Hi everyone,
I've caught Backdoor.Haxdoor but haven't found any effective way to remove it.
I tried Spy Sweeper, nothing; Adware, nothing. Any advice? Is there a fix?
bye, Marco
Download the latest version of systemscan. Close all applications and run it. Run the scan. When it finishes it will save the file report.zip in the suspectfile folder. Put that file on www.mytempdir.com and post the link to the log here.
Think you have an infected file? Send it to SuspectFile
I received the report.
Before going any further, could you post me (here too, there is no sensitive information in it) a new log with only the Device driver services option selected? Deselect everything else.
Thanks
Here it is!
PS: since you're in Milan, tonight I'll be at Before for an aperitivo; if you drop by, I'll buy you a drink!
----------------------------------------------------------------------
systemscan - www.suspectfile.com - ver. 2.0.20
Date: 28/12/2006
Time: 15.03.13,28
Output limited to:
-Device Driver Services
-------------List of running device driver services -------------
Unable to enumerate available services on Windows system. (Get query)
SYSTEM SAYS: Sono disponibili altri dati.
-------------List of NOT running device driver services -------------
000) "abp480n5" - abp480n5
001) "adpu160m" - adpu160m
002) "aec" - Eliminatore di eco acustico del kernel Microsoft
---> FILE = system32\drivers\aec.sys
003) "Aha154x" - Aha154x
004) "aic78u2" - aic78u2
005) "aic78xx" - aic78xx
006) "AliIde" - AliIde
007) "amsint" - amsint
008) "asc" - asc
009) "asc3350p" - asc3350p
010) "asc3550" - asc3550
011) "AsyncMac" - Driver per supporti asincroni RAS
---> FILE = system32\DRIVERS\asyncmac.sys
012) "Atdisk" - Atdisk
013) "Atmarpc" - Protocollo client ARP ATM
---> FILE = system32\DRIVERS\atmarpc.sys
014) "cbidf2k" - cbidf2k
015) "cd20xrnt" - cd20xrnt
016) "Cdaudio" - Cdaudio
017) "Changer" - Changer
018) "CmdIde" - CmdIde
019) "Cpqarray" - Cpqarray
020) "dac960nt" - dac960nt
021) "dmboot" - dmboot
---> FILE = System32\drivers\dmboot.sys
022) "DMusic" - Sintetizzatore DLS Microsoft Kernel
---> FILE = system32\drivers\DMusic.sys
023) "dpti2o" - dpti2o
024) "drmkaud" - Decodificatore audio DRM del kernel Microsoft
---> FILE = system32\drivers\drmkaud.sys
025) "Fdc" - Fdc
026) "Flpydisk" - Flpydisk
027) "HdAudAddService" - Microsoft UAA Function Driver for High Definition Audio Service
---> FILE = system32\drivers\HdAudio.sys
028) "hpn" - hpn
029) "i2omgmt" - i2omgmt
030) "i2omp" - i2omp
031) "ini910u" - ini910u
032) "Ip6Fw" - Driver Windows Firewall IPv6
---> FILE = system32\DRIVERS\Ip6Fw.sys
033) "IpFilterDriver" - Driver filtro traffico IP
---> FILE = system32\DRIVERS\ipfltdrv.sys
034) "IpInIp" - Driver tunnel IP in IP
---> FILE = system32\DRIVERS\ipinip.sys
035) "IpNat" - Traduttore indirizzi di rete IP
---> FILE = system32\DRIVERS\ipnat.sys
036) "lbrtfdc" - lbrtfdc
037) "Modem" - Modem
038) "mraid35x" - mraid35x
039) "MSKSSRV" - Proxy di servizio di flusso Microsoft
---> FILE = system32\drivers\MSKSSRV.sys
040) "MSPCLOCK" - Proxy clock di flusso Microsoft
---> FILE = system32\drivers\MSPCLOCK.sys
041) "MSPQM" - Proxy di gestione qualità di flusso Microsoft
---> FILE = system32\drivers\MSPQM.sys
042) "NwlnkFlt" - Driver filtro traffico IPX
---> FILE = system32\DRIVERS\nwlnkflt.sys
043) "NwlnkFwd" - Driver inoltratore traffico IPX
---> FILE = system32\DRIVERS\nwlnkfwd.sys
044) "PCIDump" - PCIDump
045) "PDCOMP" - PDCOMP
046) "PDFRAME" - PDFRAME
047) "PDRELI" - PDRELI
048) "PDRFRAME" - PDRFRAME
049) "perc2" - perc2
050) "perc2hib" - perc2hib
051) "ql1080" - ql1080
052) "Ql10wnt" - Ql10wnt
053) "ql12160" - ql12160
054) "ql1240" - ql1240
055) "ql1280" - ql1280
056) "RDPWD" - RDPWD
057) "Secdrv" - Secdrv
---> FILE = system32\DRIVERS\secdrv.sys
058) "Serial" - Serial
059) "Sfloppy" - Sfloppy
060) "Simbad" - Simbad
061) "Sparrow" - Sparrow
062) "splitter" - Frazionatore audio del kernel Microsoft
---> FILE = system32\drivers\splitter.sys
063) "swmidi" - Sintetizzatore Wavetable GS kernel Microsoft
---> FILE = system32\drivers\swmidi.sys
064) "symc810" - symc810
065) "symc8xx" - symc8xx
066) "sym_hi" - sym_hi
067) "sym_u3" - sym_u3
068) "TDPIPE" - TDPIPE
069) "TDTCP" - TDTCP
070) "TosIde" - TosIde
071) "Udfs" - Udfs
072) "ultra" - ultra
073) "usbccgp" - Driver principale generico USB Microsoft
---> FILE = system32\DRIVERS\usbccgp.sys
074) "usbprint" - Classe stampanti USB Microsoft
---> FILE = system32\DRIVERS\usbprint.sys
075) "usbscan" - Driver scanner USB
---> FILE = system32\DRIVERS\usbscan.sys
076) "ViaIde" - ViaIde
077) "w29n51" - Driver di Intel(R) PRO/Wireless 2200BG Network Connection Driver per Windows XP
---> FILE = system32\DRIVERS\w29n51.sys
078) "WDICA" - WDICA
079) "xcttgs" - STK Bi 002
---> FILE = \??\C:\WINDOWS\system32\xcttgm.sys
--------------------------
Scan completed in 0 minutes
End of report
Hmm, would you mind running it again? Check whether it manages to enumerate the active drivers... right now the message is Unable to enumerate available services on Windows system. (Get query).
If needed, try a couple more times, and if the message is still the same, click Run as a system task first and then try again. If the log is still the same, never mind, don't post it, but let me know and I'll tell you how to proceed.
Thanks for the offer!
You know, I didn't understand: where do I see whether it manages to enumerate them?
This is the report it produces:
systemscan - www.suspectfile.com - ver. 2.0.20
Date: 28/12/2006
Time: 15.36.24,89
Output limited to:
-Device Driver Services
-------------List of running device driver services -------------
000) "ACPI" - Driver ACPI Microsoft
---> FILE = \SystemRoot\system32\DRIVERS\ACPI.sys
001) "ACPIEC" - Driver del controller integrato Microsoft
---> FILE = \SystemRoot\system32\DRIVERS\ACPIEC.sys
002) "AegisP" - AEGIS Protocol (IEEE 802.1x) v3.2.0.3
---> FILE = system32\DRIVERS\AegisP.sys
003) "AFD" - AFD
---> FILE = \SystemRoot\System32\drivers\afd.sys
004) "Arp1394" - Protocollo client ARP 1394
---> FILE = system32\DRIVERS\arp1394.sys
005) "atapi" - Controller disco rigido IDE/ESDI standard
---> FILE = \SystemRoot\system32\DRIVERS\atapi.sys
006) "ati2mtag" - ati2mtag
---> FILE = system32\DRIVERS\ati2mtag.sys
007) "audstub" - Driver stub audio
---> FILE = system32\DRIVERS\audstub.sys
008) "Beep" - Beep
009) "Cdfs" - Cdfs
010) "Cdrom" - Driver del CD-ROM
---> FILE = system32\DRIVERS\cdrom.sys
011) "CmBatt" - Driver batteria a metodo di controllo ACPI Microsoft
---> FILE = system32\DRIVERS\CmBatt.sys
012) "Compbatt" - Driver della batteria composita Microsoft
---> FILE = \SystemRoot\system32\DRIVERS\compbatt.sys
013) "Disk" - Driver del disco
---> FILE = \SystemRoot\system32\DRIVERS\disk.sys
014) "dmio" - Driver Gestione dischi logici
---> FILE = \SystemRoot\System32\drivers\dmio.sys
015) "dmload" - dmload
---> FILE = \SystemRoot\System32\drivers\dmload.sys
016) "Fastfat" - Fastfat
017) "Fips" - Fips
018) "FltMgr" - FltMgr
---> FILE = \SystemRoot\system32\DRIVERS\fltMgr.sys
019) "Ftdisk" - Driver archiviazione volumi
---> FILE = \SystemRoot\system32\DRIVERS\ftdisk.sys
020) "Gpc" - Utilità di classificazione pacchetti generica
---> FILE = system32\DRIVERS\msgpc.sys
021) "HDAudBus" - Microsoft UAA Bus Driver for High Definition Audio
---> FILE = system32\DRIVERS\HDAudBus.sys
022) "HidUsb" - Driver di classe HID Microsoft
---> FILE = system32\DRIVERS\hidusb.sys
023) "HTTP" - HTTP
---> FILE = System32\Drivers\HTTP.sys
024) "i8042prt" - Driver di porta mouse PS/2 e tastiera i8042
---> FILE = system32\DRIVERS\i8042prt.sys
025) "Imapi" - Driver filtro masterizzazione CD
---> FILE = system32\DRIVERS\imapi.sys
026) "IntcAzAudAddService" - Service for Realtek HD Audio (WDM)
---> FILE = system32\drivers\RtkHDAud.sys
027) "IntelIde" - IntelIde
---> FILE = \SystemRoot\system32\DRIVERS\intelide.sys
028) "intelppm" - Driver processore Intel
---> FILE = system32\DRIVERS\intelppm.sys
029) "IPSec" - Driver IPSEC
---> FILE = system32\DRIVERS\ipsec.sys
030) "irda" - Protocollo IrDA
---> FILE = system32\DRIVERS\irda.sys
031) "IRENUM" - Servizio enumeratore infrarossi
---> FILE = system32\DRIVERS\irenum.sys
032) "isapnp" - Driver bus PnP ISA/EISA
---> FILE = \SystemRoot\system32\DRIVERS\isapnp.sys
033) "Kbdclass" - Driver classe tastiera
---> FILE = system32\DRIVERS\kbdclass.sys
034) "kmixer" - Mixer wave audio del kernel Microsoft
---> FILE = system32\drivers\kmixer.sys
035) "KSecDD" - KSecDD
036) "mnmdd" - mnmdd
037) "Mouclass" - Driver classe mouse
---> FILE = system32\DRIVERS\mouclass.sys
038) "mouhid" - Driver di mouse HID
---> FILE = system32\DRIVERS\mouhid.sys
039) "MountMgr" - MountMgr
040) "MRxDAV" - Redirector del client WebDav
---> FILE = system32\DRIVERS\mrxdav.sys
041) "MRxSmb" - MRXSMB
---> FILE = system32\DRIVERS\mrxsmb.sys
042) "Msfs" - Msfs
043) "mssmbios" - Driver BIOS Microsoft System Management
---> FILE = system32\DRIVERS\mssmbios.sys
044) "Mup" - Mup
045) "NAVAP" - NAVAP
---> FILE = \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
046) "NAVAPEL" - NAVAPEL
---> FILE = \??\C:\Programmi\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS
047) "NAVENG" - NAVENG
---> FILE = \??\C:\PROGRA~1\FILECO~1\SYMANT~1\VIRUSD~1\20061224.008\NAVENG.sys
048) "NAVEX15" - NAVEX15
---> FILE = \??\C:\PROGRA~1\FILECO~1\SYMANT~1\VIRUSD~1\20061224.008\NAVEX15.sys
049) "NDIS" - Driver di sistema NDIS
050) "NdisTapi" - Driver TAPI NDIS di accesso remoto
---> FILE = system32\DRIVERS\ndistapi.sys
051) "Ndisuio" - Protocollo I/O modalità utente su NDIS
---> FILE = system32\DRIVERS\ndisuio.sys
052) "NdisWan" - Driver WAN NDIS di accesso remoto
---> FILE = system32\DRIVERS\ndiswan.sys
053) "NDProxy" - Proxy NDIS
054) "NetBIOS" - Interfaccia NetBIOS
---> FILE = system32\DRIVERS\netbios.sys
055) "NetBT" - NetBios su Tcpip
---> FILE = system32\DRIVERS\netbt.sys
056) "NIC1394" - 1394 Net Driver
---> FILE = system32\DRIVERS\nic1394.sys
057) "Npfs" - Npfs
058) "Ntfs" - Ntfs
059) "Null" - Null
060) "ohci1394" - Controller host Texas Instruments IEEE 1394 compatibile OHCI
---> FILE = \SystemRoot\system32\DRIVERS\ohci1394.sys
061) "Parport" - Driver della porta parallela
---> FILE = system32\DRIVERS\parport.sys
062) "PartMgr" - PartMgr
063) "ParVdm" - ParVdm
064) "PCI" - Driver bus PCI
---> FILE = \SystemRoot\system32\DRIVERS\pci.sys
065) "PCIIde" - PCIIde
066) "Pcmcia" - Pcmcia
---> FILE = \SystemRoot\system32\DRIVERS\pcmcia.sys
067) "PptpMiniport" - WAN Miniport (PPTP)
---> FILE = system32\DRIVERS\raspptp.sys
068) "PSched" - Utilità di pianificazione pacchetti QoS
---> FILE = system32\DRIVERS\psched.sys
069) "Ptilink" - Driver Direct Parallel Link
---> FILE = system32\DRIVERS\ptilink.sys
070) "RasAcd" - Driver connessione automatica Accesso remoto
---> FILE = system32\DRIVERS\rasacd.sys
071) "Rasirda" - WAN Miniport (IrDA)
---> FILE = system32\DRIVERS\rasirda.sys
072) "Rasl2tp" - WAN Miniport (L2TP)
---> FILE = system32\DRIVERS\rasl2tp.sys
073) "RasPppoe" - Driver PPPOE di accesso remoto
---> FILE = system32\DRIVERS\raspppoe.sys
074) "Raspti" - Direct Parallel
---> FILE = system32\DRIVERS\raspti.sys
075) "Rdbss" - Rdbss
---> FILE = system32\DRIVERS\rdbss.sys
076) "RDPCDD" - RDPCDD
---> FILE = System32\DRIVERS\RDPCDD.sys
077) "rdpdr" - Driver redirector periferica Terminal Server
---> FILE = system32\DRIVERS\rdpdr.sys
078) "redbook" - Driver filtro riproduzione CD-ROM audio digitale
---> FILE = system32\DRIVERS\redbook.sys
079) "RTL8023xp" - Realtek 10/100/1000 NIC Family all in one NDIS XP Driver
---> FILE = system32\DRIVERS\Rtlnicxp.sys
080) "sdbus" - sdbus
---> FILE = system32\DRIVERS\sdbus.sys
081) "SMCIRDA" - Driver periferica Miniport SMC IrCC
---> FILE = system32\DRIVERS\smcirda.sys
082) "sr" - Driver filtro Ripristino configurazione di sistema
---> FILE = \SystemRoot\system32\DRIVERS\sr.sys
083) "Srv" - Srv
---> FILE = system32\DRIVERS\srv.sys
084) "Stmatm" - ATM/ADSL miniport
---> FILE = system32\DRIVERS\stmatm.sys
085) "swenum" - Driver bus software
---> FILE = system32\DRIVERS\swenum.sys
086) "SymEvent" - SymEvent
---> FILE = \??\C:\Programmi\Symantec\SYMEVENT.SYS
087) "sysaudio" - Periferica audio di sistema Microsoft Kernel
---> FILE = system32\drivers\sysaudio.sys
088) "TaurusUsb" - ADSL Modem USB Service
---> FILE = system32\DRIVERS\torususb.sys
089) "Tcpip" - Driver protocollo TCP/IP
---> FILE = system32\DRIVERS\tcpip.sys
090) "TermDD" - Driver della periferica terminale
---> FILE = system32\DRIVERS\termdd.sys
091) "Update" - Driver aggiornamento microcodice
---> FILE = system32\DRIVERS\update.sys
092) "usbehci" - Driver Miniport controller enhanced host USB 2.0 Microsoft
---> FILE = system32\DRIVERS\usbehci.sys
093) "usbhub" - Hub abilitato USB2
---> FILE = system32\DRIVERS\usbhub.sys
094) "USBSTOR" - Driver archiviazione di massa USB
---> FILE = system32\DRIVERS\USBSTOR.SYS
095) "usbuhci" - Driver Miniport Controller Universal Host USB Microsoft
---> FILE = system32\DRIVERS\usbuhci.sys
096) "VgaSave" - VgaSave
---> FILE = \SystemRoot\System32\drivers\vga.sys
097) "VolSnap" - VolSnap
098) "vsdatant" - vsdatant
---> FILE = System32\vsdatant.sys
099) "Wanarp" - Driver ARP IP di accesso remoto
---> FILE = system32\DRIVERS\wanarp.sys
100) "wdmaud" - Driver di compatibilità audio Microsoft WINMM WDM
---> FILE = system32\drivers\wdmaud.sys
101) "xcttgm" - STK Bi 001
---> FILE = \??\C:\WINDOWS\system32\xcttgm.sys
-------------List of NOT running device driver services -------------
000) "abp480n5" - abp480n5
001) "adpu160m" - adpu160m
002) "aec" - Eliminatore di eco acustico del kernel Microsoft
---> FILE = system32\drivers\aec.sys
003) "Aha154x" - Aha154x
004) "aic78u2" - aic78u2
005) "aic78xx" - aic78xx
006) "AliIde" - AliIde
007) "amsint" - amsint
008) "asc" - asc
009) "asc3350p" - asc3350p
010) "asc3550" - asc3550
011) "AsyncMac" - Driver per supporti asincroni RAS
---> FILE = system32\DRIVERS\asyncmac.sys
012) "Atdisk" - Atdisk
013) "Atmarpc" - Protocollo client ARP ATM
---> FILE = system32\DRIVERS\atmarpc.sys
014) "cbidf2k" - cbidf2k
015) "cd20xrnt" - cd20xrnt
016) "Cdaudio" - Cdaudio
017) "Changer" - Changer
018) "CmdIde" - CmdIde
019) "Cpqarray" - Cpqarray
020) "dac960nt" - dac960nt
021) "dmboot" - dmboot
---> FILE = System32\drivers\dmboot.sys
022) "DMusic" - Sintetizzatore DLS Microsoft Kernel
---> FILE = system32\drivers\DMusic.sys
023) "dpti2o" - dpti2o
024) "drmkaud" - Decodificatore audio DRM del kernel Microsoft
---> FILE = system32\drivers\drmkaud.sys
025) "Fdc" - Fdc
026) "Flpydisk" - Flpydisk
027) "HdAudAddService" - Microsoft UAA Function Driver for High Definition Audio Service
---> FILE = system32\drivers\HdAudio.sys
028) "hpn" - hpn
029) "i2omgmt" - i2omgmt
030) "i2omp" - i2omp
031) "ini910u" - ini910u
032) "Ip6Fw" - Driver Windows Firewall IPv6
---> FILE = system32\DRIVERS\Ip6Fw.sys
033) "IpFilterDriver" - Driver filtro traffico IP
---> FILE = system32\DRIVERS\ipfltdrv.sys
034) "IpInIp" - Driver tunnel IP in IP
---> FILE = system32\DRIVERS\ipinip.sys
035) "IpNat" - Traduttore indirizzi di rete IP
---> FILE = system32\DRIVERS\ipnat.sys
036) "lbrtfdc" - lbrtfdc
037) "Modem" - Modem
038) "mraid35x" - mraid35x
039) "MSKSSRV" - Proxy di servizio di flusso Microsoft
---> FILE = system32\drivers\MSKSSRV.sys
040) "MSPCLOCK" - Proxy clock di flusso Microsoft
---> FILE = system32\drivers\MSPCLOCK.sys
041) "MSPQM" - Proxy di gestione qualità di flusso Microsoft
---> FILE = system32\drivers\MSPQM.sys
042) "NwlnkFlt" - Driver filtro traffico IPX
---> FILE = system32\DRIVERS\nwlnkflt.sys
043) "NwlnkFwd" - Driver inoltratore traffico IPX
---> FILE = system32\DRIVERS\nwlnkfwd.sys
044) "PCIDump" - PCIDump
045) "PDCOMP" - PDCOMP
046) "PDFRAME" - PDFRAME
047) "PDRELI" - PDRELI
048) "PDRFRAME" - PDRFRAME
049) "perc2" - perc2
050) "perc2hib" - perc2hib
051) "ql1080" - ql1080
052) "Ql10wnt" - Ql10wnt
053) "ql12160" - ql12160
054) "ql1240" - ql1240
055) "ql1280" - ql1280
056) "RDPWD" - RDPWD
057) "Secdrv" - Secdrv
---> FILE = system32\DRIVERS\secdrv.sys
058) "Serial" - Serial
059) "Sfloppy" - Sfloppy
060) "Simbad" - Simbad
061) "Sparrow" - Sparrow
062) "splitter" - Frazionatore audio del kernel Microsoft
---> FILE = system32\drivers\splitter.sys
063) "swmidi" - Sintetizzatore Wavetable GS kernel Microsoft
---> FILE = system32\drivers\swmidi.sys
064) "symc810" - symc810
065) "symc8xx" - symc8xx
066) "sym_hi" - sym_hi
067) "sym_u3" - sym_u3
068) "TDPIPE" - TDPIPE
069) "TDTCP" - TDTCP
070) "TosIde" - TosIde
071) "Udfs" - Udfs
072) "ultra" - ultra
073) "usbccgp" - Driver principale generico USB Microsoft
---> FILE = system32\DRIVERS\usbccgp.sys
074) "usbprint" - Classe stampanti USB Microsoft
---> FILE = system32\DRIVERS\usbprint.sys
075) "usbscan" - Driver scanner USB
---> FILE = system32\DRIVERS\usbscan.sys
076) "ViaIde" - ViaIde
077) "w29n51" - Driver di Intel(R) PRO/Wireless 2200BG Network Connection Driver per Windows XP
---> FILE = system32\DRIVERS\w29n51.sys
078) "WDICA" - WDICA
079) "xcttgs" - STK Bi 002
---> FILE = \??\C:\WINDOWS\system32\xcttgm.sys
--------------------------
Scan completed in 0 minutes
End of report
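As an added example (not from the thread and not the systemscan tool's own code), a small Python parser for the Device Driver Services report format above, with the two checks the helper's reading of this log suggests: two service names registered on the same driver file (xcttgs and xcttgm both point at xcttgm.sys), and an image given as an absolute \??\C:\WINDOWS\... path, which none of the Microsoft or vendor drivers in this log use. The sample report embedded in the code is a constructed subset of the log above.

```python
"""Parser and triage checks for a systemscan 'Device Driver Services' report.
Added example for this thread; it is not the systemscan tool's own code."""
import re
from collections import defaultdict

ENTRY_RE = re.compile(r'^\s*\d{3}\)\s+"(?P<name>[^"]+)"\s+-\s+(?P<desc>.*)$')
FILE_RE = re.compile(r"^\s*--->\s+FILE\s*=\s*(?P<path>.+?)\s*$")
RUNNING_HDR = "List of running device driver services"
NOT_RUNNING_HDR = "List of NOT running device driver services"

# Constructed subset of the report posted above, used as sample input.
SAMPLE_REPORT = r"""
systemscan - www.suspectfile.com - ver. 2.0.20
Output limited to:
-Device Driver Services
-------------List of running device driver services -------------
000) "ACPI" - Driver ACPI Microsoft
---> FILE = \SystemRoot\system32\DRIVERS\ACPI.sys
045) "NAVAP" - NAVAP
---> FILE = \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys
089) "Tcpip" - Driver protocollo TCP/IP
---> FILE = system32\DRIVERS\tcpip.sys
101) "xcttgm" - STK Bi 001
---> FILE = \??\C:\WINDOWS\system32\xcttgm.sys
-------------List of NOT running device driver services -------------
000) "abp480n5" - abp480n5
057) "Secdrv" - Secdrv
---> FILE = system32\DRIVERS\secdrv.sys
079) "xcttgs" - STK Bi 002
---> FILE = \??\C:\WINDOWS\system32\xcttgm.sys
--------------------------
Scan completed in 0 minutes
End of report
"""


def parse_report(text):
    """Return one dict per service: name, desc, path (None if absent), running."""
    entries, current, running = [], None, False
    for line in text.splitlines():
        if NOT_RUNNING_HDR in line:
            running = False
            continue
        if RUNNING_HDR in line:
            running = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {"name": m.group("name"), "desc": m.group("desc").strip(),
                       "path": None, "running": running}
            entries.append(current)
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            current["path"] = m.group("path")
    return entries


def normalise(path):
    """Lower-case and drop the \\??\\, \\SystemRoot\\ and C:\\WINDOWS\\ prefixes so
    the relative and absolute spellings of the same file compare equal."""
    p = path.lower().replace("/", "\\")
    for prefix in ("\\??\\", "\\systemroot\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    p = re.sub(r"^[a-z]:\\windows\\", "", p)
    return p.strip("\\")


def shared_image_paths(entries):
    """Driver files that back more than one service name."""
    by_path = defaultdict(set)
    for e in entries:
        if e["path"]:
            by_path[normalise(e["path"])].add(e["name"])
    return {p: sorted(names) for p, names in by_path.items() if len(names) > 1}


def absolute_windows_dir_paths(entries):
    """Services whose image is an absolute \\??\\<drive>:\\WINDOWS\\... path.
    Heuristic: every Microsoft and vendor driver in this log that lives under
    the Windows directory is registered with a relative system32\\... path."""
    return [e["name"] for e in entries
            if e["path"] and re.match(r"^\\\?\?\\[a-z]:\\windows\\", e["path"], re.I)]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("shared image paths:", shared_image_paths(found))
    print("absolute Windows-dir paths:", absolute_windows_dir_paths(found))
```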
OK, now the scan ran correctly. Download The Avenger and extract the executable to the desktop.
Download the file script.txt to the desktop: http://www.mytempdir.com/1138208
- open the file script.txt, select all of its contents with the mouse and copy them to the clipboard (press CTRL+C).
- start The Avenger and select Input Script Manually
- click the magnifying glass icon
- a new window titled View/edit script will open
- paste what you copied above by pressing Ctrl+V
- click Done
- click the icon with the green traffic light to run the script
- answer Yes twice
It should reboot a couple of times. When it's done, post the contents of the file c:/avenger.txt
Done! Here's the report:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gypghvwn
*******************
Script file located at: \??\C:\idibyuyr.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Driver xcttgm unloaded successfully.
Driver xcttgs unloaded successfully.
File C:\WINDOWS\system32\pushow70.dll deleted successfully.
File C:\WINDOWS\system32\pushow93.dll deleted successfully.
File C:\WINDOWS\system32\winlogin.exe deleted successfully.
File C:\WINDOWS\system32\83ghh.ini deleted successfully.
File C:\WINDOWS\system32\aaaxcfdwq.dat deleted successfully.
File C:\WINDOWS\system32\ayuuio.dat deleted successfully.
File C:\WINDOWS\system32\qz.dll deleted successfully.
File C:\WINDOWS\system32\qz.sys deleted successfully.
File C:\WINDOWS\system32\xcttgm.sys deleted successfully.
File C:\WINDOWS\system32\xcttgs.dll deleted successfully.
Registry value HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|\??\C:\WINDOWS\system32\winlogon.exe deleted successfully.
Registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Winlogon\Notify\xcttgs not found!
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Winlogon\Notify\xcttgs failed!
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
OK
Download HijackThis, run it, click Do a system scan and save a log file, and post the log here. Then please send me the backup.zip file you'll find in c:/avenger at suspectfile.
ok, this is the log, now I'll send the backup.
bye, thanks again!! marco
---------------
Logfile of HijackThis v1.99.1
Scan saved at 17.27.28, on 28/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\Atheros\ACU.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\BVRPSO~1\POWERT~1\BVRPOlr.exe
C:\Programmi\MSN Messenger\MsnMsgr.Exe
C:\Programmi\Skype\Phone\Skype.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programmi\Power Translator\LogoMedia TranslateDotNet Server.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Programmi\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Microsoft Office\OFFICE11\FRONTPG.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\mad\IMPOST~1\Temp\Rar$EX00.813\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Programmi\Power Translator\Applications\LEC IE Translation Extension.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Programmi\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Programmi\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AdslTaskBar] "rundll32.exe" stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [ACU] "C:\Programmi\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PowerTranslator Pro OLR] "C:\PROGRA~1\BVRPSO~1\POWERT~1\BVRPOlr.exe" /PowerTranslator Pro
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmi\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Winlogin] C:\WINDOWS\system32\winlogin.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Programmi\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Adobe Gamma.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: ImageFox 2.0 Trial.lnk = ?
O4 - Global Startup: Spy Sweeper Fix.lnk = C:\Programmi\Webroot\Spy Sweeper\SpySweeperFix.bat
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{430E8DA7-314A-4B27-A656-CCB090B79D5B}: NameServer = 85.37.17.15 85.38.28.74
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: xcttgs - xcttgs.dll (file missing)
O23 - Service: Servizio di configurazione Atheros (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Programmi\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
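As an added example (not from the thread and not HijackThis's own code), a Python triage of the HijackThis log format above. It lists entries HijackThis marks as missing on disk, such as the xcttgs Winlogon Notify entry that is still present: the Avenger log reported the Notify\xcttgs key as not found under ...\CurrentVersion\Windows\Winlogon\Notify, while Windows reads Notify packages from ...\CurrentVersion\Winlogon\Notify, which is where the O20 lines come from. It also flags O4 Run entries whose executable name is one edit away from a core Windows process (winlogin.exe next to winlogon.exe); the embedded sample log is a constructed subset of the one above, and the list of core process names is my own choice.

```python
"""Triage helpers for a HijackThis v1.99 log. Added example for this thread;
not HijackThis's own code."""
import re

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Core Windows process names that autostart entries are most often disguised as
# (assumed list, chosen for this example).
CORE_PROCESSES = ("winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                  "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe")

# Constructed subset of the log posted above, used as sample input.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Winlogin] C:\WINDOWS\system32\winlogin.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: xcttgs - xcttgs.dll (file missing)
"""


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_log(text):
    """Return (section, body) pairs for the R0/O2/O4/... lines."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append((m.group("section"), m.group("body")))
    return items


def orphaned_entries(items):
    """Entries that still reference a file HijackThis could not find on disk."""
    return [(s, b) for s, b in items if any(mk in b for mk in ORPHAN_MARKERS)]


def run_target(body):
    """Executable name from an O4 Run body such as '[Name] "C:\\x\\y.exe" /arg'."""
    target = body.split("] ", 1)[1] if "] " in body else body
    if target.startswith('"'):
        target = target[1:].split('"', 1)[0]
    else:
        target = target.split(" ", 1)[0]
    return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike_autostarts(items, max_distance=1):
    """O4 entries whose executable name is within max_distance edits of a core
    Windows process name without being that name (winlogin.exe vs winlogon.exe)."""
    hits = []
    for section, body in items:
        if section != "O4":
            continue
        exe = run_target(body)
        for core in CORE_PROCESSES:
            if exe != core and levenshtein(exe, core) <= max_distance:
                hits.append((exe, core))
    return hits


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("orphaned:", orphaned_entries(parsed))
    print("lookalikes:", lookalike_autostarts(parsed))
```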