linkoptimizer - suspectfile - hijackthis

[smile21]

ciao a tutti ho avuto problemi con link optimize e seguendo la guida su suspecfiles, qualcosa ho fatto, vi chiedo cortesemente se qualche anima buona mi può dare un okkio al log di hijackthis, prima di fare qualcosa di dannoso.
grazie


Logfile of HijackThis v1.99.1
Scan saved at 2.10.58, on 26/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton Personal Firewall\ISSVC.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.e xe
C:\VEXPLITE\viritsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1 .exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\AnalogX\Proxy\proxy.exe
C:\PROGRA~1\FILECO~1\PCSuite\Services\SERVIC~1.EXE
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Messenger\msmsgs.exe
C:\ht\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/GIANNI2006/z_startpage/starpageC.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {A679BF58-FCEE-C0D3-0760-B33DE1282A75} - C:\WINDOWS\appbh1.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [pdfFactory Schedulatore v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1 .exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Proxy (2).lnk = C:\Programmi\AnalogX\Proxy\proxy.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FE540E2-2709-44D5-A1F1-C970C05D2DF1}: NameServer = 85.37.17.52 151.99.125.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Personal Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.e xe
O23 - Service: Virit eXplorer Lite (viritsvclite) - TG Soft Sas www.tgsoft.it - C:\VEXPLITE\viritsvc.exe
O23 - Service: WinAbt - Unknown owner - C:\Programmi\File comuni\Microsoft Shared\OqS.exe

[amvinfe]

sono presenti ancora valori riconducibili al trojan (servizio aggiunto)

scarica sul desktop GMER
scopatta, sempre sul desktop il file gmer.zip.
Esegui gmer.exe
Clicca sul Tab "Rootkit"
Clicca su "Scan"
finita la scansione clicca su "Copy"
Apri il Blocco Note incolla il risultato (CTRL+V)

Esegui gmer.exe
Clicca sul Tab "Autostart"
Clicca su "Scan"
finita la scansione clicca su "Copy"
Apri il Blocco Note incolla il risultato (CTRL+V)

Copia in questa discussione entrambi i log

[smile21]

ciao grazie dell'aiuto, ecco fatto :


GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-26 13:13:44
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT 81DBB690 ZwConnectPort
SSDT 81E68230 ZwOpenProcess
SSDT 81CBE1B8 ZwOpenThread

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\WINDOWS\appbh1.dll
File C:\WINDOWS\system32\com4.hzq
File D:\System Volume Information\MountPointManagerRemoteDatabase
File D:\System Volume Information\tracking.log

---- EOF - GMER 1.0.10 ----


---------------

GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-26 13:15:11
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ >>>
Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
Windows@AppInit_DLLs = \\?\C:\WINDOWS\system32\com4.hzq

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
ccEvtMgr /*Symantec Event Manager*/@ = "C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
ccProxy /*Symantec Network Proxy*/@ = "C:\Programmi\File comuni\Symantec Shared\ccProxy.exe"
ccSetMgr /*Symantec Settings Manager*/@ = "C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe"
ISSVC /*ISSvc*/@ = "C:\Programmi\Norton Personal Firewall\ISSVC.exe"
navapsvc /*Servizio Auto-Protect di Norton AntiVirus*/@ = "C:\Programmi\Norton AntiVirus\navapsvc.exe"
NPFMntor /*Norton AntiVirus Firewall Monitor Service*/@ = "C:\Programmi\Norton AntiVirus\IWP\NPFMntor.exe"
SBService /*ScriptBlocking Service*/@ = C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
SNDSrvc /*Symantec Network Drivers Service*/@ = "C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe"
SPBBCSvc /*Symantec SPBBCSvc*/@ = "C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe"
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
Symantec Core LC /*Symantec Core LC*/@ = C:\Programmi\File comuni\Symantec Shared\CCPD-LC\symlcsvc.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
Utilità di pianificazione di LiveUpdate automatico /*Utilità di pianificazione di LiveUpdate automatico*/@ = "C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc. exe"
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe
WinAbt /*WinAbt*/@ = "C:\Programmi\File comuni\Microsoft Shared\OqS.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@AME_CSArundll32 amecsa.cpl,RUN_DLL = rundll32 amecsa.cpl,RUN_DLL
@ccApp"C:\Programmi\File comuni\Symantec Shared\ccApp.exe" = "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
@Symantec NetDriver MonitorC:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
@pdfFactory Schedulatore v1C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdi s1.exe = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1 .exe
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_06\b in\jusched.exe = C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@DataLayerC:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DA TALA~1.EXE = C:\PROGRA~1\FILECO~1\PCSuite\DATALA~1\DATALA~1.EXE
@PCSuiteTrayApplicationC:\PROGRA~1\Nokia\NOKIAP~1\ TRAYAP~1.EXE = C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run @CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{E0D79300-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WinZip\wzshlext.dll = C:\PROGRA~1\WinZip\wzshlext.dll
@{E0D79301-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WinZip\wzshlext.dll = C:\PROGRA~1\WinZip\wzshlext.dll
@{E0D79302-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WinZip\wzshlext.dll = C:\PROGRA~1\WinZip\wzshlext.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DL L = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DL L
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealOne Player\rpshell.dll = C:\Programmi\Real\RealOne Player\rpshell.dll
@{40950107-FEA6-4d53-A65F-B2DCBA57DD58} /*Nokia Phone Browser*/C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
@{FBFE7864-D495-41f0-B7DC-4BB601CC295E} /*Contact View*/C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\ContactView.dll
@{C0C4375A-5B72-4efe-929D-3B848C3A1E91} /*Message View*/C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll = C:\Programmi\Nokia\Nokia PC Suite 6\MessageView.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandler s\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\ >>>
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\ >>>
Symantec.Norton.Antivirus.IEContextMenu@{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Programmi\Norton AntiVirus\NavShExt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
WinZip@{E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{A679BF58-FCEE-C0D3-0760-B33DE1282A75}C:\WINDOWS\appbh1.dll = C:\WINDOWS\appbh1.dll
@{BDF3E430-B101-42AD-A544-FADC6B084872}C:\Programmi\Norton AntiVirus\NavShExt.dll = C:\Programmi\Norton AntiVirus\NavShExt.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SU B_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=hom e
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagefile:///D:/GIANNI2006/z_startpage/starpageC.htm = file:///D:/GIANNI2006/z_startpage/starpageC.htm
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DL L
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DL L
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Param eters\Interfaces\{2FA93D49-CB7C-471E-B444-87BA481FFAD5} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.1.100 = 192.168.1.100
@NameServer =
@DefaultGateway =
@Domain =

C:\Documents and Settings\g\Menu Avvio\Programmi\Esecuzione automatica = Proxy (2).lnk

---- EOF - GMER 1.0.10 ----

[amvinfe]

scarica avenger sul desktop
http://swandog46.geekstogo.com/avenger.zip
Decomprimi l'archivio



Avvia il file avenger.exe
Seleziona l'opzione "Input Script Manually"
Clicca sulla lente d'ingrandimento

Ti si apre lafinestra "View/edit script"
All'interno del box bianco, copia e incolla il seguente codice

codice:

Registry values to replace with dummy: 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs 

registry keys to delete: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A679BF58-FCEE-C0D3-0760-B33DE1282A75}

Files to delete: 
C:\WINDOWS\system32\com4.hzq 
C:\WINDOWS\appbh1.dll

Clicca sul pulsante Done
Clicca sull'icona del semaforo verde
Rispondi Yes
Il pc dovrebbe riavviarsi da solo, diversamente riavvialo manualmente

Start>Esegui scrivi cmd dai l'OK
All'apertura del prompt, rispettando gli spazi digiti:
cd C:\programmi\file comuni\system ==>dai l'invio
dir > c:\files.txt ==> dai l'invio

Apri C:\ posta il contenuto del file files.txt.

Start>Esegui scrivi
control userpasswords2
dai l'OK
scrivimi i nomi utente

[smile21]

ciao, ecco il log:

e grazie 10000000000000000000000000000

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Service s\vvgovfdw

*******************

Script file located at: \??\C:\WINDOWS\system32\ktbmulrs.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\com4.hzq deleted successfully.
File C:\WINDOWS\appbh1.dll deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{A679BF58-FCEE-C0D3-0760-B33DE1282A75} deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



per quanto riguarda il control userpasswords2

avevo già cancellato l'utente xyrd che presumo fosse intruso.

digitando da esegui service.msc mi compare una voce:
winabt e alla voce connessione ho questa voce: xivXVFxv

[amvinfe]

eliminala
se non hai più problemi... nel caso posta un nuovo log di GMER

[smile21]

Grazie mille, ti farò sapere!!!!!

troppo gentile

buon fine settimana ciao Carla

[amvinfe]

buon we anche a te, a me invece tocca prendere servizio alle 14.30 e sono già in ritardo
ciao