Punto informatico Network

Really strange virus!!


Post by psychopath » Mon Jan 08, 2007 3:34 pm

Hi guys, I'm new around here.
First of all, happy 2007!!!
So...
I'll start right away by saying that my Avast got disabled, and I've read a lot about it in here. Then, more importantly, MSN Live Messenger, which I work with, doesn't work at all any more, so it's pretty serious. Basically, when I click on "sign in" it freezes and I have to kill it from the task manager.

I immediately made a log with HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 14.30.11, on 08/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\FILECO~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\D-Tools\daemon.exe
C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\vsnpstd.exe
C:\Programmi\Unlocker\UnlockerAssistant.exe
C:\Programmi\Security Administrator\newadmin.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Winamp\winampa.exe
C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\checkers5.exe
C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programmi\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programmi\Netropa\Onscreen Display\OSD.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\VEXPLITE\viritsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\programmi\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Options\explorer.exe
C:\Documents and Settings\crazyt\Desktop\_a_i_g_i_a_c_k_t_h_i_s.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programmi\ICQToolbar\tbuB\toolbaru.dll
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Programmi\DAP\DAPBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programmi\ICQToolbar\tbuB\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programmi\ICQToolbar\tbuB\toolbaru.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmi\D-Tools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Programmi\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [00saskda] "C:\Programmi\Security Administrator\newadmin.exe" saskda
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programmi\Winamp\winampa.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [checkers] C:\WINDOWS\checkers5.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programmi\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://djtauros.spaces.msn.com//PhotoUp ... nPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7B678D5-EECC-4C1A-9649-5EEFB3131EDB}: NameServer = 85.37.17.39 85.38.28.71
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FILECO~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DirectX Service (DirectWylb) - Unknown owner - C:\WINDOWS\system32\directx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\programmi\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmi\File comuni\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe

Post by crazy.cat » Mon Jan 08, 2007 3:47 pm

get rid of this file, use Unlocker
O4 - HKCU\..\Run: [checkers] C:\WINDOWS\checkers5.exe
then run a full scan with Avast at PC startup.
there might be other things

Post by Amantide » Mon Jan 08, 2007 3:49 pm

In what sense did Avast get disabled? Did the program's executable disappear, by any chance? Do other security programs work for you?

Post by Amantide » Mon Jan 08, 2007 3:59 pm

I found this image online
[Image]

It looks like it's a variant of the Bagle virus, and given Avast's behaviour I'd say that's exactly it. Here you can see the two similar cases.
Download GMER from here, scan the Autostart and Rootkit sections and post the logs here (click Copy and then paste here).

Post by psychopath » Tue Jan 09, 2007 12:59 am

AUTOSTART

GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-01-09 00:03:35
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = autocheck autochk * /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\SYSTEM\CurrentControlSet\Control\WOW@cmdline = %SystemRoot%\system32\ntvdm.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@ShellExplorer.exe = Explorer.exe
@System =
@UIHostLogonUI.EXE = LogonUI.EXE

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
crypt32chain@DLLName = crypt32.dll
cryptnet@DLLName = cryptnet.dll
cscdll@DLLName = cscdll.dll
MCPClient@DLLName = C:\PROGRA~1\FILECO~1\Stardock\mcpstub.dll
ScCertProp@DLLName = wlnotify.dll
Schedule@DLLName = wlnotify.dll
sclgntfy@DLLName = sclgntfy.dll
SensLogn@DLLName = WlNotify.dll
termsrv@DLLName = wlnotify.dll
WBSrv@DLLName = C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
wlballoon@DLLName = wlnotify.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = wbsys.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AudioSrv /*Audio Windows*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
BITS /*Servizio trasferimento intelligente in background*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Browser /*Browser di computer*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
CryptSvc /*Servizi di crittografia*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
DcomLaunch /*Utilità di avvio processo server DCOM*/@ = %SystemRoot%\system32\svchost -k DcomLaunch
Dhcp /*Client DHCP*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
DirectWylb /*DirectX Service*/@ = C:\WINDOWS\system32\directx.exe
dmserver /*Gestione dischi logici*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Dnscache /*Client DNS*/@ = %SystemRoot%\System32\svchost.exe -k NetworkService
ERSvc /*Servizio di segnalazione errori*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Eventlog /*Registro eventi*/@ = %SystemRoot%\system32\services.exe
helpsvc /*Guida in linea e supporto tecnico*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
lanmanserver /*Server*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
lanmanworkstation /*Workstation*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
LmHosts /*Helper NetBIOS di TCP/IP*/@ = %SystemRoot%\System32\svchost.exe -k LocalService
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
MSSQL$PINNACLESYS /*MSSQL$PINNACLESYS*/@ = "C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS
nhksrv /*Netropa NHK Server*/@ = C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
PinnacleSys.MediaServer /*Pinnacle Systems Media Service*/@ = c:\programmi\pinnacle\shared files\programs\mediaserver\pmshost.exe
PlugPlay /*Plug and Play*/@ = %SystemRoot%\system32\services.exe
PolicyAgent /*Servizi IPSEC*/@ = %SystemRoot%\System32\lsass.exe
ProtectedStorage /*Archiviazione protetta*/@ = %SystemRoot%\system32\lsass.exe
RemoteRegistry /*Registro di sistema remoto*/@ = %SystemRoot%\system32\svchost.exe -k LocalService
RpcSs /*RPC (Remote Procedure Call)*/@ = %SystemRoot%\system32\svchost -k rpcss
SamSs /*Gestione account di protezione (SAM)*/@ = %SystemRoot%\system32\lsass.exe
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
seclogon /*Accesso secondario*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
SENS /*Notifica eventi di sistema*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
ShellHWDetection /*Rilevamento hardware shell*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
srservice /*Servizio Ripristino configurazione di sistema*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
StarWindService /*StarWind iSCSI Service*/@ = C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe /*file not found*/
stisvc /*Acquisizione di immagini di Windows (WIA)*/@ = %SystemRoot%\System32\svchost.exe -k imgsvc
TabletService /*TabletService*/@ = C:\WINDOWS\system32\Tablet.exe
Themes /*Temi*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
TrkWks /*Manutenzione collegamenti distribuiti client*/@ = %SystemRoot%\system32\svchost.exe -k netsvcs
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe
W32Time /*Ora di Windows*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs
WebClient /*WebClient*/@ = %SystemRoot%\System32\svchost.exe -k LocalService
winmgmt /*Strumentazione gestione Windows*/@ = %systemroot%\system32\svchost.exe -k netsvcs
WMDM PMSP Service /*WMDM PMSP Service*/@ = C:\WINDOWS\System32\MsPMSPSv.exe
WZCSVC /*Zero Configuration reti senza fili*/@ = %SystemRoot%\System32\svchost.exe -k netsvcs

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@nwiznwiz.exe /install = nwiz.exe /install
@WINDVDPatchCTHELPER.EXE = CTHELPER.EXE
@UpdRegC:\WINDOWS\UpdReg.EXE = C:\WINDOWS\UpdReg.EXE
@Jet DetectionC:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe = C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
@DAEMON Tools-1033"C:\Programmi\D-Tools\daemon.exe" -lang 1033 -lock = "C:\Programmi\D-Tools\daemon.exe" -lang 1033 -lock
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_01\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_01\bin\jusched.exe
@NeroFilterCheckC:\WINDOWS\System32\NeroCheck.exe = C:\WINDOWS\System32\NeroCheck.exe
@DataLayerC:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE = C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
@snpstdC:\WINDOWS\vsnpstd.exe = C:\WINDOWS\vsnpstd.exe
@PinnacleDriverCheckC:\WINDOWS\system32\PSDrvCheck.exe -CheckReg = C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
@UnlockerAssistantC:\Programmi\Unlocker\UnlockerAssistant.exe = C:\Programmi\Unlocker\UnlockerAssistant.exe
@00saskda"C:\Programmi\Security Administrator\newadmin.exe" saskda = "C:\Programmi\Security Administrator\newadmin.exe" saskda
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe /*file not found*/ = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe /*file not found*/
@WinampAgentC:\Programmi\Winamp\winampa.exe = C:\Programmi\Winamp\winampa.exe
@MULTIMEDIA KEYBOARDC:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe = C:\Programmi\Netropa\Multimedia Keyboard\MMKeybd.exe
@RegistryMechanic /*file not found*/ = /*file not found*/
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" = "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@msnmsgr"C:\Programmi\MSN Messenger\msnmsgr.exe" /background = "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
@ttoolC:\WINDOWS\9129837.exe = C:\WINDOWS\9129837.exe
@checkersC:\WINDOWS\checkers5.exe /*file not found*/ = C:\WINDOWS\checkers5.exe /*file not found*/
@hldrrrC:\WINDOWS\system32\hldrrr.exe /*file not found*/ = C:\WINDOWS\system32\hldrrr.exe /*file not found*/
@drvsyskitC:\Documents and Settings\crazyt\Dati applicazioni\hidires\hidr.exe = C:\Documents and Settings\crazyt\Dati applicazioni\hidires\hidr.exe
@german.exeC:\WINDOWS\system32\wintems.exe /*file not found*/ = C:\WINDOWS\system32\wintems.exe /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
@0aMCPClientC:\PROGRA~1\FILECO~1\stardock\MCPCore.dll = C:\PROGRA~1\FILECO~1\stardock\MCPCore.dll
@PostBootReminder%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@CDBurn%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@WebCheck%SystemRoot%\System32\webcheck.dll = %SystemRoot%\System32\webcheck.dll
@SysTrayC:\WINDOWS\System32\stobject.dll = C:\WINDOWS\System32\stobject.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler >>>
@{438755C2-A8BA-11D1-B96B-00A0C90312E1}%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll
@{8C7461EF-2B13-11d2-BE35-3078302C2030}%SystemRoot%\System32\browseui.dll = %SystemRoot%\System32\browseui.dll

HKLM\Software\Classes\Folder\shell\open\command@ = %SystemRoot%\Explorer.exe /idlist,%I,%L

HKLM\Software\Classes\Folder\shell\explore\command@ = %SystemRoot%\Explorer.exe /e,/idlist,%I,%L

HKLM\Software\Classes\ >>>
.exe@ = "%1" %*
.com@ = "%1" %*
.cmd@ = "%1" %*
.bat@ = "%1" %*
.pif@ = "%1" %*
.scr@ = "%1" /S
.hta@ = C:\WINDOWS\System32\mshta.exe "%1" %*

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{AEB6717E-7E19-11d0-97EE-00C04FD91972}shell32.dll = shell32.dll
@{54D9498B-CF93-414F-8984-8CE7FDE0D391}C:\Programmi\ewido anti-malware\shellhook.dll = C:\Programmi\ewido anti-malware\shellhook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{202863C7-D154-4D54-B9BD-077353FA9A08} /*Fast Audio Converter*/C:\Programmi\LitexMedia\Fast Audio Converter\FastACShellExt.dll = C:\Programmi\LitexMedia\Fast Audio Converter\FastACShellExt.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8} /*jetAudio*/C:\Programmi\JetAudio\JetFlExt.dll = C:\Programmi\JetAudio\JetFlExt.dll
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/C:\Programmi\Unlocker\UnlockerCOM.dll = C:\Programmi\Unlocker\UnlockerCOM.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{5F327514-6C5E-4d60-8F16-D07FA08A78ED} /*Auto Update Property Sheet Extension*/C:\WINDOWS\system32\wuaucpl.cpl = C:\WINDOWS\system32\wuaucpl.cpl
@{21569614-B795-46b1-85F4-E737A8DC09AD} /*Shell Search Band*/%SystemRoot%\system32\browseui.dll = %SystemRoot%\system32\browseui.dll
@{8DD448E6-C188-4aed-AF92-44956194EB1F} /*Windows Media Player Play as Playlist Context Menu Handler*/C:\WINDOWS\system32\wmpshell.dll = C:\WINDOWS\system32\wmpshell.dll
@{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} /*Windows Media Player Burn Audio CD Context Menu Handler*/C:\WINDOWS\system32\wmpshell.dll = C:\WINDOWS\system32\wmpshell.dll
@{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} /*Windows Media Player Add to Playlist Context Menu Handler*/C:\WINDOWS\system32\wmpshell.dll = C:\WINDOWS\system32\wmpshell.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{906b0e6e-61ce-11d3-8ee2-0060080a7242} /*QuickSFV Shell Extension*/C:\Programmi\QuickSFV\QSFVShll.dll = C:\Programmi\QuickSFV\QSFVShll.dll
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/C:\Programmi\ICQLite\ICQLiteShell.dll = C:\Programmi\ICQLite\ICQLiteShell.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll
@{2F5AC606-70CF-461C-BFE1-734234536262} /*WindowBlinds CPL Extension*/C:\Programmi\Stardock\Object Desktop\WindowBlinds\wbui.dll = C:\Programmi\Stardock\Object Desktop\WindowBlinds\wbui.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AEVITAWipeDelete@{047234B3-8B93-4396-8EB5-F4DF8CDA1F10} = C:\PROGRA~1\AEVITA~1\WIPEDE~1.DLL
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
ewido@{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Programmi\ewido anti-malware\context.dll
FastACShellExt@{202863C7-D154-4D54-B9BD-077353FA9A08} = C:\Programmi\LitexMedia\Fast Audio Converter\FastACShellExt.dll
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programmi\ICQLite\ICQLiteShell.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Programmi\MagicISO\misosh.dll
Offline Files@{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
Open With@{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
Open With EncryptionMenu@{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
QuickSFV Shell Extension@{906b0e6e-61ce-11d3-8ee2-0060080a7242} = C:\Programmi\QuickSFV\QSFVShll.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers >>>
@{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}%SystemRoot%\system32\SHELL32.dll = %SystemRoot%\system32\SHELL32.dll
@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AEVITAWipeDelete@{047234B3-8B93-4396-8EB5-F4DF8CDA1F10} = C:\PROGRA~1\AEVITA~1\WIPEDE~1.DLL
EncryptionMenu@{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
ewido@{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Programmi\ewido anti-malware\context.dll
FastACShellExt@{202863C7-D154-4D54-B9BD-077353FA9A08} = C:\Programmi\LitexMedia\Fast Audio Converter\FastACShellExt.dll
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programmi\ICQLite\ICQLiteShell.dll
jetAudio@{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8} = C:\Programmi\JetAudio\JetFlExt.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Programmi\MagicISO\misosh.dll
Offline Files@{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
QuickSFV Shell Extension@{906b0e6e-61ce-11d3-8ee2-0060080a7242} = C:\Programmi\QuickSFV\QSFVShll.dll
Sharing@{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AEVITAWipeDelete@{047234B3-8B93-4396-8EB5-F4DF8CDA1F10} = C:\PROGRA~1\AEVITA~1\WIPEDE~1.DLL
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
jetAudio@{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8} = C:\Programmi\JetAudio\JetFlExt.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = C:\Programmi\MagicISO\misosh.dll
UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = C:\Programmi\Unlocker\UnlockerCOM.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{0000CC75-ACF3-4cac-A0A9-DD3868E06852}C:\Programmi\DAP\DAPBHO.dll = C:\Programmi\DAP\DAPBHO.dll
@{02478D38-C3F9-4EFB-9B51-7695ECA05670}C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll = C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
@{055FD26D-3A88-4e15-963D-DC8493744B1D}C:\Programmi\ICQToolbar\tbuB\toolbaru.dll = C:\Programmi\ICQToolbar\tbuB\toolbaru.dll
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.microsoft.com/isapi/redi ... ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\ >>>
application/octet-stream@CLSID = C:\WINDOWS\System32\mscoree.dll
application/x-complus@CLSID = C:\WINDOWS\System32\mscoree.dll
application/x-msdownload@CLSID = C:\WINDOWS\System32\mscoree.dll
Class Install Handler@CLSID = C:\WINDOWS\system32\urlmon.dll
deflate@CLSID = C:\WINDOWS\system32\urlmon.dll
gzip@CLSID = C:\WINDOWS\system32\urlmon.dll
lzdhtml@CLSID = C:\WINDOWS\system32\urlmon.dll
text/webviewhtml@CLSID = %SystemRoot%\system32\SHELL32.dll
text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
about@CLSID = %SystemRoot%\System32\mshtml.dll
cdl@CLSID = C:\WINDOWS\system32\urlmon.dll
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
file@CLSID = C:\WINDOWS\system32\urlmon.dll
ftp@CLSID = C:\WINDOWS\system32\urlmon.dll
gopher@CLSID = C:\WINDOWS\system32\urlmon.dll
http@CLSID = C:\WINDOWS\system32\urlmon.dll
https@CLSID = C:\WINDOWS\system32\urlmon.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
javascript@CLSID = %SystemRoot%\System32\mshtml.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
local@CLSID = C:\WINDOWS\system32\urlmon.dll
mailto@CLSID = %SystemRoot%\System32\mshtml.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
mk@CLSID = C:\WINDOWS\system32\urlmon.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
res@CLSID = %SystemRoot%\System32\mshtml.dll
sysimage@CLSID = %SystemRoot%\System32\mshtml.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
vbscript@CLSID = %SystemRoot%\System32\mshtml.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
000000000001@LibraryPath = %SystemRoot%\System32\mswsock.dll
000000000002@LibraryPath = %SystemRoot%\System32\winrnr.dll
000000000003@LibraryPath = %SystemRoot%\System32\mswsock.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000004@PackedCatalogItem = %SystemRoot%\system32\rsvpsp.dll
000000000005@PackedCatalogItem = %SystemRoot%\system32\rsvpsp.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000016@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000017@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll
000000000018@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019@PackedCatalogItem = %SystemRoot%\system32\mswsock.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = Adobe Gamma Loader.lnk

---- EOF - GMER 1.0.12 ----


ROOTKIT

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-09 00:06:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT d347bus.sys ZwClose
SSDT \??\C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys ZwCreateFile
SSDT d347bus.sys ZwCreateKey
SSDT d347bus.sys ZwCreatePagingFile
SSDT \??\C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys ZwEnumerateKey
SSDT \??\C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys ZwEnumerateValueKey
SSDT a347bus.sys ZwOpenFile
SSDT d347bus.sys ZwOpenKey
SSDT \??\C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys ZwQueryDirectoryFile
SSDT \??\C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys ZwQueryKey
SSDT \??\C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys ZwQuerySystemInformation
SSDT d347bus.sys ZwQueryValueKey
SSDT d347bus.sys ZwSetSystemPowerState
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + E1 804E273D 3 Bytes [ D5, DF, AA ]
.text ntoskrnl.exe!_abnormal_termination + F0 804E274C 1 Byte [ D0 ]
.text ntoskrnl.exe!_abnormal_termination + F2 804E274E 2 Bytes [ 39, F7 ]
.text USBPORT.SYS!DllUnload F6A7862C 5 Bytes JMP 865D9960

---- User code sections - GMER 1.0.12 ----

.text C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe[708] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C827C2
.text C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe[708] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C8278D
.text C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe[708] wininet.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 00C81912
.text C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe[708] wininet.dll!HttpSendRequestA 77196249 5 Bytes JMP 00C81804
.text C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe[708] wininet.dll!InternetReadFile 771980F4 5 Bytes JMP 00C824D0
.text C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe[708] wininet.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 00C82406
.text C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe[708] wininet.dll!InternetReadFileExW 771C7451 8 Bytes JMP 00C82642
.text C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe[708] wininet.dll!InternetReadFileExA 771C8158 5 Bytes JMP 00C82628
.text C:\Programmi\Netropa\Multimedia Keyboard\nhksrv.exe[708] wininet.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 00C8188B
.text C:\WINDOWS\system32\winlogon.exe[760] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D227C2
.text C:\WINDOWS\system32\winlogon.exe[760] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D2278D
.text C:\WINDOWS\system32\winlogon.exe[760] wininet.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 00D21912
.text C:\WINDOWS\system32\winlogon.exe[760] wininet.dll!HttpSendRequestA 77196249 5 Bytes JMP 00D21804
.text C:\WINDOWS\system32\winlogon.exe[760] wininet.dll!InternetReadFile 771980F4 5 Bytes JMP 00D224D0
.text C:\WINDOWS\system32\winlogon.exe[760] wininet.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 00D22406
.text C:\WINDOWS\system32\winlogon.exe[760] wininet.dll!InternetReadFileExW 771C7451 8 Bytes JMP 00D22642
.text C:\WINDOWS\system32\winlogon.exe[760] wininet.dll!InternetReadFileExA 771C8158 5 Bytes JMP 00D22628
.text C:\WINDOWS\system32\winlogon.exe[760] wininet.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 00D2188B
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000427C2
.text C:\WINDOWS\system32\services.exe[808] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 0004278D
.text C:\WINDOWS\system32\services.exe[808] wininet.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 00041912
.text C:\WINDOWS\system32\services.exe[808] wininet.dll!HttpSendRequestA 77196249 5 Bytes JMP 00041804
.text C:\WINDOWS\system32\services.exe[808] wininet.dll!InternetReadFile 771980F4 5 Bytes JMP 000424D0
.text C:\WINDOWS\system32\services.exe[808] wininet.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 00042406
.text C:\WINDOWS\system32\services.exe[808] wininet.dll!InternetReadFileExW 771C7451 8 Bytes JMP 00042642
.text C:\WINDOWS\system32\services.exe[808] wininet.dll!InternetReadFileExA 771C8158 5 Bytes JMP 00042628
.text C:\WINDOWS\system32\services.exe[808] wininet.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 0004188B
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D327C2
.text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D3278D
.text C:\WINDOWS\system32\lsass.exe[820] wininet.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 00D31912
.text C:\WINDOWS\system32\lsass.exe[820] wininet.dll!HttpSendRequestA 77196249 5 Bytes JMP 00D31804
.text C:\WINDOWS\system32\lsass.exe[820] wininet.dll!InternetReadFile 771980F4 5 Bytes JMP 00D324D0
.text C:\WINDOWS\system32\lsass.exe[820] wininet.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 00D32406
.text C:\WINDOWS\system32\lsass.exe[820] wininet.dll!InternetReadFileExW 771C7451 8 Bytes JMP 00D32642
.text C:\WINDOWS\system32\lsass.exe[820] wininet.dll!InternetReadFileExA 771C8158 5 Bytes JMP 00D32628
.text C:\WINDOWS\system32\lsass.exe[820] wininet.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 00D3188B
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F627C2
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F6278D
.text C:\WINDOWS\system32\svchost.exe[980] wininet.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 00F61912
.text C:\WINDOWS\system32\svchost.exe[980] wininet.dll!HttpSendRequestA 77196249 5 Bytes JMP 00F61804
.text C:\WINDOWS\system32\svchost.exe[980] wininet.dll!InternetReadFile 771980F4 5 Bytes JMP 00F624D0
.text C:\WINDOWS\system32\svchost.exe[980] wininet.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 00F62406
.text C:\WINDOWS\system32\svchost.exe[980] wininet.dll!InternetReadFileExW 771C7451 8 Bytes JMP 00F62642
.text C:\WINDOWS\system32\svchost.exe[980] wininet.dll!InternetReadFileExA 771C8158 5 Bytes JMP 00F62628
.text C:\WINDOWS\system32\svchost.exe[980] wininet.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 00F6188B
.text C:\Programmi\Netropa\Multimedia Keyboard\Traymon.exe[1012] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 014727C2
.text C:\Programmi\Netropa\Multimedia Keyboard\Traymon.exe[1012] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 0147278D
.text C:\Programmi\Netropa\Multimedia Keyboard\Traymon.exe[1012] wininet.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 01471912
.text C:\Programmi\Netropa\Multimedia Keyboard\Traymon.exe[1012] wininet.dll!HttpSendRequestA 77196249 5 Bytes JMP 01471804
.text C:\Programmi\Netropa\Multimedia Keyboard\Traymon.exe[1012] wininet.dll!InternetReadFile 771980F4 5 Bytes JMP 014724D0
.text C:\Programmi\Netropa\Multimedia Keyboard\Traymon.exe[1012] wininet.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 01472406
.text C:\Programmi\Netropa\Multimedia Keyboard\Traymon.exe[1012] wininet.dll!InternetReadFileExW 771C7451 8 Bytes JMP 01472642
.text C:\Programmi\Netropa\Multimedia Keyboard\Traymon.exe[1012] wininet.dll!InternetReadFileExA 771C8158 5 Bytes JMP 01472628
.text C:\Programmi\Netropa\Multimedia Keyboard\Traymon.exe[1012] wininet.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 0147188B
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BC27C2
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BC278D
.text C:\WINDOWS\system32\svchost.exe[1028] wininet.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 00BC1912
.text C:\WINDOWS\system32\svchost.exe[1028] wininet.dll!HttpSendRequestA 77196249 5 Bytes JMP 00BC1804
.text C:\WINDOWS\system32\svchost.exe[1028] wininet.dll!InternetReadFile 771980F4 5 Bytes JMP 00BC24D0
.text C:\WINDOWS\system32\svchost.exe[1028] wininet.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 00BC2406
.text C:\WINDOWS\system32\svchost.exe[1028] wininet.dll!InternetReadFileExW 771C7451 8 Bytes JMP 00BC2642
.text C:\WINDOWS\system32\svchost.exe[1028] wininet.dll!InternetReadFileExA 771C8158 5 Bytes JMP 00BC2628
.text C:\WINDOWS\system32\svchost.exe[1028] wininet.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 00BC188B
.text C:\Programmi\Netropa\Onscreen Display\osd.exe[1068] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BC27C2
.text C:\Programmi\Netropa\Onscreen Display\osd.exe[1068] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BC278D
.text C:\Programmi\Netropa\Onscreen Display\osd.exe[1068] wininet.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 00BC1912
.text C:\Programmi\Netropa\Onscreen Display\osd.exe[1068] wininet.dll!HttpSendRequestA 77196249 5 Bytes JMP 00BC1804
.text C:\Programmi\Netropa\Onscreen Display\osd.exe[1068] wininet.dll!InternetReadFile 771980F4 5 Bytes JMP 00BC24D0
.text C:\Programmi\Netropa\Onscreen Display\osd.exe[1068] wininet.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 00BC2406
.text C:\Programmi\Netropa\Onscreen Display\osd.exe[1068] wininet.dll!InternetReadFileExW 771C7451 8 Bytes JMP 00BC2642
.text C:\Programmi\Netropa\Onscreen Display\osd.exe[1068] wininet.dll!InternetReadFileExA 771C8158 5 Bytes JMP 00BC2628
.text C:\Programmi\Netropa\Onscreen Display\osd.exe[1068] wininet.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 00BC188B
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 021927C2
.text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 0219278D
.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 02191912
.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!HttpSendRequestA 77196249 5 Bytes JMP 02191804
.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetReadFile 771980F4 5 Bytes JMP 021924D0
.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 02192406
.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetReadFileExW 771C7451 8 Bytes JMP 02192642
.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetReadFileExA 771C8158 5 Bytes JMP 02192628
.text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 0219188B
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008C27C2
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008C278D
.text C:\WINDOWS\system32\svchost.exe[1136] wininet.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 008C1912
.text C:\WINDOWS\system32\svchost.exe[1136] wininet.dll!HttpSendRequestA 77196249 5 Bytes JMP 008C1804
.text C:\WINDOWS\system32\svchost.exe[1136] wininet.dll!InternetReadFile 771980F4 5 Bytes JMP 008C24D0
.text C:\WINDOWS\system32\svchost.exe[1136] wininet.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 008C2406
.text C:\WINDOWS\system32\svchost.exe[1136] wininet.dll!InternetReadFileExW 771C7451 8 Bytes JMP 008C2642
.text C:\WINDOWS\system32\svchost.exe[1136] wininet.dll!InternetReadFileExA 771C8158 5 Bytes JMP 008C2628
.text C:\WINDOWS\system32\svchost.exe[1136] wininet.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 008C188B
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B627C2
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B6278D
.text C:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 00B61912
.text C:\WINDOWS\system32\svchost.exe[1256] WININET.dll!HttpSendRequestA 77196249 5 Bytes JMP 00B61804
.text C:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetReadFile 771980F4 5 Bytes JMP 00B624D0
.text C:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 00B62406
.text C:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetReadFileExW 771C7451 8 Bytes JMP 00B62642
.text C:\WINDOWS\system32\svchost.exe[1256] WININET.dll!InternetReadFileExA 771C8158 5 Bytes JMP 00B62628
.text C:\WINDOWS\system32\svchost.exe[1256] WININET.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 00B6188B
.text C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE[1284] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00AF27C2
.text C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE[1284] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00AF278D
.text C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE[1284] wininet.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 00AF1912
.text C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE[1284] wininet.dll!HttpSendRequestA 77196249 5 Bytes JMP 00AF1804
.text C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE[1284] wininet.dll!InternetReadFile 771980F4 5 Bytes JMP 00AF24D0
.text C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE[1284] wininet.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 00AF2406
.text C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE[1284] wininet.dll!InternetReadFileExW 771C7451 8 Bytes JMP 00AF2642
.text C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE[1284] wininet.dll!InternetReadFileExA 771C8158 5 Bytes JMP 00AF2628
.text C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE[1284] wininet.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 00AF188B
.text C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe[1344] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02EF27C2
.text C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe[1344] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02EF278D
.text C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe[1344] wininet.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 02EF1912
.text C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe[1344] wininet.dll!HttpSendRequestA 77196249 5 Bytes JMP 02EF1804
.text C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe[1344] wininet.dll!InternetReadFile 771980F4 5 Bytes JMP 02EF24D0
.text C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe[1344] wininet.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 02EF2406
.text C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe[1344] wininet.dll!InternetReadFileExW 771C7451 8 Bytes JMP 02EF2642
.text C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe[1344] wininet.dll!InternetReadFileExA 771C8158 5 Bytes JMP 02EF2628
.text C:\Programmi\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe[1344] wininet.dll!HttpSendRequestW 771E1D04 5 Bytes JMP 02EF188B
.text C:\PROGRA~1\FILECO~1\stardock\SDMCP.exe[1364] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FE27C2
.text C:\PROGRA~1\FILECO~1\stardock\SDMCP.exe[1364] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FE278D
.text C:\PROGRA~1\FILECO~1\stardock\SDMCP.exe[1364] wininet.dll!InternetCloseHandle 77194D6C 5 Bytes JMP 00FE1912
.text C:\PROGRA~1\FILECO~1\stardock\SDMCP.exe[1364] wininet.dll!HttpSendRequestA 77196249 5 Bytes JMP 00FE1804
.text C:\PROGRA~1\FILECO~1\stardock\SDMCP.exe[1364] wininet.dll!InternetReadFile 771980F4 5 Bytes JMP 00FE24D0
.text C:\PROGRA~1\FILECO~1\stardock\SDMCP.exe[1364] wininet.dll!InternetQueryDataAvailable 771A8A0F 5 Bytes JMP 00FE2406
.text C:\PROGRA~1\FILECO~1\stardock\SDMCP.exe[1364] wininet.dll!InternetReadFileExW 771C7451 8 Bytes JMP 00FE2642
.text C:\PROGRA~1\FILECO~1\stardock\SDMCP.exe[1364] wininet.dll!InternetReadFileExA
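Triage of the SSDT section of a GMER log like the one posted above, as an added example (not part of the thread and not GMER's own code). It reads the "SSDT <module> <Zw-syscall>" lines and flags hooking modules whose image lives outside the Windows system directories, which is how the driver under the user's "Dati applicazioni" folder stands out from the other SSDT hooks (d347bus.sys and sptd.sys, commonly associated with the Daemon Tools install visible in the first HijackThis log). The rule that a bare file name means the driver was loaded from the system driver directory is an assumption made by this example; the sample lines are a constructed subset of the log on the page.

```python
"""Triage the SSDT section of a GMER rootkit log.

Added example; it is not part of the forum thread and not GMER's own code.
It reads the "SSDT <module> <Zw-syscall>" lines GMER prints and flags hooking
modules whose image lives outside the Windows system directories.
"""
import re
from collections import OrderedDict
from typing import Dict, List

# Constructed sample: a subset of the SSDT lines posted in the thread.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.12 ----

SSDT d347bus.sys ZwClose
SSDT \??\C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys ZwCreateFile
SSDT d347bus.sys ZwCreateKey
SSDT \??\C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys ZwEnumerateKey
SSDT \??\C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys ZwQueryDirectoryFile
SSDT \??\C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys ZwQuerySystemInformation
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----
"""

# "SSDT" <module path, may contain spaces> <syscall>; the syscall is the last token.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<syscall>Zw\w+)\s*$")

# Assumption made by this example: GMER prints a bare file name (d347bus.sys)
# for drivers loaded from the system driver directory and a full \??\ path
# only when the image lives somewhere else.
SYSTEM_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_system_location(module: str) -> bool:
    """True when the hooking module lives where a legitimate driver would."""
    path = module.lower()
    if path.startswith("\\??\\"):
        path = path[4:]
    if "\\" not in path:
        return True  # bare driver name: loaded from the system driver directory
    return path.startswith(SYSTEM_PREFIXES)


def parse_ssdt_hooks(log_text: str) -> Dict[str, List[str]]:
    """Map each hooking module to the syscalls it hooks, in log order."""
    hooks: Dict[str, List[str]] = OrderedDict()
    for line in log_text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.setdefault(m.group("module"), []).append(m.group("syscall"))
    return hooks


def flag_suspicious_hooks(log_text: str) -> Dict[str, List[str]]:
    """Keep only the hooking modules that live outside system directories."""
    return {mod: calls for mod, calls in parse_ssdt_hooks(log_text).items()
            if not is_system_location(mod)}


if __name__ == "__main__":
    for module, calls in flag_suspicious_hooks(SAMPLE_GMER_LOG).items():
        print("SUSPICIOUS SSDT hook source:", module)
        for call in calls:
            print("   hooks", call)
```

The location check is a triage heuristic, not a verdict: as this very log shows, legitimate software also hooks the SSDT, so a hook is worth a closer look mainly when the module sits in a user profile or temp directory and hooks the directory, registry and process enumeration calls that hiding relies on (ZwQueryDirectoryFile, ZwEnumerateKey, ZwQuerySystemInformation).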

Post by Amantide » Tue Jan 09, 2007 1:27 pm

Now download The Avenger, extract the archive and run the file Avenger.exe.
Select the Input Script Manually option, click on the magnifying glass and, in the window that opens, copy and paste these lines:

Files to delete:
C:\WINDOWS\HIDE_EVR2.SYS
C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys
C:\WINDOWS\9129837.exe
C:\WINDOWS\checkers5.exe
C:\WINDOWS\system32\hldrrr.exe
C:\Documents and Settings\crazyt\Dati applicazioni\hidires\hidr.exe
C:\WINDOWS\system32\wintems.exe

folders to delete:
C:\Documents and Settings\crazyt\Dati applicazioni\hidires

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hide_evr2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m_hook

registry values to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | ttool
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | checkers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | drvsyskit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | german.exe


Then click the Done button, then twice on the green traffic-light icon, and answer Yes twice.

The PC should reboot by itself; if it does not, reboot it manually.
At the end, attach the Avenger log that appears at reboot in a DOS window, the same one that is also found in C:/avenger.txt

Most likely you will get an error saying that Avenger cannot process the registry values located in HKEY_CURRENT_USER; in that case you will have to delete them manually.
Open the registry (go to Start --> Run --> type regedit --> press OK).
Expand the entries until you reach
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
In the right-hand pane, find these values and delete them (right-click on them --> Delete):
ttool
checkers
hldrrr
drvsyskit
german.exe
Last edited by Amantide on Tue Jan 09, 2007 9:38 pm, edited 1 time in total.

Post by psychopath » Tue Jan 09, 2007 2:53 pm

thanks ;)

anyway there's no need to be so basic with me... but thanks all the same ;)

Post by Amantide » Tue Jan 09, 2007 3:06 pm

psychopath wrote: thanks ;)

anyway there's no need to be so basic with me... but thanks all the same ;)

Unfortunately I cannot know who is on the other side of the PC [:)], there are also people who do not even know the registry exists or similar things, so to prevent future questions I try to provide all the information from the very first message [;)] It was not meant to belittle your skill, absolutely not [bleh]

P.S. Can you do me a favour? I have now run into this virus for the fifth time in a week; I would like to study it better and then, perhaps, write a short article.
See if you can put the C:\Avenger folder into a zipped archive and send it to me. I would be grateful [:)]
This folder is protected, so first try to move it with the help of Unlocker, for example, so as to unlock it. One more thing: this virus seems to install itself when you click on the attachment of a spam e-mail; if you manage to find it and send it to me I would be infinitely grateful [^]

Let me know, so I can send you my e-mail address. Thanks.

Post by Amantide » Tue Jan 09, 2007 7:55 pm

There are updates regarding the Bagle virus; so as not to rewrite the same thing several times, I am posting the link directly
http://www.MegaLab.it/forum/viewtopic.p ... 642#220642

P.S. Don't worry about the virus sample any more, I have sorted it out. eMule is full of infected people who unknowingly share, among other things, the viruses as well [fischio]

Post by psychopath » Thu Jan 11, 2007 2:55 pm

absurd.... it won't let me install any antivirus... NONE!...... I tried avast, nod32, kaspersky.... NOTHING!..... please, if anyone has the solution, please..... otherwise I would be forced to format and that bugs me a lot, also because I have archives on the PC that not even 3 spindles of 25 DVDs could hold..... PLEASE HELP ME!!! [cry+]

Post by crazy.cat » Thu Jan 11, 2007 2:58 pm

Have you tried doing what amantide suggested?

Post by psychopath » Thu Jan 11, 2007 4:14 pm

yes, but it does nothing... every time it's back to square one... anyway @amantide send me your e-mail so I can send you the folder you asked for....

Post by Amantide » Thu Jan 11, 2007 4:24 pm

psychopath wrote: yes, but it does nothing... every time it's back to square one... anyway @amantide send me your e-mail so I can send you the folder you asked for....

Done.
Can you post me the Avenger log that is in C:\Avenger? That way I'll be able to see where the problem is.
Post the new GMER log again as well, if you can.

P.S. Didn't you by any chance use the restore points after running the script? While you're at it, disable them so that the infected files are removed from the restore points too; re-enable them once the cleanup is finished.

Post by psychopath » Thu Jan 11, 2007 5:06 pm

AVENGER LOG



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: Services\hide_evr2


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | ttool


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | checkers


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | drvsyskit


Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | german.exe

Post by Amantide » Thu Jan 11, 2007 5:14 pm

Evidently Avenger, not being able to "digest" the HKEY_CURRENT_USER entries, blocked the execution of the script altogether.
Try running only the first part of the script:
Files to delete:
C:\WINDOWS\HIDE_EVR2.SYS
C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys
C:\WINDOWS\9129837.exe
C:\WINDOWS\checkers5.exe
C:\WINDOWS\system32\hldrrr.exe
C:\Documents and Settings\crazyt\Dati applicazioni\hidires\hidr.exe
C:\WINDOWS\system32\wintems.exe

folders to delete:
C:\Documents and Settings\crazyt\Dati applicazioni\hidires

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hide_evr2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m_hook


The remaining values, listed in my first message, delete by hand.

P.S. If you had posted the Avenger log from the start, you might have solved it sooner. [bleh] Meanwhile I'm waiting for your e-mail. [;)]
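A small linter for an Avenger script, added here as an example (not part of the thread and not The Avenger's own code). It covers both the warning in Amantide's first post and the explanation just above: the pre-processor logs posted in this thread reject two kinds of line as "does not appear to be a valid registry path", a registry key that no longer starts with a hive because it was wrapped onto a second line (the "Line: Services\hide_evr2" error in the first log) and, under "Registry values to delete:", entries in HKEY_CURRENT_USER/HKCU. The HKCU rule is an assumption taken from those logs, not from Avenger documentation; the sample script is a constructed variant of the one posted, with the hide_evr2 key deliberately wrapped.

```python
"""Lint an Avenger removal script before it is run.

Added example; not part of the thread and not The Avenger's own code. It parses
the section-based script format shown in the thread ("Files to delete:",
"Registry keys to delete:", ...) and reports the line shapes that the Avenger
pre-processor logs posted in the thread reject.
"""
from typing import List, Tuple

# Constructed sample based on the script posted in the thread, with the
# hide_evr2 key deliberately wrapped onto two lines to reproduce the
# "Line: Services\hide_evr2" error from the first Avenger log.
SAMPLE_SCRIPT = r"""Files to delete:
C:\WINDOWS\HIDE_EVR2.SYS
C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys
C:\WINDOWS\checkers5.exe

folders to delete:
C:\Documents and Settings\crazyt\Dati applicazioni\hidires

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\hide_evr2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\m_hook

registry values to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | ttool
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr
"""

KNOWN_SECTIONS = {"files to delete", "folders to delete",
                  "registry keys to delete", "registry values to delete"}
HIVES = {"HKEY_LOCAL_MACHINE", "HKLM", "HKEY_CURRENT_USER", "HKCU",
         "HKEY_CLASSES_ROOT", "HKCR", "HKEY_USERS", "HKU"}
# Assumption drawn from the logs in the thread: value deletions under these
# hives are rejected by the Avenger build in use, so they must be done by hand.
REJECTED_VALUE_HIVES = {"HKEY_CURRENT_USER", "HKCU"}

# (section name, header line number, [(line number, entry), ...])
Section = Tuple[str, int, List[Tuple[int, str]]]


def parse_script(text: str) -> List[Section]:
    """Split the script into sections; a header is a line ending in ':'."""
    sections: List[Section] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            sections.append((line[:-1].lower(), lineno, []))
        elif not sections:
            raise ValueError(f"line {lineno}: entry before any section header")
        else:
            sections[-1][2].append((lineno, line))
    return sections


def lint_script(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) findings; an empty list means nothing looked wrong."""
    findings: List[Tuple[int, str]] = []
    for name, header_ln, entries in parse_script(text):
        if name not in KNOWN_SECTIONS:
            findings.append((header_ln, f"unknown section header {name!r}"))
            continue
        if not name.startswith("registry"):
            continue
        for ln, entry in entries:
            key = entry.split("|", 1)[0].strip()
            hive = key.split("\\", 1)[0].upper()
            if hive not in HIVES:
                findings.append((ln, f"no registry hive at start of {entry!r}: "
                                     "was a long key wrapped onto two lines?"))
                continue
            if key.endswith("\\"):
                findings.append((ln, f"key ends with a backslash: {entry!r}; "
                                     "its continuation is probably on the next line"))
            if name == "registry values to delete":
                if "|" not in entry:
                    findings.append((ln, f"value entry must be 'key | valuename': {entry!r}"))
                elif hive in REJECTED_VALUE_HIVES:
                    findings.append((ln, f"{hive} value will be rejected by this Avenger "
                                         f"build; delete it by hand in regedit: {entry!r}"))
    return findings


if __name__ == "__main__":
    for ln, msg in lint_script(SAMPLE_SCRIPT):
        print(f"line {ln}: {msg}")
```

Running the linter on a script before pasting it into Avenger catches exactly the two failure modes the thread went through, and it is cheap insurance because, as the log above shows, a single rejected line can stop the whole script rather than just the offending entry.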

Post by Amantide » Thu Jan 11, 2007 6:05 pm

In the archive you sent me there is also another log:
//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path.  Line will be ignored.
Error code: 2
Line: HKCU\Software\Microsoft\Windows\CurrentVersion\Run | drvsyskit


Syntax error in line --- does not appear to be a valid registry path.  Line will be ignored.
Error code: 2
Line: HKCU\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr


Syntax error in line --- does not appear to be a valid registry path.  Line will be ignored.
Error code: 2
Line: HKEY_CURRENT_USER\Software\FirstRRRun


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xvxggxfb

*******************

Script file located at: \??\C:\Documents and Settings\acbfqyvu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\hldrrr.exe deleted successfully.


Could not open file C:\Documents and Settings\Administrator\Dati applicazioni\hidires\hidr.exe for deletion
Deletion of file C:\Documents and Settings\Administrator\Dati applicazioni\hidires\hidr.exe failed!

Could not process line:
C:\Documents and Settings\Administrator\Dati applicazioni\hidires\hidr.exe
Status: 0xc000003a



Could not open file C:\Documents and Settings\Administrator\Dati applicazioni\hidires\m_hook.sys for deletion
Deletion of file C:\Documents and Settings\Administrator\Dati applicazioni\hidires\m_hook.sys failed!

Could not process line:
C:\Documents and Settings\Administrator\Dati applicazioni\hidires\m_hook.sys
Status: 0xc000003a

File C:\Windows\System32\wintems.exe deleted successfully.


Folder C:\Documents and Settings\Administrator\Dati applicazioni\hidires not found!
Deletion of folder C:\Documents and Settings\Administrator\Dati applicazioni\hidires failed!

Could not process line:
C:\Documents and Settings\Administrator\Dati applicazioni\hidires
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\m_hook deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|hldrrr deleted successfully.


Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|NWEReboot
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|NWEReboot failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.

This means that some files were not deleted; in fact only 2 of the ones listed were deleted:
C:\Windows\System32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe

First try running this script, so as to remove the rootkit first:
Files to delete:
C:\Documents and Settings\crazyt\Dati applicazioni\hidires\m_hook.sys


Then, when the computer restarts, also run this other one:
Files to delete:
C:\WINDOWS\HIDE_EVR2.SYS 
C:\WINDOWS\9129837.exe
C:\WINDOWS\checkers5.exe
C:\Documents and Settings\crazyt\Dati applicazioni\hidires\hidr.exe

folders to delete:
C:\Documents and Settings\crazyt\Dati applicazioni\hidires

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hide_evr2


Post me the Avenger logs at the end. [;)]
