salve ragazzi,
ho pensato di aprire un tread ufficiale per l'analisi dei log di gmer e per parlare di tutto quello che riguarda questo software antirootkit.
ci sono un sacco di tread dispersivi ma con questo si aiuterà più velocemente chi cerca info a riguardo.
questo software serve per scovare eventuali rootkit malevoli nonchè anche gli ADS (alternate data stream) nei vostri pc.
questo software serve a rilevare e pulire dai rootkit (termina i servizi e i processi nascosti dei rootkit). segnala se ci sono rootkit malevoli tramite dicitura in rosso nei suoi logs. alcuni rootkit malevoli modificano talmente tanto il sistema che per ripristinare il sistema operativo alle condizioni iniaziali si deve ricorrere ad uno strumento software chiamato "avenger" che tramite una serie di script personalizzati in base ad ogni caso ristabiliscono ordine.
lo potete scaricare da quì:
http://swandog46.geekstogo.com/avenger.zip
-------------------------------------------------------------------
per chi non sapesse che sono gli ADS può trovare info
quì
per chi non sapesse che sono i rootkit può andare
quì
-------------------------------------------------------------------
sito ufficiale di gmer: http://www.gmer.net/rootkit.php
ultima versione: GMER 1.0.14.14116
download gmer ultima release:
http://www.gmer.net/files.php
------------------------------------------------------------------------
quì troverete una guida fatta veramente bene (segnalazione NV25;redattore guida: eraser):
http://www.pcalsicuro.com/main/guida-a-gmer/
un'altra guida fatta bene di Megalab.it curata da Amantide e crazy.cat:
http://www.megalab.it/articoli.php?id=972
come agiscono i rootkit: http://www.pianetapc.it/articoli.php?id=65
sito di riferimenti da tenere in considerazione per info sui rootkit: http://www.antirootkit.com/
cose da sapere per la rimozione di rootkit:
http://www.suspectfile.com/forum/viewtopic.php?p=1675
in passato il sito ufficiale di gmer è stato parecchie volte sotto attacco DDOS, quindi si è dovuti ricorrere a siti esterni per scaricare il software. se il sito ufficiale non fosse raggiungibile per scaricare il software per qualsiasi motivo, fate riferimento a questi siti (un grazie a NV25 per l'info):
http://pcalsicuro.phpsoft.it/gmer.zip
altrimenti lo potete scaricare da qui:
http://www.majorgeeks.com/GMER_d5198.html
------------------------------------------------------------------------
il software durante la scansione restituisce diversi log che andrebbero postati quì per essere analizzati alla ricerca di rootkit.
regole da seguire per aumentare la leggibilità dei logs e delle informazioni:
- usare la funzione CODE (individuabile tramite un "#" nell'area di scrittura del post del forum) quì di seguito rappresentata con un immagine (un grazie a NV25 che è un vero specialista nell'arricchire questi treads :D )
oppure semplicemente seguire la seguente struttura (thanks to NV25):
intanto ne approfitto per postare un log di gmer del mio pc come esempio:
Codice:
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-04 11:18:04
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT pxfsf.sys ZwCompactKeys
SSDT pxfsf.sys ZwCompressKey
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT pxfsf.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT pxfsf.sys ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT pxfsf.sys ZwCreatePort
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT pxfsf.sys ZwDeleteFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT pxfsf.sys ZwFreeVirtualMemory
SSDT pxfsf.sys ZwImpersonateAnonymousToken
SSDT pxfsf.sys ZwImpersonateThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry
SSDT pxfsf.sys ZwLoadDriver
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockRegistryKey
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT pxfsf.sys ZwMapViewOfSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT pxfsf.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey
SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT pxfsf.sys ZwOpenProcessToken
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT pxfsf.sys ZwOpenThread
SSDT pxfsf.sys ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT pxfsf.sys ZwRenameKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveKeyEx
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT pxfsf.sys ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject
SSDT pxfsf.sys ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetValueKey
SSDT pxfsf.sys ZwSuspendProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT pxfsf.sys ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnloadKeyEx
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT pxfsf.sys ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]
Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous
---- Kernel code sections - GMER 1.0.12 ----
.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9E14 5 Bytes JMP A9B99760 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE54E 5 Bytes JMP A9B99C50 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntkrnlpa.exe!ZwCallbackReturn + 23B4 805010B8 24 Bytes [ 79, F8, 68, BA, 83, F8, 68, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 23D0 805010D4 16 Bytes [ B5, F8, 68, BA, BF, F8, 68, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 23E4 805010E8 12 Bytes [ DD, F8, 68, BA, E7, F8, 68, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 23F4 805010F8 24 Bytes [ FB, F8, 68, BA, 05, F9, 68, ... ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2424 80501128 8 Bytes [ 37, F9, 68, BA, 41, F9, 68, ... ]
.text ...
.text ntkrnlpa.exe!KiDispatchInterrupt + BA 80540ABA 7 Bytes JMP A9B9CCD0 \??\C:\WINDOWS\system32\drivers\klif.sys
---- User code sections - GMER 1.0.12 ----
.text C:\WINDOWS\explorer.exe[484] SHELL32.dll!StrStrW + FFE33B46 7C9DE9F8 4 Bytes [ 04, 03, F4, 00 ]
.text C:\WINDOWS\explorer.exe[484] SHELL32.dll!StrStrW + FFE33B56 7C9DEA08 4 Bytes [ 00, 04, F4, 00 ]
.text C:\WINDOWS\explorer.exe[484] SHELL32.dll!StrStrW + FFE34A96 7C9DF948 4 Bytes [ 54, 04, F4, 00 ]
.text C:\WINDOWS\explorer.exe[484] SHELL32.dll!StrStrW + FFE34AB2 7C9DF964 4 Bytes [ 82, 03, F4, 00 ]
.text C:\WINDOWS\explorer.exe[484] SHELL32.dll!StrStrW + FFE34AC6 7C9DF978 4 Bytes [ 58, 03, F4, 00 ]
---- Threads - GMER 1.0.12 ----
Thread 4:176 8A5CAA20
Thread 4:180 8A5AAC60
Thread 4:184 8A5AAC60
Thread 4:412 8A5CAA20
Thread 4:476 8A5CAA20
Thread 4:3444 884AD5B0
---- Registry - GMER 1.0.12 ----
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG08.00.00.01WORKSTATION CBD8DCED4A898C431C10FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667C038D530D6EB3452A2D97226D213B5559DB7CE019D40AA5C68DA28F9B1B06CCDF15704AD89ED03C182A24ED363F6DE445E08F05784CDE4D4715FF84426350FC906033CE0A88CD2887A190B90D677229C959C7493C15E7412E34E920A23BBDC2B24E0F5CDD935395EC980911DE60CE9A58627BC908DD31E23EBC2CD66F286AE8E1BA4B115D75B86727ECBA73D60F29DC51E767C5965D88444FA0763C961CC7F21FAB8532FE1DE2F0AECA27B8E11DB4AF4148EC8CD498AECC1469D727A413AEDA71BB92063B91B4A7DABDD1E7DCC6CA2C15DA69A21BEFBC27E47B9FC90E7EC3C79957AC5CF275A9439168C024D6CBD794C39A9CEDC4E3112EF3AC469792EF7D2024980D167F25CED3D4AF181164ADCC9492537A75A83A50D22A15902F47463BABFD68339EFED57599CAC045842C64AAD83E6A3CBCA70480BB1414B759899A824C6A572D281E8F07E01E4EC250F46FBE8D885F5C131A8780452239B57CB0438E1BCDFEE598B3C46ABA65D0CEE90AE5ADEB74D6AF7E6458E184915851B4D9D746A5EF2CEEB4FC1E7CDDDC3721DAD6D4298A750EEC11662D48671A6F39D2CD3B458FA119A8F62D7D8FA0B8D69FB21708443C15FA8513F2286B7392E081D4E994
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE
ADS C:\Programmi\ATI Technologies\ATI.ACE\skins\CATALYST_Quicksilver\CATALYST_Quicksilver.uis_Scrollbar:Smaller.WB4
---- EOF - GMER 1.0.12 ----
autostart:
GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-01-04 11:20:21
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
!SASWinLogon@DLLName = C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
AtiExtEvent@DLLName = Ati2evxx.dll
klogon@DLLName = C:\WINDOWS\system32\klogon.dll
WgaLogon@DLLName = WgaLogon.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AcrSch2Svc /*Acronis Scheduler2 Service*/@ = "C:\Programmi\File comuni\Acronis\Schedule2\schedul2.exe"
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
AVP /*Kaspersky Internet Security 6.0*/@ = "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r
btwdins /*Bluetooth Service*/@ = C:\Programmi\Software Bluetooth\bin\btwdins.exe
O&O Defrag /*O&O Defrag*/@ = C:\WINDOWS\system32\oodag.exe
PavPrSrv /*Panda Process Protection Service*/@ = "C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe" /*file not found*/
PREVXAgent /*Prevx Agent*/@ = "C:\Programmi\Prevx1\PXAgent.exe" -f
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@Acronis?True?Image Monitor(null) =
@Acronis Scheduler2 Service"C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe" = "C:\Programmi\File comuni\Acronis\Schedule2\schedhlp.exe"
@REGSHAVEC:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN = C:\Programmi\REGSHAVE\REGSHAVE.EXE /AUTORUN
@HPDJ Taskbar UtilityC:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe = C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
@HPHmon04C:\WINDOWS\system32\hphmon04.exe = C:\WINDOWS\system32\hphmon04.exe
@OmnipageC:\Programmi\ScanSoft\OmniPageSE\opware32.exe = C:\Programmi\ScanSoft\OmniPageSE\opware32.exe
@LVCOMSXC:\WINDOWS\system32\LVCOMSX.EXE = C:\WINDOWS\system32\LVCOMSX.EXE
@BluetoothAuthenticationAgentrundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
@RemoteControlC:\Programmi\CyberLink\PowerDVD\PDVDServ.exe = C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
@Babylon ClientC:\Programmi\Babylon\Babylon.exe -AutoStart = C:\Programmi\Babylon\Babylon.exe -AutoStart
@Motive SmartBridgeC:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe = C:\PROGRA~1\ALICET~1\SMARTB~1\MotiveSB.exe
@LogitechVideoTrayC:\Programmi\Logitech\Video\LogiTray.exe = C:\Programmi\Logitech\Video\LogiTray.exe
@ATICCC"C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe" = "C:\Programmi\ATI Technologies\ATI.ACE\CLIStart.exe"
@CnxDslTaskBar"C:\Programmi\digicomt\Michelangelo USB ADSL\CnxDslTb.exe" = "C:\Programmi\digicomt\Michelangelo USB ADSL\CnxDslTb.exe"
@!AVG Anti-Spyware"C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
@PinnacleDriverCheckC:\WINDOWS\system32\PSDrvCheck.exe -CheckReg = C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
@Pinnacle WebUpdater"C:\Programmi\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles = "C:\Programmi\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
@PMCRemoteC:\Programmi\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe = C:\Programmi\Pinnacle\Shared Files\Programs\Remote\Remoterm.exe
@AVP"C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" = "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
@SunJavaUpdateSched"C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe" = "C:\Programmi\Java\jre1.5.0_09\bin\jusched.exe"
@PCSuiteTrayApplicationC:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup /*file not found*/ = C:\Programmi\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup /*file not found*/
@WINDVDPatchCTHELPER.EXE = CTHELPER.EXE
@UpdRegC:\WINDOWS\UpdReg.EXE = C:\WINDOWS\UpdReg.EXE
@Jet DetectionC:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe = C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
@AudioHQUC:\Programmi\Creative\SBLive\AudioHQ\AHQTBU.EXE = C:\Programmi\Creative\SBLive\AudioHQ\AHQTBU.EXE
@PrevxOne"C:\Programmi\Prevx1\PXConsole.exe" = "C:\Programmi\Prevx1\PXConsole.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SpybotSD TeaTimerC:\Programmi\Spybot - Search & Destroy\TeaTimer.exe = C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
@LogitechSoftwareUpdateC:\Programmi\Logitech\Video\ManifestEngine.exe boot = C:\Programmi\Logitech\Video\ManifestEngine.exe boot
@PMCS"C:\Programmi\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe" = "C:\Programmi\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe"
@SUPERAntiSpywareC:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe = C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@UPnPMonitor = C:\WINDOWS\system32\upnpui.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll
@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}C:\Programmi\SUPERAntiSpyware\SASSEH.DLL = C:\Programmi\SUPERAntiSpyware\SASSEH.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll = C:\Programmi\File comuni\Ahead\Lib\NeroDigitalExt.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/C:\WINDOWS\system32\BTNEIG~1.DLL = C:\WINDOWS\system32\BTNEIG~1.DLL
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3} /*Immagini Logitech*/C:\Programmi\Logitech\Video\Namespc2.dll = C:\Programmi\Logitech\Video\Namespc2.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll
@{5E2121EE-0300-11D4-8D3B-444553540000} /*Catalyst Context Menu extension*/C:\Programmi\ATI Technologies\ATI.ACE\atiacmxx.dll = C:\Programmi\ATI Technologies\ATI.ACE\atiacmxx.dll
@{85E0B171-04FA-11D1-B7DA-00A0C90348D6} /*Web Anti-Virus*/C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll = C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/(null) =
@{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A} /*PhoneBrowser*/C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll = C:\Programmi\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
@{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Periferiche Plug and Play universali*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
@{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451} /*OODefrag*/C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll = C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\context.dll
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll
OODefrag@{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451} = C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\context.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll
OODefrag@{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451} = C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Programmi\Nero\Nero 7\Nero BackItUp\NBShell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll = C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll = C:\Programmi\Java\jre1.5.0_09\bin\ssv.dll
@{A5366673-E8CA-11D3-9CD9-0090271D075B}C:\PROGRA~1\FlashGet\jccatch.dll = C:\PROGRA~1\FlashGet\jccatch.dll
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3A887298-BC2E-42EA-9F76-A597293A834B} /*Connessione 1394*/ >>>
@IPAddress192.168.0.1 = 192.168.0.1
@NameServer =
@DefaultGateway =
@Domain =
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Alice ti aiuta.lnk = Alice ti aiuta.lnk
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
BTTray.lnk = BTTray.lnk
Exif Launcher.lnk = Exif Launcher.lnk
---- EOF - GMER 1.0.12 ----
----------------------------------------------------------------------
Lista di indirizzi Ip (siti civetta per diffusione gromozon) aggiornati che sono coinvolti,spam e truffe varie in costante aggiornamento da bloccare nel firewall: (grazie a mausap per la segnalazione)
http://maipiugromozon.blogspot.com/
----------------------------------------------------------------------
altri software di pulizia rootkit:
1. sysinternal:
http://www.sysinternals.com/Utilitie...tRevealer.html
2. f-secure blacklight:
http://www.f-secure.com/blacklight/
3. AVG anti-rootkit
http://www.antirootkit.com/software/AVG-Antirootkit.htm
4. Panda anti-rootkit
http://research.pandasoftware.com/bl...t-cleaner.aspx
5. Sophos anti-rootkit
http://www.sophos.com/products/free-...i-rootkit.html
6. McAfee Rootkit Detective
http://news.swzone.it/swznews-19395.php
7. F-Secure BlackLight Rootkit Detection
http://www.f-secure.com/blacklight/
8. Trend Micro RootkitBuster
http://www.trendmicro.com/download/rbuster.asp
9. RootkitRevealer
http://www.microsoft.com/technet/sys...tRevealer.mspx
10. BitDefender RootkitUncover
http://www.bitdefender.co.uk/NW253-u...tkit-Beta.html
11. DarkSpy Anti-Rootkit
http://www.softpedia.com/get/Antivir...-Rootkit.shtml
12. Lavasoft ARIES Rootkit Remover
http://www.lavasoft.com/support/secu...it_remover.php
13. Anti-rootkit Unhooker (sembra il più potente in circolazione)
http://www.rku.xell.ru/?l=e&a=dl
comunque oramai tutti i principali produttori di antivirus hanno software specifici per eliminare rootkit.[/b]
----------------------------------------------------------------------
spero di aver fatto cosa gradita e comunque ogni suggerimento/critica o arricchimento di nozioni su questo software è ben accetto.
NOTA BENE:
non mi assumo nessuna responsabilità su danni hardware e/o software e dati che possono avvenire per l'uso di questo software. alcune funzioni di questo programma possono produrre effetti di crash di sistema specie se il servizio terminato riguarda il sistema operativo che state utilizzando. usate tale software a vostro rischio e pericolo. questo tread ha il solo scopo informativo e non mi assumo responsabilità su eventuali imprecisioni che vi sono all'interno, se notate qualcosa di incongruente sulle informazioni contenute in questo tread provvedete a segnalarmelo tramite messaggio privato ed io provvederò ad aggiornare il post.
saluti
c.m.g