Aiuto! Cosa sono questi file?

[giordyclay]

I file in questione sono stati rilevati da Sophos Anti-Rootkit ma non è riuscito ad eliminarli...
Qualcuno sa dirmi cosa sono e se sono pericolosi per il PC e per la privacy?
Tenkyu!

[Luke57]

Ciao, sono inseriti da Gromozon.
Scarica questo tool:
http://pcalsicuro.phpsoft.it/FixGrom.exe
eseguilo con l'antivirus disattivato. Al riavvio del computer il programma terminerà la scansione nelle restanti cartelle di windows.
Sarà rilasciato un report della scansione in C:\Gromozon_emoval.log.

Posta il report nel forum.

[giordyclay]

Ciao Luke,
ho fatto come tu mi hai detto e questo è il report.

-----

Removal tool loaded into memory
Removing ADS stream: C:\:125208bk.cpx:$DATA
------------------------------------
Executing rootkit removal engine....
------------------------------------
Disabling rootkit file: C:\:125208bk.cpx
Resetting file permissions...
Clearing attributes...
Impossibile trovare il file - C:\_cleaned.tmp
Removing file...
Rootkit removed! Cleaning up...

Removing temp files...
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\System\AKS.exe
Removing protected file: C:\Programmi\File comuni\System\amWfhR.exe
Removing protected file: C:\Programmi\File comuni\System\aNc.exe
Removing protected file: C:\Programmi\File comuni\System\AuD.exe
Removing protected file: C:\Programmi\File comuni\System\aZz.exe
Removing protected file: C:\Programmi\File comuni\System\bbr.exe
Removing protected file: C:\Programmi\File comuni\System\BukHGV.exe
Removing protected file: C:\Programmi\File comuni\System\BVO.exe
Removing protected file: C:\Programmi\File comuni\System\BVOKPp.exe
Removing protected file: C:\Programmi\File comuni\System\bYZKF.exe
Removing protected file: C:\Programmi\File comuni\System\bZpHk.exe
Removing protected file: C:\Programmi\File comuni\System\bzS.exe
Removing protected file: C:\Programmi\File comuni\System\ckH.exe
Removing protected file: C:\Programmi\File comuni\System\CNQcIK.exe
Removing protected file: C:\Programmi\File comuni\System\CpT.exe
Removing protected file: C:\Programmi\File comuni\System\cxD.exe
Removing protected file: C:\Programmi\File comuni\System\CXg.exe
Removing protected file: C:\Programmi\File comuni\System\cXh.exe
Removing protected file: C:\Programmi\File comuni\System\DFsMW.exe
Removing protected file: C:\Programmi\File comuni\System\DSPT.exe
Removing protected file: C:\Programmi\File comuni\System\dwJ.exe
Removing protected file: C:\Programmi\File comuni\System\dYy.exe
Removing protected file: C:\Programmi\File comuni\System\DzuJs.exe
Removing protected file: C:\Programmi\File comuni\System\dzw.exe
Removing protected file: C:\Programmi\File comuni\System\ECxM.exe
Removing protected file: C:\Programmi\File comuni\System\EdTAsv.exe
Removing protected file: C:\Programmi\File comuni\System\EgjVoo.exe
Removing protected file: C:\Programmi\File comuni\System\ehi.exe
Removing protected file: C:\Programmi\File comuni\System\EJM.exe
Removing protected file: C:\Programmi\File comuni\System\EkQ.exe
Removing protected file: C:\Programmi\File comuni\System\EkSC.exe
Removing protected file: C:\Programmi\File comuni\System\EQv.exe
Removing protected file: C:\Programmi\File comuni\System\esqTy.exe
Removing protected file: C:\Programmi\File comuni\System\Fca.exe
Removing protected file: C:\Programmi\File comuni\System\Fjg.exe
Removing protected file: C:\Programmi\File comuni\System\fMR.exe
Removing protected file: C:\Programmi\File comuni\System\Frb.exe
Removing protected file: C:\Programmi\File comuni\System\ftO.exe
Removing protected file: C:\Programmi\File comuni\System\FXM.exe
Removing protected file: C:\Programmi\File comuni\System\fzN.exe
Removing protected file: C:\Programmi\File comuni\System\gJDa.exe
Removing protected file: C:\Programmi\File comuni\System\GjGRd.exe
Removing protected file: C:\Programmi\File comuni\System\GPu.exe
Removing protected file: C:\Programmi\File comuni\System\gtQG.exe
Removing protected file: C:\Programmi\File comuni\System\gvD.exe
Removing protected file: C:\Programmi\File comuni\System\gviJ.exe
Removing protected file: C:\Programmi\File comuni\System\GyiDL.exe
Removing protected file: C:\Programmi\File comuni\System\GYq.exe
Removing protected file: C:\Programmi\File comuni\System\HbfRms.exe
Removing protected file: C:\Programmi\File comuni\System\HBoyS.exe
Removing protected file: C:\Programmi\File comuni\System\HcdcN.exe
Removing protected file: C:\Programmi\File comuni\System\HDt.exe
Removing protected file: C:\Programmi\File comuni\System\HutCbc.exe
Removing protected file: C:\Programmi\File comuni\System\Hziwy.exe
Removing protected file: C:\Programmi\File comuni\System\hZmm.exe
Removing protected file: C:\Programmi\File comuni\System\ieQNFQ.exe
Removing protected file: C:\Programmi\File comuni\System\ImC.exe
Removing protected file: C:\Programmi\File comuni\System\iTi.exe
Removing protected file: C:\Programmi\File comuni\System\iTm.exe
Removing protected file: C:\Programmi\File comuni\System\JEF.exe
Removing protected file: C:\Programmi\File comuni\System\jFW.exe
Removing protected file: C:\Programmi\File comuni\System\JhK.exe
Removing protected file: C:\Programmi\File comuni\System\Jho.exe
Removing protected file: C:\Programmi\File comuni\System\jkSs.exe
Removing protected file: C:\Programmi\File comuni\System\jlFQ.exe
Removing protected file: C:\Programmi\File comuni\System\JLk.exe
Removing protected file: C:\Programmi\File comuni\System\Jpb.exe
Removing protected file: C:\Programmi\File comuni\System\Jqo.exe
Removing protected file: C:\Programmi\File comuni\System\jUEyP.exe
Removing protected file: C:\Programmi\File comuni\System\JUfBaM.exe
Removing protected file: C:\Programmi\File comuni\System\JYC.exe
Removing protected file: C:\Programmi\File comuni\System\JzfTRU.exe
Removing protected file: C:\Programmi\File comuni\System\keFHsZ.exe
Removing protected file: C:\Programmi\File comuni\System\kJHZA.exe
Removing protected file: C:\Programmi\File comuni\System\kjSCQ.exe
Removing protected file: C:\Programmi\File comuni\System\KPzWZ.exe
Removing protected file: C:\Programmi\File comuni\System\kQT.exe
Removing protected file: C:\Programmi\File comuni\System\kULMAt.exe
Removing protected file: C:\Programmi\File comuni\System\kWyheL.exe
Removing protected file: C:\Programmi\File comuni\System\Leo.exe
Removing protected file: C:\Programmi\File comuni\System\lMN.exe
Removing protected file: C:\Programmi\File comuni\System\lqeD.exe
Removing protected file: C:\Programmi\File comuni\System\lUH.exe
Removing protected file: C:\Programmi\File comuni\System\Lyfko.exe
Removing protected file: C:\Programmi\File comuni\System\mfH.exe
Removing protected file: C:\Programmi\File comuni\System\MlneoH.exe
Removing protected file: C:\Programmi\File comuni\System\mOaFx.exe
Removing protected file: C:\Programmi\File comuni\System\Msdi.exe
Removing protected file: C:\Programmi\File comuni\System\msI.exe
Removing protected file: C:\Programmi\File comuni\System\NcsnGn.exe
Removing protected file: C:\Programmi\File comuni\System\NnV.exe
Removing protected file: C:\Programmi\File comuni\System\nqJ.exe
Removing protected file: C:\Programmi\File comuni\System\ObcZHc.exe
Removing protected file: C:\Programmi\File comuni\System\oFc.exe
Removing protected file: C:\Programmi\File comuni\System\OHypRi.exe
Removing protected file: C:\Programmi\File comuni\System\oINfUj.exe
Removing protected file: C:\Programmi\File comuni\System\oJp.exe
Removing protected file: C:\Programmi\File comuni\System\OkmJV.exe
Removing protected file: C:\Programmi\File comuni\System\OQRpG.exe
Removing protected file: C:\Programmi\File comuni\System\Osw.exe
Removing protected file: C:\Programmi\File comuni\System\ouU.exe
Removing protected file: C:\Programmi\File comuni\System\oZk.exe
Removing protected file: C:\Programmi\File comuni\System\OZP.exe
Removing protected file: C:\Programmi\File comuni\System\pTU.exe
Removing protected file: C:\Programmi\File comuni\System\pUGu.exe
Removing protected file: C:\Programmi\File comuni\System\Qic.exe
Removing protected file: C:\Programmi\File comuni\System\qjaRSS.exe
Removing protected file: C:\Programmi\File comuni\System\qlPp.exe
Removing protected file: C:\Programmi\File comuni\System\QWn.exe
Removing protected file: C:\Programmi\File comuni\System\RfC.exe
Removing protected file: C:\Programmi\File comuni\System\rrCs.exe
Removing protected file: C:\Programmi\File comuni\System\RWWTvr.exe
Removing protected file: C:\Programmi\File comuni\System\Sbk.exe
Removing protected file: C:\Programmi\File comuni\System\sIIix.exe
Removing protected file: C:\Programmi\File comuni\System\sPelrR.exe
Removing protected file: C:\Programmi\File comuni\System\Tfh.exe
Removing protected file: C:\Programmi\File comuni\System\tIQuET.exe
Removing protected file: C:\Programmi\File comuni\System\tnYRbE.exe
Removing protected file: C:\Programmi\File comuni\System\TPhgDa.exe
Removing protected file: C:\Programmi\File comuni\System\txdyry.exe
Removing protected file: C:\Programmi\File comuni\System\TYYQP.exe
Removing protected file: C:\Programmi\File comuni\System\Tzr.exe
Removing protected file: C:\Programmi\File comuni\System\TZt.exe
Removing protected file: C:\Programmi\File comuni\System\uGgz.exe
Removing protected file: C:\Programmi\File comuni\System\uhA.exe
Removing protected file: C:\Programmi\File comuni\System\UOVMGi.exe
Removing protected file: C:\Programmi\File comuni\System\UyMvLB.exe
Removing protected file: C:\Programmi\File comuni\System\UYT.exe
Removing protected file: C:\Programmi\File comuni\System\vbRgY.exe
Removing protected file: C:\Programmi\File comuni\System\vCFSC.exe
Removing protected file: C:\Programmi\File comuni\System\VCSji.exe
Removing protected file: C:\Programmi\File comuni\System\VEV.exe
Removing protected file: C:\Programmi\File comuni\System\vnncrh.exe
Removing protected file: C:\Programmi\File comuni\System\vVNZW.exe
Removing protected file: C:\Programmi\File comuni\System\vxo.exe
Removing protected file: C:\Programmi\File comuni\System\Wajr.exe
Removing protected file: C:\Programmi\File comuni\System\wdq.exe
Removing protected file: C:\Programmi\File comuni\System\Wwej.exe
Removing protected file: C:\Programmi\File comuni\System\XBQ.exe
Removing protected file: C:\Programmi\File comuni\System\XtOYN.exe
Removing protected file: C:\Programmi\File comuni\System\xUEq.exe
Removing protected file: C:\Programmi\File comuni\System\YaD.exe
Removing protected file: C:\Programmi\File comuni\System\yDw.exe
Removing protected file: C:\Programmi\File comuni\System\yhH.exe
Removing protected file: C:\Programmi\File comuni\System\YIFxl.exe
Removing protected file: C:\Programmi\File comuni\System\yNlyU.exe
Removing protected file: C:\Programmi\File comuni\System\YwlWmm.exe
Removing protected file: C:\Programmi\File comuni\System\yXqgP.exe
Removing protected file: C:\Programmi\File comuni\System\YYX.exe
Removing protected file: C:\Programmi\File comuni\System\Zbr.exe
Removing protected file: C:\Programmi\File comuni\System\zdIPix.exe
Removing protected file: C:\Programmi\File comuni\System\zfF.exe
Removing protected file: C:\Programmi\File comuni\System\zJu.exe
Removing protected file: C:\Programmi\File comuni\System\zkSHtg.exe
Removing protected file: C:\Programmi\File comuni\System\zpFtEb.exe
Removing protected file: C:\Programmi\File comuni\System\zva.exe
Removing protected file: C:\Programmi\File comuni\System\ZvTt.exe
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\system32\diaa.dll
Removed!


Trojan.Gromozon Removed!

[Luke57]

Ciao, sembrano che siano stati eliminati tutti.

[giordyclay]

Grazie mille Luke,
però in quella cartella vedo ancora un file (eGTUo.exe)... si tratta sempre di un file pericoloso?
Ho rifatto l'operazione con FixGrom ma non mi trova più niente.
Grazie ancora.

[Luke57]

Ciao, scarica Gmer :
http://www.gmer.net/gmer111.zip
Dopo averlo scompattato, lo avvii, entri in Avanzate premendo>>>>>>,selezioni il tab "Rootkit"
Clicca su "Scan"
Attendi la fine della scansione e clicca su "Copy"
Incolli il log gemerato in un blocco notes (foglio di testo) e salvi il medesimo foglio..

Con la stessa procedura fai una scansione nella posizione Autostart (spunta “show all”) la copi e incolli nel suddetto foglio di testo.

Copi e incolli il contenuto del foglio di testo in un log.

[giordyclay]

Questi i risultati dee due processi:

GMER 1.0.11.11390 - http://www.gmer.net
Autostart 2006-10-17 16:43:13
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = PDBoot.exe autocheck autochk * SsiEfr.e

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier@DLLName = WRLogonNTF.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
NOD32krn /*NOD32 Kernel Service*/@ = "C:\Programmi\Eset\nod32krn.exe"
PDSched /*PDScheduler*/@ = C:\Programmi\Raxco\PerfectDisk\PDSched.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
SrvAjr /*SrvAjr*/@ = "C:\Programmi\File comuni\System\keFHsZ.exe" /*file not found*/
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@AdslTaskBarrundll32.exe stmctrl.dll,TaskBar = rundll32.exe stmctrl.dll,TaskBar
@Zone Labs ClientC:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe = C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
@nod32kui"C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE = "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Skype = "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WinZip\WZSHLSTB.DLL = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WinZip\WZSHLSTB.DLL = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WinZip\WZSHLSTB.DLL = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{B089FE88-FB52-11d3-BDF1-0050DA34150D} /*NOD32 Context Menu Shell Extension*/C:\Programmi\Eset\nodshex.dll = C:\Programmi\Eset\nodshex.dll
@{5CA3D70E-1895-11CF-8E15-001234567890} /*DriveLetterAccess*/C:\WINDOWS\system32\dla\tfswshx.dll = C:\WINDOWS\system32\dla\tfswshx.dll
@{7C9D5882-CB4A-4090-96C8-430BFE8B795B} /*Webroot Spy Sweeper Context Menu Integration*/C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
SpySweeper@{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{5CA3D70E-1895-11CF-8E15-001234567890}C:\WINDOWS\system32\dla\tfswshx.dll = C:\WINDOWS\system32\dla\tfswshx.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.google.it/

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = imon.dll
000000000002@PackedCatalogItem = imon.dll
000000000003@PackedCatalogItem = imon.dll
000000000004@PackedCatalogItem = imon.dll
000000000005@PackedCatalogItem = imon.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023@PackedCatalogItem = imon.dll

---- EOF - GMER 1.0.11 ----

[giordyclay]

Scusa, sopra ho sbagliato. Posto di nuovo.


GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-17 16:42:48
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.11 ----

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL [F6A0F492] tfsnifs.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F6C45230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F6C45230] vsdatant.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F6A0F492] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F6A0F44C] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F6A0F44C] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F6A0F44C] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F6A0F44C] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F6A0F44C] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [F6A0F64C] tfsnifs.sys

---- Files - GMER 1.0.11 ----

ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE
ADS ...

---- EOF - GMER 1.0.11 ----





GMER 1.0.11.11390 - http://www.gmer.net
Autostart 2006-10-17 16:43:13
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = PDBoot.exe autocheck autochk * SsiEfr.e

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier@DLLName = WRLogonNTF.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
NOD32krn /*NOD32 Kernel Service*/@ = "C:\Programmi\Eset\nod32krn.exe"
PDSched /*PDScheduler*/@ = C:\Programmi\Raxco\PerfectDisk\PDSched.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
SrvAjr /*SrvAjr*/@ = "C:\Programmi\File comuni\System\keFHsZ.exe" /*file not found*/
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@AdslTaskBarrundll32.exe stmctrl.dll,TaskBar = rundll32.exe stmctrl.dll,TaskBar
@Zone Labs ClientC:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe = C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
@nod32kui"C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE = "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Skype = "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WinZip\WZSHLSTB.DLL = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WinZip\WZSHLSTB.DLL = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WinZip\WZSHLSTB.DLL = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{B089FE88-FB52-11d3-BDF1-0050DA34150D} /*NOD32 Context Menu Shell Extension*/C:\Programmi\Eset\nodshex.dll = C:\Programmi\Eset\nodshex.dll
@{5CA3D70E-1895-11CF-8E15-001234567890} /*DriveLetterAccess*/C:\WINDOWS\system32\dla\tfswshx.dll = C:\WINDOWS\system32\dla\tfswshx.dll
@{7C9D5882-CB4A-4090-96C8-430BFE8B795B} /*Webroot Spy Sweeper Context Menu Integration*/C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
SpySweeper@{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{5CA3D70E-1895-11CF-8E15-001234567890}C:\WINDOWS\system32\dla\tfswshx.dll = C:\WINDOWS\system32\dla\tfswshx.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.google.it/

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = imon.dll
000000000002@PackedCatalogItem = imon.dll
000000000003@PackedCatalogItem = imon.dll
000000000004@PackedCatalogItem = imon.dll
000000000005@PackedCatalogItem = imon.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023@PackedCatalogItem = imon.dll

---- EOF - GMER 1.0.11 ----

[Luke57]

Ciao, scarica Adsspy sul desktop
http://www.merijn.org/files/adsspy.zip
Decomprimi l'archivio
avvia il programma,leva tutte le spunte presenti e mettila solo nella casella "Scan only this folder",clicca sul pulsantino e seleziona il disco rigido da scansionare,clicca su "Scan the system ecc " per far partire la scansione
A fine scansione dovresti visualizzare questo valore
C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE

Metti la spunta nella casella che corrisponde al valore e clicca su "Remove selected streams".

Inoltre lancia questo comadno:
start>esegui>sc stop SrvAjr (lo digiti nello spazio bianco)>OK
start>esegui>sc delete SrvAjr (lo digiti nello spazio bianco)>OK

Elimina anche quel file verde.
Se non si fa eliminare normalmente, Seleziona il file con il tasto destro e click su PROPRIETA', qui seleziona su PROTEZIONE>AVANZATE >PROPRIETARIO, qui seleziona account di ADMINISTRATORS
e fare OK (o applica) e dopo ancora OK fino ad uscire dalle PROPRIETA'.
Adesso rientra su PROPRIETA', PROTEZIONE e dopo su AVANZATE, clickare su AGGIUNGI da AUTORIZZAZIONI
e aggiungere l'account di ADMINISTRATOR, dopo selezionare da CONSENTI "CONTROLLO COMPLETO"
e fare OK per uscire.
Adesso clicke su PROPRIETA' del file e togliere i flags di "SOLO LETTURA" e NASCOSTO.
Poi, cancellare il file.

[giordyclay]

Ok Luke,
ho fatto tutto quello che mi hai detto. Spero di essermi definitivamente liberato di questo coso (a proposito, cosa diavolo era?).

Grazie mille, questo forum è tra le cose migliori che esista in rete e voi siete stupendi.

Giordy

[Luke57]

Ciao, grazie per i complimenti, sei molto gentile