sysfind,e1xplorer,e 1000 altri simpatici bastardi;allego LOG

[davidone79]

cari amici, ormai prima che riesca a fare qualcosa con il computer passano un 20 minuti buoni, sono intasato da simpatici amici come quelli descritti nell'oggetto,
ho provato con killsgrunt ma il file me lo da danneggiato, percio' allego log file nella speranza di uscirne presto.
P.S. se potete scrivere passo passo il da farsi, non e' che sia un genio con il computer.GRAZIE A PRESTO


Logfile of HijackThis v1.99.1
Scan saved at 12.12.02, on 01/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Messenger\msmsgs.exe
C:\DOCUME~1\luigino\IMPOST~1\Temp\Directory temporanea 3 per hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {5BC04E4A-2526-9AF7-3BD3-D50B9A56A4BD} - C:\WINDOWS\srcnp1.dll (file missing)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Tray Temperature] C:\Programmi\Go!Zilla\weatherbug\minibug.exe 1
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ActionScr] iesetupdll.exe
O4 - HKLM\..\Run: [ms-its] StatusCheck.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sysmon.exe
O4 - HKLM\..\Run: [NopeZ] abrek.exe
O4 - HKLM\..\Run: [KeywordFinder] JAguAr.exe
O4 - HKLM\..\Run: [vrcp1.exe] C:\WINDOWS\Temp\vrcp1.exe
O4 - HKLM\..\Run: [zuyxs.exe] C:\WINDOWS\system32\zuyxs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk.disabled
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.1987324.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF7971B-7100-484D-B245-24A017369EBC}: NameServer = 213.152.192.129 213.152.192.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF7971B-7100-484D-B245-24A017369EBC}: NameServer = 213.152.192.129 213.152.192.130
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Unknown owner - C:\Programmi\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe

[Luke57]

Ciao, dato che ci sei scarica Gmer :
http://www.gmer.net/gmer110.zip
Dopo averlo scompattato, lo avvii, selezioni "Rootkit"
Clicca su "Scan"
Attendi la fine della scansione e clicca su "Copy"
Apri il block notes di windows, clicca su modifica e seleziona incolla

Poi fai una scansione con GMer dalla posizione Autostart, con le stesse procedure del precedente. Incolli il log generato nel suddetto block notes e poi incolli i due log in un post nel forum.

[davidone79]

scusa il ritardo, ma per fare la prima scansione ci ha messo solo 21 ore; e come se non bastasse si e' impiantato il computer.
dopo aver spento tutto l'ho riavviata e ci ha messo 10 minuti per entrambe le scansioni, mi da pero' un problema con

Library C:\WINDOWS\srcnp1.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3480]

intanto ti allego le 2 scansioni, grazie e a presto

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-02 15:48:06
Windows 5.1.2600 Service Pack 2

---- Processes - GMER 1.0.10 ----

Library C:\WINDOWS\srcnp1.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3480] 0x02900000 <-- ROOTKIT !!!

---- Registry - GMER 1.0.10 ----

Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAC@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI
Reg \Registry\MACHINE\SECURITY\Policy\Secrets\SAI@ 0

---- Files - GMER 1.0.10 ----

File C:\320c9dcd7804b7cd3d7f98\sp2\spmsg.dll
File C:\320c9dcd7804b7cd3d7f98\sp2\spuninst.exe
File C:\320c9dcd7804b7cd3d7f98\sp2\update
File C:\320c9dcd7804b7cd3d7f98\sp2\update\eula.txt
File C:\320c9dcd7804b7cd3d7f98\sp2\update\spcustom.dll
File C:\320c9dcd7804b7cd3d7f98\sp2\update\update.exe
File C:\Documents and Settings\elena\Documenti\Immagini\amor\' 002.jpg
File C:\Documents and Settings\elena\Documenti\Immagini\amor\amoe
File C:\Documents and Settings\elena\Documenti\Immagini\amor\amor 001.jpg
File C:\Documents and Settings\elena\Documenti\Immagini\amor\amor 002.jpg
File C:\Documents and Settings\elena\Documenti\Immagini\amor\amor 003.jpg
File C:\Documents and Settings\elena\Documenti\Immagini\amor\amor 004.jpg
File C:\Documents and Settings\elena\Documenti\Immagini\amor\amor 005.jpg
File C:\Documents and Settings\elena\Documenti\Immagini\amor\amor 006.jpg
File C:\Documents and Settings\elena\Documenti\Immagini\amor\danio
File C:\Documents and Settings\elena\Documenti\Immagini\amor\elenadanio
File C:\Documents and Settings\elena\Documenti\Immagini\amor\figo
File C:\Documents and Settings\elena\Documenti\Immagini\amor\P2270036.jpg
File C:\Documents and Settings\elena\Documenti\Immagini\amor\pasquetta 015.jpg
File C:\Documents and Settings\elena\Documenti\Immagini\amor\pasquetta 024.jpg
File C:\Documents and Settings\elena\Documenti\Immagini\amor\pasquetta io.JPG
File C:\Documents and Settings\elena\Documenti\Immagini\amor\Thumbs.db
File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{3C61EB23-FB24-4DAA-A137-20A67D6E1858}
File C:\WINDOWS\com4.iwl
File C:\WINDOWS\srcnp1.dll

---- EOF - GMER 1.0.10 ----






GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-09-02 15:48:48
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@Systemcsmor.exe = csmor.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\reset5@DLLName = reset5.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = \\?\C:\WINDOWS\com4.iwl

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
cmdService /*Command Service*/@ = C:\WINDOWS\ZGF2aWRl\command.exe
navapsvc /*Servizio Auto-Protect di Norton AntiVirus*/@ = C:\Programmi\Norton AntiVirus\navapsvc.exe /*file not found*/
Network Monitor /*Network Monitor*/@ = C:\Programmi\Network Monitor\netmon.exe service /*file not found*/
Reset 5 /*Reset 5*/@ = %systemroot%\system32\srvany.exe
SimpTcp /*Servizi semplici TCP/IP*/@ = %SystemRoot%\system32\tcpsvcs.exe
SNMP /*Servizio SNMP*/@ = %SystemRoot%\System32\snmp.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
SrvKcn /*SrvKcn*/@ = "C:\Programmi\File comuni\System\LCk.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Tray TemperatureC:\Programmi\Go!Zilla\weatherbug\minibug.exe 1 /*file not found*/ = C:\Programmi\Go!Zilla\weatherbug\minibug.exe 1 /*file not found*/
@NeroCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@winupdC:\WINDOWS\System32\winupd.exe /*file not found*/ = C:\WINDOWS\System32\winupd.exe /*file not found*/
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
@EPSON Stylus CX3600 SeriesC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600" = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
@HP Software Update"C:\Programmi\HP\HP Software Update\HPWuSchd2.exe" = "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
@HP Component Manager"C:\Programmi\HP\hpcoretech\hpcmpmgr.exe" = "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
@PCSuiteTrayApplicationC:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray /*file not found*/ = C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray /*file not found*/
@DataLayerC:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe = C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
@ActionScriesetupdll.exe /*file not found*/ = iesetupdll.exe /*file not found*/
@ms-itsStatusCheck.exe /*file not found*/ = StatusCheck.exe /*file not found*/
@SystemsC:\WINDOWS\system32\sysmon.exe = C:\WINDOWS\system32\sysmon.exe
@NopeZabrek.exe /*file not found*/ = abrek.exe /*file not found*/
@KeywordFinderJAguAr.exe /*file not found*/ = JAguAr.exe /*file not found*/
@vrcp1.exeC:\WINDOWS\Temp\vrcp1.exe = C:\WINDOWS\Temp\vrcp1.exe
@dmhfs.exeC:\WINDOWS\system32\dmhfs.exe = C:\WINDOWS\system32\dmhfs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@H/PC Connection Agent"C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE" = "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
@SystemCheck2C:\WINDOWS\System32\vbsys2 /*file not found*/ = C:\WINDOWS\System32\vbsys2 /*file not found*/
@UPnPMonitorC:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{32A9D769-5B55-4a25-9A62-86B5683FE50A} /*NikonView Drop Extension*/C:\Programmi\Nikon\NkView6\NkvDropExt.dll = C:\Programmi\Nikon\NkView6\NkvDropExt.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{04055D60-93D3-11D1-B8CC-00409524F097} /*Dossier d'immagini*/(null) =
@{7FC7C9B0-FED7-11D1-8F70-00409524F097} /*PackedImageFolder*/(null) =
@{F93F5F63-423F-11D2-8D61-00605206619F} /*Search Result*/(null) =
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\System32\nvcpl.dll = C:\WINDOWS\System32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{40950107-FEA6-4d53-A65F-B2DCBA57DD58} /*Nokia Phone Browser*/C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
@{FBFE7864-D495-41f0-B7DC-4BB601CC295E} /*Contact View*/C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll
@{C0C4375A-5B72-4efe-929D-3B848C3A1E91} /*Message View*/C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll
@{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Periferiche Plug and Play universali*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{5BC04E4A-2526-9AF7-3BD3-D50B9A56A4BD}C:\WINDOWS\srcnp1.dll = C:\WINDOWS\srcnp1.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.libero.it = http://www.libero.it
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagewww.1987324.com?301 = http://www.1987324.com?301
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
cetihpz@CLSID = C:\Programmi\HP\hpcoretech\comp\hpuiprot.dll
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mctp@CLSID = C:\Programmi\Microsoft ActiveSync\aatp.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINDOWS\System32\msdxm.ocx

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Microsoft Office.lnk = Microsoft Office.lnk
NkvMon.exe.lnk.disabled = NkvMon.exe.lnk.disabled

---- EOF - GMER 1.0.10 ----

[Luke57]

Ciao, scarica questo Tool:
http://www.prevx.com/gromozon.asp
chiudi le applicazioni e i programmi, lo esegui, al riavvio il tool terminerà la scansione esaminando le altre parti di windows. Al termine della scansione, posta il report del programma.

[davidone79]

questa e' la scansione, spero di aver fatto giusto
intanto grazie

Launching Scan
Removing rootkit file...
Scanning Windows Directory, this may take a few minutes...
>>>>>>>C:\WINDOWS\1E.tmp is infected with Malcode 2
>>>>>>>C:\WINDOWS\4.tmp is infected with Malcode 2
>>>>>>>C:\WINDOWS\5.tmp is infected with Malcode 2
>>>>>>>C:\WINDOWS\srcnp1.dll is infected with Malcode 2
>>>>>>>C:\WINDOWS\system32\sraa.dll is infected with Malcode 1
Searching for EFS service files...
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\AET.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\BmSoq.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\DUi.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\eWH.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\FPkgTQ.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\hfL.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\HiG.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\iSM.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\IWvG.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\LaV.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\LyQ.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\mHjz.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\MRZ.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\nie.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\oQb.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\oVc.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\shxYW.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\StBi.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\UcF.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\uosGgu.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\YMZ.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\Zmp.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\ZOrUP.exe
Encrypted File <AND> Hidden User Folder Detected!
User Folder: C:\Documents and Settings\\hHiKYwpo
File: C:\Programmi\File comuni\System\zRWI.exe
Trojan.Gromozon Removed!

Scan finished normally

[Luke57]

Ciao, scarica fixwareout sul desktop

http://downloads.subratam.org/Fixwareout.exe



e avvialo. Premi "Next", poi "Install". Accertati che la casella "Run fixit" sia selezionata e clicca "Finish".

Inizierà il fix: segui le istruzioni. Quando ti chiede di riavviare, riavvia il PC. Non preoccuparti se ci mette un po' a riavviarsi: è normale.

Al reboot segui le istruzioni. Al termine apri HijackThis, premi "do a system scan only", cerchi e spunti se ci sono sempre:


Allega il report di fixwareout (C:\fixwareout\report.txt) e un altro log di hiajckthis.

[davidone79]

mi da impossibile trovare la pagina, sia con il computer di casa che con quello dell'ufficio.
che faccio?

[Luke57]

Ciao, prova da qui:
http://www.bleepingcomputer.com/files/l ... areout.exe
Se durante l'esecuzione ti inoltrasse un messaggio tipo:
C:\WINDOWS\system32\AUTOEXEC.NT not there

Puoi scaricare il file da qui:
http://www.tech-forums.net/computer/topic/29806.html

[lucas/s]

http://www.bleepingcomputer.com/files/l ... areout.exe

[davidone79]

ciao luke57,ho eseguito tutto, apro hijackthis, premo ''do a system scn only'' ma cosa devo spuntare?
grazie a presto
p.s.
grazie anche a lucas

[Luke57]

Ciao, scusami mi era rimasto attaccato un post a un altro utente.
Riposta un altro log per vedere che cosa ha tolto il tool. Posta anche il log di fixwareout.

[davidone79]

eccoci, ti posto il log con hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 12.24.51, on 05/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Network Monitor\netmon.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\resetservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\system32\sysmon.exe
C:\WINDOWS\Temp\vrcp1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\sysfind.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\DOCUME~1\luigino\IMPOST~1\Temp\Directory temporanea 6 per hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://arianna.libero.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1987324.com?301
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {5BC04E4A-2526-9AF7-3BD3-D50B9A56A4BD} - C:\WINDOWS\srcnp1.dll (file missing)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll (file missing)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Tray Temperature] C:\Programmi\Go!Zilla\weatherbug\minibug.exe 1
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ActionScr] iesetupdll.exe
O4 - HKLM\..\Run: [ms-its] StatusCheck.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sysmon.exe
O4 - HKLM\..\Run: [NopeZ] abrek.exe
O4 - HKLM\..\Run: [KeywordFinder] JAguAr.exe
O4 - HKLM\..\Run: [vrcp1.exe] C:\WINDOWS\Temp\vrcp1.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk.disabled
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O15 - Trusted Zone: http://www.1987324.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF7971B-7100-484D-B245-24A017369EBC}: NameServer = 193.70.152.25 193.70.192.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF7971B-7100-484D-B245-24A017369EBC}: NameServer = 193.70.152.25 193.70.192.25
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Unknown owner - C:\Programmi\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Programmi\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe



e questo e' il post fatto con fixwareout


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C5AE1DB97141-A13A-D4C4-4FC9-D71399A5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4072D6740879-9B59-FA94-BA41-BAC2F980{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A86F2B5E255E-D43B-1BD4-FEF8-788597E2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9C291B8BF533-290A-F714-3C82-D535F803{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E6D7E4FFE712-B838-1DC4-F6AB-66D67150{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A363623B267A-48D9-4234-1113-0485B795{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}745B6FF6A335-5829-9874-1083-360D8A67{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}10806B6D68DE-0628-7604-1B3E-A91E53CF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6E7E91D6D4B4-A8D8-37E4-6078-9E4DCCF5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7E5F611C388A-7E09-43F4-F9B8-91C86EBB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E18BAB6D2701-A21B-21F4-C148-90387A96{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3D78C4FF58D4-7AE8-D924-0FF3-F33FB24B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}413EB01EDE9F-9478-5A44-62FD-8212EC90{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}50E37F751B9D-93EA-79A4-7CAC-D4436993{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}51B33C478B56-ECE9-6284-6A83-12E59940{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A2A1B68D8905-556A-90B4-2667-6944812F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DD438CFA8B9D-B278-EB64-63B3-857EB5FE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8267FB47ADFF-BF6B-FB14-7C97-B46C92B4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C0B1ACA27196-E6C8-3614-498D-7AA47F0A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D0FBB416384F-8829-F7D4-1805-E3CF3BAB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0FFB0B97EA7B-EEC9-B854-F43E-75C33761{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EA532B81E214-89E9-7964-966B-94997786{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}10C31105C0BA-0D9A-EEB4-A694-ACE930DB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}24068EBC69F0-8FC9-E9F4-C5FF-5326F1CB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0F174137C5F0-B8D9-0514-3433-345015CF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C736C67BB5D2-E11B-F494-B5AB-3CAD483E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}602D5302C0DF-74C8-9964-79A0-1ECABA81{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F384EE153A3A-5589-9894-44EF-601605F1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AA1C8914A98C-C50A-6DF4-F72D-D9CA3667{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7D80C975541-ED4A-F184-2306-909257B6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2DDF8A219EE9-919A-5604-1CA8-CAC654A8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6C546D77730F-5F9B-E064-572F-34844826{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A7113D6A05BE-F1B8-6F94-B38A-F758ED5E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}06964F99725B-1A58-B284-F65F-CF603307{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CF31EE240222-15FA-4294-6889-06600C73{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2433F86D3A44-AB48-1AD4-620B-2D689F85{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E9C16239E886-623A-0934-7C14-B0F828AF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}813B3478A720-2AEA-75F4-AEF3-B369FB76{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}99EF4E8DB9E5-B74B-C3F4-0826-DE4EA38F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4E1B48D78022-6749-B064-5967-56619B57{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}76515B1027F8-8958-BEE4-7449-8E4B6662{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}955ABE48A0D2-BFB9-E604-6563-906656EE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F763F15BA4ED-7C38-86F4-606D-88ED3E23{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0D19E65EF3FF-0D9A-E074-1023-21E08531{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4CEE9CA56068-AEB9-3324-E97F-51ACD4C9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A989E773395A-F01A-2A04-D764-40D1435A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ADCDA74F0550-F099-9F44-A804-E5BF529D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}260A1904A07A-CB4A-1DD4-6E6B-E42416BD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}859A45C07621-1788-4F34-757A-E0EA6974{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}44CEE751E4AC-FA2A-4224-2DA6-5418E82E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1BD7CB6E9521-1288-2DF4-E017-D27EB391{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0C0C713F2AC8-EE3B-99B4-82DC-CA3AA671{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0F0EA942B378-357A-F1D4-EF17-B338C422{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}32EEB27F329F-8499-B9E4-A179-07082A04{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}701E90A894BA-0D99-4AF4-55AD-2FDC3586{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}85DCC4E8254F-6198-FE44-7062-4185D598{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}267B339D9C82-3759-80F4-5174-62E9C716{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B9FDD19FB8C4-2DBB-6204-3BE6-34E194B1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3BC6F02285D1-CAFA-1C14-6BE0-8CBB8382{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}483D783EF79D-82F9-AF24-DB9A-772A187C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C839ABA3EFF8-CE09-5EE4-297B-535E7FD8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A008EF8843EE-F458-8B54-7E37-BDA0E728{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2A5859534992-1E39-A434-4794-4906DA6D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C7A1E8A06CF7-87F8-BFA4-1501-9DC83BE9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D0BFDCBE3F62-B8EA-8B34-F344-C31FBF39{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}500328356BB0-C548-8904-4158-6E6F49B1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}22E993E1487E-EC18-7A34-C1C3-69CB5ECF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}40B355DB98FB-2E2B-E214-1240-B778D9EE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B568DC94F37F-65FB-EE94-AC4F-6C0B4A33{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BD641B676F7C-55E8-0784-1874-08F726AE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D830FE53E62F-2C49-2FE4-DC90-5643427E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}25D7DC94EEC1-5FF8-7FA4-AA9C-A94283A4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7F139A7EFF59-42EA-52D4-3B58-6524E6D5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}78DECAE52A81-395B-AC14-E0B0-5044BDA0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0AB02819CFB9-0D1B-BC64-19B4-5470E3CF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3AC99DC45D37-FF3A-9D54-4EEB-46EEE75C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DC41A1362A30-09DA-0044-34C6-38034B2B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2D4BEC6D738B-26AA-49B4-3556-93BB94AE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B82883BD81C9-E658-00D4-80EF-47FE0CB4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}175F30B40DAC-82FB-44A4-5A7A-D49BF1DE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}442EC5E19B0F-B46A-0844-7DAB-657E83DE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0906684E0C1A-2E78-4A04-206A-7105B47F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}08AB072A0D8C-6BA9-B054-E7F2-A738E139{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F8174AAF5788-F80B-5BA4-B8EA-35EFF5DD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}194B4B4AA52F-18FA-D364-FF86-B27D54F3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8D4AA60192A1-E328-6794-FF54-040182DC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ED4DC6E82E58-4119-5594-E155-A77BC10A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6347D9FE5B6A-5349-5F84-D228-5C6C73FB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4D8E14B14951-4928-A2A4-A15B-7F9E002A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1CCD2D442736-BF79-B8F4-9EE6-DD03E974{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}66E588AA0B32-E0EB-4784-AE6E-0C728C25{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}622463E16CB4-68DB-3394-1429-E884C856{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0A8728B18A71-038B-7774-D7E4-9F241982{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7517E6EB585-D499-E084-9F95-11BF117C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E196A1E0B0A9-D4F8-40E4-5B5B-45434E7F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5288C5F034CF-0629-88C4-D917-8ABEDE4C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E4FABF440016-8ABA-9844-AF1C-69DD3618{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EEA43598B77D-A7BB-2654-8D52-A0B67656{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9F0644525E4A-8F08-D2F4-49A7-85AAE12C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}41809F6C9AD6-878B-DB84-5ACE-542F9986{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B1E6C4594CDF-A139-9584-EE5D-B7647243{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D5294DCFAD68-AF7B-8074-ACCF-A57C8CF2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ADA3D9C09A83-8B38-E414-83B2-1D79C7F2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7C495B4CF722-291B-C304-EB9F-2FC8A603{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3174507A25C0-64DA-8514-3DE4-4F347C1B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CFE6C21B89AF-8439-6084-84F6-8761AA4D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}41C26C8DDD38-6688-E544-533D-E7B4EF18{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EE53796D99E0-EF99-FDE4-F065-6D02FD14{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B415F5A80EB5-DF49-44E4-724C-B6D7E6C3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}29F84A620507-4559-7374-B6F3-8D19D7F8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1E91BA7F6BB5-52BB-CF64-FF81-A2B5DA07{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}36D8FA728609-205A-FA74-67CB-30376245{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BA4636D8AB8A-591A-C8F4-018E-C1CE417E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A9B4F7E6B688-E1DA-EAF4-3A96-4F7821FE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FB7B440B22C2-4759-2C04-4964-567063DF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A11043551708-64A8-4724-08F6-9C728C7F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DC8AD9235C10-95F8-7334-9033-869CF7B1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}204ABE13A18A-F108-DC84-A8C8-B4CD5185{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A16E00BFFF76-CE28-A604-9B2B-9AC5EDF1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}54DC7FF17592-2EEB-6024-4082-4CBF5CBD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3715A80F100C-36C8-D604-1870-79509E94{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}94738926B370-0428-1AD4-2A7E-B706CDAE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}82D8975CCF8D-8EAB-ADA4-6D8A-B8935974{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}79BC156EE1C5-A028-F174-FE39-1AFD798A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}907DD19B6BAB-9D58-2AF4-7A29-A85D834C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}20453AF9C946-8AF9-8874-3313-5D3B2897{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F316C3DDACD3-F798-4854-BEA3-46FC1509{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B37741CD86BE-B358-7B54-9C9D-92543539{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C4B145F7ED28-9838-5CA4-7B44-17819265{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DCF6946513BF-9BAB-7E64-FB99-9A7A35BD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}61F1B6C7322C-FAB9-72A4-4489-FEDB7138{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C70D8BE8DCA1-9669-4C44-2133-6BF1CB15{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}687BBE91F231-E858-C7B4-70C3-8861783D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2FA3D0499CFF-4AE9-8DE4-3AEB-BDBAC0CF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C4A2ABD57E81-5A99-DB64-401A-53398FDB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}86C9F0D9E3BF-F3DA-0DA4-DA0A-579AEF09{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F21939C43CEE-5E68-DAE4-39CC-C550846D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CD900EA4813F-FDDB-E684-B256-2D68C34C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E050ADCF643A-6719-AD34-868E-55E549FA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BFEB910A8841-6B59-CD44-EA8C-03D8D688{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}51901F665319-E9EA-3744-E59E-4401FD69{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1DCE7E3A5CC7-BE59-E5B4-0F33-45765849{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A305028C8A16-74DB-2154-CD0A-F547E07C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}688DA74AD259-1D38-ECF4-B289-BD426CCC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1C52F4A307F4-E619-6BC4-07E3-4773847A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}961B15902830-D468-8F64-4E91-A6EFC636{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4CD0DCCA2DB4-0878-EB24-2537-06F2A353{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2F1DFC92AFFD-036A-1284-69FA-DEE85FE7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FC39F3B51460-EDB8-BE84-01E8-B0B4B855{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8428798802B0-6F68-6544-761A-97446DD0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F436B7A4611A-B0A9-FA74-0FA0-11AE1C7C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7029F92A6AD5-9B8A-1EB4-03D5-CDDF6F5D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B26213D7FCFC-ED0A-92F4-9B92-962279B2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}73A9AAEA6932-FA78-8494-F525-9CEA83C3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2E555FCBC32A-E36A-7D64-5135-39EB9A29{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}89E18C728ED4-54F8-8D34-658A-0F877CA4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}944A8ABCEDA2-C038-7F54-2056-91B0C7E5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B3AA1B2630BC-F18A-BB04-76CC-32F2D55F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}717BFD2E176D-58E8-9D94-F57C-819B8F0E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A4693B699317-4B79-26A4-0F1B-6210E809{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3F47D044A5D5-AE9A-7104-FEF5-51054765{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DC9BAA5869A3-9A68-9E04-BD0F-76803F1A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FCEF20D50E2A-1F88-6174-1AB2-A97E962C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C63A33A29083-C8C8-04F4-9004-E410133E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BA3EE2C8FC3A-B21B-A9A4-B086-F8EDB7E4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4E161C390DD1-C5DB-1A34-FA57-1E7B87BD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B9A9D6C1CA0F-1109-BF64-3A46-15CFFBCE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DDD9765B4E6A-2E6A-68D4-7B7B-7CCEAEFB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4E6186E9F03F-7178-86C4-0406-4022E9A4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1C8CD94B2A12-3BBA-DF74-5501-D84C9805{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}314363CF69C3-6888-F464-824B-EDDA883D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8F0C6E484E05-3479-8774-DB53-3010E92B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7545BFE1EE76-E09A-A714-D38A-EDC89919{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5EA066A53680-E32B-6EA4-B7FD-A8FA05B8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}90AF2035FC4A-750B-6234-2B4F-ABF2D633{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}160E1F57A65D-C1EA-FF64-E175-DFFFB20E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AE1CD635DB20-6619-E4A4-AB26-54730002{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\reimd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\onisacputes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\daolnwodi
...

Microsoft (R) Windows Script Host Versione 5.6
Random Runs removed from HKLM
"dmier.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
C:\WINDOWS\SYSTEM32\DMDUV.EXE
C:\WINDOWS\SYSTEM32\DMFMQ.EXE
C:\WINDOWS\SYSTEM32\DMHFS.EXE
C:\WINDOWS\SYSTEM32\DMIER.EXE
C:\WINDOWS\SYSTEM32\DMIUY.EXE
C:\WINDOWS\SYSTEM32\DMLCQ.EXE
C:\WINDOWS\SYSTEM32\DMMFV.EXE
C:\WINDOWS\SYSTEM32\DMZNN.EXE
* csr.exe C:\WINDOWS\System32\CSMRT.EXE

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSMRT.EXE 51.200 2006-02-21
C:\WINDOWS\SYSTEM32\DMDUV.EXE 44.032 2004-08-19
C:\WINDOWS\SYSTEM32\DMFMQ.EXE 44.032 2004-08-19
C:\WINDOWS\SYSTEM32\DMHFS.EXE 44.032 2004-08-19
C:\WINDOWS\SYSTEM32\DMIER.EXE 44.032 2004-08-19
C:\WINDOWS\SYSTEM32\DMIUY.EXE 44.032 2004-08-19
C:\WINDOWS\SYSTEM32\DMLCQ.EXE 44.032 2004-08-19
C:\WINDOWS\SYSTEM32\DMMFV.EXE 44.032 2004-08-19
C:\WINDOWS\SYSTEM32\DMZNN.EXE 44.032 2004-08-19

Other suspects.
Directory of C:\WINDOWS\system32
{E8E843B9-AC60-408A-9D0A-0CC274D52D10}.dll
{AB16CE1D-568D-462A-B731-78BF54B6A8BE}.exe
{11A171C8-F5BC-49A9-AC1C-B82F6D8CE08C}.exe
{8AD7866C-3D70-4FA9-B64A-1A4DF70D19BA}.exe
{ACBD48CF-9BBD-4B11-B3E6-E0378FD43FAB}.exe
{EBE31371-90D3-49A2-A592-1C810ABFCF8B}.exe
{7A0D42D7-8FF9-4B6B-A720-D335C901CE12}.exe
{D6DF7B31-BFE9-4A19-B20D-19C7BEF97906}.exe
{B936583C-BCD5-4950-BEF1-4CC2F5901049}.exe
{998F9955-FF40-49B2-B51A-E80039A1A144}.exe
{16EFA7B3-F251-4439-8BCB-59A18A0D837A}.exe
{D7E04CA8-6E5C-4533-95CC-D31E41BD3A2E}.exe
{D0558A69-8057-4A59-A5D2-14880765B240}.exe
{95A50A2C-48FE-4180-B1B9-9306BA119BEE}.exe
{775F7D38-A6DE-4E4E-A61D-21AC9F2E3370}.exe
{BAF0CE9C-D6A6-4FA3-AF35-82F937B30FB2}.exe
{B36FADAC-A526-4202-9AC2-27ADA8A01C0C}.exe
{587B7E9A-547B-494B-BC07-A5DE7EA879B9}.exe
{69FCE787-FB81-4C85-A398-10260D6FAD33}.exe
{00B89597-57CC-4400-A55A-AF1BFC1AF58E}.exe
{69A78309-841C-4F12-B12A-1072D6BAB81E}.exe
{5FCCD4E9-8706-4E73-8D8A-4B4D6D19E7E6}.exe
{76A8D063-3801-4789-9285-533A6FF6B547}.exe
{597B5840-3111-4324-9D84-A762B326363A}.exe
{05176D66-BA6F-4CD1-838B-217EFF4E7D6E}.exe
{2E795887-8FEF-4DB1-B34D-E552E5B2F68A}.exe
{428ED8AF-D228-42AF-98D9-9E0C702B0FBC}.exe
{EDB75AB0-D2D7-4A07-B0EC-4FA759D9C277}.exe
{3FC57A7B-A9DC-4730-888C-C88AEB988393}.exe
{51931EFB-4E67-4039-AC64-945642D8CF8A}.exe

»»»»» Misc files.
C:\WINDOWS\System32\302.exe

»»»»» Checking for older varients covered by the Rem3 tool.
C:\WINDOWS\System32\run_dos.dll
C:\WINDOWS\System32\opensdl2.exe



a presto

[Luke57]

Ciao, scarica stinger 2.6.0 da qui:
http://vil.nai.com/vil/stinger/
è stand alone non va installato

Scarica ATFCleaner da qui:
http://www.atribune.org/ccount/click.php?id=1
Per eliminare i file temporanei



Apri hijackthi, premi “open the misc tools section”, poi “Open rocess manager”, cerchi ed evidenzi i seguenti processi ( se non ci sono tutti, vai avanti lo stesso)
C:\WINDOWS\system32\sysmon.exe
C:\WINDOWS\Temp\vrcp1.exe
C:\Programmi\Network Monitor\netmon.exe
C:\WINDOWS\system32\sysfind.exe

Premi kill process

Torni al menu principale con bak, premi “scan”, cerchi e spunti le voci seguenti (se ci sono tutte):

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5BC04E4A-2526-9AF7-3BD3-D50B9A56A4BD} - C:\WINDOWS\srcnp1.dll (file missing)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecustom32.dll (file missing)
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [ActionScr] iesetupdll.exe
O4 - HKLM\..\Run: [ms-its] StatusCheck.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sysmon.exe
O4 - HKLM\..\Run: [NopeZ] abrek.exe
O4 - HKLM\..\Run: [KeywordFinder] JAguAr.exe
O4 - HKLM\..\Run: [vrcp1.exe] C:\WINDOWS\Temp\vrcp1.exe
O15 - Trusted Zone: http://www.1987324.com
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Programmi\Network Monitor\netmon.exe

Premi fix checked

Riavvia in modalità provvisoria
(Avviare il computer.Subito dopo il calcolo della RAM e prima che inizi a caricarsi Windows, iniziare a premere ripetutamente il tasto F8 sulla tastiera. Continuare a farlo fino a visualizzare il menu Opzioni avanzate di Windows . Usando i tasti freccia sulla tastiera, scorrere le opzioni e selezionare il menu Modalità Provvisoria, quindi premere Invio)
Fai una scansione con stinger 260 a tutte le unità.

Rendi visibili file e cartelle nascosti
(vai in start>impostazioni>pannello di controllo>opzioni cartella, e clicca su "visualizzazione". Seleziona "visualizza file e cartelle nascosti", "visualizza il contenuto delle cartelle di sistema" e deseleziona "nascondi file protetti e di sistema").
Clicca su OK


Fai una scansione con stinger 260 su tutte le unità fisse del computer (basta avviarlo con doppio click e scegliere Scan, dopo aver impostato le unità da visionare)

Cerchi ed elimini i seguenti file e cartelle (se ci sono tutti):
C:\WINDOWS\system32\sysmon.exe
C:\WINDOWS\Temp\vrcp1.exe
C:\Programmi\Network Monitor----- >la cartella
C:\WINDOWS\system32\sysfind.exe
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\Temp\vrcp1.exe
abrek.exe (da cercare)
JAguAr.exe (da cercare)

Da pannello di controllo, installazioni\applicazioni , rimuovi le applicazioni sospette che non conosci e che non hai installato tu (Network Monitor)

Avvia ATF cleaner clicca sul menu "main" e poi seleziona la casella "Select All". Adesso clicca sul pulsante "Empty selected" e aspetta il messaggio "Done Cleaning!".


Riavvia in mod.normale e posta nuovo log di controllo

[davidone79]

ciao luke57, forse siamo a buon punto, comunque

con hijackthis pero' non riesco a eliminare il file netmon.exe, dice che potrebbe essere protetto da windows, per gli altri 3 file ho dovuto chiuderli attraverso task manager, netmon.exe invece non se ne va.

nell'ultima scansione con stinger 260 non ha trovato neanche 1 file, forse meglio cosi'.

ti posto il log


Logfile of HijackThis v1.99.1
Scan saved at 1.28.15, on 06/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\luigino\IMPOST~1\Temp\Directory temporanea 8 per hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://arianna.libero.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1987324.com?301
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Tray Temperature] C:\Programmi\Go!Zilla\weatherbug\minibug.exe 1
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk.disabled
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Unknown owner - C:\Programmi\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe

a presto

[Luke57]

Ciao, mi sa che l'hai eliminato, non è più presente nei processi. In ogni caso:
se non riesci ad eliminarlo manualmente usa killbox:
http://www.killbox.net/downloads/KillBox.exe
estrailo sul desktop e apri la cartella che lo contiene e quindi avvialo
- Seleziona l'opzione Delete on Reboot . Nello spazio scrivi il percorso del file da eliminare
C:\Programmi\Network Monitor\netmon.exe
e clicchi sulla crocetta rossa.

Per il resto il log mi sembra pulito.

[davidone79]

nel frattempo ti ringrazio per i tuoi importanti consigli e se avrai modo di passare a vicenza, avanzi svariati spritz!!!!

saresti in grado di darmi anche dei link per poter scaricare programmi freeware anti-virus, spyware, malware e tutto quello che secondo te sembra utile per evitare il piu' possibile questi problemi?

a presto

[Luke57]

Ciao, m'era passata, elimina con hiajckthis questa voce:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.1987324.com?301

[davidone79]

fatto.
guardando i processi in corso con hijackthis( da open the misc tools selection) c'e' ancora questo percorso:
c:\programmi\internet explorer\iexplorer.exe
secondo te e' da eliminare?
ti ri-posto il nuovo log

Logfile of HijackThis v1.99.1
Scan saved at 11.59.10, on 06/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\HP\hpcoretech\hpcmpmgr.exe
C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\DOCUME~1\luigino\IMPOST~1\Temp\Directory temporanea 11 per hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://arianna.libero.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Tray Temperature] C:\Programmi\Go!Zilla\weatherbug\minibug.exe 1
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmi\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programmi\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk.disabled
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BF7971B-7100-484D-B245-24A017369EBC}: NameServer = 193.70.152.25 193.70.192.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BF7971B-7100-484D-B245-24A017369EBC}: NameServer = 193.70.152.25 193.70.192.25
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Unknown owner - C:\Programmi\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe

a presto

[davidone79]

grazie per la risposta
alla prossima

[andorra24]

Disinstalla dal Pannello di controllo/installazione applicazioni Go!Zilla perche' contiene spywares e non e' affidabile.

Con hijackthis elimina le seguenti voci premendo fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thenewsearch.com/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://thenewsearch.com/search.html
O4 - HKLM\..\Run: [Tray Temperature] C:\Programmi\Go!Zilla\weatherbug\minibug.exe 1