Spybot detects Gromozon and Prevx1 doesn't!
Post by noviziopasticcio » Thu Jan 04, 2007 8:35 pm

Hi everyone.
Fresh from a format, I take a look at the startup programs with Spybot and find a blank HKCU entry (value system32.exe). The info tells me it's Gromozon.
I've read around that it's complicated to remove, and I found a Prevx tool that should do it, but when I run it, it detects nothing...
I haven't run scans with Spybot and NOD yet because I don't want to complicate the problem (like removing one thing and not another)... what should I do?
noviziopasticcio
Senior Member
Posts: 370
Joined: Fri Nov 04, 2005 11:41 am

Post by Amantide » Thu Jan 04, 2007 10:06 pm

Look, I've seen a great many cases of Gromozon infection, but none was ever accompanied by the file system32.exe; that doesn't change the fact that it's a trojan.
Post the HijackThis log so we can see the full picture.
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Post by noviziopasticcio » Thu Jan 04, 2007 10:20 pm

Logfile of HijackThis v1.99.1
Scan saved at 21.02.22, on 04/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Programmi\mst software\mst Defrag\mstDfrgS.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINNT\system32\nvsvc32.exe
C:\Programmi\Prevx1\PXAgent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\Arovax Shield\ArovaxShield.exe
C:\Programmi\Prevx1\PXConsole.exe
C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Arovax Shield] C:\Programmi\Arovax Shield\ArovaxShield.exe -tray
O4 - HKLM\..\Run: [PrevxOne] "C:\Programmi\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Logitech SetPoint.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7934540595
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: mst Defrag Service (mstDfrgS) - mst software, Martin Stiemerling, Germany - C:\Programmi\mst software\mst Defrag\mstDfrgS.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programmi\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programmi\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Utility Manager (UtilMan) - Unknown owner - C:\WINNT\System32\UtilMan.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
noviziopasticcio
Senior Member
Posts: 370
Joined: Fri Nov 04, 2005 11:41 am


Post by Amantide » Thu Jan 04, 2007 10:36 pm

Nothing shows up in the HijackThis log.
Can you also give me the GMER logs for the Autostart and Rootkit sections?
To make the log, first select the Autostart tab, press Scan on the right and, once the scan has finished, click Copy and paste the log. Repeat the same procedure for Rootkit.
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Post by noviziopasticcio » Thu Jan 04, 2007 11:28 pm

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-04 22:34:42
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT pxfsf.sys ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT pxfsf.sys ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT pxfsf.sys ZwFreeVirtualMemory
SSDT pxfsf.sys ZwImpersonateAnonymousToken
SSDT pxfsf.sys ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT pxfsf.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT pxfsf.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT pxfsf.sys ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT pxfsf.sys ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT pxfsf.sys ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT pxfsf.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT pxfsf.sys ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT pxfsf.sys ZwSetInformationKey
SSDT pxfsf.sys ZwSetInformationProcess
SSDT pxfsf.sys ZwSetInformationThread
SSDT pxfsf.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT pxfsf.sys ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT pxfsf.sys ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT pxfsf.sys ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT pxfsf.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text NTDLL.DLL!NtClose 784681F8 5 Bytes JMP 72033FAA
.text NTDLL.DLL!NtCreateProcess 78468308 5 Bytes JMP 72034135
.text NTDLL.DLL!NtCreateSection 78468328 5 Bytes JMP 72033FC8
.text NTDLL.DLL!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text NTDLL.DLL!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]

---- User code sections - GMER 1.0.12 ----

.text C:\WINNT\system32\csrss.exe[208] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\csrss.exe[208] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\csrss.exe[208] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\csrss.exe[208] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\csrss.exe[208] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\winlogon.exe[228] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\winlogon.exe[228] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\winlogon.exe[228] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\winlogon.exe[228] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\winlogon.exe[228] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\services.exe[256] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\services.exe[256] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\services.exe[256] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\services.exe[256] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\services.exe[256] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\lsass.exe[268] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\lsass.exe[268] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\lsass.exe[268] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\svchost.exe[436] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\svchost.exe[436] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\svchost.exe[436] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\svchost.exe[436] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\svchost.exe[436] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\spoolsv.exe[472] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\spoolsv.exe[472] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\spoolsv.exe[472] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\spoolsv.exe[472] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\spoolsv.exe[472] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\svchost.exe[504] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\svchost.exe[504] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\svchost.exe[504] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\svchost.exe[504] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\svchost.exe[504] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Programmi\mst software\mst Defrag\mstDfrgS.exe[540] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\Programmi\mst software\mst Defrag\mstDfrgS.exe[540] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\Programmi\mst software\mst Defrag\mstDfrgS.exe[540] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Programmi\mst software\mst Defrag\mstDfrgS.exe[540] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Programmi\mst software\mst Defrag\mstDfrgS.exe[540] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Programmi\Eset\nod32krn.exe[564] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\Programmi\Eset\nod32krn.exe[564] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\Programmi\Eset\nod32krn.exe[564] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Programmi\Eset\nod32krn.exe[564] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Programmi\Eset\nod32krn.exe[564] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\nvsvc32.exe[580] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\nvsvc32.exe[580] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\nvsvc32.exe[580] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\nvsvc32.exe[580] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\nvsvc32.exe[580] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\MSTask.exe[720] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\MSTask.exe[720] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\MSTask.exe[720] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\MSTask.exe[720] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\MSTask.exe[720] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\Explorer.EXE[840] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\Explorer.EXE[840] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\Explorer.EXE[840] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\Explorer.EXE[840] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\Explorer.EXE[840] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Programmi\Eset\nod32kui.exe[920] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\Programmi\Eset\nod32kui.exe[920] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\Programmi\Eset\nod32kui.exe[920] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Programmi\Eset\nod32kui.exe[920] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Programmi\Eset\nod32kui.exe[920] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\System32\WBEM\WinMgmt.exe[928] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\System32\WBEM\WinMgmt.exe[928] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\System32\WBEM\WinMgmt.exe[928] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\System32\WBEM\WinMgmt.exe[928] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\System32\WBEM\WinMgmt.exe[928] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!GetScrollRange 77E1FD75 5 Bytes JMP 0042727B C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!EnableScrollBar 77E1FDC5 5 Bytes JMP 0042722A C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!GetScrollPos 77E258A2 9 Bytes JMP 00427260 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!SetScrollPos 77E280B8 5 Bytes JMP 004272B1 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!GetSysColorBrush 77E2B462 6 Bytes JMP 00427428 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!GetScrollInfo 77E2FF46 7 Bytes JMP 00427245 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!ShowScrollBar 77E3870D 5 Bytes JMP 004272E7 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!SetScrollRange 77E38DEA 5 Bytes JMP 004272CC C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!GetSysColor 77E429A5 6 Bytes JMP 004273E2 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!SetScrollInfo 77E43456 5 Bytes JMP 00427296 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\WINNT\system32\svchost.exe[984] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\svchost.exe[984] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\svchost.exe[984] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\svchost.exe[984] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\svchost.exe[984] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1240] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1240] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1240] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1240] KERNEL32.dll!FreeLibrary + 37 796D0882 4 Bytes [ B6, F7, 92, E5 ]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1240] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1240] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1496] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1496] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1496] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1496] KERNEL32.dll!FreeLibrary + 37 796D0882 4 Bytes [ B6, F7, 92, E5 ]
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1496] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1496] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [BD8952A0] vsdatant.sys
Device \Driver\USB_RNDIS \Device\{46EF1A37-B6DD-433F-A1A3-0ED4DB8AD539} IRP_MJ_PNP [EB7FD242] RNDISMPK.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [BD8952A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE

---- EOF - GMER 1.0.12 ----
noviziopasticcio
Senior Member
Posts: 370
Joined: Fri Nov 04, 2005 11:41 am
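A triage helper for logs in the GMER format posted above, added here as an example; it is not code from the thread, from GMER, or from any of the products mentioned. It groups the SSDT hooks by the module that owns them, classifies each inline patch (a jump GMER attributed to a module, a jump it could not, or an FF 25 indirect-jump trampoline) and lists the alternate data streams, so a helper can tell at a glance which hooks are explained by the installed firewall and antivirus. The sample log is constructed from lines in the format above plus one invented `mystery.sys` entry, and the expected-module set (`pxfsf.sys` taken to be Prevx's driver by name, `vsdatant.sys` ZoneAlarm's TrueVector driver, both products visible in the HijackThis log) is an assumption.

```python
"""Triage a GMER rootkit-scan log: which module hooks which SSDT entry, what
each inline patch looks like, and which alternate data streams were found."""
import re
from collections import Counter

# Constructed sample in the format of the log posted above (blank lines dropped).
# The mystery.sys entry is invented to show how an unexplained hook is flagged.
SAMPLE_LOG = r"""GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-04 22:34:42
---- System - GMER 1.0.12 ----
SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateThread
SSDT mystery.sys ZwQueryDirectoryFile
---- Kernel code sections - GMER 1.0.12 ----
.text NTDLL.DLL!NtClose 784681F8 5 Bytes JMP 72033FAA
.text NTDLL.DLL!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
---- User code sections - GMER 1.0.12 ----
.text C:\WINNT\system32\csrss.exe[208] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!GetScrollPos 77E258A2 9 Bytes JMP 00427260 C:\Programmi\Arovax Shield\ArovaxShield.exe
---- Devices - GMER 1.0.12 ----
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BD8952A0] vsdatant.sys
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE
---- EOF - GMER 1.0.12 ----
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s*$")
# An optional "<process path>[pid]" prefix separates user-mode lines from kernel ones.
CODE_RE = re.compile(
    r"^\.text\s+(?:(.+?\[\d+\])\s+)?([\w.]+!\w+(?: \+ \d+)?)\s+"
    r"([0-9A-F]+)\s+(\d+) Bytes\s+(.*?)\s*$"
)
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\w+)\s+\[[0-9A-F]+\]\s+(\S+)\s*$")
ADS_RE = re.compile(r"^ADS\s+(.+?)\s*$")


def basename(path):
    """Lower-cased file name of a module, whatever path prefix GMER printed."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_patch(detail):
    """'JMP <addr> <module>' is a jump GMER attributed to a module, 'JMP <addr>'
    one it could not; a byte list starting FF 25 is an indirect jmp [mem32]."""
    if detail.startswith("JMP "):
        return "jmp-resolved" if len(detail.split(maxsplit=2)) == 3 else "jmp-unresolved"
    opcodes = [b.strip() for b in detail.strip("[] ").split(",")]
    return "indirect-jmp-bytes" if opcodes[:2] == ["FF", "25"] else "bytes"


def parse_gmer(text):
    """Collect the SSDT, code-section, device and ADS findings from a log."""
    found = {"ssdt": [], "code": [], "devices": [], "ads": []}
    for line in text.splitlines():
        if m := SSDT_RE.match(line):
            found["ssdt"].append({"module": basename(m.group(1)), "syscall": m.group(2)})
        elif m := CODE_RE.match(line):
            proc, symbol, addr, size, detail = m.groups()
            found["code"].append({"scope": "user" if proc else "kernel", "process": proc,
                                  "symbol": symbol, "address": addr, "size": int(size),
                                  "kind": classify_patch(detail)})
        elif m := DEVICE_RE.match(line):
            found["devices"].append({"driver": m.group(1), "device": m.group(2),
                                     "irp": m.group(3), "handler": basename(m.group(4))})
        elif m := ADS_RE.match(line):
            found["ads"].append(m.group(1))
    return found


def triage(text, expected_modules):
    """What a helper looks at first: hooks not explained by the security software
    known to be installed, jumps GMER could not attribute, and ADS entries."""
    found = parse_gmer(text)
    per_module = Counter(h["module"] for h in found["ssdt"])
    expected = {m.lower() for m in expected_modules}
    return {
        "ssdt_per_module": dict(per_module),
        "unexpected_ssdt_modules": {m: n for m, n in per_module.items() if m not in expected},
        "unresolved_jumps": [f"{c['symbol']} -> ?" for c in found["code"]
                             if c["kind"] == "jmp-unresolved"],
        "unexpected_device_hooks": sorted({d["handler"] for d in found["devices"]} - expected),
        "ads": found["ads"],
    }


if __name__ == "__main__":
    # Assumption: pxfsf.sys is Prevx's driver (by name) and vsdatant.sys is
    # ZoneAlarm's TrueVector driver; both products appear in the HijackThis log.
    for key, value in triage(SAMPLE_LOG, {"pxfsf.sys", "vsdatant.sys"}).items():
        print(f"{key}: {value}")
```

On the full log above the same pass would attribute every SSDT hook to pxfsf.sys or vsdatant.sys and leave the NTDLL jumps into 7203xxxx and the single ADS entry as the items still needing an explanation.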

Post by noviziopasticcio » Thu Jan 04, 2007 11:34 pm

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-04 22:40:47
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.12 ----

SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT pxfsf.sys ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT pxfsf.sys ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT pxfsf.sys ZwEnumerateKey
SSDT pxfsf.sys ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT pxfsf.sys ZwFreeVirtualMemory
SSDT pxfsf.sys ZwImpersonateAnonymousToken
SSDT pxfsf.sys ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT pxfsf.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT pxfsf.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT pxfsf.sys ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT pxfsf.sys ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT pxfsf.sys ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT pxfsf.sys ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT pxfsf.sys ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT pxfsf.sys ZwSetInformationKey
SSDT pxfsf.sys ZwSetInformationProcess
SSDT pxfsf.sys ZwSetInformationThread
SSDT pxfsf.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT pxfsf.sys ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT pxfsf.sys ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT pxfsf.sys ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT pxfsf.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text NTDLL.DLL!NtClose 784681F8 5 Bytes JMP 72033FAA
.text NTDLL.DLL!NtCreateProcess 78468308 5 Bytes JMP 72034135
.text NTDLL.DLL!NtCreateSection 78468328 5 Bytes JMP 72033FC8
.text NTDLL.DLL!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text NTDLL.DLL!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]

---- User code sections - GMER 1.0.12 ----

.text C:\WINNT\system32\csrss.exe[208] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\csrss.exe[208] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\csrss.exe[208] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\csrss.exe[208] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\csrss.exe[208] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\winlogon.exe[228] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\winlogon.exe[228] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\winlogon.exe[228] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\winlogon.exe[228] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\winlogon.exe[228] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\services.exe[256] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\services.exe[256] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\services.exe[256] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\services.exe[256] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\services.exe[256] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\lsass.exe[268] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\lsass.exe[268] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\lsass.exe[268] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\svchost.exe[436] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\svchost.exe[436] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\svchost.exe[436] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\svchost.exe[436] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\svchost.exe[436] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\spoolsv.exe[472] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\spoolsv.exe[472] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\spoolsv.exe[472] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\spoolsv.exe[472] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\spoolsv.exe[472] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\svchost.exe[504] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\svchost.exe[504] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\svchost.exe[504] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\svchost.exe[504] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\svchost.exe[504] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Programmi\mst software\mst Defrag\mstDfrgS.exe[540] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\Programmi\mst software\mst Defrag\mstDfrgS.exe[540] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\Programmi\mst software\mst Defrag\mstDfrgS.exe[540] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Programmi\mst software\mst Defrag\mstDfrgS.exe[540] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Programmi\mst software\mst Defrag\mstDfrgS.exe[540] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Programmi\Eset\nod32krn.exe[564] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\Programmi\Eset\nod32krn.exe[564] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\Programmi\Eset\nod32krn.exe[564] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Programmi\Eset\nod32krn.exe[564] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Programmi\Eset\nod32krn.exe[564] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\nvsvc32.exe[580] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\nvsvc32.exe[580] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\nvsvc32.exe[580] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\nvsvc32.exe[580] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\nvsvc32.exe[580] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\system32\MSTask.exe[720] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\MSTask.exe[720] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\MSTask.exe[720] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\MSTask.exe[720] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\MSTask.exe[720] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\Explorer.EXE[840] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\Explorer.EXE[840] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\Explorer.EXE[840] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\Explorer.EXE[840] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\Explorer.EXE[840] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Programmi\Eset\nod32kui.exe[920] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\Programmi\Eset\nod32kui.exe[920] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\Programmi\Eset\nod32kui.exe[920] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Programmi\Eset\nod32kui.exe[920] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Programmi\Eset\nod32kui.exe[920] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINNT\System32\WBEM\WinMgmt.exe[928] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\System32\WBEM\WinMgmt.exe[928] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\System32\WBEM\WinMgmt.exe[928] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\System32\WBEM\WinMgmt.exe[928] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\System32\WBEM\WinMgmt.exe[928] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!GetScrollRange 77E1FD75 5 Bytes JMP 0042727B C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!EnableScrollBar 77E1FDC5 5 Bytes JMP 0042722A C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!GetScrollPos 77E258A2 9 Bytes JMP 00427260 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!SetScrollPos 77E280B8 5 Bytes JMP 004272B1 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!GetSysColorBrush 77E2B462 6 Bytes JMP 00427428 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!GetScrollInfo 77E2FF46 7 Bytes JMP 00427245 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!ShowScrollBar 77E3870D 5 Bytes JMP 004272E7 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!SetScrollRange 77E38DEA 5 Bytes JMP 004272CC C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!GetSysColor 77E429A5 6 Bytes JMP 004273E2 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\Programmi\Arovax Shield\ArovaxShield.exe[940] USER32.dll!SetScrollInfo 77E43456 5 Bytes JMP 00427296 C:\Programmi\Arovax Shield\ArovaxShield.exe
.text C:\WINNT\system32\svchost.exe[984] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\svchost.exe[984] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\svchost.exe[984] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINNT\system32\svchost.exe[984] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINNT\system32\svchost.exe[984] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1240] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1240] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1240] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1240] KERNEL32.dll!FreeLibrary + 37 796D0882 4 Bytes [ B6, F7, 92, E5 ]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1240] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1240] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1496] ntdll.dll!NtTerminateProcess 78468E6C 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1496] ntdll.dll!NtTerminateProcess + 4 78468E70 2 Bytes [ 0E, 5F ]
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1496] KERNEL32.dll!LoadLibraryExW 796D0549 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1496] KERNEL32.dll!FreeLibrary + 37 796D0882 4 Bytes [ B6, F7, 92, E5 ]
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1496] KERNEL32.dll!CreateProcessA 796D4FF4 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1496] KERNEL32.dll!CreateProcessW 796D6935 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [BD8952A0] vsdatant.sys
Device \Driver\USB_RNDIS \Device\{46EF1A37-B6DD-433F-A1A3-0ED4DB8AD539} IRP_MJ_PNP [EB7FD242] RNDISMPK.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BD8952A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [BD8952A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE

---- EOF - GMER 1.0.12 ----

Post by Amantide » Thu Jan 04, 2007 11:40 pm

Both of those are rootkit logs; replace the second one with the Autostart log.

In the meantime open Hijackthis --> Open the misc tools section --> Open ADS Spy... Untick Quick Scan and run the scan by pressing the Scan button.
Find the entry
ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE
select it and press Remove selected.

Post by noviziopasticcio » Thu Jan 04, 2007 11:42 pm

GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-01-04 22:49:01
Windows 5.0.2195 Service Pack 4


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif@DLLName = wzcdlg.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
mstDfrgS /*mst Defrag Service*/@ = C:\Programmi\mst software\mst Defrag\mstDfrgS.exe
NOD32krn /*NOD32 Kernel Service*/@ = "C:\Programmi\Eset\nod32krn.exe"
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
PREVXAgent /*Prevx Agent*/@ = "C:\Programmi\Prevx1\PXAgent.exe" -f
Schedule /*Utilità di pianificazione*/@ = %SystemRoot%\system32\MSTask.exe
SDhelper /*PC Tools Spyware Doctor*/@ = C:\Programmi\Spyware Doctor\sdhelp.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINNT\system32\ZoneLabs\vsmon.exe -service
WinMgmt /*Strumentazione gestione Windows*/@ = %SystemRoot%\System32\WBEM\WinMgmt.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@nod32kui"C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE = "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
@NvCplDaemonRUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
@Arovax ShieldC:\Programmi\Arovax Shield\ArovaxShield.exe -tray /*file not found*/ = C:\Programmi\Arovax Shield\ArovaxShield.exe -tray /*file not found*/
@PrevxOne"C:\Programmi\Prevx1\PXConsole.exe" = "C:\Programmi\Prevx1\PXConsole.exe"
@Zone Labs Client"C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe" = "C:\Programmi\Zone Labs\ZoneAlarm\zlclient.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ /*file not found*/ = /*file not found*/
@Spyware Doctor"C:\Programmi\Spyware Doctor\swdoctor.exe" /Q = "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{41E300E0-78B6-11ce-849B-444553540000} /*Estensione CPL PlusPack*/plustab.dll = plustab.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} /*Anteprima*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
@{EAB841A0-9550-11CF-8C16-00805F1408F3} /*Programma di estrazione pagine HTML in anteprima*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
@{1AEB1360-5AFC-11D0-B806-00C04FD706EC} /*Programma di estrazione filtri grafici di Office in anteprima*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
@{9DBD2C50-62AD-11D0-B806-00C04FD706EC} /*Summary Info Thumbnail handler (DOCFILES)*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
@{500202A0-731E-11D0-B829-00C04FD706EC} /*LNK file thumbnail interface delegator*/C:\WINNT\system32\thumbvw.dll = C:\WINNT\system32\thumbvw.dll
@{fe1290f0-cfbd-11cf-a330-00aa00c16e65} /*Directory Namespace*/dsfolder.dll = dsfolder.dll
@{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} /*Shell properties for a DS object*/dsfolder.dll = dsfolder.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINNT\system32\nvshell.dll = C:\WINNT\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINNT\system32\nvshell.dll = C:\WINNT\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINNT\system32\nvshell.dll = C:\WINNT\system32\nvshell.dll
@{B089FE88-FB52-11d3-BDF1-0050DA34150D} /*NOD32 Context Menu Shell Extension*/C:\Programmi\Eset\nodshex.dll = C:\Programmi\Eset\nodshex.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
NOD32 Context Menu Shell Extension@{B089FE88-FB52-11d3-BDF1-0050DA34150D} = C:\Programmi\Eset\nodshex.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll = C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
@{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll = C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
@{B56A7D7D-6927-48C8-A975-17DF180C71AC}C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll = C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.microsoft.com/isapi/redi ... ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Local PageC:\WINNT\system32\blank.htm = C:\WINNT\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
its@CLSID = C:\WINNT\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINNT\system32\itss.dll
vnd.ms.radio@CLSID = C:\WINNT\system32\msdxm.ocx

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001@LibraryPath = %SystemRoot%\System32\rnr20.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = imon.dll
000000000002@PackedCatalogItem = imon.dll
000000000003@PackedCatalogItem = imon.dll
000000000004@PackedCatalogItem = imon.dll
000000000005@PackedCatalogItem = imon.dll
000000000006@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000007@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000008@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000011@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000012@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000013@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000014@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000015@PackedCatalogItem = %SystemRoot%\system32\msafd.dll
000000000016@PackedCatalogItem = %SystemRoot%\system32\msafd.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017@PackedCatalogItem = imon.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Logitech SetPoint.lnk.disabled = Logitech SetPoint.lnk.disabled
WinZip Quick Pick.lnk.disabled = WinZip Quick Pick.lnk.disabled

---- EOF - GMER 1.0.12 ----

Post by noviziopasticcio » Thu Jan 04, 2007 11:46 pm

[Image]

Post by noviziopasticcio » Thu Jan 04, 2007 11:49 pm

Amantide wrote: Both of those are rootkit logs; replace the second one with the Autostart log.

In the meantime open Hijackthis --> Open the misc tools section --> Open ADS Spy... Untick Quick Scan and run the scan by pressing the Scan button.
Find the entry
ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE
select it and press Remove selected.

done

Post by Amantide » Thu Jan 04, 2007 11:57 pm

The system32.exe file is not visible anywhere; in return we have removed a harmful ADS.

That "empty" value in the registry is also present in the Gmer log:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ /*file not found*/ = /*file not found*/

Since the value contains no data it cannot pose any danger; it is probably left over from some uninstall. If you can, try removing it with Spybot's help, otherwise delete it manually.
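As an added example (not part of the original thread, and not GMER's own code), the following Python script triages a GMER 1.0.12 text log for the two kinds of entries discussed in this thread: ADS entries from the Files section, and autostart values that GMER annotates with `/*file not found*/`, separating the empty-value case Amantide describes above from an entry whose target file is simply missing. The sample lines embedded in it are constructed from the logs posted above; the function names and the `kind` labels are my own and not GMER terminology.

```python
"""Triage a GMER 1.0.12 text log for alternate data streams (ADS) and
suspicious autostart values.  Added example, not GMER's own code."""
from typing import Dict, List

# Annotation GMER appends to an autostart value when the referenced file is absent.
NOT_FOUND = "/*file not found*/"

# Constructed sample in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""
---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Dati applicazioni\TEMP:2A81F9CE

---- EOF - GMER 1.0.12 ----
GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-01-04 22:49:01

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@nod32kui"C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE = "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
@Arovax ShieldC:\Programmi\Arovax Shield\ArovaxShield.exe -tray /*file not found*/ = C:\Programmi\Arovax Shield\ArovaxShield.exe -tray /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ /*file not found*/ = /*file not found*/
@Spyware Doctor"C:\Programmi\Spyware Doctor\swdoctor.exe" /Q = "C:\Programmi\Spyware Doctor\swdoctor.exe" /Q
"""


def parse_gmer(text: str) -> List[Dict[str, object]]:
    """Walk a GMER log and return the entries worth a second look.

    Recognised line shapes (GMER 1.0.12 format as seen in the thread):
      ADS <path>:<stream>          an alternate data stream (Files section)
      <registry key> >>>           opens a block of autostart entries
      @<name><value> = <value>     one entry under the open key; the value
                                   is printed twice, glued to the name on the left
    Kinds reported: "ads", "empty_value" (no data at all, as in the HKCU Run
    entry discussed above) and "missing_file" (data present, file absent).
    """
    findings: List[Dict[str, object]] = []
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("---- "):          # section banner, e.g. "---- Files - ... ----"
            current_key = None
            continue
        if line.startswith("ADS "):
            path, _, stream = line[4:].rpartition(":")
            findings.append({"kind": "ads", "key": "", "name": stream,
                             "value": path, "line": lineno})
            continue
        if line.endswith(" >>>"):
            current_key = line[:-4]
            continue
        if current_key and line.startswith("@"):
            left, sep, value = line.rpartition(" = ")
            if not sep:
                continue
            # Left side is "@" + name + value: peel the repeated value off to get the name.
            if value and left.endswith(value):
                name = left[1:-len(value)].strip()
            else:
                name = left[1:].strip()
            data = value.replace(NOT_FOUND, "").strip()
            if NOT_FOUND not in value:
                continue                      # file present: nothing to flag here
            kind = "empty_value" if not data else "missing_file"
            findings.append({"kind": kind, "key": current_key, "name": name,
                             "value": data, "line": lineno})
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per kind, handy for a quick overview of a long log."""
    counts: Dict[str, int] = {}
    for f in findings:
        kind = str(f["kind"])
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_gmer(SAMPLE_LOG):
        print(f"line {f['line']:>3}: {f['kind']:<13} key={f['key'] or '-'} "
              f"name={f['name']!r} value={f['value']!r}")
    print(summarize(parse_gmer(SAMPLE_LOG)))
```

On the constructed sample this reports the ADS on the TEMP directory, the Arovax Shield entry as `missing_file` and the nameless HKCU Run entry as `empty_value`; feeding it a real GMER log works the same way since it keys only on the line shapes shown in the thread.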

Post by noviziopasticcio » Fri Jan 05, 2007 12:00 am

Spybot doesn't detect it in a scan, it only reports it as in the screenshot.
So should I delete it manually?

Post by noviziopasticcio » Fri Jan 05, 2007 12:03 am

I couldn't find the HKCU Run key, so I deleted it from Spybot.

Post by Amantide » Fri Jan 05, 2007 12:06 am

noviziopasticcio wrote: I couldn't find the HKCU Run key, so I deleted it from Spybot.

You didn't find it in the registry? It's HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

And where did you see the system32.exe file? Was it Spybot that notified you of it?

Post by noviziopasticcio » Fri Jan 05, 2007 12:23 am

now I don't know any more! [:)]
yes, it was Spybot that reported it
it seems to be removed....
but I'll wait for the next reboot

Post by noviziopasticcio » Fri Jan 05, 2007 12:26 am

or rather, not so much notifying it as listing it among the startup programs

Post by noviziopasticcio » Fri Jan 05, 2007 12:33 am

I attached the screenshot

Post by noviziopasticcio » Fri Jan 05, 2007 12:23 pm

everything seems fine. thanks for the help! [:)]