Pc lento e files non cancellabili...

[simone89]

Ho notato il pc estremamente lento, specialmente durante la navigazione in internet. Analizzando il task manager non ho trovato niente di particolare. Lo stesso dicasi effettuando un'analisi con Adaware, Spybot e Hijackthis. Tuttavia, quando sono andato ad analizzare, per pulire, la temp ed i files temporanei di internet dei vari profili presenti sul computer non sono riuscito ad eliminare tre files .exe: com2, com4 e com6, perchè risultano attualmente impegnati dal sistema. Da chi?!?!!? C'è qualcuno che può aiutarmi? Thanks x favore!!

[andorra24]

Sospetto infezione da linkoptimizer. Scarica il tool:
http://www.prevx.com/gromozon.asp
disattiva momentaneamente l'antivirus, con i programmi e applicazioni chiusi, esegui il tool.
Al riavvio del computer, il programma terminerà la scansione nelle restanti cartelle di windows. Al termine della scansione sarà rilasciato un report in C:\Gromzon_Removal.log.
Posta il report qui sul forum.

Posta anche un log di hijackthis.

[simone89]

Ecco il log del programma hijackthis:


Logfile of HijackThis v1.99.1
Scan saved at 22.36.53, on 17/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINNT\system32\Ati2evxx.exe
E:\WINNT\Explorer.EXE
E:\Programmi\File comuni\Logitech\QCDriver\LVCOMS.EXE
H:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
E:\WINNT\system32\rundll32.exe
E:\WINNT\msncomm.exe
E:\Programmi\File comuni\Symantec Shared\ccApp.exe
E:\PROGRA~1\SYMANT~1\VPTray.exe
H:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
e:\progra~1\intern~1\iexplore.exe
E:\Programmi\Internet Explorer\iexplore.exe
E:\WINNT\msncomm.exe
E:\DOCUME~1\simone\IMPOST~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yehabgzqeyucbcdn.com/U7rqT6l ... 7WScw.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - H:\Programmi\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - E:\Programmi\Power Translator\Applications\LEC IE Translation Extension.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LVCOMS] E:\Programmi\File comuni\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [CamMonitor] H:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [zzz032] c:\windows\webcam.exe r
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [winsys] syschost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmi\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PowerTranslator Pro OLR] E:\PROGRA~1\BVRPSO~1\POWERT~1\BVRPOlr.exe /PowerTranslator Pro
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [ImMsn] E:\WINNT\msncomm.exe /i
O4 - HKLM\..\Run: [ccApp] "E:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Cisco Systems VPN Client.lnk = H:\Programmi\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Programmi\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - E:\Programmi\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - H:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - H:\Programmi\ICQLite\ICQLite.exe
O12 - Plugin for .avi: E:\Programmi\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: E:\Programmi\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - Winlogon Notify: NavLogon - E:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINNT\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - E:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINNT\system32\CTSvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - h:\Programmi\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - E:\Programmi\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: SAVRoam (SavRoam) - symantec - E:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - E:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Programmi\Symantec AntiVirus\Rtvscan.exe


Ecco il report:


Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: E:\WINNT
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\10.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\12.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\14.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\16.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\18.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\1A.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\1AD.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\1B0.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\1C.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\1D.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\20.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\23.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\25.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\26.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\29.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\2B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\2C.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\2E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\3.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\31.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\33.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\35.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\37.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\39.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\3B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\3D.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\3F.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\40.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\42.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\45.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\47.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\49.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\4B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\4D.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\4F.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\5.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\50.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\53.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\55.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\57.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\59.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\5B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\5D.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\5F.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\61.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\62.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\65.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\67.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\69.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\6A.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\6C.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\6E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\6F.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\7.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\75.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\77.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\7B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\7F.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\8E.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\9.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\91.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\B.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\D.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\F.tmp
Removed!
Gromozon-Related Malicious Code Detected!
FileName: E:\WINNT\system32\qiaa.dll
Removed!
Scanning: E:\Programmi\File comuni
Removing protected file: E:\Programmi\File comuni\System\bKF.exe
Removing protected file: E:\Programmi\File comuni\System\cUeSO.exe
Removing protected file: E:\Programmi\File comuni\System\cypVHr.exe
Removing protected file: E:\Programmi\File comuni\System\eEW.exe
Removing protected file: E:\Programmi\File comuni\System\GaD.exe
Removing protected file: E:\Programmi\File comuni\System\HcL.exe
Removing protected file: E:\Programmi\File comuni\System\iIqwvK.exe
Removing protected file: E:\Programmi\File comuni\System\KBEaBx.exe
Removing protected file: E:\Programmi\File comuni\System\kVGBcO.exe
Removing protected file: E:\Programmi\File comuni\System\lpRnS.exe
Removing protected file: E:\Programmi\File comuni\System\nsOy.exe
Removing protected file: E:\Programmi\File comuni\System\oiRBg.exe
Removing protected file: E:\Programmi\File comuni\System\Pne.exe
Removing protected file: E:\Programmi\File comuni\System\PWD.exe
Removing directory: E:\Documents and Settings\\gionata
Removing protected file: E:\Programmi\File comuni\System\pzX.exe
Removing protected file: E:\Programmi\File comuni\System\QwA.exe
Removing protected file: E:\Programmi\File comuni\System\QWqAGw.exe
Removing protected file: E:\Programmi\File comuni\System\RfEMhQ.exe
Removing protected file: E:\Programmi\File comuni\System\rGy.exe
Removing protected file: E:\Programmi\File comuni\System\RXTQrt.exe
Removing protected file: E:\Programmi\File comuni\System\UDb.exe
Removing protected file: E:\Programmi\File comuni\System\UlA.exe
Removing protected file: E:\Programmi\File comuni\System\uoecJD.exe
Removing protected file: E:\Programmi\File comuni\System\Wjo.exe
Removing protected file: E:\Programmi\File comuni\System\yGkHF.exe
Removing protected file: E:\Programmi\File comuni\System\YrW.exe
Removing protected file: E:\Programmi\File comuni\System\Zgx.exe


Trojan.Gromozon Removed!

[andorra24]

scarica Gmer :
http://www.gmer.net/gmer110.zip
Dopo averlo scompattato, lo avvii, selezioni "Rootkit"
Clicca su "Scan"
Attendi la fine della scansione e clicca su "Copy"
Apri il block notes di windows, clicca su modifica e seleziona incolla

Poi fai una scansione con GMer dalla posizione ''Autostart'', con le stesse procedure del precedente. Incolla il log generato nel suddetto block notes e poi incolla i due log in un post nel forum.

[andorra24]

Apri hijackthis, premi su ''open the misc tools section'', poi premi ''open process manager'', individua la voce indicata sotto e premi ''kill process'' :

E:\WINNT\msncomm.exe

Poi vai in basso e premi il tasto back e subito dopo il tasto scan. Metti la spunta nella casellina accanto alle voci indicate sotto e premi ''fix checked'' :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yehabgzqeyucbcdn.com/U7rqT6l ... 7WScw.html
O4 - HKLM\..\Run: [zzz032] c:\windows\webcam.exe r
O4 - HKLM\..\Run: [winsys] syschost.exe
O4 - HKLM\..\Run: [ImMsn] E:\WINNT\msncomm.exe /i

Vai su start/risorse del computer/strumenti/opzioni cartella/visualizzazione e metti la spunta su visualizza cartelle file nascosti e togli la spunta da ''nascondi i file protetti di sistema''.

Scarica killbox da qui: http://www.killbox.net/downloads/KillBox.exe
Cerca ed elimina con killbox elimina i seguenti files:
c:\windows\webcam.exe
E:\WINNT\msncomm.exe
syschost.exe (questo file cercalo su start/cerca/tutti i file e le cartelle).

[simone89]

GMER rootkit:


GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-17 23:50:51
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.10 ----

SSDT 8169BDA8 ZwConnectPort
SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 81A8D7E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 81A8DEA8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 81A8DEA8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 81A8DEA8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 81A8DEA8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 81A8D0E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 81A8D0E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 819B0428
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSEIRP_MJ_READ 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 81648CE8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_PNP 81648CE8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 81A8D0E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 819B0428
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE 81A8D0E8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_CREATE 81A8D0E8
Device \Driver\Ftdisk \Device\HarddiskVolume6 IRP_MJ_CREATE 81A8D0E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 8169ADA8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 8169ADA8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 81A8DA28
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_CREATE 81A8DA28
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSEIRP_MJ_READ 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP_POWER 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSEIRP_MJ_READ 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 8160F9A8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP_POWER 8160F9A8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 816D0EA8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 816D0EA8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSEIRP_MJ_READ 816D0EA8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 816D0EA8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 816D0EA8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 816D0EA8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_EA 816D0EA8
Device \Driver\00000249 \Device\00000007 IRP_MJ_SYSTEM_CONTROL [BFF39A26] sptd.sys
Device \Driver\00000249 \Device\00000007 IRP_MJ_DEVICE_CHANGE [BFF4DBD8] sptd.sys
Device \Driver\00000249 \Device\00000007 IRP_MJ_PNP_POWER [BFF4654E] sptd.sys
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 81A8D0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 816D2C08
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 818A20E8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 818A20E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 81581EA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 815ECA88

---- Registry - GMER 1.0.10 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_8086&DEV_7110&SUBSYS_00000000&REV_02\3&61aaa01&0&20\Device Parameters\BiosConfig@ISAPNP_CTL009e_DEV0000DA22386IrqFlags? 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_8086&DEV_7110&SUBSYS_00000000&REV_02\3&61aaa01&0&20\Device Parameters\BiosConfig@ISAPNP_CTL009e_DEV0001DA22386IrqFlags? 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_8086&DEV_7110&SUBSYS_00000000&REV_02\3&61aaa01&0&20\Device Parameters\BiosConfig@ISAPNP_CTL009e_DEV0002DA22386IrqFlags? 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_7110&SUBSYS_00000000&REV_02\3&61aaa01&0&20\Device Parameters\BiosConfig@ISAPNP_CTL009e_DEV0000DA22386IrqFlags? 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_7110&SUBSYS_00000000&REV_02\3&61aaa01&0&20\Device Parameters\BiosConfig@ISAPNP_CTL009e_DEV0001DA22386IrqFlags? 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_7110&SUBSYS_00000000&REV_02\3&61aaa01&0&20\Device Parameters\BiosConfig@ISAPNP_CTL009e_DEV0002DA22386IrqFlags? 1

---- Files - GMER 1.0.10 ----

File D:\System Volume Information\tracking.log
File E:\System Volume Information\tracking.log
File E:\WINNT\fmfhl1.del
File E:\WINNT\fmfhl1.dll
File E:\WINNT\fmfhl1.upd
File H:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----



GMER autostart :


GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-09-18 00:07:11
Windows 5.0.2195 Service Pack 4


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = E:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
NavLogon@DLLName = E:\WINNT\system32\NavLogon.dll
wzcnotif@DLLName = wzcdlg.dll


HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = E:\WINNT\system32\ati2sgag.exe
C-DillaCdaC11BA /*C-DillaCdaC11BA*/@ = E:\WINNT\system32\drivers\CDAC11BA.EXE
ccEvtMgr /*Symantec Event Manager*/@ = "E:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
ccSetMgr /*Symantec Settings Manager*/@ = "E:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe"
Creative Service for CDROM Access /*Creative Service for CDROM Access*/@ = E:\WINNT\system32\CTSvcCDA.EXE
CVPND /*Cisco Systems, Inc. VPN Service*/@ = "h:\Programmi\Cisco Systems\VPN Client\cvpnd.exe"
DefWatch /*Symantec AntiVirus Definition Watcher*/@ = "E:\Programmi\Symantec AntiVirus\DefWatch.exe"
LEC TranslateDotNet Server /*LEC TranslateDotNet Server*/@ = "E:\Programmi\Power Translator\LogoMedia TranslateDotNet Server.exe"
RemoteRegistry /*Servizio Registro di sistema remoto*/@ = %SystemRoot%\system32\regsvc.exe
SavRoam /*SAVRoam*/@ = "E:\Programmi\Symantec AntiVirus\SavRoam.exe"
SBService /*ScriptBlocking Service*/@ = E:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe /*file not found*/
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\system32\MSTask.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
StiSvc /*Still Image Service*/@ = %systemroot%\system32\stisvc.exe
Symantec AntiVirus /*Symantec AntiVirus*/@ = "E:\Programmi\Symantec AntiVirus\Rtvscan.exe"
ubt /*ubt*/@ = "E:\Programmi\File comuni\System\PWD.exe"
WMDM PMSP Service /*WMDM PMSP Service*/@ = E:\WINNT\system32\MsPMSPSv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Synchronization Managermobsync.exe /logon = mobsync.exe /logon
@LVCOMSE:\Programmi\File comuni\Logitech\QCDriver\LVCOMS.EXE = E:\Programmi\File comuni\Logitech\QCDriver\LVCOMS.EXE
@CamMonitorH:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe = H:\Programmi\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
@zzz032c:\windows\webcam.exe r /*file not found*/ = c:\windows\webcam.exe r /*file not found*/
@LoadQMloadqm.exe = loadqm.exe
@SunJavaUpdateSchedE:\Programmi\Java\j2re1.4.2_05\bin\jusched.exe = E:\Programmi\Java\j2re1.4.2_05\bin\jusched.exe
@PowerTranslator Pro OLRE:\PROGRA~1\BVRPSO~1\POWERT~1\BVRPOlr.exe /PowerTranslator Pro = E:\PROGRA~1\BVRPSO~1\POWERT~1\BVRPOlr.exe /PowerTranslator Pro
@AdslTaskBarrundll32.exe stmctrl.dll,TaskBar = rundll32.exe stmctrl.dll,TaskBar
@ccApp"E:\Programmi\File comuni\Symantec Shared\ccApp.exe" = "E:\Programmi\File comuni\Symantec Shared\ccApp.exe"
@vptrayE:\PROGRA~1\SYMANT~1\VPTray.exe = E:\PROGRA~1\SYMANT~1\VPTray.exe
@Symantec NetDriver MonitorE:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise = E:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
@DAEMON Tools"F:\Programmi\DAEMON Tools\daemon.exe" -lang 1033 = "F:\Programmi\DAEMON Tools\daemon.exe" -lang 1033

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ATI Launchpad"E:\Programmi\ATI Multimedia\main\launchpd.exe" = "E:\Programmi\ATI Multimedia\main\launchpd.exe"
@WindowsCriticalUpdateE:\WINNT\windows_critical_update.exe /*file not found*/ = E:\WINNT\windows_critical_update.exe /*file not found*/
@Symantec NetDriver MonitorE:\PROGRA~1\SYMNET~1\SNDMon.exe = E:\PROGRA~1\SYMNET~1\SNDMon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*Estensione CPL PlusPack*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Anteprima*/E:\WINNT\System32\thumbvw.dll = E:\WINNT\System32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/E:\WINNT\System32\thumbvw.dll = E:\WINNT\System32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Programma di estrazione filtri grafici di Office in anteprima*/E:\WINNT\System32\thumbvw.dll = E:\WINNT\System32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/E:\WINNT\System32\thumbvw.dll = E:\WINNT\System32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/E:\WINNT\System32\thumbvw.dll = E:\WINNT\System32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/H:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = H:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/h:\PROGRA~1\WinZip\WZSHLSTB.DLL = h:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/h:\PROGRA~1\WinZip\WZSHLSTB.DLL = h:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/h:\PROGRA~1\WinZip\WZSHLSTB.DLL = h:\PROGRA~1\WinZip\WZSHLSTB.DLL
@{A4DF5659-0801-4A60-9607-1C48695EFDA9} /*Cartella di caricamento Share-to-Web*/H:\Programmi\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL = H:\Programmi\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL
@{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} /*SnagIt*/H:\Programmi\TechSmith\SnagIt 7\SnagItIEAddin.dll = H:\Programmi\TechSmith\SnagIt 7\SnagItIEAddin.dll
@{792F0537-F929-4eb7-AC1D-FB6334C71550} /*LG Phone*/(null) =
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/H:\Programmi\ICQLite\ICQLiteShell.dll = H:\Programmi\ICQLite\ICQLiteShell.dll
@{BDA77241-42F6-11d0-85E2-00AA001FE28C} /*LDVP Shell Extensions*/E:\Programmi\File comuni\Symantec Shared\SSC\vpshell2.dll = E:\Programmi\File comuni\Symantec Shared\SSC\vpshell2.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/F:\Programmi\WinRAR\rarext.dll = F:\Programmi\WinRAR\rarext.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = E:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = H:\Programmi\ICQLite\ICQLiteShell.dll
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = E:\Programmi\File comuni\Symantec Shared\SSC\vpshell2.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = h:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = H:\Programmi\ICQLite\ICQLiteShell.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = h:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = E:\Programmi\File comuni\Symantec Shared\SSC\vpshell2.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = F:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = h:\PROGRA~1\WinZip\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = E:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = E:\WINNT\DELPIE~1.SCR

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\ >>>
.avi@Location = E:\Programmi\Internet Explorer\PLUGINS\npqtplugin.dll
.mov@Location = E:\Programmi\Internet Explorer\PLUGINS\npqtplugin.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageE:\WINNT\system32\blank.htm = E:\WINNT\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
its@CLSID = E:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = E:\WINNT\System32\itss.dll
ms-itss@CLSID = E:\Programmi\File comuni\Microsoft Shared\Information Retrieval\msitss.dll
msero@CLSID = E:\Programmi\File comuni\Microsoft Shared\Encarta Researcher\MSERO.DLL
vnd.ms.radio@CLSID = E:\WINNT\System32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000002@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000003@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000004@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000009@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000010@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000016@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000017@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

E:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Cisco Systems VPN Client.lnk = Cisco Systems VPN Client.lnk
Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.10 ----

[andorra24]

scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
Decomprimi l'archivio

Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\ubt
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\zzz032
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsCriticalUpdate

Files to delete:
E:\WINNT\fmfhl1.del
E:\WINNT\fmfhl1.dll
E:\WINNT\fmfhl1.upd
E:\Programmi\File comuni\System\PWD.exe
c:\windows\webcam.exe
E:\WINNT\windows_critical_update.exe

Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente

Una volta riavviato il pc, collegati e posta il contenuto del file C:\Avenger.txt


Lancia questo comando:
start>esegui>cmd>OK
Aperto il prompt dei comandi, digiti:
cd C:\Programmi\File comuni\System------- premi Invio
dir > C:\files.txt--------premi Invio
Chiudi il prompt e in C:\ trovi files.txt. Copi e incolli il contenuto in un post.

[andorra24]

Fai anche questi importanti controlli:

1) Vai nel Pannello di controllo e vedi se ci sono le voci LinkOptimizer e/o ConnectionServices ma se li vede non toccare nulla.
Nel caso vedessi una di queste voci (oppure entrambe) scarica MyUninstaller da qui:
http://www.nirsoft.net/utils/myuninst.html
con questo programmino potrai disinstallare LinkOptimizer e/o ConnectionServices se sono presenti nel tuo computer.
Apri il programmino (click su myuninst.exe, attendi che vengono elencate le applicazioni presenti, evidenzi Linkoptimizer (e/o ConnectionServices), click con il dx e scegli Delete selected entries.

2) Start>esegui>control userpasswords2 (lo scrivi nello spazio bianco)>OK

Nella finestra Account utente, guarda se hai un'utenza sospetta con nome casuale (oltre le consuete Administrator, Utente, Aspnet), tipo XYZFG. Segnati il nome dell'utenza ed eliminala (click con il destro e scegli elimina);

3) Rendi visibili file e cartelle nascosti:

Vai su start/risorse del computer/strumenti/opzioni cartella/visualizzazione e metti la spunta su visualizza cartelle file nascosti e togli la spunta da ''nascondi i file protetti di sistema (consigliato)''.

Vai in C:\Documents and Settings, guarda se hai una cartella con lo stesso nome dell'utenza, elimina anch'essa.

[simone89]

Facendo quello che mi hai detto te dopo aver copiato il testo e cliccato sul semaforo mi da degli errori i seguenti:
Error: selected file does not appear to be a valid sript.
Press OK lo error and continue or Cancel to abort
Error code: 1813
Che significa?

[andorra24]

Elimina il programma avenger utilizzato precedentemente e scaricati questa versione modificata:
http://www.suspectfile.com/upload/files ... venger.zip

Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Ti si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\ubt

Files to delete:
E:\WINNT\fmfhl1.del
E:\WINNT\fmfhl1.dll
E:\WINNT\fmfhl1.upd
E:\Programmi\File comuni\System\PWD.exe

Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente

Una volta riavviato il pc, collegati e posta il contenuto del file C:\Avenger.txt