worm bagle: disattiva antivirus a antispyware. HelP!

[Neofito]

salve

Da molti giorni ho questo worm... non so più che fare

- non mi fa completare l'installazione degli antivirus e mi cancella l'exe di avast che avevo già installato. Quindi il collegamento sul desktop all'exe di avast, non trova nulla. Avevo copiato il file di exe (ashavast.exe) in un'altra cartella, ma appena apro questa cartella, vedo il file per un istante e dopo sparisce di nuovo. Mi cancella anche l'exe di Spybot. A nulla sono servite altre installazioni di questi programmi.

- impossibile fare il ripristino configurazione di sistema. Una volta che completa la procedura, mi dice che nessuna modifica è stata apportata al pc.

- ad ogni riavvio, mi disabilita il centro di sicurezza del pc e gli aggiornamenti automatici ed il firewall

- ad ogni riavvio, mi creava una cartella nascosta, chiamata "m" di 160 mb in c/Documents and Settings/nome utente/Dati applicazioni
con dentro un file chiamato numerosi zip con nomi di giochi e di antivirus ed un file chiamato flec006 che non si poteva eliminare.
Sono infine riuscito a cancellare questa cartella (ed un'altra che compariva nella stessa locazione)

- trovavo sempre in C/windows/prefetch
i seguenti files:
HIDR.EXE-12BE895A.pf
HLDRRR.EXE-21250D0F.pf
Li ho rimossi.

- in msconfig, mi compaiono diverse nuove voci, nella schermata di avvio:
* hidr
* hldrrr
* flec006
li ho disabilitati, li ho cercati poi nel registro di sistema e li ho cancellati

- ha creato la cartella exefnd e exefld
le ho rimosse

comunque gli altri problemi non sono stati risolti. Il centro sicurezza del pc deve sempre essere avviato manualmente, così come gli aggiornamenti automatici, così come l'antivirus non trova l'exe.

a parte buttare il pc, cosa altro potrei fare?

[Luke57]

Ciao, scarica Elibagla (tool apposito) da qui:
http://www.zonavirus.com/datos/descarga ... ibagla.asp

Assicurati che la casella Eliminar Ficheros Automaticamente sia spuntata

Eseguilo

Ignora eventuali messaggi dell’antivirus

Posta il report dello scan

[Neofito]

ciao e grazie della risposta

questo è il report

_________________________________________________________

Tue Aug 14 12:50:26 2007
EliBagle v10.47 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Acción Directa):
C:\WINDOWS\SYSTEM32\BAN_LIST.TXT --> Eliminado Bagle
Restaurada Clave: "SafeBoot\Minimal y Network"

Tue Aug 14 12:50:36 2007
EliBagle v10.47 (c)2007 S.G.H. / Satinfo S.L.
----------------------------------------------
Lista de Acciones (por Exploración):
Explorando Unidad C:\

_________________________________________________________

[Luke57]

Ciao, il tool ha ripristinato la chiaved i registro pe rla modalità provvisoria.
Non sembra aver trovatro altro, comunque segui questa ottima guida:
http://www.megalab.it/articoli.php?id=948

[Neofito]

grazie, l'avevo già seguita. Ho tolto tutto quello che mi diceva andava eliminato, ma non è cambiato nulla. Sempre non riesco ad installare antivirus e spybot ecc....

ho fatto l''hijack. Questo è il log.
Qualcuno lo sa leggere?

____________________________________________________

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14.08.11, on 14/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Luca De Angelis\Desktop\Anti spyware\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - blank (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - blank (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - blank (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmi\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Umail - {A925929B-C780-49B2-BB1F-F8DE969111AF} - http://www.umail.it (file missing) (HKCU)
O9 - Extra button: (no name) - {CEC2A0EB-DBA3-4DA2-B551-97793A7148D6} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://fotoluca9.spaces.msn.com//PhotoU ... nPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/do ... se5059.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7581 bytes
_____________________________________________________

[Luke57]

Ciao, scarica system scan da qui:
http://www.suspectfile.com/systemscan
mettilo sul desktop, spunti tutte le caselle, premi scan now.
Al termine della scansione, vai in C:\suspectfile e carica la cartella .zip che trovi su questo sito:
http://www.sendmefile.com/
fai l’upload della cartella .zip e inserisci nel tuo post successivo il link che ti sarà fornito per poterlo vedere.

[Neofito]

grazie 1000 dell'aiuto!

quì c'è il link per il download

http://www.sendmefile.com/00568296

[Luke57]

Ciao, qualcosa ho trovato riferito al beagle (non so se sarà sufficiente per ripristinare le funzionalità perse) , Scarica The Avenger
http://swandog46.geekstogo.com/avenger.zip

estrai l’archivio nel desktop.

Poi avvia il file Avenger.exe.
Seleziona l'opzione Input Script Manually, clicca sulla lente di ingrandimento e all'interno dello spazio bianco copia ed incolla questo script:

Files to delete:
C:\WINDOWS\system32\frysdk.dll
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\pci32.sys


Clicca sul pulsante Done
Adesso clicca sul semaforo con la luce verde
Rispondi Yes 2 volte
Il pc si dovrebbe riavviare,se non si riavvia,riavvialo manualmente

Al riavvio collegati e posta il contenuto del file C:\Avenger.txt

[Neofito]

ciao e grazie ancora dell'aiuto!!

questo è il risultato del log

__________________________________________

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ycvuraac

*******************

Script file located at: \??\C:\WINDOWS\system32\qohehqtt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\frysdk.dll deleted successfully.
File C:\WINDOWS\system32\drivers\hidr.exe deleted successfully.


File C:\WINDOWS\system32\pci32.sys not found!
Deletion of file C:\WINDOWS\system32\pci32.sys failed!

Could not process line:
C:\WINDOWS\system32\pci32.sys
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

______________________________________

[maud76]

Non so se sto postando nel punto giusto, scusatemi, sono nuova! Il mio problema è il virus bagle, che mi ha disinstallato l'antivirus avg e non mi permette di reinstallare né lui né altri antivirus. Ho letto tutte le discussioni al riguardo, ho usato gmer e avenger, ma niente da fare. Non riesco assolutamente ad eliminare il file hidr.exe, che ho scoperto essere nella directory: C:\WWINDOWS\system32\drivers\hidr.exe
Aiutatemi per favore, non so assolutamente come fare!!!!

[Luke57]

Non so se sto postando nel punto giusto, scusatemi, sono nuova! Il mio problema è il virus bagle, che mi ha disinstallato l'antivirus avg e non mi permette di reinstallare né lui né altri antivirus. Ho letto tutte le discussioni al riguardo, ho usato gmer e avenger, ma niente da fare. Non riesco assolutamente ad eliminare il file hidr.exe, che ho scoperto essere nella directory: C:\WWINDOWS\system32\drivers\hidr.exe
Aiutatemi per favore, non so assolutamente come fare!!!!

Ciao, prova con questo scrip, è generico perchè non conosco che cosa hai effettivamente nel computer (penso che il tuo so sia xp).

scarica http://swandog46.geekstogo.com/avenger.zip
e
http://research.pandasoftware.com/blogs ... ootkit.zip

(dezippali sul desktop)

Disattiva l'antivirus e chiudi programmi e applicazioni aperti


Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente d'ingrandimento

Ti si apre lafinestra "View/edit script"
All'interno del box bianco, copia e incolla il seguentescript (alcuni valori porebbero essere non trovati):

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\hldrr.exe



folders to delete:
C:\WINDOWS\exefnd

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32


Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi Yes due volte
Il pc dovrebbe riavviarsi da solo, diversamente riavvialo manualmente

Posta il report che trovi in C:\avenger.txt

Cancella tutti i file tmp ed .exe che trovi nella cartella
C:\documents and settings\nome utente\dati applicazioni\impostazioni locali\temp

Avvia PAVARK.exe (AntiRootkit.zip), clicca su "Start Scan" ed esegui i successivi passaggi.

[Cindy Arden]

ho avuto la fortuna di capitare qua
avevo anche io, da questo pomeriggio, lo stesso problema. Ho seguito le instruzioni alla lettera, guardando anche i log che venivano fuori e cercando di capire da sola...
Ho risolto!!!
Grazie davvero!!! Penso che ormai non andrò più via da qui, mi sono innamorata di questo forum a prima vista

[Franklin80]

Ciao a tutti, sono nuovo. Purtroppo anche io ho scoperto di essere affetto da questo worm. In un batter d'occhio mi trovo antivir fuoriuso, spyterminator zoppicante. Ad essere attivolo è solo COMODO firewall.
Purtroppo ho cercato varie guide, ho letto anche questo topic ma non sono riuscito a risolvere nulla. Ad ogni avvio COMODO mi segnala l'intrusione del file flec006 (che io ovviamente nego).
Aiutatemi vi prego

[Franklin80]

ho fatto l''hijack. Questo è il log.


Logfile of HijackThis v1.99.1
Scan saved at 13.46.24, on 12/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmi\Comodo\Firewall\cmdagent.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Comodo\Firewall\CPF.exe
C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Documents and Settings\francesco\Dati applicazioni\m\flec006.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\francesco\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Programmi\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programmi\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Programmi\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [updateMgr] C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hidr.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\francesco\Dati applicazioni\m\flec006.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C2DC1CA-3C67-4663-9728-6EA75514F894}: NameServer = 85.37.17.51 85.38.28.97
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmi\Comodo\Firewall\cmdagent.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Programmi\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Servizio iPod (iPod Service) - Apple Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe
O23 - Service: UPnPService - Unknown owner - C:\Programmi\File comuni\MAGIX Shared\UPnPService\UPnPService.exe (file missing)

[Franklin80]

dimenticavo, anche da me c'è una fantomatica cartella "m", il caso è simile se non identico a quel "neofito" che ha aperto il topic.
tuttavaia ancora non ho fatto nulla, ho scaricato solamente avenger e pavark. In attesa di aiuto.
Grazie delle eventuali risposte

[Luke57]

Ciao, scarica elibagla da qui http://www.zonavirus.com/datos/descarga ... ibagla.asp
in fondo alla pagina trovi Descargar Elibagla.
Assicurati che la casella Eliminar Ficheros Automaticamente sia spuntata e e fagli fare una scansione.

POi scarica Gmer da qui:
http://www.majorgeeks.com/GMER_d5198.html
scompatta il file .zip e avvia gmer.exe, con tutte le altre applicazioni chiuse.
Per entrare in Avanzate premi il tab>>>>. Poi scegli il tab Rootkit, spunta anche la casella ADS , fai uno Scan completo. Al termine clicca Copy e incolla il report in un file di testo.
Ritorna su Gmer, premi il tab Autostart (non spuntare la casella show all) e premi Scan. Al termine click su Copy e incolla il report nel medesimo foglio di testo.
Poi, copia e incolla i due report in un post nel forum

[Franklin80]

Grazie della risposta Luke. Allora, dopo aver perso 3 ore circa spero di aver sconfitto il worm. Ho eliminato la cartella, il fantomatico filE.
Ho reinstallato Antivir e Spyware terminator, ho riavviato ben 4 volte. E sono ancorà lì, il centrosicurezza pc funge.
In ogni caso ho eseguito i tuoi consigli alla lettera.
Ecco il rootkit di Gmer:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-09-12 16:50:41
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection
SSDT F8BD8F5C ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteFile
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile
SSDT sptd.sys ZwOpenKey
SSDT F8BD8F48 ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenSection
SSDT F8BD8F4D ZwOpenThread
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetContextThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwShutdownSystem
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFileGather
SSDT F8BD8F52 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.13 ----

? C:\WINDOWS\system32\drivers\sptd.sys Impossibile accedere al file. Il file è utilizzato da un altro processo.
.text USBPORT.SYS!DllUnload F813762C 5 Bytes JMP 821221B8
? C:\WINDOWS\System32\Drivers\dtscsi.sys Impossibile accedere al file. Il file è utilizzato da un altro processo.

---- User code sections - GMER 1.0.13 ----

.text C:\Programmi\Comodo\Firewall\CPF.exe[1844] ntdll.dll!LdrLoadDll 7C9261CA 3 Bytes [ FF, 25, 1E ]
.text C:\Programmi\Comodo\Firewall\CPF.exe[1844] ntdll.dll!LdrLoadDll + 4 7C9261CE 2 Bytes [ 05, 5F ]
.text C:\Programmi\Comodo\Firewall\CPF.exe[1844] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \WINDOWS\System32\Drivers\SPTDDRV1.SYS[ntoskrnl.exe!IoConnectInterrupt] [F845D718] sptd.sys
IAT \WINDOWS\System32\Drivers\SPTDDRV1.SYS[ntoskrnl.exe!IofCompleteRequest] [F8472656] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F845D6C4] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8473394] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F845D718] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F844DAB6] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F844DBEE] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F844DB76] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F844E71C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F844E5F2] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F84734E8] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F84727AE] sptd.sys
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F84734E8] sptd.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F85886D0] inspect.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F8588730] inspect.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F8588950] inspect.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F8588910] inspect.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F8588910] inspect.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F8588730] inspect.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F85886D0] inspect.sys
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F8588950] inspect.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F8588950] inspect.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F8588910] inspect.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F8588730] inspect.sys
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F85886D0] inspect.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F8588910] inspect.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F85886D0] inspect.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F8588730] inspect.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F8588950] inspect.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F85886D0] inspect.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F8588910] inspect.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F8588730] inspect.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F8588950] inspect.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F8588910] inspect.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F8588730] inspect.sys
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F85886D0] inspect.sys

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\Documents and Settings\francesco\Impostazioni locali\Temp\gmer.exe[1348] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002DF0] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\Documents and Settings\francesco\Impostazioni locali\Temp\gmer.exe[1348] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C50] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\Documents and Settings\francesco\Impostazioni locali\Temp\gmer.exe[1348] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C10] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\Documents and Settings\francesco\Impostazioni locali\Temp\gmer.exe[1348] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C60] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\WINDOWS\Explorer.EXE[1424] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002DF0] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\WINDOWS\Explorer.EXE[1424] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C50] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\WINDOWS\Explorer.EXE[1424] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C10] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\WINDOWS\Explorer.EXE[1424] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C60] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\Programmi\Messenger\msmsgs.exe[1976] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002DF0] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\Programmi\Messenger\msmsgs.exe[1976] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C50] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\Programmi\Messenger\msmsgs.exe[1976] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C10] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\Programmi\Messenger\msmsgs.exe[1976] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C60] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\PROGRA~1\WINZIP\winzip32.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002DF0] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\PROGRA~1\WINZIP\winzip32.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C50] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\PROGRA~1\WINZIP\winzip32.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C10] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\PROGRA~1\WINZIP\winzip32.exe[3000] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C60] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\Programmi\Internet Explorer\iexplore.exe[3960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [10002DF0] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\Programmi\Internet Explorer\iexplore.exe[3960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [10002C50] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\Programmi\Internet Explorer\iexplore.exe[3960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [10002C10] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll
IAT C:\Programmi\Internet Explorer\iexplore.exe[3960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [10002C60] C:\Programmi\File comuni\Logitech\LVMVFM\LVPrcInj.dll

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 823D71D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 823D71D8

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F8388F70] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F8388F70] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F8389160] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F8388F70] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F837CF08] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F837CF08] fltMgr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B2F3AA6A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B2F3AA16] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B2F3A94A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B2F3A85E] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B2F3A9B8] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [B2F3AB12] cmdmon.sys

Device \Driver\NetBT \Device\NetBT_Tcpip_{8C92B039-F941-4843-A37E-B8156310E454} IRP_MJ_CREATE 8201D990
Device \Driver\NetBT \Device\NetBT_Tcpip_{8C92B039-F941-4843-A37E-B8156310E454} IRP_MJ_CLOSE 8201D990
Device \Driver\NetBT \Device\NetBT_Tcpip_{8C92B039-F941-4843-A37E-B8156310E454} IRP_MJ_DEVICE_CONTROL 8201D990
Device \Driver\NetBT \Device\NetBT_Tcpip_{8C92B039-F941-4843-A37E-B8156310E454} IRP_MJ_INTERNAL_DEVICE_CONTROL 8201D990
Device \Driver\NetBT \Device\NetBT_Tcpip_{8C92B039-F941-4843-A37E-B8156310E454} IRP_MJ_CLEANUP 8201D990
Device \Driver\NetBT \Device\NetBT_Tcpip_{8C92B039-F941-4843-A37E-B8156310E454} IRP_MJ_PNP 8201D990
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 820571D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 820571D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 820571D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 820571D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 820571D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 820571D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 820571D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 823721D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 823721D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 823721D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 823721D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 823721D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 823721D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 823721D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 823721D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 823721D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 823721D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 823721D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 823721D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 823721D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 823721D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 823721D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 823721D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 823721D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 823721D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 823721D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 823721D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 823721D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 823721D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 823721D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 823721D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 823721D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 823721D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 823721D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 823721D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 823721D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 823721D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 823721D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 823721D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 823721D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 823721D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 823721D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 823721D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 823721D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 823721D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 823721D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 823721D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 823721D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 823721D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 823721D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 823721D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 820571D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 820571D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 820571D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 820571D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 820571D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 820571D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 820571D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CREATE 820571D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CLOSE 820571D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 820571D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 820571D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_POWER 820571D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 820571D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_PNP 820571D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_CREATE 820571D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_CLOSE 820571D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_DEVICE_CONTROL 820571D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 820571D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_POWER 820571D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_SYSTEM_CONTROL 820571D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_PNP 820571D8
Device \Driver\00000036 \Device\00000047 IRP_MJ_POWER [F8459DB6] sptd.sys
Device \Driver\00000036 \Device\00000047 IRP_MJ_SYSTEM_CONTROL [F846F73C] sptd.sys
Device \Driver\00000036 \Device\00000047 IRP_MJ_PNP [F846877E] sptd.sys
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_CREATE 820401D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_CLOSE 820401D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_DEVICE_CONTROL 820401D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 820401D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_POWER 820401D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_SYSTEM_CONTROL 820401D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_PNP 820401D8

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B2F3AA6A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B2F3AA16] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B2F3A94A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2F3A85E] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B2F3A9B8] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [B2F3AB12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [B2F3AB12] cmdmon.sys

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 823D91D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 823D91D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 823D91D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 823D91D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 823D91D8
Device \Drive

[Franklin80]

Questo è l'autostart.

GMER 1.0.13.12551 - http://www.gmer.net
Autostart scan 2007-09-12 16:55:08
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AntiVirScheduler /*AntiVir PersonalEdition Classic Scheduler*/@ = "C:\Programmi\Avira\AntiVir PersonalEdition Classic\sched.exe"
AntiVirService /*AntiVir PersonalEdition Classic Guard*/@ = "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe"
Apple Mobile Device /*Apple Mobile Device*/@ = "C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
CmdAgent /*Comodo Application Agent*/@ = C:\Programmi\Comodo\Firewall\cmdagent.exe
LVPrcSrv /*Logitech Process Monitor*/@ = c:\programmi\file comuni\logitech\lvmvfm\LVPrcSrv.exe
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
sp_rssrv /*Spyware Terminator Realtime Shield Service*/@ = "C:\Programmi\Spyware Terminator\sp_rsser.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@CloneCDTray"C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s = "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
@AdslTaskBarrundll32.exe stmctrl.dll,TaskBar = rundll32.exe stmctrl.dll,TaskBar
@LogitechVideo[inspector]C:\Programmi\Logitech\Video\InstallHelper.exe /inspect = C:\Programmi\Logitech\Video\InstallHelper.exe /inspect
@LogitechCameraService(E)C:\WINDOWS\system32\ElkCtrl.exe /automation = C:\WINDOWS\system32\ElkCtrl.exe /automation
@EPSON Stylus C66 SeriesC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66" = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
@BluetoothAuthenticationAgentrundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
@COMODO Firewall Pro"C:\Programmi\Comodo\Firewall\CPF.exe" /background = "C:\Programmi\Comodo\Firewall\CPF.exe" /background
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@iTunesHelper"C:\Programmi\iTunes\iTunesHelper.exe" = "C:\Programmi\iTunes\iTunesHelper.exe"
@DAEMON Tools"C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033 = "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
@avgnt"C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min = "C:\Programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
@SpywareTerminator"C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe" = "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@LogitechSoftwareUpdateC:\Programmi\Logitech\Video\ManifestEngine.exe boot = C:\Programmi\Logitech\Video\ManifestEngine.exe boot
@updateMgrC:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 /*file not found*/ = C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 /*file not found*/
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll = C:\Programmi\MSN Messenger\fsshext.8.1.0178.00.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{23170F69-40C1-278A-1000-000100020000} /*7-Zip Shell Extension*/C:\Programmi\7-Zip\7-zip.dll = C:\Programmi\7-Zip\7-zip.dll
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Programmi\Avira\AntiVir PersonalEdition Classic\shlext.dll = C:\Programmi\Avira\AntiVir PersonalEdition Classic\shlext.dll
@{BD88A479-9623-4897-8546-BC62B9628F44} /*SPTHandler*/C:\Programmi\Spyware Terminator\sptcontmenu.dll = C:\Programmi\Spyware Terminator\sptcontmenu.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Programmi\iTunes\iTunesMiniPlayer.dll = C:\Programmi\iTunes\iTunesMiniPlayer.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zip.dll
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\Avira\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Programmi\7-Zip\7-zip.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\Avira\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
@{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}C:\Programmi\Windows Live Toolbar\msntb.dll = C:\Programmi\Windows Live Toolbar\msntb.dll
@{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll = C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\ACMILA~1.SCR /*file not found*/

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll

C:\Documents and Settings\francesco\Menu Avvio\Programmi\Esecuzione automatica = Adobe Gamma.lnk

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.13 ----

Grazie ancora per gli eventuali consigli. Dimmi se sono riuscito a debellare il worm.
Ciao

[Luke57]

Ciao, sembra che non ci sia più. Controlla anche, se non già fatto, le chiavi di registro segnalate dalla guida di megalab.