  1. #11 holifay (HTML.it user, registered May 2005, 1,330 posts)
    Post these 4 logs:

    # GMER Rootkit: download GMER.EXE. Run it, go to the Rootkit tab, click Scan. The scan result can be saved by pressing Copy.

    # GMER Autostart: in the same way as step 1, also run the scan from GMER's Autostart tab

    # Combofix: download it to the desktop and run it

    # silentrunners: download it to the desktop, press NO at the prompt


    That's quite a few, but at least we'll have the full picture
    Think you have an infected file? Send it to SuspectFile

  2. #12 Misterxxx (HTML.it user, registered Oct 2003, 3,700 posts)
    Originally posted by holifay: (quotes post #11 above in full)
    Will do.
    What are rootkits?
    I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments ... will be ... lost in time, like tears in rain. Time to die. (Roy Batty).

  3. #13 Habanero (Moderator of the "Sicurezza informatica e virus" section, registered Jun 2001, 9,782 posts)
    Originally posted by Misterxxx
    ...
    What are rootkits?
    a nasty beast...
    http://sicurezza.html.it/articoli/le...me-difendersi/
    Read the RULES!

    It's very complicated, a lot of inputs and outputs, a lot of information, a lot of elements to consider, I've got a lot of things to keep in mind...
    Drugo

  4. #14 Misterxxx (HTML.it user, registered Oct 2003, 3,700 posts)
    Combofix:
    Start Time= 14/07/2006 16.32.15,59

    QuickScan did not find any signs of infected files

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-07-14 16:25:58 528446 ( A.... ) "C:\WINDOWS\gmer.dll"
    2006-07-14 09:56:46 ( .D... ) "C:\Program Files\Trustix"
    2006-07-14 09:56:00 ( .D... ) "C:\Program Files\Comodo"
    2006-07-13 10:42:54 ( .D... ) "C:\Program Files\ToniArts"
    2006-07-12 14:57:38 0 ( A.... ) "C:\WINDOWS\SYSTEM32\cmmgr32.exe"
    2006-07-12 14:42:30 ( .D... ) "C:\Program Files\SUPERAntiSpyware"
    2006-07-12 14:42:30 ( .D... ) "C:\Documents and Settings\Marco\Application Data\SUPERAntiSpyware.com"
    2006-07-12 14:41:30 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
    2006-06-30 17:34:28 ( .D... ) "C:\Program Files\Common Files\xing shared"
    2006-06-30 17:33:48 176167 ( A.... ) "C:\WINDOWS\SYSTEM32\rmoc3260.dll"
    2006-06-30 17:33:34 6656 ( A.... ) "C:\WINDOWS\SYSTEM32\pndx5016.dll"
    2006-06-30 17:33:34 5632 ( A.... ) "C:\WINDOWS\SYSTEM32\pndx5032.dll"
    2006-06-30 17:33:32 278528 ( A.... ) "C:\WINDOWS\SYSTEM32\pncrt.dll"
    2006-06-30 17:33:26 ( .D... ) "C:\Program Files\Real"
    2006-06-30 17:33:26 ( .D... ) "C:\Program Files\Common Files\Real"
    2006-06-30 16:10:12 5248 ( A.... ) "C:\WINDOWS\SYSTEM32\giveio.sys"
    2006-06-30 16:10:12 5248 ( A.... ) "C:\WINDOWS\SYSTEM32\giveio.sys"
    2006-06-22 10:54:52 ( .D... ) "C:\Program Files\Power DVD Ripper"
    2006-06-14 14:43:32 ( .D... ) "C:\Program Files\SWFPlayer"
    2006-06-13 12:49:18 ( .D... ) "C:\Documents and Settings\Marco\Application Data\vlc"
    2006-06-13 12:48:08 ( .D... ) "C:\Program Files\VideoLAN"
    2006-06-13 12:43:52 ( .D... ) "C:\Program Files\XviD"
    2006-06-10 20:36:38 57792 ( A.... ) "C:\Documents and Settings\Marco\Application Data\GDIPFONTCACHEV1.DAT"
    2006-06-10 13:28:40 ( .D... ) "C:\Program Files\Common Files\DirectX"
    2006-06-10 13:23:56 ( .D... ) "C:\Program Files\MotoGP2"
    2006-06-06 20:49:18 745531 ( A.... ) "C:\WINDOWS\gmer.exe"
    2006-05-29 16:05:10 761856 ( A.... ) "C:\WINDOWS\SYSTEM32\xvidcore.dll"
    2006-05-27 20:39:58 ( .D... ) "C:\Program Files\Microsoft Office12"
    2006-05-23 12:10:54 ( .D... ) "C:\Program Files\ewido anti-malware"
    2006-05-23 12:07:14 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"


    (((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


    2006-07-14 16:25 745.531 C:\WINDOWS\gmer.exe
    2006-07-14 16:25 528.446 C:\WINDOWS\gmer.dll
    2006-07-12 14:57 0 C:\WINDOWS\system32\cmmgr32.exe
    2006-06-30 16:10 5.248 C:\WINDOWS\system32\giveio.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "EM_EXEC"="C:\\PROGRA~2\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
    "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
    "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "zBrowser Launcher"="C:\\PROGRA~2\\Logitech\\iTouch\\iTouch.exe"
    "nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "gStart"="C:\\Garmin\\gStart.exe"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
    @=""

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
    "{F28439F2-4996-41B8-8BD0-22789780DE81}"="NSIS Media Extension"



    Contents of the 'Scheduled Tasks' folder

    Completion time: 14/07/2006 16.35.25,65
    ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

  5. #15 Misterxxx (HTML.it user, registered Oct 2003, 3,700 posts)
    Silent Runners, part 1:
    "Silent Runners.vbs", revision 46, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "gStart" = "C:\Garmin\gStart.exe" ["GARMIN Corp."]
    "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "EM_EXEC" = "C:\PROGRA~2\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
    "Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]
    "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
    "zBrowser Launcher" = "C:\PROGRA~2\Logitech\iTouch\iTouch.exe" ["Logitech Inc."]
    "nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
    "(Default)" = (empty string)

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
    "(Default)" = (empty string)

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "DriveLetterAccess"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
    {AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
    {CF7C3CF0-4B15-11D1-ABED-709549C10000}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "IEPlugin Class"
    \InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\IEHelper.dll" ["Systweak Inc"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
    -> {HKLM...CLSID} = "KodakShellExtension"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
    -> {HKLM...CLSID} = "DriveLetterAccess"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {HKLM...CLSID} = "Portable Media Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
    -> {HKLM...CLSID} = "ShellLink for Application References"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
    "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
    -> {HKLM...CLSID} = "Shell Icon Handler for Application References"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
    "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
    -> {HKLM...CLSID} = "Shell Search Band"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
    "{B089FE88-FB52-11d3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
    -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]
    "{1EBC3533-B289-409F-9924-B84B3F0717D2}" = "AceFTP Context Menu Shell Extension"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~2\VISICO~1\ACEFTP~1\FTPCntxt.dll" ["Visicom Media Inc."]
    "{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"
    -> {HKLM...CLSID} = "Haali Column Provider"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\mmfinfo.dll" [null data]
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
    -> {HKLM...CLSID} = "Universal Plug and Play Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
    "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
    -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
    "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    "{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    "{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    "{40DAD1B9-DDCF-4A31-A5D3-A03BC8881370}" = "IndexingServiceExtExt Extension"
    -> {HKLM...CLSID} = "IndexingServiceExt Class"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\windexserv.dll" [null data]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
    INFECTION WARNING! "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
    -> {HKLM...CLSID} = "SABShellExecuteHook Class"
    \InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
    INFECTION WARNING! SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"
    -> {HKLM...CLSID} = "Haali Column Provider"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\mmfinfo.dll" [null data]
    {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AceFTP\(Default) = "{1EBC3533-B289-409F-9924-B84B3F0717D2}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~2\VISICO~1\ACEFTP~1\FTPCntxt.dll" ["Visicom Media Inc."]
    Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
    -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {HKLM...CLSID} = "Ctest Object"
    \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
    FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]
    NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"
    -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

  6. #16 Misterxxx (HTML.it user, registered Oct 2003, 3,700 posts)
    Silent Runners, part 2:
    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AceFTP\(Default) = "{1EBC3533-B289-409F-9924-B84B3F0717D2}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~2\VISICO~1\ACEFTP~1\FTPCntxt.dll" ["Visicom Media Inc."]
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {HKLM...CLSID} = "Ctest Object"
    \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
    FileEncrypt\(Default) = "{90A07ACC-0331-4aee-9AAD-A854A9C37667}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Advanced System Optimizer\ShellExt.dll" ["Systweak Inc"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11d3-BDF1-0050DA34150D}"
    -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" ["Eset "]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~2\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Marco\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmyst.scr" [MS]


    Startup items in "Marco" & "All Users" startup folders:
    -------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "APC UPS Status" -> shortcut to: "C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe" ["American Power Conversion Corporation"]
    "del.bat" -> shortcut to: "E:\Documenti\del.bat" [null data]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
    000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    imon.dll ["Eset "], 01 - 08, 39
    %SystemRoot%\system32\mswsock.dll [MS], 09 - 11, 14 - 38
    %SystemRoot%\system32\rsvpsp.dll [MS], 12 - 13


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
    -> {HKLM...CLSID} = "Adobe PDF"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}"
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_05"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll" ["Sun Microsystems, Inc."]

    {85D1F590-48F4-11D9-9669-0800200C9A66}\
    "MenuText" = "Uninstall BitDefender Online Scanner v8"
    "Exec" = "%windir%\bdoscandel.exe" [null data]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    APC UPS Service, APC UPS Service, "C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe" ["American Power Conversion Corporation"]
    ASWLSVC, ASWLSVC, "C:\WINDOWS\SYSTEM32\ASWLSVC.exe" [null data]
    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
    EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
    EpsonBidirectionalService, EpsonBidirectionalService, "C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe" [null data]
    ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
    ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
    IPv6 Helper Service, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
    Kodak Camera Connection Software, KodakCCS, "C:\WINDOWS\system32\drivers\KodakCCS.exe" ["Eastman Kodak Company"]
    Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
    NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
    RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
    ScsiAccess, ScsiAccess, "C:\WINDOWS\system32\ScsiAccess.EXE" [null data]
    Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
    TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
    APFMON40\Driver = "APFMON40.DLL" ["TurboPower Software Company"]
    EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
    LPR Port\Driver = "lprmon.dll" [MS]
    Microsoft Office Document Image Writer Monitor\Driver = "mdimon.dll" [MS]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 116 seconds.
    + The search for all Registry CLSIDs containing dormant Explorer Bars
    took 34 seconds.
    ---------- (total run time: 188 seconds)
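An added triage helper for the Silent Runners output shown in posts #15 and #16 (example code written for this thread, not part of the posts and not part of the Silent Runners script): it parses report lines of the form `name = "path" [tag]`, carries each CLSID header down to its \InProcServer32 line, and ranks the entries Silent Runners annotates as [file not found] or [null data], marks with INFECTION WARNING!, or whose version-info company string is a placeholder. The sample report is constructed in the same shape as the posted log, and the scores are my own assumption, not anything the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of a Silent Runners (revision 46) report, modelled
# on the lines posted in this thread; it is not the poster's log.
SAMPLE_REPORT = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
       \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
       \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
'''

KEY_RE = re.compile(r'^HK(?:LM|CU|U)\\')                      # registry launch-point header
TAG_RE = re.compile(r'^(?P<value>.*?) \[(?P<tag>[^\]]*)\]$')  # value followed by [annotation]
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|scr|bat|vbs))', re.I)
WARN = 'INFECTION WARNING!'  # marker Silent Runners puts on commonly abused key types


@dataclass
class Finding:
    key: str     # launch point the entry lives under
    name: str    # value name or CLSID as printed by Silent Runners
    path: str    # file the entry points at
    tag: str     # bracketed annotation from the report
    reason: str  # why a human should look at it
    score: int   # 1 = check, 2 = review, 3 = escalate (weights are an assumption)


def extract_path(value: str) -> str:
    """Pull the executable/DLL path out of a value that may carry quotes and arguments."""
    m = PATH_RE.search(value)
    return m.group(1) if m else value.strip('"')


def classify(warned: bool, tag: str) -> Optional[Tuple[str, int]]:
    """Map the report's annotation (plus its INFECTION WARNING! marker) to a reason and score."""
    if tag == 'file not found':
        return 'dangling launch point: file is missing, remove or explain the entry', 2
    if tag == 'null data':
        return 'no company name in version info: check the file hash with the vendor', 2
    if tag == 'MS':
        return None  # Silent Runners recognised a Microsoft file
    vendor = tag.strip('"').strip()
    if 'TODO' in vendor or '<' in vendor:
        return 'placeholder vendor string in version info: verify the file', 3
    if warned:
        return 'key type that Silent Runners marks as commonly abused: confirm the vendor', 1
    return None


def triage(report: str) -> List[Finding]:
    """Walk a Silent Runners report; return entries worth a second look, highest score first."""
    findings: List[Finding] = []
    key, entry_name, entry_warned = '', '', False
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith('->'):
            continue  # blank, or the CLSID title line, which carries no file info
        if KEY_RE.match(line):
            key = line.replace(' {++}', '').rstrip('\\')
            continue
        warned = line.startswith(WARN)
        if warned:
            line = line[len(WARN):].strip()
        parts = line.split(' = ', 1)
        if len(parts) != 2:
            continue
        name, value = parts
        if not line.startswith('\\InProcServer32'):
            # a direct entry, or a CLSID header whose file comes on the InProcServer32 line
            entry_name, entry_warned = name, warned
        m = TAG_RE.match(value)
        if not m:
            continue  # header line without an annotation: nothing to score yet
        verdict = classify(entry_warned, m['tag'])
        if verdict:
            findings.append(Finding(key, entry_name, extract_path(m['value']), m['tag'], *verdict))
    return sorted(findings, key=lambda f: -f.score)


if __name__ == '__main__':
    for f in triage(SAMPLE_REPORT):
        print(f'[{f.score}] {f.key}\n    {f.name} -> {f.path} [{f.tag}]\n    {f.reason}')
```

Entries the script recognises as Microsoft files or from a named vendor in an ordinary Run key produce no finding, so the output is the short list a helper would actually read.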

  7. #17 Misterxxx (HTML.it user, registered Oct 2003, 3,700 posts)
    GMer AS:
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
    AtiExtEvent@DLLName = Ati2evxx.dll
    SASWinLogon@DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    HKLM\SYSTEM\CurrentControlSet\Services\ >>>
    APC UPS Service /*APC UPS Service*/@ = C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    ASWLSVC /*ASWLSVC*/@ = C:\WINDOWS\SYSTEM32\ASWLSVC.exe
    Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
    EpsonBidirectionalService /*EpsonBidirectionalService*/@ = C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    EPSONStatusAgent2 /*EPSON Printer Status Agent2*/@ = C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    ewido security suite control /*ewido security suite control*/@ = C:\Program Files\ewido anti-malware\ewidoctrl.exe
    ewido security suite guard /*ewido security suite guard*/@ = C:\Program Files\ewido anti-malware\ewidoguard.exe
    KodakCCS /*Kodak Camera Connection Software*/@ = %SystemRoot%\system32\drivers\KodakCCS.exe
    MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
    NOD32krn /*NOD32 Kernel Service*/@ = "C:\Program Files\Eset\nod32krn.exe"
    ScsiAccess /*ScsiAccess*/@ = C:\WINDOWS\system32\ScsiAccess.EXE
    ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
    SimpTcp /*Simple TCP/IP Services*/@ = %SystemRoot%\System32\tcpsvcs.exe
    Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
    UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
    vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
    @EM_EXECC:\PROGRA~2\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE = C:\PROGRA~2\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    @Zone Labs Client"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    @ATIPTAC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    @zBrowser LauncherC:\PROGRA~2\Logitech\iTouch\iTouch.exe = C:\PROGRA~2\Logitech\iTouch\iTouch.exe
    @nod32kui"C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE = "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    @ /*file not found*/ = /*file not found*/
    RunOnceEx@ = /*file not found*/

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
    @CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    @gStartC:\Garmin\gStart.exe = C:\Garmin\gStart.exe
    @MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@UPnPMonitor = C:\WINDOWS\system32\upnpui.dll

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
    @{54D9498B-CF93-414F-8984-8CE7FDE0D391}C:\Program Files\ewido anti-malware\shellhook.dll = C:\Program Files\ewido anti-malware\shellhook.dll
    @{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}C:\Program Files\SUPERAntiSpyware\SASSEH.DLL = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
    @{F28439F2-4996-41B8-8BD0-22789780DE81}(null) =

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
    @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
    @{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
    @{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~2\WINZIP\WZSHLSTB.DLL = C:\PROGRA~2\WINZIP\WZSHLSTB.DLL
    @{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~2\WINZIP\WZSHLSTB.DLL = C:\PROGRA~2\WINZIP\WZSHLSTB.DLL
    @{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~2\WINZIP\WZSHLSTB.DLL = C:\PROGRA~2\WINZIP\WZSHLSTB.DLL
    @{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~2\WINZIP\WZSHLSTB.DLL = C:\PROGRA~2\WINZIP\WZSHLSTB.DLL
    @{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
    @{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
    @{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
    @{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\Program Files\Common Files\Microsoft Shared\Web Folders\msonsext.dll = C:\Program Files\Common Files\Microsoft Shared\Web Folders\msonsext.dll
    @{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
    @{acb4a560-3606-11d3-aef4-00104bd0f92d} /*KodakShellExtension*/C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll = C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll
    @{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
    @{5CA3D70E-1895-11CF-8E15-001234567890} /*DriveLetterAccess*/C:\WINDOWS\system32\dla\tfswshx.dll = C:\WINDOWS\system32\dla\tfswshx.dll
    @{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/(null) =
    @{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
    @{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
    @{B089FE88-FB52-11d3-BDF1-0050DA34150D} /*NOD32 Context Menu Shell Extension*/C:\Program Files\Eset\nodshex.dll = C:\Program Files\Eset\nodshex.dll
    @{1EBC3533-B289-409F-9924-B84B3F0717D2} /*AceFTP Context Menu Shell Extension*/C:\PROGRA~2\VISICO~1\ACEFTP~1\FTPCntxt.dll = C:\PROGRA~2\VISICO~1\ACEFTP~1\FTPCntxt.dll
    @{0561EC90-CE54-4f0c-9C55-E226110A740C} /*Haali Column Provider*/C:\WINDOWS\system32\mmfinfo.dll = C:\WINDOWS\system32\mmfinfo.dll
    @{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Universal Plug and Play Devices*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
    @{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
    @{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} /*OpenOffice.org Column Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
    @{087B3AE3-E237-4467-B8DB-5A38AB959AC9} /*OpenOffice.org Infotip Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
    @{63542C48-9552-494A-84F7-73AA6A7C99C1} /*OpenOffice.org Property Sheet Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
    @{3B092F0C-7696-40E3-A80F-68D74DA84210} /*OpenOffice.org Thumbnail Viewer*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
    @{40DAD1B9-DDCF-4A31-A5D3-A03BC8881370} /*IndexingServiceExtExt Extension*/C:\WINDOWS\System32\windexserv.dll = C:\WINDOWS\System32\windexserv.dll
    @{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll

    HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\Program Files\Common Files\Microsoft Shared\Web Folders\msonsext.dll

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
    AceFTP@{1EBC3533-B289-409F-9924-B84B3F0717D2} = C:\PROGRA~2\VISICO~1\ACEFTP~1\FTPCntxt.dll
    Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
    ewido@{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
    FileEncrypt@{90A07ACC-0331-4aee-9AAD-A854A9C37667} = C:\Program Files\Advanced System Optimizer\ShellExt.dll
    NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
    WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
    WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~2\WINZIP\WZSHLSTB.DLL

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
    AceFTP@{1EBC3533-B289-409F-9924-B84B3F0717D2} = C:\PROGRA~2\VISICO~1\ACEFTP~1\FTPCntxt.dll
    ewido@{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
    FileEncrypt@{90A07ACC-0331-4aee-9AAD-A854A9C37667} = C:\Program Files\Advanced System Optimizer\ShellExt.dll
    WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
    WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~2\WINZIP\WZSHLSTB.DLL

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
    NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Program Files\Eset\nodshex.dll
    WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
    WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~2\WINZIP\WZSHLSTB.DLL

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
    @{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    @{5CA3D70E-1895-11CF-8E15-001234567890}C:\WINDOWS\system32\dla\tfswshx.dll = C:\WINDOWS\system32\dla\tfswshx.dll
    @{AE7CD045-E861-484f-8273-0445EE161910}C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    @{CF7C3CF0-4B15-11D1-ABED-709549C10000}C:\Program Files\Advanced System Optimizer\IEHelper.dll = C:\Program Files\Advanced System Optimizer\IEHelper.dll

    HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\ssmyst.scr

    HKLM\Software\Microsoft\Internet Explorer\Main >>>
    @Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
    @Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    @Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

    HKCU\Software\Microsoft\Internet Explorer\Main >>>
    @Start Pageabout:blank = about:blank
    @Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

    HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
    cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
    its@CLSID = C:\WINDOWS\System32\itss.dll
    mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
    ms-help@CLSID = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    ms-its@CLSID = C:\WINDOWS\System32\itss.dll
    ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
    mso-offdap@CLSID = C:\PROGRA~2\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
    tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
    wia@CLSID = C:\WINDOWS\System32\wiascr.dll

    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{48BC78AC-C5C8-4CD4-9020-1D533BBFDC64} /*PCI Sat Card*/ >>>
    @IPAddress192.168.238.238 = 192.168.238.238
    @NameServer =
    @DefaultGateway =
    @Domain =

    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
    000000000004@LibraryPath = C:\WINDOWS\system32\pnrpnsp.dll
    000000000005@LibraryPath = C:\WINDOWS\system32\pnrpnsp.dll

    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
    000000000001@PackedCatalogItem = imon.dll
    000000000002@PackedCatalogItem = imon.dll
    000000000003@PackedCatalogItem = imon.dll
    000000000004@PackedCatalogItem = imon.dll
    000000000005@PackedCatalogItem = imon.dll
    000000000006@PackedCatalogItem = imon.dll
    000000000007@PackedCatalogItem = imon.dll
    000000000008@PackedCatalogItem = imon.dll

    HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000039@PackedCatalogItem = imon.dll

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
    APC UPS Status.lnk = APC UPS Status.lnk
    del.bat.lnk = del.bat.lnk
    I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhäuser Gate. All those moments ... will be lost ... in time, like tears in rain. Time to die. (Roy Batty).

  8. #18
    HTML.it user Misterxxx
    Registered since
    Oct 2003
    Posts
    3,700
    GMer rootkit:
    GMER 1.0.10.10122 - http://www.gmer.net
    Rootkit 2006-07-17 09:51:41
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.10 ----

    SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
    SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
    SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwTerminateProcess

    ---- Devices - GMER 1.0.10 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [BAE8CFC0] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [BAE8CFC0] vsdatant.sys
    Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE B7906C8A
    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_DEVICE_CONTROL [BACE34F5] tfsnifs.sys
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_DEVICE_CONTROL [BACE34F5] tfsnifs.sys
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_DEVICE_CONTROL [BACE34F5] tfsnifs.sys
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_DEVICE_CONTROL [BACE34F5] tfsnifs.sys
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_DEVICE_CONTROL [BACE34F5] tfsnifs.sys
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL [BACE3611] tfsnifs.sys

    ---- Files - GMER 1.0.10 ----

    File C:\System Volume Information\MountPointManagerRemoteDatabase
    File C:\System Volume Information\tracking.log
    File C:\System Volume Information\_restore{6C88E89F-11D5-40B2-8B8A-0441CF58D37A}
    File E:\System Volume Information\MountPointManagerRemoteDatabase
    File E:\System Volume Information\tracking.log
    File E:\System Volume Information\_restore{2148EC8C-2674-4F70-AAEB-629B3D32FAAD}
    File E:\System Volume Information\_restore{58D0E410-5B9C-4208-BFFC-F431A081BD07}
    File E:\System Volume Information\_restore{6C88E89F-11D5-40B2-8B8A-0441CF58D37A}

    ---- EOF - GMER 1.0.10 ----

  9. #19
    HTML.it user Misterxxx
    Registered since
    Oct 2003
    Posts
    3,700
    WAITING CONFIDENTLY !!!

  10. #20
    HTML.it user holifay
    Registered since
    May 2005
    Posts
    1,330
    Well, I understand why the other forums are groping in the dark.. there don't seem to be any rootkits, nor anything else very obvious. I'll now look at the various logs more carefully, but in the meantime I'd advise:

    1) Uninstall all versions of Java and JAVARUNTIME from Control Panel >> Add or Remove Programs. Yours is 1.5.0_05 and it is outdated as far as security is concerned. When done, install the latest from here http://www.java.com/it/download/index.jsp

    2) Empty all temporary folders and the IE and Firefox caches

    3) Check the file C:/Documents and Settings/Marco/Application Data/GDIPFONTCACHEV1.DAT on www.virustotal.com. It may be legitimate, but it is reported in association with this (and other) worms. Then post the scan results.

    Can you say more precisely on which occasions the popups appear, or is it really random?
    Think you have an infected file? Send it to SuspectFile
