chiarimento su MyUninstaller per rimuovere LinkOptimizer

[shenandoa]

Sto seguendo le vostre istruzioni per rimuovere LinkOptimizer.
Ho fatto le scansioni con HijackThis e ora ho scaricato MyUnistaller però ... non ho la voce "Delected" da te indicata

con "Uninstal Selected software" vengo indirizzato al seguente indirizzo http://notetol.com/uninstall.php con un pulsante Uninstal al centro...
devo utilizzare questo pulsante ???
l'opzione "Delete selected item" è solo per togliere la voce dall'elenco...
puoi suggerirmi come devo procedere ??

grazie in anticipo

[Luke57]

Ciao, apri myuninstaller.exe, appena completato l'elenco delle applicazioni, evidenzi la voce LinkOptimizer, click con il tasto dx del mouse e scegli Delete selected entries.

[shenandoa]

Grazie Luke57, perdona la mia ingenuità

1. rimosso LinkOptimizer con MyUninstaller
2. ho verificato la presenza dell'utenza sospetta eozzIEfh
3. non ho però cartelle visibili/nascoste con questo nome di utenza in C:\Documents and Settings
4. creato Log con HijackThis (vedi sotto)
5. eseguito GMER che mi ha dato questo msg d'errore
"GMER has fund system modification, with might have been caused ROOTKIT activity" ogni volta che ho eseguito lo scan Rootkit

Ti allego i Log e ti chiedo come procedere con Avenger e quali ulteriori passi devo eventualmente fare...
A presto




Logfile of HijackThis v1.99.1
Scan saved at 11.10.17, on 24/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Programmi\Cisco Systems\CiscoTrustAgent\ctad.exe
C:\windows\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\IQAC55.EXE
C:\Programmi\Citrix\PNAgent\ssonsvr.exe
C:\Programmi\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\windows\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Citrix\PNAgent\pnagent.exe
C:\windows\TEMP\alns1.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\windows\system32\NOTEPAD.EXE
C:\Documents and Settings\ (...) \Security\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intra/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Programmi\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.mtsintra.network/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 69.50.166.13 google.co.uk
O1 - Hosts: 69.50.166.13 http://www.google.es
O1 - Hosts: 69.50.166.13 google.es
O1 - Hosts: 69.50.166.13 google.com.au
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {AAA71084-7689-875E-80E9-1924BFCA805D} - C:\windows\ingwp1.dll (file missing)
O3 - Toolbar: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\windows\system32\bgstb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BgInfo] c:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [bgsmsnd.exe] C:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://faavs01.mtsintra.network:81/offi ... nNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://faavs01.mtsintra.network:81/offi ... tupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://faavs01.mtsintra.network:81/offi ... /setup.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://faavs01.mtsintra.network:81/offi ... veCtrl.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.intra/extintra/orgpublisher/OrgPubX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mtsintra.network
O17 - HKLM\Software\..\Telephony: DomainName = mtsintra.network
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BB6A120-92BF-4569-ABF7-108EE190C438}: NameServer = 85.255.114.36,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{37B8CFD6-37D8-4ED2-830D-E5FA5390585F}: NameServer = 85.255.114.36,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{C511CD89-3AF0-4D61-8A8D-79A91567EF88}: NameServer = 85.255.114.36,85.255.112.114
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mtsintra.network
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Programmi\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: BkD - Unknown owner - C:\windows\TEMP\6.tmp (file missing)
O23 - Service: Cisco Trust Agent (ctad) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\CiscoTrustAgent\ctad.exe
O23 - Service: Cisco Trust Agent Event Logging Service (ctalogd) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe



GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-24 11:24:17
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.10 ----

Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CREATE [F7B0FC98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CLOSEIRP_MJ_READ [F7B0FC98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B0F4A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_SHUTDOWN [F7B0F3D2] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_SYSTEM_CONTROL [F7B0F386] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_DEVICE_CHANGE [F7B0F4A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_PNP_POWER [F7B0FE88] SMBCLASS.SYS
---- Processes - GMER 1.0.10 ----

Library C:\windows\TEMP\alns1.exe (*** hidden *** ) @ C:\windows\TEMP\alns1.exe [232] 0x00400000 <-- ROOTKIT !!!
Library C:\windows:yiis.log (*** hidden *** ) @ C:\windows\system32\NOTEPAD.EXE [468] 0x3EE80000 <-- ROOTKIT !!!
Library C:\windows:yiis.log (*** hidden *** ) @ C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe [1100] 0x3EE80000 <-- ROOTKIT !!!
Library C:\WINDOWS\TEMP\IQAC55.EXE (*** hidden *** ) @ C:\WINDOWS\TEMP\IQAC55.EXE [1140] 0x00400000 <-- ROOTKIT !!!
Library C:\windows:yiis.log (*** hidden *** ) @ C:\windows\system32\NOTEPAD.EXE [1396] 0x3EE80000 <-- ROOTKIT !!!

Process C:\windows\system32\svchost.exe (*** hidden *** ) 1536 <-- ROOTKIT !!!
Library C:\windows:yiis.log (*** hidden *** ) @ C:\windows\system32\svchost.exe [1536] 0x3EE80000 <-- ROOTKIT !!!
Library C:\windows:yiis.log (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [1848] 0x3EE80000 <-- ROOTKIT !!!
Library C:\windows\ingwp1.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [1848] 0x00F70000 <-- ROOTKIT !!!
Library C:\windows:yiis.log (*** hidden *** ) @ C:\windows\System32\svchost.exe [2004] 0x3EE80000 <-- ROOTKIT !!!
Library C:\windows:yiis.log (*** hidden *** ) @ C:\WINDOWS\system32\WISPTIS.EXE [2120] 0x3EE80000 <-- ROOTKIT !!!
Library C:\windows\ingwp1.dll (*** hidden *** ) @ C:\windows\Explorer.EXE [3344] 0x011E0000 <-- ROOTKIT !!!
Library C:\windows:yiis.log (*** hidden *** ) @ C:\Documents and Settings\ (...) \Software\Security\GMer\gmer.exe [3820] 0x3EE80000 <-- ROOTKIT !!!

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\WINDOWS\ingwp1.dll

---- EOF - GMER 1.0.10 ----


GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-24 11:24:56
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
IntelWireless@DLLName = C:\Programmi\Intel\Wireless\Bin\LgNotify.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\windows:yiis.log

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
anbmService /*Notebook Manager Service*/@ = C:\Acer\eManager\anbmServ.exe
BkD /*BkD*/@ = "C:\windows\TEMP\6.tmp" /*file not found*/
ctad /*Cisco Trust Agent*/@ = "C:\Programmi\Cisco Systems\CiscoTrustAgent\ctad.exe"
ctalogd /*Cisco Trust Agent Event Logging Service*/@ = "C:\Programmi\Cisco Systems\CiscoTrustAgent\ctalogd.exe"
CVPND /*Cisco Systems, Inc. VPN Service*/@ = "C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe"
EvtEng /*EvtEng*/@ = C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
ntrtscan /*OfficeScanNT RealTime Scan*/@ = C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
OfcPfwSvc /*OfficeScanNT Personal Firewall*/@ = C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
OwnershipProtocol /*OwnershipProtocol*/@ = C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
RegSrvc /*RegSrvc*/@ = C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
S24EventMonitor /*Spectrum24 Event Monitor*/@ = C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
tmlisten /*OfficeScanNT Listener*/@ = C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@IgfxTrayC:\WINDOWS\System32\igfxtray.exe = C:\WINDOWS\System32\igfxtray.exe
@HotKeysCmdsC:\WINDOWS\System32\hkcmd.exe = C:\WINDOWS\System32\hkcmd.exe
@BgInfoc:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent = c:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent
@OfficeScanNT Monitor"C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow = "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
@LManagerC:\Programmi\Launch Manager\QtZgAcer.EXE = C:\Programmi\Launch Manager\QtZgAcer.EXE
@PCSuiteTrayApplicationC:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray /*file not found*/ = C:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray /*file not found*/
@DataLayerC:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE = C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
@bgsmsnd.exeC:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe = C:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
@IntelZeroConfigC:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe = C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
@IntelWirelessC:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless = C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
@EOUAppC:\Programmi\Intel\Wireless\Bin\EOUWiz.exe = C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run >>>
@wininet.dll /*file not found*/ = /*file not found*/
@kernel32.dll /*file not found*/ = /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{FED7043D-346A-414D-ACD7-550D052499A7} /*dBpowerAMP Music Converter 1*/(null) =
@{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} /*dBpowerAMP Music Converter*/(null) =
@{792F0537-F929-4eb7-AC1D-FB6334C71550} /*LG Phone*/(null) =
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{40950107-FEA6-4d53-A65F-B2DCBA57DD58} /*Nokia Phone Browser*/C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
@{FBFE7864-D495-41f0-B7DC-4BB601CC295E} /*Contact View*/C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll
@{C0C4375A-5B72-4efe-929D-3B848C3A1E91} /*Message View*/C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zipn.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zipn.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zipn.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{AAA71084-7689-875E-80E9-1924BFCA805D}C:\windows\ingwp1.dll = C:\windows\ingwp1.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.intra/ = http://www.intra/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = mtsintra.network

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Program Neighborhood Agent.lnk = Program Neighborhood Agent.lnk
VPN Client.lnk = VPN Client.lnk

---- EOF - GMER 1.0.10 ----

[Luke57]

Ciao, avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:


Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\BkD
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAA71084-7689-875E-80E9-1924BFCA805D}

Files to delete:
C:\windows\ingwp1.dll
C:\windows\TEMP\alns1.exe
C:\WINDOWS\TEMP\IQAC55.EXE

Folders to delete:
C:\Windows\Temp

Clicca sul pulsante Done
Clicca 2 volte sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente


Il programma rilascia un log con le operazioni eseguite.

Posta il log di Avenger (C:/avenger.txt) con l´esito dello script.

Controlla se in C:\Programmi o C:\Programmi\file comuni o C:\programmi\file comuni\System o in C:\programmi\file comuni\microsoft shared , sono presenti file con estensione .exe i colore verde; se sì fammelo sapere.

Ancora con hiajackthis, premi Open the misc tools section, poi clicca su Open Ads Spy... togli il segno di spunta a Quick Scan. Se trovi il file
C:\windows:yiis.log
selezionalo mettendo un segno di spunta nella casella accanto alla voce e premi Remove selected

[shenandoa]

Ciao Luke57

1. ho eseguito Avenger però mi ha dato msg d'errore sull'Objects
2. non ho file exe "verdi" nelle directories indicate
3. con HijackThis ho trovato 2 files C:\windows:yiis.log ma non riesco a rimuoverli (msg "files locked by another program")
4. controllando nuovamente con MyUninstaller ho ancora l'item LinkOptimizer... ho nuovamente seguito la tua indicazione di scegliere l'opzione "Delete selected entries"
5. ho sempre l'utente sospetto ma nessuna cartella corrispondente in C:\Documents and Settings
6. ho rieseguito i log di HijackThis e GMER per completezza

sigh


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 1813
Line:
Objects\{AAA71084-7689-875E-80E9-1924BFCA805D}


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\^yhdmxtc

*******************

Script file located at: \??\C:\Program Files\glhmjjka.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\BkD deleted successfully.
File C:\windows\ingwp1.dll deleted successfully.


File C:\windows\TEMP\alns1.exe not found!
Deletion of file C:\windows\TEMP\alns1.exe failed!

Could not process line:
C:\windows\TEMP\alns1.exe
Status: 0xc0000034



File C:\WINDOWS\TEMP\IQAC55.EXE not found!
Deletion of file C:\WINDOWS\TEMP\IQAC55.EXE failed!

Could not process line:
C:\WINDOWS\TEMP\IQAC55.EXE
Status: 0xc0000034

Folder C:\Windows\Temp deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.


Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper not found!
Deletion of registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


Logfile of HijackThis v1.99.1
Scan saved at 13.11.34, on 24/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Programmi\Cisco Systems\CiscoTrustAgent\ctad.exe
C:\windows\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\YH2780.EXE
C:\Programmi\Citrix\PNAgent\ssonsvr.exe
C:\Programmi\Intel\Wireless\Bin\ZcfgSvc.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Citrix\PNAgent\pnagent.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\...\Software\Security\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intra/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Programmi\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.mtsintra.network/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 69.50.166.13 google.co.uk
O1 - Hosts: 69.50.166.13 http://www.google.es
O1 - Hosts: 69.50.166.13 google.es
O1 - Hosts: 69.50.166.13 google.com.au
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {AAA71084-7689-875E-80E9-1924BFCA805D} - C:\windows\ingwp1.dll (file missing)
O3 - Toolbar: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\windows\system32\bgstb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BgInfo] c:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [bgsmsnd.exe] C:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://faavs01.mtsintra.network:81/offi ... nNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://faavs01.mtsintra.network:81/offi ... tupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://faavs01.mtsintra.network:81/offi ... /setup.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://faavs01.mtsintra.network:81/offi ... veCtrl.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.intra/extintra/orgpublisher/OrgPubX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mtsintra.network
O17 - HKLM\Software\..\Telephony: DomainName = mtsintra.network
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BB6A120-92BF-4569-ABF7-108EE190C438}: NameServer = 85.255.114.36,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{37B8CFD6-37D8-4ED2-830D-E5FA5390585F}: NameServer = 85.255.114.36,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{C511CD89-3AF0-4D61-8A8D-79A91567EF88}: NameServer = 85.255.114.36,85.255.112.114
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mtsintra.network
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Programmi\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Cisco Trust Agent (ctad) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\CiscoTrustAgent\ctad.exe
O23 - Service: Cisco Trust Agent Event Logging Service (ctalogd) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-24 13:17:40
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.10 ----

Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CREATE [F7B0FC98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CLOSEIRP_MJ_READ [F7B0FC98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B0F4A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_SHUTDOWN [F7B0F3D2] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_SYSTEM_CONTROL [F7B0F386] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_DEVICE_CHANGE [F7B0F4A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_PNP_POWER [F7B0FE88] SMBCLASS.SYS

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-24 13:19:02
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
IntelWireless@DLLName = C:\Programmi\Intel\Wireless\Bin\LgNotify.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
anbmService /*Notebook Manager Service*/@ = C:\Acer\eManager\anbmServ.exe
ctad /*Cisco Trust Agent*/@ = "C:\Programmi\Cisco Systems\CiscoTrustAgent\ctad.exe"
ctalogd /*Cisco Trust Agent Event Logging Service*/@ = "C:\Programmi\Cisco Systems\CiscoTrustAgent\ctalogd.exe"
CVPND /*Cisco Systems, Inc. VPN Service*/@ = "C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe"
EvtEng /*EvtEng*/@ = C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
ntrtscan /*OfficeScanNT RealTime Scan*/@ = C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
OfcPfwSvc /*OfficeScanNT Personal Firewall*/@ = C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
OwnershipProtocol /*OwnershipProtocol*/@ = C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
RegSrvc /*RegSrvc*/@ = C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
S24EventMonitor /*Spectrum24 Event Monitor*/@ = C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
tmlisten /*OfficeScanNT Listener*/@ = C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@IgfxTrayC:\WINDOWS\System32\igfxtray.exe = C:\WINDOWS\System32\igfxtray.exe
@HotKeysCmdsC:\WINDOWS\System32\hkcmd.exe = C:\WINDOWS\System32\hkcmd.exe
@BgInfoc:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent = c:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent
@OfficeScanNT Monitor"C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow = "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
@LManagerC:\Programmi\Launch Manager\QtZgAcer.EXE = C:\Programmi\Launch Manager\QtZgAcer.EXE
@PCSuiteTrayApplicationC:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray /*file not found*/ = C:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray /*file not found*/
@DataLayerC:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE = C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
@bgsmsnd.exeC:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe = C:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
@IntelZeroConfigC:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe = C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
@IntelWirelessC:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless = C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
@EOUAppC:\Programmi\Intel\Wireless\Bin\EOUWiz.exe = C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run >>>
@wininet.dll /*file not found*/ = /*file not found*/
@kernel32.dll /*file not found*/ = /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{FED7043D-346A-414D-ACD7-550D052499A7} /*dBpowerAMP Music Converter 1*/(null) =
@{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} /*dBpowerAMP Music Converter*/(null) =
@{792F0537-F929-4eb7-AC1D-FB6334C71550} /*LG Phone*/(null) =
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{40950107-FEA6-4d53-A65F-B2DCBA57DD58} /*Nokia Phone Browser*/C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
@{FBFE7864-D495-41f0-B7DC-4BB601CC295E} /*Contact View*/C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll
@{C0C4375A-5B72-4efe-929D-3B848C3A1E91} /*Message View*/C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zipn.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zipn.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zipn.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{AAA71084-7689-875E-80E9-1924BFCA805D}C:\windows\ingwp1.dll /*file not found*/ = C:\windows\ingwp1.dll /*file not found*/

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.intra/ = http://www.intra/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = mtsintra.network

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Program Neighborhood Agent.lnk = Program Neighborhood Agent.lnk
VPN Client.lnk = VPN Client.lnk

---- EOF - GMER 1.0.10 ----
[/b]

[Luke57]

Ciao, non sarà facile rimuovere quel file:
con hiajkthis, premi "do a system scan only", cechi e spunti:
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {AAA71084-7689-875E-80E9-1924BFCA805D} - C:\windows\ingwp1.dll (file missing)
premi fix checked

Prova a fare uno scan on line con bitdefender:
http://www.bitdefender.com/scan8/ie.html

[shenandoa]

Ciao,
1. con HijackThis ho spuntato/fixed le due voci.
2. Bitdefender ho trovato/cancellato alcuni "rar alias mp3" Infected with: Trojan.Downloader.IstBar.OK ed inoltre C:\WINDOWS\system32\ogaa.dll Infected with: Trojan.Agent.TN
3. dopo reboot cmq non è presente più alcun utente sospetto (solo Administrator e il sottoscritto).
4. è ancora impossibile rimuovere i 2 files C:\windows:yiis.log

ritieni che è stato debellato oppure si deve procedere ancora con qualche esorcismo ...
devo ancora e come faccio a rimuovere i files C:\windows:yiis.log ???
bdoscandel.exe (file missing) è anch'esso un problema ???
a presto e grazie per la tua pazienza

PS
il file C:\WINDOWS\TEMP\CNE564.EXE credo sia da ricondursi a Officescan (con Spybot Elenco processi si ha C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe in grassetto...)


Logfile of HijackThis v1.99.1
Scan saved at 16.26.02, on 24/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Programmi\Cisco Systems\CiscoTrustAgent\ctad.exe
C:\windows\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\CNE564.EXE
C:\Programmi\Citrix\PNAgent\ssonsvr.exe
C:\Programmi\Intel\Wireless\Bin\ZcfgSvc.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Citrix\PNAgent\pnagent.exe
C:\windows\system32\userinit.exe
C:\Documents and Settings\...\Software\Security\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intra/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Programmi\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.mtsintra.network/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 69.50.166.13 google.co.uk
O1 - Hosts: 69.50.166.13 http://www.google.es
O1 - Hosts: 69.50.166.13 google.es
O1 - Hosts: 69.50.166.13 google.com.au
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\windows\system32\bgstb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BgInfo] c:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [bgsmsnd.exe] C:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} -

%windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) -

http://faavs01.mtsintra.network:81/offi ... nNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) -

http://faavs01.mtsintra.network:81/offi ... tupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) -

http://faavs01.mtsintra.network:81/offi ... /setup.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) -

http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -

http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) -

http://faavs01.mtsintra.network:81/offi ... veCtrl.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.intra/extintra/orgpublisher/OrgPubX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mtsintra.network
O17 - HKLM\Software\..\Telephony: DomainName = mtsintra.network
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BB6A120-92BF-4569-ABF7-108EE190C438}: NameServer = 85.255.114.36,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{37B8CFD6-37D8-4ED2-830D-E5FA5390585F}: NameServer = 85.255.114.36,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{C511CD89-3AF0-4D61-8A8D-79A91567EF88}: NameServer = 85.255.114.36,85.255.112.114
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mtsintra.network
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Programmi\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Cisco Trust Agent (ctad) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\CiscoTrustAgent\ctad.exe
O23 - Service: Cisco Trust Agent Event Logging Service (ctalogd) - Cisco Systems, Inc. - C:\Programmi\Cisco

Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN

Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan

Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan

Client\OfcPfwSvc.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-24 17:17:12
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.10 ----

Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CREATE [F7B0FC98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CLOSEIRP_MJ_READ [F7B0FC98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B0F4A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_SHUTDOWN [F7B0F3D2] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_SYSTEM_CONTROL [F7B0F386] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_DEVICE_CHANGE [F7B0F4A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_PNP_POWER [F7B0FE88] SMBCLASS.SYS

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-24 17:18:23
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
IntelWireless@DLLName = C:\Programmi\Intel\Wireless\Bin\LgNotify.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
anbmService /*Notebook Manager Service*/@ = C:\Acer\eManager\anbmServ.exe
ctad /*Cisco Trust Agent*/@ = "C:\Programmi\Cisco Systems\CiscoTrustAgent\ctad.exe"
ctalogd /*Cisco Trust Agent Event Logging Service*/@ = "C:\Programmi\Cisco Systems\CiscoTrustAgent\ctalogd.exe"
CVPND /*Cisco Systems, Inc. VPN Service*/@ = "C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe"
EvtEng /*EvtEng*/@ = C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
ntrtscan /*OfficeScanNT RealTime Scan*/@ = C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
OfcPfwSvc /*OfficeScanNT Personal Firewall*/@ = C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
OwnershipProtocol /*OwnershipProtocol*/@ = C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
RegSrvc /*RegSrvc*/@ = C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
S24EventMonitor /*Spectrum24 Event Monitor*/@ = C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
tmlisten /*OfficeScanNT Listener*/@ = C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@IgfxTrayC:\WINDOWS\System32\igfxtray.exe = C:\WINDOWS\System32\igfxtray.exe
@HotKeysCmdsC:\WINDOWS\System32\hkcmd.exe = C:\WINDOWS\System32\hkcmd.exe
@BgInfoc:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent = c:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent
@OfficeScanNT Monitor"C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow = "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
@LManagerC:\Programmi\Launch Manager\QtZgAcer.EXE = C:\Programmi\Launch Manager\QtZgAcer.EXE
@PCSuiteTrayApplicationC:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray /*file not found*/ = C:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray /*file not found*/
@DataLayerC:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE = C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
@bgsmsnd.exeC:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe = C:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
@IntelZeroConfigC:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe = C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
@IntelWirelessC:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless = C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
@EOUAppC:\Programmi\Intel\Wireless\Bin\EOUWiz.exe = C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run >>>
@wininet.dll /*file not found*/ = /*file not found*/
@kernel32.dll /*file not found*/ = /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{FED7043D-346A-414D-ACD7-550D052499A7} /*dBpowerAMP Music Converter 1*/(null) =
@{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} /*dBpowerAMP Music Converter*/(null) =
@{792F0537-F929-4eb7-AC1D-FB6334C71550} /*LG Phone*/(null) =
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{40950107-FEA6-4d53-A65F-B2DCBA57DD58} /*Nokia Phone Browser*/C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
@{FBFE7864-D495-41f0-B7DC-4BB601CC295E} /*Contact View*/C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll
@{C0C4375A-5B72-4efe-929D-3B848C3A1E91} /*Message View*/C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zipn.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zipn.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zipn.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.intra/ = http://www.intra/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = mtsintra.network

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Program Neighborhood Agent.lnk = Program Neighborhood Agent.lnk
VPN Client.lnk = VPN Client.lnk

---- EOF - GMER 1.0.10 ----

[Luke57]

Ciao, nel log di GMer non appaiono più. Prova con ewido:
http://www.ewido.net/en/
scansione comleta dalla modalità provvisoria.
bioscandel è di bitdefender

[Luke57]

Ciao, prova anche con questo:
http://www.merijn.org/files/adsspy.zip
CITAZIONE:
Decomprimi l'archivio ,avvia il programma,togli tutte le spunte presenti e mettila solo nella casella "Scan only this folder",clicca sul pulsantino e seleziona il disco rigido da scansionare,clicca su "Scan the system ecc " per far partire la scansione
A fine scansione dovresti visualizzare questo valore
C:\windows:yiis.log
Metti la spunta(flag) nella caselle che corrisponde al valore e clicca su "Remove selected streams"
non garantisco il risultato

[shenandoa]

Ho provato con adsspy ma anch'esso mi segnala che è "locked".
Domattina provo con ewido e gli altri suggerimenti che vorrai darmi stasera

a domani

Curiosità aggiuntiva:
nell'elenco ho più di 500 files (pdf,mp3,doc,zip da Internet) con Zone.Identifier, alcuni 3gp con SummaryInformation (da telefonino) e dei files Thumbs.db con encryptable... son critici ?

[Luke57]

Ciao, quei file non è facile eliminarli.
Prova anche con bitdefender:
http://www.kuma215.it/Guide%20K&J/K/Bit ... nder8.html
in questa guida è spiegato anche come utilizzarlo in mod.provvisoria.

[shenandoa]

Ciao Luke57 ... problema credo risolto: ho utilizzato VirIT che mi ha rimosso dei virus.
Ora non mi compare più l'ADS C:\WINDOWS:yiis.log nè con HijackThis nè con adsspy.
Ho installato anche BitDefender (zero virus) e pulito il registro con CCleaner

Se vuoi/puoi dare un'ultima occhiata ai log HijackThis e GMER per confermarmi che ora è tutto ok
Ogni tuo suggerimento è stato prezioso e ogni ulteriore è ben accetto
ma soprattutto... GRAZIE, GRAZIE, GRAZIE per il tuo aiuto


VirIT eXplorer Lite Log

SCANSIONE DELLA MEMORIA
OK
SCANSIONE DELLA MEMORIA
OK
SCANSIONE DELLA MEMORIA
OK
--------------------------------------------------------
25/08/2006 - 10:41:19

[SCANSIONE DEL REGISTRO]
{2a6af021-17a2-4014-8624-cf6015f82fad} Infetto da BHO.Agent.BA
* * * RIMOSSO * * *

[C:]
MASTER BOOT RECORD: OK
BOOT SECTOR: OK

C:\Programmi\IrfanView\Plugins\Iptc.dll Infetto da Backdoor.SdBot.G
* * * RIMOSSO * * *
C:\Programmi\IrfanView\Plugins\JPEG2000.dll Infetto da Trojan.Win32.SP
* * * RIMOSSO * * *
C:\WINDOWS:yiis.log:$DATA Infetto da Trojan.Win32.RootKit.E
* * * RIMOSSO * * *

Chiavi Registro infette: 1.
Files Infetti: 3.
Files Sospetti: 0.
Files Analizzati: 30778.
Files Totali: 30778.
Chiavi Registro rimosse: 1.
Virus Rimossi: 3.



Logfile of HijackThis v1.99.1
Scan saved at 18.14.47, on 25/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
C:\Programmi\Cisco Systems\CiscoTrustAgent\ctalogd.exe
C:\Programmi\Cisco Systems\CiscoTrustAgent\ctad.exe
C:\windows\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
C:\PROGRAMMI\VEXPLITE\viritsvc.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\GSCB75.EXE
C:\Programmi\Citrix\PNAgent\ssonsvr.exe
C:\Programmi\Intel\Wireless\Bin\ZcfgSvc.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programmi\Launch Manager\QtZgAcer.EXE
C:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRAMMI\VEXPLITE\MONLITE.EXE
C:\Programmi\Softwin\BitDefender8\bdnagent.exe
C:\Programmi\Citrix\PNAgent\pnagent.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
c:\programmi\softwin\bitdefender8\bdmcon.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\...\Software\Security\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intra/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Programmi\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.mtsintra.network/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 69.50.166.13 google.co.uk
O1 - Hosts: 69.50.166.13 http://www.google.es
O1 - Hosts: 69.50.166.13 google.es
O1 - Hosts: 69.50.166.13 google.com.au
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\windows\system32\bgstb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BgInfo] c:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [LManager] C:\Programmi\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [bgsmsnd.exe] C:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\PROGRAMMI\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [BDMCon] "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://faavs01.mtsintra.network:81/offi ... nNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://faavs01.mtsintra.network:81/offi ... tupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://faavs01.mtsintra.network:81/offi ... /setup.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://faavs01.mtsintra.network:81/offi ... veCtrl.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.intra/extintra/orgpublisher/OrgPubX.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mtsintra.network
O17 - HKLM\Software\..\Telephony: DomainName = mtsintra.network
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BB6A120-92BF-4569-ABF7-108EE190C438}: NameServer = 85.255.114.36,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{37B8CFD6-37D8-4ED2-830D-E5FA5390585F}: NameServer = 85.255.114.36,85.255.112.114
O17 - HKLM\System\CCS\Services\Tcpip\..\{C511CD89-3AF0-4D61-8A8D-79A91567EF88}: NameServer = 85.255.114.36,85.255.112.114
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mtsintra.network
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Programmi\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Cisco Trust Agent (ctad) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\CiscoTrustAgent\ctad.exe
O23 - Service: Cisco Trust Agent Event Logging Service (ctalogd) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\CiscoTrustAgent\ctalogd.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas http://www.tgsoft.it - C:\PROGRAMMI\VEXPLITE\viritsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-25 17:40:54
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.10 ----

Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CREATE [F7B15C98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_CLOSEIRP_MJ_READ [F7B15C98] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B154A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_SHUTDOWN [F7B153D2] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_SYSTEM_CONTROL [F7B15386] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_DEVICE_CHANGE [F7B154A4] SMBCLASS.SYS
Device \Driver\SMBHC \Device\SmbHc IRP_MJ_PNP_POWER [F7B15E88] SMBCLASS.SYS

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-25 17:41:22
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
IntelWireless@DLLName = C:\Programmi\Intel\Wireless\Bin\LgNotify.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
anbmService /*Notebook Manager Service*/@ = C:\Acer\eManager\anbmServ.exe
bdss /*BitDefender Scan Server*/@ = "C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service
ctad /*Cisco Trust Agent*/@ = "C:\Programmi\Cisco Systems\CiscoTrustAgent\ctad.exe"
ctalogd /*Cisco Trust Agent Event Logging Service*/@ = "C:\Programmi\Cisco Systems\CiscoTrustAgent\ctalogd.exe"
CVPND /*Cisco Systems, Inc. VPN Service*/@ = "C:\Programmi\Cisco Systems\VPN Client\cvpnd.exe"
EvtEng /*EvtEng*/@ = C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
ntrtscan /*OfficeScanNT RealTime Scan*/@ = C:\Programmi\Trend Micro\OfficeScan Client\ntrtscan.exe
OfcPfwSvc /*OfficeScanNT Personal Firewall*/@ = C:\Programmi\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
OwnershipProtocol /*OwnershipProtocol*/@ = C:\Programmi\Intel\Wireless\Bin\OProtSvc.exe
RegSrvc /*RegSrvc*/@ = C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
S24EventMonitor /*Spectrum24 Event Monitor*/@ = C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
tmlisten /*OfficeScanNT Listener*/@ = C:\Programmi\Trend Micro\OfficeScan Client\tmlisten.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\PROGRAMMI\VEXPLITE\viritsvc.exe
XCOMM /*BitDefender Communicator*/@ = "C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@IgfxTrayC:\WINDOWS\System32\igfxtray.exe = C:\WINDOWS\System32\igfxtray.exe
@HotKeysCmdsC:\WINDOWS\System32\hkcmd.exe = C:\WINDOWS\System32\hkcmd.exe
@BgInfoc:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent = c:\windows\bginfo.exe c:\windows\mts.bgi /timer:0 /silent
@OfficeScanNT Monitor"C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow = "C:\Programmi\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
@LManagerC:\Programmi\Launch Manager\QtZgAcer.EXE = C:\Programmi\Launch Manager\QtZgAcer.EXE
@PCSuiteTrayApplicationC:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray /*file not found*/ = C:\Programmi\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray /*file not found*/
@DataLayerC:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE = C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
@bgsmsnd.exeC:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe = C:\windows\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
@IntelZeroConfigC:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe = C:\Programmi\Intel\Wireless\bin\ZCfgSvc.exe
@IntelWirelessC:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless = C:\Programmi\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
@EOUAppC:\Programmi\Intel\Wireless\Bin\EOUWiz.exe = C:\Programmi\Intel\Wireless\Bin\EOUWiz.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@VIRIT LITE MONITORC:\PROGRAMMI\VEXPLITE\MONLITE.EXE = C:\PROGRAMMI\VEXPLITE\MONLITE.EXE
@BDMCon"C:\Programmi\Softwin\BitDefender8\bdmcon.exe" = "C:\Programmi\Softwin\BitDefender8\bdmcon.exe"
@BDNewsAgent"C:\Programmi\Softwin\BitDefender8\bdnagent.exe" = "C:\Programmi\Softwin\BitDefender8\bdnagent.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run@wininet.dll = /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{FED7043D-346A-414D-ACD7-550D052499A7} /*dBpowerAMP Music Converter 1*/(null) =
@{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} /*dBpowerAMP Music Converter*/(null) =
@{792F0537-F929-4eb7-AC1D-FB6334C71550} /*LG Phone*/(null) =
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{40950107-FEA6-4d53-A65F-B2DCBA57DD58} /*Nokia Phone Browser*/C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
@{FBFE7864-D495-41f0-B7DC-4BB601CC295E} /*Contact View*/C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll
@{C0C4375A-5B72-4efe-929D-3B848C3A1E91} /*Message View*/C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll
@{D653647D-D607-4DF6-A5B8-48D2BA195F7B} /*BitDefender Antivirus v8*/C:\Programmi\Softwin\BitDefender8\bdshelxt.dll = C:\Programmi\Softwin\BitDefender8\bdshelxt.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zipn.dll
BitDefender Antivirus v8@{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Programmi\Softwin\BitDefender8\bdshelxt.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zipn.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zipn.dll
BitDefender Antivirus v8@{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Programmi\Softwin\BitDefender8\bdshelxt.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.intra/ = http://www.intra/
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = mtsintra.network

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Program Neighborhood Agent.lnk = Program Neighborhood Agent.lnk
VPN Client.lnk = VPN Client.lnk

---- EOF - GMER 1.0.10 ----

[Luke57]

Ciao, sembra tutto a posto.