
Email-Worm.Win32.Bagle.of - IT'S DRIVING ME CRAZY...help

Posted: Sat Jan 19, 2008 1:32 pm
by fedy_11
I have a big problem.
I picked up something from the internet, I don't know what to call it, whether a virus, a trojan or something else. All I know is that by reading this forum and searching online I managed to find its name, but not the solution to my problem.

Email-Worm.Win32.Bagle.of

With SPYWARE DOCTOR I can see it and find it, but not delete it.
It tells me the infection is located in:

HKEY_USERS\S-1-5-21-1606980848-2142333999-725345543-1003\Software\Windows\CurrentVersion\Run, german.exe

I also tried downloading a small removal tool for BEAGLE from the SYMANTEC site, but nothing.

SOMEONE PLEASE HELP ME...
Thanks, Federico

Posted: Sat Jan 19, 2008 1:38 pm
by crazy.cat

Posted: Sat Jan 19, 2008 1:41 pm
by fedy_11
I already ran the scan with Kaspersky Online; here is the result:

KASPERSKY ONLINE SCANNER REPORT
Friday, January 18, 2008 7:04:15 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/01/2008
Kaspersky Anti-Virus database records: 483088


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics
Total number of scanned objects 57511
Number of viruses found 1
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 05:26:26

Infected Object Name Virus Name Last Action
F:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

F:\Documents and Settings\All Users\Dati applicazioni\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

F:\Documents and Settings\All Users\Dati applicazioni\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped

F:\Documents and Settings\Federico\Cookies\index.dat Object is locked skipped

F:\Documents and Settings\Federico\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

F:\Documents and Settings\Federico\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

F:\Documents and Settings\Federico\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

F:\Documents and Settings\Federico\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

F:\Documents and Settings\Federico\NTUSER.DAT Object is locked skipped

F:\Documents and Settings\Federico\ntuser.dat.LOG Object is locked skipped

F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

F:\Documents and Settings\LocalService\Impostazioni locali\Cronologia\History.IE5\index.dat Object is locked skipped

F:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

F:\Documents and Settings\LocalService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

F:\Documents and Settings\LocalService\Impostazioni locali\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

F:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped

F:\Documents and Settings\NetworkService\Impostazioni locali\Dati applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

F:\Programmi\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

F:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe Object is locked skipped

F:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe Object is locked skipped

F:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe Object is locked skipped

F:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe Object is locked skipped

F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

F:\WINDOWS\Driver Cache\i386\ntoskrnl.exe Object is locked skipped

F:\WINDOWS\SchedLgU.Txt Object is locked skipped

F:\WINDOWS\SoftwareDistribution\Download\e1c01b7f52f122729009e4d1770edc4f\backup\sp2gdr\ntoskrnl.exe Object is locked skipped

F:\WINDOWS\SoftwareDistribution\Download\e1c01b7f52f122729009e4d1770edc4f\backup\sp2qfe\ntoskrnl.exe Object is locked skipped

F:\WINDOWS\Sti_Trace.log Object is locked skipped

F:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

F:\WINDOWS\system32\CnxDslWz.log Object is locked skipped

F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

F:\WINDOWS\system32\config\default Object is locked skipped

F:\WINDOWS\system32\config\default.LOG Object is locked skipped

F:\WINDOWS\system32\config\Internet.evt Object is locked skipped

F:\WINDOWS\system32\config\SAM Object is locked skipped

F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

F:\WINDOWS\system32\config\SECURITY Object is locked skipped

F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

F:\WINDOWS\system32\config\software Object is locked skipped

F:\WINDOWS\system32\config\software.LOG Object is locked skipped

F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

F:\WINDOWS\system32\config\system Object is locked skipped

F:\WINDOWS\system32\config\system.LOG Object is locked skipped

F:\WINDOWS\system32\dllcache\ntoskrnl.exe Object is locked skipped

F:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped

F:\WINDOWS\system32\drivers\down\14439281.exe Infected: Email-Worm.Win32.Bagle.of skipped

F:\WINDOWS\system32\drivers\down\14452109.exe Infected: Email-Worm.Win32.Bagle.of skipped

F:\WINDOWS\system32\h323log.txt Object is locked skipped

F:\WINDOWS\system32\mdelk.exe Infected: Email-Worm.Win32.Bagle.of skipped

F:\WINDOWS\system32\ntoskrnl.exe Object is locked skipped

F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

F:\WINDOWS\wiadebug.log Object is locked skipped

F:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

I have also already tried the little AVENGER program, but it will not remove the registry key I listed in my previous message, no matter what!!!
What can I do?

Posted: Sat Jan 19, 2008 2:06 pm
by ste_95
Download Avenger
Extract it to a folder of your choice
Run the avenger.exe file with the sword icon
Select the radio button "Input script manually"
Then choose the magnifying glass and click it
Now paste these lines into the white box that opened:

Files to delete:
C:\WINDOWS\system32\drivers\hidr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe
C:\WINDOWS\system32\trusted.exe
C:\WINDOWS\system32\drivers\pci32.sys
C:\windows\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\hldrrr.ex_
C:\WINDOWS\system32\mdelk.exe

folders to delete:
C:\WINDOWS\exefnd
C:\WINDOWS\exefld
C:\WINDOWS\system32\drivers\down

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\CurrentControlSet\Services\pci32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32


Now click Done at the bottom of the box
Select the small traffic light at the top right
Answer Yes to Avenger's two prompts
Your computer should now reboot; if it does not, reboot it manually
When the computer comes back up, copy and paste here the contents of the Notepad window that will appear.

Posted: Sat Jan 19, 2008 2:17 pm
by fedy_11
Done, here is the result...

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gmneceaf

*******************

Script file located at: \??\F:\Documents and Settings\bofnaeaa.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\system32\drivers\hidr.exe for deletion
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!

Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\drivers\srosa.sys for deletion
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\wintems.exe for deletion
Deletion of file C:\WINDOWS\system32\wintems.exe failed!

Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\hldrrr.exe for deletion
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!

Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\trusted.exe for deletion
Deletion of file C:\WINDOWS\system32\trusted.exe failed!

Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\drivers\pci32.sys for deletion
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc000003a



Could not open file C:\windows\system32\drivers\hldrrr.exe for deletion
Deletion of file C:\windows\system32\drivers\hldrrr.exe failed!

Could not process line:
C:\windows\system32\drivers\hldrrr.exe
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\drivers\hldrrr.ex_ for deletion
Deletion of file C:\WINDOWS\system32\drivers\hldrrr.ex_ failed!

Could not process line:
C:\WINDOWS\system32\drivers\hldrrr.ex_
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\mdelk.exe for deletion
Deletion of file C:\WINDOWS\system32\mdelk.exe failed!

Could not process line:
C:\WINDOWS\system32\mdelk.exe
Status: 0xc000003a



Could not open folder C:\WINDOWS\exefnd for deletion
Deletion of folder C:\WINDOWS\exefnd failed!

Could not process line:
C:\WINDOWS\exefnd
Status: 0xc000003a



Could not open folder C:\WINDOWS\exefld for deletion
Deletion of folder C:\WINDOWS\exefld failed!

Could not process line:
C:\WINDOWS\exefld
Status: 0xc000003a



Could not open folder C:\WINDOWS\system32\drivers\down for deletion
Deletion of folder C:\WINDOWS\system32\drivers\down failed!

Could not process line:
C:\WINDOWS\system32\drivers\down
Status: 0xc000003a

Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa deleted successfully.
Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA deleted successfully.


Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
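Every file and folder line in the log above fails with status 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND) while the script names C:\WINDOWS paths and the Kaspersky report located the same files under F:\WINDOWS; this added Python example, not part of the thread, parses an Avenger log, decodes the two NTSTATUS values that appear in it, and flags targets whose drive letter differs from the system drive. The log excerpt is constructed from the posted output, and the success-line formats for files and folders are assumed.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed excerpt modelled on the Avenger log posted in the thread (not the full log).
SAMPLE_LOG = r"""Logfile of The Avenger version 1, by Swandog46
Script file located at: \??\F:\Documents and Settings\bofnaeaa.txt
Beginning to process script file:

Could not open file C:\WINDOWS\system32\mdelk.exe for deletion
Deletion of file C:\WINDOWS\system32\mdelk.exe failed!

Could not process line:
C:\WINDOWS\system32\mdelk.exe
Status: 0xc000003a

Could not open folder C:\WINDOWS\system32\drivers\down for deletion
Deletion of folder C:\WINDOWS\system32\drivers\down failed!

Could not process line:
C:\WINDOWS\system32\drivers\down
Status: 0xc000003a

Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa deleted successfully.

Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034

Completed script processing.
"""

# NTSTATUS values seen in the posted logs; names as in the Windows SDK ntstatus.h.
NTSTATUS_NAMES = {
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",  # a directory component of the path does not exist
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",  # the path exists but the final name does not
}


def status_name(code: int) -> str:
    return NTSTATUS_NAMES.get(code, "UNKNOWN_0x%08X" % code)


class Result(NamedTuple):
    target: str   # file, folder or registry key named in the script
    ok: bool
    status: int   # NTSTATUS for failures, 0 on success


# Success lines: the registry-key form is on the page; the File/Folder forms are assumed.
SUCCESS_RE = re.compile(r"^(?:File|Folder|Registry key) (.+) deleted successfully\.$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")
SCRIPT_RE = re.compile(r"^Script file located at: \\\?\?\\([A-Za-z]):")


def parse_avenger_log(text: str) -> List[Result]:
    """Return one Result per script line Avenger reported on, in log order."""
    lines = [ln.strip() for ln in text.splitlines()]
    results: List[Result] = []
    for i, line in enumerate(lines):
        m = SUCCESS_RE.match(line)
        if m:
            results.append(Result(m.group(1), True, 0))
        elif line == "Could not process line:" and i + 2 < len(lines):
            # Avenger prints the offending script line, then "Status: 0x...".
            m = STATUS_RE.match(lines[i + 2])
            results.append(Result(lines[i + 1], False, int(m.group(1), 16) if m else -1))
    return results


def script_drive(text: str) -> Optional[str]:
    """Drive Avenger wrote its script file to; in the thread this is the Windows drive (heuristic)."""
    for line in text.splitlines():
        m = SCRIPT_RE.match(line.strip())
        if m:
            return m.group(1).upper()
    return None


def drive_mismatches(results: List[Result], system_drive: str) -> List[str]:
    """Failed file/folder targets whose drive letter is not the system drive."""
    return [r.target for r in results
            if not r.ok and re.match(r"[A-Za-z]:\\", r.target)
            and r.target[0].upper() != system_drive.upper()]


def report(text: str, system_drive: Optional[str] = None) -> List[str]:
    """Summary lines; system_drive defaults to the drive the script file was written to."""
    results = parse_avenger_log(text)
    drive = system_drive or script_drive(text) or "C"
    out = []
    for r in results:
        if r.ok:
            out.append(f"OK      {r.target}")
        else:
            out.append(f"FAILED  {r.target}  {status_name(r.status)}")
    for t in drive_mismatches(results, drive):
        out.append(f"CHECK   {t}: drive {t[0].upper()}: differs from system drive {drive}:")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```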

Posted: Sat Jan 19, 2008 2:20 pm
by ste_95
Try again with all applications closed.

Posted: Sat Jan 19, 2008 2:22 pm
by fedy_11
What kind of applications do you mean?
I don't think I had anything open before...

Posted: Sat Jan 19, 2008 2:33 pm
by ste_95
Close everything that isn't Avenger.

Posted: Sat Jan 19, 2008 2:35 pm
by fedy_11
Everything was closed; I'll try again anyway and send you the result...

Posted: Sat Jan 19, 2008 2:46 pm
by fedy_11
So...
I went to RUN, typed MSCONFIG, and on the GENERAL tab I selected DIAGNOSTIC STARTUP: LOAD BASIC DEVICES AND SERVICES ONLY.
After rebooting the PC I was sure no applications were open.
I launched AVENGER and this is the result:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jbexeiru

*******************

Script file located at: \??\F:\WINDOWS\system32\ncdjmaue.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\system32\drivers\hidr.exe for deletion
Deletion of file C:\WINDOWS\system32\drivers\hidr.exe failed!

Could not process line:
C:\WINDOWS\system32\drivers\hidr.exe
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\drivers\srosa.sys for deletion
Deletion of file C:\WINDOWS\system32\drivers\srosa.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\srosa.sys
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\wintems.exe for deletion
Deletion of file C:\WINDOWS\system32\wintems.exe failed!

Could not process line:
C:\WINDOWS\system32\wintems.exe
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\hldrrr.exe for deletion
Deletion of file C:\WINDOWS\system32\hldrrr.exe failed!

Could not process line:
C:\WINDOWS\system32\hldrrr.exe
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\trusted.exe for deletion
Deletion of file C:\WINDOWS\system32\trusted.exe failed!

Could not process line:
C:\WINDOWS\system32\trusted.exe
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\drivers\pci32.sys for deletion
Deletion of file C:\WINDOWS\system32\drivers\pci32.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\pci32.sys
Status: 0xc000003a



Could not open file C:\windows\system32\drivers\hldrrr.exe for deletion
Deletion of file C:\windows\system32\drivers\hldrrr.exe failed!

Could not process line:
C:\windows\system32\drivers\hldrrr.exe
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\drivers\hldrrr.ex_ for deletion
Deletion of file C:\WINDOWS\system32\drivers\hldrrr.ex_ failed!

Could not process line:
C:\WINDOWS\system32\drivers\hldrrr.ex_
Status: 0xc000003a



Could not open file C:\WINDOWS\system32\mdelk.exe for deletion
Deletion of file C:\WINDOWS\system32\mdelk.exe failed!

Could not process line:
C:\WINDOWS\system32\mdelk.exe
Status: 0xc000003a



Could not open folder C:\WINDOWS\exefnd for deletion
Deletion of folder C:\WINDOWS\exefnd failed!

Could not process line:
C:\WINDOWS\exefnd
Status: 0xc000003a



Could not open folder C:\WINDOWS\exefld for deletion
Deletion of folder C:\WINDOWS\exefld failed!

Could not process line:
C:\WINDOWS\exefld
Status: 0xc000003a



Could not open folder C:\WINDOWS\system32\drivers\down for deletion
Deletion of folder C:\WINDOWS\system32\drivers\down failed!

Could not process line:
C:\WINDOWS\system32\drivers\down
Status: 0xc000003a



Registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\srosa failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\srosa
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\pci32 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\pci32
Status: 0xc0000034



Registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32 failed!

Could not process line:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCI32
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Posted: Sat Jan 19, 2008 2:50 pm
by ste_95
Then let's try this:

Download GMER.

In the Processes tab, find and terminate all processes related to the virus, then open regedit and go to the following key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Delete the entries related to the virus.

Try Avenger again.

Posted: Sat Jan 19, 2008 3:03 pm
by fedy_11
Sorry for my ignorance: I downloaded GMER, went to the PROCESSES tab and found a whole list of running processes... WHICH ONES DO I HAVE TO CLOSE???
I'm attaching a picture to show you...

Posted: Sat Jan 19, 2008 3:04 pm
by ste_95
Those are all legitimate; move to the Rootkit tab and see whether GMER reports the presence of a rootkit.

Posted: Sat Jan 19, 2008 3:07 pm
by fedy_11
In the ROOTKIT tab I find this:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-19 15:09:57
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey

---- Devices - GMER 1.0.13 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 867E73F0

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F77211DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F77211DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7721454] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F77211DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7714F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F789E466] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F78A694A] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F789E8A4] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F789E31C] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F78A741E] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F789E408] sisidex.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F789E408] sisidex.sys

---- Modules - GMER 1.0.13 ----

Module _________ F7749000-F7761000 (98304 bytes)

---- EOF - GMER 1.0.13 ----

Posted: Sat Jan 19, 2008 3:09 pm
by ste_95
When you run the scan, don't you find any entries in red, or any report of files belonging to the trojan..?

Posted: Sat Jan 19, 2008 8:05 pm
by fedy_11
I don't think I found anything; I'm attaching the results in case you spot something...
anyway, there's nothing in red...

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2008-01-19 20:04:03
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT a347bus.sys ZwClose
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateProcessEx
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwDeleteValueKey
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT a347bus.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwRenameKey
SSDT a347bus.sys ZwSetSystemPowerState
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwSetValueKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwTerminateProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.13 ----

? F:\WINDOWS\system32\Drivers\mchInjDrv.sys Impossibile trovare il file specificato.

---- User code sections - GMER 1.0.13 ----

.text F:\WINDOWS\system32\csrss.exe[556] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\WINDOWS\system32\csrss.exe[556] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\WINDOWS\system32\csrss.exe[556] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\WINDOWS\system32\winlogon.exe[580] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\WINDOWS\system32\winlogon.exe[580] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\WINDOWS\system32\winlogon.exe[580] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\WINDOWS\system32\services.exe[624] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\WINDOWS\system32\services.exe[624] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\WINDOWS\system32\services.exe[624] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\WINDOWS\system32\lsass.exe[636] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\WINDOWS\system32\lsass.exe[636] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\WINDOWS\system32\lsass.exe[636] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\WINDOWS\system32\svchost.exe[796] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\WINDOWS\system32\svchost.exe[796] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\WINDOWS\system32\svchost.exe[796] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\WINDOWS\system32\svchost.exe[864] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\WINDOWS\system32\svchost.exe[864] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\WINDOWS\System32\svchost.exe[904] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\WINDOWS\System32\svchost.exe[904] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\WINDOWS\System32\svchost.exe[904] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\WINDOWS\system32\svchost.exe[956] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\WINDOWS\system32\svchost.exe[956] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\WINDOWS\system32\svchost.exe[956] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\WINDOWS\system32\svchost.exe[984] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\WINDOWS\system32\svchost.exe[984] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\WINDOWS\system32\spoolsv.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\WINDOWS\system32\spoolsv.exe[1028] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\WINDOWS\system32\spoolsv.exe[1028] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\WINDOWS\system32\svchost.exe[1136] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\WINDOWS\system32\svchost.exe[1136] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe[1164] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe[1164] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe[1164] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE[1200] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE[1200] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE[1200] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe[1236] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe[1236] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe[1236] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\Programmi\Spyware Doctor\pctsAuxs.exe[1392] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\Programmi\Spyware Doctor\pctsAuxs.exe[1392] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\Programmi\Spyware Doctor\pctsAuxs.exe[1392] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\Programmi\Spyware Doctor\pctsSvc.exe[1476] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 5F, 98, C3, 83 ]
.text F:\WINDOWS\Explorer.EXE[1652] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\WINDOWS\Explorer.EXE[1652] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\WINDOWS\Explorer.EXE[1652] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe[1780] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe[1780] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\Programmi\Musicmatch\Musicmatch Jukebox\mmtask.exe[1780] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\Programmi\Trust\CnxDslTb.exe[1796] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text F:\Programmi\Trust\CnxDslTb.exe[1796] USER32.dll!SetWindowsHookExW 7E3ADDB5 6 Bytes JMP 5F0A0F5A
.text F:\Programmi\Trust\CnxDslTb.exe[1796] USER32.dll!SetWindowsHookExA 7E3B11D1 6 Bytes JMP 5F040F5A
.text F:\Documents and Settings\Federico\Desktop\gmer.exe[1804] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

Posted: Sun Jan 20, 2008 5:20 pm
by ste_95
Really strange, try restoring Safe Mode with this file:

http://www.MegaLab.it/3250

Then boot into Safe Mode and try again with avenger.

Posted: Sun Jan 20, 2008 5:28 pm
by fedy_11
Thank you, you've been very kind, but I found the solution on my own...

...I formatted the PC, I was about to have a nervous breakdown!!!

Thanks a lot anyway...