Unknown Problem

Post by king27 » Sun Mar 11, 2007 8:20 pm

Hi everyone [:D],
I'm new to the forum!
Last night I caught hldrrr.exe / german.exe ...
AVG antivirus, Kerio and Ewido out of action! I disconnected the network, removed those programs, etc..!!!...
To keep it short, I'm posting the GMER logs right away (win xp pro)!

Rootkit:
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-11 19:07:58
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.12 ----

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE BA749636

---- Modules - GMER 1.0.12 ----

Module (noname) (*** hidden *** ) 9421C000
Module (noname) (*** hidden *** ) 9421C000

---- EOF - GMER 1.0.12 ----

--------------------------------------------------------------------------------------------

Autostart:

GMER 1.0.12.12086 - http://www.gmer.net
Autostart scan 2007-03-11 19:07:00
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName = Ati2evxx.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
DirectUpdate /*DirectUpdate engine*/@ = "C:\PROGRA~1\DIRECT~2\DUService.exe"
IISADMIN /*Amministrazione di IIS*/@ = C:\WINDOWS\system32\inetsrv\inetinfo.exe
IOLO_SRV /*iolo System Guard*/@ = C:\Programmi\iolo\System Mechanic Professional 6\IoloSGCtrl.exe /*file not found*/
MSFtpsvc /*Pubblicazione FTP*/@ = %SystemRoot%\system32\inetsrv\inetinfo.exe
PersFw /*Kerio Personal Firewall*/@ = C:\Programmi\Kerio\Personal Firewall\persfw.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
TabletService /*TabletService*/@ = C:\WINDOWS\system32\Tablet.exe
viritsvclite /*Virit eXplorer Lite*/@ = C:\VEXPLITE\viritsvc.exe
W3SVC /*Pubblicazione sul Web*/@ = %SystemRoot%\system32\inetsrv\inetinfo.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ALi5289C:\Programmi\ULI5289\ALi5289.exe = C:\Programmi\ULI5289\ALi5289.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@VIRIT LITE MONITORC:\VEXPLITE\MONLITE.EXE = C:\VEXPLITE\MONLITE.EXE
@WinPatrolC:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe = C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@FreeMem Pro"C:\PROGRA~1\FREEME~1\fmempro.exe" autostart = "C:\PROGRA~1\FREEME~1\fmempro.exe" autostart
@RocketDock"C:\Programmi\RocketDock\RocketDock.exe" = "C:\Programmi\RocketDock\RocketDock.exe"

HKLM\Software\Classes\.hta@ =

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{EE337094-9F50-4B8C-9B53-C00F52A3289B} /*GF Shell Extension*/C:\Programmi\File comuni\onOne Software Shared\lt_lib_gf_iconShellEx.dll = C:\Programmi\File comuni\onOne Software Shared\lt_lib_gf_iconShellEx.dll
@{5a61f7a0-cde1-11cf-9113-00aa00425c62} /*IIS Shell Extension*/C:\WINDOWS\system32\inetsrv\w3ext.dll = C:\WINDOWS\system32\inetsrv\w3ext.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Programmi\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{AE7CD045-E861-484f-8273-0445EE161910}C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll = C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.pdf@Location = C:\Programmi\Internet Explorer\PLUGINS\nppdf32.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.google.it/

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = Adobe Gamma Loader.lnk

---- EOF - GMER 1.0.12 ----

--------------------------------------------------------------------------------------------

Full log:

2007-03-11 15:02:46 gmer.sys System [4]: LoadDriver system32\DRIVERS\msgpc.sys
2007-03-11 15:02:46 gmer.sys System [4]: LoadDriver system32\DRIVERS\ipnat.sys
2007-03-11 15:02:46 gmer.sys System [4]: LoadDriver system32\DRIVERS\wanarp.sys
2007-03-11 15:02:46 gmer.sys System [4]: CreateProcess C:\WINDOWS\system32\smss.exe
2007-03-11 15:02:46 gmer.sys smss.exe [340]: CreateProcess C:\WINDOWS\system32\autochk.exe
2007-03-11 15:02:47 gmer.sys smss.exe [340]: CreateProcess C:\WINDOWS\system32\smrgdf.exe
2007-03-11 15:02:47 gmer.sys smss.exe [340]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs
2007-03-11 15:02:47 gmer.sys smss.exe [340]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Fastfat
2007-03-11 15:02:50 gmer.sys smss.exe [340]: CreateProcess C:\WINDOWS\system32\csrss.exe
2007-03-11 15:02:50 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\drivers\dxg.sys
2007-03-11 15:02:51 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\ati2dvag.dll
2007-03-11 15:02:51 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\ati2cqag.dll
2007-03-11 15:02:51 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\atikvmag.dll
2007-03-11 15:02:51 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\vga.dll
2007-03-11 15:02:51 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\ati2dvag.dll
2007-03-11 15:02:51 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\ati2cqag.dll
2007-03-11 15:02:51 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\atikvmag.dll
2007-03-11 15:02:51 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\ati3duag.dll
2007-03-11 15:02:51 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\ativvaxx.dll
2007-03-11 15:02:51 gmer.sys smss.exe [340]: CreateProcess C:\WINDOWS\system32\winlogon.exe
2007-03-11 15:02:51 gmer.sys winlogon.exe [428]: CreateProcess C:\WINDOWS\system32\services.exe
2007-03-11 15:02:51 gmer.sys winlogon.exe [428]: CreateProcess C:\WINDOWS\system32\lsass.exe
2007-03-11 15:02:52 gmer.sys csrss.exe [428]: LoadDriver \SystemRoot\System32\ATMFD.DLL
2007-03-11 15:02:52 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 15:02:52 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 15:02:52 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 15:02:52 gmer.sys winlogon.exe [428]: CreateProcess C:\WINDOWS\system32\logonui.exe
2007-03-11 15:02:52 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\spoolsv.exe
2007-03-11 15:02:52 gmer.sys svchost.exe [728]: LoadDriver system32\DRIVERS\rdbss.sys
2007-03-11 15:02:52 gmer.sys svchost.exe [728]: LoadDriver system32\DRIVERS\mrxsmb.sys
2007-03-11 15:02:52 gmer.sys services.exe [472]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\ParVdm
2007-03-11 15:02:52 gmer.sys services.exe [472]: CreateProcess C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
2007-03-11 15:02:53 gmer.sys services.exe [472]: CreateProcess C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
2007-03-11 15:02:53 gmer.sys services.exe [472]: CreateProcess C:\PROGRA~1\DIRECT~2\DUService.exe
2007-03-11 15:02:53 gmer.sys services.exe [472]: CreateProcess C:\Programmi\ewido anti-spyware 4.0\guard.exe
2007-03-11 15:02:53 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\inetsrv\inetinfo.exe
2007-03-11 15:02:54 gmer.sys services.exe [472]: CreateProcess C:\Programmi\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
2007-03-11 15:02:54 gmer.sys services.exe [472]: CreateProcess C:\Programmi\Kerio\Personal Firewall\PERSFW.exe
2007-03-11 15:02:55 gmer.sys svchost.exe [728]: LoadDriver system32\DRIVERS\srv.sys
2007-03-11 15:02:55 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 15:02:56 gmer.sys svchost.exe [728]: LoadDriver system32\DRIVERS\ipnat.sys
2007-03-11 15:02:57 gmer.sys Tablet.exe [1408]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 15:02:57 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\alg.exe
2007-03-11 15:03:06 gmer.sys winlogon.exe [428]: CreateProcess C:\WINDOWS\system32\ati2evxx.exe
2007-03-11 15:03:06 gmer.sys winlogon.exe [428]: CreateProcess C:\WINDOWS\system32\userinit.exe
2007-03-11 15:03:07 gmer.sys userinit.exe [1824]: CreateProcess C:\WINDOWS\explorer.exe
2007-03-11 15:03:15 gmer.sys Tablet.exe [1408]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 15:03:17 gmer.sys Tablet.exe [1408]: CreateProcess C:\WINDOWS\system32\WTablet\TabUserW.exe
2007-03-11 15:03:17 gmer.sys Tablet.exe [1408]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 15:03:17 gmer.sys explorer.exe [1896]: CreateProcess C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
2007-03-11 15:03:17 gmer.sys explorer.exe [1896]: CreateProcess C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
2007-03-11 15:03:17 gmer.sys explorer.exe [1896]: CreateProcess C:\Programmi\ULI5289\ALi5289.exe
2007-03-11 15:03:17 gmer.sys explorer.exe [1896]: CreateProcess C:\Programmi\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
2007-03-11 15:03:17 gmer.sys explorer.exe [1896]: CreateProcess C:\Programmi\QuickTime\qttask.exe
2007-03-11 15:03:17 gmer.sys explorer.exe [1896]: CreateProcess C:\Programmi\FreeMem Professional\fmempro.exe
2007-03-11 15:03:18 gmer.sys explorer.exe [1896]: CreateProcess C:\Programmi\RocketDock\RocketDock.exe
2007-03-11 15:03:18 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 15:03:18 gmer.sys explorer.exe [1896]: CreateProcess C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
2007-03-11 15:03:19 gmer.sys svchost.exe [628]: CreateProcess C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
2007-03-11 15:03:22 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\imapi.exe
2007-03-11 15:03:31 gmer.sys explorer.exe [1896]: CreateProcess C:\Documents and Settings\king27\Desktop\gmer.exe
2007-03-11 15:03:41 gmer.sys svchost.exe [728]: CreateProcess C:\WINDOWS\system32\wuauclt.exe
2007-03-11 15:13:16 gmer.sys svchost.exe [728]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 15:13:28 gmer.sys explorer.exe [1896]: CreateProcess C:\Documents and Settings\king27\Desktop\catchme.exe
2007-03-11 15:13:48 gmer.sys explorer.exe [1896]: CreateProcess I:\EliBaglA.exe
2007-03-11 15:14:14 gmer.sys explorer.exe [1896]: CreateProcess C:\WINDOWS\regedit.exe
2007-03-11 15:14:55 gmer.sys explorer.exe [1896]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 15:20:57 gmer.sys explorer.exe [1896]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 15:26:23 gmer.sys gmer.exe [1452]: CreateProcess C:\WINDOWS\regedit.exe
2007-03-11 15:44:57 gmer.sys RocketDock.exe [156]: CreateProcess C:\WINDOWS\system32\notepad.exe
2007-03-11 15:53:26 gmer.sys svchost.exe [728]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 15:53:51 gmer.sys explorer.exe [1896]: CreateProcess C:\Documents and Settings\king27\Desktop\3E68386.exe
2007-03-11 15:53:51 gmer.sys 3E68386.exe [844]: CreateProcess C:\Documents and Settings\king27\Desktop\3E68386.exe
2007-03-11 15:54:20 gmer.sys winlogon.exe [428]: CreateProcess C:\WINDOWS\system32\logonui.exe
2007-03-11 15:54:23 gmer.sys svchost.exe [728]: CreateProcess C:\WINDOWS\system32\wuauclt.exe
2007-03-11 15:54:23 gmer.sys Tablet.exe [1408]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 15:55:45 gmer.sys System [4]: LoadDriver system32\DRIVERS\msgpc.sys
2007-03-11 15:55:45 gmer.sys System [4]: LoadDriver system32\DRIVERS\ipnat.sys
2007-03-11 15:55:45 gmer.sys System [4]: LoadDriver system32\DRIVERS\wanarp.sys
2007-03-11 15:55:45 gmer.sys System [4]: CreateProcess C:\WINDOWS\system32\smss.exe
2007-03-11 15:55:45 gmer.sys smss.exe [340]: CreateProcess C:\WINDOWS\system32\autochk.exe
2007-03-11 15:55:47 gmer.sys smss.exe [340]: CreateProcess C:\WINDOWS\system32\smrgdf.exe
2007-03-11 15:55:47 gmer.sys smss.exe [340]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs
2007-03-11 15:55:47 gmer.sys smss.exe [340]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Fastfat
2007-03-11 15:55:50 gmer.sys smss.exe [340]: CreateProcess C:\WINDOWS\system32\csrss.exe
2007-03-11 15:55:50 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\drivers\dxg.sys
2007-03-11 15:55:50 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\ati2dvag.dll
2007-03-11 15:55:50 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\ati2cqag.dll
2007-03-11 15:55:50 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\atikvmag.dll
2007-03-11 15:55:50 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\vga.dll
2007-03-11 15:55:50 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\ati2dvag.dll
2007-03-11 15:55:50 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\ati2cqag.dll
2007-03-11 15:55:50 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\atikvmag.dll
2007-03-11 15:55:51 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\ati3duag.dll
2007-03-11 15:55:51 gmer.sys csrss.exe [404]: LoadDriver \SystemRoot\System32\ativvaxx.dll
2007-03-11 15:55:51 gmer.sys smss.exe [340]: CreateProcess C:\WINDOWS\system32\winlogon.exe
2007-03-11 15:55:51 gmer.sys winlogon.exe [428]: CreateProcess C:\WINDOWS\system32\services.exe
2007-03-11 15:55:51 gmer.sys winlogon.exe [428]: CreateProcess C:\WINDOWS\system32\lsass.exe
2007-03-11 15:55:51 gmer.sys csrss.exe [428]: LoadDriver \SystemRoot\System32\ATMFD.DLL
2007-03-11 15:55:51 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 15:55:51 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 15:55:52 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 15:55:52 gmer.sys winlogon.exe [428]: CreateProcess C:\WINDOWS\system32\logonui.exe
2007-03-11 15:55:52 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\spoolsv.exe
2007-03-11 15:55:52 gmer.sys svchost.exe [728]: LoadDriver system32\DRIVERS\rdbss.sys
2007-03-11 15:55:52 gmer.sys svchost.exe [728]: LoadDriver system32\DRIVERS\mrxsmb.sys
2007-03-11 15:55:52 gmer.sys services.exe [472]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\ParVdm
2007-03-11 15:55:52 gmer.sys services.exe [472]: CreateProcess C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
2007-03-11 15:55:52 gmer.sys services.exe [472]: CreateProcess C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
2007-03-11 15:55:52 gmer.sys services.exe [472]: CreateProcess C:\PROGRA~1\DIRECT~2\DUService.exe
2007-03-11 15:55:52 gmer.sys services.exe [472]: CreateProcess C:\Programmi\ewido anti-spyware 4.0\guard.exe
2007-03-11 15:55:52 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\inetsrv\inetinfo.exe
2007-03-11 15:55:54 gmer.sys services.exe [472]: CreateProcess C:\Programmi\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
2007-03-11 15:55:54 gmer.sys services.exe [472]: CreateProcess C:\Programmi\Kerio\Personal Firewall\PERSFW.exe
2007-03-11 15:55:54 gmer.sys svchost.exe [728]: LoadDriver system32\DRIVERS\srv.sys
2007-03-11 15:55:55 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 15:55:55 gmer.sys svchost.exe [728]: LoadDriver system32\DRIVERS\ipnat.sys
2007-03-11 15:55:56 gmer.sys Tablet.exe [1400]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 15:55:56 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\alg.exe
2007-03-11 15:56:40 gmer.sys svchost.exe [728]: CreateProcess C:\WINDOWS\system32\wuauclt.exe
2007-03-11 15:58:33 gmer.sys winlogon.exe [428]: CreateProcess C:\WINDOWS\system32\ati2evxx.exe
2007-03-11 15:58:33 gmer.sys winlogon.exe [428]: CreateProcess C:\WINDOWS\system32\userinit.exe
2007-03-11 15:58:45 gmer.sys Tablet.exe [1400]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 15:58:45 gmer.sys userinit.exe [2040]: CreateProcess C:\WINDOWS\explorer.exe
2007-03-11 15:58:47 gmer.sys Tablet.exe [1400]: CreateProcess C:\WINDOWS\system32\WTablet\TabUserW.exe
2007-03-11 15:58:47 gmer.sys Tablet.exe [1400]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 15:58:47 gmer.sys explorer.exe [360]: CreateProcess C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
2007-03-11 15:58:47 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 15:58:48 gmer.sys explorer.exe [360]: CreateProcess C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
2007-03-11 15:58:48 gmer.sys explorer.exe [360]: CreateProcess C:\Programmi\ULI5289\ALi5289.exe
2007-03-11 15:58:48 gmer.sys explorer.exe [360]: CreateProcess C:\Programmi\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
2007-03-11 15:58:48 gmer.sys explorer.exe [360]: CreateProcess C:\Programmi\QuickTime\qttask.exe
2007-03-11 15:58:48 gmer.sys explorer.exe [360]: CreateProcess C:\Documents and Settings\king27\Desktop\3E68386.exe
2007-03-11 15:58:48 gmer.sys explorer.exe [360]: CreateProcess C:\Programmi\FreeMem Professional\fmempro.exe
2007-03-11 15:58:48 gmer.sys explorer.exe [360]: CreateProcess C:\Programmi\RocketDock\RocketDock.exe
2007-03-11 15:58:48 gmer.sys 3E68386.exe [988]: CreateProcess C:\Documents and Settings\king27\Desktop\3E68386.exe
2007-03-11 15:58:48 gmer.sys explorer.exe [360]: CreateProcess C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
2007-03-11 15:58:50 gmer.sys svchost.exe [628]: CreateProcess C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
2007-03-11 15:58:50 gmer.sys 3E68386.exe [1360]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 15:58:54 gmer.sys services.exe [472]: CreateProcess C:\WINDOWS\system32\imapi.exe
2007-03-11 15:59:20 gmer.sys explorer.exe [360]: CreateProcess C:\Documents and Settings\king27\Desktop\avenger.exe
2007-03-11 16:02:06 gmer.sys svchost.exe [728]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 16:02:16 gmer.sys explorer.exe [360]: CreateProcess C:\Documents and Settings\king27\Desktop\vnlt6162.exe
2007-03-11 16:02:17 gmer.sys vnlt6162.exe [2236]: CreateProcess C:\DOCUME~1\king27\IMPOST~1\Temp\WZSE0.TMP\setup.exe
2007-03-11 16:02:39 gmer.sys setup.exe [2244]: CreateProcess C:\VEXPLITE\tgsvcstp.exe
2007-03-11 16:02:44 gmer.sys services.exe [472]: CreateProcess C:\VEXPLITE\viritsvc.exe
2007-03-11 16:02:44 gmer.sys setup.exe [2244]: CreateProcess C:\VEXPLITE\viritexp.exe
2007-03-11 16:22:25 gmer.sys svchost.exe [728]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 16:22:40 gmer.sys explorer.exe [360]: CreateProcess C:\Programmi\WinRAR\WinRAR.exe
2007-03-11 16:23:07 gmer.sys explorer.exe [360]: CreateProcess C:\Documents and Settings\king27\Desktop\sarsfx\sargui.exe
2007-03-11 16:23:10 gmer.sys sargui.exe [2884]: CreateProcess C:\DOCUME~1\king27\IMPOST~1\Temp\ncnwbg.exe
2007-03-11 16:23:10 gmer.sys services.exe [472]: LoadDriver \??\C:\WINDOWS\system32\1.tmp
2007-03-11 16:27:05 gmer.sys sargui.exe [2884]: CreateProcess C:\DOCUME~1\king27\IMPOST~1\Temp\bcrcgr.exe
2007-03-11 16:29:27 gmer.sys sargui.exe [2884]: CreateProcess C:\DOCUME~1\king27\IMPOST~1\Temp\gvflnp.exe
2007-03-11 16:38:27 gmer.sys explorer.exe [360]: CreateProcess C:\WINDOWS\system32\taskmgr.exe
2007-03-11 16:41:09 gmer.sys RocketDock.exe [1316]: CreateProcess C:\Programmi\Internet Explorer\IEXPLORE.EXE
2007-03-11 16:42:13 gmer.sys explorer.exe [360]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 16:42:56 gmer.sys rundll32.exe [3332]: CreateProcess C:\wamp\unins000.exe
2007-03-11 16:42:56 gmer.sys unins000.exe [3368]: CreateProcess C:\DOCUME~1\king27\IMPOST~1\Temp\_iu14D2N.tmp
2007-03-11 16:42:57 gmer.sys _iu14D2N.tmp [3380]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 16:42:57 gmer.sys cmd.exe [3388]: CreateProcess C:\wamp\Apache2\bin\Apache.exe
2007-03-11 16:42:58 gmer.sys cmd.exe [3388]: CreateProcess C:\wamp\mysql\bin\mysqld-nt.exe
2007-03-11 16:42:58 gmer.sys cmd.exe [3388]: CreateProcess C:\wamp\wampserver.exe
2007-03-11 16:43:22 gmer.sys explorer.exe [360]: CreateProcess C:\Documents and Settings\king27\Desktop\gmer.exe
2007-03-11 16:44:48 gmer.sys rundll32.exe [3332]: CreateProcess C:\Programmi\ewido anti-spyware 4.0\Uninstall.exe
2007-03-11 16:44:48 gmer.sys Uninstall.exe [3620]: CreateProcess C:\DOCUME~1\king27\IMPOST~1\Temp\~nsu.tmp\Au_.exe
2007-03-11 16:44:56 gmer.sys Au_.exe [3632]: CreateProcess C:\Programmi\ewido anti-spyware 4.0\guard.exe
2007-03-11 16:45:06 gmer.sys sargui.exe [2884]: CreateProcess C:\WINDOWS\winhlp32.exe
2007-03-11 16:50:27 gmer.sys explorer.exe [360]: CreateProcess C:\WINDOWS\regedit.exe
2007-03-11 16:51:09 gmer.sys rundll32.exe [3332]: CreateProcess C:\Programmi\Grisoft\AVG7\setup.exe
2007-03-11 16:56:31 gmer.sys setup.exe [4084]: CreateProcess C:\DOCUME~1\king27\IMPOST~1\Temp\setup.exe
2007-03-11 16:58:25 gmer.sys rundll32.exe [3332]: CreateProcess C:\Programmi\iolo\System Mechanic Professional 6\UninstallSMPro.exe
2007-03-11 16:58:27 gmer.sys UninstallSMPro. [2120]: CreateProcess C:\Programmi\iolo\System Mechanic Professional 6\unins000.exe
2007-03-11 16:58:27 gmer.sys unins000.exe [1712]: CreateProcess C:\DOCUME~1\king27\IMPOST~1\Temp\_iu14D2N.tmp
2007-03-11 16:58:40 gmer.sys winlogon.exe [428]: CreateProcess C:\WINDOWS\system32\logonui.exe
2007-03-11 16:58:42 gmer.sys Tablet.exe [1400]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 16:58:42 gmer.sys svchost.exe [728]: CreateProcess C:\WINDOWS\system32\wuauclt.exe
2007-03-11 17:00:10 gmer.sys System [4]: LoadDriver System32\drivers\dmboot.sys
2007-03-11 17:00:11 gmer.sys System [4]: CreateProcess C:\WINDOWS\system32\smss.exe
2007-03-11 17:00:11 gmer.sys smss.exe [164]: CreateProcess C:\WINDOWS\system32\autochk.exe
2007-03-11 17:00:13 gmer.sys smss.exe [164]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs
2007-03-11 17:00:13 gmer.sys smss.exe [164]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Fastfat
2007-03-11 17:00:14 gmer.sys smss.exe [164]: CreateProcess C:\WINDOWS\system32\csrss.exe
2007-03-11 17:00:15 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\drivers\dxg.sys
2007-03-11 17:00:15 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\vga.dll
2007-03-11 17:00:15 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\framebuf.dll
2007-03-11 17:00:15 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\vga256.dll
2007-03-11 17:00:15 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\vga64k.dll
2007-03-11 17:00:15 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\vga.dll
2007-03-11 17:00:15 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\vga.dll
2007-03-11 17:00:15 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\framebuf.dll
2007-03-11 17:00:16 gmer.sys smss.exe [164]: CreateProcess C:\WINDOWS\system32\winlogon.exe
2007-03-11 17:00:18 gmer.sys winlogon.exe [240]: CreateProcess C:\WINDOWS\system32\services.exe
2007-03-11 17:00:18 gmer.sys winlogon.exe [240]: CreateProcess C:\WINDOWS\system32\lsass.exe
2007-03-11 17:00:19 gmer.sys csrss.exe [240]: LoadDriver \SystemRoot\System32\ATMFD.DLL
2007-03-11 17:00:20 gmer.sys services.exe [284]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 17:00:20 gmer.sys winlogon.exe [240]: CreateProcess C:\WINDOWS\system32\logonui.exe
2007-03-11 17:00:20 gmer.sys services.exe [284]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 17:02:27 gmer.sys winlogon.exe [240]: CreateProcess C:\WINDOWS\system32\ati2evxx.exe
2007-03-11 17:02:27 gmer.sys winlogon.exe [240]: CreateProcess C:\WINDOWS\system32\userinit.exe
2007-03-11 17:02:27 gmer.sys userinit.exe [820]: CreateProcess C:\WINDOWS\explorer.exe
2007-03-11 17:03:05 gmer.sys explorer.exe [840]: CreateProcess C:\Documents and Settings\king27\Desktop\gmer.exe
2007-03-11 17:03:26 gmer.sys explorer.exe [840]: CreateProcess C:\Documents and Settings\king27\Desktop\RootkitBuster.exe
2007-03-11 17:03:51 gmer.sys explorer.exe [840]: CreateProcess C:\Documents and Settings\king27\Desktop\EliBaglA.exe
2007-03-11 17:04:23 gmer.sys explorer.exe [840]: CreateProcess C:\Documents and Settings\king27\Desktop\3E68386.exe
2007-03-11 17:04:23 gmer.sys 3E68386.exe [968]: CreateProcess C:\Documents and Settings\king27\Desktop\3E68386.exe
2007-03-11 17:04:33 gmer.sys winlogon.exe [240]: CreateProcess C:\WINDOWS\system32\logonui.exe
2007-03-11 17:05:39 gmer.sys System [4]: LoadDriver System32\drivers\dmboot.sys
2007-03-11 17:05:39 gmer.sys System [4]: CreateProcess C:\WINDOWS\system32\smss.exe
2007-03-11 17:05:39 gmer.sys smss.exe [164]: CreateProcess C:\WINDOWS\system32\autochk.exe
2007-03-11 17:05:41 gmer.sys smss.exe [164]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs
2007-03-11 17:05:41 gmer.sys smss.exe [164]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Fastfat
2007-03-11 17:05:43 gmer.sys smss.exe [164]: CreateProcess C:\WINDOWS\system32\csrss.exe
2007-03-11 17:05:43 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\drivers\dxg.sys
2007-03-11 17:05:43 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\vga.dll
2007-03-11 17:05:43 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\framebuf.dll
2007-03-11 17:05:43 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\vga256.dll
2007-03-11 17:05:43 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\vga64k.dll
2007-03-11 17:05:43 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\vga.dll
2007-03-11 17:05:43 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\vga.dll
2007-03-11 17:05:43 gmer.sys csrss.exe [216]: LoadDriver \SystemRoot\System32\framebuf.dll
2007-03-11 17:05:44 gmer.sys smss.exe [164]: CreateProcess C:\WINDOWS\system32\winlogon.exe
2007-03-11 17:05:46 gmer.sys winlogon.exe [240]: CreateProcess C:\WINDOWS\system32\services.exe
2007-03-11 17:05:46 gmer.sys winlogon.exe [240]: CreateProcess C:\WINDOWS\system32\lsass.exe
2007-03-11 17:05:47 gmer.sys csrss.exe [240]: LoadDriver \SystemRoot\System32\ATMFD.DLL
2007-03-11 17:05:47 gmer.sys services.exe [284]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 17:05:48 gmer.sys services.exe [284]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 17:05:48 gmer.sys winlogon.exe [240]: CreateProcess C:\WINDOWS\system32\logonui.exe
2007-03-11 17:05:59 gmer.sys winlogon.exe [240]: CreateProcess C:\WINDOWS\system32\ati2evxx.exe
2007-03-11 17:05:59 gmer.sys winlogon.exe [240]: CreateProcess C:\WINDOWS\system32\userinit.exe
2007-03-11 17:06:00 gmer.sys userinit.exe [708]: CreateProcess C:\WINDOWS\explorer.exe
2007-03-11 17:06:08 gmer.sys explorer.exe [728]: CreateProcess C:\Documents and Settings\king27\Desktop\gmer.exe
2007-03-11 17:07:51 gmer.sys explorer.exe [728]: CreateProcess C:\WINDOWS\system32\verclsid.exe
2007-03-11 17:07:52 gmer.sys explorer.exe [728]: CreateProcess C:\Programmi\WinRAR\WinRAR.exe
2007-03-11 17:07:56 gmer.sys WinRAR.exe [948]: CreateProcess C:\WINDOWS\system32\notepad.exe
2007-03-11 17:08:39 gmer.sys explorer.exe [728]: CreateProcess C:\WINDOWS\system32\verclsid.exe
2007-03-11 17:08:50 gmer.sys explorer.exe [728]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 17:09:22 gmer.sys explorer.exe [728]: CreateProcess C:\Programmi\WinRAR\WinRAR.exe
2007-03-11 17:09:28 gmer.sys explorer.exe [728]: CreateProcess E:\[Applicazioni]\[Utility]\kerio personal firewall 2.1.4\kerio-pf-214-en-win.exe
2007-03-11 17:09:33 gmer.sys kerio-pf-214-en [1076]: CreateProcess C:\DOCUME~1\king27\IMPOST~1\Temp\pft3~tmp\Disk1\Setup.exe
2007-03-11 17:09:38 gmer.sys explorer.exe [728]: CreateProcess C:\Programmi\WinRAR\WinRAR.exe
2007-03-11 17:09:38 gmer.sys Setup.exe [1084]: CreateProcess C:\Programmi\File comuni\InstallShield\Engine\6\Intel 32\IKernel.exe
2007-03-11 17:19:53 gmer.sys explorer.exe [728]: CreateProcess C:\Documents and Settings\king27\Desktop\gmer.exe
2007-03-11 17:20:10 gmer.sys winlogon.exe [240]: CreateProcess C:\WINDOWS\system32\logonui.exe
2007-03-11 17:21:17 gmer.sys System [4]: LoadDriver system32\DRIVERS\msgpc.sys
2007-03-11 17:21:17 gmer.sys System [4]: LoadDriver system32\DRIVERS\ipnat.sys
2007-03-11 17:21:17 gmer.sys System [4]: LoadDriver system32\DRIVERS\wanarp.sys
2007-03-11 17:21:17 gmer.sys System [4]: CreateProcess C:\WINDOWS\system32\smss.exe
2007-03-11 17:21:17 gmer.sys smss.exe [316]: CreateProcess C:\WINDOWS\system32\autochk.exe
2007-03-11 17:21:19 gmer.sys smss.exe [316]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs
2007-03-11 17:21:19 gmer.sys smss.exe [316]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Fastfat
2007-03-11 17:21:22 gmer.sys smss.exe [316]: CreateProcess C:\WINDOWS\system32\csrss.exe
2007-03-11 17:21:22 gmer.sys csrss.exe [372]: LoadDriver \SystemRoot\System32\drivers\dxg.sys
2007-03-11 17:21:23 gmer.sys csrss.exe [372]: LoadDriver \SystemRoot\System32\ati2dvag.dll
2007-03-11 17:21:23 gmer.sys csrss.exe [372]: LoadDriver \SystemRoot\System32\ati2cqag.dll
2007-03-11 17:21:23 gmer.sys csrss.exe [372]: LoadDriver \SystemRoot\System32\atikvmag.dll
2007-03-11 17:21:23 gmer.sys csrss.exe [372]: LoadDriver \SystemRoot\System32\vga.dll
2007-03-11 17:21:23 gmer.sys csrss.exe [372]: LoadDriver \SystemRoot\System32\ati2dvag.dll
2007-03-11 17:21:23 gmer.sys csrss.exe [372]: LoadDriver \SystemRoot\System32\ati2cqag.dll
2007-03-11 17:21:23 gmer.sys csrss.exe [372]: LoadDriver \SystemRoot\System32\atikvmag.dll
2007-03-11 17:21:23 gmer.sys csrss.exe [372]: LoadDriver \SystemRoot\System32\ati3duag.dll
2007-03-11 17:21:23 gmer.sys csrss.exe [372]: LoadDriver \SystemRoot\System32\ativvaxx.dll
2007-03-11 17:21:23 gmer.sys smss.exe [316]: CreateProcess C:\WINDOWS\system32\winlogon.exe
2007-03-11 17:21:23 gmer.sys winlogon.exe [396]: CreateProcess C:\WINDOWS\system32\services.exe
2007-03-11 17:21:24 gmer.sys winlogon.exe [396]: CreateProcess C:\WINDOWS\system32\lsass.exe
2007-03-11 17:21:24 gmer.sys csrss.exe [396]: LoadDriver \SystemRoot\System32\ATMFD.DLL
2007-03-11 17:21:24 gmer.sys services.exe [440]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 17:21:24 gmer.sys services.exe [440]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 17:21:24 gmer.sys services.exe [440]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 17:21:25 gmer.sys services.exe [440]: CreateProcess C:\WINDOWS\system32\spoolsv.exe
2007-03-11 17:21:25 gmer.sys svchost.exe [696]: LoadDriver system32\DRIVERS\rdbss.sys
2007-03-11 17:21:25 gmer.sys svchost.exe [696]: LoadDriver system32\DRIVERS\mrxsmb.sys
2007-03-11 17:21:25 gmer.sys services.exe [440]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\ParVdm
2007-03-11 17:21:25 gmer.sys services.exe [440]: CreateProcess C:\PROGRA~1\DIRECT~2\DUService.exe
2007-03-11 17:21:25 gmer.sys services.exe [440]: CreateProcess C:\WINDOWS\system32\inetsrv\inetinfo.exe
2007-03-11 17:21:25 gmer.sys services.exe [440]: CreateProcess C:\Programmi\Kerio\Personal Firewall\PERSFW.exe
2007-03-11 17:21:25 gmer.sys svchost.exe [696]: LoadDriver system32\DRIVERS\srv.sys
2007-03-11 17:21:25 gmer.sys services.exe [440]: CreateProcess C:\VEXPLITE\viritsvc.exe
2007-03-11 17:21:25 gmer.sys winlogon.exe [396]: CreateProcess C:\WINDOWS\system32\logonui.exe
2007-03-11 17:21:26 gmer.sys services.exe [440]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 17:21:26 gmer.sys svchost.exe [696]: LoadDriver system32\DRIVERS\ipnat.sys
2007-03-11 17:21:27 gmer.sys Tablet.exe [1276]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 17:21:27 gmer.sys services.exe [440]: CreateProcess C:\WINDOWS\system32\alg.exe
2007-03-11 17:22:11 gmer.sys svchost.exe [696]: CreateProcess C:\WINDOWS\system32\wuauclt.exe
2007-03-11 17:22:28 gmer.sys Tablet.exe [1276]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 17:22:29 gmer.sys winlogon.exe [396]: CreateProcess C:\WINDOWS\system32\ati2evxx.exe
2007-03-11 17:22:29 gmer.sys winlogon.exe [396]: CreateProcess C:\WINDOWS\system32\userinit.exe
2007-03-11 17:22:29 gmer.sys userinit.exe [1756]: CreateProcess C:\WINDOWS\explorer.exe
2007-03-11 17:22:30 gmer.sys Tablet.exe [1276]: CreateProcess C:\WINDOWS\system32\WTablet\TabUserW.exe
2007-03-11 17:22:30 gmer.sys Tablet.exe [1276]: CreateProcess C:\WINDOWS\system32\Tablet.exe
2007-03-11 17:22:31 gmer.sys explorer.exe [1828]: CreateProcess C:\Programmi\ULI5289\ALi5289.exe
2007-03-11 17:22:31 gmer.sys explorer.exe [1828]: CreateProcess C:\Programmi\QuickTime\qttask.exe
2007-03-11 17:22:31 gmer.sys services.exe [440]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 17:22:31 gmer.sys explorer.exe [1828]: CreateProcess C:\VEXPLITE\monlite.exe
2007-03-11 17:22:31 gmer.sys explorer.exe [1828]: CreateProcess C:\Documents and Settings\king27\Desktop\3E68386.exe
2007-03-11 17:22:31 gmer.sys explorer.exe [1828]: CreateProcess C:\Programmi\FreeMem Professional\fmempro.exe
2007-03-11 17:22:31 gmer.sys 3E68386.exe [1968]: CreateProcess C:\Documents and Settings\king27\Desktop\3E68386.exe
2007-03-11 17:22:31 gmer.sys explorer.exe [1828]: CreateProcess C:\Programmi\RocketDock\RocketDock.exe
2007-03-11 17:22:31 gmer.sys explorer.exe [1828]: CreateProcess C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
2007-03-11 17:22:34 gmer.sys 3E68386.exe [2008]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 17:22:40 gmer.sys services.exe [440]: CreateProcess C:\WINDOWS\system32\imapi.exe
2007-03-11 17:22:44 gmer.sys svchost.exe [696]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 17:23:12 gmer.sys explorer.exe [1828]: CreateProcess C:\WINDOWS\system32\verclsid.exe
2007-03-11 17:23:24 gmer.sys explorer.exe [1828]: CreateProcess C:\Documents and Settings\king27\Desktop\winpatrol101.exe
2007-03-11 17:23:26 gmer.sys winpatrol101.ex [444]: CreateProcess C:\WINDOWS\system32\ntvdm.exe
2007-03-11 17:23:29 gmer.sys ntvdm.exe [652]: CreateProcess C:\WINDOWS\Temp\_INS0432._MP
2007-03-11 17:23:33 gmer.sys _INS0432._MP [716]: CreateProcess C:\WINDOWS\explorer.exe
2007-03-11 17:23:33 gmer.sys monlite.exe [1960]: CreateProcess C:\VEXPLITE\viritexp.exe
2007-03-11 17:23:52 gmer.sys _INS0432._MP [716]: CreateProcess C:\WINDOWS\regedit.exe
2007-03-11 17:23:52 gmer.sys _INS0432._MP [716]: CreateProcess C:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
2007-03-11 17:24:02 gmer.sys WINPAT~1.EXE [504]: CreateProcess C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrolEx.exe
2007-03-11 17:26:44 gmer.sys WinPatrolEx.exe [1628]: CreateProcess C:\Programmi\Internet Explorer\IEXPLORE.EXE
2007-03-11 17:28:14 gmer.sys explorer.exe [1828]: CreateProcess C:\Documents and Settings\king27\Desktop\gmer.exe
2007-03-11 17:36:09 gmer.sys explorer.exe [1828]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 17:36:15 gmer.sys rundll32.exe [1396]: CreateProcess C:\WINDOWS\system32\notepad.exe
2007-03-11 17:43:39 gmer.sys WinPatrolEx.exe [1628]: CreateProcess C:\Programmi\Internet Explorer\IEXPLORE.EXE
2007-03-11 17:44:30 gmer.sys WinPatrolEx.exe [1628]: CreateProcess C:\WINDOWS\system32\regsvr32.exe
2007-03-11 17:49:29 gmer.sys RocketDock.exe [2016]: CreateProcess C:\Programmi\Adobe\Photoshop CS\ImageReady.exe
2007-03-11 17:50:28 gmer.sys explorer.exe [1828]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 17:50:31 gmer.sys rundll32.exe [1532]: CreateProcess C:\WINDOWS\system32\notepad.exe
2007-03-11 17:51:12 gmer.sys explorer.exe [1828]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 17:51:15 gmer.sys rundll32.exe [1400]: CreateProcess C:\WINDOWS\system32\notepad.exe
2007-03-11 17:59:42 gmer.sys svchost.exe [696]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 17:59:54 gmer.sys explorer.exe [1828]: CreateProcess C:\WINDOWS\system32\verclsid.exe
2007-03-11 17:59:54 gmer.sys explorer.exe [1828]: CreateProcess C:\Programmi\WinRAR\WinRAR.exe
2007-03-11 17:59:59 gmer.sys explorer.exe [1828]: CreateProcess C:\Programmi\WinRAR\WinRAR.exe
2007-03-11 18:00:06 gmer.sys explorer.exe [1828]: CreateProcess C:\Documents and Settings\king27\Desktop\RootkitRevealer\RootkitRevealer.exe
2007-03-11 18:00:07 gmer.sys services.exe [440]: CreateProcess C:\DOCUME~1\king27\IMPOST~1\Temp\NHUQCAXHBGV.exe
2007-03-11 18:00:08 gmer.sys NHUQCAXHBGV.exe [1000]: LoadDriver \??\C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
2007-03-11 18:01:08 gmer.sys NHUQCAXHBGV.exe [1000]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:01:08 gmer.sys cmd.exe [840]: CreateProcess C:\WINDOWS\system32\chcp.com
2007-03-11 18:01:08 gmer.sys cmd.exe [840]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:02:13 gmer.sys NHUQCAXHBGV.exe [1000]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:02:13 gmer.sys cmd.exe [924]: CreateProcess C:\WINDOWS\system32\chcp.com
2007-03-11 18:02:13 gmer.sys cmd.exe [924]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:02:48 gmer.sys NHUQCAXHBGV.exe [1000]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:02:48 gmer.sys cmd.exe [1040]: CreateProcess C:\WINDOWS\system32\chcp.com
2007-03-11 18:02:48 gmer.sys cmd.exe [1040]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:02:56 gmer.sys explorer.exe [1828]: CreateProcess C:\WINDOWS\system32\verclsid.exe
2007-03-11 18:02:56 gmer.sys explorer.exe [1828]: CreateProcess C:\WINDOWS\system32\verclsid.exe
2007-03-11 18:04:17 gmer.sys NHUQCAXHBGV.exe [1000]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:04:17 gmer.sys cmd.exe [1972]: CreateProcess C:\WINDOWS\system32\chcp.com
2007-03-11 18:04:17 gmer.sys cmd.exe [1972]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:04:22 gmer.sys NHUQCAXHBGV.exe [1000]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:04:22 gmer.sys cmd.exe [588]: CreateProcess C:\WINDOWS\system32\chcp.com
2007-03-11 18:04:22 gmer.sys cmd.exe [588]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:14:19 gmer.sys explorer.exe [1828]: CreateProcess C:\WINDOWS\regedit.exe
2007-03-11 18:30:57 gmer.sys RocketDock.exe [2016]: CreateProcess C:\Programmi\Macromedia\Dreamweaver 8\Dreamweaver.exe
2007-03-11 18:33:16 gmer.sys svchost.exe [696]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2007-03-11 18:35:07 gmer.sys explorer.exe [1828]: CreateProcess C:\WINDOWS\regedit.exe
2007-03-11 18:36:04 gmer.sys explorer.exe [1828]: CreateProcess C:\Documents and Settings\king27\Desktop\blbeta.exe
2007-03-11 18:36:04 gmer.sys blbeta.exe [456]: CreateProcess C:\Documents and Settings\king27\Desktop\blbeta.exe
2007-03-11 18:36:09 gmer.sys services.exe [440]: LoadDriver \??\C:\DOCUME~1\king27\IMPOST~1\Temp\F-Secure\BlackLight\fsbldrv.sys
2007-03-11 18:39:34 gmer.sys NHUQCAXHBGV.exe [1000]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:39:34 gmer.sys cmd.exe [1520]: CreateProcess C:\WINDOWS\system32\chcp.com
2007-03-11 18:39:34 gmer.sys cmd.exe [1520]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:40:45 gmer.sys NHUQCAXHBGV.exe [1000]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:40:45 gmer.sys cmd.exe [1072]: CreateProcess C:\WINDOWS\system32\chcp.com
2007-03-11 18:40:45 gmer.sys cmd.exe [1072]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:41:34 gmer.sys RocketDock.exe [2016]: CreateProcess C:\Programmi\Macromedia\Dreamweaver 8\Dreamweaver.exe
2007-03-11 18:41:37 gmer.sys NHUQCAXHBGV.exe [1000]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:41:37 gmer.sys cmd.exe [1984]: CreateProcess C:\WINDOWS\system32\chcp.com
2007-03-11 18:41:37 gmer.sys cmd.exe [1984]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:43:14 gmer.sys NHUQCAXHBGV.exe [1000]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:43:14 gmer.sys cmd.exe [496]: CreateProcess C:\WINDOWS\system32\chcp.com
2007-03-11 18:43:14 gmer.sys cmd.exe [496]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:43:16 gmer.sys NHUQCAXHBGV.exe [1000]: CreateProcess C:\WINDOWS\system32\cmd.exe
2007-03-11 18:43:16 gmer.sys cmd.exe [260]: CreateProcess C:\WINDOWS\system32\chcp.com
2007-03-11 18:43:16 gmer.sys cmd.exe [260]: CreateProcess C:\WINDOWS\system32\cmd.exe

thanks a lot :)
king27, New member, Posts: 5, Joined: Sun Mar 11, 2007 7:53 pm

Post by crazy.cat » Sun Mar 11, 2007 8:34 pm

The autostart section log would have been enough; this way you also captured a bunch of programs that happened to be open at that moment, which only clutter the log.

Try giving this script to Avenger:

Files to delete:
C:\Documents and Settings\king27\Dati applicazioni\hidires\m_hook.sys
C:\Documents and Settings\king27\Dati applicazioni\hidires\hidr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\hldrrr.exe

folders to delete:
C:\Documents and Settings\king27\Dati applicazioni\hidires
C:\WINDOWS\exefld

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK

registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | hldrrr

To fix the rest of the problems caused by the virus, read Amantide's article
http://www.MegaLab.it/2657

crazy.cat, MLI Hero, Posts: 30959, Joined: Mon Jan 12, 2004 1:38 pm, Location: Mestre

Post by king27 » Sun Mar 11, 2007 8:43 pm

I've already run the entries you posted, successfully :)

now I'll try going through all the keys on the page you pointed me to

Thanks a lot

I'll let you know! heheh as soon as the CPU goes back to normal usage levels

yo!


Post by king27 » Sun Mar 11, 2007 9:01 pm

I've checked all the steps you indicated :( files, keys, etc...
but no luck!

GMER keeps showing me those 2 hidden modules in the rootkit section! CPU at 100% :(

S.O.S!

---- Devices - GMER 1.0.12 ----

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE BA749636

---- Modules - GMER 1.0.12 ----

Module (noname) (*** hidden *** ) 9421C000
Module (noname) (*** hidden *** ) 9421C000

---- EOF - GMER 1.0.12 ----

Post by king27 » Sun Mar 11, 2007 9:15 pm

now the rootkit section shows the following lines... and I haven't done anything :(


? C:\WINDOWS\System32\Drivers\RKREVEAL150.sys The system cannot find the file specified
? C:\WINDOWS\System32\Drivers\RKREVEAL150.sys The system cannot find the file specified

Module (noname) (*** hidden *** ) 9421C000


HELP!

Post by The King of GnG » Sun Mar 11, 2007 10:10 pm

king27 wrote: now the rootkit section shows the following lines... and I haven't done anything :(


? C:\WINDOWS\System32\Drivers\RKREVEAL150.sys The system cannot find the file specified
? C:\WINDOWS\System32\Drivers\RKREVEAL150.sys The system cannot find the file specified

Module (noname) (*** hidden *** ) 9421C000


HELP!


From the command prompt.....

sc stop RKREVEAL150.sys
sc delete RKREVEAL150.sys
"People should just buy a cd and rip it. You are legal then" - William Henry Gates III (known as "Bill")

The King of GnG, Official Member (Gold), Posts: 11144, Joined: Wed Mar 02, 2005 8:24 pm, Location: La Biblioteca di Babele

Post by Amantide » Sun Mar 11, 2007 10:35 pm

The King of GnG wrote:
king27 wrote: now the rootkit section shows the following lines... and I haven't done anything :(


? C:\WINDOWS\System32\Drivers\RKREVEAL150.sys The system cannot find the file specified
? C:\WINDOWS\System32\Drivers\RKREVEAL150.sys The system cannot find the file specified

Module (noname) (*** hidden *** ) 9421C000


HELP!


From the command prompt.....

sc stop RKREVEAL150.sys
sc delete RKREVEAL150.sys

It's a "good" rootkit, belonging to Rootkit Revealer.

@ alfò
The sc stop and sc delete commands are used to stop and delete the whole service, not just the file, so the .sys shouldn't be put in the command.


In fact, the GMER logs show that Bagle has been removed. Another thing you notice is a lot of .exe files in the temporary files folder. They might be legitimate, but they don't inspire confidence in me.

Meanwhile, run this script for Avenger:

Files to delete:
C:\DOCUME~1\king27\IMPOST~1\Temp\NHUQCAXHBGV.exe
C:\DOCUME~1\king27\IMPOST~1\Temp\pft3~tmp\Disk1\Setup.exe
C:\DOCUME~1\king27\IMPOST~1\Temp\setup.exe
C:\DOCUME~1\king27\IMPOST~1\Temp\~nsu.tmp\Au_.exe
C:\DOCUME~1\king27\IMPOST~1\Temp\bcrcgr.exe
C:\DOCUME~1\king27\IMPOST~1\Temp\gvflnp.exe
C:\DOCUME~1\king27\IMPOST~1\Temp\ncnwbg.exe
C:\WINDOWS\system32\1.tmp
C:\DOCUME~1\king27\IMPOST~1\Temp\WZSE0.TMP\setup.exe


Afterwards, run a scan with Kaspersky online and post the scan report here.
...to fly high, you must know how to fall...

Amantide, Official Member (Gold), Posts: 8126, Joined: Mon Feb 06, 2006 4:13 pm, Location: Abruzzo
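The replies above triage the GMER process-monitor log by eye: services.exe starting an image out of Temp, a driver loaded by explicit file path, a pile of executables in the temporary folder, and the reminder that `sc stop`/`sc delete` take the service name rather than the .sys file. The following Python script is an added example that does the same reading mechanically; it is not code from the thread, from GMER or from any of the posters. The sample lines are copied from the log posted above, except the final hidr.exe line, which is constructed from the path in crazy.cat's Avenger script. The user-writable directory list and the privileged-parent set are my heuristics, and `sc_commands` assumes the service name equals the driver file name without .sys, which the thread does not confirm for anything other than RKREVEAL150.

```python
import re
from dataclasses import dataclass

# One GMER process-monitor line, e.g.
# 2007-03-11 18:00:07 gmer.sys services.exe [440]: CreateProcess C:\DOCUME~1\king27\IMPOST~1\Temp\NHUQCAXHBGV.exe
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) gmer\.sys "
    r"(?P<parent>\S+) \[(?P<pid>\d+)\]: (?P<event>CreateProcess|LoadDriver) (?P<target>.+)$"
)

# Heuristic (mine, not GMER's): directories an ordinary user can write to.
# A service image or kernel driver living here is the lead Amantide's reply builds on.
USER_WRITABLE = re.compile(r"\\(Temp|Desktop|Dati applicazioni|Application Data)\\", re.I)

# Heuristic: parents that should only ever start system components or registered services.
PRIVILEGED_PARENTS = {"services.exe", "winlogon.exe", "smss.exe", "System"}


@dataclass(frozen=True)
class Event:
    ts: str
    parent: str
    pid: int
    event: str   # "CreateProcess" or "LoadDriver"
    target: str  # image path, \??\ driver path, or registry service key


def parse(text: str) -> list:
    """Keep the lines that match the GMER format; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["parent"], int(m["pid"]), m["event"], m["target"]))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(events) -> list:
    """Return (reason, event) pairs worth a second look, in log order."""
    findings = []
    for e in events:
        in_user_dir = bool(USER_WRITABLE.search(e.target))
        if e.event == "LoadDriver":
            # \Registry\... and \SystemRoot\... loads are routine boot-time loads;
            # a \??\ path means a driver was loaded straight from a file.
            if not e.target.startswith("\\??\\"):
                continue
            reason = ("kernel driver loaded from user-writable dir" if in_user_dir
                      else "kernel driver loaded by explicit file path")
            findings.append((reason, e))
        elif in_user_dir:
            reason = ("service image in user-writable dir" if e.parent in PRIVILEGED_PARENTS
                      else "program started from user-writable dir")
            findings.append((reason, e))
    return findings


def temp_executables(events) -> list:
    """Distinct .exe images started from a Temp directory (the list Amantide's script targets)."""
    return sorted({e.target for e in events
                   if e.event == "CreateProcess"
                   and re.search(r"\\Temp\\", e.target, re.I)
                   and e.target.lower().endswith(".exe")})


def process_tree(events) -> dict:
    """Parent image name -> child image names, in log order."""
    tree = {}
    for e in events:
        if e.event == "CreateProcess":
            tree.setdefault(e.parent, []).append(basename(e.target))
    return tree


def sc_commands(driver_path: str) -> list:
    """sc commands to stop and unregister the service behind a driver file.
    Assumption (not stated by the thread): the service name is the file name
    without .sys.  Confirm against the Services section of the GMER autostart
    log before running; sc takes the service name, never the .sys file."""
    name = basename(driver_path)
    if name.lower().endswith(".sys"):
        name = name[:-4]
    return [f"sc stop {name}", f"sc delete {name}"]


# Sample input: lines copied from the log above, plus one constructed Bagle-style
# line (hidr.exe path taken from crazy.cat's Avenger script).
SAMPLE_LOG = r"""
2007-03-11 17:21:24 gmer.sys services.exe [440]: CreateProcess C:\WINDOWS\system32\svchost.exe
2007-03-11 17:21:19 gmer.sys smss.exe [316]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs
2007-03-11 17:22:31 gmer.sys explorer.exe [1828]: CreateProcess C:\Programmi\QuickTime\qttask.exe
2007-03-11 17:22:31 gmer.sys explorer.exe [1828]: CreateProcess C:\Documents and Settings\king27\Desktop\3E68386.exe
2007-03-11 18:00:07 gmer.sys services.exe [440]: CreateProcess C:\DOCUME~1\king27\IMPOST~1\Temp\NHUQCAXHBGV.exe
2007-03-11 18:00:08 gmer.sys NHUQCAXHBGV.exe [1000]: LoadDriver \??\C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
2007-03-11 18:36:09 gmer.sys services.exe [440]: LoadDriver \??\C:\DOCUME~1\king27\IMPOST~1\Temp\F-Secure\BlackLight\fsbldrv.sys
2007-03-11 17:22:31 gmer.sys explorer.exe [1828]: CreateProcess C:\Documents and Settings\king27\Dati applicazioni\hidires\hidr.exe
"""

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for reason, e in triage(evs):
        print(f"{reason:45} {e.parent} -> {e.target}")
    for drv in (e.target for e in evs if e.event == "LoadDriver" and e.target.startswith("\\??\\")):
        print("; ".join(sc_commands(drv)))
```

Run against the sample, the script flags exactly the things the thread argued about: NHUQCAXHBGV.exe as a service image in Temp, RKREVEAL150.SYS and fsbldrv.sys as drivers loaded by file path, and the Desktop and Application Data executables. The thread then shows why these are leads rather than verdicts: NHUQCAXHBGV.exe and RKREVEAL150.SYS turn out to be RootkitRevealer's own randomly named copy and its driver, and fsbldrv.sys belongs to F-Secure BlackLight, while the same pattern is exactly how the Bagle components in the first Avenger script are installed.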

Post by The King of GnG » Sun Mar 11, 2007 10:47 pm

Amantide wrote:
It's a "good" rootkit, belonging to Rootkit Revealer.

Post by king27 » Mon Mar 12, 2007 2:19 pm

I was trying to reinstall AVG7 antivirus ... at the end of the installation it reports errors about avg... .sys driver files that it can't load!

Meanwhile, every so often WinPatrol warns me that a program... whose name I can't read... with extension .scr according to it .. Company name %1 /S wants to modify the file NOTEPAD.EXE %1 ...

in the rootkit section gmer no longer flags yesterday's hidden modules in red... and gives:

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-12 13:15:25
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\System32\Drivers\avgclean.sys The system cannot find the file specified.
? C:\WINDOWS\System32\Drivers\AVG7RSW.SYS The system cannot find the file specified.
.text ntdll.dll!NtClose 7C91D586 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateFile 7C91D682 5 Bytes JMP 7203455D
.text ntdll.dll!NtCreateKey 7C91D6D6 5 Bytes JMP 72034F66
.text ntdll.dll!NtCreateProcess 7C91D754 5 Bytes JMP 72034445
.text ntdll.dll!NtCreateProcessEx 7C91D769 5 Bytes JMP 72034329
.text ntdll.dll!NtCreateSection 7C91D793 5 Bytes JMP 720342D8
.text ntdll.dll!NtLoadDriver 7C91DB6E 5 Bytes JMP 72034936
.text ntdll.dll!NtSetValueKey 7C91E7BC 5 Bytes JMP 7203503A
.text ntdll.dll!NtWriteFile 7C91E9F3 5 Bytes JMP 720347B3

---- EOF - GMER 1.0.12 ----

CPU still at 100% - explorer and maybe also one svchost with far too high memory usage!

HELP :(

Post by crazy.cat » Mon Mar 12, 2007 2:45 pm

Get CCleaner and have it clear the temporary internet files and the Temp folder, so we get rid of some junk.

Then go to the Kaspersky site
http://www.kaspersky.com/virusscanner
and run an online scan; when it finishes, save the resulting log and post it here, so we can see how many viruses there are on your PC.


megalab.it: daily online publication registered with the Court of Cosenza, no. 22/09 of 13.08.2009, publisher Master New Media S.r.l.; © Copyright 2008 Master New Media S.r.l. sole-shareholder company - VAT no. 02947530784. GRUPPO EDIZIONI MASTER Spa. All rights reserved. For advertising: Master Advertising