1) Look in Task Manager to see whether there is any file with an anomalous value
2) Find and delete these entries from the registry
Click Start > Run.
Type regedit
Then click OK.
Navigate to and delete the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents\CLSID\"[DEFAULT VALUE]" = "{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLEvents.ATLEvents.1\CLSID\"[DEFAULT VALUE]" = "{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\"*WinLogon" = "[TROJAN FULL PATH FILE NAME] ren time:[RANDOM NUMBER]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"*[TROJAN FILE NAME]" = "[TROJAN FULL PATH FILE NAME] rerun"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"*[TROJAN FILE NAME]" = "[TROJAN FULL PATH FILE NAME]"
Navigate to and delete the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ActiveState
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLDistrib.ATLDistrib\CLSID\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ATLDistrib.ATLDistrib.1\CLSID\
HKEY_USERS\S-1-5-21-2068663838-1736639611-1443527720-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22E85F2A-4A67-4835-B2C3-C575FE4EC322}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADOUsefulNet.ADOUsefulNet.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22E85F2A-4A67-4835-B2C3-C575FE4EC322}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60}
HKEY_CLASSES_ROOT\CLSID\{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPCUpdater.DPCUpdater
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DPCUpdater.DPCUpdater.1
this is for Vundo (VundoFix also works perfectly well)
3) Use HijackThis, remove all the entries that need to be removed, and post the suspicious entries here
4) Also check Add/Remove Programs for anything abnormal
[Edited by boyuniversity 17/12/2008 11:53]
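Added example, not part of the post above: a read-only PowerShell audit that checks the registry locations listed in the post (the four CLSIDs, the ProgIDs, the Browser Helper Objects entries, the Ext\Stats key and the "*"-prefixed Run/RunOnce values) and reports which ones are present, so you can see whether the Vundo indicators exist before touching anything. The CLSIDs, ProgIDs and key paths are taken from the post; the user SID shown there is specific to that machine, so the script enumerates every loaded hive under HKEY_USERS instead. It deletes nothing; the final comment shows how to turn a confirmed finding into a removal with Remove-Item.

```powershell
# Added example, not the original post's procedure: audit the Vundo
# registry indicators listed in the post and report which exist.
# Run from an elevated PowerShell prompt; nothing is modified.

# CLSIDs and ProgIDs copied from the post's removal list.
$Clsids = @(
    '{02F96FB7-8AF6-439B-B7BA-2F952F9E4800}',
    '{2353FCBC-012D-487B-8BF3-865C0929FBEB}',
    '{22E85F2A-4A67-4835-B2C3-C575FE4EC322}',
    '{DE8BDE42-16D9-4CCC-9F4F-1C3167B82F60}'
)
$ProgIds = @(
    'ATLEvents.ATLEvents',      'ATLEvents.ATLEvents.1',
    'ATLDistrib.ATLDistrib',    'ATLDistrib.ATLDistrib.1',
    'ADOUsefulNet.ADOUsefulNet','ADOUsefulNet.ADOUsefulNet.1',
    'DPCUpdater.DPCUpdater',    'DPCUpdater.DPCUpdater.1'
)

$Findings = [System.Collections.Generic.List[object]]::new()

function Test-RegKey {
    param([string]$Path, [string]$Why)
    if (Test-Path -LiteralPath $Path) {
        $Findings.Add([pscustomobject]@{ Location = $Path; Reason = $Why })
    }
}

# 1. COM class registrations and Browser Helper Object entries.
foreach ($c in $Clsids) {
    Test-RegKey "Registry::HKEY_CLASSES_ROOT\CLSID\$c" 'COM class registered (HKCR)'
    Test-RegKey "HKLM:\SOFTWARE\Classes\CLSID\$c"      'COM class registered (HKLM)'
    Test-RegKey "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c" 'Browser Helper Object'
}

# 2. ProgID names used by the DLLs.
foreach ($p in $ProgIds) {
    Test-RegKey "HKLM:\SOFTWARE\Classes\$p" 'ProgID registered'
}

# 3. IE extension stats under every loaded user hive (the post shows one SID).
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    foreach ($c in $Clsids) {
        Test-RegKey "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$c" 'IE extension stats'
    }
}

# 4. The ActiveState subkey named in the post.
Test-RegKey 'HKCU:\Software\Microsoft\Internet Explorer\Main\ActiveState' 'IE ActiveState subkey'

# 5. Run/RunOnce values whose name starts with '*'. Windows documents the
#    '*' prefix on RunOnce entries as "run even in Safe Mode", which is
#    exactly the pattern of the persistence values in the post.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $RunKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $props = Get-ItemProperty -LiteralPath $k
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name.StartsWith('*')) {
            $Findings.Add([pscustomobject]@{
                Location = "$k\$name = $($props.$name)"
                Reason   = 'Asterisk-prefixed autorun value'
            })
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Vundo registry indicators from the post were found.'
} else {
    $Findings | Format-Table -AutoSize
}

# After confirming a finding is really the malware, remove the key with e.g.
#   Remove-Item -LiteralPath $Findings[0].Location -Recurse -WhatIf
# (drop -WhatIf to actually delete; export the key first with reg.exe export).
```

Because the post's manual steps only list keys to delete, this audit is the missing "check first" step: it shows whether the indicators are present at all, and it covers all user hives rather than the single SID that happened to be on the poster's machine. The Run/RunOnce scan is broader than the post's two named values on purpose, since the trojan file name is a placeholder and only the leading asterisk is a stable pattern.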