At this point I tried to fix it by following a rootkit removal guide, but if I have to fix it at a low level I'm really not able to, so I'm asking for help.
Below I attach the LOG file produced by the scan with Gmer
GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2010-01-11 18:32:00
Windows 5.1.2600 Service Pack 3
Running: gmer[1].exe; Driver: C:\DOCUME~1\MARIKA\IMPOST~1\Temp\pxtdapod.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xA4C1C1CC]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xA4C1C206]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xA4C1C51A]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xA4C1C3F6]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xA4C1C292]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xA4C1C18E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0xA4C1C64E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0xA4C1C316]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0xA4C1C34E]
Code 86418AF8 ZwEnumerateKey
Code 8672FD90 ZwFlushInstructionCache
Code 86548DEE IofCallDriver
Code 8640D23E IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 86548DF3
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8640D243
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6814 5 Bytes JMP 8672FD94
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 5 Bytes JMP 86418AFC
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[1564] ntdll.dll!NtWriteFile 7C91DF7E 5 Bytes JMP 03F05C30 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\WINDOWS\Explorer.EXE[1564] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 03F052E0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 00365A30 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] ntdll.dll!NtCreateSection 7C91D17E 5 Bytes JMP 00365B50 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] ntdll.dll!NtOpenFile 7C91D59E 5 Bytes JMP 003659C0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] ntdll.dll!NtOpenSection 7C91D62E 5 Bytes JMP 00365BF0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] ntdll.dll!NtWriteFile 7C91DF7E 5 Bytes JMP 00365C30 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 003652E0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] kernel32.dll!OutputDebugStringA 7C85AD4C 5 Bytes JMP 00365E30 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!PostMessageW 7E398CCB 5 Bytes JMP 00365120 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 402B541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!PostThreadMessageW 7E3A77B8 5 Bytes JMP 00361F10 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!PostThreadMessageA 7E3A77C5 5 Bytes JMP 00361D00 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!SendMessageW 7E3A929A 5 Bytes JMP 00364EE0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!PostMessageA 7E3AAAFD 5 Bytes JMP 003650E0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!SendMessageTimeoutW 7E3ACDAA 5 Bytes JMP 00364FF0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 4038D6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!SendNotifyMessageW 7E3AD64F 5 Bytes JMP 00364F60 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!SendMessageCallbackW 7E3AD6DB 5 Bytes JMP 00365090 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!SendMessageA 7E3AF3C2 5 Bytes JMP 00364EA0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!SendMessageTimeoutA 7E3AFB6B 5 Bytes JMP 00364FA0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 4048441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 40484351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 404843BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 40484222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 40484284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!SendNotifyMessageA 7E3D3948 5 Bytes JMP 00364F20 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 40484482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 404842E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] USER32.dll!SendMessageCallbackA 7E3EB129 5 Bytes JMP 00365040 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] ADVAPI32.dll!CredEnumerateW 77F88099 7 Bytes JMP 00365200 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] CRYPT32.dll!CryptUnprotectData 77A5BAF0 7 Bytes JMP 00365180 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] WS2_32.dll!sendto 71A32F51 5 Bytes JMP 00362060 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 056F000A
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] WS2_32.dll!WSASocketW 71A3404E 7 Bytes JMP 00362120 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] WS2_32.dll!connect 71A34A07 5 Bytes JMP 003620A0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 003620E0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] WS2_32.dll!WSAConnect 71A40C81 5 Bytes JMP 00362020 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] WININET.dll!HttpSendRequestW 3F9EFABE 5 Bytes JMP 00361F90 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] WININET.dll!HttpSendRequestA 3F9FEE89 5 Bytes JMP 00361F30 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] WININET.dll!InternetWriteFile 3FA460F6 5 Bytes JMP 00361F60 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] WININET.dll!HttpSendRequestExA 3FA5A75A 5 Bytes JMP 00361FF0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] WININET.dll!HttpSendRequestExW 3FA5A7B3 5 Bytes JMP 00361FC0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] ole32.dll!OleLoadFromStream 774F9C85 5 Bytes JMP 404847A0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Programmi\Internet Explorer\iexplore.exe[1624] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Programmi\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\H8SRTfumltprmvm.sys (*** hidden *** ) A5A6D000-A5A8A000 (118784 bytes)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [212] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1332] 0x00BA0000
Library \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1432] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1564] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll (*** hidden *** ) @ C:\Programmi\Internet Explorer\iexplore.exe [1624] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1788] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1944] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2108] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2680] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3312] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [3572] 0x10000000
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTfumltprmvm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTfumltprmvm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTpkhbotolhu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTlpabbwqgrr.dat
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll
Reg HKLM\SYSTEM\ControlSet001\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTcrvdcbobod.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTfumltprmvm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTfumltprmvm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTpkhbotolhu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTlpabbwqgrr.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTcrvdcbobod.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTfumltprmvm.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTfumltprmvm.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTpkhbotolhu.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTlpabbwqgrr.dat
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTcrvdcbobod.dll
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTfumltprmvm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTfumltprmvm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTpkhbotolhu.dll
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTlpabbwqgrr.dat
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll
Reg HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTcrvdcbobod.dll
---- EOF - GMER 1.0.15 ----
I really don't know what to do!
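Added example (not from the original post, and not a GMER feature): a small Python script that reads a GMER 1.0.15 text log like the one above and pulls out the three kinds of lines worth acting on in it: objects GMER tagged `*** hidden ***`, inline hooks whose JMP target GMER could not attribute to any module, and services whose registry key carries a `modules` subkey pointing at those same hidden files. The regexes are written from the log format shown above; the function names `triage`, `suspicious_services` and `component_paths` are my own; the embedded excerpt reproduces a handful of lines from the log above (the `H8SRTd.sys` service and file names are exactly as they appear there) so the script runs on its own.

```python
"""Triage a GMER 1.0.15 text log: hidden objects, unattributed hooks, service modules."""
import re
from collections import defaultdict

# Excerpt of the log above, embedded so the script runs offline (not a new sample).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 86548DF3
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 5 Bytes JMP 86418AFC
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[1564] ntdll.dll!NtWriteFile 7C91DF7E 5 Bytes JMP 03F05C30 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Programmi\Internet Explorer\iexplore.exe[1624] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 056F000A
---- Modules - GMER 1.0.15 ----
Module \systemroot\system32\drivers\H8SRTfumltprmvm.sys (*** hidden *** ) A5A6D000-A5A8A000 (118784 bytes)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\H8SRTntjkhmuwij.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [212] 0x10000000
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTfumltprmvm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTfumltprmvm.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTpkhbotolhu.dll
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
HIDDEN_RE = re.compile(
    r"^(?P<kind>Module|Library)\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)"
    r"(?:\s+@\s+(?P<host>.+?)\s+\[(?P<pid>\d+)\])?")
# A code-section hook line; the trailing "module (description/vendor)" is optional,
# and its absence is exactly what makes the hook interesting.
HOOK_RE = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(?P<where>.+?)\s+(?P<addr>[0-9A-F]{8})\s+\d+ Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-F]{8})(?:\s+(?P<module>.+?)\s+\((?P<vendor>[^)]*)\))?$")
GLOBALROOT = "\\\\?\\globalroot"   # prefix GMER prints for hidden-file paths


def _normalize(path):
    """Drop the \\?\globalroot prefix so the same file compares equal everywhere."""
    return path[len(GLOBALROOT):] if path.lower().startswith(GLOBALROOT) else path


def parse_gmer(text):
    """Yield (section, line) for every non-blank, non-header line of the log."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        yield section, line


def triage(text):
    """Collect hidden objects, hooks with no owning module, and service registry values."""
    out = {"hidden": [], "unattributed_hooks": [], "services": defaultdict(dict)}
    for section, line in parse_gmer(text):
        m = HIDDEN_RE.match(line)
        if m:
            out["hidden"].append({"kind": m["kind"], "path": _normalize(m["path"]),
                                  "host": m["host"], "pid": m["pid"]})
            continue
        m = HOOK_RE.match(line)
        if m:
            if m["module"] is None:
                out["unattributed_hooks"].append(
                    {"section": section, "where": m["where"], "target": m["target"]})
            continue
        if line.startswith("Reg "):
            parts = line.split(None, 2)
            key, _, value = parts[1].partition("@")
            if not value:
                continue                      # bare key line, no value to record
            comps = key.split("\\")
            if "Services" in comps:
                i = comps.index("Services")
                sub = "\\".join(comps[i + 2:])  # e.g. "modules"; "" for the service key itself
                data = parts[2] if len(parts) > 2 else ""
                out["services"][comps[i + 1]][f"{sub}@{value}"] = data
    return out


def suspicious_services(findings):
    """Services with a `modules` subkey, or whose image path is a hidden module."""
    hidden = {h["path"].lower() for h in findings["hidden"]}
    hits = []
    for svc, values in findings["services"].items():
        image = _normalize(values.get("@imagepath", "").lower())
        if any(k.startswith("modules@") for k in values) or image in hidden:
            hits.append(svc)
    return sorted(hits)


def component_paths(findings):
    """Every on-disk path tied to the hidden components (to collect or remove offline)."""
    paths = {h["path"] for h in findings["hidden"]}
    for values in findings["services"].values():
        for name, data in values.items():
            if name == "@imagepath" or name.startswith("modules@"):
                paths.add(_normalize(data))
    return sorted(paths)


if __name__ == "__main__":
    f = triage(SAMPLE_LOG)
    for h in f["hidden"]:
        print("hidden", h["kind"], h["path"], h["host"] or "")
    for h in f["unattributed_hooks"]:
        print("unattributed hook", h["where"], "->", h["target"])
    print("suspicious services:", suspicious_services(f))
    print("paths to collect:", *component_paths(f), sep="\n  ")
```

Note what the script deliberately does not flag: the SSDT entries, the PxSecure.dll and IEFRAME.dll hooks and the attached devices in the log are all attributed by GMER to a named module and vendor (Prevx, Microsoft, Synaptics, HP), whereas the kernel JMPs on IofCallDriver, IofCompleteRequest, ZwFlushInstructionCache and ZwEnumerateKey, and the closesocket hook in iexplore.exe, point into memory GMER could not tie to any file. Because ZwEnumerateKey and IofCallDriver are hooked, any tool run on the live system only sees what the hooking code lets it see, so the path list the script produces is best verified and cleaned from outside the running OS (a boot disc, or the disk mounted on another machine), not by deleting from the infected session.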