Yet another virus....


Re: Yet another virus....

Post by Ran85 » Mon Oct 20, 2008 6:24 pm

Here I am again...
I thought I had managed to get rid of it, but this morning, as soon as I switched the computer on, there it was again: antivirus gone, same symptoms as before, everything identical (I should say I have neither downloaded nor installed anything new)...
I tried the same method as a few days ago, but this time it doesn't work...
Here is the ComboFix log I got:

ComboFix 08-10-15.08 - Administrator 2008-10-20 10.11.53.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.1661 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Administrator\Desktop\roba virus\ComboFix.exe
Interruttori di comando utilizzati :: C:\Documents and Settings\Administrator\Desktop\roba virus\CFScript.txt
* Creato nuovo punto di ripristino
* Resident AV is active


ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!

FILE ::
C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys
.

((((((((((((((((((((((((( Files Creati Da 2008-09-20 al 2008-10-20 )))))))))))))))))))))))))))))))))))
.

2008-10-20 10:07 . 2008-10-20 10:07 168 --a------ C:\log.udt
2008-10-20 10:00 . 2008-10-20 10:00 185,360 --a------ C:\WINDOWS\572E7957932142F93932B175667526BC.exe
2008-10-17 19:08 . 2008-10-17 19:37 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-10-17 16:56 . 2008-10-17 16:56 313,871 --------- C:\WINDOWS\system32\e0c29e3d5df1cb4c31d8f18a6360ea11.TMP
2008-10-17 16:28 . 2008-10-17 16:43 <DIR> d-------- C:\Programmi\FindyKill
2008-10-17 15:04 . 2008-10-17 15:04 8,704 --ahsc--- C:\WINDOWS\system32\dllcache\Thumbs.db
2008-10-17 10:21 . 2008-10-17 10:21 <DIR> d-------- C:\Programmi\TeamViewer3
2008-10-17 10:21 . 2008-10-17 10:21 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\TeamViewer
2008-10-17 10:20 . 2008-10-17 10:20 <DIR> d-------- C:\Documents and Settings\Administrator\temp
2008-10-16 20:23 . 2004-08-13 18:30 45,056 --a------ C:\SDTrestore.exe
2008-10-16 20:23 . 2004-08-13 18:30 34,244 --a------ C:\SDTrestore.cpp
2008-10-16 20:23 . 2004-08-13 18:30 192 --a------ C:\compile.bat
2008-10-15 15:29 . 2008-10-15 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\GameHouse
2008-10-15 15:24 . 2008-10-15 15:24 <DIR> d-------- C:\WINDOWS\Delicious Emilys Tea Garden
2008-10-15 15:24 . 2008-10-15 19:05 <DIR> d-------- C:\Programmi\Delicious Emilys Tea Garden
2008-10-13 14:34 . 2008-10-13 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Gogii
2008-10-13 14:33 . 2008-10-13 14:33 <DIR> d-------- C:\WINDOWS\The Hidden Object Show Season 2
2008-10-13 14:33 . 2008-10-17 19:08 <DIR> d-------- C:\Programmi\The Hidden Object Show Season 2
2008-10-12 15:50 . 2008-10-12 15:50 <DIR> d-------- C:\WINDOWS\Cake Shop
2008-10-12 15:50 . 2008-10-13 14:30 <DIR> d-------- C:\Programmi\Cake Shop
2008-10-12 15:50 . 2008-10-12 15:50 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\EleFun Games
2008-10-09 17:38 . 2008-10-09 17:38 <DIR> d-------- C:\Programmi\PlayFirst
2008-09-24 01:24 . 2008-09-24 01:24 244 --ah----- C:\sqmnoopt05.sqm
2008-09-24 01:24 . 2008-09-24 01:24 244 --ah----- C:\sqmnoopt04.sqm
2008-09-24 01:24 . 2008-09-24 01:24 232 --ah----- C:\sqmdata05.sqm
2008-09-24 01:24 . 2008-09-24 01:24 232 --ah----- C:\sqmdata04.sqm
2008-09-23 22:11 . 2008-09-23 22:11 244 --ah----- C:\sqmnoopt03.sqm
2008-09-23 22:11 . 2008-09-23 22:11 232 --ah----- C:\sqmdata03.sqm
2008-09-23 22:08 . 2008-09-23 22:08 244 --ah----- C:\sqmnoopt02.sqm
2008-09-23 22:08 . 2008-09-23 22:08 232 --ah----- C:\sqmdata02.sqm
2008-09-23 21:14 . 2008-09-23 21:14 244 --ah----- C:\sqmnoopt01.sqm
2008-09-23 21:14 . 2008-09-23 21:14 232 --ah----- C:\sqmdata01.sqm
2008-09-23 21:13 . 2008-09-23 21:13 244 --ah----- C:\sqmnoopt00.sqm
2008-09-23 21:13 . 2008-09-23 21:13 232 --ah----- C:\sqmdata00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-18 18:17 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
2008-10-14 11:33 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\HPAppData
2008-10-13 12:30 --------- d-----w C:\Programmi\Farm Frenzy 2
2008-10-13 10:41 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-10-09 15:39 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\PlayFirst
2008-10-09 15:39 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\PlayFirst
2008-09-24 08:01 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-09-17 11:54 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-09-12 23:46 --------- d-----w C:\Programmi\Gravity
2008-09-09 16:37 --------- d-----w C:\Programmi\Eset
2008-09-04 10:42 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Jasc
2008-09-02 14:00 512,096 ----a-w C:\WINDOWS\system32\drivers\_mon.s00
2008-09-02 14:00 15,424 ----a-w C:\WINDOWS\system32\drivers\_od32drv.s00
2008-09-02 13:53 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-09-02 13:53 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-09-02 13:53 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-09-02 13:05 --------- d-----w C:\Programmi\EsetOnlineScanner
2008-08-29 19:14 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-08-29 19:14 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-08-29 19:14 --------- d-----w C:\Programmi\File comuni\xing shared
2008-08-29 19:14 --------- d-----w C:\Programmi\File comuni\Real
2008-08-29 11:01 --------- d-----w C:\Programmi\Photo Story 3 for Windows
2008-08-28 12:41 --------- d-----w C:\Programmi\Pinnacle
2008-08-27 10:13 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Pinnacle VideoSpin
2008-08-27 09:05 --------- d-----w C:\Programmi\Google
2008-08-27 09:03 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\VideoSpin
2008-08-27 09:02 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Pinnacle
2008-08-27 08:51 --------- d-----w C:\Programmi\File comuni\Ulead Systems
2008-08-27 08:51 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Ulead Systems
2008-08-27 08:41 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Ulead Systems
2008-08-27 07:31 --------- d-----w C:\Programmi\Jasc Software Inc
2008-08-27 07:30 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\InstallShield
2008-08-27 07:29 --------- d-----w C:\Programmi\File comuni\Jasc Software Inc
2008-08-27 07:29 --------- d-----w C:\Programmi\File comuni\InstallShield
2008-08-27 07:28 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Jasc Software Inc
2008-08-25 20:42 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\FarmFrenzy2
2008-08-25 17:31 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Gamelab
2008-08-25 17:00 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Go-Go Gourmet Chef of the Year
.

((((((((((((((((((((((((((((( snapshot@2008-10-16_17.53.24.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-06-07 10:15:03 52,240 ----a-w C:\WINDOWS\system32\cunta.dll
+ 2006-04-08 10:20:46 52,240 ----a-w C:\WINDOWS\system32\cunta.dll
- 2004-06-07 10:15:14 313,871 ----a-w C:\WINDOWS\system32\fdbbcbeeefebc.dll
+ 2006-04-08 10:20:48 313,871 ----a-w C:\WINDOWS\system32\fdbbcbeeefebc.dll
- 2008-08-01 18:08:26 62,422 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-17 14:45:18 62,422 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-01 18:08:26 74,518 ----a-w C:\WINDOWS\system32\perfc010.dat
+ 2008-10-17 14:45:18 74,518 ----a-w C:\WINDOWS\system32\perfc010.dat
- 2008-08-01 18:08:26 400,760 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-17 14:45:18 400,760 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-08-01 18:08:26 447,418 ----a-w C:\WINDOWS\system32\perfh010.dat
+ 2008-10-17 14:45:18 447,418 ----a-w C:\WINDOWS\system32\perfh010.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DAEMON Tools"="C:\Programmi\DAEMON Tools\daemon.exe" [2007-04-04 165784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HP Software Update"="C:\Programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 8466432]
"UnlockerAssistant"="C:\Programmi\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2008-03-28 413696]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2008-08-29 185896]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2008-09-02 949376]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 172032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdbbcbeeefebc]
2006-04-08 12:20 313871 C:\WINDOWS\system32\fdbbcbeeefebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dfaaaefdaf]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 04:14 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-05-15 15:55 1057328 C:\Programmi\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Programmi\File comuni\Ahead\lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-28 18:43 8466432 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-06-28 18:43 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Programmi\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-05-15 15:55 1628208 C:\Programmi\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 19:19 15872 C:\Programmi\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 12:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2008-04-14 04:14 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-28 18:43 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-04-12 11:33 16132608 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"C:\\Programmi\\iTunes\\iTunes.exe"=
"C:\\Programmi\\eMule AdunanzA\\eMule_AdnzA.exe"=

R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 12416]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-07-12 10752]
S2 Wlansvc;@%SystemRoot%\System32\wlansvc.dll,-257;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-20 10:15:15
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7]
"ImagePath"="system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

PROCESSO: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\fdbbcbeeefebc.dll
-> C:\Programmi\Eset\pr_imon.dll

PROCESSO: C:\WINDOWS\system32\lsass.exe
-> C:\Programmi\Eset\pr_imon.dll
.
Ora fine scansione: 2008-10-20 10.19.05
ComboFix-quarantined-files.txt 2008-10-20 08:19:01
ComboFix2.txt 2008-10-17 14:58:54
ComboFix3.txt 2008-10-16 15:54:35

Pre-Run: 72.571.006.976 byte disponibili
Post-Run: 72,628,060,160 byte disponibili

221 --- E O F --- 2008-07-07 23:58:30


I hope you can help me again [cry]
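A defender's reading of the log above can be automated. The following Python is an added example for this thread (not ComboFix, OTMoveIt or forum code): it scans a ComboFix-style log for the three things that stand out in Ran85's post, a Winlogon Notify package outside the default set, a driver service whose name is a bare hex string, and a hex-named DLL loaded inside winlogon.exe or lsass.exe, and also flags Security Center notifications that have been switched off. The sample text is constructed from the posted log, and the "known" Notify list is taken from the GMER scan later in the thread and assumed to be this machine's clean baseline.

```python
"""Triage heuristics for the registry and loaded-DLL sections of a
ComboFix-style log. Added example for this thread; not ComboFix,
OTMoveIt or forum code. The sample is constructed from the posted log."""
import re
from typing import List, Tuple

# Constructed sample: lines modelled on the ComboFix log in the post above.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdbbcbeeefebc]
2006-04-08 12:20 313871 C:\WINDOWS\system32\fdbbcbeeefebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dfaaaefdaf]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\d1ae6bf2a2fdd47d259b1c5be3f614d7]
"ImagePath"="system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys"

PROCESSO: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\fdbbcbeeefebc.dll
-> C:\Programmi\Eset\pr_imon.dll

PROCESSO: C:\WINDOWS\system32\lsass.exe
-> C:\Programmi\Eset\pr_imon.dll
"""

# Winlogon Notify packages that the GMER autostart scan later in this thread
# lists next to the suspect one; assumed here to be the clean baseline.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "dimsntfy", "sccertprop",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}
# A component name made only of hex digits (10 or more) is a heuristic for
# auto-generated malware names; treat hits as leads, not verdicts.
HEX_NAME = re.compile(r"^[0-9a-f]{10,}$", re.IGNORECASE)
KEY_LINE = re.compile(r"^\[(HK[^\]]+)\]$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.IGNORECASE)
PROCESS_LINE = re.compile(r"^PROCESSO?:\s+(.+)$")  # Italian build prints PROCESSO:
LOADED_DLL = re.compile(r"^->\s+(.+)$")
SENSITIVE_PROCS = {"winlogon.exe", "lsass.exe"}


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (finding-kind, item) pairs that deserve a second look."""
    findings: List[Tuple[str, str]] = []
    current_key = ""
    current_proc = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            parts = current_key.split("\\")
            parent = parts[-2].lower() if len(parts) > 1 else ""
            name = parts[-1]
            if parent == "notify" and name.lower() not in KNOWN_NOTIFY:
                findings.append(("winlogon-notify", name))
            elif parent == "services" and HEX_NAME.match(name):
                findings.append(("hex-named-service", name))
            continue
        m = DWORD_LINE.match(line)
        if m and current_key.lower().endswith("security center"):
            # A value of 1 silences the Security Center warning for that
            # component, which fits "antivirus gone, no alert" in the post.
            if m.group(1).endswith("DisableNotify") and int(m.group(2), 16) == 1:
                findings.append(("security-center-notify-off", m.group(1)))
            continue
        m = PROCESS_LINE.match(line)
        if m:
            current_proc = m.group(1).split("\\")[-1].lower()
            continue
        m = LOADED_DLL.match(line)
        if m and current_proc in SENSITIVE_PROCS:
            dll = m.group(1).split("\\")[-1]
            if HEX_NAME.match(dll.rsplit(".", 1)[0]):
                findings.append(("hex-named-dll-in-" + current_proc, dll))
    return findings


if __name__ == "__main__":
    for kind, item in triage(COMBOFIX_SAMPLE):
        print(f"{kind:32} {item}")
```

The DLL flagged inside winlogon.exe is the same one the Notify key points at, which is why a later step in this thread fails to move it while Windows is running.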

Re: Yet another virus....

Post by Amantide » Mon Oct 20, 2008 7:16 pm

Let's try the new version of OtMoveIt3, which lets you do a bit more than the previous ones.

Download OtMoveIt3, run it and make sure the option Unregister Dll's and Ocx's is ticked.
In the white box under Paste Instructions for items to be Moved, paste the following script and click MoveIt!:

Code:
:files
C:\log.udt
C:\WINDOWS\572E7957932142F93932B175667526BC.exe
C:\WINDOWS\system32\e0c29e3d5df1cb4c31d8f18a6360ea11.TMP
C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys
C:\WINDOWS\system32\fdbbcbeeefebc.dll
C:\WINDOWS\system32\dfaaaefdaf.dll

:reg
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdbbcbeeefebc]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dfaaaefdaf]

:services
d1ae6bf2a2fdd47d259b1c5be3f614d7

:commands
[purity]
[emptytemp]


The log of the operation will be saved in the folder C:\_OtMoveIt\MovedFiles as a file named [name_and_date].LOG
Copy its contents and paste them here.

Re: Yet another virus....

Post by Ran85 » Mon Oct 20, 2008 7:24 pm

I did as you said, but nothing new...
Here is the log

========== FILES ==========
C:\log.udt moved successfully.
C:\WINDOWS\572E7957932142F93932B175667526BC.exe moved successfully.
C:\WINDOWS\system32\e0c29e3d5df1cb4c31d8f18a6360ea11.TMP moved successfully.
File/Folder C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys not found.
LoadLibrary failed for C:\WINDOWS\system32\fdbbcbeeefebc.dll
C:\WINDOWS\system32\fdbbcbeeefebc.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\fdbbcbeeefebc.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\dfaaaefdaf.dll not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdbbcbeeefebc\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dfaaaefdaf\\ deleted successfully.
========== SERVICES/DRIVERS ==========
Unable to stop service d1ae6bf2a2fdd47d259b1c5be3f614d7 .
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\~DFCF11.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\~DFCF1E.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\~DFE272.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\~DFE27F.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10202008_202021

Files moved on Reboot...
LoadLibrary failed for C:\WINDOWS\system32\fdbbcbeeefebc.dll
C:\WINDOWS\system32\fdbbcbeeefebc.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\fdbbcbeeefebc.dll scheduled to be moved on reboot.
File C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\~DFCF11.tmp not found!
File C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\~DFCF1E.tmp not found!
File C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\~DFE272.tmp not found!
File C:\DOCUME~1\ADMINI~1\IMPOST~1\Temp\~DFE27F.tmp not found!


Re: Yet another virus....

Post by enea83 » Mon Oct 20, 2008 7:35 pm

Forgive me for butting in, [fischio] but once Amantide and ste95 have helped you solve the problem, I recommend a proper scan with Kaspersky tool + Malwarebytes, both free but extremely effective tools!!! [std] otherwise tomorrow you'll be back to square one. [:D]
and obviously change AV!! as Amantide advised you!!! [^] bye [:)]

Re: Yet another virus....

Post by Amantide » Mon Oct 20, 2008 9:11 pm

enea83 wrote: Forgive me for butting in, [fischio] but once Amantide and ste95 have helped you solve the problem, I recommend a proper scan with .....Malwarebytes, both free but extremely effective tools!!! [std] otherwise tomorrow you'll be back to square one. [:D]
and obviously change AV!! as Amantide advised you!!! [^] bye [:)]

If you noticed, that's my cherry on the cake, to be used at the end [;)]

@ Ran85

Can you run Avenger?

Re: Yet another virus....

Post by Ran85 » Mon Oct 20, 2008 10:10 pm

Unfortunately Avenger doesn't work... neither the old version nor the new one...

Anyway, I do have Malwarebytes and I use it sometimes (also because right now, oddly, it's one of the few things that still works); I also ran a scan a little while ago... it says it found and removed 5 infected files, but the situation hasn't changed one bit [cry]

Re: Yet another virus....

Post by Amantide » Mon Oct 20, 2008 10:23 pm

If Avenger doesn't work, we have to look for alternatives.

Try running the script with OtMoveIt again, but this time from Safe Mode.

Re: Yet another virus....

Post by Ran85 » Mon Oct 20, 2008 10:40 pm

No luck.... here's the log

========== FILES ==========
File/Folder C:\log.udt not found.
File/Folder C:\WINDOWS\572E7957932142F93932B175667526BC.exe not found.
File/Folder C:\WINDOWS\system32\e0c29e3d5df1cb4c31d8f18a6360ea11.TMP not found.
File/Folder C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys not found.
LoadLibrary failed for C:\WINDOWS\system32\fdbbcbeeefebc.dll
C:\WINDOWS\system32\fdbbcbeeefebc.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\fdbbcbeeefebc.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\dfaaaefdaf.dll not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdbbcbeeefebc\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dfaaaefdaf\\ not found.
========== SERVICES/DRIVERS ==========
Service d1ae6bf2a2fdd47d259b1c5be3f614d7 stopped successfully.
Service d1ae6bf2a2fdd47d259b1c5be3f614d7 deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10202008_233019

Files moved on Reboot...
LoadLibrary failed for C:\WINDOWS\system32\fdbbcbeeefebc.dll
C:\WINDOWS\system32\fdbbcbeeefebc.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\fdbbcbeeefebc.dll scheduled to be moved on reboot.
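Comparing the two OTMoveIt3 logs by hand is error-prone, so here is an added Python example (not OTMoveIt's own code, and not from the thread) that parses each log into per-item statuses and reports what the Safe Mode run actually changed and what is still locked. The two logs are constructed from the ones posted above (normal mode first, then Safe Mode).

```python
"""Summarise OTMoveIt3 logs across runs: what was removed, what was already
gone, and what is still locked. Added example for this thread; not OTMoveIt
code. The logs are constructed from the two posted above."""
import re
from typing import Dict, List, Tuple

RUN_NORMAL = r"""
========== FILES ==========
C:\log.udt moved successfully.
C:\WINDOWS\572E7957932142F93932B175667526BC.exe moved successfully.
File/Folder C:\WINDOWS\system32\d1ae6bf2a2fdd47d259b1c5be3f614d7.sys not found.
LoadLibrary failed for C:\WINDOWS\system32\fdbbcbeeefebc.dll
C:\WINDOWS\system32\fdbbcbeeefebc.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\fdbbcbeeefebc.dll scheduled to be moved on reboot.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdbbcbeeefebc\\ deleted successfully.
========== SERVICES/DRIVERS ==========
Unable to stop service d1ae6bf2a2fdd47d259b1c5be3f614d7 .
"""

RUN_SAFEMODE = r"""
========== FILES ==========
File/Folder C:\log.udt not found.
LoadLibrary failed for C:\WINDOWS\system32\fdbbcbeeefebc.dll
C:\WINDOWS\system32\fdbbcbeeefebc.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\fdbbcbeeefebc.dll scheduled to be moved on reboot.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdbbcbeeefebc\\ deleted successfully.
========== SERVICES/DRIVERS ==========
Service d1ae6bf2a2fdd47d259b1c5be3f614d7 stopped successfully.
Service d1ae6bf2a2fdd47d259b1c5be3f614d7 deleted successfully.
"""

# (pattern, status); the first matching rule wins, unmatched lines are ignored.
RULES = [
    (re.compile(r"^(.+?) moved successfully\.$"), "removed"),
    (re.compile(r"^File/Folder (.+?) not found\.$"), "absent"),
    (re.compile(r"^File move failed\. (.+?) scheduled to be moved on reboot\.$"), "locked"),
    (re.compile(r"^LoadLibrary failed for (.+)$"), "loadlibrary-failed"),
    (re.compile(r"^(.+?) NOT unregistered\.$"), "not-unregistered"),
    (re.compile(r"^Registry key (.+?)\\\\ deleted successfully\.$"), "removed"),
    (re.compile(r"^Registry key (.+?)\\\\ not found\.$"), "absent"),
    (re.compile(r"^Service (\S+) deleted successfully\.$"), "removed"),
    (re.compile(r"^Service (\S+) stopped successfully\.$"), "stopped"),
    (re.compile(r"^Unable to stop service (\S+) \.$"), "locked"),
]
UNRESOLVED = ("locked", "loadlibrary-failed", "not-unregistered")


def parse_run(log: str) -> Dict[str, List[str]]:
    """Map each item named in the log to the ordered statuses it received."""
    statuses: Dict[str, List[str]] = {}
    for line in log.splitlines():
        line = line.strip()
        for pattern, status in RULES:
            m = pattern.match(line)
            if m:
                statuses.setdefault(m.group(1), []).append(status)
                break
    return statuses


def final_status(run: Dict[str, List[str]], item: str) -> str:
    """Last status recorded for an item; 'unknown' if the run never names it."""
    return run[item][-1] if item in run else "unknown"


def diff_runs(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> Dict[str, Tuple[str, str]]:
    """Items named in both runs whose final status changed between them."""
    changes = {}
    for item in before:
        if item in after and final_status(before, item) != final_status(after, item):
            changes[item] = (final_status(before, item), final_status(after, item))
    return changes


def still_locked(run: Dict[str, List[str]]) -> List[str]:
    """Items the run could not remove; these are what the helper still has to
    deal with (here the Notify DLL that winlogon.exe keeps loaded)."""
    return sorted(item for item in run if final_status(run, item) in UNRESOLVED)


if __name__ == "__main__":
    normal, safe = parse_run(RUN_NORMAL), parse_run(RUN_SAFEMODE)
    for item, (old, new) in diff_runs(normal, safe).items():
        print(f"{item}: {old} -> {new}")
    print("still locked after Safe Mode run:", still_locked(safe))
```

"LoadLibrary failed" followed by "NOT unregistered" only means the DLL could not be loaded into OTMoveIt for unregistration; the line that matters is the move failure, which repeats even in the post-reboot section because the DLL is loaded again by winlogon.exe before OTMoveIt gets to it.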

Re: Yet another virus....

Post by Amantide » Tue Oct 21, 2008 9:09 pm

Can you start Gmer?
If so, run the scan of the Autostart and Rootkit sections and post the logs here. To run the scan, pick the tab you want, tick all the options on the right and press Scan. When the scan has finished, press the Copy button and paste the result here using the LOG tag.

Re: Yet another virus....

Post by Ran85 » Wed Oct 22, 2008 11:55 am

OK, GMER seems to work.. here are the logs:

GMER 1.0.14.14205 - http://www.gmer.net
Autostart scan 2008-10-22 12:18:47
Windows 5.1.2600 Service Pack 3


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = autocheck autochk * lsdelete /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\SYSTEM\CurrentControlSet\Control\WOW@cmdline = %SystemRoot%\system32\ntvdm.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@ShellExplorer.exe = Explorer.exe
@System =
@UIHostlogonui.exe = logonui.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
crypt32chain@DLLName = crypt32.dll
cryptnet@DLLName = cryptnet.dll
cscdll@DLLName = cscdll.dll
dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll
fdbbcbeeefebc@DLLName = C:\WINDOWS\system32\fdbbcbeeefebc.dll
ScCertProp@DLLName = wlnotify.dll
Schedule@DLLName = wlnotify.dll
sclgntfy@DLLName = sclgntfy.dll
SensLogn@DLLName = WlNotify.dll
termsrv@DLLName = wlnotify.dll
wlballoon@DLLName = wlnotify.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs =

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aawservice@ = C:\Programmi\Lavasoft\Ad-Aware\aawservice.exe
Alerter@ = %SystemRoot%\system32\svchost.exe -k LocalService
Apple Mobile Device@ = "C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
ATKKeyboardService@ = C:\WINDOWS\ATKKBService.exe
AudioSrv@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Bonjour Service@ = C:\Programmi\Bonjour\mDNSResponder.exe
Browser@ = %SystemRoot%\system32\svchost.exe -k netsvcs
BthServ@ = %SystemRoot%\system32\svchost.exe -k bthsvcs
CryptSvc@ = %SystemRoot%\system32\svchost.exe -k netsvcs
DcomLaunch@ = %SystemRoot%\system32\svchost -k DcomLaunch
Dhcp@ = %SystemRoot%\system32\svchost.exe -k netsvcs
dmserver@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Dnscache@ = %SystemRoot%\system32\svchost.exe -k NetworkService
EapHost@ = %SystemRoot%\System32\svchost.exe -k eapsvcs
ERSvc@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Eventlog@ = %SystemRoot%\system32\services.exe
helpsvc@ = %SystemRoot%\System32\svchost.exe -k netsvcs
hpqddsvc@ = %SystemRoot%\system32\svchost.exe -k hpdevmgmt
InCDsrv@ = C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe
lanmanserver@ = %SystemRoot%\system32\svchost.exe -k netsvcs
lanmanworkstation@ = %SystemRoot%\system32\svchost.exe -k netsvcs
LmHosts@ = %SystemRoot%\system32\svchost.exe -k LocalService
MDM@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
Net Driver HPZ12@ = %SystemRoot%\System32\svchost.exe -k HPZ12
NOD32krn@ = "C:\Programmi\Eset\nod32krn.exe"
NVSvc@ = %SystemRoot%\system32\nvsvc32.exe
PlugPlay@ = %SystemRoot%\system32\services.exe
Pml Driver HPZ12@ = %SystemRoot%\System32\svchost.exe -k HPZ12
PolicyAgent@ = %SystemRoot%\system32\lsass.exe
ProtectedStorage@ = %SystemRoot%\system32\lsass.exe
RemoteRegistry@ = %SystemRoot%\system32\svchost.exe -k LocalService
RpcSs@ = %SystemRoot%\system32\svchost -k rpcss
SamSs@ = %SystemRoot%\system32\lsass.exe
Schedule@ = %SystemRoot%\System32\svchost.exe -k netsvcs
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
seclogon@ = %SystemRoot%\System32\svchost.exe -k netsvcs
SENS@ = %SystemRoot%\system32\svchost.exe -k netsvcs
SharedAccess@ = %SystemRoot%\System32\svchost.exe -k netsvcs
ShellHWDetection@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Spooler@ = %SystemRoot%\system32\spoolsv.exe
srservice@ = %SystemRoot%\system32\svchost.exe -k netsvcs
stisvc@ = %SystemRoot%\system32\svchost.exe -k imgsvc
Themes@ = %SystemRoot%\System32\svchost.exe -k netsvcs
TrkWks@ = %SystemRoot%\system32\svchost.exe -k netsvcs
UMWdf@ = C:\WINDOWS\system32\wdfmgr.exe
W32Time@ = %SystemRoot%\System32\svchost.exe -k netsvcs
WebClient@ = %SystemRoot%\system32\svchost.exe -k LocalService
winmgmt@ = %systemroot%\system32\svchost.exe -k netsvcs
Wlansvc@ = %SystemRoot%\system32\svchost.exe -k LocalSystemNetworkRestricted
wscsvc@ = %SystemRoot%\System32\svchost.exe -k netsvcs
WZCSVC@ = %SystemRoot%\System32\svchost.exe -k netsvcs

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@iTunesHelper"C:\Programmi\iTunes\iTunesHelper.exe" = "C:\Programmi\iTunes\iTunesHelper.exe"
@HP Software UpdateC:\Programmi\HP\HP Software Update\HPWuSchd2.exe = C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@UnlockerAssistant"C:\Programmi\Unlocker\UnlockerAssistant.exe" = "C:\Programmi\Unlocker\UnlockerAssistant.exe"
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@nod32kui"C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE = "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
@MSConfigC:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto = C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MsnMsgr"C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background = "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
@DAEMON Tools"C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033 = "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
@PostBootReminder%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@CDBurn%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@WebCheck%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@SysTray%systemroot%\system32\stobject.dll = %systemroot%\system32\stobject.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler >>>
@{438755C2-A8BA-11D1-B96B-00A0C90312E1}%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{8C7461EF-2B13-11d2-BE35-3078302C2030}%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll

HKLM\Software\Classes\Folder\shell\open\command@ = %SystemRoot%\Explorer.exe /idlist,%I,%L

HKLM\Software\Classes\Folder\shell\explore\command@ = %SystemRoot%\Explorer.exe /e,/idlist,%I,%L

HKLM\Software\Classes\ >>>
.exe@ = "%1" %*
.com@ = "%1" %*
.cmd@ = "%1" %*
.bat@ = "%1" %*
.pif@ = "%1" %*
.scr@ = "%1" /S
.hta@ = C:\WINDOWS\system32\mshta.exe "%1" %*

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{AEB6717E-7E19-11d0-97EE-00C04FD91972} = shell32.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{00022613-0000-0000-C000-000000000046} /*Proprietà dei file Multimedia*/mmsys.cpl = mmsys.cpl
@{176d6597-26d3-11d1-b350-080036a75b03} /*Gestore scanner ICM*/icmui.dll = icmui.dll
@{1F2E5C40-9550-11CE-99D2-00AA006E086C} /*Pagina di protezione NTFS*/rshx32.dll = rshx32.dll
@{3EA48300-8CF6-101B-84FB-666CCB9BCD32} /*Pagina di proprietà di Docfile OLE*/docprop.dll = docprop.dll
@{40dd6e20-7c17-11ce-a804-00aa003ca9f6} /*Estensioni shell per la condivisione*/ntshrui.dll = ntshrui.dll
@{41E300E0-78B6-11ce-849B-444553540000} /*PlusPack CPL Extension*/%SystemRoot%\system32\themeui.dll = %SystemRoot%\system32\themeui.dll
@{42071712-76d4-11d1-8b24-00a0c9068ff3} /*Estensione scheda video del Pannello di controllo*/deskadp.dll = deskadp.dll
@{42071713-76d4-11d1-8b24-00a0c9068ff3} /*Estensione monitor del Pannello di controllo*/deskmon.dll = deskmon.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{4E40F770-369C-11d0-8922-00A024AB2DBB} /*Pagina di protezione DS*/dssec.dll = dssec.dll
@{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} /*Pagina compatibilità*/SlayerXP.dll = SlayerXP.dll
@{56117100-C0CD-101B-81E2-00AA004AE837} /*Gestore dati dei ritagli di shell*/shscrap.dll = shscrap.dll
@{59099400-57FF-11CE-BD94-0020AF85B590} /*Estensione copia dischi*/diskcopy.dll = diskcopy.dll
@{59be4990-f85c-11ce-aff7-00aa003ca9f6} /*Estensioni shell per oggetti Rete Microsoft Windows*/ntlanui2.dll = ntlanui2.dll
@{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*Gestore monitor ICM*/%SystemRoot%\System32\icmui.dll = %SystemRoot%\System32\icmui.dll
@{675F097E-4C4D-11D0-B6C1-0800091AA605} /*Gestore stampante ICM*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll
@{764BF0E1-F219-11ce-972D-00AA00A14F56} /*Estensioni shell per la compressione dei file*/(null) =
@{77597368-7b15-11d0-a0c2-080036af3f03} /*Estensione shell per la stampante Web*/printui.dll = printui.dll
@{7988B573-EC89-11cf-9C00-00AA00A14F56} /*Disk Quota UI*/dskquoui.dll = dskquoui.dll
@{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} /*Menu di scelta rapida di crittografia*/(null) =
@{85BBD920-42A0-1069-A2E4-08002B30309D} /*Sincronia file*/syncui.dll = syncui.dll
@{88895560-9AA2-1069-930E-00AA0030EBC8} /*Estensione di icona di HyperTerminal*/C:\WINDOWS\system32\hticons.dll = C:\WINDOWS\system32\hticons.dll
@{BD84B380-8CA2-1069-AB1D-08000948F534} /*Tipi di carattere*/fontext.dll = fontext.dll
@{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*Profilo ICC*/%SystemRoot%\system32\icmui.dll = %SystemRoot%\system32\icmui.dll
@{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} /*Pagina di protezione della stampante*/rshx32.dll = rshx32.dll
@{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} /*Estensioni shell per la condivisione*/ntshrui.dll = ntshrui.dll
@{f92e8c40-3d33-11d2-b1aa-080036a75b03} /*Display TroubleShoot CPL Extension*/deskperf.dll = deskperf.dll
@{7444C717-39BF-11D1-8CD9-00C04FC29D45} /*Estensione Crypto PKO*/C:\WINDOWS\system32\cryptext.dll = C:\WINDOWS\system32\cryptext.dll
@{7444C719-39BF-11D1-8CD9-00C04FC29D45} /*Estensione firma crittografata*/C:\WINDOWS\system32\cryptext.dll = C:\WINDOWS\system32\cryptext.dll
@{7007ACC7-3202-11D1-AAD2-00805FC1270E} /*Connessioni di rete*/C:\WINDOWS\system32\NETSHELL.dll = C:\WINDOWS\system32\NETSHELL.dll
@{992CFFA0-F557-101A-88EC-00DD010CCC48} /*Connessioni di rete*/C:\WINDOWS\system32\NETSHELL.dll = C:\WINDOWS\system32\NETSHELL.dll
@{E211B736-43FD-11D1-9EFB-0000F8757FCD} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{905667aa-acd6-11d2-8080-00805f6596d2} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{3F953603-1008-4f6e-A73A-04AAC7A992F1} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{83bbcbf3-b28a-4919-a5aa-73027445d672} /*Scanner e fotocamere digitali*/wiashext.dll = wiashext.dll
@{F0152790-D56E-4445-850E-4F3117DB740C} /*Remote Sessions CPL Extension*/C:\WINDOWS\system32\remotepg.dll = C:\WINDOWS\system32\remotepg.dll
@{60254CA5-953B-11CF-8C96-00AA00B8708C} /*Estensione shell per Windows Script Host*/C:\WINDOWS\system32\wshext.dll = C:\WINDOWS\system32\wshext.dll
@{2206CDB2-19C1-11D1-89E0-00C04FD7A829} /*Microsoft Data Link*/C:\Programmi\File comuni\System\Ole DB\oledb32.dll = C:\Programmi\File comuni\System\Ole DB\oledb32.dll
@{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Icon Handler*/C:\WINDOWS\system32\mstask.dll = C:\WINDOWS\system32\mstask.dll
@{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} /*Tasks Folder Shell Extension*/C:\WINDOWS\system32\mstask.dll = C:\WINDOWS\system32\mstask.dll
@{D6277990-4C6A-11CF-8D87-00AA0060F5BF} /*Operazioni pianificate*/C:\WINDOWS\system32\mstask.dll = C:\WINDOWS\system32\mstask.dll
@{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} /*Set Program Access and Defaults*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{5F327514-6C5E-4d60-8F16-D07FA08A78ED} /*Auto Update Property Sheet Extension*/C:\WINDOWS\system32\wuaucpl.cpl = C:\WINDOWS\system32\wuaucpl.cpl
@{0DF44EAA-FF21-4412-828E-260A8728E7F1} /*Barra delle applicazioni e menu di avvio*/(null) =
@{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0} /*Cerca*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0} /*Guida in linea e supporto tecnico*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} /*Guida in linea e supporto tecnico*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} /*Esegui...*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0} /*Internet*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0} /*Posta elettronica*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{D20EA4E1-3957-11d2-A40B-0C5020524152} /*Tipi di carattere*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{D20EA4E1-3957-11d2-A40B-0C5020524153} /*Strumenti di amministrazione*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll
@{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} /*Audio Media Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} /*Video Media Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{E4B29F9D-D390-480b-92FD-7DDB47101D71} /*Wav Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{87D62D94-71B3-4b9a-9489-5FE6850DC73E} /*Avi Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{A6FD9E45-6E44-43f9-8644-08598F5A74D9} /*Midi Properties Handler*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{c5a40261-cd64-4ccf-84cb-c394da41d590} /*Video Thumbnail Extractor*/%SystemRoot%\system32\shmedia.dll = %SystemRoot%\system32\shmedia.dll
@{5E6AB780-7743-11CF-A12B-00AA004AE837} /*Barra degli strumenti Microsoft Internet*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{22BF0C20-6DA7-11D0-B373-00A0C9034938} /*Stato del download*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{91EA3F8B-C99B-11d0-9815-00C04FD91972} /*Shell Folder accresciuto*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{6413BA2C-B461-11d1-A18A-080036B11A03} /*Shell Folder 2 accresciuto*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{F61FFEC1-754F-11d0-80CA-00AA005B4383} /*BandProxy*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{7BA4C742-9E81-11CF-99D3-00AA004AE837} /*Microsoft BrowserBand*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*SearchBand*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{169A0691-8DF9-11d1-A1C4-00C04FD75D13} /*Ricerca all'interno*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{07798131-AF23-11d1-9111-00A0C98BA67D} /*Ricerca Web*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{AF4F6510-F982-11d0-8595-00AA004CD6D8} /*Utilità opzioni della struttura del Registro di sistema*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{01E04581-4EEE-11d0-BFE9-00AA005B4383} /*&Indirizzo*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{A08C11D2-A228-11d0-825B-00AA005B4383} /*Address EditBox*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{00BB2763-6A77-11D0-A535-00C04FD7D062} /*Completamento automatico Microsoft*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{7376D660-C583-11d0-A3A5-00C04FD706EC} /*TridentImageExtractor*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{6756A641-DE71-11d0-831B-00AA005B4383} /*Elenco di Completamento automatico MRU*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} /*Elenco di Completamento automatico MRU personalizzato*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{7e653215-fa25-46bd-a339-34a2790f3cb7} /*Accessibile*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{acf35015-526e-4230-9596-becbe19f0ac9} /*Indicatore di avanzamento popup*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{00BB2764-6A77-11D0-A535-00C04FD7D062} /*Elenco di Completamento automatico della Cronologia di Microsoft*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{03C036F1-A186-11D0-824A-00AA005B4383} /*Elenco di Completamento automatico di Shell Folder di Microsoft*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{00BB2765-6A77-11D0-A535-00C04FD7D062} /*Contenitore dell'elenco di Completamento automatico multiplo Microsoft*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{ECD4FC4E-521C-11D0-B792-00A0C90312E1} /*Shell Band Site Menu*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} /*Shell DeskBarApp*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{ECD4FC4C-521C-11D0-B792-00A0C90312E1} /*Shell DeskBar*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{ECD4FC4D-521C-11D0-B792-00A0C90312E1} /*Shell Rebar BandSite*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{DD313E04-FEFF-11d1-8ECD-0000F87A470C} /*Assistenza utente*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} /*Impostazioni cartella globale*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{EFA24E61-B078-11d0-89E4-00C04FC9E26E} /*Favorites Band*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{0A89A860-D7B1-11CE-8350-444553540000} /*Shell Automation Inproc Service*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} /*Microsoft Browser Architecture*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/shdocvw.dll = shdocvw.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Servizio Cronologia Url Microsoft*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*Cronologia*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*File temporanei Internet*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*File temporanei Internet*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Hook per la ricerca di URL Microsoft*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} /*Schermata iniziale applicazioni Internet Explorer 4*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{67EA19A0-CCEF-11d0-8024-00C04FD75D13} /*CDF Extension Copy Hook*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{131A6951-7F78-11D0-A979-00C04FD705A2} /*ISFBand OC*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{9461b922-3c5a-11d2-bf8b-00c04fb93661} /*Search Assistant OC*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*Internet*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{EFA24E64-B078-11d0-89E4-00C04FC9E26E} /*Explorer Band*/%SystemRoot%\system32\shdocvw.dll = %SystemRoot%\system32\shdocvw.dll
@{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/C:\WINDOWS\system32\sendmail.dll = C:\WINDOWS\system32\sendmail.dll
@{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} /*Sendmail service*/C:\WINDOWS\system32\sendmail.dll = C:\WINDOWS\system32\sendmail.dll
@{88C6C381-2E85-11D0-94DE-444553540000} /*Cartella cache ActiveX*/%SystemRoot%\system32\occache.dll = %SystemRoot%\system32\occache.dll
@{E6FB5E20-DE35-11CF-9C87-00AA005127ED} /*WebCheck*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} /*Subscription Mgr*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{F5175861-2688-11d0-9C5E-00AA00A45957} /*Cartella Subscription*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{08165EA0-E946-11CF-9C87-00AA005127ED} /*WebCheckWebCrawler*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} /*WebCheckChannelAgent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} /*TrayAgent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{7D559C10-9FE9-11d0-93F7-00AA0059CE02} /*Code Download Agent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} /*ConnectionAgent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{D8BD2030-6FC9-11D0-864F-00AA006809D9} /*PostAgent*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} /*WebCheck SyncMgr Handler*/%SystemRoot%\system32\webcheck.dll = %SystemRoot%\system32\webcheck.dll
@{352EC2B7-8B9A-11D1-B8AE-006008059382} /*Gestione applicazioni shell*/%SystemRoot%\system32\appwiz.cpl = %SystemRoot%\system32\appwiz.cpl
@{0B124F8F-91F0-11D1-B8B5-006008059382} /*Enumeratore applicazioni installate*/%SystemRoot%\system32\appwiz.cpl = %SystemRoot%\system32\appwiz.cpl
@{CFCCC7A0-A282-11D1-9082-006008059382} /*Darwin App Publisher*/%SystemRoot%\system32\appwiz.cpl = %SystemRoot%\system32\appwiz.cpl
@{e84fda7c-1d6a-45f6-b725-cb260c236066} /*Shell Image Verbs*/%SystemRoot%\system32\shimgvw.dll = %SystemRoot%\system32\shimgvw.dll
@{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} /*Shell Image Data Factory*/%SystemRoot%\system32\shimgvw.dll = %SystemRoot%\system32\shimgvw.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{3F30C968-480A-4C6C-862D-EFC0897BB84B} /*GDI + programma di estrazione file in anteprima*/C:\WINDOWS\system32\shimgvw.dll = C:\WINDOWS\system32\shimgvw.dll
@{9DBD2C50-62AD-11d0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINDOWS\system32\shimgvw.dll = C:\WINDOWS\system32\shimgvw.dll
@{EAB841A0-9550-11cf-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/C:\WINDOWS\system32\shimgvw.dll = C:\WINDOWS\system32\shimgvw.dll
@{eb9b1153-3b57-4e68-959a-a3266bc3d7fe} /*Shell Image Property Handler*/%SystemRoot%\system32\shimgvw.dll = %SystemRoot%\system32\shimgvw.dll
@{CC6EEFFB-43F6-46c5-9619-51D571967F7D} /*Pubblicazione guidata sul Web*/%SystemRoot%\system32\netplwiz.dll = %SystemRoot%\system32\netplwiz.dll
@{add36aa8-751a-4579-a266-d66f5202ccbb} /*Ordinazione di stampe tramite Web*/%SystemRoot%\system32\netplwiz.dll = %SystemRoot%\system32\netplwiz.dll
@{6b33163c-76a5-4b6c-bf21-45de9cd503a1} /*Oggetto Pubblicazione guidata sul Web*/%SystemRoot%\system32\netplwiz.dll = %SystemRoot%\system32\netplwiz.dll
@{58f1f272-9240-4f51-b6d4-fd63d1618591} /*Creazione guidata profilo Passport*/%SystemRoot%\system32\netplwiz.dll = %SystemRoot%\system32\netplwiz.dll
@{7A9D77BD-5403-11d2-8785-2E0420524153} /*Account utente*/(null) =
@{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} /*Cartella compressa*/%SystemRoot%\system32\zipfldr.dll = %SystemRoot%\system32\zipfldr.dll
@{BD472F60-27FA-11cf-B8B4-444553540000} /*Compressed (zipped) Folder Right Drag Handler*/%SystemRoot%\system32\zipfldr.dll = %SystemRoot%\system32\zipfldr.dll
@{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} /*Compressed (zipped) Folder SendTo Target*/%SystemRoot%\system32\zipfldr.dll = %SystemRoot%\system32\zipfldr.dll
@{f39a0dc0-9cc8-11d0-a599-00c04fd64433} /*File del canale*/%SystemRoot%\system32\cdfview.dll = %SystemRoot%\system32\cdfview.dll
@{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} /*Collegamento al canale*/%SystemRoot%\system32\cdfview.dll = %SystemRoot%\system32\cdfview.dll
@{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} /*Channel Handler Object*/%SystemRoot%\system32\cdfview.dll = %SystemRoot%\system32\cdfview.dll
@{f3da0dc0-9cc8-11d0-a599-00c04fd64437} /*Channel Menu*/%SystemRoot%\system32\cdfview.dll = %SystemRoot%\system32\cdfview.dll
@{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} /*Channel Properties*/%SystemRoot%\system32\cdfview.dll = %SystemRoot%\system32\cdfview.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{63da6ec0-2e98-11cf-8d82-444553540000} /*FTP Folders Webview*/C:\WINDOWS\system32\msieftp.dll = C:\WINDOWS\system32\msieftp.dll
@{883373C3-BF89-11D1-BE35-080036B11A03} /*Microsoft DocProp Shell Ext*/C:\WINDOWS\system32\docprop2.dll = C:\WINDOWS\system32\docprop2.dll
@{A9CF0EAE-901A-4739-A481-E35B73E47F6D} /*Microsoft DocProp Inplace Edit Box Control*/C:\WINDOWS\system32\docprop2.dll = C:\WINDOWS\system32\docprop2.dll
@{8EE97210-FD1F-4B19-91DA-67914005F020} /*Microsoft DocProp Inplace ML Edit Box Control*/C:\WINDOWS\system32\docprop2.dll = C:\WINDOWS\system32\docprop2.dll
@{0EEA25CC-4362-4A12-850B-86EE61B0D3EB} /*Microsoft DocProp Inplace Droplist Combo Control*/C:\WINDOWS\system32\docprop2.dll = C:\WINDOWS\system32\docprop2.dll
@{6A205B57-2567-4A2C-B881-F787FAB579A3} /*Microsoft DocProp Inplace Calendar Control*/C:\WINDOWS\system32\docprop2.dll = C:\WINDOWS\system32\docprop2.dll
@{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} /*Microsoft DocProp Inplace Time Control*/C:\WINDOWS\system32\docprop2.dll = C:\WINDOWS\system32\docprop2.dll
@{8A23E65E-31C2-11d0-891C-00A024AB2DBB} /*Directory Query UI*/%SystemRoot%\system32\dsquery.dll = %SystemRoot%\system32\dsquery.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/%SystemRoot%\system32\dsquery.dll = %SystemRoot%\system32\dsquery.dll
@{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} /*Directory Object Find*/%SystemRoot%\system32\dsquery.dll = %SystemRoot%\system32\dsquery.dll
@{F020E586-5264-11d1-A532-0000F8757D7E} /*Directory Start/Search Find*/%SystemRoot%\system32\dsquery.dll = %SystemRoot%\system32\dsquery.dll
@{0D45D530-764B-11d0-A1CA-00AA00C16E65} /*Directory Property UI*/%SystemRoot%\system32\dsuiext.dll = %SystemRoot%\system32\dsuiext.dll
@{62AE1F9A-126A-11D0-A14B-0800361B1103} /*Directory Context Menu Verbs*/%SystemRoot%\system32\dsuiext.dll = %SystemRoot%\system32\dsuiext.dll
@{ECF03A33-103D-11d2-854D-006008059367} /*MyDocs Copy Hook*/%SystemRoot%\system32\mydocs.dll = %SystemRoot%\system32\mydocs.dll
@{ECF03A32-103D-11d2-854D-006008059367} /*MyDocs Drop Target*/%SystemRoot%\system32\mydocs.dll = %SystemRoot%\system32\mydocs.dll
@{4a7ded0a-ad25-11d0-98a8-0800361b1103} /*MyDocs Properties*/%SystemRoot%\system32\mydocs.dll = %SystemRoot%\system32\mydocs.dll
@{750fdf0e-2a26-11d1-a3ea-080036587f03} /*Offline Files Menu*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{10CFC467-4392-11d2-8DB4-00C04FA31A66} /*Offline Files Folder Options*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} /*Cartella file non in linea*/%SystemRoot%\System32\cscui.dll = %SystemRoot%\System32\cscui.dll
@{143A62C8-C33B-11D1-84FE-00C04FA34A14} /*Microsoft Agent Character Property Sheet Handler*/C:\WINDOWS\msagent\agentpsh.dll = C:\WINDOWS\msagent\agentpsh.dll
@{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} /*DfsShell*/C:\WINDOWS\system32\dfsshlex.dll = C:\WINDOWS\system32\dfsshlex.dll
@{60fd46de-f830-4894-a628-6fa81bc0190d} /*%DESC_PublishDropTarget%*/%SystemRoot%\system32\photowiz.dll = %SystemRoot%\system32\photowiz.dll
@{7A80E4A8-8005-11D2-BCF8-00C04F72C717} /*MMC Icon Handler*/%SystemRoot%\System32\mmcshext.dll = %SystemRoot%\System32\mmcshext.dll
@{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} /*.CAB file viewer*/cabview.dll = cabview.dll
@{32714800-2E5F-11d0-8B85-00AA0044F941} /*&Contatti...*/C:\Programmi\Outlook Express\wabfind.dll = C:\Programmi\Outlook Express\wabfind.dll
@{8DD448E6-C188-4aed-AF92-44956194EB1F} /*Windows Media Player Play as Playlist Context Menu Handler*/C:\WINDOWS\system32\wmpshell.dll = C:\WINDOWS\system32\wmpshell.dll
@{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} /*Windows Media Player Burn Audio CD Context Menu Handler*/C:\WINDOWS\system32\wmpshell.dll = C:\WINDOWS\system32\wmpshell.dll
@{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} /*Windows Media Player Add to Playlist Context Menu Handler*/C:\WINDOWS\system32\wmpshell.dll = C:\WINDOWS\system32\wmpshell.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{21569614-B795-46b1-85F4-E737A8DC09AD} /*Shell Search Band*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{CAE3251E-9B15-4810-B268-852AD9792A59} /*InCDShellExt extension*/C:\Programmi\Nero\Nero 7\InCD\InCDshx.dll = C:\Programmi\Nero\Nero 7\InCD\InCDshx.dll
@{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} /*NeroCoverEd Live Icons*/C:\Programmi\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll = C:\Programmi\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll
@{B3D9AEDE-B2C3-406d-A254-6BE07767B08B} /*InCDUdfPerm extension*/C:\Programmi\Nero\Nero 7\InCD\InCDUP.dll = C:\Programmi\Nero\Nero 7\InCD\InCDUP.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\Windows Live\Messenger\fsshext.8.5.1302.1018.dll = C:\Programmi\Windows Live\Messenger\fsshext.8.5.1302.1018.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Programmi\iTunes\iTunesMiniPlayer.dll = C:\Programmi\iTunes\iTunesMiniPlayer.dll
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/C:\Programmi\Unlocker\UnlockerCOM.dll = C:\Programmi\Unlocker\UnlockerCOM.dll
@{79BC0345-1015-11D2-A299-006008312725} /*blue.shell*/C:\Programmi\Pinnacle\VideoSpin\Programs\BlueShellExt.dll /*file not found*/ = C:\Programmi\Pinnacle\VideoSpin\Programs\BlueShellExt.dll /*file not found*/
@{640167b4-59b0-47a6-b335-a6b3c0695aea} /*Portable Media Devices*/%SystemRoot%\system32\Audiodev.dll = %SystemRoot%\system32\Audiodev.dll
@{cc86590a-b60a-48e6-996b-41d25ed39a1e} /*Portable Media Devices Menu*/%SystemRoot%\system32\Audiodev.dll = %SystemRoot%\system32\Audiodev.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{B089FE88-FB52-11D3-BDF1-0050DA34150D} /*NOD32 Context Menu Shell Extension*/C:\Programmi\Eset\nodshex.dll = C:\Programmi\Eset\nodshex.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Cover Designer@{73FCA462-9BD5-4065-A73F-A8E5F6904EF7} = C:\Programmi\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll
InCDShellExt@{CAE3251E-9B15-4810-B268-852AD9792A59} = C:\Programmi\Nero\Nero 7\InCD\InCDshx.dll
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11D3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
Offline Files@{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
Open With@{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
Open With EncryptionMenu@{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers >>>
@{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
EncryptionMenu@{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
InCDShellExt@{CAE3251E-9B15-4810-B268-852AD9792A59} = C:\Programmi\Nero\Nero 7\InCD\InCDshx.dll
Offline Files@{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
Sharing@{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
InCDShellExt@{CAE3251E-9B15-4810-B268-852AD9792A59} = C:\Programmi\Nero\Nero 7\InCD\InCDshx.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Programmi\Malwarebytes' Anti-Malware\mbamext.dll
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11D3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Programmi\Unlocker\UnlockerCOM.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{0347C33E-8762-4905-BF09-768834316C61}C:\Programmi\HP\Smart Web Printing\hpswp_printenhancer.dll = C:\Programmi\HP\Smart Web Printing\hpswp_printenhancer.dll
@{053F9267-DC04-4294-A72C-58F732D338C0}C:\Programmi\HP\Smart Web Printing\hpswp_framework.dll = C:\Programmi\HP\Smart Web Printing\hpswp_framework.dll
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{3049C3E9-B461-4BC5-8870-4C09146192CA}C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll = C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.6.0_06\bin\ssv.dll = C:\Programmi\Java\jre1.6.0_06\bin\ssv.dll
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\ >>>
application/octet-stream@CLSID = mscoree.dll
application/x-complus@CLSID = mscoree.dll
application/x-msdownload@CLSID = mscoree.dll
Class Install Handler@CLSID = C:\WINDOWS\system32\urlmon.dll
deflate@CLSID = C:\WINDOWS\system32\urlmon.dll
gzip@CLSID = C:\WINDOWS\system32\urlmon.dll
lzdhtml@CLSID = C:\WINDOWS\system32\urlmon.dll
text/webviewhtml@CLSID = %SystemRoot%\system32\SHELL32.dll
text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
about@CLSID = %SystemRoot%\system32\mshtml.dll
cdl@CLSID = C:\WINDOWS\system32\urlmon.dll
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
file@CLSID = C:\WINDOWS\system32\urlmon.dll
ftp@CLSID = C:\WINDOWS\system32\urlmon.dll
gopher@CLSID = C:\WINDOWS\system32\urlmon.dll
http@CLSID = C:\WINDOWS\system32\urlmon.dll
https@CLSID = C:\WINDOWS\system32\urlmon.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
javascript@CLSID = %SystemRoot%\system32\mshtml.dll
livecall@CLSID = C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
local@CLSID = C:\WINDOWS\system32\urlmon.dll
mailto@CLSID = %SystemRoot%\system32\mshtml.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
mk@CLSID = C:\WINDOWS\system32\urlmon.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
res@CLSID = %SystemRoot%\system32\mshtml.dll
sysimage@CLSID = %SystemRoot%\system32\mshtml.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
vbscript@CLSID = %SystemRoot%\system32\mshtml.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
000000000001@LibraryPath = %SystemRoot%\System32\mswsock.dll
000000000002@LibraryPath = %SystemRoot%\System32\winrnr.dll
000000000003@LibraryPath = %SystemRoot%\System32\mswsock.dll
000000000004@LibraryPath = C:\Programmi\Bonjour\mdnsNSP.dll
000000000005@LibraryPath = %SystemRoot%\system32\wshbth.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = C:\WINDOWS\system32\imon.dll
000000000002@PackedCatalogItem = C:\WINDOWS\system32\imon.dll
000000000003@PackedCatalogItem = C:\WINDOWS\system32\imon.dll
000000000004@PackedCatalogItem = C:\WINDOWS\system32\imon.dll
000000000005@PackedCatalogItem = C:\WINDOWS\system32\imon.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\rsvpsp.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\rsvpsp.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000016@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000017@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000018@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000019@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000020@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000021@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022@PackedCatalogItem = C:\WINDOWS\system32\imon.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = HP Digital Imaging Monitor.lnk

---- EOF - GMER 1.0.14 ----
Ran85
Aficionado
Posts: 61
Joined: Wed Jun 25, 2008 5:53 pm

Re: Yet another virus....

Post by Ran85 » Wed Oct 22, 2008 11:57 am

And this is the other one...

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-10-22 12:50:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xBA6C00D0]
SSDT sptd.sys ZwEnumerateKey [0xBA6C5E2C]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C61BA]
SSDT sptd.sys ZwOpenKey [0xBA6C00B0]
SSDT sptd.sys ZwQueryKey [0xBA6C6292]
SSDT sptd.sys ZwQueryValueKey [0xBA6C6112]
SSDT sptd.sys ZwSetValueKey [0xBA6C6324]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys Impossibile accedere al file. Il file è utilizzato da un altro processo.
.text USBPORT.SYS!DllUnload B97858AC 5 Bytes JMP 8A47C1C8
? System32\Drivers\aajxe1az.SYS Impossibile trovare il percorso specificato. !

---- User code sections - GMER 1.0.14 ----

.text C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe[188] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 0056DBBD C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[1904] SHELL32.dll!SHFileOperationW 7CA8083C 5 Bytes JMP 10001102 C:\Programmi\Unlocker\UnlockerHook.dll

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6C0AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6C0C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6C0B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6C1748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6C161E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6D5ACA] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A61B1E8

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)

Device \Driver\usbohci \Device\USBPDO-0 8A47B1E8
Device \Driver\usbohci \Device\USBPDO-1 8A47B1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A68E1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8A68E1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8A68E1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8A68E1E8
Device \Driver\usbohci \Device\USBPDO-2 8A47B1E8
Device \Driver\usbohci \Device\USBPDO-3 8A47B1E8
Device \Driver\PCI_NTPNP2740 \Device\00000048 sptd.sys
Device \Driver\usbohci \Device\USBPDO-4 8A47B1E8
Device \Driver\usbehci \Device\USBPDO-5 8A443420
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A61D1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89B31528
Device \Driver\NetBT \Device\NetbiosSmb 89B31528
Device \Driver\NetBT \Device\NetBT_Tcpip_{6A107FB3-B4D5-403A-809C-00BB7C711178} 89B31528
Device \Driver\usbohci \Device\USBFDO-0 8A47B1E8
Device \Driver\usbohci \Device\USBFDO-1 8A47B1E8
Device \Driver\usbohci \Device\USBFDO-2 8A47B1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89B2C7A0
Device \Driver\usbohci \Device\USBFDO-3 8A47B1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89B2C7A0
Device \Driver\Ftdisk \Device\FtControl 8A61D1E8
Device \Driver\usbohci \Device\USBFDO-4 8A47B1E8
Device \Driver\usbehci \Device\USBFDO-5 8A443420
Device \Driver\aajxe1az \Device\Scsi\aajxe1az1Port4Path0Target0Lun0 8A41B1E8
Device \Driver\aajxe1az \Device\Scsi\aajxe1az1 8A41B1E8
Device \FileSystem\Cdfs \Cdfs 8A4B51E8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0011b107a2fb
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programmi\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEB 0xCC 0x80 0x44 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x94 0xB1 0x39 0xFE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x84 0x63 0xCC 0x9B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0011b107a2fb
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programmi\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEB 0xCC 0x80 0x44 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x94 0xB1 0x39 0xFE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x84 0x63 0xCC 0x9B ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
@DisplayName ??
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
@DeviceDesc ??
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
@ProviderName ???????
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
@MFG ?????
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
@ReinstallString .10.1000.7
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
@DeviceInstanceIds d:\drivers\chipset\driver\x86_x64\sbdrv\smbus\smbusati.inf
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x05 0x73 0x21 0xDD ...

---- EOF - GMER 1.0.14 ----


I had to put them in two separate posts because it told me I had gone over 60,000 characters.
Ran85
Aficionado
Posts: 61
Joined: Wed Jun 25, 2008 5:53 pm

Re: Yet another virus....

Post by Amantide » Wed Oct 22, 2008 12:39 pm

Let's try to get rid of these trojans with the help of Gmer, then.

Did any red entries happen to show up in the Gmer logs?

Reopen it and look in the Processes, Rootkit and Services tabs for references to these files:

C:\WINDOWS\system32\fdbbcbeeefebc.dll
C:\WINDOWS\System32\Drivers\aajxe1az.SYS

Select them one at a time and try to remove them through the right-click menu, using the Kill or Delete entries.

If you manage to do it, reboot the PC and post me the new Gmer logs.
...to fly high, you have to know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Re: Yet another virus....

Post by Ran85 » Wed Oct 22, 2008 1:14 pm

It won't let me remove them; it says the specified path cannot be found...
What if I try removing them with ComboFix?
Ran85
Aficionado
Posts: 61
Joined: Wed Jun 25, 2008 5:53 pm

Re: Yet another virus....

Post by Amantide » Wed Oct 22, 2008 2:02 pm

Ran85 wrote: It won't let me remove them; it says the specified path cannot be found...

Try again, but from Safe Mode.
Ran85 wrote: What if I try removing them with ComboFix?

We can try that too. [:)]

Copy these lines into Notepad and save the file with the name CFScript.txt

Code:
File:
C:\WINDOWS\system32\fdbbcbeeefebc.dll
C:\WINDOWS\System32\Drivers\aajxe1az.SYS

Registry:
[-HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fdbbcbeeefebc]


Drag the CFScript.txt file onto the Combofix.exe icon and wait for the scan to finish. Post me the log it creates.
...to fly high, you have to know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Re: Yet another virus....

Post by Ran85 » Wed Oct 22, 2008 2:34 pm

Same problem in Safe Mode too...
Anyway, here is the ComboFix log:

ComboFix 08-10-21.04 - Administrator 2008-10-22 15:22:11.12 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.1605 [GMT 2:00]
Eseguito da: C:\Documents and Settings\Administrator\Desktop\roba virus\ComboFix.exe
Interruttori di comando utilizzati :: C:\Documents and Settings\Administrator\Desktop\roba virus\CFScript.txt
* Creato nuovo punto di ripristino
* Resident AV is active


ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((( Files Creati Da 2008-09-22 al 2008-10-22 )))))))))))))))))))))))))))))))))))
.

2008-10-20 20:44 . 2008-10-16 20:25 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-17 19:08 . 2008-10-17 19:37 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-10-17 16:28 . 2008-10-17 16:43 <DIR> d-------- C:\Programmi\FindyKill
2008-10-17 15:04 . 2008-10-17 15:04 8,704 --ahsc--- C:\WINDOWS\system32\dllcache\Thumbs.db
2008-10-17 10:21 . 2008-10-17 10:21 <DIR> d-------- C:\Programmi\TeamViewer3
2008-10-17 10:21 . 2008-10-17 10:21 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\TeamViewer
2008-10-17 10:20 . 2008-10-17 10:20 <DIR> d-------- C:\Documents and Settings\Administrator\temp
2008-10-16 20:23 . 2004-08-13 18:30 45,056 --a------ C:\SDTrestore.exe
2008-10-16 20:23 . 2004-08-13 18:30 34,244 --a------ C:\SDTrestore.cpp
2008-10-16 20:23 . 2004-08-13 18:30 192 --a------ C:\compile.bat
2008-10-15 15:29 . 2008-10-15 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\GameHouse
2008-10-15 15:24 . 2008-10-15 15:24 <DIR> d-------- C:\WINDOWS\Delicious Emilys Tea Garden
2008-10-15 15:24 . 2008-10-15 19:05 <DIR> d-------- C:\Programmi\Delicious Emilys Tea Garden
2008-10-13 14:34 . 2008-10-13 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Gogii
2008-10-13 14:33 . 2008-10-13 14:33 <DIR> d-------- C:\WINDOWS\The Hidden Object Show Season 2
2008-10-13 14:33 . 2008-10-17 19:08 <DIR> d-------- C:\Programmi\The Hidden Object Show Season 2
2008-10-12 15:50 . 2008-10-12 15:50 <DIR> d-------- C:\WINDOWS\Cake Shop
2008-10-12 15:50 . 2008-10-13 14:30 <DIR> d-------- C:\Programmi\Cake Shop
2008-10-12 15:50 . 2008-10-12 15:50 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\EleFun Games
2008-10-09 17:38 . 2008-10-09 17:38 <DIR> d-------- C:\Programmi\PlayFirst
2008-09-24 01:24 . 2008-09-24 01:24 244 --ah----- C:\sqmnoopt05.sqm
2008-09-24 01:24 . 2008-09-24 01:24 244 --ah----- C:\sqmnoopt04.sqm
2008-09-24 01:24 . 2008-09-24 01:24 232 --ah----- C:\sqmdata05.sqm
2008-09-24 01:24 . 2008-09-24 01:24 232 --ah----- C:\sqmdata04.sqm
2008-09-23 22:11 . 2008-09-23 22:11 244 --ah----- C:\sqmnoopt03.sqm
2008-09-23 22:11 . 2008-09-23 22:11 232 --ah----- C:\sqmdata03.sqm
2008-09-23 22:08 . 2008-09-23 22:08 244 --ah----- C:\sqmnoopt02.sqm
2008-09-23 22:08 . 2008-09-23 22:08 232 --ah----- C:\sqmdata02.sqm
2008-09-23 21:14 . 2008-09-23 21:14 244 --ah----- C:\sqmnoopt01.sqm
2008-09-23 21:14 . 2008-09-23 21:14 232 --ah----- C:\sqmdata01.sqm
2008-09-23 21:13 . 2008-09-23 21:13 244 --ah----- C:\sqmnoopt00.sqm
2008-09-23 21:13 . 2008-09-23 21:13 232 --ah----- C:\sqmdata00.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-21 21:59 196,608 ----a-w C:\WINDOWS\system32\drivers\nStandard.bin
2008-10-20 18:44 --------- d-----w C:\Programmi\Malwarebytes' Anti-Malware
2008-10-20 17:18 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-10-20 17:17 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-10-16 18:25 15,504 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-10-14 11:33 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\HPAppData
2008-10-13 12:30 --------- d-----w C:\Programmi\Farm Frenzy 2
2008-10-09 15:39 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\PlayFirst
2008-10-09 15:39 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\PlayFirst
2008-09-24 08:01 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-09-17 11:54 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-09-12 23:46 --------- d-----w C:\Programmi\Gravity
2008-09-09 16:37 --------- d-----w C:\Programmi\Eset
2008-09-04 10:42 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Jasc
2008-09-02 14:00 512,096 ----a-w C:\WINDOWS\system32\drivers\_mon.s00
2008-09-02 14:00 15,424 ----a-w C:\WINDOWS\system32\drivers\_od32drv.s00
2008-09-02 13:53 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-09-02 13:53 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-09-02 13:53 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-09-02 13:05 --------- d-----w C:\Programmi\EsetOnlineScanner
2008-08-29 19:14 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-08-29 19:14 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-08-29 19:14 --------- d-----w C:\Programmi\File comuni\xing shared
2008-08-29 19:14 --------- d-----w C:\Programmi\File comuni\Real
2008-08-29 11:01 --------- d-----w C:\Programmi\Photo Story 3 for Windows
2008-08-28 12:41 --------- d-----w C:\Programmi\Pinnacle
2008-08-27 10:13 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Pinnacle VideoSpin
2008-08-27 09:05 --------- d-----w C:\Programmi\Google
2008-08-27 09:03 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\VideoSpin
2008-08-27 09:02 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Pinnacle
2008-08-27 08:51 --------- d-----w C:\Programmi\File comuni\Ulead Systems
2008-08-27 08:51 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Ulead Systems
2008-08-27 08:41 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Ulead Systems
2008-08-27 07:31 --------- d-----w C:\Programmi\Jasc Software Inc
2008-08-27 07:30 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\InstallShield
2008-08-27 07:29 --------- d-----w C:\Programmi\File comuni\Jasc Software Inc
2008-08-27 07:29 --------- d-----w C:\Programmi\File comuni\InstallShield
2008-08-27 07:28 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Jasc Software Inc
2008-08-25 20:42 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\FarmFrenzy2
2008-08-25 17:31 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Gamelab
2008-08-25 17:00 --------- d-----w C:\Documents and Settings\Administrator\Dati applicazioni\Go-Go Gourmet Chef of the Year
.

((((((((((((((((((((((((((((( snapshot@2008-10-16_17.53.24.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-06-07 10:15:14 313,871 ----a-w C:\WINDOWS\system32\fdbbcbeeefebc.dll
+ 2006-04-08 10:20:48 313,871 ----a-w C:\WINDOWS\system32\fdbbcbeeefebc.dll
- 2008-08-01 18:08:26 62,422 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-17 14:45:18 62,422 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-01 18:08:26 74,518 ----a-w C:\WINDOWS\system32\perfc010.dat
+ 2008-10-17 14:45:18 74,518 ----a-w C:\WINDOWS\system32\perfc010.dat
- 2008-08-01 18:08:26 400,760 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-17 14:45:18 400,760 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2008-08-01 18:08:26 447,418 ----a-w C:\WINDOWS\system32\perfh010.dat
+ 2008-10-17 14:45:18 447,418 ----a-w C:\WINDOWS\system32\perfh010.dat
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"DAEMON Tools"="C:\Programmi\DAEMON Tools\daemon.exe" [2007-04-04 165784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HP Software Update"="C:\Programmi\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 8466432]
"UnlockerAssistant"="C:\Programmi\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2008-03-28 413696]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2008-08-29 185896]
"nod32kui"="C:\Programmi\Eset\nod32kui.exe" [2008-09-02 949376]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 172032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdbbcbeeefebc]
2006-04-08 12:20 313871 C:\WINDOWS\system32\fdbbcbeeefebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Avvio^Programmi^Esecuzione automatica^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 04:14 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-05-15 15:55 1057328 C:\Programmi\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Programmi\File comuni\Ahead\lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-28 18:43 8466432 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-06-28 18:43 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Programmi\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-05-15 15:55 1628208 C:\Programmi\Nero\Nero 7\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 19:19 15872 C:\Programmi\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 12:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2008-04-14 04:14 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-28 18:43 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-04-12 11:33 16132608 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmi\\Bonjour\\mDNSResponder.exe"=
"C:\\Programmi\\iTunes\\iTunes.exe"=
"C:\\Programmi\\eMule AdunanzA\\eMule_AdnzA.exe"=

R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-07-12 12416]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-07-12 10752]
S2 Wlansvc;@%SystemRoot%\System32\wlansvc.dll,-257;C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 15:24:09
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

PROCESSO: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\fdbbcbeeefebc.dll
-> C:\Programmi\Eset\pr_imon.dll

PROCESSO: C:\WINDOWS\system32\lsass.exe
-> C:\Programmi\Eset\pr_imon.dll
.
Ora fine scansione: 2008-10-22 15:29:04
ComboFix-quarantined-files.txt 2008-10-22 13:28:38
ComboFix2.txt 2008-10-20 17:36:06
ComboFix3.txt 2008-10-20 08:19:07
ComboFix4.txt 2008-10-17 14:58:54
ComboFix5.txt 2008-10-20 21:18:56

Pre-Run: 71,790,784,512 byte disponibili
Post-Run: 71,854,452,736 byte disponibili

214 --- E O F --- 2008-07-07 23:58:30
Ran85
Aficionado
Posts: 61
Joined: Wed Jun 25, 2008 5:53 pm

Re: Yet another virus....

Post by Amantide » Wed Oct 22, 2008 9:32 pm

I'm sorry to tell you, but the file C:\WINDOWS\system32\fdbbcbeeefebc.dll is still there [V]

At this point I would advise you to create the MegaLab CD and remove it from the PC with its help.
From the MegaLab CD you can also run the scan with Antivir and other anti-malware tools.
...to fly high, you have to know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo
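As an added example, not part of the thread and not code from ComboFix or GMER, here is a small Python triage script for the pattern Amantide spotted in the log above: a DLL registered as a Winlogon Notify package, loaded into winlogon.exe (which is why Kill/Delete fails on a running system), and whose timestamp was rewritten between the two ComboFix snapshots while its size stayed the same. The log excerpt is constructed from lines of the posted log; the section layouts and line formats are assumed to match ComboFix's output as shown.

```python
import re
from collections import defaultdict

# Constructed excerpt, assembled from lines of the ComboFix log posted above so the
# script runs offline; section layouts are assumed to match that output.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((( snapshot@2008-10-16_17.53.24.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-06-07 10:15:14 313,871 ----a-w C:\WINDOWS\system32\fdbbcbeeefebc.dll
+ 2006-04-08 10:20:48 313,871 ----a-w C:\WINDOWS\system32\fdbbcbeeefebc.dll
- 2008-08-01 18:08:26 62,422 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-17 14:45:18 62,422 ----a-w C:\WINDOWS\system32\perfc009.dat
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fdbbcbeeefebc]
2006-04-08 12:20 313871 C:\WINDOWS\system32\fdbbcbeeefebc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

PROCESSO: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\fdbbcbeeefebc.dll
-> C:\Programmi\Eset\pr_imon.dll

PROCESSO: C:\WINDOWS\system32\lsass.exe
-> C:\Programmi\Eset\pr_imon.dll
"""

# Key header ComboFix prints for each Winlogon Notify package (case-insensitive).
NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\([^\]]+)\]$", re.IGNORECASE)
WIN_PATH = re.compile(r"([A-Za-z]:\\.+?)\s*$")
PROC_HDR = re.compile(r"^PROCESSO:\s+(.+?)\s*$")
MODULE = re.compile(r"^->\s+(.+?)\s*$")
# "- old" / "+ new" lines of the snapshot diff: sign, mtime, size, attributes, path.
SNAPSHOT = re.compile(
    r"^([-+])\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+([\d,]+)\s+\S+\s+(.+?)\s*$")


def parse_notify_packages(log):
    """Map Winlogon\\Notify package name -> DLL path from the REGEDIT4 section."""
    packages = {}
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = NOTIFY_KEY.match(line.strip())
        if not m:
            continue
        # ComboFix prints the DLL (with date and size) on the line after the key.
        for nxt in lines[i + 1:]:
            nxt = nxt.strip()
            if not nxt:
                break
            p = WIN_PATH.search(nxt)
            if p:
                packages[m.group(1)] = p.group(1)
                break
    return packages


def parse_loaded_dlls(log):
    """Map process image path -> DLLs listed under it in the 'DLLs loaded' section."""
    loaded = defaultdict(list)
    current = None
    for line in log.splitlines():
        line = line.strip()
        m = PROC_HDR.match(line)
        if m:
            current = m.group(1)
            continue
        m = MODULE.match(line)
        if m and current:
            loaded[current].append(m.group(1))
    return dict(loaded)


def parse_snapshot_changes(log):
    """Pair the '-' (previous) and '+' (current) snapshot lines for the same path."""
    old, new = {}, {}
    for line in log.splitlines():
        m = SNAPSHOT.match(line.strip())
        if not m:
            continue
        sign, mtime, size, path = m.groups()
        (old if sign == "-" else new)[path.lower()] = (mtime, int(size.replace(",", "")), path)
    changes = []
    for key, (old_mtime, old_size, path) in old.items():
        if key in new:
            new_mtime, new_size, _ = new[key]
            changes.append({"path": path, "old_mtime": old_mtime, "new_mtime": new_mtime,
                            "old_size": old_size, "new_size": new_size})
    return changes


def triage(log):
    """Cross-reference the three sections and return the findings as a dict."""
    notify = parse_notify_packages(log)
    loaded = parse_loaded_dlls(log)
    winlogon_mods = {d.lower() for proc, dlls in loaded.items()
                     if proc.lower().endswith("\\winlogon.exe") for d in dlls}
    # A Notify package is loaded into winlogon.exe at logon, so the file is held open
    # for the whole session: that is why Kill/Delete fails on the running system.
    live_notify = sorted(d for d in notify.values() if d.lower() in winlogon_mods)
    suspect = {d.lower() for d in notify.values()}
    # perf*.dat files also change mtime with identical size on normal rebuilds, so the
    # timestamp rewrite is only reported for files already suspect on another ground.
    timestomped = [c for c in parse_snapshot_changes(log)
                   if c["path"].lower() in suspect
                   and c["old_mtime"] != c["new_mtime"]
                   and c["old_size"] == c["new_size"]]
    return {"notify_packages": notify,
            "notify_dlls_loaded_in_winlogon": live_notify,
            "timestomped": timestomped}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```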

Re: Yet another virus....

Post by Ran85 » Thu Oct 23, 2008 9:03 pm

I can't make the MegaLab CD because I don't have the Windows CD...

Oh well, never mind; one of these days I'll take the PC to some technician and have him do a full format >.<

Thanks anyway for the help!!!! [applauso+] [applauso+]
Ran85
Aficionado
Posts: 61
Joined: Wed Jun 25, 2008 5:53 pm

Re: Yet another virus....

Post by Amantide » Thu Oct 23, 2008 10:21 pm

Since you can't create the MegaLab CD, you can try with a Linux Live CD.

Before giving up completely, also try running a scan with some of these anti-rootkit tools.
...to fly high, you have to know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Re: Yet another virus....

Post by Ran85 » Fri Oct 24, 2008 5:25 pm

So... I managed to run an online scan using Panda ActiveScan (practically the only one I managed to get working... all the others closed Explorer as soon as I clicked on the link)...
It found these:
-Downloader.MDW
-Generic Malware
-Booto.C
-Xor-encoded.A

This is the log it produced:

MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00048327 adware/startpage.na Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
00110244 adware/mydailyhoroscope Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[2].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@overture[2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[3].txt
00286732 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[4].txt
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP44\A0014476.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP40\A0010440.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP38\A0008353.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP38\A0008359.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP40\A0010444.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP8\A0001354.sys
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Programmi\Eset\infected\1ZWUIZDA.NQF
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP35\A0005333.exe[327882R2FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP44\A0013509.exe[32788R22FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP44\A0013510.exe[32788R22FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP39\A0009385.exe[32788R22FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP44\A0014508.exe[32788R22FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP47\A0015611.exe[32788R22FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP47\A0016521.exe[32788R22FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP57\A0026979.exe[32788R22FWJFW\catchme.cfexe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP37\A0006304.exe[327882R2FWJFW\catchme.cfexe]
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP55\A0021877.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\boh\psexec.cfexe
No C:\Documents and Settings\Administrator\Desktop\roba virus\boh.exe[32788R22FWJFW\psexec.cfexe]
No C:\Documents and Settings\Administrator\Desktop\roba virus\ComboFix.exe[32788R22FWJFW\psexec.cfexe]
No C:\games\Parking Dash\Parking_Dash.exe
No C:\SDTrestore.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================


I don't know if it can be useful... by now I'm about to lose hope

Re: Yet another virus....

Post by Amantide » Fri Oct 24, 2008 5:44 pm

Panda found only the cookies and the infected restore points, nothing much...

The problem with your PC isn't that we don't know what it is; it's that we know, but we can't remove that infected file with any program. Since despite everything you still haven't lost the will to try, we can try another little program.

Download OtScanIt, click on it and extract the files.
  • Close all programs running in memory.
  • Open the OtScanIt folder and click on the OtScanIt.exe file to start the program.
  • Tick the Scan All Users option
  • Under Basic Scans tick the following items:
      Files Created Within - 60 days
      Files Modified Within - 60 days
      Rootkit Search - Yes
  • Under Additional Scans tick:
      Reg - BotCheck
      Reg - ControlSets
      Reg - MountPoints2
      File - Additional Folder Scans
      File - Purity Scan
  • Now click Run Scan and wait for the scan to finish.
  • When the scan is finished, a Notepad file with the scan report will open; upload the OtScanIt.txt file to http://www.mediafire.com/ and post the download link here.
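A small triage script, added here as an example (it was not posted in the thread and is not Panda's own code): it parses the MALWARE rows of the ActiveScan report quoted above and buckets each finding by where it lives, which is how one arrives at "only cookies and restore points". The column layout is an assumption read off the quoted report, and the sample rows are copied from it.

```python
import re
from collections import Counter

# Constructed sample: seven rows copied from the Panda ActiveScan report quoted above.
SAMPLE = r"""
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
00048327 adware/startpage.na Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP44\A0014476.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP38\A0008359.sys
03009106 W32/Xor-encoded.A Virus No 0 Yes No C:\Programmi\Eset\infected\1ZWUIZDA.NQF
03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP35\A0005333.exe[327882R2FWJFW\catchme.cfexe]
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{003C1E0C-5ADD-4280-B568-4F79AFEB6DC7}\RP55\A0021877.sys
;=====
"""

# One MALWARE row. Assumption read off the quoted report: Description and Location may contain
# spaces, every other column is one token, so the regex anchors on the fixed Yes/No and numeric
# columns and lets Description expand only as far as it must.
ROW = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<location>.+)$"
)

def parse_rows(text):
    """One dict per MALWARE row; the header and ';===' separator lines do not match."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def classify(row):
    """Bucket a finding by where it lives; that, not its name, decides its urgency."""
    loc = row["location"].lower()
    if row["type"] == "TrackingCookie":
        return "tracking-cookie"
    if "\\system volume information\\_restore" in loc:
        return "restore-point"   # inert unless System Restore replays it
    if "\\infected\\" in loc:
        return "av-quarantine"   # already neutralised by the resident AV
    if loc.startswith("hkey_"):
        return "registry"
    return "live-file"           # the only bucket that signals an active infection

def triage(text):
    """Totals per bucket plus every location Panda flagged Active=Yes."""
    rows = parse_rows(text)
    return {"total": len(rows),
            "by_bucket": dict(Counter(classify(r) for r in rows)),
            "active": [r["location"] for r in rows if r["active"] == "Yes"]}
```

On the quoted report every row lands in the cookie, registry, restore-point or quarantine bucket and none is Active=Yes, which is why the Panda output does not touch the DLL that ComboFix shows loaded in winlogon.exe.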
