Esegui BeGa ha scritto:non ho detto che è un virus, ma che potrebbe
Lo elimino che lo stesso non credo serva a niente...poi vediamo se le intrusioni si verificano ancora...
-
- Annuncio Pubblicitario
Intrusioni bloccate continue
41 messaggi
• Pagina 2 di 3 • 1, 2, 3
da PcPhilosophus » mer nov 28, 2007 3:09 pm
Lo elimino che lo stesso non credo serva a niente...poi vediamo se le intrusioni si verificano ancora...
Ero conosciuto con il nick di bart_simpson in questo forum, lo ho cambiato, ora sono PcPhilosophus :)
-
PcPhilosophus - Bronze Member
- Messaggi: 616
- Iscritto il: sab ott 13, 2007 10:08 pm
da PcPhilosophus » mer nov 28, 2007 3:19 pm
ste_95 ha scritto:succede quando vai su qualche sito in particolare?
fai da server?
una iniezione di codice non è una baggianata..
Succede all'improvviso mentre navigo in internet, non su qualche sito in particolare, tipo ieri era da 3 giorni che non usciva l'avviso...
Ma se il codice è iniettato in internet explorer non faccio prima a disinstallarlo e reinstallarlo?
poi secondo voi potrebbe essere questo?
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
Non ho idea di cosa sia...
Ero conosciuto con il nick di bart_simpson in questo forum, lo ho cambiato, ora sono PcPhilosophus :)
-
PcPhilosophus - Bronze Member
- Messaggi: 616
- Iscritto il: sab ott 13, 2007 10:08 pm
da BeGa » mer nov 28, 2007 3:22 pm
Bart_simpson ha scritto:ste_95 ha scritto:succede quando vai su qualche sito in particolare?
fai da server?
una iniezione di codice non è una baggianata..
Succede all'improvviso mentre navigo in internet, non su qualche sito in particolare, tipo ieri era da 3 giorni che non usciva l'avviso...
Ma se il codice è iniettato in internet explorer non faccio prima a disinstallarlo e reinstallarlo?
poi secondo voi potrebbe essere questo?
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
Non ho idea di cosa sia...
va qualche topic più in su
-
BeGa - Membro Ufficiale (Gold)
- Messaggi: 2192
- Iscritto il: mer apr 18, 2007 3:13 pm
da ste_95 » mer nov 28, 2007 3:27 pm
Bart_simpson ha scritto:ste_95 ha scritto:succede quando vai su qualche sito in particolare?
fai da server?
una iniezione di codice non è una baggianata..
Succede all'improvviso mentre navigo in internet, non su qualche sito in particolare, tipo ieri era da 3 giorni che non usciva l'avviso...
Ma se il codice è iniettato in internet explorer non faccio prima a disinstallarlo e reinstallarlo?
è iniettato in internet perché navighi con lui...
fai da server?
poi secondo voi potrebbe essere questo?
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
Non ho idea di cosa sia...
quella voce è l'utilità di diagnostica di rete che per un bug di hijackthis è vista disattivata...
«A volte è meglio tacere e sembrare stupidi che aprir bocca e togliere ogni dubbio.» Oscar Wilde
-
ste_95 - Membro Ufficiale (Gold)
- Messaggi: 17271
- Iscritto il: lun ago 06, 2007 11:19 am
da PcPhilosophus » mer nov 28, 2007 3:59 pm
Nel senso che è nella connessione? Nell'adsl?
Le risposte le vedo domani che ora devo andare,grazie...
Le risposte le vedo domani che ora devo andare,grazie...
Ero conosciuto con il nick di bart_simpson in questo forum, lo ho cambiato, ora sono PcPhilosophus :)
-
PcPhilosophus - Bronze Member
- Messaggi: 616
- Iscritto il: sab ott 13, 2007 10:08 pm
da ste_95 » mer nov 28, 2007 4:12 pm
non è che è nella connessione, ma sfrutta IE per entrare, prova a navigare con FF e vedi se funziona senza problemi...
«A volte è meglio tacere e sembrare stupidi che aprir bocca e togliere ogni dubbio.» Oscar Wilde
-
ste_95 - Membro Ufficiale (Gold)
- Messaggi: 17271
- Iscritto il: lun ago 06, 2007 11:19 am
da PcPhilosophus » mer nov 28, 2007 5:54 pm
Ora ho avviato senza componenti aggiuntivi come hai detto tu Bega...appena aperto il browser il firewall ha segnalato di nuovo: ora ti scrivo per esteso cosa ha segnalato...
-----------------------------------------------------------------------------------------------
Dettagli tecnici tentativo di intrusione:
Applicazione injector: C:\Programmi\Internet Explorer\iexplore.exe
Descrizione: Internet Explorer
Versione file: 7.00.6000.16544 (vista_gdr.070814-1500)
Nome prodotto: Windows® Internet Explorer
Versione prodotto: 7.00.6000.16544
Creato: 2007/9/10, 10:44:43
Modificato: 2007/8/17, 10:23:03
Ultimo accesso: 2007/11/28, 14:05:54
Applicazione di destinazione: C:\Programmi\Internet Explorer\iexplore.exe
Descrizione: Internet Explorer
Versione file: 7.00.6000.16544 (vista_gdr.070814-1500)
Nome prodotto: Windows® Internet Explorer
Versione prodotto: 7.00.6000.16544
Creato: 2007/9/10, 10:44:43
Modificato: 2007/8/17, 10:23:03
Ultimo accesso: 2007/11/28, 14:05:54
Indirizzo injection: 0x43628F46
-----------------------------------------------------------------------------------------------
Con questi dati in più sapete dirmi come risolvere?
-----------------------------------------------------------------------------------------------
Dettagli tecnici tentativo di intrusione:
Applicazione injector: C:\Programmi\Internet Explorer\iexplore.exe
Descrizione: Internet Explorer
Versione file: 7.00.6000.16544 (vista_gdr.070814-1500)
Nome prodotto: Windows® Internet Explorer
Versione prodotto: 7.00.6000.16544
Creato: 2007/9/10, 10:44:43
Modificato: 2007/8/17, 10:23:03
Ultimo accesso: 2007/11/28, 14:05:54
Applicazione di destinazione: C:\Programmi\Internet Explorer\iexplore.exe
Descrizione: Internet Explorer
Versione file: 7.00.6000.16544 (vista_gdr.070814-1500)
Nome prodotto: Windows® Internet Explorer
Versione prodotto: 7.00.6000.16544
Creato: 2007/9/10, 10:44:43
Modificato: 2007/8/17, 10:23:03
Ultimo accesso: 2007/11/28, 14:05:54
Indirizzo injection: 0x43628F46
-----------------------------------------------------------------------------------------------
Con questi dati in più sapete dirmi come risolvere?
Ero conosciuto con il nick di bart_simpson in questo forum, lo ho cambiato, ora sono PcPhilosophus :)
-
PcPhilosophus - Bronze Member
- Messaggi: 616
- Iscritto il: sab ott 13, 2007 10:08 pm
da PcPhilosophus » mer nov 28, 2007 5:58 pm
ste_95 ha scritto:non è che è nella connessione, ma sfrutta IE per entrare, prova a navigare con FF e vedi se funziona senza problemi...
Firefox lo avevo deu mesi fa, ha incominciato a bloccare le pagine quindi lo ho disinstallato...
Ero conosciuto con il nick di bart_simpson in questo forum, lo ho cambiato, ora sono PcPhilosophus :)
-
PcPhilosophus - Bronze Member
- Messaggi: 616
- Iscritto il: sab ott 13, 2007 10:08 pm
da PcPhilosophus » mer nov 28, 2007 8:13 pm
Ho provato e Firefox non si connette nemmeno, dice sempre pagina bloccata su qualunque sito...
Ero conosciuto con il nick di bart_simpson in questo forum, lo ho cambiato, ora sono PcPhilosophus :)
-
PcPhilosophus - Bronze Member
- Messaggi: 616
- Iscritto il: sab ott 13, 2007 10:08 pm
da PcPhilosophus » gio nov 29, 2007 1:53 pm
Ho fatto la scansione con gmer (alternativo ad hijackthis) ecco l'esito... che faccio?
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-29 13:51:02
Windows 5.1.2600 SE~1rvice Pack 2
---- System - GMER 1.0.13 ----
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCloSE~1
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcesSE~1x
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\khips.sys ZwLoadDriver
SSDT \SystemRoot\system32\drivers\khips.sys ZwMapViewOfSE~1ction
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwResumeThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSE~1tInformationFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSE~1tValueKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwWriteFile
---- Kernel code SE~1ctions - GMER 1.0.13 ----
PAGENDSM NDIS.sys!NdisMIndicateStatus F7387A5F 6 Bytes JMP F45041EC \SystemRoot\system32\drivers\fwdrv.sys
---- USE~1r code SE~1ctions - GMER 1.0.13 ----
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] WS2_32.dll!socket 71A33B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[384] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[384] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00080720
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Programmi\WinRAR\WinRAR.exe[428] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 001307AC
.text C:\Programmi\WinRAR\WinRAR.exe[428] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00130720
.text C:\Programmi\WinRAR\WinRAR.exe[428] WININET.dll!InternetConnectA 433149BA 5 Bytes JMP 00130F54
.text C:\Programmi\WinRAR\WinRAR.exe[428] WININET.dll!InternetConnectW 43315BA8 5 Bytes JMP 00130FE0
.text C:\Programmi\WinRAR\WinRAR.exe[428] WININET.dll!InternetOpenA 4331C869 5 Bytes JMP 00130D24
.text C:\Programmi\WinRAR\WinRAR.exe[428] WININET.dll!InternetOpenW 4331CE99 5 Bytes JMP 00130DB0
.text C:\Programmi\WinRAR\WinRAR.exe[428] WININET.dll!InternetOpenUrlA 433206DD 5 Bytes JMP 00130E3C
.text C:\Programmi\WinRAR\WinRAR.exe[428] WININET.dll!InternetOpenUrlW 4336AB41 5 Bytes JMP 00130EC8
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\alg.exe[488] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\alg.exe[488] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\alg.exe[488] WS2_32.dll!socket 71A33B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\alg.exe[488] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\alg.exe[488] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00080950
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 001307AC
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00130720
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] WS2_32.dll!socket 71A33B91 5 Bytes JMP 001308C4
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00130838
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001601A8
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00160090
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00160694
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateProcessW 7C802332 5 Bytes JMP 001602C0
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateProcessA 7C802367 5 Bytes JMP 00160234
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00160004
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0016011C
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateThread 7C810637 5 Bytes JMP 0016057C
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001603D8
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0016034C
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!WinExec 7C86136D 5 Bytes JMP 00160464
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00160608
.text C:\WINDOWS\system32\csrss.exe[712] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 001607AC
.text C:\WINDOWS\system32\csrss.exe[712] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00160720
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[736] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[736] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!socket 71A33B91 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\SE~1rvices.exe[780] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\SE~1rvices.exe[780] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\SE~1rvices.exe[780] WS2_32.dll!socket 71A33B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\SE~1rvices.exe[780] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\SE~1rvices.exe[780] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!VirtualProtectEx
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-29 13:51:02
Windows 5.1.2600 SE~1rvice Pack 2
---- System - GMER 1.0.13 ----
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCloSE~1
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcesSE~1x
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\khips.sys ZwLoadDriver
SSDT \SystemRoot\system32\drivers\khips.sys ZwMapViewOfSE~1ction
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwResumeThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSE~1tInformationFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSE~1tValueKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwWriteFile
---- Kernel code SE~1ctions - GMER 1.0.13 ----
PAGENDSM NDIS.sys!NdisMIndicateStatus F7387A5F 6 Bytes JMP F45041EC \SystemRoot\system32\drivers\fwdrv.sys
---- USE~1r code SE~1ctions - GMER 1.0.13 ----
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] WS2_32.dll!socket 71A33B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\wbem\wmiprvSE~1.exe[236] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[384] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[384] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[384] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00080720
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Programmi\WinRAR\WinRAR.exe[428] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Programmi\WinRAR\WinRAR.exe[428] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 001307AC
.text C:\Programmi\WinRAR\WinRAR.exe[428] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00130720
.text C:\Programmi\WinRAR\WinRAR.exe[428] WININET.dll!InternetConnectA 433149BA 5 Bytes JMP 00130F54
.text C:\Programmi\WinRAR\WinRAR.exe[428] WININET.dll!InternetConnectW 43315BA8 5 Bytes JMP 00130FE0
.text C:\Programmi\WinRAR\WinRAR.exe[428] WININET.dll!InternetOpenA 4331C869 5 Bytes JMP 00130D24
.text C:\Programmi\WinRAR\WinRAR.exe[428] WININET.dll!InternetOpenW 4331CE99 5 Bytes JMP 00130DB0
.text C:\Programmi\WinRAR\WinRAR.exe[428] WININET.dll!InternetOpenUrlA 433206DD 5 Bytes JMP 00130E3C
.text C:\Programmi\WinRAR\WinRAR.exe[428] WININET.dll!InternetOpenUrlW 4336AB41 5 Bytes JMP 00130EC8
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\System32\alg.exe[488] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\System32\alg.exe[488] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\System32\alg.exe[488] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00080720
.text C:\WINDOWS\System32\alg.exe[488] WS2_32.dll!socket 71A33B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\System32\alg.exe[488] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00080838
.text C:\WINDOWS\System32\alg.exe[488] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00080950
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00130608
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 001307AC
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00130720
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] WS2_32.dll!socket 71A33B91 5 Bytes JMP 001308C4
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00130838
.text C:\Programmi\Kerio\Personal Firewall 4\kpf4gui.exe[648] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001601A8
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00160090
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00160694
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateProcessW 7C802332 5 Bytes JMP 001602C0
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateProcessA 7C802367 5 Bytes JMP 00160234
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00160004
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0016011C
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateThread 7C810637 5 Bytes JMP 0016057C
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001603D8
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0016034C
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!WinExec 7C86136D 5 Bytes JMP 00160464
.text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00160608
.text C:\WINDOWS\system32\csrss.exe[712] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 001607AC
.text C:\WINDOWS\system32\csrss.exe[712] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00160720
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[736] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[736] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!socket 71A33B91 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\SE~1rvices.exe[780] kernel32.dll!SE~1tThreadContext 7C862A69 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\SE~1rvices.exe[780] USE~1R32.dll!SE~1tWindowsHookExW 7E3ADDB5 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\SE~1rvices.exe[780] USE~1R32.dll!SE~1tWindowsHookExA 7E3B11D1 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\SE~1rvices.exe[780] WS2_32.dll!socket 71A33B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\SE~1rvices.exe[780] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\SE~1rvices.exe[780] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!VirtualProtectEx
Ero conosciuto con il nick di bart_simpson in questo forum, lo ho cambiato, ora sono PcPhilosophus :)
-
PcPhilosophus - Bronze Member
- Messaggi: 616
- Iscritto il: sab ott 13, 2007 10:08 pm
da PcPhilosophus » gio nov 29, 2007 2:17 pm
ste_95 ha scritto:Mi pare che manchi l'ultima parte....sei sicuro che sia compelto...?
C'era scritto il mio contatto msn con le cartelle condivise, xciò lo ho cancellato...
vedendo questo cosa puoi dirmi?
Ero conosciuto con il nick di bart_simpson in questo forum, lo ho cambiato, ora sono PcPhilosophus :)
-
PcPhilosophus - Bronze Member
- Messaggi: 616
- Iscritto il: sab ott 13, 2007 10:08 pm
![[;)]](http://www.megalab.it/forum/images/smilies/wink.gif "Occhiolino")
da PcPhilosophus » gio nov 29, 2007 2:20 pm
e tutti i kernel32.dll che sono??
Ero conosciuto con il nick di bart_simpson in questo forum, lo ho cambiato, ora sono PcPhilosophus :)
-
PcPhilosophus - Bronze Member
- Messaggi: 616
- Iscritto il: sab ott 13, 2007 10:08 pm
da crazy.cat » gio nov 29, 2007 2:28 pm
Puoi verificare la presenza di questo file
C:\WINDOWS\system32\SE~1rvices.exe
Se e' nel tuo pc con questo nome caricalo sul sito www.virustotal.com e vedi cosa ti dicono.
C:\WINDOWS\system32\SE~1rvices.exe
Se e' nel tuo pc con questo nome caricalo sul sito www.virustotal.com e vedi cosa ti dicono.
Quando i molti governano, pensano solo a contentar sé stessi, si ha allora la tirannia più balorda e più odiosa: la tirannia mascherata da libertà.
-
crazy.cat - MLI Hero
- Messaggi: 30959
- Iscritto il: lun gen 12, 2004 1:38 pm
- Località: Mestre
da PcPhilosophus » gio nov 29, 2007 2:30 pm
crazy.cat ha scritto:Puoi verificare la presenza di questo file
C:\WINDOWS\system32\SE~1rvices.exe
Se e' nel tuo pc con questo nome caricalo sul sito www.virustotal.com e vedi cosa ti dicono.
non c'è...
ho fatto la scansione con spybot e mi ha trovato un grokloader, è quello il virus?
Ero conosciuto con il nick di bart_simpson in questo forum, lo ho cambiato, ora sono PcPhilosophus :)
-
PcPhilosophus - Bronze Member
- Messaggi: 616
- Iscritto il: sab ott 13, 2007 10:08 pm
da PcPhilosophus » gio nov 29, 2007 2:52 pm
chiave di registro, la ho rimossa...non so se è quello, fattostà che oggi non mi segnala ancora intrusioni...
Ero conosciuto con il nick di bart_simpson in questo forum, lo ho cambiato, ora sono PcPhilosophus :)
-
PcPhilosophus - Bronze Member
- Messaggi: 616
- Iscritto il: sab ott 13, 2007 10:08 pm
41 messaggi
• Pagina 2 di 3 • 1, 2, 3
Chi c’è in linea
Visitano il forum: Nessuno e 40 ospiti
megalab.it: testata telematica quotidiana registrata al Tribunale di Cosenza n. 22/09 del 13.08.2009, editore Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa Tutti i diritti sono riservati. Per la pubblicità: Master Advertising