www.MegaLab.it

da **cutigno** » ven ago 17, 2007 5:23 pm

Salve a tutti,
vi espongo il mio problema:

da questa mattina ZoneAlarm blocca l'accesso a internet di iexplore_32.exe inoltre cliccando sui link presenti come collegamento sul desktop mi appare una finestra di avviso che mi dice che non è possibile trovare il file: "http://www......" e nello stesso tempo mi apre una pagina bianca di explorer che poi si riaggiorna sulla mia "pagina iniziale" mentre se explorer è gia aperto i link funzionano correttamente.

Ho notato anche la presenza di questo file: 8161647.dll che non riesco ad eliminare.

Preciso che utilizzo soltanto ZoneAlarme e una periodica scansione con ad-Aware che mi ha trovato circa 600 file infetti da Win32.TrojanClicker, allego il log della scansione.

da **crazy.cat** » ven ago 17, 2007 5:39 pm

Non hai un antivirus installato?

Fai la scansione con Panda antirootkit ed elimina quello che trova
http://www.MegaLab.it/2714/2
poi usa unlocker o killbox per eliminare 8161647.dll o iexplore_32.exe se panda non ci riesce.

Se ancora falliscono, dopo un riavvio del pc fai una scansione con gmer
http://www.MegaLab.it/2675
e posta qui il log della sezione autostart.
Leggi l'articolo è tutto spiegato come farlo.

da **cutigno** » ven ago 17, 2007 6:29 pm

Salve, grazie per la tempestività della risposta,

ho provato a fare la scansione con panda ma mi ha trovato solo c:\windows\svchost.exe.

Non l'ho ancora cancellato, mi pare sia qualcosa che riguarda la rete lan o la stampante di rete.

da **crazy.cat** » ven ago 17, 2007 6:38 pm

No, in quella cartella non è niente di buono.
Il file giusto si trova in windows\system32, quello lo puoi eliminare.

fai il log con gmer, e vediamo anche quello di hijackthis.
Copia e incolla il testo che ne esce nella discussione.

da **cutigno** » ven ago 17, 2007 7:00 pm

OK, ho cancellato svchost.exe con panda.

domani mattina continuerò con la procedura.

da **cutigno** » sab ago 18, 2007 8:30 am

Ecco il log della scansione con gmer

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-18 09:22:24
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.13 ----

.text ntoskrnl.exe!_abnormal_termination + 1D5 804E2831 3 Bytes [ 14, BC, F4 ]

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F4BAF590] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F4BAFAD0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F4BAFC30] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F4BAF700] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F4BAF700] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F4BAF590] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F4BAFAD0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F4BAFC30] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F4BAF590] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F4BAFC30] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F4BAFAD0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F4BAF700] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F4BAFC30] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F4BAFAD0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F4BAF590] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F4BAF700] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F4BAF590] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F4BAFAD0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F4BAFC30] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F4BCD980] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F4BAF590] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F4BAF700] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F4BAFC30] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F4BAFAD0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F4BA8630] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F4BA8580] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F4BA86F0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F4BA84A0] \SystemRoot\System32\vsdatant.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BCD230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F4BCD230] vsdatant.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE F3DAA400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE F3DAA400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ F3DAA400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION F3DAA400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION F3DAA400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION F3DAA400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL F3DAA400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL F3DAA400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL F3DAA400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN F3DADC74
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL F3DAA400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP F3DAA400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP F3DAA400
Device \FileSystem\Cdfs \Cdfs FastIoCheckIfPossible F3DADBCE

---- Registry - GMER 1.0.13 ----

Reg \Registry\USER\S-1-5-21-1220945662-1343024091-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:P:\Qbphzragf naq Frggvatf\Tvnasenapb\Erprag\uggc--jcbc1.yvoreb.vg-ptv-ova-jroznvy.ptv-Ahbib_Qbphzragb_qv_Zvpebfbsg_Jbeq.qbpVQ=VTYuj7qzpw3mpVu0gIyeINLpS19RBolyE7bNKo8rLQ&Npg_Ivrj=1&E_Sbyqre=nJ5vo3t=&zftVQ=7&Obql=2&svyranzr=Ahbib_Qbphzragb_qv_Zvpebfbsg_J.yax 0x37 0x00 0x00 0x00 ...
Reg \Registry\USER\S-1-5-21-1220945662-1343024091-842925246-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count@HRZR_EHACVQY:P:\Qbphzragf naq Frggvatf\Tvnasenapb\Erprag\uggc--jcbc2.yvoreb.vg-ptv-ova-jroznvy.ptv-Dhrfgn_?_han_onapn.qbpVQ=V0SrNmhOD7qHc9QG8WR0g7Tp3X9htkrUfMEZNeBtcHX9MwjLCQxTje&Npg_Ivrj=1&E_Sbyqre=nJ5vo3t=&zftVQ=186&Obql=2&svyranzr=Dhrfgn_?_han_onapn.qbp.yax 0x65 0x01 0x00 0x00 ...

---- EOF - GMER 1.0.13 ----

da **cutigno** » sab ago 18, 2007 8:42 am

Ecco anche la scansione con HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9.41.33, on 18/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\funk.exe
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\MegaLab\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://liberomail.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SC2300USBPNP] C:\WINDOWS\TWAIN_32\SiPix\SC-2300\USBPNP.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = D:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 3.lnk = C:\Programmi\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 5.lnk = C:\Programmi\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {64F2AAC0-5677-4B53-99D0-E0CB73E7C95C} (SmartCardReader.UCSmartCardReader) - https://reseller.indexpoint.it/DWL/SmartCardReader.cab
O16 - DPF: {F3D34410-6F9A-4FDD-987E-410C6F7AEA27} (ESPluginInstallProgress Class) - http://www.edgestream.com/software/ES_EasyInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{64292BCF-A919-4D1A-A600-50384A46BF9E}: NameServer = 151.99.0.100,151.99.125.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB3D6391-165A-462D-BDAE-CABD7C407EAC}: NameServer = 151.99.0.100,151.99.125.1
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4408 bytes

da **crazy.cat** » sab ago 18, 2007 9:01 am

Ti avevo chiesto il log di gmer nella sezione autostart, ci arrivi premendo le doppi>>, quello che hai postato non mi dice quello che mi serve.

crazy.cat ha scritto:dopo un riavvio del pc fai una scansione con gmer
http://www.MegaLab.it/2675
e posta qui il log della sezione autostart.
Leggi l'articolo è tutto spiegato come farlo.

perché non usi un antivirus?
Già dal log di hijackthis si vedono svariati virus, figuriamoci quelli che non si vedono.

Controlla sei hai questo file w32dbg.exe nel tuo pc.

Avvia il registro di configurazione (start esegui regedit) e vai a questa chiave di registro
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options e cerca se ci sono altre due sottochiavi con explorer.exe e iexplore.exe.

da **cutigno** » sab ago 18, 2007 11:13 am

Ho trovato w32dbg.exe in c:\windows e W32DBG.EXE-32B9725A.pf in c:\windows\prefetch

Le due sottochiavi explorer.exe e iexplore.exe sono presenti entrambe in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

ecco il log con gmer dalla sezione autostart:

GMER 1.0.13.12551 - http://www.gmer.net
Autostart scan 2007-08-18 12:07:07
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
SCardSvr /*smart card*/@ = %SystemRoot%\System32\SCardSvr.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@BluetoothAuthenticationAgentrundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@funkfunk.exe = funk.exe
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_01\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
@QuickTime Task"D:\Programmi\QuickTime\qttask.exe" -atboottime = "D:\Programmi\QuickTime\qttask.exe" -atboottime
@Zone Labs ClientC:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe = C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@SC2300USBPNPC:\WINDOWS\TWAIN_32\SiPix\SC-2300\USBPNP.exe /*file not found*/ = C:\WINDOWS\TWAIN_32\SiPix\SC-2300\USBPNP.exe /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MsnMsgr"C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background = "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
@Windows installerC:\winstall.exe /*file not found*/ = C:\winstall.exe /*file not found*/
@spoolwC:\WINDOWS\system32\spoolw.exe = C:\WINDOWS\system32\spoolw.exe
@igfxsvcC:\WINDOWS\system32\igfxsvc.exe = C:\WINDOWS\system32\igfxsvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
@UPnPMonitorC:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
@WPDShServiceObjC:\WINDOWS\system32\WPDShServiceObj.dll = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe@Debugger = C:\WINDOWS\w32dbg.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Periferiche Plug and Play universali*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/D:\Programmi\Real\RealPlayer\rpshell.dll = D:\Programmi\Real\RealPlayer\rpshell.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = D:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://liberomail.libero.it/ = http://liberomail.libero.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
msnim@CLSID = "C:\PROGRA~1\MSNMES~1\msgrapp.dll"
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{64292BCF-A919-4D1A-A600-50384A46BF9E} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.0.3 = 192.168.0.3
@NameServer151.99.0.100,151.99.125.1 = 151.99.0.100,151.99.125.1
@DefaultGateway192.168.0.2 = 192.168.0.2
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BB3D6391-165A-462D-BDAE-CABD7C407EAC} /*Connessione alla rete locale (LAN) 3*/ >>>
@IPAddress192.168.0.6 = 192.168.0.6
@NameServer151.99.0.100,151.99.125.1 = 151.99.0.100,151.99.125.1
@DefaultGateway192.168.0.2 = 192.168.0.2
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
HPAiODevice(hp officejet g series) - 3.lnk = HPAiODevice(hp officejet g series) - 3.lnk
HPAiODevice(hp officejet g series) - 5.lnk = HPAiODevice(hp officejet g series) - 5.lnk
Microsoft Office.lnk = Microsoft Office.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.13 ----

da **crazy.cat** » sab ago 18, 2007 12:34 pm

Intanto cancelli quelle due chiavi di registro che ti ho indicato.

Poi utilizzando avanger, leggi bene l'articolo,
http://www.MegaLab.it/2656
gli dai in pasto questo script, non sono sicurissimo delle ultime due righe visto che i file non si vedono neanche nel log di gmer, se il loro percorso è diverso cambia tu le cartelle.

Files to delete:
c:\windows\w32dbg.exe
C:\WINDOWS\system32\funk.exe
C:\WINDOWS\system32\spoolw.exe
C:\WINDOWS\system32\igfxsvc.exe
C:\winstall.exe
c:\windows\8161647.dll
c:\windows\iexplore_32.exe

dopo il riavvio del pc, ti esce fuori un file txt, ne copi il testo qui nella discussione così vediamo se ha tolto tutto.

Rifai la scansione con hijackthis e selezioni le caselle di queste righe poi premi fix checked per eliminarle.

O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe

Visto che non vuoi usare antivirus non ti suggerirò una scansione con virit che potrebbe scoprire altri problemi.

da **cutigno** » sab ago 18, 2007 4:09 pm

Ecco il log di avenger:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\svefswab

*******************

Script file located at: \??\C:\WINDOWS\fholdrsl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\windows\w32dbg.exe deleted successfully.
File C:\WINDOWS\system32\spoolw.exe deleted successfully.
File C:\WINDOWS\system32\igfxsvc.exe deleted successfully.
File c:\windows\iexplore_32.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Ho anche rifatto la scansione con hijackthis e eliminato le righe che mi hai indicato.

Spero non dovrebbero esserci altri problemi...
almeno per ora!

Per quanto riguarda l'antivirus, in genere prendono molte risorse e fanno anche altre cose che non mi interessano, saresti in grado di consigliarmene uno leggero e che faccia solo il suo lavoro?

da **crazy.cat** » sab ago 18, 2007 4:23 pm

Mancano questi due dal log?
C:\WINDOWS\system32\funk.exe
c:\windows\8161647.dll

controlla se sono spariti.

Antivir pe, ottimo e molto leggero, e freeware.
http://www.free-av.com/down/windows/ant ... u_en_h.exe

da **cutigno** » sab ago 18, 2007 6:47 pm

Hai ragione, mancano dal log perché li avavo eliminati con unlocker

Per quanto riguarda l'antivirus proverò questo che mi hai suggerito.

Ancora grazie e ti farò sapere

www.MegaLab.it

ZoneAlarm bolcca l'accesso a internet di iexplore_32.exe

ZoneAlarm bolcca l'accesso a internet di iexplore_32.exe

Chi c’è in linea