Here are the GMER logs.
This is the one obtained with the rootkit scan:
GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-31 11:36:03
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.10 ----
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory
---- Devices - GMER 1.0.10 ----
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F9473220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F9473480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F94735A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F94735D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F9473220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F9473480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F94735A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F94735D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F9473220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F9473480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F94735A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F94735D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F9473220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F9473480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F94735A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F94735D0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F9473220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [F9473480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F94735A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F94735D0] wpsdrvnt.sys
---- EOF - GMER 1.0.10 ----
And this is the one with the autostart scan:
GMER 1.0.10.10122 - http://www.gmer.net
Autostart 2006-08-31 11:36:49
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@DLLName = WgaLogon.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswUpdSv /*avast! iAVS4 Control Service*/@ = "C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe"
avast! Antivirus /*avast! Antivirus*/@ = "C:\Programmi\Alwil Software\Avast4\ashServ.exe"
Crypkey License /*Crypkey License*/@ = crypserv.exe
EPSONStatusAgent2 /*EPSON Printer Status Agent2*/@ = C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
Iomega Activity Disk2 /*Iomega Activity Disk2*/@ = "C:\PROGRA~1\Iomega\System32\ActivityDisk.exe"
matlabserver /*MATLAB Server*/@ = C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SmcService /*Sygate Personal Firewall*/@ = C:\Programmi\Sygate\SPF\smc.exe
Spooler /*Spooler di stampa*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ToUcamVPropertyC:\Programmi\Philips ToUcam Camera\VProperty.exe a m C a m e r a \ V P r o p e r t y . e x e /*file not found*/ = C:\Programmi\Philips ToUcam Camera\VProperty.exe a m C a m e r a \ V P r o p e r t y . e x e /*file not found*/
@SunJavaUpdateSchedC:\Programmi\Java\jre1.5.0_03\bin\jusched.exe = C:\Programmi\Java\jre1.5.0_03\bin\jusched.exe
@SmcServiceC:\PROGRA~1\Sygate\SPF\smc.exe -startgui = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
@S3TRAY2S3tray2.exe = S3tray2.exe
@S3hotkeyS3hotkey.exe = S3hotkey.exe
@QuickTime Task"C:\Programmi\QuickTime\qttask.exe" -atboottime = "C:\Programmi\QuickTime\qttask.exe" -atboottime
@iTunesHelper"C:\Programmi\iTunes\iTunesHelper.exe " = "C:\Programmi\iTunes\iTunesHelper.exe"
@EM_EXECC:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
@Drag'n'Drop_Autolaunch"C:\Programmi\Iomega HotBurn\Autolaunch.exe" = "C:\Programmi\Iomega HotBurn\Autolaunch.exe"
@CnxDslTaskBar"C:\Programmi\FlyNet\CnxDslTb.exe" = "C:\Programmi\FlyNet\CnxDslTb.exe"
@avast!C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run @ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Estensione panoramica video del Pannello di controllo*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{0A082D00-EC93-11D0-B1E6-80580BC10627} /*Corel Media Folder Root Menu Handler*/(null) =
@{0FBF99C1-4127-11D1-B1E6-C17E96D9180A} /*Folder To Corel Media Folder Menu Handler*/(null) =
@{854AF161-1AE1-11D1-AB9B-00C0F00683EB} /*Corel Media Folder*/(null) =
@{E856F161-1AE5-11d1-AB9B-00C0F00683EB} /*Corel Media Folder*/(null) =
@{CDB89701-262F-11D1-AB9C-00C0F00683EB} /*Corel Media Find Folder*/(null) =
@{F8152501-455F-11D1-B1E6-444553540000} /*Corel Media Folder Copy Hook Handler*/(null) =
@{8E524B0D-04F0-11D1-B74A-00A0C90646A4} /*IconFactTemp.NSIconHandlerFactory*/(null) =
@{A2AC368A-F883-11D0-B745-00A0C90646A4} /*NSFiltManDll.FiltManCom*/(null) =
@{B63FCD5A-2396-11D1-B762-00A0C90646A4} /*¼*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Cartelle Web*/C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\FILECO~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Programmi\Microsoft Office\Office10\msohev.dll = C:\Programmi\Microsoft Office\Office10\msohev.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{B8323370-FF27-11D2-97B6-204C4F4F5020} /*SmartFTP Shell Extension DLL*/C:\Programmi\SmartFTP Client 2.0\smarthook.dll = C:\Programmi\SmartFTP Client 2.0\smarthook.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Programmi\iTunes\iTunesMiniPlayer.dll = C:\Programmi\iTunes\iTunesMiniPlayer.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Programmi\Alwil Software\Avast4\ashShell.dll = C:\Programmi\Alwil Software\Avast4\ashShell.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} /*OpenOffice.org Column Handler*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{087B3AE3-E237-4467-B8DB-5A38AB959AC9} /*OpenOffice.org Infotip Handler*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{63542C48-9552-494A-84F7-73AA6A7C99C1} /*OpenOffice.org Property Sheet Handler*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{3B092F0C-7696-40E3-A80F-68D74DA84210} /*OpenOffice.org Thumbnail Viewer*/"C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Programmi\OpenOffice.org 2.0\program\shlxthdl.dll"
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programmi\Alwil Software\Avast4\ashShell.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx = C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
@{53707962-6F74-2D53-2644-206D7942484F}C:\Programmi\Spybot - Search & Destroy\SDHelper.dll /*file not found*/ = C:\Programmi\Spybot - Search & Destroy\SDHelper.dll /*file not found*/
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\SCREEN~1.SCR
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://global.acer.com/ = http://global.acer.com/
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Programmi\File comuni\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
ms-itss@CLSID = C:\Programmi\File comuni\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\FILECO~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll
C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica >>>
Windows Update.hta = Windows Update.hta
Microsoft Office.lnk = Microsoft Office.lnk
EPSON Status Monitor 3 Environment Check 2.lnk = EPSON Status Monitor 3 Environment Check 2.lnk
---- EOF - GMER 1.0.10 ----
Is there anything that might help you understand what's going on?!?