Thanks for the help...
I tried andorra24's tool but it doesn't seem to work; I launched it a couple of times but at some point it freezes...
Below I attach the logs obtained with GMER, as suggested by BilloKenobi:
GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-09-02 16:28:36
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avldr@DLLName = avldr.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
MDM /*Machine Debug Manager*/@ = "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE"
PAVFNSVR /*Panda Function Service*/@ = "C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe"
PavPrSrv /*Panda Process Protection Service*/@ = "C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe"
PAVSRV /*Panda anti-virus service*/@ = "C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe"
pmshellsrv /*Panda Antispam Engine*/@ = C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
PNMSRV /*Panda Network Manager*/@ = "c:\programmi\panda software\panda platinum 2006 internet security\firewall\PNMSRV.EXE"
PREVXAgent /*Prevx Agent*/@ = "C:\Programmi\Prevx1\PXAgent.exe" -f
PSIMSVC /*Panda IManager Service*/@ = "C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\PsImSvc.exe"
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Programmi\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
SrvTlo /*SrvTlo*/@ = "C:\Programmi\File comuni\System\QgS.exe"
TPSrv /*Panda TPSrv*/@ = "C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe"
WinNie /*WinNie*/@ = "C:\Programmi\File comuni\System\sJhnI.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@APVXDWIN"C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE" /s = "C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE" /s
@SCANINICIO"C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\Inicio.exe" = "C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\Inicio.exe"
@SmappC:\Programmi\Analog Devices\SoundMAX\SMTray.exe = C:\Programmi\Analog Devices\SoundMAX\SMTray.exe
@RemoteControlC:\Programmi\CyberLink\PowerDVD\PDVDServ.exe = C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@sgrx1.exeC:\WINDOWS\TEMP\sgrx1.exe = C:\WINDOWS\TEMP\sgrx1.exe
@PrevxOneC:\Programmi\Prevx1\PXConsole.exe = C:\Programmi\Prevx1\PXConsole.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MSMSGS"C:\Programmi\Messenger\msmsgs.exe" /background = "C:\Programmi\Messenger\msmsgs.exe" /background
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\OFFICE11\msohev.dll = C:\Programmi\Microsoft Office\OFFICE11\msohev.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Programmi\WinRAR\rarext.dll = C:\Programmi\WinRAR\rarext.dll
@{65756541-C65C-11CD-0000-4B656E696100} /*Panda Antivirus*/C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\PAVOLE.DLL = C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\PAVOLE.DLL
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Panda Antivirus@{65756541-C65C-11CD-0000-4B656E696100} = C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\PAVOLE.DLL
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Panda Antivirus@{65756541-C65C-11CD-0000-4B656E696100} = C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\PAVOLE.DLL
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programmi\WinRAR\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll = C:\Documents and Settings\All Users\Dati applicazioni\Prevx\pxbho.dll
@{978F954C-3467-5F21-E573-7993B594DABF}C:\WINDOWS\skiku1.dll /*file not found*/ = C:\WINDOWS\skiku1.dll /*file not found*/
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\logon.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.virgilio.it/ = http://www.virgilio.it/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Programmi\File comuni\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
000000000001@PackedCatalogItem = C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\pavlsp.dll
000000000002@PackedCatalogItem = C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\pavlsp.dll
000000000003@PackedCatalogItem = C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\pavlsp.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009@PackedCatalogItem = C:\Programmi\Panda Software\Panda Platinum 2006 Internet Security\pavlsp.dll
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica = Avvio veloce di Adobe Reader.lnk
---- EOF - GMER 1.0.10 ----
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-02 16:35:49
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.10 ----

SSDT pxfsf.sys ZwAlertResumeThread
SSDT pxfsf.sys ZwAllocateUserPhysicalPages
SSDT pxfsf.sys ZwAllocateVirtualMemory
SSDT pxfsf.sys ZwClose
SSDT pxfsf.sys ZwCompactKeys
SSDT pxfsf.sys ZwCompressKey
SSDT pxfsf.sys ZwCreateDirectoryObject
SSDT pxfsf.sys ZwCreateEvent
SSDT pxfsf.sys ZwCreateEventPair
SSDT pxfsf.sys ZwCreateFile
SSDT pxfsf.sys ZwCreateIoCompletion
SSDT pxfsf.sys ZwCreateJobObject
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwCreateKey
SSDT pxfsf.sys ZwCreateMailslotFile
SSDT pxfsf.sys ZwCreateMutant
SSDT pxfsf.sys ZwCreateNamedPipeFile
SSDT pxfsf.sys ZwCreatePort
SSDT pxfsf.sys ZwCreateProcess
SSDT pxfsf.sys ZwCreateProcessEx
SSDT pxfsf.sys ZwCreateSection
SSDT pxfsf.sys ZwCreateSemaphore
SSDT pxfsf.sys ZwCreateSymbolicLinkObject
SSDT pxfsf.sys ZwCreateThread
SSDT pxfsf.sys ZwCreateTimer
SSDT pxfsf.sys ZwCreateToken
SSDT pxfsf.sys ZwDeleteFile
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwDeleteKey
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwDeleteValueKey
SSDT pxfsf.sys ZwDeviceIoControlFile
SSDT pxfsf.sys ZwDuplicateObject
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwEnumerateKey
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwEnumerateValueKey
SSDT pxfsf.sys ZwFreeUserPhysicalPages
SSDT pxfsf.sys ZwFreeVirtualMemory
SSDT pxfsf.sys ZwImpersonateAnonymousToken
SSDT pxfsf.sys ZwImpersonateThread
SSDT pxfsf.sys ZwLoadDriver
SSDT pxfsf.sys ZwLoadKey
SSDT pxfsf.sys ZwLoadKey2
SSDT pxfsf.sys ZwLockRegistryKey
SSDT pxfsf.sys ZwLockVirtualMemory
SSDT pxfsf.sys ZwMapViewOfSection
SSDT pxfsf.sys ZwOpenFile
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwOpenKey
SSDT pxfsf.sys ZwOpenProcess
SSDT pxfsf.sys ZwOpenProcessToken
SSDT pxfsf.sys ZwOpenSection
SSDT pxfsf.sys ZwOpenThread
SSDT pxfsf.sys ZwOpenThreadToken
SSDT pxfsf.sys ZwProtectVirtualMemory
SSDT pxfsf.sys ZwQueryInformationProcess
SSDT pxfsf.sys ZwQueryInformationThread
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwQueryKey
SSDT pxfsf.sys ZwQueryMultipleValueKey
SSDT pxfsf.sys ZwQueryOpenSubKeys
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwQueryValueKey
SSDT pxfsf.sys ZwQueueApcThread
SSDT pxfsf.sys ZwReadFile
SSDT pxfsf.sys ZwReadVirtualMemory
SSDT pxfsf.sys ZwRenameKey
SSDT pxfsf.sys ZwReplaceKey
SSDT pxfsf.sys ZwRestoreKey
SSDT pxfsf.sys ZwResumeProcess
SSDT pxfsf.sys ZwResumeThread
SSDT pxfsf.sys ZwSaveKey
SSDT pxfsf.sys ZwSaveKeyEx
SSDT pxfsf.sys ZwSaveMergedKeys
SSDT pxfsf.sys ZwSetContextThread
SSDT pxfsf.sys ZwSetInformationKey
SSDT pxfsf.sys ZwSetInformationProcess
SSDT pxfsf.sys ZwSetInformationThread
SSDT pxfsf.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\Drivers\ShldDrv.SYS ZwSetValueKey
SSDT pxfsf.sys ZwSuspendProcess
SSDT pxfsf.sys ZwSuspendThread
SSDT pxfsf.sys ZwSystemDebugControl
SSDT pxfsf.sys ZwTerminateJobObject
SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys ZwTerminateThread
SSDT pxfsf.sys ZwUnloadDriver
SSDT pxfsf.sys ZwUnloadKey
SSDT pxfsf.sys ZwUnloadKeyEx
SSDT pxfsf.sys ZwUnlockVirtualMemory
SSDT pxfsf.sys ZwUnmapViewOfSection
SSDT pxfsf.sys ZwWriteFile
SSDT \??\C:\WINDOWS\system32\PavSRK.sys ZwWriteVirtualMemory

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F95CA810] ShldDrv.SYS
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F95CABD8] ShldDrv.SYS
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE [F95CA7D2] ShldDrv.SYS
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA [F95CAB9A] ShldDrv.SYS
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F95CA7D2] ShldDrv.SYS
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F95CAB9A] ShldDrv.SYS

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{BDB1EC6F-D127-4A28-83A2-262C1D8B506C}
File F:\System Volume Information\MountPointManagerRemoteDatabase
File F:\System Volume Information\tracking.log
File F:\System Volume Information\_restore{167E266E-6D1B-40D9-96E1-07BBDC9347CC}
File F:\System Volume Information\_restore{365ED133-C3A3-4569-81F4-D5DAF813838F}
File F:\System Volume Information\_restore{BDB1EC6F-D127-4A28-83A2-262C1D8B506C}

---- EOF - GMER 1.0.10 ----