\Dati applicazioni\hidires\m_hook.sys ZwCreateFile
SSDT d347bus.sys ZwCreateKey
SSDT d347bus.sys ZwCreatePagingFile
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\C:\Documents and Settings\marica\Dati applicazioni\hidires\m_hook.sys ZwEnumerateKey
SSDT \??\C:\Documents and Settings\marica\Dati applicazioni\hidires\m_hook.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT d347bus.sys ZwOpenKey
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT \??\C:\Documents and Settings\marica\Dati applicazioni\hidires\m_hook.sys ZwQueryDirectoryFile
SSDT \??\C:\Documents and Settings\marica\Dati applicazioni\hidires\m_hook.sys ZwQueryKey
SSDT \??\C:\Documents and Settings\marica\Dati applicazioni\hidires\m_hook.sys ZwQuerySystemInformation
SSDT d347bus.sys ZwQueryValueKey
SSDT d347bus.sys ZwSetSystemPowerState
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text tcpip.sys!IPTransmit + 10BC F0441CFA 6 Bytes CALL F96C0C20 Teefer.sys
.text tcpip.sys!IPTransmit + 2810 F044344E 6 Bytes CALL F96C0C20 Teefer.sys
.text tcpip.sys!ARPRcv + 506D F04484E0 6 Bytes CALL F96C0C20 Teefer.sys
.text wanarp.sys F99BE3FD 4 Bytes CALL F96C0D70 Teefer.sys
.text wanarp.sys F99BE402 2 Bytes [ 90, 90 ]

---- User code sections - GMER 1.0.12 ----

.text C:\Programmi\MSN Messenger\msnmsgr.exe[132] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 5 Bytes JMP 004DE392 C:\Programmi\MSN Messenger\MsnMsgr.Exe

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 812A48E0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ FF9D8B00
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F997A220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F997A480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F997A5A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F997A5D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F997A220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F997A480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F997A5A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F997A5D0] wpsdrvnt.sys
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA FF973CF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP FF973CF0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ FFA998A8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA FF973CF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP FF973CF0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_NAMED_PIPE FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_READ FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_WRITE FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_INFORMATION FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_INFORMATION FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_EA FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_EA FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FLUSH_BUFFERS FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_VOLUME_INFORMATION FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DIRECTORY_CONTROL FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FILE_SYSTEM_CONTROL FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_LOCK_CONTROL FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLEANUP FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_MAILSLOT FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_SECURITY FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_SECURITY FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CHANGE FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_QUOTA FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_QUOTA FF97DBA8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA FF97DBA8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP
Avatar utente
margi75_
Aficionado
Aficionado
 
Messaggi: 86
Iscritto il: lun mar 05, 2007 9:32 pm

Messaggioda Amantide » lun mar 05, 2007 10:25 pm

Ciao e benvenuta Marica (è il tuo nome, vero? [rolleyes] )

Intanto esegui questo script per Avenger:

Files to delete:
C:\Documents and Settings\marica\Dati applicazioni\hidires\m_hook.sys
C:\Documents and Settings\marica\Dati applicazioni\hidires\hidr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe

folders to delete:
C:\Documents and Settings\marica\Dati applicazioni\hidires
C:\WINDOWS\exefld

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr


Mi dovresti postare anche il log del tab Autostart, devi avviare Gmer, cliccare su >>>, selezionare tab Autostart, spuntare la voce Show all e premere Scan.
...per volare alto, bisogna saper cadere...
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

Messaggioda margi75_ » lun mar 05, 2007 10:31 pm

GMER 1.0.12.12027 - http://www.gmer.net
Autostart scan 2007-03-05 21:28:29
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = autocheck autochk * /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\SYSTEM\CurrentControlSet\Control\WOW@cmdline = %SystemRoot%\system32\ntvdm.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\Userinit.exe = C:\WINDOWS\system32\Userinit.exe
@ShellExplorer.exe = Explorer.exe
@System =
@UIHostlogonui.exe = logonui.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
crypt32chain@DLLName = crypt32.dll
cryptnet@DLLName = cryptnet.dll
cscdll@DLLName = cscdll.dll
igfxcui@DLLName = igfxdev.dll
ScCertProp@DLLName = wlnotify.dll
Schedule@DLLName = wlnotify.dll
sclgntfy@DLLName = sclgntfy.dll
SensLogn@DLLName = WlNotify.dll
termsrv@DLLName = wlnotify.dll
WgaLogon@DLLName = WgaLogon.dll
wlballoon@DLLName = wlnotify.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AntiVirScheduler /*AntiVir Scheduler*/@ = C:\Programmi\AntiVir PersonalEdition Classic\sched.exe /*file not found*/
AntiVirService /*AntiVir PersonalEdition Classic Service*/@ = C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe /*file not found*/
AudioSrv /*Audio Windows*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Browser /*Browser di computer*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
CFSvcs /*ConfigFree Service*/@ = C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
CryptSvc /*Servizi di crittografia*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
DcomLaunch /*Utilità di avvio processo server DCOM*/@ = %SystemRoot%\system32\svchost -k DcomLaunch
Dhcp /*Client DHCP*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Dnscache /*Client DNS*/@ = %SystemRoot%\System32\svchost.exe -k NetworkService
ERSvc /*Servizio di segnalazione errori*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Eventlog /*Registro eventi*/@ = %SystemRoot%\system32\services.exe
helpsvc /*Guida in linea e supporto tecnico*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
lanmanserver /*Server*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
lanmanworkstation /*Workstation*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
LmHosts /*Helper NetBIOS di TCP/IP*/@ = %SystemRoot%\System32\svchost.exe -k LocalService
PlugPlay /*Plug and Play*/@ = %SystemRoot%\system32\services.exe
PolicyAgent /*Servizi IPSEC*/@ = %SystemRoot%\System32\lsass.exe
ProtectedStorage /*Archiviazione protetta*/@ = %SystemRoot%\system32\lsass.exe
RpcSs /*RPC (Remote Procedure Call)*/@ = %SystemRoot%\system32\svchost -k rpcss
SamSs /*Gestione account di protezione (SAM)*/@ = %SystemRoot%\system32\lsass.exe
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
seclogon /*Accesso secondario*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
SENS /*Notifica eventi di sistema*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
ShellHWDetection /*Rilevamento hardware shell*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
srservice /*Servizio Ripristino configurazione di sistema*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
stisvc /*Acquisizione di immagini di Windows (WIA)*/@ = %SystemRoot%\System32\svchost.exe -k imgsvc
Themes /*Temi*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
TrkWks /*Manutenzione collegamenti distribuiti client*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\System32\wdfmgr.exe
W32Time /*Ora di Windows*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
WebClient /*WebClient*/@ = %SystemRoot%\System32\svchost.exe -k LocalService
winmgmt /*Strumentazione gestione Windows*/@ = %systemroot%\system32\svchost.exe -k netsvcs
WZCSVC /*Zero Configuration reti senza fili*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@00THotkeyC:\WINDOWS\System32\00THotkey.exe = C:\WINDOWS\System32\00THotkey.exe
@000StTHK000StTHK.exe = 000StTHK.exe
@LTSMMSGLTSMMSG.exe = LTSMMSG.exe
@ApointC:\Programmi\Apoint2K\Apoint.exe = C:\Programmi\Apoint2K\Apoint.exe
@TouchEDC:\Programmi\TOSHIBA\TouchED\TouchED.Exe = C:\Programmi\TOSHIBA\TouchED\TouchED.Exe
@PadTouch"C:\Programmi\TOSHIBA\PadTouch\PadExe.exe = "C:\Programmi\TOSHIBA\PadTouch\PadExe.exe
@TFNF5TFNF5.exe = TFNF5.exe
@TPSMainTPSMain.exe = TPSMain.exe
@TFncKyTFncKy.exe /*file not found*/ = TFncKy.exe /*file not found*/
@AdslTaskBarrundll32.exe stmctrl.dll,TaskBar = rundll32.exe stmctrl.dll,TaskBar
@SmcServiceC:\PROGRA~1\Sygate\SPF\smc.exe -startgui /*file not found*/ = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui /*file not found*/
@Excite PlatformC:\PROGRA~1\Excite\Platform\ExLaunch.exe = C:\PROGRA~1\Excite\Platform\ExLaunch.exe
@EPSON Stylus C66 SeriesC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66" = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
@{0228e555-4f9c-4e35-a3ec-b109a192b4c2}C:\Programmi\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe = C:\Programmi\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
@UserFaultCheck%systemroot%\system32\dumprep 0 -u = %systemroot%\system32\dumprep 0 -u
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@avgnt"C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min /*file not found*/ = "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min /*file not found*/
@igfxtrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe
@igfxhkcmdC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@igfxpersC:\WINDOWS\system32\igfxpers.exe = C:\WINDOWS\system32\igfxpers.exe
@DAEMON Tools-1033"C:\Programmi\D-Tools\daemon.exe" -lang 1033 = "C:\Programmi\D-Tools\daemon.exe" -lang 1033
@Excite Private Messenger PipeC:\Programmi\Excite\PrvtMsgr\bin\x8IMPipe.exe = C:\Programmi\Excite\PrvtMsgr\bin\x8IMPipe.exe
@PrevxRootkitRemovalTool"C:\Documents and Settings\marica\Impostazioni locali\Temporary Internet Files\Content.IE5\7Z30VLHD\D54966B[1].exe" -scan /*file not found*/ = "C:\Documents and Settings\marica\Impostazioni locali\Temporary Internet Files\Content.IE5\7Z30VLHD\D54966B[1].exe" -scan /*file not found*/
@fgquglpjC:\wqymxwaq.bat /*file not found*/ = C:\wqymxwaq.bat /*file not found*/
@hldrrrC:\WINDOWS\system32\hldrrr.exe = C:\WINDOWS\system32\hldrrr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@TOSCDSPDC:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe = C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
@MsnMsgr"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background = "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
@EPSON Stylus C66 SeriesC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /M "Stylus C66" /EF "HKCU" + ? ??? ?? K? ??? ?a?w? , ? `??? ?????? ??? ?b?w ??`??? ;???8?? ? ??? h??w ??`??? z??w`??? ????? )??| ?? = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /M "Stylus C66" /EF "HKCU" + ? ??? ?? K? ??? ?a?w? , ? `??? ?????? ??? ?b?w ??`??? ;???8?? ? ??? h??w ??`??? z??w`??? ????? )??| ??
@swgC:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe = C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
@hldrrrC:\WINDOWS\system32\hldrrr.exe = C:\WINDOWS\system32\hldrrr.exe
@drvsyskitC:\Documents and Settings\marica\Dati applicazioni\hidires\hidr.exe = C:\Documents and Settings\marica\Dati applicazioni\hidires\hidr.exe
@german.exeC:\WINDOWS\system32\wintems.exe = C:\WINDOWS\system32\wintems.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
@PostBootReminder%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@CDBurn%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@WebCheck%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@SysTrayC:\WINDOWS\System32\stobject.dll = C:\WINDOWS\System32\stobject.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler >>>
@{438755C2-A8BA-11D1-B96B-00A0C90312E1}%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{8C7461EF-2B13-11d2-BE35-3078302C2030}%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll

HKLM\Software\Classes\Folder\shell\open\command@ = %SystemRoot%\Explorer.exe /idlist,%I,%L

HKLM\Software\Classes\Folder\shell\explore\command@ = %SystemRoot%\Explorer.exe /e,/idlist,%I,%L

HKLM\Software\Classes\ >>>
.exe@ = "%1" %*
.com@ = "%1" %*
.cmd@ = "%1" %*
.bat@ = "%1" %*
.pif@ = "%1" %*
.scr@ = "%1" /S
.hta@ = C:\WINDOWS\System32\mshta.exe "%1" %*

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{AEB6717E-7E19-11d0-97EE-00C04FD91972}shell32.dll = shell32.dll
@{67BB6BD1-7317-486F-BFAD-A032691D5E86}C:\WINDOWS\System32\ogxhr32.dll /*file not found*/ = C:\WINDOWS\System32\ogxhr32.dll /*file not found*/
@{5169AEE2-DFCE-43D5-6CAC-40CE6AC0739C}C:\WINDOWS\System32\kbmam32.dll /*file not found*/ = C:\WINDOWS\System32\kbmam32.dll /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{00022613-0000-0000-C000-000000000046} /*Proprietà dei file Multimedia*/mmsys.cpl = mmsys.cpl
@{176d6597-26d3-11d1-b350-080036a75b03} /*Gestore scanner ICM*/icmui.dll = icmui.dll
@{1F2E5C40-9550-11CE-99D2-00AA006E086C} /*Pagina di protezione NTFS*/rshx32.dll = rshx32.dll
@{3EA48300-8CF6-101B-84FB-666CCB9BCD32} /*Pagina di proprietà di Docfile OLE*/docprop.dll = docprop.dll
@{40dd6e20-7c17-11ce-a804-00aa003ca9f6} /*Estensioni shell per la condivisione*/ntshrui.dll = ntshrui.dll
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/%SystemRoot%\System32\themeui.dll = %SystemRoot%\System32\themeui.dll
@{42071712-76d4-11d1-8b24-00a0c9068ff3} /*Estensione scheda video del Pannello di controllo*/deskadp.dll = deskadp.dll
@{42071713-76d4-11d1-8b24-00a0c9068ff3} /*Estensione monitor del Pannello di controllo*/deskmon.dll = deskmon.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{4E40F770-369C-11d0-8922-00A024AB2DBB} /*Pagina di protezione DS*/dssec.dll = dssec.dll
@{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} /*Pagina compatibilità*/SlayerXP.dll = SlayerXP.dll
@{56117100-C0CD-101B-81E2-00AA004AE837} /*Gestore dati dei ritagli di shell*/shscrap.dll = shscrap.dll
@{59099400-57FF-11CE-BD94-0020AF85B590} /*Estensione copia dischi*/diskcopy.dll = diskcopy.dll
@{59be4990-f85c-11ce-aff7-00aa003ca9f6} /*Estensioni shell per oggetti Rete Microsoft Windows*/ntlanui2.dll = ntlanui2.dll
@{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*Gestore monitor ICM*/%SystemRoot%\System32\icmui.dll = %SystemRoot%\System32\icmui.dll
@{675F097E-4C4D-11D0-B6C1-0800091AA605} /*Gestore stampante ICM*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll
@{764BF0E1-F219-11ce-972D-00AA00A14F56} /*Estensioni shell per la compressione dei file*/(null) =
@{77597368-7b15-11d0-a0c2-080036af3f03} /*Estensione shell per la stampante Web*/printui.dll = printui.dll
@{7988B573-EC89-11cf-9C00-00AA00A14F56} /*Disk Quota UI*/dskquoui.dll = dskquoui.dll
@{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} /*Menu di scelta rapida di crittografia*/(null) =
@{85BBD920-42A0-1069-A2E4-08002B30309D} /*Sincronia file*/syncui.dll = syncui.dll
@{88895560-9AA2-1069-930E-00AA0030EBC8} /*Estensione di icona di HyperTerminal*/C:\WINDOWS\System32\hticons.dll = C:\WINDOWS\System32\hticons.dll
@{BD84B380-8CA2-1069-AB1D-08000948F534} /*Tipi di carattere*/fontext.dll = fontext.dll
@{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*Profilo ICC*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll
@{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} /*Pagina di protezione della stampante*/rshx32.dll = rshx32.dll
@{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} /*Estensioni shell per la condivisione*/ntshrui.dll = ntshrui.dll
@{f92e8c40-3d33-11d2-b1aa-080036a75b03} /*Display TroubleShoot CPL Extension*/deskperf.dll = deskperf.dll
@{7444C717-39BF-11D1-8CD9-00C04FC29D45} /*Estensione Crypto PKO*/C:\WINDOWS\system32\cryptext.dll = C:\WINDOWS\system32\cryptext.dll
@{7444C719-39BF-11D1-8CD9-00C04FC29D45} /*Estensione firma crittografata*/C:\WINDOWS\system32\cryptext.dll = C:\WINDOWS\system32\cryptext.dll
@{7007ACC7-3202-11D1-AAD2-00805FC1270E} /*Connessioni di rete*/C:\WINDOWS\system32\NETSHELL.dll = C:\WINDOWS\system32\NETSHELL.dll
@{992CFFA0-F557-101A-88EC-00DD010CCC48} /*Connessioni di rete*/C:\WINDOWS\system32\NETSHELL.dll = C:\WINDOWS\system32\NETSHELL.dll
@{E211B736-43FD-11D1-9EFB-0000F8757FCD} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{905667aa-acd6-11d2-8080-00805f6596d2} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{3F953603-1008-4f6e-A73A-04AAC7A992F1} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{83bbcbf3-b28a-4919-a5aa-73027445d672} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{F0152790-D56E-4445-850E-4F3117DB740C} /*Remote Sessions CPL Extension*/C:\WINDOWS\System32\remotepg.dll = C:\WINDOWS\System32\remotepg.dll
@{5F327514-6C5E-4d60-8F16-D07FA08A78ED} /*Auto Update Property Sheet Extension*/C:\WINDOWS\system32\wuaucpl.cpl = C:\WINDOWS\system32\wuaucpl.cpl
@{60254CA5-953B-11CF-8C96-00AA00B8708C} /*Estensione shell per Windows Script Host*/C:\WINDOWS\System32\wshext.dll = C:\WINDOWS\System32\wshext.dll
@{2206CDB2-19C1-11D1-89E0-00C04FD7A829} /*Microsoft Data Link*/C:\Programmi\File comuni\System\Ole DB\oledb32.dll = C:\Programmi\File comuni\System\Ole DB\oledb32.dll
@{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Icon Handler*/C:\WINDOWS\System32\mstask.dll = C:\WINDOWS\System32\mstask.dll
@{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Shell Extension*/C:\WINDOWS\System32\mstask.dll = C:\WINDOWS\System32\mstask.dll
@{D6277990-4C6A-11CF-8D87-00AA0060F5BF} /*Operazioni pianificate*/C:\WINDOWS\System32\mstask.dll = C:\WINDOWS\System32\mstask.dll
@{0DF44EAA-FF21-4412-828E-260A8728E7F1} /*Barra delle applicazioni e menu di avvio*/(null) =
@{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0} /*Cerca*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0} /*Guida in linea e supporto tecnico*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} /*Guida in linea e supporto tecnico*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} /*Esegui...*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0} /*Internet*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0} /*Posta elettronica*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{D20EA4E1-3957-11d2-A40B-0C5020524152} /*Tipi di carattere*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{D20EA4E1-3957-11d2-A40B-0C5020524153} /*Strumenti di amministrazione*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} /*Audio Media Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} /*Video Media Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{E4B29F9D-D390-480b-92FD-7DDB47101D71} /*Wav Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{87D62D94-71B3-4b9a-9489-5FE6850DC73E} /*Avi Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{A6FD9E45-6E44-43f9-8644-08598F5A74D9} /*Midi Properties Handler*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{c5a40261-cd64-4ccf-84cb-c394da41d590} /*Video Thumbnail Extractor*/%SystemRoot%\System32\shmedia.dll = %SystemRoot%\System32\shmedia.dll
@{5E6AB780-7743-11CF-A12B-00AA004AE837} /*Barra degli strumenti Microsoft Internet*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{22BF0C20-6DA7-11D0-B373-00A0C9034938} /*Stato del download*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{91EA3F8B-C99B-11d0-9815-00C04FD91972} /*Shell Folder accresciuto*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{6413BA2C-B461-11d1-A18A-080036B11A03} /*Shell Folder 2 accresciuto*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{F61FFEC1-754F-11d0-80CA-00AA005B4383} /*BandProxy*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{7BA4C742-9E81-11CF-99D3-00AA004AE837} /*Microsoft BrowserBand*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*SearchBand*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{169A0691-8DF9-11d1-A1C4-00C04FD75D13} /*Ricerca all'interno*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{07798131-AF23-11d1-9111-00A0C98BA67D} /*Ricerca Web*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{AF4F6510-F982-11d0-8595-00AA004CD6D8} /*Utilità opzioni della struttura del Registro di sistema*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{01E04581-4EEE-11d0-BFE9-00AA005B4383} /*&Indirizzo*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{A08C11D2-A228-11d0-825B-00AA005B4383} /*Address EditBox*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{00BB2763-6A77-11D0-A535-00C04FD7D062} /*Completamento automatico Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{7376D660-C583-11d0-A3A5-00C04FD706EC} /*TridentImageExtractor*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{6756A641-DE71-11d0-831B-00AA005B4383} /*Elenco di Completamento automatico MRU*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} /*Elenco di Completamento automatico MRU personalizzato*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{7e653215-fa25-46bd-a339-34a2790f3cb7} /*Accessibile*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{acf35015-526e-4230-9596-becbe19f0ac9} /*Indicatore di avanzamento popup*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{E0E11A09-5CB8-4B6C-8332-E00720A168F2} /*Parser della barra degli indirizzi*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{00BB2764-6A77-11D0-A535-00C04FD7D062} /*Elenco di Completamento automatico della Cronologia di Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{03C036F1-A186-11D0-824A-00AA005B4383} /*Elenco di Completamento automatico di Shell Folder di Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{00BB2765-6A77-11D0-A535-00C04FD7D062} /*Contenitore dell'elenco di Completamento automatico multiplo Microsoft*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{ECD4FC4E-521C-11D0-B792-00A0C90312E1} /*Shell Band Site Menu*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} /*Shell DeskBarApp*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{ECD4FC4C-521C-11D0-B792-00A0C90312E1} /*Shell DeskBar*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{ECD4FC4D-521C-11D0-B792-00A0C90312E1} /*Shell Rebar BandSite*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{DD313E04-FEFF-11d1-8ECD-0000F87A470C} /*Assistenza utente*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} /*Impostazioni cartella globale*/%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{EFA24E61-B078-11d0-89E4-00C04FC9E26E} /*Favorites Band*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{0A89A860-D7B1-11CE-8350-444553540000} /*Shell Automation Inproc Service*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} /*Microsoft Browser Architecture*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/shdocvw.dll = shdocvw.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Servizio Cronologia Url Microsoft*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*Cronologia*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*File temporanei Internet*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*File temporanei Internet*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Hook per la ricerca di URL Microsoft*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} /*Schermata iniziale applicazioni Internet Explorer 4*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{67EA19A0-CCEF-11d0-8024-00C04FD75D13} /*CDF Extension Copy Hook*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{131A6951-7F78-11D0-A979-00C04FD705A2} /*ISFBand OC*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{9461b922-3c5a-11d2-bf8b-00c04fb93661} /*Search Assistant OC*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*Internet*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{EFA24E64-B078-11d0-89E4-00C04FC9E26E} /*Explorer Band*/%SystemRoot%\System32\shdocvw.dll = %SystemRoot%\System32\shdocvw.dll
@{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/C:\WINDOWS\System32\sendmail.dll = C:\WINDOWS\System32\sendmail.dll
@{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/C:\WINDOWS\System32\sendmail.dll = C:\WINDOWS\System32\sendmail.dll
@{88C6C381-2E85-11D0-94DE-444553540000} /*Cartella cache ActiveX*/%SystemRoot%\System32\occache.dll = %SystemRoot%\System32\occache.dll
@{E6FB5E20-DE35-11CF-9C87-00AA005127ED} /*WebCheck*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} /*Subscription Mgr*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{F5175861-2688-11d0-9C5E-00AA00A45957} /*Cartella Subscription*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{08165EA0-E946-11CF-9C87-00AA005127ED} /*WebCheckWebCrawler*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} /*WebCheckChannelAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} /*TrayAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{7D559C10-9FE9-11d0-93F7-00AA0059CE02} /*Code Download Agent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} /*ConnectionAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{D8BD2030-6FC9-11D0-864F-00AA006809D9} /*PostAgent*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} /*WebCheck SyncMgr Handler*/%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@{352EC2B7-8B9A-11D1-B8AE-006008059382} /*Gestione applicazioni shell*/%SystemRoot%\System32\appwiz.cpl = %SystemRoot%\System32\appwiz.cpl
@{0B124F8F-91F0-11D1-B8B5-006008059382} /*Enumeratore applicazioni installate*/%SystemRoot%\System32\appwiz.cpl = %SystemRoot%\System32\appwiz.cpl
@{CFCCC7A0-A282-11D1-9082-006008059382} /*Darwin App Publisher*/%SystemRoot%\System32\appwiz.cpl = %SystemRoot%\System32\appwiz.cpl
@{e84fda7c-1d6a-45f6-b725-cb260c236066} /*Shell Image Verbs*/%SystemRoot%\System32\shimgvw.dll = %SystemRoot%\System32\shimgvw.dll
@{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} /*Shell Image Data Factory*/%SystemRoot%\System32\shimgvw.dll = %SystemRoot%\System32\shimgvw.dll
@{3F30C968-480A-4C6C-862D-EFC0897BB84B} /*GDI + programma di estrazione file in anteprima*/C:\WINDOWS\System32\shimgvw.dll = C:\WINDOWS\System32\shimgvw.dll
@{9DBD2C50-62AD-11d0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINDOWS\System32\shimgvw.dll = C:\WINDOWS\System32\shimgvw.dll
@{EAB841A0-9550-11cf-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/C:\WINDOWS\System32\shimgvw.dll = C:\WINDOWS\System32\shimgvw.dll
@{eb9b1153-3b57-4e68-959a-a3266bc3d7fe} /*Shell Image Property Handler*/%SystemRoot%\System32\shimgvw.dll = %SystemRoot%\System32\shimgvw.dll
@{CC6EEFFB-43F6-46c5-9619-51D571967F7D} /*Pubblicazione guidata sul Web*/%SystemRoot%\System32\netplwiz.dll = %SystemRoot%\System32\netplwiz.dll
@{add36aa8-751a-4579-a266-d66f5202ccbb} /*Ordinazione di stampe tramite Web*/%SystemRoot%\System32\netplwiz.dll = %SystemRoot%\System32\netplwiz.dll
@{6b33163c-76a5-4b6c-bf21-45de9cd503a1} /*Oggetto Pubblicazione guidata sul Web*/%SystemRoot%\System32\netplwiz.dll = %SystemRoot%\System32\netplwiz.dll
@{58f1f272-9240-4f51-b6d4-fd63d1618591} /*Creazione guidata profilo Passport*/%SystemRoot%\System32\netplwiz.dll = %SystemRoot%\System32\netplwiz.dll
@{7A9D77BD-5403-11d2-8785-2E0420524153} /*Account utente*/(null) =
@{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} /*Cartella compressa*/%SystemRoot%\System32\zipfldr.dll = %SystemRoot%\System32\zipfldr.dll
@{BD472F60-27FA-11cf-B8B4-444553540000} /*Compressed (zipped) Folder Right Drag Handler*/%SystemRoot%\System32\zipfldr.dll = %SystemRoot%\System32\zipfldr.dll
@{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} /*Compressed (zipped) Folder SendTo Target*/%SystemRoot%\System32\zipfldr.dll = %SystemRoot%\System32\zipfldr.dll
@{f39a0dc0-9cc8-11d0-a599-00c04fd64433} /*File del canale*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} /*Collegamento al canale*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} /*Channel Handler Object*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{f3da0dc0-9cc8-11d0-a599-00c04fd64437} /*Channel Menu*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} /*Channel Properties*/%SystemRoot%\System32\cdfview.dll = %SystemRoot%\System32\cdfview.dll
@{63da6ec0-2e98-11cf-8d82-444553540000} /*FTP Folders Webview*/C:\WINDOWS\System32\msieftp.dll = C:\WINDOWS\System32\msieftp.dll
@{883373C3-BF89-11D1-BE35-080036B11A03} /*Microsoft DocProp Shell Ext*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{A9CF0EAE-901A-4739-A481-E35B73E47F6D} /*Microsoft DocProp Inplace Edit Box Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{8EE97210-FD1F-4B19-91DA-67914005F020} /*Microsoft DocProp Inplace ML Edit Box Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{0EEA25CC-4362-4A12-850B-86EE61B0D3EB} /*Microsoft DocProp Inplace Droplist Combo Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{6A205B57-2567-4A2C-B881-F787FAB579A3} /*Microsoft DocProp Inplace Calendar Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} /*Microsoft DocProp Inplace Time Control*/C:\WINDOWS\System32\docprop2.dll = C:\WINDOWS\System32\docprop2.dll
@{8A23E65E-31C2-11d0-891C-00A024AB2DBB} /*Directory Query UI*/%SystemRoot%\System32\dsquery.dll = %SystemRoot%\System32\dsquery.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/%SystemRoot%\System32\dsquery.dll = %SystemRoot%\System32\dsquery.dll
@{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} /*Directory Object Find*/%SystemRoot%\System32\dsquery.dll = %SystemRoot%\System32\dsquery.dll
@{F020E586-5264-11d1-A532-0000F8757D7E} /*Directory Start/Search Find*/%SystemRoot%\System32\dsquery.dll = %SystemRoot%\System32\dsquery.dll
@{0D45D530-764B-11d0-A1CA-00AA00C16E65} /*Directory Property UI*/%SystemRoot%\System32\dsuiext.dll = %SystemRoot%\System32\dsuiext.dll
@{62AE1F9A-126A-11D0-A14B-0800361B1103} /*Directory Context Menu Verbs*/%SystemRoot%\System32\dsuiext.dll = %SystemRoot%\System32\dsuiext.dll
@{ECF03A33-103D-11d2-854D-006008059367} /*MyDocs Copy Hook*/%SystemRoot%\System32\mydocs.dll = %SystemRoot%\System32\mydocs.dll
@{ECF03A32-103D-11d2-854D-006008059367} /*MyDocs Drop Target*/%SystemRoot%\System32\mydocs.dll = %SystemRoot%\System32\mydocs.dll
@{4a7ded0a-ad25-11d0-98a8-0800361b1103} /*MyDocs Properties*/%SystemRoot%\System32\mydocs.dll = %SystemRoot%\System32\mydocs.dll
@{750fdf0e-2a26-11d1-a3ea-080036587f03} /*Offline Files Menu*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{10CFC467-4392-11d2-8DB4-00C04FA31A66} /*Offline Files Folder Options*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} /*Cartella file non in linea*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{143A62C8-C33B-11D1-84FE-00C04FA34A14} /*Microsoft Agent Character Property Sheet Handler*/C:\WINDOWS\msagent\agentpsh.dll = C:\WINDOWS\msagent\agentpsh.dll
@{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} /*DfsShell*/C:\WINDOWS\System32\dfsshlex.dll = C:\WINDOWS\System32\dfsshlex.dll
@{60fd46de-f830-4894-a628-6fa81bc0190d} /*%DESC_PublishDropTarget%*/%SystemRoot%\System32\photowiz.dll = %SystemRoot%\System32\photowiz.dll
@{7A80E4A8-8005-11D2-BCF8-00C04F72C717} /*MMC Icon Handler*/%SystemRoot%\System32\mmcshext.dll = %SystemRoot%\System32\mmcshext.dll
@{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} /*.CAB file viewer*/cabview.dll = cabview.dll
@{32714800-2E5F-11d0-8B85-00AA0044F941} /*&Contatti...*/C:\Programmi\Outlook Express\wabfind.dll = C:\Programmi\Outlook Express\wabfind.dll
@{8DD448E6-C188-4aed-AF92-44956194EB1F} /*Windows Media Player Play as Playlist Context Menu Handler*/C:\WINDOWS\system32\wmpshell.dll = C:\WINDOWS\system32\wmpshell.dll
@{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} /*Windows Media Player Burn Audio CD Context Menu Handler*/C:\WINDOWS\system32\wmpshell.dll = C:\WINDOWS\system32\wmpshell.dll
@{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} /*Windows Media Player Add to Playlist Context Menu Handler*/C:\WINDOWS\system32\wmpshell.dll = C:\WINDOWS\system32\wmpshell.dll
@{1D2680C9-0E2A-469d-B787-065558BC7D43} /*Fusion Cache*/C:\WINDOWS\system32\mscoree.dll = C:\WINDOWS\system32\mscoree.dll
@{C4213067-97B3-4929-9B98-B5600FBBBA13} /*TouchED*/C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll = C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{68f32140-2ca3-11d0-acc1-444553540000} /*PicaView*/C:\PROGRA~1\ACDSYS~1\PicaView\PicaView.dll = C:\PROGRA~1\ACDSYS~1\PicaView\PicaView.dll
@{640167b4-59b0-47a6-b335-a6b3c0695aea} /*Portable Media Devices*/%SystemRoot%\System32\Audiodev.dll = %SystemRoot%\System32\Audiodev.dll
@{cc86590a-b60a-48e6-996b-41d25ed39a1e} /*Portable Media Devices Menu*/%SystemRoot%\System32\Audiodev.dll = %SystemRoot%\System32\Audiodev.dll
@{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} /*Set Program Access and Defaults*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/C:\PROGRA~1\Yahoo!\Common\ymmapi.dll = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
@{21569614-B795-46b1-85F4-E737A8DC09AD} /*Shell Search Band*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/(null) =
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
@{4ADF8C01-0AC7-4403-888C-012E6EA2F67E} /*Sims2Pack Clean Installer Shell Extension*/mscoree.dll = mscoree.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll = C:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Offline Files@{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
Open With@{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
Open With EncryptionMenu@{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
PicaView@{68f32140-2ca3-11d0-acc1-444553540000} = C:\PROGRA~1\ACDSYS~1\PicaView\PicaView.dll
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
Yahoo! Mail@{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} = %SystemRoot%\system32\SHELL32.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
EncryptionMenu@{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
Offline Files@{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
Sharing@{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
S2PCI@{4ADF8C01-0AC7-4403-888C-012E6EA2F67E} = mscoree.dll
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar4.dll = c:\programmi\google\googletoolbar4.dll
@{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll = C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\ >>>
.fpx@Location = C:\Programmi\Internet Explorer\PLUGINS\NPRVRT34.dll
.ivr@Location = C:\Programmi\Internet Explorer\PLUGINS\NPRVRT34.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://it.yahoo.com = http://it.yahoo.com
@Start Pagehttp://www.msn.com = http://www.msn.com
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\ >>>
application/octet-stream@CLSID = mscoree.dll
application/x-complus@CLSID = mscoree.dll
application/x-msdownload@CLSID = mscoree.dll
Class Install Handler@CLSID = C:\WINDOWS\system32\urlmon.dll
deflate@CLSID = C:\WINDOWS\system32\urlmon.dll
gzip@CLSID = C:\WINDOWS\system32\urlmon.dll
lzdhtml@CLSID = C:\WINDOWS\system32\urlmon.dll
text/webviewhtml@CLSID = %SystemRoot%\system32\SHELL32.dll

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
about@CLSID = %SystemRoot%\System32\mshtml.dll
cdl@CLSID = C:\WINDOWS\system32\urlmon.dll
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
file@CLSID = C:\WINDOWS\system32\urlmon.dll
ftp@CLSID = C:\WINDOWS\system32\urlmon.dll
gopher@CLSID = C:\WINDOWS\system32\urlmon.dll
http@CLSID = C:\WINDOWS\system32\urlmon.dll
https@CLSID = C:\WINDOWS\system32\urlmon.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
javascript@CLSID = %SystemRoot%\System32\mshtml.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
local@CLSID = C:\WINDOWS\system32\urlmon.dll
mailto@CLSID = %SystemRoot%\System32\mshtml.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
mk@CLSID = C:\WINDOWS\system32\urlmon.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
res@CLSID = %SystemRoot%\System32\mshtml.dll
sysimage@CLSID = %SystemRoot%\System32\mshtml.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
vbscript@CLSID = %SystemRoot%\System32\mshtml.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
000000000001@LibraryPath = %SystemRoot%\System32\mswsock.dll
000000000002@LibraryPath = %SystemRoot%\System32\winrnr.dll
000000000003@LibraryPath = %SystemRoot%\System32\mswsock.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000004@PackedCatalogItem = %SystemRoot%\system32\rsvpsp.dll
000000000005@PackedCatalogItem = %SystemRoot%\system32\rsvpsp.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000016@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll

---- EOF - GMER 1.0.12 ----
Avatar utente
margi75_
Aficionado
Aficionado
 
Messaggi: 86
Iscritto il: lun mar 05, 2007 9:32 pm


Messaggioda margi75_ » lun mar 05, 2007 10:38 pm

ciao amantide, grazie per aver risposto subito. si mi chiamo Marica piacere. ho postato il log di autostart.. adesso provo a inserire lo script che mi hai dato in avenger anche se lo ho gia inserito ieri sera senza risultato. ciao e grazie
Avatar utente
margi75_
Aficionado
Aficionado
 
Messaggi: 86
Iscritto il: lun mar 05, 2007 9:32 pm

Messaggioda Amantide » lun mar 05, 2007 10:40 pm

Altri virus non si vedono, quindi esegui lo script di prima e poi segui le istruzioni dell'articolo. [:)]
...per volare alto, bisogna saper cadere...
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

Messaggioda margi75_ » lun mar 05, 2007 10:54 pm

non so come ringraziarti! sono riuscita a reistallare antivir ehehehe. ma le voci dal registro non le trovo.. forse perché le avevo gia' eliminate ieri sera seguendo l'articolo?.. secondo te sono pulita anche senza ripulire il registro?. grazie ancora :-))
Avatar utente
margi75_
Aficionado
Aficionado
 
Messaggi: 86
Iscritto il: lun mar 05, 2007 9:32 pm

Messaggioda margi75_ » lun mar 05, 2007 11:02 pm

tutto a postoooo grazie grazieee.. ho trovato tutto.:-9
Avatar utente
margi75_
Aficionado
Aficionado
 
Messaggi: 86
Iscritto il: lun mar 05, 2007 9:32 pm

Messaggioda Amantide » lun mar 05, 2007 11:04 pm

margi75_ ha scritto:secondo te sono pulita anche senza ripulire il registro?. grazie ancora :-))

Si, a questo punto direi di si. [;)]
Per eliminare i residui dovrebbe bastare la scansione con antivirus.
...per volare alto, bisogna saper cadere...
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

anch'io ho lo stesso problema

Messaggioda nicola82 » mar mar 06, 2007 1:27 pm

vi posto quello che gmer mi ha loggato - ho letto i post di questo forum e non sono riuscito a rimuovere nulla, purtroppo
Avatar utente
nicola82
Aficionado
Aficionado
 
Messaggi: 75
Iscritto il: lun mar 05, 2007 8:17 pm

Messaggioda Amantide » mar mar 06, 2007 1:53 pm

Ciao Nicola e benvenuto [:)]

Scarica The Avenger, estrai archivio in una cartella ed avvia il file Avenger.exe.
Seleziona l'opzione Input Script Manually, clicca sulla lente di ingrandimento e all'interno del form copia ed incolla questo script:

Files to delete:
C:\Documents and Settings\Nicola\Dati applicazioni\hidires\m_hook.sys
C:\Documents and Settings\Nicola\Dati applicazioni\hidires\hidr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe

folders to delete:
C:\Documents and Settings\Nicola\Dati applicazioni\hidires
C:\WINDOWS\exefld

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr


Dopodichè clicca sul pulsante Done, poi 2 volte sull'icona del semaforo verde e rispondi alle successive domande Si .
Il pc dovrebbe riavviarsi da solo,se cosi non fosse riavvialo manualmente.
Alla fine allegami il log di Avenger che si trova in C:/avenger.txt

Dopo segui questo articolo su come eliminare i residui e ripristinare l'uso della modalità provvisoria ed alcuni servizi terminati.
...per volare alto, bisogna saper cadere...
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

Messaggioda angel_in_the_ska » mar mar 06, 2007 3:26 pm

aiuto...qualcuno può aiutarmi dicendomi come si crea lo script dopo aver fatto lo scan con il gmer?? questi sono i log
GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-03-06 14:24:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Documents and Settings\valentina\Dati applicazioni\hidires\m_hook.sys ZwCreateFile
SSDT \??\C:\Documents and Settings\valentina\Dati applicazioni\hidires\m_hook.sys ZwEnumerateKey
SSDT \??\C:\Documents and Settings\valentina\Dati applicazioni\hidires\m_hook.sys ZwEnumerateValueKey
SSDT \??\C:\Documents and Settings\valentina\Dati applicazioni\hidires\m_hook.sys ZwQueryDirectoryFile
SSDT \??\C:\Documents and Settings\valentina\Dati applicazioni\hidires\m_hook.sys ZwQueryKey
SSDT \??\C:\Documents and Settings\valentina\Dati applicazioni\hidires\m_hook.sys ZwQuerySystemInformation

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\system32\hldrrr.exe (*** hidden *** ) 428
Process C:\WINDOWS\system32\hldrrr.exe (*** hidden *** ) 508

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Security,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>00}qZ=`RaAFZQ{?{DArt?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@CustomMarshalers,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>e}GvMMOnH@hg(nYnu%p8?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@Accessibility,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>aPzKX=15Z?*VmZwfL?5??
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Configuration.Install,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>]-2y_C5dWAq8t'Ahp=bS?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.DirectoryServices,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>IvR7u6?dq8g4^Yd4V1J6?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Drawing.Design,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>8P8fd9s@-?D*V},`V=T3?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.ServiceProcess,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>xY=TG9CqU@W)~p?RO_w[?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Web,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>C)z]OrW%R=wF2GW{Mgf2?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Web.RegularExpressions,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>hWlcu7oG*9ybzp+^-VdU?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Web.Services,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>_FJM`5byo=hcOs8jwB`u?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Windows.Forms,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>^'5*]IAel?w8MnWaY[Jf?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Xml,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>'.E-h@SP~=w?DXL*AL.m?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Data,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>=6xEmQ}b$?[kDPAt*+Mv?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Design,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>?7w%[IH(QA(f_Nv)g1+u?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>6_Lp.YrKG=t~lt)yuC(b?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Drawing,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>Av^oip*aw@nLUAKMX6tN?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Messaging,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>vQk-c(tl+9_q.YVyjkqq?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@IEHost,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>R,YAg8Uzf?q9ZRNgCdW.?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@IIEHost,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.0.5000.0" %EmAj?C%k9W7cNB_.[t[Redist_Package>nV30Foad^=4D0FLgllXd?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@ISymWrapper,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>W**YR.kDv?kTe!evxZOf?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@mscorcfg,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>{?^lW%IQJ=DGh@&,glnR?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@mscorlib,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>v~Yw+7RXK?*n7r]K90Xd?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Management,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>PCwF,UKRl=)zd@Q'%%3G?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Runtime.Remoting,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>oaxX*et~F@1qEj-wm]ZH?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|WINDOWS|Microsoft.NET|Framework|v1.1.4322|mscorwks.dll@System.Runtime.Serialization.Formatters.Soap,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>hXM40zsHQ9T~regpU=Bb?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@Microsoft_VsaVb,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="7.10.3052.4" %EmAj?C%k9W7cNB_.[t[Redist_Package>ZYT6Y}7@o?che(HR+=APT?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@Microsoft.Vsa,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="7.10.3052.4" %EmAj?C%k9W7cNB_.[t[Redist_Package>vC~AI=2_U=jP1y7`PgEK?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@Microsoft.VisualBasic.Vsa,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="7.10.3052.4" %EmAj?C%k9W7cNB_.[t[Redist_Package>dxy+{V6B(@+d{@(0_+AQ?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@cscompmgd,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="7.10.3052.4" %EmAj?C%k9W7cNB_.[t[Redist_Package>.[PYtUR-d8WP[=+EL+1O?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@Microsoft.JScript,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="7.10.3052.4" %EmAj?C%k9W7cNB_.[t[Redist_Package>2Y]8C*W[d@g,InfZq=QO?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@Microsoft.VisualBasic,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="7.10.3052.4" %EmAj?C%k9W7cNB_.[t[Redist_Package>uqOdb3z0A9nOM3DNwRap?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@Microsoft.VisualC,Version="7.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="7.10.3052.4" %EmAj?C%k9W7cNB_.[t[Redist_Package>w=KLXB[Xr=7Tk@&xP9mc?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@Regcode,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>HgVH13*D4=(W~'P?(s2v?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.EnterpriseServices,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>e64H(FT9aAe*?nR&Hqu&?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Security,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>,.idGaf+a@p?-Q++qW2k?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@CustomMarshalers,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>NA^,LBxBWAO8^5,~v&8R?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@Accessibility,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>kgT}+.%vy?ikM)Pm%j(e?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Configuration.Install,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>NLc&){D?)A$1sUX?25sO?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.DirectoryServices,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>$v^BT?)o-=UTn*mAe$WC?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Drawing.Design,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>5FJq?3gMD@zhYonAA7zP?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.ServiceProcess,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>&n!BoCXqG=-dnT!D_K^F?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Web,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>lWHd$@tF]9]5,Sm%4[C+?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Web.RegularExpressions,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>Z4gl`yrv7=muBlQnQKLc?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Web.Services,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>aNAK!_!Eo=`)&1S{-9qF?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Windows.Forms,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>VM.bWln_GA'bH^9b4zy!?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Xml,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>%$f[5O}U(A5g(F1lojgF?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Data,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>&E8MWjh%YAwnpr?O'Yi%?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Design,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>C*F%G*9^O@W5=%1gR^8-?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Drawing,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>SksH4=PK%=e-_b0RuAPa?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>fHeMP]gBr8xqs@n2Co?]?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Messaging,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>(GwSNVGT+@7fT)]}SlJ_?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@IEExecRemote,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>bbB7w3YPI?^u?S_0}W8T?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@IEHost,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>{e[a-{V).94C1..jDAj.?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@IIEHost,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.0.5000.0" %EmAj?C%k9W7cNB_.[t[Redist_Package>a+z?fXORD?MQ[Q9IU8rM?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@ISymWrapper,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>)FaXaBH81?z8.(n5Ifk0?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@mscorcfg,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>?Apg'v4Ao8k8Bcl_)c@q?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Data.OracleClient,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>LSv0fvZqn=B^x-K9?$ZH?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Management,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>E-9C,Ky_,=`o0ZsSt.K4?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Runtime.Remoting,Version="1.0.5000.0",PublicKeyToken="b77a5c561934e089",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>$AqI^d@FOAa}lhk6lCx6?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Runtime.Serialization.Formatters.Soap,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>b(NwVxq^D9N$NykQh&F=?
Reg \Registry\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global@System.Web.Mobile,Version="1.0.5000.0",PublicKeyToken="b03f5f7f11d50a3a",Culture="neutral",FileVersion="1.1.4322.573" %EmAj?C%k9W7cNB_.[t[Redist_Package>f8hJ=QM?g(Z1z?VXB]2d?
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users\Dati applicazioni\ScanSoft\NaturallySpeaking8\Data\Ita\ita_general_medium\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users\Dati applicazioni\ScanSoft\NaturallySpeaking8\Data\Ita\ita_general_small\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users\Dati applicazioni\ScanSoft\NaturallySpeaking8\Data\Ita\dvce\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users\Dati applicazioni\ScanSoft\NaturallySpeaking8\Data\Ita\dvce\general\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users\Dati applicazioni\ScanSoft\NaturallySpeaking8\Data\Ita\dvcu\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users\Dati applicazioni\ScanSoft\NaturallySpeaking8\Data\Ita\dvcu\general\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users\Dati applicazioni\ScanSoft\NaturallySpeaking8\Data\Training\ita\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users\Dati applicazioni\ScanSoft\NaturallySpeaking8\Data\Training\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\ScanSoft\NaturallySpeaking8\Help\ita\personal\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\ScanSoft\NaturallySpeaking8\Help\ita\power\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\ScanSoft\NaturallySpeaking8\Help\ita\pref\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\ScanSoft\NaturallySpeaking8\Help\ita\profrt\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\ScanSoft\NaturallySpeaking8\Program\Upgrdmod10\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\ScanSoft\NaturallySpeaking8\Program\Upgrdmod11\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\ScanSoft\NaturallySpeaking8\Program\Upgrdmod7\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\ScanSoft\NaturallySpeaking8\Program\Upgrdmod\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\File comuni\InstallShield\UpdateService\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\File comuni\Scansoft Shared\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users\Dati applicazioni\ScanSoft\SSBkgdUpdate\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\ScanSoft\NaturallySpeaking8\tutorial\ita\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Documents and Settings\All Users\Menu Avvio\Programmi\Dragon NaturallySpeaking 8.0\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\WINDOWS\Installer\{DDDD0C4B-57F7-4A85-ACF0-DB3FC8F1DBB4}\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@C:\Programmi\Google\Toolbar for Firefox\
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@hldrrr C:\WINDOWS\system32\hldrrr.exe
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@hldrrr C:\WINDOWS\system32\hldrrr.exe
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\zrffratre erzbiny gbby\Jvaqbjf Zrffratre Erzbiny Gbby\JvaZrffErzbi.rkr 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Q:\frghc.rkr 0xF2 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Q:\nit71serr_405n791.rkr 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY 0x0B 0x01 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Pbyyrtnzragb n Vagrearg.yax 0x0B 0x01 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\Vagrearg Rkcybere\vrkcyber.rkr 0x0B 0x01 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Q:\JvaZrffErzbi.rkr 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Q:\Vafgnyy_Zrffratre.rkr 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\zrffratre erzbiny gbby\zrffratre erzbiny gbby\Jvaqbjf Zrffratre Erzbiny Gbby\JvaZrffErzbi.rkr 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\BSSVPR 2003\QJGEVT20.RKR 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\JVAQBJF\uu.rkr 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\BSSVPR 2003\FRGHC.RKR 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\areb 6.0\ArebOheaEvtugfVafgnyyre.rkr 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\areb 6.0\Areb Oheavat Ebz 6601.rkr 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\areb 6.0\Areb Ivfvba Rqvg 3014.rkr 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:%pfvqy2%\Areb\Areb 6 Qrzb\Areb Rkcerff.yax 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:%pfvqy2%\Areb\Areb 6 Qrzb 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:%pfvqy2%\Areb 0x01 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Fcvqre.yax 0x0B 0x01 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\fcvqre.rkr 0x0B 0x01 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\inyragvan\Qrfxgbc\NezlOhvyqre\NezlOyqe.rkr 0x0C 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\inyragvan\Qrfxgbc\NezlOhvyqre\HAJVFR.RKR 0x0C 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\JVAQBJF\flfgrz32\ehaqyy32.rkr 0x0B 0x01 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Jvaqbjf Yvir Zrffratre.yax 0x06 0x01 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\ZFA Zrffratre\zfazfte.rkr 0x07 0x01 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Q:\nhgbcynl.rkr 0x10 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHAPCY:"P:\JVAQBJF\flfgrz32\znva.pcy",Zbhfr 0x10 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Zvpebfbsg Bssvpr Jbeq 2003.yax 0xCD 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\Zvpebfbsg Bssvpr\2003\BSSVPR11\JVAJBEQ.RKR 0xF2 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:{90110410-6000-11Q3-8PSR-0150048383P9} 0xF1 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Q:\Vafgnyyre.rkr 0x55 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:%pfvqy2%\Jbeyq bs Jnepensg\Jbeyq bs Jnepensg Ernq Zr.yax 0x11 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:%pfvqy2%\Jbeyq bs Jnepensg\Jbeyq bs Jnepensg Znahny.yax 0x11 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Jbeyq bs Jnepensg.yax 0x09 0x01 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:%pfvqy2%\Jbeyq bs Jnepensg 0x11 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Q:\_FRGVZT\RCQRGRPG.RKR 0x12 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:::{2559N1S4-21Q7-11Q4-OQNS-00P04S60O9S0} 0xF3 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\CEBTEN~1\ZVPEBF~2\2003\BSSVPR11\BHGYBBX.RKR 0x19 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:::{2559N1S5-21Q7-11Q4-OQNS-00P04S60O9S0} 0x19 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:pnegryyn srqrevpb tnyyvan.yax 0x23 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:aba ncever.yax 0x23 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:P:\Qbphzragf naq Frggvatf\inyragvan\Qrfxgbc\fcvqre.yax 0x07 0x01 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:%pfvqy2%\Fgnzcnagv RCFBA\Svyr qv Nvhgb cre RCFBA Fglyhf P60 Frevrf.yax 0x28 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:%pfvqy2%\Fgnzcnagv RCFBA 0x28 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\JVAQBJF\Flfgrz32\jvauyc32.rkr 0x28 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:%pfvqy2%\Fgnzcnagv RCFBA\RCFBA Fglyhf P60 Frevrf Nffvfgramn grpavpn.hey 0x28 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:%pfvqy2%\RCFBA 0x28 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\kc trahvar\qc-KCtra15540nhgb.rkr 0x2B 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\kc trahvar\qc-kctra1540zhygvcngpu.rkr 0xA4 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Cynl Fgebatubyq 2.yax 0x2B 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Cebtenzzv\npebong ernqre\NqorEqe708_ra_HF.rkr 0x2B 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:::{645SS040-5081-101O-9S08-00NN002S954R} 0x07 0x01 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\CEBTEN~1\ZVPEBF~2\2003\BSSVPR11\BVF.RKR 0xEE 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:%pfvqy2%\Npprffbev 0x0B 0x01 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:%pfvqy2%\GbzGbz\Qvfvafgnyyner GbzGbz UBZR.yax 0x4A 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\inyragvan\Qrfxgbc\znzr\znzr32.rkr 0x4F 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHAPCY:"P:\JVAQBJF\flfgrz32\nccjvm.pcy",Vafgnyynmvbar nccyvpnmvbav 0x53 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Q:\ZnsvnYnhapure.RKR 0x60 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Q:\Nhgbeha.rkr 0x64 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-329068152-746137067-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACNGU:Tbguvp VV fcvryra.yax
Avatar utente
angel_in_the_ska
Neo Iscritto
Neo Iscritto
 
Messaggi: 5
Iscritto il: mar mar 06, 2007 2:36 pm

Messaggioda Amantide » mar mar 06, 2007 3:30 pm

Ciao e benvenuta [:)]

Scarica The Avenger, estrai archivio in una cartella ed avvia il file Avenger.exe.
Seleziona l'opzione Input Script Manually, clicca sulla lente di ingrandimento e all'interno del form copia ed incolla questo script:

Files to delete:
C:\Documents and Settings\valentina\Dati applicazioni\hidires\m_hook.sys
C:\Documents and Settings\valentina\Dati applicazioni\hidires\hidr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe

folders to delete:
C:\Documents and Settings\valentina\Dati applicazioni\hidires
C:\WINDOWS\exefld

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr


Dopodichè clicca sul pulsante Done, poi 2 volte sull'icona del semaforo verde e rispondi alle successive domande Si .
Il pc dovrebbe riavviarsi da solo,se cosi non fosse riavvialo manualmente.
Alla fine allegami il log di Avenger che si trova in C:/avenger.txt

Dopo leggi questa guida su come eliminare i residui e ripristinare l'uso della modalità provvisoria ed alcuni servizi terminati.
...per volare alto, bisogna saper cadere...
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

ecco qui

Messaggioda angel_in_the_ska » mar mar 06, 2007 3:44 pm

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ooobhkep

*******************

Script file located at: \??\C:\WINDOWS\system32\kyemwbtn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Documents and Settings\valentina\Dati applicazioni\hidires\m_hook.sys deleted successfully.
File C:\Documents and Settings\valentina\Dati applicazioni\hidires\hidr.exe deleted successfully.
File C:\WINDOWS\system32\wintems.exe deleted successfully.
File C:\WINDOWS\system32\hldrrr.exe deleted successfully.
Folder C:\Documents and Settings\valentina\Dati applicazioni\hidires deleted successfully.
Folder C:\WINDOWS\exefld deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Services\m_hook deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Avatar utente
angel_in_the_ska
Neo Iscritto
Neo Iscritto
 
Messaggi: 5
Iscritto il: mar mar 06, 2007 2:36 pm

Messaggioda Amantide » mar mar 06, 2007 3:47 pm

L'esito di Avenger è positivo [^] , ora prosegui con la guida.
...per volare alto, bisogna saper cadere...
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo

ci siamo quasi :)

Messaggioda angel_in_the_ska » mar mar 06, 2007 3:56 pm

ultima cosuccia :)
sono all'ultimo passo nei SERVICES da abilitare se disabilitati..ma l'opzioni abilita non me la da, mi dice: automatico o manuale...che faccio??
grazie mille..e ultima cosa sul safe boot è necessario farlo o posso anche evitare...perché anche lì non è che ci abbia capito molto :(
Avatar utente
angel_in_the_ska
Neo Iscritto
Neo Iscritto
 
Messaggi: 5
Iscritto il: mar mar 06, 2007 2:36 pm

ci siamo quasi :)

Messaggioda angel_in_the_ska » mar mar 06, 2007 3:58 pm

un'ultima cosuccia..sono al passo abilita nei SERVICES..alcuni sono effettivamente disabilitati..ma nn mi da l'opzione abilita ma solo: manuale o automatico..cosa faccio??
e anche una cosa...l'ultimo passo della guida..sul safe boot..posso saltarlo? non per altro,è che anche lì non ci avrei capito molto sul da farsi...
grazie mille..sopratttutto per la pazienza [;)]
Avatar utente
angel_in_the_ska
Neo Iscritto
Neo Iscritto
 
Messaggi: 5
Iscritto il: mar mar 06, 2007 2:36 pm

ehm

Messaggioda angel_in_the_ska » mar mar 06, 2007 4:01 pm

ehm---risolto da sola per i services..la prossima volta ci provo prima e poi chiedo...sorry :)
..e per il boot safe invece??
Avatar utente
angel_in_the_ska
Neo Iscritto
Neo Iscritto
 
Messaggi: 5
Iscritto il: mar mar 06, 2007 2:36 pm

Re: ci siamo quasi :)

Messaggioda Amantide » mar mar 06, 2007 4:02 pm

angel_in_the_ska ha scritto:ultima cosuccia :)
sono all'ultimo passo nei SERVICES da abilitare se disabilitati..ma l'opzioni abilita non me la da, mi dice: automatico o manuale...che faccio??

Impostali su Automatico e poi clicca su Avvia.
grazie mille..e ultima cosa sul safe boot è necessario farlo o posso anche evitare...perché anche lì non è che ci abbia capito molto :(

Se non usi e non hai mai usato la modalità provvisoria allora puoi anche saltare questo passaggio, ma comunque ti consiglio di riabilitarla lo stesso, che non si sa mai se un giorno ti servirà.
Dovrai semplicemente scaricare il file SafeBoot allegato all'articolo (clicca sulla scritta SafeBoot sotto al titolo dell'articolo per scaricarlo), estrai il file sul desktop e clicca sopra. Rispondi per 2 volte Si e riavvia il pc.
...per volare alto, bisogna saper cadere...
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo


Torna a Sicurezza

Chi c’è in linea

Visitano il forum: Nessuno e 17 ospiti

Powered by phpBB © 2002, 2005, 2007, 2008 phpBB Group
Traduzione Italiana phpBB.it

megalab.it: testata telematica quotidiana registrata al Tribunale di Cosenza n. 22/09 del 13.08.2009, editore Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa Tutti i diritti sono riservati. Per la pubblicità: Master Advertising