Unknown trojan, impossible to delete..........

Post by mykyj » Mon Feb 05, 2007 5:10 pm

Hi everyone, for about a month now I have been trying to remove a virus without success. As a firewall I use Kerio, and it is Kerio that warns me that this file is trying to access the trusted zone or to launch other applications; the file's name changes every time. Today it is n€gmaa.exe. I delete it because Kerio tells me it is in the Windows temp folder, and indeed if I open that folder the file is there, with red lips as its icon. I delete it, and at the next reboot I find it again under the name kszcca.exe, qwamaa.exe, xyjtaa.exe, etc. What seems strange to me is that searching Google for these names turns up nothing, as if nobody had ever caught or even heard of these files. I tried to follow the guide I found on pcalsicuro because it seemed that the virus it described was mine, but I did not find the keys it told me to look for. An online scan with Kaspersky says it is trojan.win32.dialer.ru; I ran scans with Avenger and GMER but they find nothing. I do not know what else to do. Can anyone tell me what I can try to remove this file? I am attaching the Kerio screenshot so you can understand better.
Image
mykyj
Aficionado
Posts: 89
Joined: Tue May 30, 2006 12:44 am

Post by crazy.cat » Mon Feb 05, 2007 5:17 pm

Can you post the Kaspersky scan log here?
Are you sure it didn't find other infected files?

Post the HijackThis scan log as well.
When the many govern, they think only of pleasing themselves; the result is the most foolish and most odious tyranny: tyranny disguised as freedom.
crazy.cat
MLI Hero
Posts: 30959
Joined: Mon Jan 12, 2004 1:38 pm
Location: Mestre

Post by mykyj » Tue Feb 06, 2007 5:47 pm

Well, I'm not sure this is the Kaspersky scan log you mean; I'm attaching the image
Image
and then there is this one, which is the name of the virus
Image
now I'll make the HijackThis log and then post it [;)] [;)]
mykyj
Aficionado
Posts: 89
Joined: Tue May 30, 2006 12:44 am


Post by Amantide » Tue Feb 06, 2007 6:11 pm

mykyj wrote: Well, I'm not sure this is the Kaspersky scan log you mean; I'm attaching the image

Actually you should have clicked the Save Report As... button and pasted the result here as text.
You can see that 3 infected files were detected, whereas the image shows only one.
...to fly high, you have to know how to fall...
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Post by mykyj » Wed Feb 07, 2007 8:26 pm

Amantide wrote:
mykyj wrote: Well, I'm not sure this is the Kaspersky scan log you mean; I'm attaching the image

Actually you should have clicked the Save Report As... button and pasted the result here as text.
You can see that 3 infected files were detected, whereas the image shows only one.

Indeed, I thought I had got something wrong [:-H] anyway I'll redo everything now, because last night my brother used the PC and today, as soon as I switched it on, Antivir reported a virus [:p] so I'll see whether it managed to remove it, and then I'll also make the HijackThis log and post everything so you can help me better [^]
mykyj
Aficionado
Posts: 89
Joined: Tue May 30, 2006 12:44 am

Post by mykyj » Wed Feb 07, 2007 10:21 pm

Well, for now here is the HijackThis log, which looks clean to me:
Logfile of HijackThis v1.99.1
Scan saved at 20.59.08, on 07/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Olivetti\ANY_WAY\olMntrService.exe
C:\Programmi\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programmi\LClock\LClock.exe
C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Programmi\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Programmi\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Programmi\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virgilio.it/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Programmi\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Programmi\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LClock] C:\Programmi\LClock\LClock.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programmi\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Compila Modulo - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Personalizza - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: RF Barra strumenti - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Salva Moduli - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Compila - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Compila Modulo - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Salva - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Salva Moduli - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Barra strumenti - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Programmi\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C337A1B2-591C-4A72-919B-D273F1A07D6D}: NameServer = 85.37.17.44 85.38.28.90
O20 - Winlogon Notify: SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: olMntrService - Olivetti - C:\Programmi\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programmi\Spyware Terminator\sp_rsser.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Programmi\File comuni\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

I have just run a scan with Antivir, so here is that log too; as you can see, it flags closeapp.exe as a virus, and a search shows it is an application used to close Acrobat programs [uhm] anyway, here is the report:
AntiVir PersonalEdition Classic
Report file date: mercoledì 7 febbraio 2007 19:00

Scanning for 665819 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: User
Computer name: ACER-01VDCN9BDZ

Version information:
BUILD.DAT : 217 12749 Bytes 05/12/2006 17:00:00
AVSCAN.EXE : 7.0.3.5 208936 Bytes 15/01/2007 18:20:58
AVSCAN.DLL : 7.0.3.1 35880 Bytes 13/12/2006 19:07:40
LUKE.DLL : 7.0.3.2 143400 Bytes 13/12/2006 19:07:42
LUKERES.DLL : 7.0.2.0 9256 Bytes 13/12/2006 19:07:42
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31/05/2006 13:41:58
ANTIVIR1.VDF : 6.37.0.153 3131392 Bytes 12/01/2007 13:16:20
ANTIVIR2.VDF : 6.37.1.37 495616 Bytes 05/02/2007 15:30:08
ANTIVIR3.VDF : 6.37.1.51 25600 Bytes 07/02/2007 17:59:12
AVEWIN32.DLL : 7.3.1.34 2290176 Bytes 02/02/2007 00:28:26
AVPREF.DLL : 7.0.2.0 23592 Bytes 13/12/2006 19:07:40
AVREP.DLL : 6.37.1.1 1105960 Bytes 31/01/2007 19:42:32
AVRPBASE.DLL : 7.0.0.0 2162728 Bytes 26/09/2006 13:41:56
AVPACK32.DLL : 7.2.0.5 368680 Bytes 25/10/2006 20:52:00
AVREG.DLL : 7.0.1.2 30760 Bytes 15/01/2007 18:20:58
NETNT.DLL : 6.32.0.0 6696 Bytes 27/09/2005 07:56:50
RCIMAGE.DLL : 7.0.1.3 2097192 Bytes 13/12/2006 19:07:34
RCTEXT.DLL : 7.0.12.1 77864 Bytes 13/12/2006 19:07:34

Configuration settings for the scan:
Jobname..........................: Local Drives
Configuration file...............: C:\Programmi\AntiVir PersonalEdition Classic\alldrives.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: E:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Expanded search settings.........: 0x00007000

Start of the scan: mercoledì 7 febbraio 2007 19:00

The scan of running processes will be started
Scan process 'AVSCAN.EXE' - '1' Modules have been scanned
Scan process 'AVCENTER.EXE' - '1' Modules have been scanned
Scan process 'WMIPRVSE.EXE' - '1' Modules have been scanned
Scan process 'avgnt.exe' - '1' Modules have been scanned
Scan process 'kpf4gui.exe' - '1' Modules have been scanned
Scan process 'kpf4gui.exe' - '1' Modules have been scanned
Scan process 'kpf4ss.exe' - '1' Modules have been scanned
Scan process 'WUAUCLT.EXE' - '1' Modules have been scanned
Scan process 'CTFMON.EXE' - '1' Modules have been scanned
Scan process 'robotaskbaricon.exe' - '1' Modules have been scanned
Scan process 'Spywareterminatorshield.Exe' - '1' Modules have been scanned
Scan process 'LClock.exe' - '1' Modules have been scanned
Scan process 'SynTPEnh.exe' - '1' Modules have been scanned
Scan process 'alg.exe' - '1' Modules have been scanned
Scan process 'SynTPLpr.exe' - '1' Modules have been scanned
Scan process 'BDSS.EXE' - '1' Modules have been scanned
Scan process 'EXPLORER.EXE' - '1' Modules have been scanned
Scan process 'XCOMMSVR.EXE' - '1' Modules have been scanned
Scan process 'WDFMGR.EXE' - '1' Modules have been scanned
Scan process 'SVCHOST.EXE' - '1' Modules have been scanned
Scan process 'SP_RSSER.EXE' - '1' Modules have been scanned
Scan process 'olMntrService.exe' - '1' Modules have been scanned
Scan process 'oodag.exe' - '1' Modules have been scanned
Scan process 'avguard.exe' - '1' Modules have been scanned
Scan process 'csrnbkcm.exe' - '1' Modules have been scanned
Scan process 'sched.exe' - '1' Modules have been scanned
Scan process 'spoolsv.exe' - '1' Modules have been scanned
Scan process 'SVCHOST.EXE' - '1' Modules have been scanned
Scan process 'SVCHOST.EXE' - '1' Modules have been scanned
Scan process 'SVCHOST.EXE' - '1' Modules have been scanned
Scan process 'SVCHOST.EXE' - '1' Modules have been scanned
Scan process 'SVCHOST.EXE' - '1' Modules have been scanned
Scan process 'Ati2evxx.exe' - '1' Modules have been scanned
Scan process 'LSASS.EXE' - '1' Modules have been scanned
Scan process 'SERVICES.EXE' - '1' Modules have been scanned
Scan process 'winlogon.exe' - '1' Modules have been scanned
Scan process 'csrss.exe' - '1' Modules have been scanned
Scan process 'smss.exe' - '1' Modules have been scanned
38 processes with 38 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( 10 files ).


Starting the file scan:

Begin scan in 'C:\' <ACER>
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\closeapp.exe
[DETECTION] Contains signature of the application APPL/CloseApp
[INFO] The file was moved to '463915db.qua'!
C:\WINDOWS\system32\csrnbkcm.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.ABA.2
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\Programmi\eMule\Incoming\Acronis True Image ver.10.0 serial cracks.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.aii.59
[WARNING] The file was ignored!
C:\Programmi\a-squared Anti-Malware\Quarantine\c3c3197def2f28875a3bcfe438613505.a2q
[0] Archive type: ZIP
--> WINDOWS/TEMP/htzlaa.exe
[DETECTION] Is the Trojan horse TR/Dialer.RU.1
[INFO] The file was moved to '462d2c9c.qua'!
Begin scan in 'D:\' <ACERDATA>
Begin scan in 'E:\'
The path E:\ could not be found!
Periferica non pronta.



End of the scan: mercoledì 7 febbraio 2007 20:47
Used time: 1:46:30 min

The scan has been done completely.

4221 Scanning directories
248809 Files were scanned
4 viruses and/or unwanted programs were found
0 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
248805 Files not concerned
6967 Archives were scanned
4 Warnings
14 Notes
Maybe tomorrow I'll run an online scan and post that one too, if that's better [;)] [;)]
mykyj
Aficionado
Posts: 89
Joined: Tue May 30, 2006 12:44 am
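As an added example (not code from the thread or from Avira), here is a small Python parser for the AntiVir PersonalEdition report format posted above. It extracts each [DETECTION] record with its path (archive members included), the detection class and the outcome line, and separates what is still on disk (ignored, or not deletable like csrnbkcm.exe with ErrorID 16003) from what went to quarantine and from APPL/ hits, which are usually legitimate tools. The sample report is a constructed excerpt of the log above; the record and category names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the AntiVir PersonalEdition Classic report format,
# copied from the file-scan section of the log posted above.
SAMPLE_REPORT = """\
Begin scan in 'C:\\' <ACER>
C:\\hiberfil.sys
[WARNING] The file could not be opened!
C:\\WINDOWS\\system32\\closeapp.exe
[DETECTION] Contains signature of the application APPL/CloseApp
[INFO] The file was moved to '463915db.qua'!
C:\\WINDOWS\\system32\\csrnbkcm.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.ABA.2
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\\Programmi\\eMule\\Incoming\\Acronis True Image ver.10.0 serial cracks.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.aii.59
[WARNING] The file was ignored!
C:\\Programmi\\a-squared Anti-Malware\\Quarantine\\c3c3197def2f28875a3bcfe438613505.a2q
[0] Archive type: ZIP
--> WINDOWS/TEMP/htzlaa.exe
[DETECTION] Is the Trojan horse TR/Dialer.RU.1
[INFO] The file was moved to '462d2c9c.qua'!
"""


@dataclass
class Detection:
    path: str                      # file path, or "archive::member" for a hit inside an archive
    name: str                      # AntiVir detection name, e.g. TR/Dldr.Small.ABA.2
    outcome: str                   # quarantined | ignored | not_deleted | unknown
    error_id: Optional[str] = None  # ErrorID reported by the scanner, if any

    @property
    def category(self) -> str:
        # AntiVir prefixes the name with a class: TR/ trojan, APPL/ legitimate-but-misusable tool, ...
        return self.name.split("/", 1)[0]

    @property
    def still_on_disk(self) -> bool:
        # Anything the scanner saw but did not remove is what the helper has to deal with next.
        return self.outcome in ("ignored", "not_deleted")


_PATH_RE = re.compile(r"^[A-Za-z]:\\")             # a record starts with a drive path
_MEMBER_RE = re.compile(r"^-->\s+(.*)$")            # member inside an archive
_DETECT_RE = re.compile(r"^\[DETECTION\].*?\b([A-Z]+/\S+)")
_ERROR_RE = re.compile(r"ErrorID:\s*(\d+)")


def parse_antivir_report(text: str) -> List[Detection]:
    """Walk the report line by line and build one Detection per [DETECTION] line."""
    results: List[Detection] = []
    outer_path: Optional[str] = None    # last plain file path seen
    current_path: Optional[str] = None  # path the next [DETECTION] belongs to
    current: Optional[Detection] = None
    for raw in text.splitlines():
        line = raw.strip()
        if _PATH_RE.match(line):
            outer_path = current_path = line
            current = None
            continue
        m = _MEMBER_RE.match(line)
        if m and outer_path:
            current_path = f"{outer_path}::{m.group(1)}"
            continue
        m = _DETECT_RE.match(line)
        if m and current_path:
            current = Detection(path=current_path, name=m.group(1), outcome="unknown")
            results.append(current)
            continue
        if current is None:
            continue  # status lines for files without a detection (e.g. "could not be opened")
        if line.startswith("[INFO] The file was moved to"):
            current.outcome = "quarantined"
        elif line.startswith("[WARNING] The file was ignored"):
            current.outcome = "ignored"
        elif "not deleted" in line or "could not be deleted" in line:
            current.outcome = "not_deleted"
        m = _ERROR_RE.search(line)
        if m:
            current.error_id = m.group(1)
    return results


def triage(detections: List[Detection]) -> Dict[str, List[Detection]]:
    """Group detections the way a helper reads the report: act on what is still present first."""
    return {
        "still_on_disk": [d for d in detections if d.still_on_disk],
        "quarantined": [d for d in detections if d.outcome == "quarantined"],
        "low_confidence": [d for d in detections if d.category == "APPL"],
    }


if __name__ == "__main__":
    for group, items in triage(parse_antivir_report(SAMPLE_REPORT)).items():
        print(f"== {group} ==")
        for d in items:
            extra = f" (ErrorID {d.error_id})" if d.error_id else ""
            print(f"  {d.name:28} {d.outcome:12} {d.path}{extra}")
```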

Post by Amantide » Wed Feb 07, 2007 10:39 pm

I'm afraid that besides the files listed there is also the Rustock rootkit.
Run a GMER scan of the Autostart and Rootkit sections and post the logs here.
To produce the log, first choose the Autostart tab, tick Show all and click Scan. When the scan has finished, click Copy and paste the result into Notepad or directly here.
Repeat the procedure for Rootkit as well.
Amantide
Official Member (Gold)
Posts: 8126
Joined: Mon Feb 06, 2006 4:13 pm
Location: Abruzzo

Post by mykyj » Fri Feb 09, 2007 5:49 pm

I had already been told that it might be Rustock and they had me run a GMER scan; here is the log. This is the old one, just to see whether it was true that there was nothing; if need be I can redo it:
R 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-12 19:06:00
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwClose
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwCreateFile
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwCreateKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcessEx
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwCreateSection
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteFile
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwDeleteKey
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwDeleteValueKey
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwLoadDriver
SSDT \SystemRoot\system32\drivers\khips.sys ZwMapViewOfSection
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwOpenFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenKey
SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwResumeThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetInformationFile
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwSetValueKey
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwTerminateProcess
SSDT \??\C:\Documents and Settings\All Users\Dati applicazioni\Spyware Terminator\sp_rsdrv2.sys ZwWriteFile

---- Kernel code sections - GMER 1.0.12 ----

PAGENDSM NDIS.sys!NdisMIndicateStatus F8415A5F 6 Bytes [ FF, 25, 88, F5, DE, EB ]

---- User code sections - GMER 1.0.12 ----

.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] USER32.dll!SetWindowsHookExW 77D2E4AF 5 Bytes JMP 001307AC
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] USER32.dll!SetWindowsHookExA 77D311E9 5 Bytes JMP 00130720
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] WS2_32.dll!socket 71A33B91 5 Bytes JMP 001308C4
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00130838
.text C:\Programmi\AntiVir PersonalEdition Classic\sched.exe[220] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00130950
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] USER32.dll!SetWindowsHookExW 77D2E4AF 5 Bytes JMP 001307AC
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] USER32.dll!SetWindowsHookExA 77D311E9 5 Bytes JMP 00130720
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] WININET.dll!InternetOpenW 7718AEFD 5 Bytes JMP 00130DB0
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] WININET.dll!InternetConnectA 771930C3 5 Bytes JMP 00130F54
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] WININET.dll!InternetOpenA 771958BA 5 Bytes JMP 00130D24
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] WININET.dll!InternetOpenUrlA 77195B6D 5 Bytes JMP 00130E3C
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] WININET.dll!InternetConnectW 7719EE00 5 Bytes JMP 00130FE0
.text C:\Programmi\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe[248] WININET.dll!InternetOpenUrlW 771A5B52 5 Bytes JMP 00130EC8
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\Explorer.EXE[268] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\Explorer.EXE[268] USER32.dll!SetWindowsHookExW 77D2E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\Explorer.EXE[268] USER32.dll!SetWindowsHookExA 77D311E9 5 Bytes JMP 00080720
.text C:\WINDOWS\Explorer.EXE[268] WININET.dll!InternetOpenW 7718AEFD 5 Bytes JMP 00080DB0
.text C:\WINDOWS\Explorer.EXE[268] WININET.dll!InternetConnectA 771930C3 5 Bytes JMP 00080F54
.text C:\WINDOWS\Explorer.EXE[268] WININET.dll!InternetOpenA 771958BA 5 Bytes JMP 00080D24
.text C:\WINDOWS\Explorer.EXE[268] WININET.dll!InternetOpenUrlA 77195B6D 5 Bytes JMP 00080E3C
.text C:\WINDOWS\Explorer.EXE[268] WININET.dll!InternetConnectW 7719EE00 5 Bytes JMP 00080FE0
.text C:\WINDOWS\Explorer.EXE[268] WININET.dll!InternetOpenUrlW 771A5B52 5 Bytes JMP 00080EC8
.text C:\WINDOWS\Explorer.EXE[268] WS2_32.dll!socket 71A33B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\Explorer.EXE[268] WS2_32.dll!bind 71A33E00 5 Bytes JMP 00080838
.text C:\WINDOWS\Explorer.EXE[268] WS2_32.dll!connect 71A3406A 5 Bytes JMP 00080950
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] USER32.dll!SetWindowsHookExW 77D2E4AF 5 Bytes JMP 001307AC
.text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe[468] USER32.dll!SetWindowsHookExA 77D311E9 5 Bytes JMP 00130720
.text C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe[528] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000301A8
.text C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe[528] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00030090
.text C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe[528] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00030694
.text C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe[528] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000302C0
.text C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe[528] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00030234
.text C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe[528] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00030004
.text C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe[528] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0003011C
.text C:\Programmi\Sunbelt Software\Personal Firewall\kpf4ss.exe[528] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000304F0

Post by Amantide » Fri Feb 09, 2007 5:55 pm

This log is clean, post me the new ones, both Rootkit and Autostart.
...to fly high, you must know how to fall...

Post by mykyj » Fri Feb 09, 2007 8:08 pm

Indeed, that's what the other person who was helping me had told me too. Anyway, yesterday I scanned the PC with Antivir and it found and removed 2-3 viruses, and now the file with the red lips, which usually kept reappearing, is no longer in the Windows temp folder [applauso+] Could this be the time I finally managed to get rid of it? [^] Let's hope so. Anyway, I'll do the logs again with gmer and then post them to you, but in a while, not right away [;)] [;)] bye and thanks [^]

Post by Amantide » Fri Feb 09, 2007 8:29 pm

Ah, right... now that I look more closely at your nick I remember your "case" well; earlier I was confused by the different avatar. [sh]
...to fly high, you must know how to fall...

Post by mykyj » Sun Feb 11, 2007 6:59 pm

As I told you, now everything seems fine [^] so for now I won't run the gmer scan again; if the problem comes back I'll give you a shout [fischio] meanwhile I wanted to thank you for the help [grazie] and let's hope for the best, that this is the one [8D]

