PC lentissimo!!!

[S4R4K]

Ciao a tutti,
da un po' di giorni il mio PC è lentissimo, faccio fatica ad aprire anche le cartelle ed al massimo apro due pagine internet alla volta: ma che lentezza!
Dal Task Manager mi accorgo subito di processi attivi che prima non c'erano: hpqste08.exe, hprblog.exe, wuauclt.exe, che sicuramente contengono qualche malware.
Per evitare di far danni vi posto qui il log di HijackThis chiedendovi di darmi una mano a risolvere il problema: ci sono anche le famigerate stringhe HBO... please, AIUTO!

Ecco il log:

Logfile of HijackThis v1.99.1
Scan saved at 2.56.43, on 16/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\wifipack.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\DAP\DAP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Programmi\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programmi\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sarak\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://arianna.libero.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rocorosso.splinder.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libero.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Libero
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\wifipack.exe",
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 205.238.40.1 http://www.winmx.com
O1 - Hosts: 205.238.40.1 err.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {B71BB4A1-83C6-C995-0FC3-86615A2EC46C} - C:\WINDOWS\mcagy1.dll (file missing)
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Programmi\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Programmi\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskTray] C:\Programmi\Creative\SBAudigy\TaskBar\CTLTray.exe
O4 - HKCU\..\Run: [TaskBar] C:\Programmi\Creative\SBAudigy\TaskBar\CTLTask.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Salva oggetto con NetXfer - C:\Programmi\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Salva tutti gli oggetti con NetXfer - C:\Programmi\Xi\NetXfer\NXAddList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: (no name) - {44EFB53C-C965-43CF-9F45-52242D134187} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F98184BB-2A6D-480A-A11C-DC55308D8026}: NameServer = 193.70.192.25,193.70.152.25
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Luke57]

Ciao, sembri infetto da linkoptimizer.
Apri hiajckthis, con le altre applicazioni chiuse e disconnesso da internet, premi "open the misc tools section", "open process manager", cerca il seguente processo:
c:\windows\wifipack.exe
premi kill process.

Torna al menu principale con back, premi scan, cerca e spunta le seguenti voci:
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\wifipack.exe",
O2 - BHO: Class - {B71BB4A1-83C6-C995-0FC3-86615A2EC46C} - C:\WINDOWS\mcagy1.dll (file missing)
premi fix checked

Poi elimina tutti i file temp di windows e di ie. Allo scopo usa ATFCleaner:
http://www.atribune.org/ccount/click.php?id=1

Avvia ATF cleaner clicca sul menu "main" e poi seleziona la casella "Select All". Adesso clicca sul pulsante "Empty selected" e aspetta il messaggio "Done Cleaning!".

Scarica Avgpfix da qui:
http://www.nod32.it/cgi-bin/mapdl.pl?tool=Agent.VP

Poi rendi visibili file e cartelle nascosti:
da risorse del computer>strumenti>Opzioni Cartella
Seleziona Visualizza
Spunta "mostra file e cartelle nascoste"
Togli la spunta da "nascondi file di sistema protetti (consigliato)"
Click Ok

Avvii AVgpfix, cerchi ed elimini il file:
c:\windows\wifipack.exe
(basta lanciarlo, premere Start, individuare il file e premere OK)
Poi Scarica questi due tools:

http://www.prevx.com/gromozon.asp

Tool di rimozione della Symantec:
http://smallbiz.symantec.com/security_r ... 16-4153-99

Eseguili uno alla volta; disattiva il tuo antivirus durante la scansione.

Quello della prevx fa riavviare il computer e al riavvio viene completata la scansione, al termine della quale viene rilasciato un report che trovi in C:\Gromozon_Removal.log.

Poi esegui il tool della symantec (dalla modalità provvisoria; se
non sai come andarci, premi ripetutamente il tasto F8 all'accensione del computer prima che inizi a caricarsi windows; sulla schermata grigia che appare scegli modalità provvisoria spostandoti con le freccette e premendo invio).

Anche questo tool rilascia un rapporto della scansione nella cartella dove
hai messo il file (Fixlinkopt.log)

Posta i report delle scansioni dei due tools.

[S4R4K]

Grazie mille,
provvedo immediatamente e posto i report.

[S4R4K]

Tutto fatto!

Questo è il report gromozon:

Removal tool loaded into memory
------------------------------------
Executing rootkit removal engine....
------------------------------------
Disabling rootkit file:
Resetting file permissions...
Clearing attributes...
Impossibile trovare il file - C:\_cleaned.tmp
Removing file...
Rootkit removed! Cleaning up...

Removing temp files...
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\System\cYnA.exe
Removing protected file: C:\Programmi\File comuni\System\DPx.exe
Removing protected file: C:\Programmi\File comuni\System\efv.exe
Removing protected file: C:\Programmi\File comuni\System\GBQF.exe
Removing protected file: C:\Programmi\File comuni\System\gWfTH.exe
Removing protected file: C:\Programmi\File comuni\System\iBfSxL.exe
Removing protected file: C:\Programmi\File comuni\System\KGI.exe
Removing protected file: C:\Programmi\File comuni\System\Kur.exe
Removing protected file: C:\Programmi\File comuni\System\LdZUo.exe
Removing protected file: C:\Programmi\File comuni\System\mkctp.exe
Removing protected file: C:\Programmi\File comuni\System\nFe.exe
Removing protected file: C:\Programmi\File comuni\System\pIL.exe
Removing protected file: C:\Programmi\File comuni\System\pKIoB.exe
Removing protected file: C:\Programmi\File comuni\System\Qti.exe
Removing protected file: C:\Programmi\File comuni\System\qtj.exe
Removing protected file: C:\Programmi\File comuni\System\QYUCIx.exe
Removing protected file: C:\Programmi\File comuni\System\tBB.exe
Removing protected file: C:\Programmi\File comuni\System\tqBrED.exe
Removing protected file: C:\Programmi\File comuni\System\ujReyq.exe
Removing protected file: C:\Programmi\File comuni\System\Wptvz.exe
Removing protected file: C:\Programmi\File comuni\System\xkD.exe
Removing protected file: C:\Programmi\File comuni\System\ZUb.exe
Removing protected file: C:\Programmi\File comuni\System\zVw.exe
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\IntelMon.exe
Removed!


Trojan.Gromozon Removed!




Questo è il report symantec:

Symantec Trojan.Linkoptimizer Removal Tool 1.0.8
Restored SeDebugPrivilege to Administrators group
service: UpdYar (logon as: .\Olmo, passed filters)
service: UpdYar (file path: C:\Programmi\File comuni\System\aXg.exe - infected)
file: C:\Programmi\File comuni\System\aXg.exe (deleted)
reg: ...\SYSTEM\CurrentControlSet\Services\UpdYar\Security (key deleted)
reg: ...\SYSTEM\CurrentControlSet\Services\UpdYar\Enum (key deleted)
reg: ...\SYSTEM\CurrentControlSet\Services\UpdYar (key deleted)
reg: ...\SpecialAccounts\UserList\Olmo (value deleted)
folder: \\?\C:\Documents and Settings\Olmo (deleted)
user: Olmo (deleted)


C:\WINDOWS\mcagy1.dll: (deleted)

Trojan.Linkoptimizer has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 128077
The number of deleted threat files: 2
The number of directories deleted: 1
The number of threat processes terminated: 0
The number of threat threads terminated: 0
The number of registry entries fixed: 4
The number of threat services removed: 1
The number of accounts disabled: 1

The tool initiated a system reboot.

registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (cleared)




infine questo è il nuovo Logfile of HijackThis v1.99.1
Scan saved at 14.27.47, on 16/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\windows\ibmnet.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\DAP\DAP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Programmi\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Utility\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://arianna.libero.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rocorosso.splinder.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libero.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Libero
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\ibmnet.exe",
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 205.238.40.1 http://www.winmx.com
O1 - Hosts: 205.238.40.1 err.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Programmi\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Programmi\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskTray] C:\Programmi\Creative\SBAudigy\TaskBar\CTLTray.exe
O4 - HKCU\..\Run: [TaskBar] C:\Programmi\Creative\SBAudigy\TaskBar\CTLTask.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Salva oggetto con NetXfer - C:\Programmi\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Salva tutti gli oggetti con NetXfer - C:\Programmi\Xi\NetXfer\NXAddList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: (no name) - {44EFB53C-C965-43CF-9F45-52242D134187} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC31363-2ECB-4AB3-9014-D0710DE2FF38}: NameServer = 193.70.152.15 193.70.152.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{F98184BB-2A6D-480A-A11C-DC55308D8026}: NameServer = 193.70.192.25,193.70.152.25
O17 - HKLM\System\CS3\Services\Tcpip\..\{2BC31363-2ECB-4AB3-9014-D0710DE2FF38}: NameServer = 193.70.152.15 193.70.152.25
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Spero che non ci siano più problemi.
Grazie mille!

[Luke57]

Ciao, fai queste verifiche:
apri hijackthis, premi “open the misc tools section”, “ open uninstall manager”, se fra le applicazioni è presente qualcuno di questi

-ConnectionService
-Power Verify
-StrongestGuard
-ConnectionKnight
-StrongestOptimizer
-SecurityOptimizer
-InternetOptimizer
-StrongestPaladin
-SecurityGuard
-InternerGuard
-InternetShield
selezionalo e premi il tasto “delete this entry”.

Poi da start>esegui>lusrmgr.msc (lo digiti nello spazio), se nella cartella Users trovi un utente con nome casuale tipo XPRzuvN o anche Olmo, lo evidenzi e lo rimuovi.
Controlla se nella cartella C:\documents and settings non vi sia una cartella con lo stesso nome dell’utenza eventualmente trovata. Se presente eliminala.

[S4R4K]

Ho trovato:
ConnectionService
InternetKnight

ed ho cancellato le entrate.

Non ho trovato invece alcun Users anomalo.

Il PC anche ora è piuttosto lento e ci mette parecchio per spegnersi.
Riprovo ora e spero vada meglio.
Grazie

[Luke57]

Ciao, proviamo a fare questo controllo:
scarica Gmer da qui:
http://www.majorgeeks.com/GMER_d5198.html
scompatta il file .zip e avvia gmer.exe.
Per entrare in Avanzate premi il tab>>>>. Poi scegli il tab Rootkit, lascia le impostazioni di default, metti la spunta alla casella ADS, fai uno Scan completo. Chiudi, prima dello scan, tutti i programmi e le applicazioni aperti.
Al termine, premi il tasto Copy e incolla il report in un foglio di testo.
Sempre con Gmer ti sposti sul tab Autostart (non spuntare la casella show all), premi Scan. Al termine dello scan, premi Copy. Incolli il report nel foglio precedentemente salvato e poi incolli i due report in un post nel forum.
Inoltre controlla che nella cartella C:\Documents and Settings\Nomeutente\Impostazioni locali\Temp\non via siano file tipo PXR1E.tmp, PXR2E.tmp e così via. Se ci sono, dimmi il percorso esatto della cartella dove si trovano e il loro nome, perchè non si cancellano facilmente

[S4R4K]

Ciao,
purtroppo ci sono le voci che mi hai detto di controllare e sono molte. Tutte in carattere verde.
Eccole:

PXR1A.tmp
PXR1B.tmp
PXR1C.tmp
PXR6.tmp
PXR7.tmp
PXR8.tmp
PXR9.tmp
PXR10.tmp
PXR11.tmp
PXR12.tmp
PXR13.tmp
PXR14.tmp
PXR15.tmp
PXR16.tmp
PXR17.tmp
PXR18.tmp
PXR19.tmp
PXRA.tmp
PXRB.tmp
PXRC.tmp
PXRD.tmp
PXRE.tmp
PXRF.tmp

Il percorso è questo:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp


Questi sono i report di GMER, uno di seguito all'altro.
Grazie ancora.



GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-16 17:13:25
Windows 5.1.2600 Service Pack 2

.text ...

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE
ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:8FB6501C
ADS C:\Programmi\Internet Explorer\iexplore.exe:SummaryInformation
ADS C:\Programmi\Internet Explorer\iexplore.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 1D5 804E2831 3 Bytes [ 14, B7, F6 ]
.text ntoskrnl.exe!_abnormal_termination + 1D5 804E2831 3 Bytes [ 14, B7, F6 ]
.text ntoskrnl.exe!_abnormal_termination + 310 804E296C 1 Byte [ 76 ]
.text ntoskrnl.exe!_abnormal_termination + 310 804E296C 1 Byte [ 76 ]
.text ntoskrnl.exe!_abnormal_termination + 312 804E296E 2 Bytes [ 67, F8 ]

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 82799E10
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 82799E10
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 82799E10
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 82799E10
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 82799E10
Device \Driver\nvatabus \Device\0000007b IRP_MJ_CLEANUP 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_CLOSE 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_CREATE 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_CREATE_MAILSLOT 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_CREATE_NAMED_PIPE 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_DEVICE_CHANGE 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_DEVICE_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_DIRECTORY_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_FILE_SYSTEM_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_FLUSH_BUFFERS 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_INTERNAL_DEVICE_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_LOCK_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_PNP 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_POWER 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_QUERY_EA 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_QUERY_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_QUERY_QUOTA 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_QUERY_SECURITY 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_QUERY_VOLUME_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_READ 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_SET_EA 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_SET_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_SET_QUOTA 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_SET_SECURITY 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_SET_VOLUME_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_SHUTDOWN 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_SYSTEM_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007b IRP_MJ_WRITE 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_CLEANUP 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_CLOSE 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_CREATE 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_CREATE_MAILSLOT 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_CREATE_NAMED_PIPE 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_DEVICE_CHANGE 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_DEVICE_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_DIRECTORY_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_FILE_SYSTEM_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_FLUSH_BUFFERS 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_INTERNAL_DEVICE_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_LOCK_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_PNP 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_POWER 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_QUERY_EA 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_QUERY_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_QUERY_QUOTA 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_QUERY_SECURITY 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_QUERY_VOLUME_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_READ 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_SET_EA 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_SET_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_SET_QUOTA 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_SET_SECURITY 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_SET_VOLUME_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_SHUTDOWN 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_SYSTEM_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007c IRP_MJ_WRITE 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_CLEANUP 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_CLOSE 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_CREATE 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_CREATE_MAILSLOT 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_CREATE_NAMED_PIPE 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_DEVICE_CHANGE 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_DEVICE_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_DIRECTORY_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_FILE_SYSTEM_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_FLUSH_BUFFERS 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_INTERNAL_DEVICE_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_LOCK_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_PNP 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_POWER 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_QUERY_EA 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_QUERY_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_QUERY_QUOTA 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_QUERY_SECURITY 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_QUERY_VOLUME_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_READ 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_SET_EA 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_SET_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_SET_QUOTA 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_SET_SECURITY 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_SET_VOLUME_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_SHUTDOWN 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_SYSTEM_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007d IRP_MJ_WRITE 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_CLEANUP 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_CLOSE 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_CREATE 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_CREATE_MAILSLOT 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_CREATE_NAMED_PIPE 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_DEVICE_CHANGE 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_DEVICE_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_DIRECTORY_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_FILE_SYSTEM_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_FLUSH_BUFFERS 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_INTERNAL_DEVICE_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_LOCK_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_PNP 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_POWER 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_QUERY_EA 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_QUERY_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_QUERY_QUOTA 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_QUERY_SECURITY 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_QUERY_VOLUME_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_READ 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_SET_EA 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_SET_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_SET_QUOTA 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_SET_SECURITY 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_SET_VOLUME_INFORMATION 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_SHUTDOWN 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_SYSTEM_CONTROL 82D63218
Device \Driver\nvatabus \Device\0000007e IRP_MJ_WRITE 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_CLEANUP 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_CLOSE 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_CREATE 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_CREATE_MAILSLOT 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_CREATE_NAMED_PIPE 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_DEVICE_CHANGE 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_DEVICE_CONTROL 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_DIRECTORY_CONTROL 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_FILE_SYSTEM_CONTROL 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_FLUSH_BUFFERS 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_LOCK_CONTROL 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_PNP 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_POWER 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_QUERY_EA 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_QUERY_INFORMATION 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_QUERY_QUOTA 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_QUERY_SECURITY 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_QUERY_VOLUME_INFORMATION 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_READ 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SET_EA 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SET_INFORMATION 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SET_QUOTA 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SET_SECURITY 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SET_VOLUME_INFORMATION 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SHUTDOWN 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_SYSTEM_CONTROL 82D63218
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_WRITE 82D63218
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLEANUP 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_MAILSLOT 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_NAMED_PIPE 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CHANGE 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DIRECTORY_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FILE_SYSTEM_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_LOCK_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_EA 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_INFORMATION 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_QUOTA 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_SECURITY 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_VOLUME_INFORMATION 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_EA 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_INFORMATION 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_QUOTA 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_SECURITY 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_VOLUME_INFORMATION 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 82D67258
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 82D67258
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 82EF12F8
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLEANUP 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLOSE 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_MAILSLOT 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_NAMED_PIPE 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CHANGE 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CONTROL 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DIRECTORY_CONTROL 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FILE_SYSTEM_CONTROL 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FLUSH_BUFFERS 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_LOCK_CONTROL 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_PNP 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_POWER 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_EA 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_INFORMATION 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_QUOTA 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_SECURITY 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_VOLUME_INFORMATION 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_READ 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_EA 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_INFORMATION 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_QUOTA 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_SECURITY 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_VOLUME_INFORMATION 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SHUTDOWN 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SYSTEM_CONTROL 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_WRITE 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_CLEANUP 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_CLOSE 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_CREATE 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_PNP 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_POWER 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_QUERY_EA 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_READ 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_SET_EA 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_SET_INFORMATION 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_SET_QUOTA 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_SET_SECURITY 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_SHUTDOWN 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 82FAE008
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port0Path0Target0Lun0 IRP_MJ_WRITE 82FAE008
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F6B7D230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6B7D230] vsdatant.sys
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ FF2F1298
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ FF9175F0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ FF996528
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ FF996528
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ FF99E698
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ FFA31708
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ FFA55698

---- System - GMER 1.0.12 ----

SSDT a347bus.sys ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT a347bus.sys ZwSetSystemPowerState
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \??\C:\Programmi\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- EOF - GMER 1.0.12 ----









GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-01-16 17:14:28
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = c:\windows\system32\userinit.exe,"c:\windows\ibmnet.exe",

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
Creative Service for CDROM Access /*Creative Service for CDROM Access*/@ = C:\WINDOWS\System32\CTsvcCDA.exe
ewido anti-spyware 4.0 guard /*ewido anti-spyware 4.0 guard*/@ = C:\Programmi\ewido anti-spyware 4.0\guard.exe
ewido security suite control /*ewido security suite control*/@ = C:\Programmi\ewido anti-malware\ewidoctrl.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe"
Pml Driver HPZ12 /*Pml Driver HPZ12*/@ = C:\WINDOWS\system32\HPZipm12.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
WMDM PMSP Service /*WMDM PMSP Service*/@ = C:\WINDOWS\System32\MsPMSPSv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
@SunJavaUpdateSched"C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe" = "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
@Zone Labs ClientC:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe = C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@DownloadAccelerator"C:\Programmi\DAP\DAP.EXE" /STARTUP = "C:\Programmi\DAP\DAP.EXE" /STARTUP

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run >>>
@ibmnet"c:\windows\ibmnet.exe" = "c:\windows\ibmnet.exe"
@wifipack"c:\windows\wifipack.exe" /*file not found*/ = "c:\windows\wifipack.exe" /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@TaskTrayC:\Programmi\Creative\SBAudigy\TaskBar\CTLTray.exe = C:\Programmi\Creative\SBAudigy\TaskBar\CTLTray.exe
@TaskBarC:\Programmi\Creative\SBAudigy\TaskBar\CTLTask.exe = C:\Programmi\Creative\SBAudigy\TaskBar\CTLTask.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{54D9498B-CF93-414F-8984-8CE7FDE0D391}C:\Programmi\ewido anti-malware\shellhook.dll = C:\Programmi\ewido anti-malware\shellhook.dll
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll = C:\Programmi\ewido anti-spyware 4.0\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Programmi\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD} /*CorelDRAW Shell Extension Component*/C:\Programmi\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll = C:\Programmi\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll
@CorelDRAW Shell Extension Component /*CorelDRAW Shell Extension Component*/(null) =
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{D3796116-94D3-4009-96D7-51578411CC7D} /*Outpost Shell Extension*/C:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll /*file not found*/ = C:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll /*file not found*/

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
DAP_ShredMenu@{BED4C38B-F765-45AC-8C56-613F76BBF43E} = C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
Resurrector@{3B177BCE-B599-4ABD-BECE-B57EE18187FA} = C:\WINDOWS\system32\iddqd.dll /*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
DAP_ShredMenu@{BED4C38B-F765-45AC-8C56-613F76BBF43E} = C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL
ewido anti-spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\ewido anti-spyware 4.0\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\ssmypics.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.libero.it = http://www.libero.it
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.rocorosso.splinder.com/ = http://www.rocorosso.splinder.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = "C:\PROGRA~1\MSNMES~1\msgrapp.dll"
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
skype4com@CLSID = C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = C:\PROGRA~1\LIBERO~1\sliplsp.dll
000000000002@PackedCatalogItem = C:\PROGRA~1\LIBERO~1\sliplsp.dll
000000000003@PackedCatalogItem = C:\PROGRA~1\LIBERO~1\sliplsp.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009@PackedCatalogItem = C:\PROGRA~1\LIBERO~1\sliplsp.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk
Avvio rapido di HP Image Zone.lnk = Avvio rapido di HP Image Zone.lnk
HP Digital Imaging Monitor.lnk = HP Digital Imaging Monitor.lnk
Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.12 ----

[Luke57]

Ciao, apri il registro di sistema
da START\ESEGUI digita regedit>OK

Aperto l’editor del registro, cliccando sul segno + accanto alle singole voci segui adesso questo percorso:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon, click su quest’ultima cartella
ll'interno della cartella, sulla parte destra dovresti trovare
UserInit= REG C:\WINDOWS\system32\userinit.exe, c:\windows\ibmnet.exe,
doppio click sulla voce,
nella finestra Modifica stringa che ti appare
nello spazio bianco troverai:
c:\windows\system32\userinit.exe, c:\windows\ibmnet.exe, seleziona
c:\windows\ibmnet.exe, (virgola compresa)
in modo da lasciare nello spazio solamente:
c:\windows\system32\userinit.exe, (virgola compresa)
premi canc>OK
(ATTENZIONE a non cancellare userinit.exe, il computer non si riavvierà).

Chiudi il registro.

scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
scompatta il file.zip
Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:


Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ibmnet
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wifipack

Files to delete:
c:\windows\ibmnet.exe
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR1A.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR1B.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR1C.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR6.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR7.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR8.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR9.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR10.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR11.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR12.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR13.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR14.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR15.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR16.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR17.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR18.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR19.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRA.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRB.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRC.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRD.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRE.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRF.tmp



Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente


Il programma rilascia un log con le operazioni eseguite.

Posta il log di Avenger (C:/avenger.txt) con l´esito dello script.

[S4R4K]

Sei stato precisissimo nelle informazioni.
Il PC non si è riavviato, l'ho fatto manualmente ma mi ha creato problemi.

Ecco il report:


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not initiate system shutdown.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fqfskcho

*******************

Script file located at: \??\C:\WINDOWS\system32\irobyxod.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\windows\ibmnet.exe deleted successfully.


File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR1A.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR1A.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR1A.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR1B.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR1B.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR1B.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR1C.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR1C.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR1C.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR6.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR6.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR6.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR7.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR7.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR7.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR8.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR8.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR8.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR9.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR9.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR9.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR10.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR10.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR10.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR11.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR11.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR11.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR12.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR12.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR12.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR13.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR13.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR13.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR14.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR14.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR14.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR15.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR15.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR15.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR16.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR16.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR16.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR17.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR17.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR17.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR18.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR18.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR18.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR19.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR19.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXR19.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRA.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRA.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRA.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRB.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRB.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRB.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRC.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRC.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRC.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRD.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRD.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRD.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRE.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRE.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRE.tmp
Status: 0xc0000034



File C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRF.tmp not found!
Deletion of file C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRF.tmp failed!

Could not process line:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp PXRF.tmp
Status: 0xc0000034



Could not get size of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs
Replacement with dummy of registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs failed!
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|ibmnet deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|wifipack deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[S4R4K]

purtroppo i file non li ho eliminati.
Non so se dovevo fare tutto in modalità provvisoria o altro ancora.

[Luke57]

Ciao, i file temp non li hai eliminati perchè ti ho dato uno script con un errore, mannaggia

Rifai la manovra inserendo questo script:

Files to delete:
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR1A.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR1B.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR1C.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR6.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR7.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR8.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR9.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR10.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR11.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR12.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR13.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR14.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR15.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR16.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR17.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR18.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR19.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXRA.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXRB.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXRC.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXRD.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXRE.tmp
C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXRF.tmp

[S4R4K]

rieccomi, ha funzionato ma continuo a vedere nel task maneger alcuni processi strani.

Ecco il report:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\natqdkbv

*******************

Script file located at: \??\C:\uqckytun.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR1A.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR1B.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR1C.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR6.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR7.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR8.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR9.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR10.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR11.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR12.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR13.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR14.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR15.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR16.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR17.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR18.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXR19.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXRA.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXRB.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXRC.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXRD.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXRE.tmp deleted successfully.
File C:\Documents and Settings\Sarak\Impostazioni locali\Temp\PXRF.tmp deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

[Luke57]

Ciao, quali sono questi processi strani?

[S4R4K]

Ciao di nuovo.
Il PC continua a metterci 7 minuti circa per spegnersi ed è abbastanza letto.
Ho attivi processi hp che non ricordo prima: hprblog.exe, hpqste08.exe, hpqimzone.exe.
Poi wuauclt.exe, che non so cosa sia.
svchost.exe e vsmon.exe mi prendono parecchia memoria.

[Luke57]

Ciao di nuovo.
Il PC continua a metterci 7 minuti circa per spegnersi ed è abbastanza letto.
Ho attivi processi hp che non ricordo prima: hprblog.exe, hpqste08.exe, hpqimzone.exe.
Poi wuauclt.exe, che non so cosa sia.
svchost.exe e vsmon.exe mi prendono parecchia memoria.

Ciao, quelli sono processi legittimi.
Proviamo un ulteriore controllo.
Vai qui:
http://www.suspectfile.com/forum/viewtopic.php?t=466
scarica system scan, fi una scansione e, siccome il report è lunghissimo, lo salvi in un foglio di testo, vai su:
http://www.mytempdir.com/
premi il tasto Sfoglia, inserisci il foglio testo con il report, premi Host it. Una volta inserito, appare il link da dove scaricare il file, lo copi e lo incolli in un post.

[S4R4K]

Questo è il link del report:

http://www.mytempdir.com/1171360


Se vuoi ti riposto pure quello di HijackThis.

Grazie

[Luke57]

Ciao, nel report non ho individuato niente di nocivo. Prova a ripostare un log di hijackthis.

[S4R4K]

Logfile of HijackThis v1.99.1
Scan saved at 13.51.59, on 17/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\DAP\DAP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Creative\SBAudigy\TaskBar\CTLTray.exe
C:\Programmi\Creative\SBAudigy\TaskBar\CTLTask.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programmi\HP\Digital Imaging\bin\hpqimzone.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programmi\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sarak\Desktop\slsk.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Real\RealPlayer\RealPlay.exe
D:\Utility\systemscan.exe
C:\DOCUME~1\Sarak\IMPOST~1\Temp\RarSFX0\runme.exe
D:\Utility\hijackthis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\SYSTEM32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://arianna.libero.it
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rocorosso.splinder.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.libero.it
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Libero
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 205.238.40.1 http://www.winmx.com
O1 - Hosts: 205.238.40.1 err.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Programmi\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Programmi\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskTray] C:\Programmi\Creative\SBAudigy\TaskBar\CTLTray.exe
O4 - HKCU\..\Run: [TaskBar] C:\Programmi\Creative\SBAudigy\TaskBar\CTLTask.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Avvio rapido di HP Image Zone.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Programmi\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Programmi\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Programmi\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Salva oggetto con NetXfer - C:\Programmi\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Salva tutti gli oggetti con NetXfer - C:\Programmi\Xi\NetXfer\NXAddList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: (no name) - {44EFB53C-C965-43CF-9F45-52242D134187} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.libero.it
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC31363-2ECB-4AB3-9014-D0710DE2FF38}: NameServer = 193.70.152.15 193.70.152.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{F98184BB-2A6D-480A-A11C-DC55308D8026}: NameServer = 193.70.192.25,193.70.152.25
O17 - HKLM\System\CS3\Services\Tcpip\..\{2BC31363-2ECB-4AB3-9014-D0710DE2FF38}: NameServer = 193.70.152.15 193.70.152.25
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Luke57]

Ciao, utilizza avenger inserendo questo script:

files to delete:
C:\DOCUME~1\Sarak\IMPOST~1\Temp\RarSFX0\runme.exe

Poi inizia a ripulire il computer dai file temporanei di windows e di ie:
Scarica ATF cleaner da qui:
http://www.atribune.org/ccount/click.php?id=1

Poi avvia ATFCleaner. Clicca sul menu main e poi seleziona la casella Select All. Adesso clicca sul pulsante Empty selected e aspetta il messaggio Done Cleaning!.

Inoltre, togli alcuni elementi che in avvio non servono, facendo così:
start>esegui>msconfig (lo digiti nello spazio)>OK
Nella finestra che si apre, premi il tab Avvio e togli la spunta perlomeno alle seguenti voci: Nero,java, quicktime, Adobe, tutte le voci HP, Office, ecc., lasciando indispensabili solo firewall e antivirus e quelli che ti servono, appunto, in avvio.