Punto informatico Network
Login Esegui login | Non sei registrato? Iscriviti ora (è gratuito!)
Username: Password:
  • Annuncio Pubblicitario

Avenger non parte

Un virus si è intromesso nel tuo computer? Vuoi navigare in tutta sicurezza? Sono sicure le transazione online? Come impedire a malintenzionati di intromettersi nel tuo pc? Come proteggere i tuoi dati? Qui trovi le risposte a queste ed altre domande

Rispondi al messaggio

Avenger non parte

Messaggioda miniver » mar gen 23, 2007 11:53 pm

Ho problemi con wintems.exe. Ho letto i vecchi topic ed ho provato a scaricare Avenger, ma accade una cosa stranissima: quando avvio il programma si apre per un secondo e poi si richiude. Se digito su Firefox o IE "Avenger" il programma si chiude. Ho provato decine di volte...Come faccio a risolvere questo problema?
Avatar utente
miniver
Neo Iscritto
Neo Iscritto
 
Messaggi: 10
Iscritto il: mar gen 23, 2007 11:44 pm
Top

Messaggioda BilloKenobi » mer gen 24, 2007 12:25 am

probabile che hai il linkoptimizer... scarica questo tool

http://www.mytempdir.com/1182664

estrailo, avvialo, metti la spunta a tutte le voci e poi premi SCAN per avviare la scansione. allega il log generato (lo trovi in C:\suspectfile\report.txt) su www.mytempdir.com e poi ci dai il link al file per analizzarlo [;)]
Begun the Clone War has
Avatar utente
BilloKenobi
Senior Member
Senior Member
 
Messaggi: 453
Iscritto il: gio ago 10, 2006 11:06 am
Top

Messaggioda miniver » mer gen 24, 2007 8:50 pm

ci ho provato ma mentre fa mi dice "accesso a windows script host disabilitato sul computer in uso". [cry+]
Inoltre quando ho provato ad aprire la pagina su cui sto scrivendo sul mio pc, sia firefox che IE vanno in crash quindi sono costretto ad aprirla su altri computer [...]
non ho più idea di che fare [acc2]
Avatar utente
miniver
Neo Iscritto
Neo Iscritto
 
Messaggi: 10
Iscritto il: mar gen 23, 2007 11:44 pm
Top
Top

Messaggioda BilloKenobi » gio gen 25, 2007 12:15 am

le finestre si chiudono perché il titolo della finestra contiene il nome avenger...

l'avviso quando ti compare?, non ho ben capito...
Begun the Clone War has
Avatar utente
BilloKenobi
Senior Member
Senior Member
 
Messaggi: 453
Iscritto il: gio ago 10, 2006 11:06 am
Top

Messaggioda miniver » gio gen 25, 2007 8:55 pm

L'avviso mi compare quando avvio system scan.
Ho provato tutti i mezzi, ma non mi da la possibilità di agire. Se digito Avenger su google si blocca,se lo avvio si chiude immediatamente, se apro questo thread dal mio computer si blocca system scan mi da quell'avviso di errore e non mi crea il log, se digito hijackthis si chiude google....
Panico totale [V]
Avatar utente
miniver
Neo Iscritto
Neo Iscritto
 
Messaggi: 10
Iscritto il: mar gen 23, 2007 11:44 pm
Top

Messaggioda crazy.cat » gio gen 25, 2007 9:07 pm

Prendi hijackthis rinominato da questo link e speriamo tu riesca a lanciarlo
http://www.mediafire.com/?eymdtm4fmom

Posta il log della scansione se funziona
Quando i molti governano, pensano solo a contentar sé stessi, si ha allora la tirannia più balorda e più odiosa: la tirannia mascherata da libertà.
Avatar utente
crazy.cat
MLI Hero
MLI Hero
 
Messaggi: 30959
Iscritto il: lun gen 12, 2004 1:38 pm
Località: Mestre
Top

Messaggioda miniver » ven gen 26, 2007 8:39 pm

Niente da fare...Lo scarica ma appena lo avvio si richiude...
Che mi resta da fare? PANICO! [cry+]
Avatar utente
miniver
Neo Iscritto
Neo Iscritto
 
Messaggi: 10
Iscritto il: mar gen 23, 2007 11:44 pm
Top

Messaggioda miniver » ven gen 26, 2007 8:49 pm

Con spyware blaster acceso risolve il problema!

Questo è il log di hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 19.46.14, on 26/01/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Apoint2K\Apoint.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\Programmi\Apoint2K\Apntex.exe
C:\Programmi\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Programmi\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\Programmi\SpywareBlaster\spywareblaster.exe
C:\Hhis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.miniver.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\ibmdrv.exe","c:\windows\nvidiadrv.exe","c:\windows\toshibachecker.exe",
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {66C19482-BF6A-4322-8175-33B66168B264} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Programmi\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: MA521 Configuration Utility.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://alfredoesposito.spaces.msn.com// ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5934406562
O17 - HKLM\System\CCS\Services\Tcpip\..\{58733AA3-A310-4AF0-B3CA-D811F3136966}: NameServer = 10.0.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Programmi\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Avatar utente
miniver
Neo Iscritto
Neo Iscritto
 
Messaggi: 10
Iscritto il: mar gen 23, 2007 11:44 pm
Top

Messaggioda miniver » ven gen 26, 2007 9:04 pm

QUESTO é LO SCAN AUTOSTART DI GMER

GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-01-26 20:03:09
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ >>>
Winlogon@Userinit = c:\windows\system32\userinit.exe,"c:\windows\ibmdrv.exe","c:\windows\nvidiadrv.exe","c:\windows\toshibachecker.exe",
Windows@AppInit_DLLs = \\?\C:\WINDOWS\com4.unp

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
LexBceS /*LexBce Server*/@ = C:\WINDOWS\system32\LEXBCES.EXE
NVSvc /*NVIDIA Driver Helper Service*/@ = %SystemRoot%\system32\nvsvc32.exe
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ApointC:\Programmi\Apoint2K\Apoint.exe = C:\Programmi\Apoint2K\Apoint.exe
@hldrrrC:\WINDOWS\system32\hldrrr.exe = C:\WINDOWS\system32\hldrrr.exe
@TkBellExe"C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot = "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run >>>
@ibmdrv"c:\windows\ibmdrv.exe" = "c:\windows\ibmdrv.exe"
@nvidiadrv"c:\windows\nvidiadrv.exe" = "c:\windows\nvidiadrv.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@msnmsgr"C:\Programmi\MSN Messenger\msnmsgr.exe" /background = "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
@hldrrrC:\WINDOWS\system32\hldrrr.exe = C:\WINDOWS\system32\hldrrr.exe
@drvsyskitC:\Documents and Settings\1984\Dati applicazioni\hidires\hidr.exe = C:\Documents and Settings\1984\Dati applicazioni\hidires\hidr.exe
@german.exeC:\WINDOWS\system32\wintems.exe = C:\WINDOWS\system32\wintems.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler@{553858A7-4922-4e7e-B1C1-97140C1C16EF} = C:\WINDOWS\system32\ieframe.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Pagina proprietà versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Versioni precedenti*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{EFA24E61-B078-11d0-89E4-00C04FC9E26E} /*Favorites Band*/(null) =
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{0D6D4F41-2994-4ba0-8FEF-620E43CD2812} /*IE Microsoft Internet Toolbar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{482A7CB3-2EDF-4595-A315-A5244F1E96E6} /*IE Search Control*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6D8BB3D3-9D87-4a91-AB56-4F30CFFEFE9F} /*Explorer Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7E48925F-FF5C-47fa-A99A-F5912A10623B} /*IE Address EditBox*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{C4EC38BD-4E9E-4b5e-935A-D1BFF237D980} /*Explorer Travel Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{DE011590-0531-4804-9C9C-3FEDC7E6E5C8} /*IE &Address*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F0353E1D-FEEC-474e-A984-1E5C6865E380} /*IE Global Folder Settings*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/(null) =
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Programmi\Real\RealPlayer\rpshell.dll = C:\Programmi\Real\RealPlayer\rpshell.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Programmi\MSN Messenger\fsshext.8.0.0812.00.dll
@{44440D00-FF19-4AFC-B765-9A0970567D97} /*TuneUp Theme Extension*/%SystemRoot%\system32\uxtuneup.dll = %SystemRoot%\system32\uxtuneup.dll
@{4858E7D9-8E12-45a3-B6A3-1CD128C9D403} /*TuneUp Shredder Shell Extension*/C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll = C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
TuneUp Shredder Shell Extension@{4858E7D9-8E12-45a3-B6A3-1CD128C9D403} = C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
TuneUp Shredder Shell Extension@{4858E7D9-8E12-45a3-B6A3-1CD128C9D403} = C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=54729 = http://go.microsoft.com/fwlink/?LinkId=54729
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID} = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.miniver.org/ = http://www.miniver.org/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
skype4com@CLSID = C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{58733AA3-A310-4AF0-B3CA-D811F3136966} /*Connessione alla rete locale (LAN)*/ >>>
@IPAddress10.0.0.4 = 10.0.0.4
@NameServer10.0.0.1 = 10.0.0.1
@DefaultGateway10.0.0.1 = 10.0.0.1
@Domain =

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = MA521 Configuration Utility.lnk

---- EOF - GMER 1.0.12 ----
Avatar utente
miniver
Neo Iscritto
Neo Iscritto
 
Messaggi: 10
Iscritto il: mar gen 23, 2007 11:44 pm
Top

Questo è il rootkit

Messaggioda miniver » ven gen 26, 2007 9:13 pm

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-26 20:11:52
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Documents and Settings\1984\Dati applicazioni\hidires\m_hook.sys ZwCreateFile
SSDT sptd.sys ZwCreateKey
SSDT \??\C:\Documents and Settings\1984\Dati applicazioni\hidires\m_hook.sys ZwEnumerateKey
SSDT \??\C:\Documents and Settings\1984\Dati applicazioni\hidires\m_hook.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT \??\C:\Documents and Settings\1984\Dati applicazioni\hidires\m_hook.sys ZwQueryDirectoryFile
SSDT \??\C:\Documents and Settings\1984\Dati applicazioni\hidires\m_hook.sys ZwQueryKey
SSDT \??\C:\Documents and Settings\1984\Dati applicazioni\hidires\m_hook.sys ZwQuerySystemInformation
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----

.text USBPORT.SYS!DllUnload F853062C 5 Bytes JMP 829931B8

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\hldrrr.exe[160] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 3EE8AD8B
.text C:\WINDOWS\system32\hldrrr.exe[160] ntdll.dll!NtQueryInformationFile 7C91DFDC 5 Bytes JMP 3EE8FA70
.text C:\WINDOWS\system32\hldrrr.exe[160] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 3EE8D78F
.text C:\WINDOWS\system32\hldrrr.exe[160] ntdll.dll!NtReadVirtualMemory 7C91E2BB 5 Bytes JMP 3EE8E76A
.text C:\WINDOWS\system32\hldrrr.exe[160] ntdll.dll!NtVdmControl 7C91E975 5 Bytes JMP 3EE8ABBE
.text C:\WINDOWS\system32\hldrrr.exe[160] ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 3EE8A79A
.text C:\WINDOWS\system32\hldrrr.exe[160] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 3EE87B6B
.text C:\WINDOWS\system32\hldrrr.exe[160] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 3EE88CE2
.text C:\WINDOWS\system32\hldrrr.exe[160] ntdll.dll!RtlQueryProcessDebugInformation + 2 7C9638ED 6 Bytes JMP 3EE8DE20
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!CreateFileA + 2 7C801A26 6 Bytes JMP 3EE8D16F
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 3EE89627
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!LoadLibraryExA + 2 7C801D51 6 Bytes JMP 3EE88D00
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!LoadLibraryA + 2 7C801D79 7 Bytes JMP 3EE88969
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!ReadProcessMemory + 2 7C8021CE 6 Bytes JMP 3EE8AE50
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!WriteProcessMemory + 2 7C802211 5 Bytes JMP 3EE8D357
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!CreateProcessW + 2 7C802334 5 Bytes JMP 3EE88471
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!CreateProcessA + 2 7C802369 5 Bytes JMP 3EE87E6A
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!FreeLibrary + 2 7C80AA68 7 Bytes JMP 3EE89430
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!GetProcAddress + 2 7C80AC2A 5 Bytes JMP 3EE88CEB
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!LoadLibraryW + 2 7C80ACD5 5 Bytes JMP 3EE88AAE
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!GetFileAttributesW + 2 7C80B5D6 6 Bytes JMP 3EE8F4A7
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!FreeLibraryAndExitThread + 2 7C80CEA3 6 Bytes JMP 3EE88C1E
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!FindFirstFileExW + 2 7C80EC7F 6 Bytes [ 37, 37, 91, 40, E9, EE ]
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!FindFirstFileExW + 9 7C80EC86 2 Bytes [ 68, C2 ]
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!FindFirstFileW + 2 7C80F0E3 5 Bytes JMP 3EE8F148
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!FindNextFileW 7C80F13A 7 Bytes JMP 3EE8E15E
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!CreateFileW + 2 7C810978 6 Bytes JMP 3EE8C788
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!GetFileAttributesExW + 2 7C81130F 6 Bytes JMP 3EE8DDD7
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!GetFileAttributesA + 2 7C81174E 6 Bytes JMP 3EE8EB6D
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!GetFileAttributesExA + 2 7C813533 6 Bytes JMP 3EE8F856
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!FindFirstFileA + 2 7C81355B 9 Bytes JMP 3EE8F819
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!ExitProcess + 2 7C81CAA4 5 Bytes JMP 3EE881E8
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!OpenProcess + 2 7C81E07B 6 Bytes JMP 3EE8B816
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!DeleteFileA + 2 7C81E85E 6 Bytes JMP 3EE8D6CC
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!DeleteFileW + 2 7C81F73F 6 Bytes JMP 3EE8EC8B
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!SetFileAttributesA + 2 7C81FB46 6 Bytes JMP 3EE8D522
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!SetFileAttributesW + 2 7C81FC07 6 Bytes JMP 3EE8F879
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!MoveFileWithProgressW 7C821565 5 Bytes JMP 3EE8BFD9
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!MoveFileWithProgressA + 2 7C8222B5 6 Bytes JMP 3EE8B424
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!OpenFile 7C826B99 5 Bytes JMP 3EE8BEDF
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!FindNextFileA + 2 7C83901B 9 Bytes JMP 3EE89D1C
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!MoveFileExW + 2 7C839921 6 Bytes JMP 3EE8DC00
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!FindFirstFileExA + 2 7C85C2F4 9 Bytes JMP 3EE8EBA3
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!MoveFileExA + 2 7C85D2A5 6 Bytes JMP 3EE8DAAC
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!_lopen + 2 7C85E612 6 Bytes JMP 3EE8D03C
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!WinExec + 2 7C86114F 6 Bytes JMP 3EE8955F
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!Process32FirstW + 2 7C8639D6 6 Bytes JMP 3EE8F958
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!Process32First + 2 7C863A8F 9 Bytes JMP 3EE8A114
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!Process32NextW + 2 7C863B61 6 Bytes JMP 3EE8B40E
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!Process32Next + 2 7C863C02 9 Bytes JMP 3EE8E598
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!Thread32First + 2 7C863CD4 6 Bytes JMP 3EE8D8D7
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!Thread32Next + 2 7C863D88 6 Bytes JMP 3EE8AF57
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!Module32FirstW + 2 7C863E21 3 Bytes JMP 3EE8C17E
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!Module32FirstW + 6 7C863E25 2 Bytes [ 62, C2 ]
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!Module32First + 2 7C863EDA 9 Bytes JMP 3EE8F2C5
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!Module32NextW + 2 7C863FBE 6 Bytes JMP 3EE8DDAD
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!Module32Next + 2 7C86405F 9 Bytes JMP 3EE8B2AB
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!GetBinaryTypeW 7C86783C 5 Bytes JMP 3EE8EC64
.text C:\WINDOWS\system32\hldrrr.exe[160] kernel32.dll!GetBinaryType + 2 7C867C9D 6 Bytes JMP 3EE8BDA1
.text C:\WINDOWS\system32\hldrrr.exe[160] user32.dll!ExitWindowsEx + 2 77D59E6F 6 Bytes JMP 3EE8848C
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegOpenKeyExW + 2 77F46A7A 6 Bytes JMP 3EE8C527
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegCloseKey + 2 77F46BF2 2 Bytes [ 41, E9 ]
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegCloseKey + 5 77F46BF5 3 Bytes [ 87, F4, C6 ]
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegQueryValueExW + 2 77F46FCA 6 Bytes JMP 3EE8B3AE
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegCreateKeyExW + 2 77F47537 6 Bytes JMP 3EE8F37C
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegOpenKeyExA + 2 77F4761D 6 Bytes JMP 3EE8EB4B
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegQueryValueExA + 2 77F47885 6 Bytes JMP 3EE8BF44
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegEnumValueW + 2 77F48083 6 Bytes JMP 3EE8B931
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegSetValueExW 77F4D7CC 7 Bytes JMP 3EE8B6D6
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegQueryValueW + 2 77F4D8E4 6 Bytes JMP 3EE8CE31
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegCreateKeyExA + 2 77F4EAF6 6 Bytes JMP 3EE8F4CB
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegSetValueExA 77F4EBE7 7 Bytes JMP 3EE8C8CD
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegDeleteValueA + 2 77F4EDE7 6 Bytes JMP 3EE8F931
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegDeleteValueW + 2 77F4EEF3 6 Bytes JMP 3EE8AB59
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegSetValueA + 2 77F56F4B 5 Bytes JMP 3EE8B1B8
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!SetFileSecurityW + 2 77F5AA6B 6 Bytes JMP 3EE8B984
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegEnumValueA + 2 77F5CF4C 6 Bytes JMP 3EE8AE48
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!SetNamedSecurityInfoW + 2 77F61287 6 Bytes JMP 3EE8CD2A
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!CreateProcessAsUserW + 2 77F67777 6 Bytes JMP 3EE88F4B
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegDeleteKeyW + 2 77F69886 6 Bytes JMP 3EE8A048
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!GetFileSecurityW + 2 77F6BCE0 6 Bytes JMP 3EE8A450
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegDeleteKeyA + 2 77F6C125 6 Bytes JMP 3EE8B010
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegQueryInfoKeyA + 2 77F6C1B7 6 Bytes JMP 3EE8CE16
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegOpenKeyA + 2 77F6C41D 6 Bytes JMP 3EE8C2F7
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegQueryValueA + 2 77F6CC12 6 Bytes JMP 3EE8C914
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegQueryInfoKeyW + 2 77F6CCF1 6 Bytes JMP 3EE8A9EF
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!GetNamedSecurityInfoW + 2 77F6D07A 7 Bytes JMP 3EE8B510
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegCreateKeyA + 2 77F6D5BD 6 Bytes JMP 3EE8B600
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!SetFileSecurityA + 2 77F7D2FF 5 Bytes JMP 3EE8D7B0
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!GetFileSecurityA + 2 77F7D365 5 Bytes JMP 3EE8D1AA
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!CreateProcessAsUserA + 2 77F8095A 6 Bytes JMP 3EE87EDE
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!CreateProcessWithLogonW 77F85C9D 5 Bytes JMP 3EE883FD
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!GetNamedSecurityInfoA + 2 77F91546 7 Bytes JMP 3EE8B58C
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!SetNamedSecurityInfoA + 2 77F91592 7 Bytes JMP 3EE8F431
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegQueryMultipleValuesA + 2 77FA553D 6 Bytes JMP 3EE89DB9
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegQueryMultipleValuesW + 2 77FA589F 6 Bytes JMP 3EE8CFD7
.text C:\WINDOWS\system32\hldrrr.exe[160] ADVAPI32.dll!RegSetValueW + 2 77FA5FC4 5 Bytes JMP 3EE8EB3D
.text C:\WINDOWS\system32\hldrrr.exe[160] ws2_32.dll!connect + 2 71A3406C 6 Bytes JMP 3EE8999A
.text C:\WINDOWS\system32\hldrrr.exe[160] ws2_32.dll!gethostbyname + 2 71A34FD6 9 Bytes JMP 3EE89966
.text C:\WINDOWS\system32\hldrrr.exe[160] ws2_32.dll!WSAAsyncGetHostByName + 2 71A3E987 13 Bytes [ F9, F3, 49, 42, FC, 92, 2F, ... ]
.text C:\WINDOWS\system32\hldrrr.exe[160] ws2_32.dll!WSAConnect + 2 71A40C6B 14 Bytes [ 9F, 48, D6, 9F, 99, F9, 90, ... ]
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 3EE8AD8B
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ntdll.dll!NtQueryInformationFile 7C91DFDC 5 Bytes JMP 3EE8FA70
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 3EE8D78F
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ntdll.dll!NtReadVirtualMemory 7C91E2BB 5 Bytes JMP 3EE8E76A
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ntdll.dll!NtVdmControl 7C91E975 5 Bytes JMP 3EE8ABBE
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 3EE8A79A
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 3EE87B6B
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 3EE88CE2
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ntdll.dll!RtlQueryProcessDebugInformation + 2 7C9638ED 6 Bytes JMP 3EE8DE20
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!CreateFileA + 2 7C801A26 6 Bytes JMP 3EE8D16F
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 3EE89627
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!LoadLibraryExA + 2 7C801D51 6 Bytes JMP 3EE88D00
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!LoadLibraryA + 2 7C801D79 7 Bytes JMP 3EE88969
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!ReadProcessMemory + 2 7C8021CE 6 Bytes JMP 3EE8AE50
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!WriteProcessMemory + 2 7C802211 5 Bytes JMP 3EE8D357
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!CreateProcessW + 2 7C802334 5 Bytes JMP 3EE88471
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!CreateProcessA + 2 7C802369 5 Bytes JMP 3EE87E6A
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!FreeLibrary + 2 7C80AA68 7 Bytes JMP 3EE89430
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!GetProcAddress + 2 7C80AC2A 5 Bytes JMP 3EE88CEB
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!LoadLibraryW + 2 7C80ACD5 5 Bytes JMP 3EE88AAE
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!GetFileAttributesW + 2 7C80B5D6 6 Bytes JMP 3EE8F4A7
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!FreeLibraryAndExitThread + 2 7C80CEA3 6 Bytes JMP 3EE88C1E
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!FindFirstFileExW + 2 7C80EC7F 6 Bytes [ 49, F3, 42, 42, E9, EE ]
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!FindFirstFileExW + 9 7C80EC86 2 Bytes [ 68, C2 ]
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!FindFirstFileW + 2 7C80F0E3 5 Bytes JMP 3EE8F148
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!FindNextFileW 7C80F13A 7 Bytes JMP 3EE8E15E
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!CreateFileW + 2 7C810978 6 Bytes JMP 3EE8C788
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!GetFileAttributesExW + 2 7C81130F 6 Bytes JMP 3EE8DDD7
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!GetFileAttributesA + 2 7C81174E 6 Bytes JMP 3EE8EB6D
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!GetFileAttributesExA + 2 7C813533 6 Bytes JMP 3EE8F856
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!FindFirstFileA + 2 7C81355B 9 Bytes JMP 3EE8F819
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!ExitProcess + 2 7C81CAA4 5 Bytes JMP 3EE881E8
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!OpenProcess + 2 7C81E07B 6 Bytes JMP 3EE8B816
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!DeleteFileA + 2 7C81E85E 6 Bytes JMP 3EE8D6CC
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!DeleteFileW + 2 7C81F73F 6 Bytes JMP 3EE8EC8B
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!SetFileAttributesA + 2 7C81FB46 6 Bytes JMP 3EE8D522
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!SetFileAttributesW + 2 7C81FC07 6 Bytes JMP 3EE8F879
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!MoveFileWithProgressW 7C821565 5 Bytes JMP 3EE8BFD9
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!MoveFileWithProgressA + 2 7C8222B5 6 Bytes JMP 3EE8B424
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!OpenFile 7C826B99 5 Bytes JMP 3EE8BEDF
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!FindNextFileA + 2 7C83901B 9 Bytes JMP 3EE89D1C
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!MoveFileExW + 2 7C839921 6 Bytes JMP 3EE8DC00
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!FindFirstFileExA + 2 7C85C2F4 9 Bytes JMP 3EE8EBA3
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!MoveFileExA + 2 7C85D2A5 6 Bytes JMP 3EE8DAAC
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!_lopen + 2 7C85E612 6 Bytes JMP 3EE8D03C
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!WinExec + 2 7C86114F 6 Bytes JMP 3EE8955F
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!Process32FirstW + 2 7C8639D6 6 Bytes JMP 3EE8F958
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!Process32First + 2 7C863A8F 9 Bytes JMP 3EE8A114
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!Process32NextW + 2 7C863B61 6 Bytes JMP 3EE8B40E
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!Process32Next + 2 7C863C02 9 Bytes JMP 3EE8E598
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!Thread32First + 2 7C863CD4 6 Bytes JMP 3EE8D8D7
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!Thread32Next + 2 7C863D88 6 Bytes JMP 3EE8AF57
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!Module32FirstW + 2 7C863E21 3 Bytes JMP 3EE8C17E
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!Module32FirstW + 6 7C863E25 2 Bytes [ 62, C2 ]
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!Module32First + 2 7C863EDA 9 Bytes JMP 3EE8F2C5
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!Module32NextW + 2 7C863FBE 6 Bytes JMP 3EE8DDAD
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!Module32Next + 2 7C86405F 9 Bytes JMP 3EE8B2AB
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!GetBinaryTypeW 7C86783C 5 Bytes JMP 3EE8EC64
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] kernel32.dll!GetBinaryType + 2 7C867C9D 6 Bytes JMP 3EE8BDA1
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] USER32.dll!ExitWindowsEx + 2 77D59E6F 6 Bytes JMP 3EE8848C
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegOpenKeyExW + 2 77F46A7A 6 Bytes JMP 3EE8C527
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegCloseKey + 2 77F46BF2 2 Bytes [ 92, E9 ]
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegCloseKey + 5 77F46BF5 3 Bytes [ 87, F4, C6 ]
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegQueryValueExW + 2 77F46FCA 6 Bytes JMP 3EE8B3AE
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegCreateKeyExW + 2 77F47537 6 Bytes JMP 3EE8F37C
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegOpenKeyExA + 2 77F4761D 6 Bytes JMP 3EE8EB4B
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegQueryValueExA + 2 77F47885 6 Bytes JMP 3EE8BF44
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegEnumValueW + 2 77F48083 6 Bytes JMP 3EE8B931
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegSetValueExW 77F4D7CC 7 Bytes JMP 3EE8B6D6
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegQueryValueW + 2 77F4D8E4 6 Bytes JMP 3EE8CE31
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegCreateKeyExA + 2 77F4EAF6 6 Bytes JMP 3EE8F4CB
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegSetValueExA 77F4EBE7 7 Bytes JMP 3EE8C8CD
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegDeleteValueA + 2 77F4EDE7 6 Bytes JMP 3EE8F931
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegDeleteValueW + 2 77F4EEF3 6 Bytes JMP 3EE8AB59
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegSetValueA + 2 77F56F4B 5 Bytes JMP 3EE8B1B8
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!SetFileSecurityW + 2 77F5AA6B 6 Bytes JMP 3EE8B984
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegEnumValueA + 2 77F5CF4C 6 Bytes JMP 3EE8AE48
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!SetNamedSecurityInfoW + 2 77F61287 6 Bytes JMP 3EE8CD2A
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!CreateProcessAsUserW + 2 77F67777 6 Bytes JMP 3EE88F4B
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegDeleteKeyW + 2 77F69886 6 Bytes JMP 3EE8A048
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!GetFileSecurityW + 2 77F6BCE0 6 Bytes JMP 3EE8A450
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegDeleteKeyA + 2 77F6C125 6 Bytes JMP 3EE8B010
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegQueryInfoKeyA + 2 77F6C1B7 6 Bytes JMP 3EE8CE16
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegOpenKeyA + 2 77F6C41D 6 Bytes JMP 3EE8C2F7
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegQueryValueA + 2 77F6CC12 6 Bytes JMP 3EE8C914
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegQueryInfoKeyW + 2 77F6CCF1 6 Bytes JMP 3EE8A9EF
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!GetNamedSecurityInfoW + 2 77F6D07A 7 Bytes JMP 3EE8B510
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegCreateKeyA + 2 77F6D5BD 6 Bytes JMP 3EE8B600
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!SetFileSecurityA + 2 77F7D2FF 5 Bytes JMP 3EE8D7B0
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!GetFileSecurityA + 2 77F7D365 5 Bytes JMP 3EE8D1AA
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!CreateProcessAsUserA + 2 77F8095A 6 Bytes JMP 3EE87EDE
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!CreateProcessWithLogonW 77F85C9D 5 Bytes JMP 3EE883FD
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!GetNamedSecurityInfoA + 2 77F91546 7 Bytes JMP 3EE8B58C
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!SetNamedSecurityInfoA + 2 77F91592 7 Bytes JMP 3EE8F431
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegQueryMultipleValuesA + 2 77FA553D 6 Bytes JMP 3EE89DB9
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegQueryMultipleValuesW + 2 77FA589F 6 Bytes JMP 3EE8CFD7
.text C:\Documents and Settings\1984\Desktop\gmer\gmer.exe[280] ADVAPI32.dll!RegSetValueW + 2 77FA5FC4 5 Bytes JMP 3EE8EB3D
.text C:\WINDOWS\explorer.exe[584] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 3EE8AD8B
.text C:\WINDOWS\explorer.exe[584] ntdll.dll!NtQueryInformationFile 7C91DFDC 5 Bytes JMP 3EE8FA70
.text C:\WINDOWS\explorer.exe[584] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 3EE8D78F
.text C:\WINDOWS\explorer.exe[584] ntdll.dll!NtReadVirtualMemory 7C91E2BB 5 Bytes JMP 3EE8E76A
.text C:\WINDOWS\explorer.exe[584] ntdll.dll!NtVdmControl 7C91E975 5 Bytes JMP 3EE8ABBE
.text C:\WINDOWS\explorer.exe[584] ntdll.dll!NtWriteVirtualMemory 7C91EA32 5 Bytes JMP 3EE8A79A
.text C:\WINDOWS\explorer.exe[584] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 3EE87B6B
.text C:\WINDOWS\explorer.exe[584] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 3EE88CE2
.text C:\WINDOWS\explorer.exe[584] ntdll.dll!RtlQueryProcessDebugInformation + 2 7C9638ED 6 Bytes JMP 3EE8DE20
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!CreateFileA + 2 7C801A26 6 Bytes JMP 3EE8D16F
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 3EE89627
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!LoadLibraryExA + 2 7C801D51 6 Bytes JMP 3EE88D00
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!LoadLibraryA + 2 7C801D79 7 Bytes JMP 3EE88969
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!ReadProcessMemory + 2 7C8021CE 6 Bytes JMP 3EE8AE50
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!WriteProcessMemory + 2 7C802211 5 Bytes JMP 3EE8D357
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!CreateProcessW + 2 7C802334 5 Bytes JMP 3EE88471
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!CreateProcessA + 2 7C802369 5 Bytes JMP 3EE87E6A
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!FreeLibrary + 2 7C80AA68 7 Bytes JMP 3EE89430
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!GetProcAddress + 2 7C80AC2A 5 Bytes JMP 3EE88CEB
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!LoadLibraryW + 2 7C80ACD5 5 Bytes JMP 3EE88AAE
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!GetFileAttributesW + 2 7C80B5D6 6 Bytes JMP 3EE8F4A7
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!FreeLibraryAndExitThread + 2 7C80CEA3 6 Bytes JMP 3EE88C1E
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!FindFirstFileExW + 2 7C80EC7F 6 Bytes [ F3, F5, 98, 41, E9, EE ]
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!FindFirstFileExW + 9 7C80EC86 2 Bytes [ 68, C2 ]
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!FindFirstFileW + 2 7C80F0E3 5 Bytes JMP 3EE8F148
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!FindNextFileW 7C80F13A 7 Bytes JMP 3EE8E15E
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!CreateFileW + 2 7C810978 6 Bytes JMP 3EE8C788
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!GetFileAttributesExW + 2 7C81130F 6 Bytes JMP 3EE8DDD7
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!GetFileAttributesA + 2 7C81174E 6 Bytes JMP 3EE8EB6D
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!GetFileAttributesExA + 2 7C813533 6 Bytes JMP 3EE8F856
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!FindFirstFileA + 2 7C81355B 9 Bytes JMP 3EE8F819
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!ExitProcess + 2 7C81CAA4 5 Bytes JMP 3EE881E8
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!OpenProcess + 2 7C81E07B 6 Bytes JMP 3EE8B816
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!DeleteFileA + 2 7C81E85E 6 Bytes JMP 3EE8D6CC
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!DeleteFileW + 2 7C81F73F 6 Bytes JMP 3EE8EC8B
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!SetFileAttributesA + 2 7C81FB46 6 Bytes JMP 3EE8D522
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!SetFileAttributesW + 2 7C81FC07 6 Bytes JMP 3EE8F879
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!MoveFileWithProgressW 7C821565 5 Bytes JMP 3EE8BFD9
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!MoveFileWithProgressA + 2 7C8222B5 6 Bytes JMP 3EE8B424
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!OpenFile 7C826B99 5 Bytes JMP 3EE8BEDF
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!FindNextFileA + 2 7C83901B 9 Bytes JMP 3EE89D1C
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!MoveFileExW + 2 7C839921 6 Bytes JMP 3EE8DC00
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!FindFirstFileExA + 2 7C85C2F4 9 Bytes JMP 3EE8EBA3
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!MoveFileExA + 2 7C85D2A5 6 Bytes JMP 3EE8DAAC
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!_lopen + 2 7C85E612 6 Bytes JMP 3EE8D03C
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!WinExec + 2 7C86114F 6 Bytes JMP 3EE8955F
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!Process32FirstW + 2 7C8639D6 6 Bytes JMP 3EE8F958
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!Process32First + 2 7C863A8F 9 Bytes JMP 3EE8A114
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!Process32NextW + 2 7C863B61 6 Bytes JMP 3EE8B40E
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!Process32Next + 2 7C863C02 9 Bytes JMP 3EE8E598
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!Thread32First + 2 7C863CD4 6 Bytes JMP 3EE8D8D7
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!Thread32Next + 2 7C863D88 6 Bytes JMP 3EE8AF57
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!Module32FirstW + 2 7C863E21 3 Bytes JMP 3EE8C17E
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!Module32FirstW + 6 7C863E25 2 Bytes [ 62, C2 ]
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!Module32First + 2 7C863EDA 9 Bytes JMP 3EE8F2C5
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!Module32NextW + 2 7C863FBE 6 Bytes JMP 3EE8DDAD
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!Module32Next + 2 7C86405F 9 Bytes JMP 3EE8B2AB
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!GetBinaryTypeW 7C86783C 5 Bytes JMP 3EE8EC64
.text C:\WINDOWS\explorer.exe[584] kernel32.dll!GetBinaryType + 2 7C867C9D 6 Bytes JMP 3EE8BDA1
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegOpenKeyExW + 2 77F46A7A 6 Bytes JMP 3EE8C527
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegCloseKey + 2 77F46BF2 2 Bytes [ D6, E9 ]
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegCloseKey + 5 77F46BF5 3 Bytes [ 87, F4, C6 ]
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegQueryValueExW + 2 77F46FCA 6 Bytes JMP 3EE8B3AE
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegCreateKeyExW + 2 77F47537 6 Bytes JMP 3EE8F37C
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegOpenKeyExA + 2 77F4761D 6 Bytes JMP 3EE8EB4B
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegQueryValueExA + 2 77F47885 6 Bytes JMP 3EE8BF44
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegEnumValueW + 2 77F48083 6 Bytes JMP 3EE8B931
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegSetValueExW 77F4D7CC 7 Bytes JMP 3EE8B6D6
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegQueryValueW + 2 77F4D8E4 6 Bytes JMP 3EE8CE31
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegCreateKeyExA + 2 77F4EAF6 6 Bytes JMP 3EE8F4CB
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegSetValueExA 77F4EBE7 7 Bytes JMP 3EE8C8CD
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegDeleteValueA + 2 77F4EDE7 6 Bytes JMP 3EE8F931
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegDeleteValueW + 2 77F4EEF3 6 Bytes JMP 3EE8AB59
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegSetValueA + 2 77F56F4B 5 Bytes JMP 3EE8B1B8
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!SetFileSecurityW + 2 77F5AA6B 6 Bytes JMP 3EE8B984
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegEnumValueA + 2 77F5CF4C 6 Bytes JMP 3EE8AE48
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!SetNamedSecurityInfoW + 2 77F61287 6 Bytes JMP 3EE8CD2A
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!CreateProcessAsUserW + 2 77F67777 6 Bytes JMP 3EE88F4B
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegDeleteKeyW + 2 77F69886 6 Bytes JMP 3EE8A048
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!GetFileSecurityW + 2 77F6BCE0 6 Bytes JMP 3EE8A450
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegDeleteKeyA + 2 77F6C125 6 Bytes JMP 3EE8B010
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegQueryInfoKeyA + 2 77F6C1B7 6 Bytes JMP 3EE8CE16
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegOpenKeyA + 2 77F6C41D 6 Bytes JMP 3EE8C2F7
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegQueryValueA + 2 77F6CC12 6 Bytes JMP 3EE8C914
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegQueryInfoKeyW + 2 77F6CCF1 6 Bytes JMP 3EE8A9EF
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!GetNamedSecurityInfoW + 2 77F6D07A 7 Bytes JMP 3EE8B510
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegCreateKeyA + 2 77F6D5BD 6 Bytes JMP 3EE8B600
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!SetFileSecurityA + 2 77F7D2FF 5 Bytes JMP 3EE8D7B0
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!GetFileSecurityA + 2 77F7D365 5 Bytes JMP 3EE8D1AA
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!CreateProcessAsUserA + 2 77F8095A 6 Bytes JMP 3EE87EDE
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!CreateProcessWithLogonW 77F85C9D 5 Bytes JMP 3EE883FD
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!GetNamedSecurityInfoA + 2 77F91546 7 Bytes JMP 3EE8B58C
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!SetNamedSecurityInfoA + 2 77F91592 7 Bytes JMP 3EE8F431
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegQueryMultipleValuesA + 2 77FA553D 6 Bytes JMP 3EE89DB9
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegQueryMultipleValuesW + 2 77FA589F 6 Bytes JMP 3EE8CFD7
.text C:\WINDOWS\explorer.exe[584] ADVAPI32.dll!RegSetValueW + 2 77FA5FC4 5 Bytes JMP 3EE8EB3D
.text C:\WINDOWS\explorer.exe[584] USER32.dll!ExitWindowsEx + 2 77D59E6F 6 Bytes JMP 3EE8848C
.text C:\WINDOWS\explorer.exe[584] PSAPI.DLL!EnumProcessModules 76BB1F1C 5 Bytes JMP 3EE8E944
.t
Avatar utente
miniver
Neo Iscritto
Neo Iscritto
 
Messaggi: 10
Iscritto il: mar gen 23, 2007 11:44 pm
Top

Messaggioda Amantide » ven gen 26, 2007 9:13 pm

Solo rileggendo per ennesima volta quel wintems.exe mi è venuto in mente che questo è un file che si installa con Bagle. Non ci avevo pensato perché di solito viene nascosto da rootkit, quello visibile rimane solo hldrrr.exe

Leggi questa guida e, se riesci a d usare in qualche modo Avenger, magari rinominandolo, esegui questo script:

Files to delete:
C:\Documents and Settings\1984\Dati applicazioni\hidires\m_hook.sys
C:\Documents and Settings\1984\Dati applicazioni\hidires\hidr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe

folders to delete:
C:\Documents and Settings\1984\Dati applicazioni\hidires
C:\WINDOWS\exefld

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr

Fammi sapere se riesci ad eseguire lo script, magari prova anche ad usare Avenger dalla modalità provvisoria.
...per volare alto, bisogna saper cadere...
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo
Top

Messaggioda Amantide » ven gen 26, 2007 9:44 pm

Sto guardando che oltre al bagle hai anche altri virus, tra quali anche LinkOptimizer.

Per far funzionare Avenger dovresti eliminare prima questi file, dalla modalità provvisoria o con aiuto di Unlocker o KillBox:
c:\windows\ibmdrv.exe
c:\windows\nvidiadrv.exe
c:\windows\toshibachecker.exe

Se non riuscirai ad individuarli, prova prima di abilitare la visualizzazione dei file nascosti (apri una cartella qualsiasi, vai su Strumenti --> Opzioni cartella --> Visualizzazione e spunta Visualizza file e cartelle nascosti).

Dopo apri il registro di sistema (Start--> Esegui--> scrivi regedit), tramite espansione delle schede arriva fino alla chiave
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon e nella scheda a destra trova la voce UserInit. Fai il doppio click sopra e nella riga Dati valori assicurati di lasciare solo questa parte, la virgola finale compresa:
C:\WINDOWS\system32\userinit.exe,

Immagine

Una volta che hai risolto con Avenger, puoi eseguire anche questo scipt:

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

files to delete:
C:\WINDOWS\com4.unp

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ibmdrv
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | nvidiadrv

Fine [acc2]
...per volare alto, bisogna saper cadere...
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo
Top

Messaggioda miniver » lun gen 29, 2007 7:56 pm

Ho cancellato i file dal registro, ma quando con avenger (che ora parte [:)] ) provo a copiare-incollare gli script da te forniti mi dice che è impossibile creare il file zip... [cry]

Inoltre approfitto...nel Task Manager ci sono aperti LEXBCES.EXE e LEXPPS.EXE, riferibili alla Lexmark installata, e vari applicazioni di AVG ANTIVIRUS (avgamsvr.exe, avgupsvc.exe e avgemc.exe) nonchè nvsvc32.exe che sono indicati sotto l'utente SYSTEM ma che non comprendo che utilità possano avere..
Ultima modifica di miniver il lun gen 29, 2007 8:10 pm, modificato 1 volta in totale.
Avatar utente
miniver
Neo Iscritto
Neo Iscritto
 
Messaggi: 10
Iscritto il: mar gen 23, 2007 11:44 pm
Top

Messaggioda Amantide » lun gen 29, 2007 8:07 pm

Prova ad eseguire gli script una parte alla volte, se non va nemmeno cosi postami lo screenshot o la descrizione completa dell'errore.

P.S. Hai estratto Avenger dall'archivio prima di eseguirlo?
...per volare alto, bisogna saper cadere...
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo
Top

Messaggioda miniver » lun gen 29, 2007 8:12 pm

Amantide ha scritto:Prova ad eseguire gli script una parte alla volte, se non va nemmeno cosi postami lo screenshot o la descrizione completa dell'errore.

P.S. Hai estratto Avenger dall'archivio prima di eseguirlo?


Sopra ho aggiunto delle cose al post...

SI ho estratto Avenger e anche provato uno alla volta...

L'errore è questo:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 0
Avatar utente
miniver
Neo Iscritto
Neo Iscritto
 
Messaggi: 10
Iscritto il: mar gen 23, 2007 11:44 pm
Top

Messaggioda Amantide » lun gen 29, 2007 8:40 pm

Avrei il dubbio che Avenger sia stato danneggiato.
Prova a riscaricarlo ed eseguire lo script dalla modalità provvisoria.

Questo processo lo puoi disabilitare lexpps.exe, non è indispensabile
http://www.castlecops.com/s1838-lexpps_exe.html
Altro invece, LEXBCES.EXE, serve per far funzionare la stampante.
Tutti i processi di AVG Antivirus sono indispensabili, questo nvsvc32.exe è relativo ai driver nvidia.
...per volare alto, bisogna saper cadere...
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo
Top

Messaggioda miniver » lun gen 29, 2007 9:20 pm

Amantide ha scritto:Avrei il dubbio che Avenger sia stato danneggiato.
Prova a riscaricarlo ed eseguire lo script dalla modalità provvisoria.

Questo processo lo puoi disabilitare lexpps.exe, non è indispensabile
http://www.castlecops.com/s1838-lexpps_exe.html
Altro invece, LEXBCES.EXE, serve per far funzionare la stampante.
Tutti i processi di AVG Antivirus sono indispensabili, questo nvsvc32.exe è relativo ai driver nvidia.


questo è il risultato dello script:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\cpqnrial

*******************

Script file located at: \??\C:\Documents and Settings\vfjahcpk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\com4.unp not found!
Deletion of file C:\WINDOWS\com4.unp failed!

Could not process line:
C:\WINDOWS\com4.unp
Status: 0xc0000034

Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.


Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|ibmdrv
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|ibmdrv failed!
Status: 0xc0000034



Could not delete registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|nvidiadrv
Deletion of registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|nvidiadrv failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.



Inoltre il file della Lexmark non me lo fa chiudere se faccio termina operazione.. [boh]
Avatar utente
miniver
Neo Iscritto
Neo Iscritto
 
Messaggi: 10
Iscritto il: mar gen 23, 2007 11:44 pm
Top

Messaggioda Amantide » lun gen 29, 2007 9:54 pm

Per impedire a quel processo di Lexmark di avviarsi ad ogni boot del sistema, vai su Start--> Esegui scrivi msconfig, vai sulla scheda Avvio, trova e deseleziona il file desiderato.

Avevi eseguito anche il primo script per Avenger? Quello per eliminare il worm Bagle?
Leggi anche questo articolo, facendo maggiore attenzione alla parte Cenni finali.
...per volare alto, bisogna saper cadere...
Avatar utente
Amantide
Membro Ufficiale (Gold)
Membro Ufficiale (Gold)
 
Messaggi: 8126
Iscritto il: lun feb 06, 2006 4:13 pm
Località: Abruzzo
Top
Rispondi al messaggio

Torna a Sicurezza

Chi c’è in linea

Visitano il forum: Nessuno e 6 ospiti

Powered by phpBB © 2002, 2005, 2007, 2008 phpBB Group
Traduzione Italiana phpBB.it

megalab.it: testata telematica quotidiana registrata al Tribunale di Cosenza n. 22/09 del 13.08.2009, editore Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. a socio unico - P.I. 02947530784. GRUPPO EDIZIONI MASTER Spa Tutti i diritti sono riservati. Per la pubblicità: Master Advertising