Rootkit removal
Hi everyone! I think my PC has rootkit problems. I arrived at MegaLab.it a few days ago and would like your help.
For three days I have not been able to reach the sites I search for through Google (I get redirected to wide.fullpageads.info).
So far I have run a scan with my Norton antivirus, CCleaner, TDSSKiller and Malwarebytes' Anti-Malware (I also tried GMER, but without result, because it froze while scanning hard disk D:), and finally I am posting the scan report from NoVirusThanks Anti-Rootkit, which I cannot decipher.
Can you tell me what to do (also using The Avenger)? Thanks in advance.
==========================================================================================================================
NoVirusThanks Anti-Rootkit v1.2 (FREE EDITION)
Microsoft Windows Version 5.1 Build: 2600 Service Pack: 2
Detected CPUs: (2)
Scanning Commenced... 15/03/2011 11.22.19
==========================================================================================================================
>>>SSDT<<<
==========================================================================================================================
#12 NtAlertResumeThread
Real Address: 0x805D33CE
Hook Address: 0x856E0AB8 [<empty>]
#13 NtAlertThread
Real Address: 0x805D337E
Hook Address: 0x85301550 [<empty>]
#17 NtAllocateVirtualMemory
Real Address: 0x805A758E
Hook Address: 0x84ABB080 [<empty>]
#19 NtAssignProcessToJobObject
Real Address: 0x805D4E92
Hook Address: 0x853254D0 [<empty>]
#31 NtConnectPort
Real Address: 0x805A30A4
Hook Address: 0x857AB158 [<empty>]
#41 NtCreateKey
Real Address: 0x8062212E
Hook Address: 0xF21B4210 [SYMEVENT.SYS]
#43 NtCreateMutant
Real Address: 0x80615572
Hook Address: 0x84AB3B40 [<empty>]
#52 NtCreateSymbolicLinkObject
Real Address: 0x805C36A4
Hook Address: 0x85118270 [<empty>]
#53 NtCreateThread
Real Address: 0x805CF8C8
Hook Address: 0x85710910 [<empty>]
#57 NtDebugActiveProcess
Real Address: 0x80641014
Hook Address: 0x856F9C98 [<empty>]
#63 NtDeleteKey
Real Address: 0x806225BE
Hook Address: 0xF21B4490 [SYMEVENT.SYS]
#65 NtDeleteValueKey
Real Address: 0x8062278E
Hook Address: 0xF21B49F0 [SYMEVENT.SYS]
#68 NtDuplicateObject
Real Address: 0x805BC94C
Hook Address: 0x84ABB318 [<empty>]
#83 NtFreeVirtualMemory
Real Address: 0x805B19F6
Hook Address: 0x851236A0 [<empty>]
#89 NtImpersonateAnonymousToken
Real Address: 0x805F7316
Hook Address: 0x85311BD0 [<empty>]
#91 NtImpersonateThread
Real Address: 0x805D6052
Hook Address: 0x8530D9B0 [<empty>]
#97 NtLoadDriver
Real Address: 0x80582EAE
Hook Address: 0x85877668 [<empty>]
#108 NtMapViewOfSection
Real Address: 0x805B0A7E
Hook Address: 0x85123500 [<empty>]
#114 NtOpenEvent
Real Address: 0x8060CF5C
Hook Address: 0x852E8520 [<empty>]
#122 NtOpenProcess
Real Address: 0x805C9D0A
Hook Address: 0x84ABB570 [<empty>]
#123 NtOpenProcessToken
Real Address: 0x805EBFD0
Hook Address: 0x85900CD0 [<empty>]
#125 NtOpenSection
Real Address: 0x805A8EC2
Hook Address: 0x85288CD0 [<empty>]
#128 NtOpenThread
Real Address: 0x805C9F96
Hook Address: 0x85123FC0 [<empty>]
#137 NtProtectVirtualMemory
Real Address: 0x805B6E5E
Hook Address: 0x85118AC0 [<empty>]
#206 NtResumeThread
Real Address: 0x805D320A
Hook Address: 0x8528D538 [<empty>]
#213 NtSetContextThread
Real Address: 0x805D0002
Hook Address: 0x858266A0 [<empty>]
#228 NtSetInformationProcess
Real Address: 0x805CC754
Hook Address: 0x85123228 [<empty>]
#240 NtSetSystemInformation
Real Address: 0x8060DC14
Hook Address: 0x8574FCD0 [<empty>]
#247 NtSetValueKey
Real Address: 0x806207EE
Hook Address: 0xF21B4C40 [SYMEVENT.SYS]
#253 NtSuspendProcess
Real Address: 0x805D32D2
Hook Address: 0x856D5500 [<empty>]
#254 NtSuspendThread
Real Address: 0x805D3144
Hook Address: 0x856E7358 [<empty>]
#257 NtTerminateProcess
Real Address: 0x805D1232
Hook Address: 0x8583ACD0 [<empty>]
#258 NtTerminateThread
Real Address: 0x805D142C
Hook Address: 0x852BA3A0 [<empty>]
#267 NtUnmapViewOfSection
Real Address: 0x805B188C
Hook Address: 0x8583BCD0 [<empty>]
#277 NtWriteVirtualMemory
Real Address: 0x805B2E0C
Hook Address: 0x85123B30 [<empty>]
==========================================================================================================================
>>>Shadow SDT<<<
==========================================================================================================================
#307 NtUserAttachThreadInput
Real Address: 0xBF8F7A01
Hook Address: 0x852BE150 [<empty>]
#383 NtUserGetAsyncKeyState
Real Address: 0xBF863EA2
Hook Address: 0x852CA150 [<empty>]
#414 NtUserGetKeyboardState
Real Address: 0xBF8BA069
Hook Address: 0x856D6110 [<empty>]
#416 NtUserGetKeyState
Real Address: 0xBF82887F
Hook Address: 0x852B0150 [<empty>]
#428 NtUserGetRawInputData
Real Address: 0xBF9156DC
Hook Address: 0x849E91A8 [<empty>]
#460 NtUserMessageCall
Real Address: 0xBF80EFF3
Hook Address: 0x85897F00 [<empty>]
#475 NtUserPostMessage
Real Address: 0xBF8084A3
Hook Address: 0x85871430 [<empty>]
#476 NtUserPostThreadMessage
Real Address: 0xBF8AD237
Hook Address: 0x85796138 [<empty>]
#549 NtUserSetWindowsHookEx
Real Address: 0xBF8BA129
Hook Address: 0x85754060 [<empty>]
#552 NtUserSetWinEventHook
Real Address: 0xBF8F0124
Hook Address: 0x858883D0 [<empty>]
==========================================================================================================================
>>>Kernel Notify Routines<<<
==========================================================================================================================
CreateProcess: Address 0xF21A90C0 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
Hidden Loaded Driver: False
CreateProcess: Address 0xF1DDFC20 [C:\Documents and Settings\All Users\Dati applicazioni\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20110309.001\BHDrvx86.sys]
Hidden Loaded Driver: False
CreateProcess: Address 0xF6A50B60 [C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys]
Hidden Loaded Driver: False
CreateThread: Address 0xF21A9050 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
Hidden Loaded Driver: False
LoadImage: Address 0xF21A8E00 [C:\WINDOWS\system32\Drivers\SYMEVENT.SYS]
Hidden Loaded Driver: False
LoadImage: Address 0xF1DDFB30 [C:\Documents and Settings\All Users\Dati applicazioni\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20110309.001\BHDrvx86.sys]
Hidden Loaded Driver: False
LoadImage: Address 0xF6A50820 [C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys]
Hidden Loaded Driver: False
==========================================================================================================================
>>>Processes<<<
==========================================================================================================================
0x859C4660 [4]SYSTEM
Suspicious: False
Hidden: False
0x848F31E0 [1044]C:\WINDOWS\system32\winlogon.exe
Suspicious: False
Hidden: False
0x858C5788 [856]C:\Programmi\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
Suspicious: False
Hidden: False
0x84920B98 [1512]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False
0x8592F030 [364]C:\WINDOWS\system32\spoolsv.exe
Suspicious: False
Hidden: False
0x84810030 [588]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False
0x8469E788 [2484]C:\Programmi\NoVirusThanks\Anti-Rootkit (Free Edition)\NVTArk.exe
Suspicious: False
Hidden: False
0x849429A0 [1916]C:\WINDOWS\explorer.exe
Suspicious: False
Hidden: False
0x84697520 [2560]C:\Programmi\HP\Digital Imaging\bin\hpqbam08.exe
Suspicious: False
Hidden: False
0x84830B18 [480]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False
0x8581E370 [1368]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False
0x85289DA0 [564]C:\Programmi\HP\HP Software Update\hpwuSchd2.exe
Suspicious: False
Hidden: False
0x848E6600 [1320]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False
0x8481C030 [1848]C:\Programmi\Norton AntiVirus\Engine\17.8.0.5\ccsvchst.exe
Suspicious: False
Hidden: False
0x84931598 [1112]C:\WINDOWS\system32\lsass.exe
Suspicious: False
Hidden: False
0x849BF8A0 [464]C:\Programmi\QuickTime\qttask.exe
Suspicious: False
Hidden: False
0x8491B238 [660]C:\Programmi\File comuni\Java\Java Update\jusched.exe
Suspicious: False
Hidden: False
0x85451030 [680]C:\Programmi\Adobe\Reader 8.0\Reader\reader_sl.exe
Suspicious: False
Hidden: False
0x8485DDA0 [732]C:\WINDOWS\system32\ctfmon.exe
Suspicious: False
Hidden: False
0x85861990 [752]C:\Programmi\Norton Utilities 14\nu.exe
Suspicious: False
Hidden: False
0x849214C0 [1100]C:\WINDOWS\system32\services.exe
Suspicious: False
Hidden: False
0x85453DA0 [836]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False
0x84A30B98 [948]C:\WINDOWS\system32\smss.exe
Suspicious: False
Hidden: False
0x84862798 [960]C:\Programmi\HP\Button Manager\BM.exe
Suspicious: True
Hidden: False
0x849C4DA0 [1956]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False
0x852C2030 [1008]C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
Suspicious: False
Hidden: False
0x84934158 [1020]C:\WINDOWS\system32\csrss.exe
Suspicious: False
Hidden: False
0x8491F580 [1712]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False
0x849419A0 [1284]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False
0x849A82F0 [1548]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False
0x84850B18 [1544]C:\Programmi\File comuni\ArcSoft\Connection Service\Bin\ACService.exe
Suspicious: False
Hidden: False
0x8489EB98 [1688]C:\WINDOWS\system32\svchost.exe
Suspicious: False
Hidden: False
0x858EBDA0 [1748]C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
Suspicious: False
Hidden: False
0x858D8DA0 [388]C:\WINDOWS\system32\wuauclt.exe
Suspicious: False
Hidden: False
0x858DADA0 [2516]C:\Programmi\Norton AntiVirus\Engine\17.8.0.5\ccsvchst.exe
Suspicious: False
Hidden: False
0x846A2990 [1684]C:\Programmi\HP\Digital Imaging\bin\hpqste08.exe
Suspicious: False
Hidden: False
0x84746030 [2968]C:\WINDOWS\system32\wbem\wmiprvse.exe
Suspicious: False
Hidden: False
0x84726580 [3508]C:\WINDOWS\system32\wbem\wmiapsrv.exe
Suspicious: False
Hidden: False
0x846FA030 [3756]C:\WINDOWS\system32\wbem\wmiprvse.exe
Suspicious: False
Hidden: False
0x847007A8 [3924]C:\WINDOWS\system32\alg.exe
Suspicious: False
Hidden: False
==========================================================================================================================
>>>SYSENTER<<<
==========================================================================================================================
CPU #0 Hook Address: 0x80540790[C:\WINDOWS\system32\ntkrnlpa.exe]
Hooked: False
CPU #1 Hook Address: 0x80540790[C:\WINDOWS\system32\ntkrnlpa.exe]
Hooked: False
==========================================================================================================================
>>>Drivers<<<
==========================================================================================================================
==========================================================================================================================
>>>IDT<<<
==========================================================================================================================
==========================================================================================================================
>>>Windows Message Hooks<<<
==========================================================================================================================
Process: [1916]explorer.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 1920
Hook Module: MSCTF.dll
Process: [1916]explorer.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 1920
Hook Module: MSCTF.dll
Process: [732]ctfmon.exe
Type: WH_SHELL
Address: 0x746C0D4E
TID: 744
Hook Module: MSCTF.dll
Process: [732]ctfmon.exe
Type: WH_GETMESSAGE
Address: 0x746C0DE9
TID: 744
Hook Module: MSCTF.dll
Process: [732]ctfmon.exe
Type: WH_CBT
Address: 0x746C08B6
TID: 744
Hook Module: MSCTF.dll
Process: [732]ctfmon.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 744
Hook Module: MSCTF.dll
Process: [732]ctfmon.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 744
Hook Module: MSCTF.dll
Process: [1916]explorer.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 448
Hook Module: MSCTF.dll
Process: [1916]explorer.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 448
Hook Module: MSCTF.dll
Process: [960]BM.exe
Type: WH_MSGFILTER
Address: 0x00405F27
TID: 968
Hook Module: BM.exe
Process: [960]BM.exe
Type: WH_CBT
Address: 0x0040CBFE
TID: 968
Hook Module: BM.exe
Process: [752]nu.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 776
Hook Module: MSCTF.dll
Process: [960]BM.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 968
Hook Module: MSCTF.dll
Process: [752]nu.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 776
Hook Module: MSCTF.dll
Process: [960]BM.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 968
Hook Module: MSCTF.dll
Process: [1008]hpqtra08.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 1024
Hook Module: MSCTF.dll
Process: [752]nu.exe
Type: WH_MSGFILTER
Address: 0x66061D17
TID: 776
Hook Module: msvbvm60.dll
Process: [1008]hpqtra08.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 1024
Hook Module: MSCTF.dll
Process: [960]BM.exe
Type: WH_MSGFILTER
Address: 0x00405F27
TID: 1444
Hook Module: BM.exe
Process: [2516]ccsvchst.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 2580
Hook Module: MSCTF.dll
Process: [2516]ccsvchst.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 2580
Hook Module: MSCTF.dll
Process: [2516]ccsvchst.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 2608
Hook Module: MSCTF.dll
Process: [2516]ccsvchst.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 2608
Hook Module: MSCTF.dll
Process: [2516]ccsvchst.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 2828
Hook Module: MSCTF.dll
Process: [2516]ccsvchst.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 2636
Hook Module: MSCTF.dll
Process: [2516]ccsvchst.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 2636
Hook Module: MSCTF.dll
Process: [2516]ccsvchst.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 2640
Hook Module: MSCTF.dll
Process: [2516]ccsvchst.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 2640
Hook Module: MSCTF.dll
Process: [2516]ccsvchst.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 2664
Hook Module: MSCTF.dll
Process: [2516]ccsvchst.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 2664
Hook Module: MSCTF.dll
Process: [2516]ccsvchst.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 2828
Hook Module: MSCTF.dll
Process: [752]nu.exe
Type: WH_MOUSE
Address: 0x00031BF7
TID: 776
Hook Module: nu.exe
Process: [752]nu.exe
Type: WH_KEYBOARD
Address: 0x00003A04
TID: 776
Hook Module: nu.exe
Process: [752]nu.exe
Type: WH_KEYBOARD
Address: 0x00003A04
TID: 776
Hook Module: nu.exe
Process: [1008]hpqtra08.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 2512
Hook Module: MSCTF.dll
Process: [1916]explorer.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 3224
Hook Module: MSCTF.dll
Process: [1916]explorer.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 3224
Hook Module: MSCTF.dll
Process: [1008]hpqtra08.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 2512
Hook Module: MSCTF.dll
Process: [2484]NVTArk.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 2488
Hook Module: MSCTF.dll
Process: [2484]NVTArk.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 2488
Hook Module: MSCTF.dll
Process: [1684]hpqste08.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 2572
Hook Module: MSCTF.dll
Process: [1684]hpqste08.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 2572
Hook Module: MSCTF.dll
Process: [2560]hpqbam08.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 1500
Hook Module: MSCTF.dll
Process: [2560]hpqbam08.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 1500
Hook Module: MSCTF.dll
==========================================================================================================================
>>>BHOs<<<
==========================================================================================================================
Key Name: {0347C33E-8762-4905-BF09-768834316C61}
Module: C:\Programmi\HP\Smart Web Printing\hpswp_printenhancer.dll (hpswp_printenhancer dll)
Key Name: {053F9267-DC04-4294-A72C-58F732D338C0}
Module: C:\Programmi\HP\Smart Web Printing\hpswp_framework.dll (Leo (Framework) - add-on for Internet Explorer)
Key Name: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Module: C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe PDF Helper for Internet Explorer)
Key Name: {6D53EC84-6AAE-4787-AEEE-F4628F01010C}
Module: C:\Programmi\Norton AntiVirus\Engine\17.8.0.5\IPSBHO.DLL (IPS Browser Helper DLL)
Key Name: {9030D464-4C02-4ABF-8ECC-5164760863C6}
Module: C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (WindowsLiveLogin.dll)
Key Name: {DBC80044-A445-435b-BC74-9C25C1C588A9}
Module: C:\Programmi\Java\jre6\bin\jp2ssv.dll (Java(TM) Platform SE binary)
==========================================================================================================================
>>>AppInit_DLLs<<<
==========================================================================================================================
==========================================================================================================================
>>>IRP Hooks<<<
==========================================================================================================================
==========================================================================================================================
>>>Ring0 Export Hooks<<<
==========================================================================================================================
==========================================================================================================================
>>>Ring3 Export Hooks<<<
==========================================================================================================================
[1916]explorer.exe->kernel32.dll->CreateProcessInternalW
Real Address: 0x7C819527
Hook Address: 0x00B287C8
Hook Module: <empty>
Hidden Hook Module: False
==========================================================================================================================
>>>Locked System Files<<<
==========================================================================================================================
==========================================================================================================================
>>>Locked Generic Files<<<
==========================================================================================================================
==========================================================================================================================
>>>Master Boot Record (MBR)<<<
==========================================================================================================================
Master Boot Record (MBR) appears to be Ok...
==========================================================================================================================
Scan Complete... 15/03/2011 11.23.58
==========================================================================================================================
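The report above is plain text with a fixed shape (a `>>>Section<<<` header, then runs of one head line followed by `Key: value` lines), so the first pass a responder would make on it can be automated. The script below is an added example, not part of the original post and not a NoVirusThanks tool: it parses that format and pulls out the entries worth looking at first, namely SSDT / Shadow SDT hooks the scanner could not attribute to any module (shown as `[<empty>]`), processes marked `Suspicious: True` or `Hidden: True`, Ring3 export hooks with no owning module (here `explorer.exe` / `kernel32.dll!CreateProcessInternalW`), and an MBR line that is not reported as Ok. The embedded `SAMPLE_REPORT` is a constructed excerpt in the same format, not the full scan; the section names and line layout are assumed from the report as posted. An unattributed hook is a lead, not a verdict: the four `SYMEVENT.SYS` hooks are clearly Norton's, and security products also hook from pool memory the scanner cannot map back to a driver image, so `<empty>` entries are the ones to follow up, not proof of a rootkit.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the NVT Anti-Rootkit report above, not the full scan.
SAMPLE_REPORT = """\
>>>SSDT<<<
#17 NtAllocateVirtualMemory
Hook Address: 0x84ABB080 [<empty>]
#41 NtCreateKey
Hook Address: 0xF21B4210 [SYMEVENT.SYS]
==========
>>>Processes<<<
0x849429A0 [1916]C:\\WINDOWS\\explorer.exe
Suspicious: False
Hidden: False
0x84862798 [960]C:\\Programmi\\HP\\Button Manager\\BM.exe
Suspicious: True
Hidden: False
>>>Ring3 Export Hooks<<<
[1916]explorer.exe->kernel32.dll->CreateProcessInternalW
Real Address: 0x7C819527
Hook Address: 0x00B287C8
Hook Module: <empty>
>>>Master Boot Record (MBR)<<<
Master Boot Record (MBR) appears to be Ok...
"""

SECTION_RE = re.compile(r"^>>>(.+?)<<<$")
SDT_HEAD = re.compile(r"^#(\d+)\s+(\S+)$")                   # "#17 NtAllocateVirtualMemory"
PROC_HEAD = re.compile(r"^0x[0-9A-Fa-f]+\s+\[(\d+)\](.+)$")   # "0x849429A0 [1916]C:\...\explorer.exe"
RING3_HEAD = re.compile(r"^\[(\d+)\](\S+?)->(\S+?)->(\S+)$")  # "[1916]explorer.exe->kernel32.dll->Func"


def split_sections(report):
    """Group lines under their >>>Section<<< header; blank lines and ===== rules are dropped."""
    sections, current = {}, "Header"
    for raw in report.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def parse_records(lines, head, keys):
    """Turn runs of 'head line + Key: value lines' into dicts; one routine serves every section."""
    records, cur = [], None
    for line in lines:
        m = head.match(line)
        if m:
            cur = dict(zip(keys, m.groups()))
            records.append(cur)
        elif cur is not None and ":" in line:
            k, v = (s.strip() for s in line.split(":", 1))
            cur[k] = v
    return records


def owning_module(rec):
    """Module the scanner attributed a hook to: '[X]' after the address, else the Hook Module line."""
    m = re.search(r"\[(.*)\]\s*$", rec.get("Hook Address", ""))
    return (m.group(1).strip() if m else rec.get("Hook Module", "")) or "<empty>"


def sdt_records(sections):
    """Yield (section name, record) for every SSDT and Shadow SDT entry."""
    for name in ("SSDT", "Shadow SDT"):
        for rec in parse_records(sections.get(name, []), SDT_HEAD, ("index", "syscall")):
            yield name, rec


def hooks_by_module(report):
    """Count kernel SDT hooks per owning module, e.g. {'<empty>': 1, 'SYMEVENT.SYS': 1}."""
    return dict(Counter(owning_module(rec) for _, rec in sdt_records(split_sections(report))))


def triage(report):
    """(category, detail) pairs a responder should examine first; leads, not verdicts."""
    sections = split_sections(report)
    findings = []
    for name, rec in sdt_records(sections):
        if owning_module(rec) == "<empty>":
            findings.append((f"{name} hook without owning module",
                             f"#{rec['index']} {rec['syscall']} -> {rec['Hook Address']}"))
    for rec in parse_records(sections.get("Processes", []), PROC_HEAD, ("pid", "path")):
        if rec.get("Hidden") == "True":
            findings.append(("hidden process", f"[{rec['pid']}] {rec['path']}"))
        elif rec.get("Suspicious") == "True":
            findings.append(("process flagged suspicious", f"[{rec['pid']}] {rec['path']}"))
    for rec in parse_records(sections.get("Ring3 Export Hooks", []), RING3_HEAD,
                             ("pid", "process", "dll", "func")):
        if owning_module(rec) == "<empty>":
            findings.append(("user-mode export hook without owning module",
                             f"[{rec['pid']}]{rec['process']} {rec['dll']}!{rec['func']}"))
    if not any("appears to be Ok" in l for l in sections.get("Master Boot Record (MBR)", [])):
        findings.append(("MBR", "scanner did not report the MBR as Ok"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REPORT):
        print(f"{category}: {detail}")
```

Run against the full report posted above (paste it into `SAMPLE_REPORT` or read it from a file), `hooks_by_module` separates the entries Norton owns (`SYMEVENT.SYS`) from the `<empty>` ones, and `triage` lists the `<empty>` SSDT / Shadow SDT hooks, `BM.exe` (the only process with `Suspicious: True`), and the unattributed `CreateProcessInternalW` hook inside `explorer.exe`. Those are the items to identify next (for instance by checking whether the hook addresses fall inside a loaded driver's image range), not a list of infections.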
Hook Module: MSCTF.dll
Process: [1008]hpqtra08.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 2512
Hook Module: MSCTF.dll
Process: [2484]NVTArk.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 2488
Hook Module: MSCTF.dll
Process: [2484]NVTArk.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 2488
Hook Module: MSCTF.dll
Process: [1684]hpqste08.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 2572
Hook Module: MSCTF.dll
Process: [1684]hpqste08.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 2572
Hook Module: MSCTF.dll
Process: [2560]hpqbam08.exe
Type: WH_KEYBOARD
Address: 0x746C024B
TID: 1500
Hook Module: MSCTF.dll
Process: [2560]hpqbam08.exe
Type: WH_MOUSE
Address: 0x746BFF89
TID: 1500
Hook Module: MSCTF.dll
==========================================================================================================================
>>>BHOs<<<
==========================================================================================================================
Key Name: {0347C33E-8762-4905-BF09-768834316C61}
Module: C:\Programmi\HP\Smart Web Printing\hpswp_printenhancer.dll (hpswp_printenhancer dll)
Key Name: {053F9267-DC04-4294-A72C-58F732D338C0}
Module: C:\Programmi\HP\Smart Web Printing\hpswp_framework.dll (Leo (Framework) - add-on for Internet Explorer)
Key Name: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Module: C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe PDF Helper for Internet Explorer)
Key Name: {6D53EC84-6AAE-4787-AEEE-F4628F01010C}
Module: C:\Programmi\Norton AntiVirus\Engine\17.8.0.5\IPSBHO.DLL (IPS Browser Helper DLL)
Key Name: {9030D464-4C02-4ABF-8ECC-5164760863C6}
Module: C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (WindowsLiveLogin.dll)
Key Name: {DBC80044-A445-435b-BC74-9C25C1C588A9}
Module: C:\Programmi\Java\jre6\bin\jp2ssv.dll (Java(TM) Platform SE binary)
==========================================================================================================================
>>>AppInit_DLLs<<<
==========================================================================================================================
==========================================================================================================================
>>>IRP Hooks<<<
==========================================================================================================================
==========================================================================================================================
>>>Ring0 Export Hooks<<<
==========================================================================================================================
==========================================================================================================================
>>>Ring3 Export Hooks<<<
==========================================================================================================================
[1916]explorer.exe->kernel32.dll->CreateProcessInternalW
Real Address: 0x7C819527
Hook Address: 0x00B287C8
Hook Module: <empty>
Hidden Hook Module: False
==========================================================================================================================
>>>Locked System Files<<<
==========================================================================================================================
==========================================================================================================================
>>>Locked Generic Files<<<
==========================================================================================================================
==========================================================================================================================
>>>Master Boot Record (MBR)<<<
==========================================================================================================================
Master Boot Record (MBR) appears to be Ok...
==========================================================================================================================
Scan Complete... 15/03/2011 11.23.58
==========================================================================================================================