Punto informatico Network

*** LINKOPTIMIZER/GROMOZON --- PREVENTION AND REMOVAL ***

Has a virus got into your computer? Do you want to browse safely? Are online transactions secure? How do you stop attackers getting into your PC? How do you protect your data? Here you will find the answers to these and other questions

Post by Amantide » Thu Nov 23, 2006 10:12 am

@ Aeryon

Have you tried installing VirIt and running a scan? Otherwise, try downloading and unpacking all the programs and tools on another computer, and maybe also rename all the tools.
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Post by Amantide » Thu Nov 23, 2006 10:22 am

The King of GnG wrote:Kaspersky Lab: these malware are such a bore

This is a good one [sbigot] Kaspersky considers Gromozon a mere caress, good grief O.o


We have already discussed this topic. What Marco called the "Russian" version of Gromozon does not mean a virus spread in Russia; it means that in those cases the virus was hosted on Ukrainian servers, not even Russian ones (they explained this to you on the PI forum too). As we well know, apart from a few isolated cases, this is a predominantly Italian plague, and so you cannot expect Russian, American, British or whatever antivirus developers to devote resources to analysing and preventing an infection that does not exist in the rest of the world.

Post by Aeryon » Thu Nov 23, 2006 11:17 am

Damn it, guys.. I don't know what to do!! Every time I try to extract an .exe file it tells me Access Denied...

What can I do? Could it be a firewall problem or something else? As antivirus I have Kaspersky, but it gets disabled 10 minutes after I open it... [XX(] [sedia] [XX(]
[cry+] [cry+] [cry+]
Aeryon
New Member
Posts: 10
Joined: Thu Nov 23, 2006 9:07 am


Post by Amantide » Thu Nov 23, 2006 12:29 pm

Have you tried doing it from Safe Mode too? Maybe disconnected from the internet and with all the security programs closed..

Post by SoldatoBiancaneve » Thu Nov 23, 2006 12:33 pm

try opening the task manager and ending all the useless or odd processes.. like siemensmonitor, fujitsuhelper or similar....

they are the ones blocking hijackthis on you...
SoldatoBiancaneve
New Member
Posts: 22
Joined: Fri Nov 10, 2006 7:42 pm

Post by Amantide » Thu Nov 23, 2006 12:36 pm

SoldatoBiancaneve wrote:try opening the task manager and ending all the useless or odd processes.. like siemensmonitor, fujitsuhelper or similar....

they are the ones blocking hijackthis on you...

Good observation, Soldato... [applauso]

Post by Aeryon » Thu Nov 23, 2006 12:47 pm

I have a few that look odd to me, like RichVideo.exe and wdfmgr.exe, but it won't let me end them.. it says access denied.. now I'll try going into Safe Mode...

Post by Aeryon » Thu Nov 23, 2006 1:12 pm

Here is what I did:

I went poking around the programs that start at boot and there is a file called [nwiz.exe /install] and also one called svchost that sits in Temp inside the Local Settings folder, and I blocked that one too.

I rebooted and went into Safe Mode. I tried to use HijackThis and it worked. I ran a scan with log. Then, still in Safe Mode, I tried the Prevx tool for removing Gromozon. It rebooted my PC, ran the scan and the log, and wrote that it had removed the virus. I ran a new scan with HijackThis.

The Prevx log and the latest HijackThis log are these:

[quote=Prevx Log]Removal tool loaded into memory
------------------------------------
Executing rootkit removal engine....
------------------------------------
Disabling rootkit file: \\?\C:\WINDOWS\system32\lpt2.dzx
\\?\C:\WINDOWS\system32\lpt2.dzx
Resetting file permissions...
Clearing attributes...
Accesso negato - C:\_cleaned.tmp
Removing file...
Rootkit removed! Cleaning up...

Removing temp files...
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni
Removing protected file: C:\Programmi\File comuni\Services\aUF.exe
Removing protected file: C:\Programmi\File comuni\Services\cnqKZ.exe
Removing protected file: C:\Programmi\File comuni\Services\DDb.exe
Removing protected file: C:\Programmi\File comuni\Services\dExS.exe
Removing protected file: C:\Programmi\File comuni\Services\dsyq.exe
Removing protected file: C:\Programmi\File comuni\Services\EhiRtL.exe
Removing protected file: C:\Programmi\File comuni\Services\EQNjD.exe
Removing protected file: C:\Programmi\File comuni\Services\ghNgit.exe
Removing protected file: C:\Programmi\File comuni\Services\Hai.exe
Removing protected file: C:\Programmi\File comuni\Services\INYlr.exe
Removing protected file: C:\Programmi\File comuni\Services\jIZ.exe
Removing protected file: C:\Programmi\File comuni\Services\kWO.exe
Removing protected file: C:\Programmi\File comuni\Services\LTNwTh.exe
Removing protected file: C:\Programmi\File comuni\Services\mZQ.exe
Removing protected file: C:\Programmi\File comuni\Services\NIA.exe
Removing protected file: C:\Programmi\File comuni\Services\ola.exe
Removing protected file: C:\Programmi\File comuni\Services\OXW.exe
Removing protected file: C:\Programmi\File comuni\Services\pRJK.exe
Removing protected file: C:\Programmi\File comuni\Services\qYl.exe
Removing protected file: C:\Programmi\File comuni\Services\rtN.exe
Removing protected file: C:\Programmi\File comuni\Services\tdeUB.exe
Removing protected file: C:\Programmi\File comuni\Services\urWvu.exe
Removing protected file: C:\Programmi\File comuni\Services\uUWWY.exe
Removing protected file: C:\Programmi\File comuni\Services\VBL.exe
Removing protected file: C:\Programmi\File comuni\Services\VdT.exe
Removing protected file: C:\Programmi\File comuni\Services\VsL.exe
Removing protected file: C:\Programmi\File comuni\Services\WlmC.exe
Removing protected file: C:\Programmi\File comuni\Services\YBhPvN.exe
Removing protected file: C:\Programmi\File comuni\Services\YHT.exe
Removing protected file: C:\Programmi\File comuni\Services\YUH.exe
Removing protected file: C:\Programmi\File comuni\Services\ZYKybx.exe


Trojan.Gromozon Removed![/quote]

[quote=Hijackthis]Logfile of HijackThis v1.99.1
Scan saved at 12.04.49, on 23/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programmi\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programmi\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\Programmi\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Luca\Impostazioni locali\Temp\wzfe50\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O1 - Hosts: AmsServer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {26F3B891-5D3E-0505-DF75-F92099C4170E} - C:\WINDOWS\mjedk1.dll (file missing)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Luca\Yinstall.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [kav] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: PCSuiteperNokia6600 Detect.lnk = ?
O4 - Global Startup: PCSuiteperNokia6600 TS.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe[/quote]

Let me know if you also want to see the HijackThis log from before the Prevx scan.

Thanks a lot for everything!! You are saving my PC [applauso]

Post by Amantide » Thu Nov 23, 2006 1:38 pm

Most of Gromozon has been removed, but not all of it. Also run a scan with VirIt, from Safe Mode, to remove the rest.

The infected entries in the log are these and they need to be fixed (select them and press Fix checked):
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {26F3B891-5D3E-0505-DF75-F92099C4170E} - C:\WINDOWS\mjedk1.dll (file missing)
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Luca\Yinstall.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll (file missing)

The files in red must disappear. If they are not deleted during the VirIt scan, do it yourself with Unlocker or KillBox.

Post by Aeryon » Thu Nov 23, 2006 3:11 pm

OK, I fixed them, went into Safe Mode and ran VirIt..
This is the hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 14.23.52, on 23/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
C:\Programmi\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\Programmi\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\VEXPLITE\VIRITEXP.EXE
C:\Documents and Settings\Luca\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: AmsServer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Luca\IMPOST~1\Temp\svchost.exe 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: PCSuiteperNokia6600 Detect.lnk = ?
O4 - Global Startup: PCSuiteperNokia6600 TS.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


Is everything OK now?

Post by Amantide » Thu Nov 23, 2006 3:29 pm

You remove one thing and find another [sbigot]
The entries I pointed out before are gone; of Gromozon only this remains:
O23 - Service: WinNfi - Unknown owner - C:\Programmi\File comuni\Services\INYlr.exe (file missing)
Fix this entry and then, from Start--> Run, run these commands one at a time:
sc stop WinNfi
sc delete WinNfi

There is also another virus
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Luca\IMPOST~1\Temp\svchost.exe 1
Fix this entry too, enable showing hidden files (Control Panel--> Folder Options--> View--> Show hidden files and folders) and delete the file in red in the Temp folder.
Then open regedit (Start--> Run--> regedit), go to the subkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and in the right-hand pane delete this value
"WindowsServicesStartup" = "%Temp%\svchost.exe 1"
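The two cleanup posts above (the list of entries to fix after the Prevx run, and the `sc stop` / `sc delete` plus Run-key deletion for the leftovers) are a manual version of the triage a helper does on every HijackThis log. The script below is an added example written for this page, not a tool from the thread, from HijackThis or from Prevx: it applies the same rules the helper applied by eye to a few lines copied from the logs in this thread, and turns each hit into the equivalent cmd.exe commands. The rules are narrow heuristics: an auto-start entry pointing into a user profile or a Temp directory, a BHO whose DLL is missing or sits directly in C:\WINDOWS, and an ownerless service under File comuni\Services, the directory the Prevx log shows Gromozon dropping into. `reg delete` is assumed here as the scripted equivalent of the regedit step in the post, and the `del` after `sc delete` is only emitted when the entry is not marked (file missing). The output is a starting list to review, not something to run blind: it would not catch the PVModule entry under Program Files that the helper also flagged.

```python
import re
from dataclasses import dataclass

# Sample HijackThis 1.99.1 lines copied from the logs posted in this thread:
# clean entries (Adobe, NVIDIA, Kaspersky, CyberLink) mixed with the ones the
# thread identified as Gromozon and as the second dropper in %Temp%.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {26F3B891-5D3E-0505-DF75-F92099C4170E} - C:\WINDOWS\mjedk1.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Luca\Yinstall.exe
O4 - HKLM\..\Run: [kav] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Luca\IMPOST~1\Temp\svchost.exe 1
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: WinNfi - Unknown owner - C:\Programmi\File comuni\Services\INYlr.exe (file missing)
"""

# Locations a legitimate XP auto-start entry rarely points at.  The
# "File comuni\Services" rule comes from the Prevx log in this thread; the
# profile and Temp rules are an assumption that nothing on a home XP box
# should auto-start from a user profile or a Temp directory.
SUSPICIOUS_LOCATION = re.compile(
    r"\\(?:Documents and Settings|DOCUME~1)\\"  # user profile, long or 8.3 form
    r"|\\Temp\\"                                 # any Temp directory
    r"|\\File comuni\\Services\\",               # Gromozon drop directory
    re.IGNORECASE,
)
WINDOWS_ROOT_DLL = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)
RUN_KEY = {
    "HKLM": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


@dataclass
class Finding:
    line: str       # the HijackThis line to tick for "Fix checked"
    reason: str
    commands: list  # cmd.exe commands to run afterwards (sc / reg / del)


def first_module(command):
    """Path of the executable or DLL at the start of a Run command, minus quotes and arguments."""
    m = re.match(r'"?(.+?\.(?:exe|dll|cpl|scr|com))"?', command, re.IGNORECASE)
    return m.group(1) if m else command


def triage(log_text):
    """Flag suspicious R3/O2/O4/O23 entries and pair each one with its cleanup commands."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        missing = line.endswith("(file missing)")
        body = line[: -len("(file missing)")].strip() if missing else line

        if line.startswith("R3 ") and "missing" in line:
            findings.append(Finding(line, "URLSearchHook residue", []))

        elif line.startswith("O2 "):
            m = re.match(r"O2 - BHO: .* - (\{[0-9A-F-]+\}) - (.+)$", body, re.IGNORECASE)
            if m and (missing or WINDOWS_ROOT_DLL.match(m.group(2))
                      or SUSPICIOUS_LOCATION.search(m.group(2))):
                clsid, dll = m.groups()
                cmds = [f'reg delete "{BHO_KEY}\\{clsid}" /f']
                if not missing:
                    cmds.append(f'del /f /a "{dll}"')
                findings.append(Finding(line, "BHO in an odd location or pointing at a deleted file", cmds))

        elif line.startswith("O4 "):
            m = re.match(r"O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$", body)
            if m and SUSPICIOUS_LOCATION.search(m.group(3)):
                hive, name, command = m.groups()
                findings.append(Finding(line, "auto-start from a user profile or Temp directory", [
                    f'reg delete "{RUN_KEY[hive]}" /v "{name}" /f',
                    f'del /f /a "{first_module(command)}"',
                ]))

        elif line.startswith("O23 "):
            m = re.match(r"O23 - Service: (.+?) - (.+?) - (.+)$", body)
            if m and m.group(2) == "Unknown owner" and SUSPICIOUS_LOCATION.search(m.group(3)):
                display, _, path = m.groups()
                short = re.search(r"\(([^()]+)\)\s*$", display)  # "(NVSvc)"-style short name
                svc = short.group(1) if short else display        # else the display name, as in the thread
                q = f'"{svc}"' if " " in svc else svc
                cmds = [f"sc stop {q}", f"sc delete {q}"]
                if not missing:
                    cmds.append(f'del /f /a "{path}"')
                findings.append(Finding(line, "ownerless service in a drop directory", cmds))
    return findings


def cleanup_script(findings):
    """Render the commands of all findings as one cmd.exe batch body."""
    out = ["@echo off", "rem Run from Safe Mode after fixing the same entries in HijackThis"]
    for f in findings:
        out.append(f"rem {f.reason}: {f.line}")
        out.extend(f.commands)
    return "\n".join(out)


if __name__ == "__main__":
    print(cleanup_script(triage(SAMPLE_LOG)))
```

Run against the sample it flags exactly the five entries the thread ended up fixing (the R3 hook, the mjedk1.dll BHO, Yinstall.exe, the Temp svchost.exe and the WinNfi service) and leaves the vendor entries alone, including the CyberLink service that also reports "Unknown owner" but lives in its own program directory. `sc.exe` and `reg.exe` both ship with Windows XP, so the generated batch runs from Start--> Run in Safe Mode without extra tools.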

Post by Aeryon » Thu Nov 23, 2006 3:52 pm

here is the log now (I rebooted the PC to see whether there is already something at startup)

Logfile of HijackThis v1.99.1
Scan saved at 14.51.50, on 23/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\ewido anti-spyware 4.0\guard.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Programmi\DAEMON Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\Programmi\Multimedia Card Reader\shwicon2k.exe
C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
C:\Programmi\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\VEXPLITE\MONLITE.EXE
C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\File comuni\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmi\Nokia\PC Suite for Nokia 6600\connmngmntbox.exe
C:\Programmi\Nokia\PC Suite for Nokia 6600\ectaskscheduler.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\Programmi\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Luca\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: AmsServer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Programmi\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programmi\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: PCSuiteperNokia6600 Detect.lnk = ?
O4 - Global Startup: PCSuiteperNokia6600 TS.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmi\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmi\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmi\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Now though I'm without an antivirus, because Kaspersky kept closing on me after 15 minutes and I uninstalled it.. What do you recommend I install? Thanks again for everything!!

Post by Aeryon » Thu Nov 23, 2006 5:35 pm

OK, for antivirus I installed Avast.. I hope it works and that I won't have to uninstall it like happened with the others I've had..

AH!! A very important thing that may help someone:
I noticed the virus because with FIREFOX I could no longer watch FLASH videos!! In fact, as soon as I went to sites like YouTube or any site with a Flash object in it, Firefox gave me an error. Now instead everything works wonderfully!!

Thanks a lot Amantide!! You have been very kind and you really saved my PC! Thaaaanks [applauso] [applauso] [applauso]

Post by Amantide » Thu Nov 23, 2006 7:30 pm

Aeryon wrote:Now though I'm without an antivirus, because Kaspersky kept closing on me after 15 minutes and I uninstalled it..

It had seemed odd to me that Kaspersky, after Gromozon was removed, let a new virus through on you... that is not its usual behaviour.
Aeryon wrote:OK, for antivirus I installed Avast.. I hope it works and that I won't have to uninstall it like happened with the others I've had..

Excellent choice, though Kaspersky was no worse. Install a good firewall too; I recommend Comodo or ZoneAlarm.
Aeryon wrote:AH!! A very important thing that may help someone:
I noticed the virus because with FIREFOX I could no longer watch FLASH videos!! In fact, as soon as I went to sites like YouTube or any site with a Flash object in it, Firefox gave me an error.

We already knew that; in fact plenty of people have had this problem because of Gromozon.
Aeryon wrote:Thanks a lot Amantide!! You have been very kind and you really saved my PC! Thaaaanks [applauso] [applauso] [applauso]

Glad you got it sorted [;)]

It's the worst I've ever had!

Post by gerfar » Sun Nov 26, 2006 5:33 pm

Hi everyone. First of all, big compliments on the guide.
Unfortunately, though, for me it wasn't enough :( I've been banging my head against it since Tuesday [boxed]

Please help me, linkoptimizer is the worst virus I've ever had; [sbigot] I'm desperate

I'm pasting the hijackthis log for some advice.
Thank you very much in advance!


Logfile of HijackThis v1.99.1
Scan saved at 16.06.06, on 26/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmi\Unlocker\UnlockerAssistant.exe
C:\Programmi\File comuni\Ulead Systems\AutoDetector\monitor.exe
C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Babylon\Babylon-Pro\Babylon.exe
C:\Programmi\Spamihilator\spamihilator.exe
C:\Programmi\BitTorrent\bittorrent.exe
C:\Programmi\DIGITAL GRAPH\mind6\Alarm6.exe
C:\Programmi\GetRight\getright.exe
C:\Programmi\Alice ti aiuta\bin\mpbtn.exe
C:\Programmi\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\PROGRAMMI DI PULIZIA CONTRO I VIRUS & ALTRI\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programmi\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Ulead AutoDetector v2] "C:\Programmi\File comuni\Ulead Systems\AutoDetector\monitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Primax 3-D Mouse] 3dmoused.exe
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE" /FU "C:\WINDOWS\TEMP\E_S39D.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Babylon Client] "C:\Programmi\Babylon\Babylon-Pro\Babylon.exe" -AutoStart
O4 - HKCU\..\Run: [Spamihilator] "C:\Programmi\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Programmi\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Alice ti aiuta.lnk = C:\Programmi\Alice ti aiuta\bin\matcli.exe
O4 - Global Startup: Allarme Mind 6.0.lnk = ?
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Programmi\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Programmi\GetRight\GRdownload.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programmi\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://C:\PROGRAMMI DA MASTERIZZARE\install\AuthorwareFull\AwareWebPlayer\Download\Smart\Cab\awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7611978843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4222268312
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54DFDCF7-4718-4928-9F2D-CC7E0232864C}: NameServer = 85.37.17.16 85.38.28.68
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programmi\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
gerfar
New Member
Posts: 2
Joined: Sun Nov 26, 2006 5:11 pm

Re: It's the worst one I've ever had!

Post by crazy.cat » Mon Nov 27, 2006 3:02 pm

gerfar wrote: Please help me, linkoptimizer is the worst virus I've ever had; [sbigot] I'm desperate

Nothing shows up in the hijackthis log.
Why do you say you have gromozon?

Have you already run virit and the prevx tool?
When the many govern, they think only of pleasing themselves; you then get the most foolish and hateful tyranny: tyranny disguised as liberty.
crazy.cat
MLI Hero
Posts: 30959
Joined: Mon Jan 12, 2004 1:38 pm
Location: Mestre

Post by masello2 » Tue Nov 28, 2006 9:47 am

Dear all, I found your remedies for the PC of my friend (a bit of a dummy) who caught the link. I'm following the good billokenobi's instructions step by step. I'm at step 4. I'm posting the gmer result. (by the way, my linkopt wouldn't let me open gmer.. I even had to rename it..)
I'm posting gmer, next I have to put the script into avenger.


GMER 1.0.12.12010 - http://www.gmer.net
Autostart scan 2006-11-28 08:11:01
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ >>>
Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
Windows@AppInit_DLLs = \\?\C:\WINDOWS\system32\com5.bvu

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
NOD32krn /*NOD32 Kernel Service*/@ = "C:\Programmi\Eset\nod32krn.exe"
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
UPHClean /*User Profile Hive Cleanup*/@ = C:\Programmi\UPHClean\uphclean.exe
WebGtk /*WebGtk*/@ = "C:\Programmi\File comuni\Services\fSd.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SiSUSBRGC:\WINDOWS\SiSUSBrg.exe = C:\WINDOWS\SiSUSBrg.exe
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@SiSPowerRundll32.exe SiSPower.dll,ModeAgent = Rundll32.exe SiSPower.dll,ModeAgent
@WheelMouseC:\PROGRA~1\A4Tech\Mouse\Amoumain.exe = C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_04\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_04\bin\jusched.exe
@AdaptecDirectCD"C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" = "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
@nod32kui"C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE = "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run@1 = C:\WINDOWS\service32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
@updateMgr"C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1 = "C:\Programmi\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
@swgC:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe /*file not found*/ = C:\Programmi\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{AC1DB655-4F9A-4c39-8AD2-A65324A4C446} /*Autodesk Drawing Preview*/C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcThumbnail16.dll = C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcThumbnail16.dll
@{36A21736-36C2-4C11-8ACB-D4136F2B57BD} /*AutoCAD Digital Signatures Icon Overlay Handler*/C:\WINDOWS\system32\AcSignIcon.dll = C:\WINDOWS\system32\AcSignIcon.dll
@{6DEA92E9-8682-4b6a-97DE-354772FE5727} /*Autodesk DWF Preview*/C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll = C:\Programmi\File comuni\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll
@{B089FE88-FB52-11D3-BDF1-0050DA34150D} /*NOD32 Context Menu Shell Extension*/C:\Programmi\Eset\nodshex.dll = C:\Programmi\Eset\nodshex.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Cartelle Web*/ = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11D3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11D3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{507A245F-B7DF-22E3-F172-FCFF0E3E782E}C:\WINDOWS\qksip1.dll = C:\WINDOWS\qksip1.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\programmi\google\googletoolbar3.dll = c:\programmi\google\googletoolbar3.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.it/ = http://www.google.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F1ACF135-34AA-451C-9835-C8A7F10901E1} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress192.168.0.64 = 192.168.0.64
@NameServer151.99.125.2,151.99.125.3 = 151.99.125.2,151.99.125.3
@DefaultGateway192.168.0.254 = 192.168.0.254
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = C:\WINDOWS\system32\imon.dll
000000000002@PackedCatalogItem = C:\WINDOWS\system32\imon.dll
000000000003@PackedCatalogItem = C:\WINDOWS\system32\imon.dll
000000000004@PackedCatalogItem = C:\WINDOWS\system32\imon.dll
000000000005@PackedCatalogItem = C:\WINDOWS\system32\imon.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019@PackedCatalogItem = C:\WINDOWS\system32\imon.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Avvio veloce di Adobe Reader.lnk = Avvio veloce di Adobe Reader.lnk
Microsoft Office.lnk = Microsoft Office.lnk
Utility Tray.lnk = Utility Tray.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.12 ----




GMER 1.0.12.12010 - http://www.gmer.net
Rootkit scan 2006-11-28 08:18:04
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey

SYSENTER ? F4283E40

Code F428289D pIofCallDriver

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!Kei386EoiHelper + 4F5 804DFDF0 3 Bytes [ 51, 8D, 6D ]
.text tcpip.sys!IPTransmit + 10B7 F413DCFA 6 Bytes CALL F4285C09
.text tcpip.sys!IPTransmit + 2C9E F413F8E1 6 Bytes CALL F4285C09
.text tcpip.sys!IPRegisterProtocol + 8B7 F4155556 6 Bytes CALL F4285C09
.text wanarp.sys F79FB3FD 7 Bytes CALL F4285C13

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 2A2B145B
.text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!NtQueryInformationFile 7C91DFDC 5 Bytes JMP 2A2ACE6D
.text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 2A2AE56F
.text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!NtReadVirtualMemory 7C91E2BB 5 Bytes JMP 2A2AE200
.text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!NtVdmControl 7C91E975 5 Bytes JMP 2A2AC0D9
.text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 2A2ACB6E
.text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 2A2A94F8
.text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 2A2A88CB
.text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!RtlQueryProcessDebugInformation + 2 7C9638ED 6 Bytes JMP 2A2AFCB6
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!CreateFileA + 2 7C801A26 6 Bytes JMP 2A2AAB2B
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 2A2A981A
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!LoadLibraryExA + 2 7C801D51 6 Bytes JMP 2A2A8DD0
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!LoadLibraryA + 2 7C801D79 7 Bytes JMP 2A2AA3A8
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!ReadProcessMemory + 2 7C8021CE 6 Bytes JMP 2A2ABF23
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!WriteProcessMemory + 2 7C802211 5 Bytes JMP 2A2AE3F1
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!CreateProcessW + 2 7C802334 5 Bytes JMP 2A2A87C9
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!CreateProcessA + 2 7C802369 5 Bytes JMP 2A2A8AE7
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!FreeLibrary + 2 7C80AA68 7 Bytes JMP 2A2A9AB3
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!GetProcAddress + 2 7C80AC2A 5 Bytes JMP 2A2A9C37
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!LoadLibraryW + 2 7C80ACD5 5 Bytes JMP 2A2A8D4C
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!GetFileAttributesW + 2 7C80B5D6 6 Bytes JMP 2A2B159F
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!FreeLibraryAndExitThread + 2 7C80CEA3 6 Bytes JMP 2A2A8E24
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!FindFirstFileExW + 2 7C80EC7F 9 Bytes JMP 2A2AC677
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!FindFirstFileW + 2 7C80F0E3 5 Bytes JMP 2A2B0DA3
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!FindNextFileW 7C80F13A 7 Bytes JMP 2A2AEC20
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!CreateFileW + 2 7C810978 6 Bytes JMP 2A2B08FC
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!GetFileAttributesExW + 2 7C81130F 6 Bytes JMP 2A2B05F6
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!GetFileAttributesA + 2 7C81174E 6 Bytes JMP 2A2AC293
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!GetFileAttributesExA + 2 7C813533 6 Bytes JMP 2A2AFBA2
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!FindFirstFileA + 2 7C81355B 9 Bytes JMP 2A2AFFD2
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!ExitProcess + 2 7C81CAA4 5 Bytes JMP 2A2AA427
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!OpenProcess + 2 7C81E07B 6 Bytes JMP 2A2AD21F
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!DeleteFileA + 2 7C81E85E 6 Bytes JMP 2A2ADC0D
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!DeleteFileW + 2 7C81F73F 6 Bytes JMP 2A2AF23F
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!SetFileAttributesA + 2 7C81FB46 6 Bytes JMP 2A2B0143
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!SetFileAttributesW + 2 7C81FC07 6 Bytes JMP 2A2AC373
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!MoveFileWithProgressW 7C821565 5 Bytes JMP 2A2B0763
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!MoveFileWithProgressA + 2 7C8222B5 6 Bytes JMP 2A2AFB6C
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!OpenFile 7C826B99 5 Bytes JMP 2A2AEAC5
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!FindNextFileA + 2 7C83901B 9 Bytes JMP 2A2ADDC6
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!MoveFileExW + 2 7C839921 6 Bytes JMP 2A2ACD35
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!FindFirstFileExA + 2 7C85C2F4 9 Bytes JMP 2A2AEA04
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!MoveFileExA + 2 7C85D2A5 6 Bytes JMP 2A2AFB4D
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!_lopen + 2 7C85E612 6 Bytes JMP 2A2AD24D
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!WinExec + 2 7C86114F 6 Bytes JMP 2A2AA031
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!Process32FirstW + 2 7C8639D6 6 Bytes JMP 2A2AB060
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!Process32First + 2 7C863A8F 9 Bytes JMP 2A2AC68A
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!Process32NextW + 2 7C863B61 6 Bytes JMP 2A2AC685
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!Process32Next + 2 7C863C02 9 Bytes JMP 2A2AAB75
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!Thread32First + 2 7C863CD4 6 Bytes JMP 2A2AB55C
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!Thread32Next + 2 7C863D88 6 Bytes JMP 2A2B1901
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!Module32FirstW + 2 7C863E21 6 Bytes JMP 2A2ADF8C
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!Module32First + 2 7C863EDA 9 Bytes JMP 2A2AE0E2
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!Module32NextW + 2 7C863FBE 6 Bytes JMP 2A2B07AD
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!Module32Next + 2 7C86405F 9 Bytes JMP 2A2AAEC4
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!GetBinaryTypeW 7C86783C 5 Bytes JMP 2A2ABF56
.text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!GetBinaryType + 2 7C867C9D 6 Bytes JMP 2A2B02D1
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegOpenKeyExW + 2 77F46A7A 6 Bytes JMP 2A2ABCA4
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegCloseKey + 2 77F46BF2 6 Bytes JMP 2A2AEAFA
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegQueryValueExW + 2 77F46FCA 6 Bytes JMP 2A2B0A51
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegCreateKeyExW + 2 77F47537 6 Bytes JMP 2A2B11A7
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegOpenKeyExA + 2 77F4761D 6 Bytes JMP 2A2AAE69
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegQueryValueExA + 2 77F47885 6 Bytes JMP 2A2AB5F3
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegEnumValueW + 2 77F48083 6 Bytes JMP 2A2ABC30
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegSetValueExW 77F4D7CC 7 Bytes JMP 2A2B1B7C
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegQueryValueW + 2 77F4D8E4 6 Bytes JMP 2A2AF4F6
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegCreateKeyExA + 2 77F4EAF6 6 Bytes JMP 2A2B15BA
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegSetValueExA 77F4EBE7 7 Bytes JMP 2A2B0DCA
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegDeleteValueA + 2 77F4EDE7 6 Bytes JMP 2A2AAB88
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegDeleteValueW + 2 77F4EEF3 6 Bytes JMP 2A2AD9C7
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegSetValueA + 2 77F56F4B 5 Bytes JMP 2A2AD85A
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!SetFileSecurityW + 2 77F5AA6B 6 Bytes JMP 2A2AD448
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegEnumValueA + 2 77F5CF4C 6 Bytes JMP 2A2ABE24
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!SetNamedSecurityInfoW + 2 77F61287 6 Bytes JMP 2A2AE32C
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!CreateProcessAsUserW + 2 77F67777 6 Bytes JMP 2A2A8C64
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegDeleteKeyW + 2 77F69886 6 Bytes JMP 2A2ADDF8
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!GetFileSecurityW + 2 77F6BCE0 6 Bytes JMP 2A2B1451
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegDeleteKeyA + 2 77F6C125 6 Bytes JMP 2A2AF277
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegQueryInfoKeyA + 2 77F6C1B7 6 Bytes JMP 2A2AD02C
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegOpenKeyA + 2 77F6C41D 6 Bytes JMP 2A2AFEDB
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegQueryValueA + 2 77F6CC12 6 Bytes JMP 2A2AB7D3
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegQueryInfoKeyW + 2 77F6CCF1 6 Bytes JMP 2A2AD52B
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!GetNamedSecurityInfoW + 2 77F6D07A 7 Bytes JMP 2A2AC4C2
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegCreateKeyA + 2 77F6D5BD 6 Bytes JMP 2A2AB847
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!SetFileSecurityA + 2 77F7D2FF 5 Bytes JMP 2A2ADD60
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!GetFileSecurityA + 2 77F7D365 5 Bytes JMP 2A2ABAAA
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!CreateProcessAsUserA + 2 77F8095A 6 Bytes JMP 2A2A9AF4
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!CreateProcessWithLogonW 77F85C9D 5 Bytes JMP 2A2AA1A5
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!GetNamedSecurityInfoA + 2 77F91546 7 Bytes JMP 2A2AAD06
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!SetNamedSecurityInfoA + 2 77F91592 7 Bytes JMP 2A2AE46D
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegQueryMultipleValuesA + 2 77FA553D 6 Bytes JMP 2A2ACF1F
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegQueryMultipleValuesW + 2 77FA589F 6 Bytes JMP 2A2B0EAF
.text C:\WINDOWS\system32\winlogon.exe[572] ADVAPI32.dll!RegSetValueW + 2 77FA5FC4 5 Bytes JMP 2A2AF504
.text C:\WINDOWS\system32\winlogon.exe[572] USER32.dll!ExitWindowsEx + 2 77D59E6F 6 Bytes JMP 2A2A84AB
.text C:\WINDOWS\system32\winlogon.exe[572] PSAPI.DLL!EnumProcessModules 76BB1F1C 5 Bytes JMP 2A2AB37A
.text C:\WINDOWS\system32\winlogon.exe[572] WS2_32.dll!connect + 2 71A3406C 6 Bytes JMP 2A2AA5E7
.text C:\WINDOWS\system32\winlogon.exe[572] WS2_32.dll!gethostbyname + 2 71A34FD6 9 Bytes JMP 2A2AA8A1
.text C:\WINDOWS\system32\winlogon.exe[572] WS2_32.dll!WSAAsyncGetHostByName + 2 71A3E987 13 Bytes [ 40, 41, 9F, 91, 40, D6, 49, ... ]
.text C:\WINDOWS\system32\winlogon.exe[572] WS2_32.dll!WSAConnect + 2 71A40C6B 14 Bytes [ 40, 49, F9, F3, 4A, D6, 91, ... ]
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 2A2B145B
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!NtQueryInformationFile 7C91DFDC 5 Bytes JMP 2A2ACE6D
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 2A2AE56F
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!NtReadVirtualMemory 7C91E2BB 5 Bytes JMP 2A2AE200
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!NtVdmControl 7C91E975 5 Bytes JMP 2A2AC0D9
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 2A2ACB6E
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 2A2A94F8
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 2A2A88CB
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!RtlQueryProcessDebugInformation + 2 7C9638ED 6 Bytes JMP 2A2AFCB6
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!CreateFileA + 2 7C801A26 6 Bytes JMP 2A2AAB2B
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 2A2A981A
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!LoadLibraryExA + 2 7C801D51 6 Bytes JMP 2A2A8DD0
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!LoadLibraryA + 2 7C801D79 7 Bytes JMP 2A2AA3A8
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!ReadProcessMemory + 2 7C8021CE 6 Bytes JMP 2A2ABF23
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!WriteProcessMemory + 2 7C802211 5 Bytes JMP 2A2AE3F1
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!CreateProcessW + 2 7C802334 5 Bytes JMP 2A2A87C9
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!CreateProcessA + 2 7C802369 5 Bytes JMP 2A2A8AE7
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!FreeLibrary + 2 7C80AA68 7 Bytes JMP 2A2A9AB3
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!GetProcAddress + 2 7C80AC2A 5 Bytes JMP 2A2A9C37
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!LoadLibraryW + 2 7C80ACD5 5 Bytes JMP 2A2A8D4C
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!GetFileAttributesW + 2 7C80B5D6 6 Bytes JMP 2A2B159F
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!FreeLibraryAndExitThread + 2 7C80CEA3 6 Bytes JMP 2A2A8E24
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!FindFirstFileExW + 2 7C80EC7F 9 Bytes JMP 2A2AC677
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!FindFirstFileW + 2 7C80F0E3 5 Bytes JMP 2A2B0DA3
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!FindNextFileW 7C80F13A 7 Bytes JMP 2A2AEC20
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!CreateFileW + 2 7C810978 6 Bytes JMP 2A2B08FC
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!GetFileAttributesExW + 2 7C81130F 6 Bytes JMP 2A2B05F6
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!GetFileAttributesA + 2 7C81174E 6 Bytes JMP 2A2AC293
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!GetFileAttributesExA + 2 7C813533 6 Bytes JMP 2A2AFBA2
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!FindFirstFileA + 2 7C81355B 9 Bytes JMP 2A2AFFD2
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!ExitProcess + 2 7C81CAA4 5 Bytes JMP 2A2AA427
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!OpenProcess + 2 7C81E07B 6 Bytes JMP 2A2AD21F
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!DeleteFileA + 2 7C81E85E 6 Bytes JMP 2A2ADC0D
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!DeleteFileW + 2 7C81F73F 6 Bytes JMP 2A2AF23F
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!SetFileAttributesA + 2 7C81FB46 6 Bytes JMP 2A2B0143
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!SetFileAttributesW + 2 7C81FC07 6 Bytes JMP 2A2AC373
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!MoveFileWithProgressW 7C821565 5 Bytes JMP 2A2B0763
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!MoveFileWithProgressA + 2 7C8222B5 6 Bytes JMP 2A2AFB6C
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!OpenFile 7C826B99 5 Bytes JMP 2A2AEAC5
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!FindNextFileA + 2 7C83901B 9 Bytes JMP 2A2ADDC6
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!MoveFileExW + 2 7C839921 6 Bytes JMP 2A2ACD35
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!FindFirstFileExA + 2 7C85C2F4 9 Bytes JMP 2A2AEA04
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!MoveFileExA + 2 7C85D2A5 6 Bytes JMP 2A2AFB4D
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!_lopen + 2 7C85E612 6 Bytes JMP 2A2AD24D
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!WinExec + 2 7C86114F 6 Bytes JMP 2A2AA031
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!Process32FirstW + 2 7C8639D6 6 Bytes JMP 2A2AB060
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!Process32First + 2 7C863A8F 9 Bytes JMP 2A2AC68A
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!Process32NextW + 2 7C863B61 6 Bytes JMP 2A2AC685
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!Process32Next + 2 7C863C02 9 Bytes JMP 2A2AAB75
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!Thread32First + 2 7C863CD4 6 Bytes JMP 2A2AB55C
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!Thread32Next + 2 7C863D88 6 Bytes JMP 2A2B1901
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!Module32FirstW + 2 7C863E21 6 Bytes JMP 2A2ADF8C
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!Module32First + 2 7C863EDA 9 Bytes JMP 2A2AE0E2
.text C:\WINDOWS\system32\services.exe[640] kernel32.dll!Module32NextW + 2 7C863FBE 6 Bytes JMP 2A2B07AD
masello2
New member
Posts: 6
Joined: Tue Nov 28, 2006 9:39 am

Post by Amantide » Tue Nov 28, 2006 12:57 pm

Welcome Masello2, here is the log for Avenger. In any case it would have been better to start with the VirIt scans and the Prevx and Symantec tools.

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\system32\com5.bvu
C:\Programmi\File comuni\Services\fSd.exe
C:\WINDOWS\service32.exe
C:\WINDOWS\qksip1.dll

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\WebGtk
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{507A245F-B7DF-22E3-F172-FCFF0E3E782E}

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run@1 | C:\WINDOWS\service32.exe
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Thanks a lot to the forum!

Post by gerfar » Tue Nov 28, 2006 1:45 pm

I had Gromozon, and thanks to you I think I have wiped it out! :):):):) [applause]

The thing was that I had uninstalled ZoneAlarm in favour of Comodo. The settings weren't the right ones, so I thought I still had the virus.
Reinstalling ZoneAlarm restored everything (I also had problems with Outlook, but only with outgoing mail).
Thanks folks!
gerfar
New member
Posts: 2
Joined: Sun Nov 26, 2006 5:11 pm

Post by BilloKenobi » Tue Nov 28, 2006 2:57 pm

Amantide wrote: Welcome Masello2, here is the log for Avenger.


Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Files to delete:
C:\WINDOWS\system32\com5.bvu
C:\Programmi\File comuni\Services\fSd.exe
C:\WINDOWS\service32.exe
C:\WINDOWS\qksip1.dll

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\WebGtk
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{507A245F-B7DF-22E3-F172-FCFF0E3E782E}

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1


The syntax was slightly wrong on the last line. Anyway, check whether you have one of the following DLLs in C:\Windows:

syst32.dll
syshost.dll
mdm32.dll
winsmgr32.dll
iexplore32.dll
scrss32.dll
spoolsv32.dll
svchost32.dll
iexplorre32.dll
sys32exploer.dll
BilloKenobi
Senior Member
Posts: 453
Joined: Thu Aug 10, 2006 11:06 am
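The Avenger script posted by Amantide and BilloKenobi's correction and DLL list amount to a set of indicators; the following read-only PowerShell check, added here and not part of the thread or of Avenger, tests a machine for exactly those indicators (paths, keys, the CLSID and the DLL names are taken from the posts above; nothing is deleted). Note that on a live infected system the result can be lied to: the GMER log earlier in the thread shows FindFirstFileW, GetFileAttributesW, RegOpenKeyExW and RegQueryValueExW hooked in every process, which is why the thread removes the files with Avenger at boot rather than from the running system.

```powershell
# Added example (not from the thread): read-only check for the Gromozon
# indicators named in the Avenger scripts and in BilloKenobi's DLL list.
# Run from an elevated prompt; it only reports, it removes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# 1. AppInit_DLLs: any DLL listed here is loaded into every process that
#    loads user32.dll, which is how the hooks show up in all processes.
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $appInitKey -Name AppInit_DLLs `
            -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { $findings.Add("AppInit_DLLs is set to: $appInit") }

# 2. Files named in the Avenger script. 'C:\Programmi\File comuni' is the
#    Italian-localised Program Files\Common Files and is kept as posted.
$files = @(
    "$env:SystemRoot\system32\com5.bvu",
    'C:\Programmi\File comuni\Services\fSd.exe',
    "$env:SystemRoot\service32.exe",
    "$env:SystemRoot\qksip1.dll"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File present: $f") }
}

# 3. Registry keys: the WebGtk service and the BHO CLSID from the thread.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\WebGtk',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{507A245F-B7DF-22E3-F172-FCFF0E3E782E}'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") }
}

# 4. The Policies\Explorer\Run value named "1". This is the line BilloKenobi
#    corrected: Avenger expects "<key> | <value name>", not "<key>@<name> | <data>".
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$runVal = (Get-ItemProperty -Path $runKey -Name '1' -ErrorAction SilentlyContinue).'1'
if ($runVal) { $findings.Add("Policies\Explorer\Run value '1' = $runVal") }

# 5. DLL names BilloKenobi lists for C:\Windows (look-alikes of system binaries).
$dlls = 'syst32.dll', 'syshost.dll', 'mdm32.dll', 'winsmgr32.dll', 'iexplore32.dll',
        'scrss32.dll', 'spoolsv32.dll', 'svchost32.dll', 'iexplorre32.dll', 'sys32exploer.dll'
foreach ($d in $dlls) {
    $p = Join-Path $env:SystemRoot $d
    if (Test-Path -LiteralPath $p) { $findings.Add("Suspicious DLL present: $p") }
}

if ($findings.Count -eq 0) { 'No indicators from the thread were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A clean result from a running system is only meaningful if the user-mode hooks are not in place, so confirm with a scan from a clean boot or from a second machine, as Amantide advises elsewhere in the thread.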


megalab.it: daily online publication registered with the Tribunal of Cosenza no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa All rights reserved. For advertising: Master Advertising