


Post by Morfeo76 » 13/09/06 19:01

Hi to all the forum users, and congratulations to the administrators/moderators for all the good they have done, are doing and will do for those of us who are computer disasters, or nearly so (the computer = this unknown thing)!

My problem is more or less similar to the one described by others, so I'll shamelessly butt in and take advantage of your kindness; I must also admit that this world is starting to fascinate me, even though I do something completely different.

So, I followed all of Luke57's instructions......., plus I downloaded the Gromozon rootkit removal tool, and everything seems to be fine..... this is the HJT log.....

Logfile of HijackThis v1.99.1
Scan saved at 19.24.34, on 13/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Microsoft Office\Office\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Alice
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
O2 - BHO: (no name) - {769C8EE6-8425-4508-A97F-8ED02F4F8F31} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_03\bin\jusched.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra button: Alice - {FEDBD437-C592-4D0B-8FCF-F2D2E4A361E5} - (file missing) (HKCU)
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - ...
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programmi\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programmi\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas - C:\VEXPLITE\viritsvc.exe

... except that the VirIT eXplorer Lite log reports this virus/trojan:
13/09/2006 - 19:02:59



C:\WINDOWS\system32\com5.npg Infetto da Trojan.Win32.RootKit.G


Chiavi Registro infette: 0.
Files Infetti: 1.
Files Sospetti: 0.
Files Analizzati: 41504.
Files Totali: 41504.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.

(anyway, before I did everything explained above, VirIT was finding an infected registry key and two other files infected by BHO.Agent.BA... I think they were 1c.temp and diaa.dll, I think but I'm not sure, again in system..)
I also ran the scan in safe mode, but nothing; I don't understand why it doesn't remove it, the file is right there in System32.....
Also, if I run services.msc I find, even though it is disabled, the LogCmb "service", whose "Log On As" account, instead of Network Service or Local System, is ./yerofauhlnfq..... I don't know whether it is connected to Link Optimizer, but I have some doubts!
Also, after changing the folder options as indicated, I tried to remove it both manually and with Killbox... nothing.
Then I checked with Myuninstall but it doesn't detect the process.....

What should I do?
Many thanks in advance!
Posts: 6
Joined: 13/09/06 18:52


Post by andorra24 » 13/09/06 19:15

Hi, download Gmer:
After unpacking it, run it and select "Rootkit"
Click "Scan"
Wait for the scan to finish and click "Copy"
Open Windows Notepad, click Edit and select Paste

Then run a GMer scan from the "Autostart" tab, following the same steps as before. Paste the generated log into the same Notepad window, then paste both logs in a post on the forum.
Senior User
Posts: 2742
Joined: 21/05/06 15:44
Location: Palermo

Post by Morfeo76 » 14/09/06 13:59

GMER, rootkit mode:

Rootkit 2006-09-14 14:12:30
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.10 ----

SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT pxfsf.sys ZwCompactKeys
SSDT pxfsf.sys ZwCompressKey
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT pxfsf.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT pxfsf.sys ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT pxfsf.sys ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT pxfsf.sys ZwCreatePort
SSDT pxfsf.sys ZwCreateProcess
SSDT pxfsf.sys ZwCreateProcessEx
SSDT pxfsf.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT pxfsf.sys ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT pxfsf.sys ZwDeleteFile
SSDT pxfsf.sys ZwDeleteKey
SSDT pxfsf.sys ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT pxfsf.sys ZwDuplicateObject
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT pxfsf.sys ZwFreeVirtualMemory
SSDT pxfsf.sys ZwImpersonateAnonymousToken
SSDT pxfsf.sys ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT pxfsf.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockRegistryKey
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT pxfsf.sys ZwMapViewOfSection
SSDT pxfsf.sys ZwOpenFile
SSDT pxfsf.sys ZwOpenKey
SSDT pxfsf.sys ZwOpenProcess
SSDT pxfsf.sys ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT pxfsf.sys ZwOpenThread
SSDT pxfsf.sys ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT pxfsf.sys ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT pxfsf.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT pxfsf.sys ZwRenameKey
SSDT pxfsf.sys ZwReplaceKey
SSDT pxfsf.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeProcess
SSDT pxfsf.sys ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveKeyEx
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT pxfsf.sys ZwSetContextThread
SSDT pxfsf.sys ZwSetInformationKey
SSDT pxfsf.sys ZwSetInformationProcess
SSDT pxfsf.sys ZwSetInformationThread
SSDT pxfsf.sys ZwSetSystemInformation
SSDT pxfsf.sys ZwSetValueKey
SSDT pxfsf.sys ZwSuspendProcess
SSDT pxfsf.sys ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT pxfsf.sys ZwTerminateProcess
SSDT pxfsf.sys ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnloadKeyEx
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT pxfsf.sys ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT pxfsf.sys ZwWriteVirtualMemory

---- EOF - GMER 1.0.10 ----

GMER, autostart mode:

Autostart 2006-09-14 14:13:55
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxdev.dll
WRNotifier@DLLName = WRLogonNTF.dll /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
LexBceS /*LexBce Server*/@ = C:\WINDOWS\system32\LEXBCES.EXE
PREVXAgent /*Prevx Agent*/@ = "C:\Programmi\Prevx1\PXAgent.exe" -f
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_03\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_03\bin\jusched.exe
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{5E44E225-A408-11CF-B581-008029601108} /*Adaptec DirectCD Shell Extension*/C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll = C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll
@{59850401-6664-101B-B21C-00AA004BA90B} /*Microsoft Office Binder Unbind*/C:\PROGRA~1\MICROS~2\Office\1040\UNBIND.DLL = C:\PROGRA~1\MICROS~2\Office\1040\UNBIND.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\lib\NeroDigitalExt.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Programmi\iTunes\iTunesMiniPlayer.dll = C:\Programmi\iTunes\iTunesMiniPlayer.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll = C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URL =
@Start Pageabout:blank = about:blank

HKCU\Software\Microsoft\Internet Explorer\Main@Start Page =

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

---- EOF - GMER 1.0.10 ----
Posts: 6
Joined: 13/09/06 18:52
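The rootkit-mode log above is a long list of SSDT hooks, all from one driver. As an added example (not the forum's or GMER's code), the script below groups such `SSDT <module> <ZwFunction>` lines by hooking module and checks the modules against a small allow-list of security products that are expected to hook the SSDT, so an unexpected hooker stands out. It assumes `pxfsf.sys` belongs to Prevx, which the poster has installed (PXAgent.exe and the Prevx BHO appear in his HijackThis log); the log excerpt is constructed and includes one made-up driver name purely to show how an unexpected module is reported.

```python
"""Summarise the SSDT section of a GMER 'Rootkit' log by hooking module.

Added example; not part of the forum thread and not GMER's own code.
"""
import re
from collections import defaultdict

# Constructed excerpt in the shape of the GMER 1.0.10 log posted in the thread.
# The 'example_unknown.sys' driver is made up to exercise the UNEXPECTED path.
SAMPLE_LOG = r"""Rootkit 2006-09-14 14:12:30
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.10 ----

SSDT pxfsf.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateProcess
SSDT pxfsf.sys ZwLoadDriver
SSDT pxfsf.sys ZwOpenProcess
SSDT pxfsf.sys ZwSetValueKey
SSDT pxfsf.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\example_unknown.sys ZwQueryDirectoryFile
SSDT \??\C:\WINDOWS\system32\drivers\example_unknown.sys ZwEnumerateKey

---- EOF - GMER 1.0.10 ----
"""

# Assumption: pxfsf.sys is the filter driver of Prevx, which the poster has
# installed. Extend this map with whatever security product is on the machine.
KNOWN_HOOKERS = {"pxfsf.sys": "Prevx"}

# Native calls a rootkit typically hooks to hide files, registry keys
# and processes from user-mode tools.
HIDING_CALLS = {
    "ZwQueryDirectoryFile", "ZwEnumerateKey", "ZwEnumerateValueKey",
    "ZwQuerySystemInformation", "ZwQueryValueKey", "ZwOpenKey",
}

SSDT_LINE = re.compile(r"^SSDT\s+(.+?)\s+(Zw\w+)\s*$")


def parse_ssdt_hooks(log_text):
    """Return {module: sorted list of hooked Zw* functions} from the SSDT lines."""
    hooks = defaultdict(list)
    for line in log_text.splitlines():
        m = SSDT_LINE.match(line.strip())
        if m:
            module, func = m.group(1), m.group(2)
            hooks[module].append(func)
    return {mod: sorted(funcs) for mod, funcs in hooks.items()}


def module_basename(module):
    """'\\??\\C:\\...\\x.sys' -> 'x.sys', so the allow-list lookup ignores the path."""
    return module.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_hooks(hooks, known=KNOWN_HOOKERS):
    """Split hooking modules into expected (known vendor) and unexpected ones.

    Each unexpected module is returned together with the subset of its hooks
    that are typical of hiding behaviour, which is what deserves a closer look.
    """
    expected, unexpected = {}, {}
    for module, funcs in hooks.items():
        base = module_basename(module)
        if base in known:
            expected[module] = known[base]
        else:
            unexpected[module] = sorted(set(funcs) & HIDING_CALLS)
    return expected, unexpected


def report(log_text, known=KNOWN_HOOKERS):
    """Human-readable summary: one line per hooking module, plus hiding hooks."""
    hooks = parse_ssdt_hooks(log_text)
    expected, unexpected = classify_hooks(hooks, known)
    lines = []
    for module, funcs in sorted(hooks.items()):
        tag = f"expected ({expected[module]})" if module in expected else "UNEXPECTED"
        lines.append(f"{module}: {len(funcs)} SSDT hooks, {tag}")
        if module in unexpected and unexpected[module]:
            lines.append("  hiding-related hooks: " + ", ".join(unexpected[module]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A long list of hooks from one known security driver, as in the post above, is therefore not by itself a sign of infection; an unlisted module, especially one hooking the directory or registry enumeration calls, is what warrants follow-up.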

Post by andorra24 » 14/09/06 14:10

The gmer log looks OK. Follow this procedure:

download avenger to the desktop
Unzip the archive

Run avenger.exe
Select the "Input Script Manually" option
Click the magnifying glass

The "View/edit script" window opens
Inside the white box, copy and paste the following code

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:

Click the Done button
Click the green traffic-light icon
Answer Yes
The PC should reboot by itself; otherwise reboot it manually

Go to C:\ and post the contents of the log generated by Avenger
Senior User
Posts: 2742
Joined: 21/05/06 15:44
Location: Palermo

Post by Morfeo76 » 14/09/06 18:27

Done, here it is:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:


Script file located at: \??\C:\Documents and Settings\penpugkr.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

File C:\WINDOWS\system32\com5.npg deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

Completed script processing.


Finished! Terminate.

I also ran a scan with VirIT and it no longer detects it!

Many thanks, you are truly fantastic!

One last thing: after this "nasty business" I noticed that in Task Manager the explorer process is maxed out, as is one of the 5 (there should be 5, right?) svchost processes and another process I can't quite identify (or maybe I don't remember it) called PXAgent.exe.... can I rest easy?
Posts: 6
Joined: 13/09/06 18:52

Post by andorra24 » 14/09/06 18:36

Morfeo76 wrote:
I also ran a scan with VirIT and it no longer detects it!

Many thanks, you are truly fantastic!

One last thing: after this "nasty business" I noticed that in Task Manager the explorer process is maxed out, as is one of the 5 (there should be 5, right?) svchost processes and another process I can't quite identify (or maybe I don't remember it) called PXAgent.exe.... can I rest easy?

Probably after a reboot those processes will return to their normal values. Your PC is now clean.
Senior User
Posts: 2742
Joined: 21/05/06 15:44
Location: Palermo

Post by Morfeo76 » 14/09/06 19:55

Nothing, still the same values...... also the same problem with Firefox.........
At startup the PC is a bit slow; is that due to this?
Posts: 6
Joined: 13/09/06 18:52

Post by andorra24 » 14/09/06 20:30

Morfeo76 wrote:
Nothing, still the same values...... also the same problem with Firefox.........
At startup the PC is a bit slow; is that due to this?

Do you also have Prevx installed? Try uninstalling it. Then empty the temp files (Internet and Windows) and run a defrag.
Senior User
Posts: 2742
Joined: 21/05/06 15:44
Location: Palermo

Post by Morfeo76 » 15/09/06 14:13

PXagent.exe was a Prevx process, which I uninstalled; I did what you told me, but nothing changed: rerunning the scan with VirIT, the infected file reappeared

15/09/2006 - 14:52:13




C:\Avenger\com5.npg Infetto da Trojan.Win32.RootKit.G


Chiavi Registro infette: 0.
Files Infetti: 1.
Files Sospetti: 0.
Files Analizzati: 41338.
Files Totali: 41338.
Chiavi Registro rimosse: 0.
Virus Rimossi: 0.
Posts: 6
Joined: 13/09/06 18:52

Post by andorra24 » 15/09/06 14:27

Try this:

Open the command prompt and type literally:
del \\.\c:\avenger\com5.npg ------> Enter
Senior User
Posts: 2742
Joined: 21/05/06 15:44
Location: Palermo
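The `\\.\` prefix in the reply above is the point worth understanding: `COM5` is a reserved DOS device name, and Windows applies that mapping to `com5.npg` regardless of the extension, so an ordinary `del C:\avenger\com5.npg` is redirected to the serial device and fails, which is the likely reason VirIT, Killbox and the manual attempts earlier in the thread could not remove the file. Prefixing the path with `\\.\` (or the equivalent Win32 file namespace prefix `\\?\`) makes the Win32 layer skip that mapping. The following is an added example, not from the thread or from any tool mentioned in it: a scanner that flags such names in a list of paths and builds the escaped path; the sample paths are constructed, and the hypothetical `delete_reserved` helper only acts on Windows.

```python
"""Detect files named after reserved DOS devices and build the path that
bypasses the device-name mapping.

Added example; not from the forum thread and not part of any tool named in it.
"""
import os
import re
import sys

# Names Win32 maps to devices no matter what extension follows them.
RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def reserved_device_name(path):
    """Return the device name a path would be mapped to, or None.

    Only the part of the file name before the first dot counts, and trailing
    spaces are ignored, mirroring the Win32 rule; 'com5.npg' -> 'COM5'.
    """
    name = path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
    stem = name.split(".", 1)[0].strip().upper()
    return stem if stem in RESERVED else None


def device_path(path):
    r"""Prefix an absolute drive-letter path with \\.\ as the reply does.

    \\.\ (device namespace) and \\?\ (Win32 file namespace) both stop the
    reserved-name substitution; the thread uses the former, so it is kept here.
    """
    p = path.replace("/", "\\")
    if p.startswith("\\\\.\\") or p.startswith("\\\\?\\"):
        return p
    if not re.match(r"^[A-Za-z]:\\", p):
        raise ValueError("expected an absolute drive-letter path: " + path)
    return "\\\\.\\" + p


def scan_names(paths):
    """Triage a list of paths; return (path, device, escaped_path) for each hit."""
    hits = []
    for p in paths:
        dev = reserved_device_name(p)
        if dev:
            hits.append((p, dev, device_path(p)))
    return hits


def delete_reserved(path):
    """Hypothetical helper: remove a reserved-name file via the device namespace.

    Refuses ordinary names so it cannot be misused as a generic delete, and
    only runs on Windows, where the \\.\ prefix exists.
    """
    if not reserved_device_name(path):
        raise ValueError("not a reserved device name: " + path)
    if sys.platform != "win32":
        raise OSError("device-namespace paths only exist on Windows")
    os.remove(device_path(path))


# Constructed sample set: the file from the thread plus harmless look-alikes.
SAMPLE_PATHS = [
    r"C:\avenger\com5.npg",                # the file the reply deletes
    r"C:\WINDOWS\system32\com5.npg",       # where VirIT first reported it
    r"C:\WINDOWS\system32\comctl32.dll",   # starts with 'com' but is no device
    r"C:\temp\nul.txt",
    r"C:\temp\lpt10.log",                  # LPT10 is not reserved
    r"C:\Documents and Settings\aux",
]

if __name__ == "__main__":
    for path, device, escaped in scan_names(SAMPLE_PATHS):
        print(f"{path}: maps to {device}; delete with: del {escaped}")
```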

Post by Luke57 » 15/09/06 15:03

Hi, if that doesn't work, straight from Lucas/s:
download this file
unzip the archive, run icesword.exe, at the bottom click the "File" button, then click "Local disk"; you should see the Avenger folder, select it, right-click and choose "Delete"
Posts: 6413
Joined: 11/08/05 19:10

Post by Morfeo76 » 16/09/06 10:16

andorra24 wrote:
Try this:

Open the command prompt and type literally:
del \\.\c:\avenger\com5.npg ------> Enter

I followed your instructions, Andorra, and now the VirIT log is clean.
I hope this damned file doesn't show up again!

Anyway, the problem seems solved; thanks to everyone.

P.S.: unfortunately the processes are still maxed out, despite the defrag...
Posts: 6
Joined: 13/09/06 18:52


Post by babery » 23/09/06 14:58

Hi everyone,
I was infected by linkoptimizer; I searched the forum for information on how to get rid of it and I uninstalled it, but when it comes to the registry I didn't quite understand what I have to do... I'm posting a HijackThis log and the Ewido report: if there is someone who can help me...

Logfile of HijackThis v1.99.1
Scan saved at 0.08.39, on 23/09/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Programmi\ewido anti-spyware 4.0\ewido.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da Libero
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {5B4D79E1-AF10-130C-90FE-F62EB199D85E} - C:\WINDOWS\vcbwc1.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ykoq7.exe] C:\WINDOWS\Temp\ykoq7.exe
O4 - HKLM\..\Run: [ykoq9.exe] C:\WINDOWS\Temp\ykoq9.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programmi\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) -
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} -
O16 - DPF: {F57D27AE-CE57-4BC8-B232-EA57747BE5B7} - ms-its:mhtml:file://C:\PATH.MHT!
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe

Ewido report:

C:\WINDOWS\Downloaded Program Files\504066.exe -> Heuristic.Win32.Dialer : Ignored.
C:\Documents and Settings\Puma\Impostazioni locali\Temporary Internet Files\Content.IE5\PWSBDHGX\send[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Ignored.
C:\Documents and Settings\Babery\Cookies\babery@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Puma\Cookies\puma@ads20.bpath[2].txt -> TrackingCookie.Bpath : Cleaned.
C:\Documents and Settings\Babery\Impostazioni locali\Temp\Cookies\babery@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Babery\Impostazioni locali\Temp\Cookies\babery@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Babery\Cookies\babery@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\WINDOWS\Downloaded Program Files\1059845.exe -> Trojan.Diamin.t : Cleaned with backup (quarantined).
C:\WINDOWS\Passe-partout.exe -> Trojan.Diamin.t : Cleaned with backup (quarantined).

::Report end

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Posts: 2
Joined: 23/09/06 10:59
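Three things in the log above are what a reviewer would normally pick out by hand: the O4 Run entries that launch `ykoq7.exe` and `ykoq9.exe` from `C:\WINDOWS\Temp`, the O2 BHO with a generic name whose DLL is missing, and the O16 entry whose codebase goes through `ms-its:mhtml:file://`, the handler chain behind the `Exploit.HTML.CodeBaseExec` hit in the Ewido report. As an added example (not the forum's or HijackThis's code), the script below parses O2/O4/O16 lines and applies exactly those three checks; the sample lines are constructed from the shape of this log, and the check names and thresholds are the author's choices, not HijackThis conventions.

```python
"""Triage the O2 (BHO), O4 (Run key) and O16 (DPF) lines of a HijackThis log.

Added example; not part of the thread and not HijackThis's own logic.
"""
import re

# Constructed sample in the format of the HijackThis v1.99.1 log posted above.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {5B4D79E1-AF10-130C-90FE-F62EB199D85E} - C:\WINDOWS\vcbwc1.dll (file missing)
O4 - HKLM\..\Run: [ccApp] C:\Programmi\File comuni\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ykoq7.exe] C:\WINDOWS\Temp\ykoq7.exe
O4 - HKLM\..\Run: [ykoq9.exe] C:\WINDOWS\Temp\ykoq9.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) -
O16 - DPF: {F57D27AE-CE57-4BC8-B232-EA57747BE5B7} - ms-its:mhtml:file://C:\PATH.MHT!
"""

GUID = r"(\{[0-9A-Fa-f-]{36}\})"
O2_RE = re.compile(r"^O2 - BHO: (.*?) - " + GUID + r" - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: " + GUID + r"(?: \(([^)]*)\))? -\s*(.*)$")

# Directory names from which a persistent autorun should never execute.
TEMP_DIRS = {"temp", "tmp", "temporary internet files"}
GENERIC_BHO_NAMES = {"", "class", "(no name)"}


def is_temp_path(path):
    """True when any directory component of the path is a temp directory."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\")]
    return any(p in TEMP_DIRS for p in parts[:-1])


def triage(log_text):
    """Return (section, identifier, reason) tuples for entries worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            name, clsid, target = m.groups()
            if "(file missing)" in target or "(no file)" in target:
                findings.append(("O2", clsid,
                                 "BHO is registered but its DLL is missing; "
                                 "orphaned entry, often a remnant of removed malware"))
            elif name.strip().lower() in GENERIC_BHO_NAMES:
                findings.append(("O2", clsid, "BHO with a generic or empty name"))
        elif m := O4_RE.match(line):
            hive, key, cmd = m.groups()
            if is_temp_path(cmd):
                findings.append(("O4", key,
                                 f"{hive} Run entry executes from a temp directory: {cmd}"))
        elif m := O16_RE.match(line):
            clsid, _name, codebase = m.groups()
            if codebase.lower().startswith(("ms-its:", "mhtml:")):
                findings.append(("O16", clsid,
                                 "DPF codebase uses the ms-its:/mhtml: handler chain, "
                                 "a known local-file execution vector"))
    return findings


if __name__ == "__main__":
    for section, ident, reason in triage(SAMPLE_HJT):
        print(f"[{section}] {ident}: {reason}")
```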

virus help

Post by takeshi » 18/10/06 22:41

hi, I don't know if I'm in the right section, but I hope you can help me. I ran a scan with antivir and this is the result, which I'll show you below,

AntiVir PersonalEdition Classic
Report file date: mercoledì 18 ottobre 2006 14:41

Scanning for 528499 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: andrea
Computer name: FIORE

Version information:
AVSCAN.EXE : 200744 21/08/2006 10:06:56
AVSCAN.DLL : 41000 07/09/2006 10:56:33
LUKE.DLL : 118824 07/09/2006 10:32:33
LUKERES.DLL : 9256 07/09/2006 10:56:33
ANTIVIR0.VDF : 7371264 31/05/2006 10:35:27
ANTIVIR1.VDF : 1745920 02/10/2006 12:33:34
ANTIVIR2.VDF : 138752 17/10/2006 12:33:34
ANTIVIR3.VDF : 12288 18/10/2006 12:33:34
AVEWIN32.DLL : 1872384 18/10/2006 12:33:35
AVPREF.DLL : 23592 24/07/2006 12:36:04
AVREP.DLL : 843816 18/10/2006 12:33:34
AVRPBASE.DLL : 2162728 30/03/2006 08:43:31
AVPACK32.DLL : 368680 21/07/2006 06:00:28
AVREG.DLL : 27688 28/07/2005 10:06:36
NETNT.DLL : 6696 27/09/2005 07:56:49
NETNW.DLL : 9768 24/07/2006 12:35:55
RCIMAGE.DLL : 1642536 01/08/2006 11:22:57
RCTEXT.DLL : 77864 18/10/2006 12:33:28

Configuration settings for the scan:
Jobname.......................: Manual Selection
Configuration file............: C:\Documents and Settings\All Users\Dati applicazioni\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Boot sectors..................: A,C,D,F,G
Scan memory...................: 1
Process scan..................: 1
Scan all files................: 1
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Macro heuristic...............: 1
File heuristic................: 0
Primary action................: 1
Secondary action..............: 0

Start of the scan: mercoledì 18 ottobre 2006 14:41

The scan of running processes will be started
11 Processes were scanned

Start scanning boot sectors:

Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'F:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( 18 files ).

Starting the file scan:

The path A:\ could not be found!
Periferica non pronta.

[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\ACMrAe.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\AFa.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\aZAL.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\bnYUbb.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\COV.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\DYM.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\elLmhU.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\GxC.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\jLhzdi.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\jNZ.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\KnH.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\kUw.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\LDn.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\MBwsY.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\mYCJS.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\Nht.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\nqO.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\NYHwz.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\oCParZ.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\ppr.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\qCQ.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\qPt.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\RpdIU.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\rqx.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\svBaRN.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\SZO.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\tiU.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\TpsGP.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\uOmin.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\vcvBmz.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\vHM.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\vtPBl.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\WnGSLO.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\Woybs.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\xxh.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\xxOkC.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\Ylp.exe
[WARNING] The file could not be opened!
C:\Programmi\File comuni\System\ZhO.exe
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
The path D:\ could not be found!
Periferica non pronta.

The path G:\ could not be found!
Periferica non pronta.

End of the scan: mercoledì 18 ottobre 2006 15:32
Used time: 50:57 min

The scan has been done completely.

2508 Scanning directories
189946 Files were scanned
0 viruses and/or unwanted programs were found
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1305 Archives were scanned
61 Warnings
3 Notes

I hope you can tell me which virus this is and how I can remove it.
Thank you very much for your attention.

Post by Luke57 » 19/10/06 08:08

Hi, run this tool:
disable the antivirus during the download and the scan. When the computer restarts, the program will finish scanning the remaining Windows folders.
A report will be written to C:\Gromozon_Removal.log.

Paste it in a post.

Then download Gmer :
After unpacking it, start it and select "Rootkit"
Click "Scan"
Wait for the scan to finish and click "Copy"
Open Windows Notepad, click Edit and choose Paste

Then run a GMer scan from the ''Autostart'' tab, following the same steps as before. Paste the generated log into the same Notepad window and then paste the two logs in a post in the forum.

If you run into difficulties or problems, let me know.

Post by takeshi » 19/10/06 14:03

I tried to start the tool you pointed me to, but when I click the link it says the page cannot be displayed. What can I do? Can I go ahead with the other operations anyway? Thanks :)

Post by Luke57 » 19/10/06 14:21

Hi, get it from here:
run it as suggested.

Post by takeshi » 19/10/06 15:07

I ran the scan with the GROMOZON tool; this is the result:

Removal tool loaded into memory
Executing rootkit removal engine....
Disabling rootkit file: \\?\C:\WINDOWS\system32\aux.sum
Resetting file permissions...
Clearing attributes...
Accesso negato - C:\_cleaned.tmp
Removing file...
Rootkit removed! Cleaning up...

Removing temp files...
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\System\ACMrAe.exe
Removing protected file: C:\Programmi\File comuni\System\AFa.exe
Removing protected file: C:\Programmi\File comuni\System\aZAL.exe
Removing protected file: C:\Programmi\File comuni\System\bnYUbb.exe
Removing protected file: C:\Programmi\File comuni\System\COV.exe
Removing protected file: C:\Programmi\File comuni\System\DYM.exe
Removing protected file: C:\Programmi\File comuni\System\elLmhU.exe
Removing protected file: C:\Programmi\File comuni\System\ghDL.exe
Removing protected file: C:\Programmi\File comuni\System\GxC.exe
Removing protected file: C:\Programmi\File comuni\System\jLhzdi.exe
Removing protected file: C:\Programmi\File comuni\System\jNZ.exe
Removing protected file: C:\Programmi\File comuni\System\KnH.exe
Removing protected file: C:\Programmi\File comuni\System\kUw.exe
Removing protected file: C:\Programmi\File comuni\System\LDn.exe
Removing protected file: C:\Programmi\File comuni\System\Lye.exe
Removing protected file: C:\Programmi\File comuni\System\MBwsY.exe
Removing protected file: C:\Programmi\File comuni\System\mYCJS.exe
Removing protected file: C:\Programmi\File comuni\System\nDx.exe
Removing protected file: C:\Programmi\File comuni\System\Nht.exe
Removing protected file: C:\Programmi\File comuni\System\nqO.exe
Removing protected file: C:\Programmi\File comuni\System\NYHwz.exe
Removing protected file: C:\Programmi\File comuni\System\oCParZ.exe
Removing protected file: C:\Programmi\File comuni\System\ppr.exe
Removing protected file: C:\Programmi\File comuni\System\qCQ.exe
Removing protected file: C:\Programmi\File comuni\System\qPt.exe
Removing protected file: C:\Programmi\File comuni\System\RpdIU.exe
Removing protected file: C:\Programmi\File comuni\System\rqx.exe
Removing protected file: C:\Programmi\File comuni\System\svBaRN.exe
Removing protected file: C:\Programmi\File comuni\System\SZO.exe
Removing protected file: C:\Programmi\File comuni\System\tiU.exe
Removing protected file: C:\Programmi\File comuni\System\TpsGP.exe
Removing protected file: C:\Programmi\File comuni\System\uOmin.exe
Removing protected file: C:\Programmi\File comuni\System\vcvBmz.exe
Removing protected file: C:\Programmi\File comuni\System\vHM.exe
Removing protected file: C:\Programmi\File comuni\System\vtPBl.exe
Removing protected file: C:\Programmi\File comuni\System\WnGSLO.exe
Removing protected file: C:\Programmi\File comuni\System\Woybs.exe
Removing protected file: C:\Programmi\File comuni\System\WuFW.exe
Removing protected file: C:\Programmi\File comuni\System\xxh.exe
Removing protected file: C:\Programmi\File comuni\System\xxOkC.exe
Removing protected file: C:\Programmi\File comuni\System\Ylp.exe
Removing protected file: C:\Programmi\File comuni\System\ZhO.exe
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\dlffc1.dll

Trojan.Gromozon Removed!

Then I ran the scan with GMER and the result is:

Rootkit 2006-10-19 15:54:56
Windows 5.1.2600 Service Pack 2

---- Files - GMER 1.0.11 ----

ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE
ADS ...

---- EOF - GMER 1.0.11 ----

This is the result of the AUTOSTART scan:

Autostart 2006-10-19 16:07:51
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName = Ati2evxx.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AntiVirScheduler /*AntiVir PersonalEdition Classic Scheduler*/@ = C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
AntiVirService /*AntiVir PersonalEdition Classic Guard*/@ = C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
Brother XP spl Service /*BrSplService*/@ = C:\WINDOWS\system32\brsvc01a.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SecNmv /*SecNmv*/@ = "C:\Programmi\File comuni\System\nDx.exe" /*file not found*/
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MessengerPlus3"C:\Programmi\MessengerPlus! 3\MsgPlus.exe" = "C:\Programmi\MessengerPlus! 3\MsgPlus.exe"
@AtiPTAatiptaxx.exe = atiptaxx.exe
@SSBkgdUpdate"C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot = "C:\Programmi\File comuni\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
@PaperPort PTDC:\Programmi\ScanSoft\PaperPort\pptd40nt.exe = C:\Programmi\ScanSoft\PaperPort\pptd40nt.exe
@IndexSearchC:\Programmi\ScanSoft\PaperPort\IndexSearch.exe = C:\Programmi\ScanSoft\PaperPort\IndexSearch.exe
@SetDefPrtC:\Programmi\Brother\Brmfl05a\BrStDvPt.exe = C:\Programmi\Brother\Brmfl05a\BrStDvPt.exe
@ControlCenter2.0C:\Programmi\Brother\ControlCenter2\brctrcen.exe /autorun = C:\Programmi\Brother\ControlCenter2\brctrcen.exe /autorun
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@SweetIMC:\Programmi\Macrogaming\SweetIM\SweetIM.exe = C:\Programmi\Macrogaming\SweetIM\SweetIM.exe
@RemoteControlC:\Programmi\CyberLink\PowerDVD\PDVDServ.exe = C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
@Ad-watchC:\Programmi\Lavasoft\Ad-aware 6\Ad-watch.exe = C:\Programmi\Lavasoft\Ad-aware 6\Ad-watch.exe
@avgnt"C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min = "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MessengerPlus3"C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart = "C:\Programmi\MessengerPlus! 3\MsgPlus.exe" /WinStart
@SweetIMC:\Programmi\Macrogaming\SweetIM\SweetIM.exe = C:\Programmi\Macrogaming\SweetIM\SweetIM.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Programmi\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{532DCF4C-B781-9DE1-CD12-1AB1962581BB} = C:\WINDOWS\dlffc1.dll /*file not found*/

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URL = ... ar=msnhome
@Start Page{SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Page =
@Local Page\blank.htm = \blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
msnim@CLSID = "C:\PROGRA~1\MSNMES~1\msgrapp.dll"
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

---- EOF - GMER 1.0.11 ----

Thank you so much for your help.
I'm waiting to hear from you. :)

Post by Luke57 » 19/10/06 15:29

Hi, open the registry like this:
Start>Run>regedt32 (paste it into the blank box)>OK

Then follow this path, clicking the + sign next to each entry
HKEY_LOCAL_Machine\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
locate this entry
right-click on it>Permissions>Advanced>Owner, set it to the computer's user>OK.
The dialog returns to the previous page; tick the three boxes for Full Control>OK.
Having done that, right-click the entry and choose Delete.

Close the registry and run these commands, one after the other:
Start>Run>sc stop SecNmv (paste it into the blank box)>OK
Start>Run>sc delete SecNmv (paste it into the blank box)>OK
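As an added example (not code from the thread, from GMER or from the Gromozon tool), here is a small Python triage script that reads a GMER Autostart log in the format takeshi pasted above, flags entries that still reference a missing file or an executable in the directory the Gromozon tool cleaned, and attaches the cleanup step Luke57 prescribes for each (sc stop / sc delete for a service, take ownership and delete for a registry value). The sample log is constructed from a few of the lines above; the "cleaned directory" heuristic is an assumption tied to this thread.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the GMER "Autostart" log quoted in the thread;
# the SecNmv service and the dlffc1.dll BHO are the two entries Luke57 asked to remove.
SAMPLE_LOG = r"""Autostart 2006-10-19 16:07:51
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AntiVirService /*AntiVir PersonalEdition Classic Guard*/@ = C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
SecNmv /*SecNmv*/@ = "C:\Programmi\File comuni\System\nDx.exe" /*file not found*/
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{532DCF4C-B781-9DE1-CD12-1AB1962581BB} = C:\WINDOWS\dlffc1.dll /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@avgnt"C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min = "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
"""

MISSING = "/*file not found*/"          # GMER's own marker for a dangling autostart
# Assumption specific to this thread: the Gromozon tool emptied "File comuni\System",
# so anything still launched from there is a leftover worth a look.
CLEANED_DIR = "\\file comuni\\system\\"


def parse_autostart(text: str) -> List[Dict[str, str]]:
    """Turn a GMER Autostart log into {key, name, value} records.

    A line ending in '>>>' opens a section whose entries follow until a blank
    line; a line starting with 'HK' and containing '@' but no '>>>' is a
    single complete entry of the form KEY@NAME = VALUE.
    """
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            section = None
            continue
        if line.endswith(">>>"):
            section = line[:-3].strip()
            continue
        if section is None:
            if not line.startswith("HK") or "@" not in line or " = " not in line:
                continue                       # banner lines such as "Autostart 2006-..."
            key, rest = line.split("@", 1)
        else:
            key, rest = section, line
        if " = " not in rest:
            continue
        name_part, value = rest.split(" = ", 1)
        # 'SecNmv /*SecNmv*/@' -> 'SecNmv';  '@avgnt"C:\...\avgnt.exe" /min' -> 'avgnt'
        cleaned = re.sub(r"/\*.*?\*/", "", name_part).lstrip("@").strip()
        name = re.split(r'[\s"]', cleaned, maxsplit=1)[0] or cleaned
        entries.append({"key": key, "name": name, "value": value.strip()})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag suspicious entries and attach the cleanup step from Luke57's post."""
    findings = []
    for e in entries:
        reasons = []
        if MISSING in e["value"]:
            reasons.append("autostart points to a file that no longer exists")
        if CLEANED_DIR in e["value"].lower():
            reasons.append("launched from the directory the removal tool cleaned")
        if not reasons:
            continue
        if "\\services\\" in e["key"].lower():
            fix = f"Start > Run > sc stop {e['name']}   then   sc delete {e['name']}"
        else:
            fix = (f"regedt32: take ownership of {e['key']}, grant Full Control, "
                   f"then delete the value {e['name']}")
        findings.append({**e, "reasons": reasons, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in triage(parse_autostart(SAMPLE_LOG)):
        print(f"{f['name']}  ({'; '.join(f['reasons'])})\n    {f['value']}\n    -> {f['fix']}")
```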

Post by takeshi » 20/10/06 14:32

Hi Luke57, I followed all your instructions to the letter and everything seemed to have gone fine, but I tried running the AntiVir scan again and it found 68 warning files. I'm sending you the scan report now.

AntiVir PersonalEdition Classic
Report file date: venerdì 20 ottobre 2006 13:46

Scanning for 529019 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: andrea
Computer name: FIORE

Version information:
AVSCAN.EXE : 200744 21/08/2006 10:06:56
AVSCAN.DLL : 41000 07/09/2006 10:56:33
LUKE.DLL : 118824 07/09/2006 10:32:33
LUKERES.DLL : 9256 07/09/2006 10:56:33
ANTIVIR0.VDF : 7371264 31/05/2006 10:35:27
ANTIVIR1.VDF : 1745920 02/10/2006 12:33:34
ANTIVIR2.VDF : 138752 17/10/2006 12:33:34
ANTIVIR3.VDF : 20480 19/10/2006 12:58:59
AVEWIN32.DLL : 1872384 18/10/2006 12:33:35
AVPREF.DLL : 23592 24/07/2006 12:36:04
AVREP.DLL : 876584 19/10/2006 12:58:59
AVRPBASE.DLL : 2162728 30/03/2006 08:43:31
AVPACK32.DLL : 368680 21/07/2006 06:00:28
AVREG.DLL : 27688 28/07/2005 10:06:36
NETNT.DLL : 6696 27/09/2005 07:56:49
NETNW.DLL : 9768 24/07/2006 12:35:55
RCIMAGE.DLL : 1642536 01/08/2006 11:22:57
RCTEXT.DLL : 77864 18/10/2006 12:33:28

Configuration settings for the scan:
Jobname.......................: Local Drives
Configuration file............: C:\Programmi\AntiVir PersonalEdition Classic\alldrives.avp
Boot sectors..................: C,F,A,D,E
Scan memory...................: 1
Process scan..................: 1
Scan all files................: 1
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Skipped archive types.........: 1000,1001,1002,1003,1004,1005,
Macro heuristic...............: 1
File heuristic................: 0
Primary action................: 1
Secondary action..............: 0

Start of the scan: venerdì 20 ottobre 2006 13:46

The scan of running processes will be started
11 Processes were scanned

Start scanning boot sectors:

Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'F:\'
[NOTE] No virus was found!
Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!

Starting to scan the registry.
The registry was scanned ( 18 files ).

Starting the file scan:

[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR1.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR10.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR11.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR12.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR13.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR14.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR15.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR16.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR17.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR18.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR19.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR1A.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR1B.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR1C.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR1D.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR1E.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR1F.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR2.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR20.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR21.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR22.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR23.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR24.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR25.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR26.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR27.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR28.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR29.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR2A.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR3.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR4.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR5.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR6.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR7.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR8.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXR9.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXRA.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXRB.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXRC.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXRD.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXRE.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\andrea\Impostazioni locali\Temp\PXRF.tmp
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\ntuser.dat.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
[WARNING] The file could not be opened!
F:\Documenti\Andrea\Mp3 Winx\programmi\InstallPREVX102000223.exe
[0] Archive type: ACE SFX (self extracting)
--> img\bins\2k_2k3_xp\lclbrk.cache.2k
[WARNING] Error creating the file
--> img\bins\2k_2k3_xp\rksig.bin
[WARNING] No further files can be extracted from this archive. The archive will be closed
The path A:\ could not be found!
Periferica non pronta.

The path D:\ could not be found!
Periferica non pronta.

The path E:\ could not be found!
Periferica non pronta.

End of the scan: venerdì 20 ottobre 2006 14:21
Used time: 35:02 min

The scan has been done completely.

2502 Scanning directories
190803 Files were scanned
0 viruses and/or unwanted programs were found
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1292 Archives were scanned
68 Warnings
3 Notes

Here it is, that's everything; I hope you can tell me what the problem is.
Thanks again so much :)
