Virus impossibile da cancellare... EskSnm.exe

[alex_go]

Ciao a tutti! Da un pò di giorni AVG mi sta segnando all'avvio del pc qst virus.



Se metto Heal (guarisci) mi dice ke è impossibile continuare poikè l'accesso al file è stato negato. Avviene lo stesso se voglio metterlo in quarantena.. l'unica cosa è ignorarlo. Ho provato cn Ad-Ware, KillBox e Hijack This, ma niente. Mi è impossibile eliminarlo. Provai a fare una scansione completa cn AVG e assieme a qll in precedenza mi segnalò anke qst ke vedete nella cartella.. i due evidenziati da windows in verde.



Aprii EskSnm x sbaglio e mi mando explorer.exe in crash, ma riapparve subito.
Vi posto un log di Hijackthis sperando serva a qlcs.


Logfile of HijackThis v1.99.1
Scan saved at 16.17.54, on 18/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\Trust\Ami Mouse 250S Series\lwbwheel.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Programmi\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Windows Media Player\wmplayer.exe
C:\Programmi\KiddiesBarre\KiddiesBarre.exe
C:\Documents and Settings\alex_go\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programmi\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Programmi\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programmi\Trust\Ami Mouse 250S Series\lwbwheel.exe
O4 - HKLM\..\Run: [zzzHPSETUP] G:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVCOMS] C:\WINDOWS\system32\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /M "Stylus D68" /EF "HKCU"
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7745075343
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DEE5118-2BEC-45F9-AB77-275D09DB3714}: NameServer = 193.70.152.15 193.70.152.25
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Ciao e grazie!

[Luke57]

Ciao, per avere un quadro più chiaro:
scarica Gmer :
http://www.gmer.net/gmer111.zip

Dopo averlo scompattato, lo avvii, selezioni "Rootkit" nella tabella dei Menu
Clicca su "Scan"
Attendi la fine della scansione e clicca su "Copy"
Apri il block notes di windows, clicca su modifica e seleziona incolla

Poi fai una scansione con GMer dalla posizione Autostart nella tabella dei Menu, con le stesse procedure del precedente. Incolli il log generato nel suddetto block notes e poi incolli i due log in un post nel forum.

[alex_go]

Ehm, scusa io ho fatto cm hai detto tu, ma copiando il log di Rootkit e Autostart è 1 mega e mezzo di Blocconote.. nn posso postare tutto.

[BilloKenobi]

non possono essere così tanti dati!!!

riduci il log rootkit postando le ultime righe (la sezione Files la trovi alla fine del log... è la più importante... per quanto riguarda il log autostart postalo tutto)

[alex_go]

non possono essere così tanti dati!!!

io ho sl fatto COPY dalle 2 scansioni e le ho incollate sul blocconote..
Ecco puoi vederlo qui ---> http://www.alexgo.altervista.org/Log.txt
Ciao

[BilloKenobi]

sei infetto, ma nn avevo mai visto un log del genere...

usa questo

http://www.prevx.com/gromozon.asp

[alex_go]

c'è sempe una prima volta
Cmq grazie, scansione veloce e esauriente. Trojan eliminati!
Posso eliminare la cartella in cui erano contenuto, no?

[BilloKenobi]

aspetta. quel tool elimina di solito diciamo l'80% dell'infezione. qualcosa da togliere resta sempre... il tool lascia un logfile in C:\gromozon_removal.log

puoi copiarne e postarne il contenuto?

inoltre scarica questo tool

GMER --- http://www.gmer.net/files.php

una volta scaricato, estrailo, avvialo, e fai uno scan dalla sezione "Autostart". poi clicchi su copia e incolli nella risposta

stessa cosa con la sezione "Rootkit"

[alex_go]

Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\System\EskSnm.exe
Removing directory: C:\Documents and Settings\\bwB
Removing protected file: C:\Programmi\File comuni\System\XdM.exe
Removing directory: C:\Documents and Settings\\bwB


Trojan.Gromozon Removed!

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>


GMER 1.0.11.11349 - http://www.gmer.net
Autostart 2006-09-25 15:45:01
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
AVGEMS /*AVG E-mail Scanner*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
LogWao /*LogWao*/@ = "C:\Programmi\File comuni\System\EskSnm.exe" /*file not found*/
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
PREVXAgent /*Prevx Agent*/@ = "C:\Programmi\Prevx1\PXAgent.exe" -f
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
@EPSON Stylus D68 SeriesC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68" = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
@Zone Labs Client"C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" = "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
@LWBMOUSEC:\Programmi\Trust\Ami Mouse 250S Series\lwbwheel.exe = C:\Programmi\Trust\Ami Mouse 250S Series\lwbwheel.exe
@zzzHPSETUPG:\Setup.exe /*file not found*/ = G:\Setup.exe /*file not found*/
@Share-to-Web Namespace DaemonC:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe = C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
@AdslTaskBarrundll32.exe stmctrl.dll,TaskBar = rundll32.exe stmctrl.dll,TaskBar
@SiSUSBRGC:\WINDOWS\SiSUSBrg.exe = C:\WINDOWS\SiSUSBrg.exe
@SiS TrayC:\WINDOWS\system32\sistray.EXE = C:\WINDOWS\system32\sistray.EXE
@SiS Windows KeyHookC:\WINDOWS\system32\keyhook.exe = C:\WINDOWS\system32\keyhook.exe
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_06\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
@DXM6Patch_981116C:\WINDOWS\p_981116.exe /Q:A = C:\WINDOWS\p_981116.exe /Q:A
@LVCOMSC:\WINDOWS\system32\LVCOMS.EXE /*file not found*/ = C:\WINDOWS\system32\LVCOMS.EXE /*file not found*/
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@PrevxOne"C:\Programmi\Prevx1\PXConsole.exe" = "C:\Programmi\Prevx1\PXConsole.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" /*file not found*/ = "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe" /*file not found*/
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@EPSON Stylus D68 SeriesC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /M "Stylus D68" /EF "HKCU" = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /M "Stylus D68" /EF "HKCU"
@msnmsgr"C:\Programmi\MSN Messenger\msnmsgr.exe" /background = "C:\Programmi\MSN Messenger\msnmsgr.exe" /background

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{6B19FEC2-A45B-11CF-9045-00A0C9039735} /*Registered ActiveX Controls*/C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL = C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
@{D545EBD1-BD92-11CF-8772-00A0C9039735} /*Developer Studio Components*/C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL = C:\Programmi\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{8FF88D21-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.5 Context Menu Shell Extension*/C:\Programmi\WinAce\arcext.dll = C:\Programmi\WinAce\arcext.dll
@{8FF88D25-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.5 DragDrop Shell Extension*/C:\Programmi\WinAce\arcext.dll = C:\Programmi\WinAce\arcext.dll
@{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.5 Context Menu Shell Extension*/C:\Programmi\WinAce\arcext.dll = C:\Programmi\WinAce\arcext.dll
@{8FF88D23-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.5 Property Sheet Shell Extension*/C:\Programmi\WinAce\arcext.dll = C:\Programmi\WinAce\arcext.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0792.00.dll
@{A4DF5659-0801-4A60-9607-1C48695EFDA9} /*Cartella di caricamento Share-to-Web*/C:\Programmi\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL = C:\Programmi\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL
@{792F0537-F929-4eb7-AC1D-FB6334C71550} /*LG Phone*/C:\PROGRA~1\LGPCSU~1\LGPHON~1\Phone.dll = C:\PROGRA~1\LGPCSU~1\LGPHON~1\Phone.dll
@{C169E5F0-E2B3-41F3-B81A-7BA529CBE193} /*ZipGenius Shell Extension*/C:\PROGRA~1\ZIPGEN~1\contmenu.dll = C:\PROGRA~1\ZIPGEN~1\contmenu.dll
@{2E5AC2E0-406D-11D4-86B3-FA5861508E25} /*ZipGenius Zip InfoTip*/C:\PROGRA~1\ZIPGEN~1\zgtips.dll = C:\PROGRA~1\ZIPGEN~1\zgtips.dll
@{310A0C95-EA11-42AE-A8E4-53E69E650310} /*ZipGenius Zip Drop handler*/C:\PROGRA~1\ZIPGEN~1\DROPHA~1.DLL = C:\PROGRA~1\ZIPGEN~1\DROPHA~1.DLL
@{FE8D01BF-610A-4261-9C6E-32D65A42C907} /*ZipGenius 5.5 DnD Extract handler*/C:\PROGRA~1\ZIPGEN~1\ZGDRAG~1.DLL = C:\PROGRA~1\ZIPGEN~1\ZGDRAG~1.DLL
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Programmi\Grisoft\AVG Free\avgse.dll = C:\Programmi\Grisoft\AVG Free\avgse.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll
ZFAdd@{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Programmi\WinAce\arcext.dll
ZipGenius 5@{C169E5F0-E2B3-41F3-B81A-7BA529CBE193} = C:\PROGRA~1\ZIPGEN~1\contmenu.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
ZFAdd@{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Programmi\WinAce\arcext.dll
ZipGenius 5@{C169E5F0-E2B3-41F3-B81A-7BA529CBE193} = C:\PROGRA~1\ZIPGEN~1\contmenu.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Programmi\Grisoft\AVG Free\avgse.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{55EA1964-F5E4-4D6A-B9B2-125B37655FCB} = C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = Reality Fusion GameCam SE.lnk

---- EOF - GMER 1.0.11 ----

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-25 16:15:10
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT pxfsf.sys ZwCompactKeys
SSDT pxfsf.sys ZwCompressKey
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT pxfsf.sys ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT pxfsf.sys ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT pxfsf.sys ZwFreeVirtualMemory
SSDT pxfsf.sys ZwImpersonateAnonymousToken
SSDT pxfsf.sys ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockRegistryKey
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT pxfsf.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT pxfsf.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT pxfsf.sys ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT pxfsf.sys ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT pxfsf.sys ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT pxfsf.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT pxfsf.sys ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeProcess
SSDT pxfsf.sys ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveKeyEx
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT pxfsf.sys ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT pxfsf.sys ZwSetInformationKey
SSDT pxfsf.sys ZwSetInformationProcess
SSDT pxfsf.sys ZwSetInformationThread
SSDT pxfsf.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT pxfsf.sys ZwSuspendProcess
SSDT pxfsf.sys ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT pxfsf.sys ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnloadKeyEx
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT pxfsf.sys ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT pxfsf.sys ZwWriteVirtualMemory

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [B5EC12A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B5EC12A0] vsdatant.sys

---- Processes - GMER 1.0.11 ----

Process winlogon.exe (*** hidden *** ) [592] 83D4ADA0
Process lsass.exe (*** hidden *** ) [648] 8427E8D8
Process svchost.exe (*** hidden *** ) [876] 83D7A7F8
Process svchost.exe (*** hidden *** ) [840] 84081DA0
Process svchost.exe (*** hidden *** ) [936] 83D82DA0
Process svchost.exe (*** hidden *** ) [792] 84080DA0
Process vsmon.exe (*** hidden *** ) [1052] 83D2F240
Process services.exe (*** hidden *** ) [636] 840179D8
Process alg.exe (*** hidden *** ) [2260] 8426EDA0
Process avgemc.exe (*** hidden *** ) [1408] 83C66CA8
Process zlclient.exe (*** hidden *** ) [368] 84124650
Process svchost.exe (*** hidden *** ) [1880] 84283DA0
Process System (*** hidden *** ) [4] 843CA7F8
Process MDM.EXE (*** hidden *** ) [1508] 841C2D38
Process avgamsvr.exe (*** hidden *** ) [1376] 84120830
Process svchost.exe (*** hidden *** ) [1532] 840ECD38
Process csrss.exe (*** hidden *** ) [568] 83D4AB10
Process spoolsv.exe (*** hidden *** ) [1272] 84154C60

---- Files - GMER 1.0.11 ----

ADS ...

---- EOF - GMER 1.0.11 ----

[alex_go]

ah mi son dimenticato di una cosa:

qst qui:

---- Processes - GMER 1.0.11 ----

Process winlogon.exe (*** hidden *** ) [592] 83D4ADA0
Process lsass.exe (*** hidden *** ) [648] 8427E8D8
Process svchost.exe (*** hidden *** ) [876] 83D7A7F8
Process svchost.exe (*** hidden *** ) [840] 84081DA0
Process svchost.exe (*** hidden *** ) [936] 83D82DA0
Process svchost.exe (*** hidden *** ) [792] 84080DA0
Process vsmon.exe (*** hidden *** ) [1052] 83D2F240
Process services.exe (*** hidden *** ) [636] 840179D8
Process alg.exe (*** hidden *** ) [2260] 8426EDA0
Process avgemc.exe (*** hidden *** ) [1408] 83C66CA8
Process zlclient.exe (*** hidden *** ) [368] 84124650
Process svchost.exe (*** hidden *** ) [1880] 84283DA0
Process System (*** hidden *** ) [4] 843CA7F8
Process MDM.EXE (*** hidden *** ) [1508] 841C2D38
Process avgamsvr.exe (*** hidden *** ) [1376] 84120830
Process svchost.exe (*** hidden *** ) [1532] 840ECD38
Process csrss.exe (*** hidden *** ) [568] 83D4AB10
Process spoolsv.exe (*** hidden *** ) [1272] 84154C60

me lo segna in rosso e ogni volta ke avvio GMER mi dà un avviso ke GMER ha rilevato delle modifiche di sistema ke potrebbero essere causate dalla attività ROOTKIT kidendomi se voglio scannerizzare completamente il sistema.. a cs è dovuto?

[BilloKenobi]

allora, pare che il tool abbia fatto il suo lavoro (a dire la verità piccolo nel tuo caso, ma sufficiente)

Ora estrai e avvia Avenger.exe

Seleziona l'opzione "Input Script Manually"
Clicca sulla lente di ingrandimento

Si apre una finestra "View/edit script"
All'interno del box bianco,copia e incolla le scritte in neretto:



registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\LogWao


Clicca sul pulsante Done
Clicca 2 volte sull'icona del semaforo verde
Rispondi due volte Yes
Il pc dovrebbe riavviarsi da solo,se così non fosse riavvialo manualmente


Il programma rilascia un log con le operazioni eseguite.

Posta il log di Avenger (che si trova in C:/avenger.txt) con l´esito dello script.

poi esegui questa procedura

premi start -> esegui -> cmd.exe

ti comparirà il prompt dei comandi

ora digita le seguenti righe in neretto, una dopo l'altra

cd C:\Programmi\File comuni\System

poi

dir > C:\log.txt

ora vai in c:\ e apri il file log.txt e postane il contenuto... poi vedremo se basterà così o no

[BilloKenobi]

scusa, mi sono scordato di darti il link per avenger. eccolo

http://swandog46.geekstogo.com/avenger.zip

[alex_go]

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 0


Error: could not initiate system shutdown.
Error code: 0


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wbatjofr

*******************

Script file located at: \??\C:\WINDOWS\noouqmgh.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\LogWao deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


<><><>

Il volume nell'unit… C non ha etichetta.
Numero di serie del volume: 70A9-5BC3

Directory di C:\Programmi\File comuni\System

25/09/2006 19.04 <DIR> .
25/09/2006 19.04 <DIR> ..
25/09/2006 19.04 682 1log.txt
07/09/2006 16.34 <DIR> ado
30/08/2004 22.00 81.408 directdb.dll
07/09/2006 22.24 <DIR> msadc
07/09/2006 16.40 <DIR> MSMAPI
08/09/2006 21.02 <DIR> Ole DB
17/03/2006 11.11 510.464 wab32.dll
30/08/2004 22.00 254.976 wab32res.dll
4 File 847.530 byte
6 Directory 21.992.304.640 byte disponibili

[BilloKenobi]

ora pare tutto ok... per finire farei una scansione online con bitdefender e poi in ultimo un giro di Ccleaner (http://download.ccleaner.com/ccsetup132.exe)

giusto per pulire il pc

[alex_go]

la prudenza nn è mai troppa eh?
la scans. la faccio cn bit defender install sul pc.. è lo stesso no?

[BilloKenobi]

se vuoi... così avrai un supporto antivirus on demand...