Net-worm.Win32.Kido.ih [Solved]


This topic is locked

#1 Flegias (Member, 32 posts)
Hello!

My PC has been running very slowly recently, and Kaspersky Anti-Virus shows me warnings about the disinfection of Net-worm.Win32.Kido.ih every day.

Can you help me?

Thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11.34.55, on 12/02/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\HPZinw12.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINNT\system32\internat.exe
F:\Programmi\SPAC Automazione CAD 2008\CAD\SCAD2008.EXE
C:\Programmi\File comuni\Autodesk Shared\AcHelp.exe
C:\WINNT\system32\rundll32.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [wimsnn] Wscript C:\WINNT\ACTIVE SETUP LOGMSE.VBS /B
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Programmi\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Statistiche sulla protezione del traffico Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34AF2CE-F228-47F9-8D01-5AEDBF139AFA}: NameServer = 151.99.125.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: Xway TCP/IP (XipConnect) - Unknown owner - C:\XWAYDRV\XIPCONNECT.EXE (file missing)

--
End of file - 5607 bytes
#2 fenzodahl512 (Malware Removal, 9,863 posts)
Hello, my name is fenzodahl512, and welcome to Geekstogo. Please do the following.

Please download The Comedian.exe to your desktop.
  • Double click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step.
  • When it is done, it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished.

NEXT

Please download Malwarebytes' Anti-Malware from HERE or HERE.

Note: If you already have Malwarebytes' Anti-Malware, just run and update it, then do a "Perform Full Scan".

Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

NEXT

Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT.
  • Before you click "Continue", make sure you change "List files/folders created or modified in the last" to 3 months.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.

NEXT

Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on Scan.
  • When the scan has finished, click Copy, paste the results into Notepad, save it and attach it in this thread.

Post these logs in your next reply. Post each log in a separate post.

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result.
#3 Flegias (Topic Starter, Member, 32 posts)
Hi fenzodahl512,

Thank you for helping me!

The infected files found by Malwarebytes' were on another PC connected as a network drive, even though before the scan I removed the check next to its letter. Why did Malwarebytes' scan the network drive?
Should I open a new thread about the cleaning of the other PC?
Thank you!

Malwarebytes' Anti-Malware 1.34
Versione del database: 1757
Windows 5.0.2195 Service Pack 4

13/02/2009 15.30.26
mbam-log-2009-02-13 (15-30-26).txt

Tipo di scansione: Scansione completa (A:\|C:\|D:\|E:\|F:\|)
Elementi scansionati: 105180
Tempo trascorso: 1 hour(s), 1 minute(s), 32 second(s)

Processi delle memoria infetti: 0
Moduli della memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Elementi dato del registro infetti: 0
Cartelle infette: 1
File infetti: 2

Processi delle memoria infetti:
(Nessun elemento malevolo rilevato)

Moduli della memoria infetti:
(Nessun elemento malevolo rilevato)

Chiavi di registro infette:
(Nessun elemento malevolo rilevato)

Valori di registro infetti:
(Nessun elemento malevolo rilevato)

Elementi dato del registro infetti:
(Nessun elemento malevolo rilevato)

Cartelle infette:
G:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665 (Trojan.Conficker.H) -> Quarantined and deleted successfully.

File infetti:
G:\autorun.inf (Trojan.Conficker.H) -> Quarantined and deleted successfully.
G:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx (Trojan.Conficker.H) -> Quarantined and deleted successfully.
#4 Flegias (Topic Starter, Member, 32 posts)
Logfile of random's system information tool 1.05 (written by random/random)
Run by Administrator at 2009-02-13 15:41:33
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 81 MB (2%) free of 3 GB
Total RAM: 511 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15.42.04, on 13/02/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\HPZinw12.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINNT\system32\internat.exe
C:\Programmi\Outlook Express\msimn.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Programmi\Trend Micro\HijackThis\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [wimsnn] Wscript C:\WINNT\ACTIVE SETUP LOGMSE.VBS /B
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Programmi\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programmi\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Statistiche sulla protezione del traffico Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34AF2CE-F228-47F9-8D01-5AEDBF139AFA}: NameServer = 151.99.125.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: Xway TCP/IP (XipConnect) - Unknown owner - C:\XWAYDRV\XIPCONNECT.EXE (file missing)

--
End of file - 5641 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - F:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
IEVkbdBHO Class - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll [2008-07-29 62728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\programmi\google\googletoolbar1.dll [2009-01-12 2423872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINNT\System32\msdxm.ocx [2005-06-03 850192]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\programmi\google\googletoolbar1.dll [2009-01-12 2423872]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"AtiPTA"=C:\WINNT\system32\atiptaxx.exe [2001-09-27 245760]
"wimsnn"=Wscript C:\WINNT\ACTIVE SETUP LOGMSE.VBS /B []
""= []
"AVP"=C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [2009-02-04 206088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"=C:\WINNT\system32\internat.exe [1999-12-23 20752]

C:\Documents and Settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica
ERUNT AutoBackup.lnk - C:\Programmi\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\WINNT\system32\klogon.dll [2008-07-29 218376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9}

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"DisableLockWorkstation"=0
"DisableChangePassword"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149
"NoClose"=0
"NoLogoff"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.scr - open - "%windir%\system32\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2009-02-13 15:41:33 ----D---- C:\rsit
2009-02-13 14:23:29 ----D---- C:\WINNT\ERDNT
2009-02-13 14:23:14 ----D---- C:\Programmi\ERUNT
2009-02-11 09:18:11 ----D---- C:\Programmi\Trend Micro
2009-02-06 14:44:24 ----D---- C:\Programmi\Malwarebytes' Anti-Malware
2009-01-29 16:49:03 ----A---- C:\WINNT\gmer.ini
2009-01-29 16:49:01 ----A---- C:\WINNT\gmer_uninstall.cmd
2009-01-29 16:49:01 ----A---- C:\WINNT\gmer.dll
2009-01-29 16:49:00 ----A---- C:\WINNT\gmer.exe
2009-01-26 09:33:21 ----A---- C:\WINNT\oodcnt.INI
2009-01-23 16:50:45 ----D---- C:\WINNT\system32\oodag

======List of files/folders modified in the last 1 months======

2009-02-13 15:41:34 ----AD---- C:\WINNT\system32
2009-02-13 15:40:30 ----RASHD---- C:\WINNT\Temp
2009-02-13 15:36:09 ----AD---- C:\WINNT\Debug
2009-02-13 15:35:40 ----D---- C:\Documents and Settings\All Users\Dati applicazioni\Kaspersky Lab
2009-02-13 15:34:34 ----D---- C:\WINNT\system32\NtmsData
2009-02-13 15:32:53 ----AD---- C:\WINNT\system32\drivers
2009-02-13 15:32:14 ----AD---- C:\WINNT\security
2009-02-13 15:32:08 ----A---- C:\WINNT\SchedLgU.Txt
2009-02-13 15:30:57 ----RAD---- C:\Programmi
2009-02-13 14:23:29 ----AD---- C:\WINNT
2009-02-13 10:18:47 ----SHD---- C:\WINNT\CSC
2009-02-13 10:00:08 ----ASD---- C:\WINNT\Tasks
2009-01-28 18:01:41 ----SHD---- C:\WINNT\Installer
2009-01-28 18:00:09 ----D---- C:\Documents and Settings\Administrator\Dati applicazioni\Adobe
2009-01-23 17:07:55 ----RSD---- C:\WINNT\assembly
2009-01-23 17:07:53 ----AD---- C:\Programmi\File comuni
2009-01-23 17:07:28 ----AC---- C:\WINNT\citect.ini
2009-01-23 17:05:39 ----D---- C:\Programmi\File comuni\InstallShield
2009-01-23 17:05:25 ----HD---- C:\Programmi\InstallShield Installation Information
2009-01-23 17:05:25 ----D---- C:\Programmi\File comuni\Designer
2009-01-21 10:04:40 ----D---- C:\Programmi\Adobe
2009-01-14 08:43:39 ----HD---- C:\WINNT\inf

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 KLIF;Kaspersky Lab Driver; C:\WINNT\system32\DRIVERS\klif.sys [2009-02-04 215824]
R2 cvintdrv;cvintdrv; C:\WINNT\system32\drivers\cvintdrv.sys [2003-07-29 7140]
R2 eugss;EUTRON SmartKey GSS2 Driver; \??\C:\WINNT\system32\Drivers\eugss2k.sys []
R2 eusk2par;EUTRON SmartKey Parallel Driver; \??\C:\WINNT\system32\Drivers\eusk2par.sys []
R2 HidUsb;Driver di classe HID Microsoft; C:\WINNT\System32\DRIVERS\hidusb.sys [1999-10-04 13904]
R2 Sentinel;Sentinel; C:\WINNT\System32\Drivers\SENTINEL.SYS [2005-01-10 90168]
R3 ati2mtaa;ati2mtaa; C:\WINNT\System32\DRIVERS\ati2mtaa.sys [2001-09-26 291121]
R3 Duntlw;UNTLW device; C:\WINNT\System32\Drivers\DuntlwNT.sys [2001-08-23 46976]
R3 E100B;Intel® PRO Adapter Driver; C:\WINNT\System32\DRIVERS\e100bnt5.sys [2001-07-20 123152]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; C:\WINNT\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 mouhid;Driver di mouse HID; C:\WINNT\System32\DRIVERS\mouhid.sys [2003-06-19 11632]
R3 skeyusb;SmartKey USB; C:\WINNT\System32\Drivers\skeyusb.sys [2006-03-10 43968]
R3 smwdm;smwdm; C:\WINNT\system32\drivers\smwdm.sys [2001-04-13 416264]
R3 StillCam;Driver per fotocamera digitale seriale; C:\WINNT\System32\DRIVERS\serscan.sys [1999-12-22 6832]
R3 uhcd;Driver host controller Universal USB Microsoft; C:\WINNT\System32\DRIVERS\uhcd.sys [2003-06-19 32848]
R3 usbhub;Driver hub USB standard Microsoft; C:\WINNT\System32\DRIVERS\usbhub.sys [2003-06-19 40176]
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\system32\DRIVERS\CCDECODE.sys [2004-07-09 16384]
S3 gmer;gmer; C:\WINNT\System32\DRIVERS\gmer.sys [2009-01-29 85969]
S3 gpibclsb;GPIB Board Class Driver; C:\WINNT\System32\Drivers\gpibclsb.sys []
S3 gpibclsd;GPIB Device Class Driver; C:\WINNT\System32\Drivers\gpibclsd.sys []
S3 HPFLASH0;HPFLASH0; \??\C:\swsetup\SP30221\HPFlash.sys []
S3 MPE;BDA MPE Filter; C:\WINNT\system32\DRIVERS\MPE.sys [2004-07-09 15104]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\system32\drivers\MSTEE.sys [2002-12-12 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\system32\DRIVERS\NABTSFEC.sys [2004-07-09 83968]
S3 SLIP;BDA Slip De-Framer; C:\WINNT\system32\DRIVERS\SLIP.sys [2004-07-09 10880]
S3 streamip;BDA IPSink; C:\WINNT\system32\DRIVERS\StreamIP.sys [2004-07-09 14976]
S3 tap0801;TAP-Win32 Adapter V8; C:\WINNT\system32\DRIVERS\tap0801.sys [2004-06-24 23552]
S3 USBSTOR;Driver archiviazione di massa USB; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [2003-06-19 21552]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\system32\DRIVERS\WSTCODEC.SYS [2004-07-09 18688]
S4 IntelIde;IntelIde; C:\WINNT\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AVP;Kaspersky Anti-Virus; C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [2009-02-04 206088]
R2 StiSvc;Still Image Service; C:\WINNT\system32\stisvc.exe [2003-06-19 62224]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINNT\System32\Ati2evxx.exe [2000-11-30 57344]
S2 XipConnect;Xway TCP/IP; C:\XWAYDRV\XIPCONNECT.EXE []
S3 Adobe LM Service;Adobe LM Service; C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-10-02 69632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Updater Service; C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-12 138168]
S3 IDriverT;InstallDriver Table Manager; C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; C:\Programmi\File comuni\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINNT\system32\hpzipm12.exe [2003-10-22 65536]

-----------------EOF-----------------
#5 Flegias (Topic Starter, Member, 32 posts)
info.txt logfile of random's system information tool 1.05 2009-02-13 15:42:20

======Uninstall list======

-->msiexec /x{1C32666E-3F65-4A9A-BC4D-FE293015FE7B}
Adobe Acrobat 7.0 Professional - Español, Italiano, Português-->msiexec /I {AC76BA86-1034-4700-7760-000000000002}
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000702}
Adobe Flash Player 10 ActiveX-->C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 9 ActiveX-->C:\WINNT\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Aggiornamento cumulativo 1 per Windows 2000 SP4-->"C:\WINNT\$NtUpdateRollupPackUninstall$\spuninst\spuninst.exe"
Aggiornamento rapido di Windows 2000 - KB829558-->C:\WINNT\$NtUninstallKB829558$\spuninst\spuninst.exe
Aggiornamento rapido di Windows 2000 - KB842773-->C:\WINNT\$NtUninstallKB842773$\spuninst\spuninst.exe
ATI Display Driver-->rundll32 C:\WINNT\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
CCleaner (remove only)-->"C:\Programmi\CCleaner\uninst.exe"
ERUNT 1.1j-->C:\Programmi\ERUNT\unins000.exe
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\programmi\google\googletoolbar1.dll"
HijackThis 2.0.2-->"C:\Programmi\Trend Micro\HijackThis\HijackThis.exe" /uninstall
hp LaserJet-all-in-one-->C:\Programmi\hp\Digital Imaging\{1B4B2D13-BA87-4c7c-8B67-0EE7CE698415}\setup\hpzscr01.exe -datfile hpbscr01.dat
HP Software Update-->MsiExec.exe /X{DDA2B32F-EB16-4C96-A130-4E4A4C1E6B12}
Intel® PRO Ethernet Adapter and Software-->Prounstl.exe
Kaspersky Anti-Virus 2009-->MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
Kaspersky Anti-Virus 2009-->MsiExec.exe /I{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
LaserAIO-->MsiExec.exe /I{DD23CAA4-8872-4B95-B263-EA46FD82CF19}
Malwarebytes' Anti-Malware-->"C:\Programmi\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110410-6000-11D3-8CFE-0150048383C9}
MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
OrderReminder hp LaserJet 3015/3020/3030/3380-->C:\Programmi\Hewlett-Packard\OrderReminder\OrderReminder\Uninstall-hpLJ_3015-3020-3030-3380\installerhelper.exe C:\Programmi\Hewlett-Packard\OrderReminder\OrderReminder\Uninstall-hpLJ_3015-3020-3030-3380\installerhelper.properties -from-addremove
Sentinel System Driver 5.41.1 (32-bit)-->MsiExec.exe /I{5081528F-5DD5-49BA-8213-9A6A13502497}
SPAC Automazione 2008 (f:\Programmi\SPAC Automazione CAD 2008) (IT)-->"C:\Programmi\InstallShield Installation Information\{DA597CCD-0421-413A-8B16-670EA615F468}\setup.exe" -runfromtemp -l0x0010 -removeonly
SPAC Automazione CAD 2008 SP1-->Msiexec.exe /uninstall {115B172C-E863-40B9-94D9-032F70263D8F} /package {8E006790-D4DD-4420-80D5-1983ADBB46A8} /qb
SPAC Automazione CAD 2008-->Msiexec.exe /I {8E006790-D4DD-4420-80D5-1983ADBB46A8}
UNITELWAY WDM Driver-->C:\WINNT\IsUninst.exe -fC:\XWAYDRV\UNITELWAYW2KDriverUninst.isu
Windows 2000 Service Pack 4-->C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
Windows Installer 3.0 (KB884016)-->C:\WINNT\$MSI30UninstallMSI30-KB884016$\spuninst\spuninst.exe
Windows Installer 3.1 (KB893803)-->"C:\WINNT\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Programmi\WinRAR\uninstall.exe

======Hosts File======


System event log

Computer Name: PC-JOLLY
Event Code: 134
Message: È stata ricevuta una notifica di arrivo dell'interfaccia per la periferica:


\\?\USBSTOR#Disk&Ven_CBM&Prod_Flash_Disk&Rev_5.00#1612360089676C00&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Record Number: 5
Source Name: Removable Storage Service
Time Written: 20090211124713.000000+060
Event Type: information
User:

Computer Name: PC-JOLLY
Event Code: 7000
Message: Il servizio Xway TCP/IP non è stato avviato per il seguente errore:
Impossibile trovare il file specificato.


Record Number: 4
Source Name: Service Control Manager
Time Written: 20090211124417.000000+060
Event Type: error
User:

Computer Name: PC-JOLLY
Event Code: 6005
Message: Il servizio Registro eventi è stato avviato.

Record Number: 3
Source Name: EventLog
Time Written: 20090211124359.000000+060
Event Type: information
User:

Computer Name: PC-JOLLY
Event Code: 6009
Message: Microsoft ® Windows 2000 ® 5.0 2195 Service Pack 4 Uniprocessor Free.

Record Number: 2
Source Name: EventLog
Time Written: 20090211124359.000000+060
Event Type: information
User:

Computer Name: PC-JOLLY
Event Code: 105
Message: The service was started.

Record Number: 1
Source Name: Ati HotKey Poller
Time Written: 20090211124404.000000+060
Event Type: information
User:

Application event log

Computer Name: PC-JOLLY
Event Code: 1704
Message: Applicazione del criterio di protezione agli oggetti del criterio di gruppo riuscita.

Record Number: 5
Source Name: SceCli
Time Written: 20080923093008.000000+120
Event Type: information
User:

Computer Name: PC-JOLLY
Event Code: 1704
Message: Applicazione del criterio di protezione agli oggetti del criterio di gruppo riuscita.

Record Number: 4
Source Name: SceCli
Time Written: 20080922121551.000000+120
Event Type: information
User:

Computer Name: PC-JOLLY
Event Code: 1704
Message: Applicazione del criterio di protezione agli oggetti del criterio di gruppo riuscita.

Record Number: 3
Source Name: SceCli
Time Written: 20080919091413.000000+120
Event Type: information
User:

Computer Name: PC-JOLLY
Event Code: 1704
Message: Applicazione del criterio di protezione agli oggetti del criterio di gruppo riuscita.

Record Number: 2
Source Name: SceCli
Time Written: 20080918090919.000000+120
Event Type: information
User:

Computer Name: PC-JOLLY
Event Code: 1704
Message: Applicazione del criterio di protezione agli oggetti del criterio di gruppo riuscita.

Record Number: 1
Source Name: SceCli
Time Written: 20080911073419.000000+120
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Os2LibPath"=%SystemRoot%\system32\os2\dll;
"Path"=C:\Programmi\File comuni\ArchestrA\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Programmi\File comuni\Schneider Electric Shared\SSTA\;C:\Programmi\File comuni\Schneider Electric Shared\SRCSDK\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 0 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=000a
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

#6
Flegias

  • Topic Starter
  • Member
  • 32 posts
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-13 16:21:44
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xBD5F8B96] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwClose [0xBD5F9142] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwConnectPort [0xBD5FAB82] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwCreateFile [0xBD5FA538] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwCreateKey [0xBD5F830C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xBD5FC4E6] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwCreateThread [0xBD5F8F3E] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwDeleteKey [0xBD5F874E] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwDeleteValueKey [0xBD5F894E] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xBD5FA844] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwDuplicateObject [0xBD5FC9F2] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwEnumerateKey [0xBD5F8A64] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwEnumerateValueKey [0xBD5F8ACC] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwFsControlFile [0xBD5FA6FA] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwLoadDriver [0xBD5FBFAA] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenFile [0xBD5FA394] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenKey [0xBD5F846E] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenProcess [0xBD5F8D64] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenSection [0xBD5FC510] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwOpenThread [0xBD5F8CBA] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwQueryKey [0xBD5F8B34] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xBD5F8838] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwQueryValueKey [0xBD5F8616] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwReplaceKey [0xBD5F7F8E] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xBD5FB40C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwRestoreKey [0xBD5F80F0] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSaveKey [0xBD5F7D8C] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSecureConnectPort [0xBD5FAA24] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSetSecurityObject [0xBD5FC0A4] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSetSystemInformation [0xBD5FC53A] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSetValueKey [0xBD5F84C4] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwSystemDebugControl [0xBD5FBED6] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwTerminateProcess [0xBD5F8E0E] <-- ROOTKIT !!!
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_w2K_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xBD5F8E80] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

? djznmxg.sys Impossibile trovare il file specificato. !
? C:\WINNT\system32\drivers\sptd.sys Impossibile accedere al file. Il file è utilizzato da un altro processo.

---- User code sections - GMER 1.0.14 ----

.text C:\WINNT\system32\services.exe[296] ntdll.dll!NtQueryInformationProcess 784688CC 5 Bytes JMP 01599DB4
.text C:\WINNT\system32\services.exe[296] NETAPI32.dll!NetpwPathCanonicalize 7CE0AAA1 5 Bytes JMP 01599D54
? C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[548] C:\WINNT\system32\KERNEL32.dll time/date stamp mismatch;
.text C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[548] USER32.dll!UserClientDllInitialize + 31F 77E42268 4 Bytes [ 70, 11, 41, 6D ]
.text C:\WINNT\System32\svchost.exe[576] ntdll.dll!NtQueryInformationProcess 784688CC 5 Bytes JMP 009E9DB4
.text C:\WINNT\System32\svchost.exe[576] NETAPI32.dll!NetpwPathCanonicalize 7CE0AAA1 5 Bytes JMP 009E9D54
? C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1272] C:\WINNT\system32\KERNEL32.dll time/date stamp mismatch;
.text C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1272] USER32.dll!UserClientDllInitialize + 31F 77E42268 4 Bytes [ 70, 11, 41, 6D ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINNT\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [BFF3B97E] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [BFF3B92A] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [BFF56B4E] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [BFF3B97E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BFF27B7C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BFF28728] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BFF285FE] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BFF27AB4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BFF27BFA] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.DLL!READ_PORT_UCHAR] [BFF3AC5A] sptd.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [BF8BF530] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\msgpc.sys[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [BF8BF530] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\wdmaud.sys[NTOSKRNL.EXE!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\sysaudio.sys[NTOSKRNL.EXE!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ipsec.sys[NTOSKRNL.EXE!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\kmixer.sys[NTOSKRNL.EXE!IoCreateDevice] [BF8BF400] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [7789786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [7789771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [77897A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [77897800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [77897955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [7789786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [77897A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [77897800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [7789771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [7789786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [77897A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [7789771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [77897800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [77897955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [77897800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [77897A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [7789771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [7789786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [77897955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [77897800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [7789786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7789771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [77897A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [778978DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [77897955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [7789786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [77897A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [77897800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [7789771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.DLL!LoadLibraryA] [77897800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.DLL!FreeLibrary] [77897A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.DLL!GetProcAddress] [7789771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [77897955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [77897800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [7789771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [7789786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [77897A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [7789771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [77897800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [77897A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [7789786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [77897955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [7789786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [77897A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [77897955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [77897800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [7789771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryW] [7789786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!GetProcAddress] [7789771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryA] [77897800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!FreeLibrary] [77897A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7789771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [77897800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [77897955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [778978DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[952] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [77897A04] C:\WINNT\system32\shim.dll (Shim Engine DL

#7
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello.. your GMER report is too long and has been cut off.. Please redo the GMER step again and attach the log here..

Please refer to the picture below.. Please use the Add Reply button..

At the bottom right-hand corner of your reply page, you will see a picture like the one below.. Click it for a closer view..

Posted Image


Save the GMER report as a Notepad file on your Desktop and upload that file. Press the UPLOAD button next to it.. Wait until the attachment upload process is completed..

Then press Add Reply


Regards
fenzodahl512

#8
Flegias

  • Topic Starter
  • Member
  • 32 posts
Hello fenzodahl512,

see the attachment for the gmer log.

thank you!

Attached Files

  • Attached File  gmer.txt   37.34KB   460 downloads


#9
fenzodahl512

  • Malware Removal
  • 9,863 posts
I'm glad I insisted on the GMER report, because now I see a rootkit inside your computer.. Let's do this...


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it will produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

#10
Flegias

  • Topic Starter
  • Member
  • 32 posts
During the final steps of ComboFix, after the reboot, I had some errors because there was not enough space on the disk.

However, the ComboFix log was created:

ComboFix 09-02-15.01 - Administrator 16/02/2009 10.23.45.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1040.18.511.334 [GMT 1:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\Web\default.htt

.
((((((((((((((((((((((((( Files Creati Da 2009-01-16 al 2009-02-16 )))))))))))))))))))))))))))))))))))
.

2009-02-13 15:41 . 09-02-13 15:42 <DIR> d-------- C:\rsit
2009-02-13 14:23 . 09-02-13 14:23 <DIR> d-------- c:\programmi\ERUNT
2009-02-11 09:18 . 09-02-11 09:18 <DIR> d-------- c:\programmi\Trend Micro
2009-02-10 12:08 . 09-02-10 12:08 0 --ahs---- c:\winnt\klif.spi
2009-02-06 14:44 . 09-02-13 14:26 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2009-02-06 14:44 . 09-02-11 10:19 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-06 14:44 . 09-02-11 10:19 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-01-29 16:49 . 09-02-16 09:18 250 --a------ c:\winnt\gmer.ini
2009-01-26 09:33 . 09-01-26 09:33 0 --a------ c:\winnt\oodcnt.INI
2009-01-23 16:50 . 09-01-26 09:32 <DIR> d-------- c:\winnt\system32\oodag

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 09:31 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab
2009-02-04 14:44 33,808 ----a-w c:\winnt\system32\drivers\klbg.sys
2009-02-04 07:58 89,601 ----a-w c:\winnt\system32\drivers\klick.dat
2009-02-04 07:58 101,287 ----a-w c:\winnt\system32\drivers\klin.dat
2009-01-23 16:05 --------- d--h--w c:\programmi\InstallShield Installation Information
2009-01-23 16:05 --------- d-----w c:\programmi\File comuni\InstallShield
2009-01-12 16:30 --------- d-----w c:\programmi\OpenVPN
2009-01-12 08:24 --------- d-----w c:\programmi\Google
2009-01-09 14:11 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-01-09 13:49 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-01-09 13:49 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2009-01-09 10:19 --------- d-----w c:\programmi\Kaspersky Lab
2008-12-23 13:52 --------- d-----w c:\programmi\File comuni\Adobe
2007-04-18 15:22 271 ---h--w c:\programmi\desktop.ini
2007-04-18 15:22 22,075 -c-h--w c:\programmi\folder.htt
1999-12-23 00:00 32,528 -c--a-w c:\winnt\inf\wbfirdma.sys
2005-08-16 03:40 171,926 --sha-r c:\winnt\system32\dwfvqwxb.dll
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-23 01:00 20752 c:\winnt\system32\internat.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wimsnn"="Wscript" [X]
"AVP"="c:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [09-02-04 15:44 206088]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]
"AtiPTA"="atiptaxx.exe" [01-09-27 00:39 245760 c:\winnt\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-23 01:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\programmi\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 188176]

c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
ERUNT AutoBackup.lnk - c:\programmi\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R?2 spbeu;Driver Manager;c:\winnt\system32\svchost.exe -k netsvcs [1999-12-23 7952]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [2008-01-29 33808]
R2 eugss;EUTRON SmartKey GSS2 Driver;c:\winnt\system32\drivers\eugss2k.sys [2008-01-21 63336]
R2 eusk2par;EUTRON SmartKey Parallel Driver;c:\winnt\system32\drivers\eusk2par.sys [2008-01-21 30656]
R3 Duntlw;UNTLW device;c:\winnt\system32\drivers\DuntlwNT.sys [2007-09-18 46976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\drivers\klim5.sys [2008-04-30 24592]
S2 XipConnect;Xway TCP/IP;c:\xwaydrv\XIPCONNECT.EXE --> c:\xwaydrv\XIPCONNECT.EXE [?]
S3 gpibclsb;GPIB Board Class Driver;c:\winnt\system32\Drivers\gpibclsb.sys --> c:\winnt\system32\Drivers\gpibclsb.sys [?]
S3 gpibclsd;GPIB Device Class Driver;c:\winnt\system32\Drivers\gpibclsd.sys --> c:\winnt\system32\Drivers\gpibclsd.sys [?]
S3 HPFLASH0;HPFLASH0;\??\c:\swsetup\SP30221\HPFlash.sys --> c:\swsetup\SP30221\HPFlash.sys [?]
S3 skeyusb;SmartKey USB;c:\winnt\system32\drivers\skeyusb.sys [2008-01-21 43968]
S3 tap0801;TAP-Win32 Adapter V8;c:\winnt\system32\drivers\tap0801.sys [2004-06-24 23552]

--- Altri Servizi/Drivers In Memoria ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lrdeqjddb
spbeu
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = <local>
IE: Converti destinazione link in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti nel file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti selezione in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {C34AF2CE-F228-47F9-8D01-5AEDBF139AFA} = 151.99.125.1
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 10:32:02
Windows 5.0.2195 Service Pack 4 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\gmer]
"ImagePath"="System32\DRIVERS\gmer.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\spbeu]
"ServiceDll"="c:\winnt\system32\dwfvqwxb.dll"
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(268)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Ora fine scansione: 2009-02-16 10:49:38 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-02-16 09:49:33

Pre-Run: 131.485.696 byte disponibili
Post-Run: 55,005,184 byte disponibili

130 --- E O F --- 2008-07-14 08:19:41
#11
fenzodahl512

  • Malware Removal
  • 9,863 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

NetSVC::
spbeu
lrdeqjddb

Driver::
spbeu
lrdeqjdd

File::
c:\winnt\system32\dwfvqwxb.dll
c:\winnt\system32\internat.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

#12
Flegias
  • Topic Starter
  • Member
  • 32 posts
ComboFix 09-02-15.01 - Administrator 16/02/2009 12.01.53.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1040.18.511.346 [GMT 1:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Administrator\Desktop\CFScript.txt

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

FILE ::
c:\winnt\system32\dwfvqwxb.dll
c:\winnt\system32\internat.exe
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\dwfvqwxb.dll
c:\winnt\system32\internat.exe

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SPBEU
-------\Service_spbeu


((((((((((((((((((((((((( Files Creati Da 2009-01-16 al 2009-02-16 )))))))))))))))))))))))))))))))))))
.

2009-02-16 11:10 . 09-02-16 11:12 <DIR> d-------- c:\winnt\SHELLNEW
2009-02-16 11:09 . 09-02-16 11:09 <DIR> d-------- c:\programmi\Microsoft.NET
2009-02-13 15:41 . 09-02-13 15:42 <DIR> d-------- C:\rsit
2009-02-13 14:23 . 09-02-13 14:23 <DIR> d-------- c:\programmi\ERUNT
2009-02-11 09:18 . 09-02-11 09:18 <DIR> d-------- c:\programmi\Trend Micro
2009-02-10 12:08 . 09-02-10 12:08 0 --ahs---- c:\winnt\klif.spi
2009-01-29 16:49 . 09-02-16 09:18 250 --a------ c:\winnt\gmer.ini
2009-01-26 09:33 . 09-01-26 09:33 0 --a------ c:\winnt\oodcnt.INI
2009-01-23 16:50 . 09-01-26 09:32 <DIR> d-------- c:\winnt\system32\oodag

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 10:18 --------- d-----w c:\programmi\Google
2009-02-16 09:56 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab
2009-02-16 09:45 --------- d-----w c:\programmi\Hewlett-Packard
2009-02-04 14:44 33,808 ----a-w c:\winnt\system32\drivers\klbg.sys
2009-02-04 07:58 89,601 ----a-w c:\winnt\system32\drivers\klick.dat
2009-02-04 07:58 101,287 ----a-w c:\winnt\system32\drivers\klin.dat
2009-01-23 16:05 --------- d--h--w c:\programmi\InstallShield Installation Information
2009-01-23 16:05 --------- d-----w c:\programmi\File comuni\InstallShield
2009-01-12 16:30 --------- d-----w c:\programmi\OpenVPN
2009-01-09 14:11 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-01-09 13:49 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-01-09 13:49 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2009-01-09 10:19 --------- d-----w c:\programmi\Kaspersky Lab
2008-12-23 13:52 --------- d-----w c:\programmi\File comuni\Adobe
2007-04-18 15:22 271 ---h--w c:\programmi\desktop.ini
2007-04-18 15:22 22,075 -c-h--w c:\programmi\folder.htt
1999-12-23 00:00 32,528 -c--a-w c:\winnt\inf\wbfirdma.sys
2005-08-16 03:40 171,926 --sha-r c:\winnt\system32\dwfvqwxb.dll
.

((((((((((((((((((((((((((((( SnapShot@lun 2009-02-16_10.35.20.06 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-18 13:54:08 110,592 -c--a-w c:\winnt\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll
+ 2009-02-16 10:12:00 110,592 ----a-w c:\winnt\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll
- 2008-01-18 13:54:08 64,088 -c--a-w c:\winnt\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2009-02-16 10:12:00 64,088 ----a-w c:\winnt\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
- 2008-01-18 13:54:08 229,376 -c--a-w c:\winnt\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL
+ 2009-02-16 10:12:00 229,376 ----a-w c:\winnt\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL
- 2008-01-18 13:54:09 4,096 -c--a-w c:\winnt\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll
+ 2009-02-16 10:12:00 4,096 ----a-w c:\winnt\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll
- 2008-01-18 13:54:08 223,800 -c--a-w c:\winnt\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2009-02-16 10:11:59 223,800 ----a-w c:\winnt\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
- 2008-01-18 13:54:09 16,384 -c--a-w c:\winnt\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll
+ 2009-02-16 10:12:00 16,384 ----a-w c:\winnt\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll
- 2008-01-18 13:55:46 593,920 -c--a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-02-16 10:14:16 593,920 ----a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-01-18 13:55:46 12,288 -c--a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-02-16 10:14:16 12,288 ----a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-01-18 13:55:46 135,168 -c--a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-02-16 10:14:16 135,168 ----a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-01-18 13:55:46 11,264 -c--a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-02-16 10:14:16 11,264 ----a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-01-18 13:55:46 27,136 -c--a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-02-16 10:14:16 27,136 ----a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-01-18 13:55:46 4,096 -c--a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-02-16 10:14:16 4,096 ----a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-01-18 13:55:47 794,624 -c--a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2009-02-16 10:14:16 794,624 ----a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-01-18 13:55:46 249,856 -c--a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-02-16 10:14:16 249,856 ----a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-01-18 13:55:46 61,440 -c--a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2009-02-16 10:14:16 61,440 ----a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-01-18 13:55:47 23,040 -c--a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-02-16 10:14:16 23,040 ----a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-01-18 13:55:46 286,720 -c--a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-02-16 10:14:16 286,720 ----a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-01-18 13:55:45 409,600 -c--a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-02-16 10:14:15 409,600 ----a-r c:\winnt\Installer\{91110410-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2009-01-09 10:07:22 233,576 ----a-w c:\winnt\system32\FNTCACHE.DAT
+ 2009-02-16 11:08:38 313,176 ----a-w c:\winnt\system32\FNTCACHE.DAT
.
-- Snapshot per reimpostare la data corrente --
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wimsnn"="Wscript" [X]
"AVP"="c:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [09-02-04 15:44 206088]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]
"AtiPTA"="atiptaxx.exe" [01-09-27 00:39 245760 c:\winnt\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\programmi\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 188176]

c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
ERUNT AutoBackup.lnk - c:\programmi\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [2008-01-29 33808]
R2 eugss;EUTRON SmartKey GSS2 Driver;c:\winnt\system32\drivers\eugss2k.sys [2008-01-21 63336]
R2 eusk2par;EUTRON SmartKey Parallel Driver;c:\winnt\system32\drivers\eusk2par.sys [2008-01-21 30656]
R3 Duntlw;UNTLW device;c:\winnt\system32\drivers\DuntlwNT.sys [2007-09-18 46976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\drivers\klim5.sys [2008-04-30 24592]
S2 XipConnect;Xway TCP/IP;c:\xwaydrv\XIPCONNECT.EXE --> c:\xwaydrv\XIPCONNECT.EXE [?]
S3 gpibclsb;GPIB Board Class Driver;c:\winnt\system32\Drivers\gpibclsb.sys --> c:\winnt\system32\Drivers\gpibclsb.sys [?]
S3 gpibclsd;GPIB Device Class Driver;c:\winnt\system32\Drivers\gpibclsd.sys --> c:\winnt\system32\Drivers\gpibclsd.sys [?]
S3 HPFLASH0;HPFLASH0;\??\c:\swsetup\SP30221\HPFlash.sys --> c:\swsetup\SP30221\HPFlash.sys [?]
S3 skeyusb;SmartKey USB;c:\winnt\system32\drivers\skeyusb.sys [2008-01-21 43968]
S3 tap0801;TAP-Win32 Adapter V8;c:\winnt\system32\drivers\tap0801.sys [2004-06-24 23552]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
uinocitw
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = <local>
IE: Converti destinazione link in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti nel file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti selezione in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {C34AF2CE-F228-47F9-8D01-5AEDBF139AFA} = 151.99.125.1
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 12:11:11
Windows 5.0.2195 Service Pack 4 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


c:\winnt\system32\dwfvqwxb.dll 171926 bytes executable

Scansione completata con successo
Files nascosti: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uinocitw]
"ServiceDll"="c:\winnt\system32\dwfvqwxb.dll"
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(264)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Ora fine scansione: 2009-02-16 12:17:27 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-02-16 11:17:19
ComboFix2.txt 2009-02-16 09:49:43

Pre-Run: 86.302.720 byte disponibili
Post-Run: 89,911,296 byte disponibili

176 --- E O F --- 2008-07-14 08:19:41



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12.19.29, on 16/02/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\atiptaxx.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINNT\explorer.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [wimsnn] Wscript C:\WINNT\ACTIVE SETUP LOGMSE.VBS /B
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Programmi\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programmi\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Statistiche sulla protezione del traffico Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34AF2CE-F228-47F9-8D01-5AEDBF139AFA}: NameServer = 151.99.125.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: Xway TCP/IP (XipConnect) - Unknown owner - C:\XWAYDRV\XIPCONNECT.EXE (file missing)

--
End of file - 5220 bytes

#13
fenzodahl512
  • Malware Removal
  • 9,863 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Rootkit::
c:\winnt\system32\dwfvqwxb.dll

Driver::
uinocitw

NetSvc::
uinocitw

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wimsnn"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uinocitw]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

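The reasoning behind the two CFScripts above, as an added Python example that is not part of the thread or of ComboFix: a name in the Svchost NetSvcs group that is not a known Windows service, whose ServiceDll catchme reports as hidden and whose file row carries the system+hidden attributes, is the svchost-hosted service Kido leaves behind. The allow-list of legitimate NetSvcs members and the sample log are constructed for illustration.

```python
# Added example (not the thread's or ComboFix's code): automates the correlation
# the helper made by eye; the allow-list and sample log below are constructed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Partial allow-list of legitimate NetSvcs members on Windows 2000/XP (constructed
# for this example; build the real one from a known-clean host of the same build).
KNOWN_NETSVCS = {"browser", "cryptsvc", "dhcp", "lanmanserver", "lanmanworkstation",
                 "netman", "rasman", "schedule", "seclogon", "sens", "w32time",
                 "winmgmt", "wmi", "wzcsvc"}

SERVICE_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
SERVICE_DLL = re.compile(r'^"ServiceDll"="([^"]+)"$', re.I)
CATCHME_HIDDEN = re.compile(r"^(.+?)\s+\d+ bytes\s+.+$")   # <path> <size> bytes <note>
ATTR_TOKEN = re.compile(r"^[d-][-cahsrw]{6,8}$")           # e.g. --sha-r, ----a-w, d--------

@dataclass
class ParsedLog:
    netsvcs: List[str] = field(default_factory=list)       # names under Svchost - NetSvcs
    service_dll: Dict[str, str] = field(default_factory=dict)
    catchme_hidden: Set[str] = field(default_factory=set)  # files catchme found hidden from the API
    hidden_system: Set[str] = field(default_factory=set)   # file rows carrying both s and h flags

@dataclass
class Finding:
    service: str
    dll: Optional[str]
    reasons: List[str] = field(default_factory=list)

def hidden_system_path(line: str) -> Optional[str]:
    """Path from a ComboFix file row whose attribute flags contain both 's' and 'h'."""
    if not re.match(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s", line):
        return None
    parts = line.split()
    for i, tok in enumerate(parts):           # skips date/size fields such as ---------
        if ATTR_TOKEN.match(tok) and "s" in tok and "h" in tok:
            return " ".join(parts[i + 1:]).lower()
    return None

def parse_log(text: str) -> ParsedLog:
    """Pull the NetSvcs list, ServiceDll map and hidden-file sets out of a ComboFix log."""
    out, service, in_netsvcs, in_catchme = ParsedLog(), None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_netsvcs and line and line != ".":   # names follow the header until blank or "."
            out.netsvcs.append(line.lower())
            continue
        in_netsvcs = False
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
        elif line.startswith("catchme "):         # catchme block runs until the next **** rule
            in_catchme = True
        elif line.startswith("****"):
            in_catchme = False
        elif in_catchme:
            if m := CATCHME_HIDDEN.match(line):
                out.catchme_hidden.add(m.group(1).lower())
        elif m := SERVICE_KEY.match(line):
            service = m.group(1).lower()
        elif (m := SERVICE_DLL.match(line)) and service:
            out.service_dll[service] = m.group(1).lower()
        elif path := hidden_system_path(line):
            out.hidden_system.add(path)
    return out

def triage(parsed: ParsedLog) -> List[Finding]:
    """Flag NetSvcs members that are not known services, with the corroborating evidence."""
    findings = []
    for name in parsed.netsvcs:
        if name in KNOWN_NETSVCS:
            continue
        dll = parsed.service_dll.get(name)
        f = Finding(name, dll, ["not a known NetSvcs member"])
        if dll is None:
            f.reasons.append("no ServiceDll key found for this service")
        if dll in parsed.catchme_hidden:
            f.reasons.append("ServiceDll hidden from the API (catchme)")
        if dll in parsed.hidden_system:
            f.reasons.append("ServiceDll file has system+hidden attributes")
        findings.append(f)
    return findings

# Constructed sample modelled on the thread's ComboFix output (not a real log).
SAMPLE_LOG = r"""
2005-08-16 03:40 171,926 --sha-r c:\winnt\system32\dwfvqwxb.dll
2009-02-16 10:18 --------- d-----w c:\programmi\Google
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
uinocitw
wzcsvc
spbeu
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
c:\winnt\system32\dwfvqwxb.dll 171926 bytes executable
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uinocitw]
"ServiceDll"="c:\winnt\system32\dwfvqwxb.dll"
"""
```

Running `triage(parse_log(SAMPLE_LOG))` reports uinocitw with all three corroborations and spbeu as an unknown member whose service key is already gone, while wzcsvc is dropped by the allow-list.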

#14
Flegias
  • Topic Starter
  • Member
  • 32 posts
ComboFix 09-02-15.01 - Administrator 16/02/2009 14.22.11.3 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1040.18.511.372 [GMT 1:00]
Eseguito da: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Opzioni usate :: c:\documents and settings\Administrator\Desktop\CFScript.txt

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\dwfvqwxb.dll

.
((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UINOCITW
-------\Service_uinocitw


((((((((((((((((((((((((( Files Creati Da 2009-01-16 al 2009-02-16 )))))))))))))))))))))))))))))))))))
.

2009-02-16 11:10 . 09-02-16 11:12 <DIR> d-------- c:\winnt\SHELLNEW
2009-02-16 11:09 . 09-02-16 11:09 <DIR> d-------- c:\programmi\Microsoft.NET
2009-02-13 15:41 . 09-02-13 15:42 <DIR> d-------- C:\rsit
2009-02-13 14:23 . 09-02-13 14:23 <DIR> d-------- c:\programmi\ERUNT
2009-02-11 09:18 . 09-02-11 09:18 <DIR> d-------- c:\programmi\Trend Micro
2009-02-10 12:08 . 09-02-10 12:08 0 --ahs---- c:\winnt\klif.spi
2009-01-29 16:49 . 09-02-16 09:18 250 --a------ c:\winnt\gmer.ini
2009-01-26 09:33 . 09-01-26 09:33 0 --a------ c:\winnt\oodcnt.INI
2009-01-23 16:50 . 09-01-26 09:32 <DIR> d-------- c:\winnt\system32\oodag

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 13:18 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab
2009-02-16 11:08 --------- d-----w c:\programmi\Google
2009-02-16 09:45 --------- d-----w c:\programmi\Hewlett-Packard
2009-02-04 14:44 33,808 ----a-w c:\winnt\system32\drivers\klbg.sys
2009-02-04 07:58 89,601 ----a-w c:\winnt\system32\drivers\klick.dat
2009-02-04 07:58 101,287 ----a-w c:\winnt\system32\drivers\klin.dat
2009-01-23 16:05 --------- d--h--w c:\programmi\InstallShield Installation Information
2009-01-23 16:05 --------- d-----w c:\programmi\File comuni\InstallShield
2009-01-12 16:30 --------- d-----w c:\programmi\OpenVPN
2009-01-09 14:11 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2009-01-09 13:49 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2009-01-09 13:49 --------- d-----w c:\documents and settings\Administrator\Dati applicazioni\Malwarebytes
2009-01-09 10:19 --------- d-----w c:\programmi\Kaspersky Lab
2008-12-23 13:52 --------- d-----w c:\programmi\File comuni\Adobe
2007-04-18 15:22 271 ---h--w c:\programmi\desktop.ini
2007-04-18 15:22 22,075 -c-h--w c:\programmi\folder.htt
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [09-02-04 15:44 206088]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]
"AtiPTA"="atiptaxx.exe" [01-09-27 00:39 245760 c:\winnt\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\programmi\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 188176]

c:\documents and settings\Administrator\Menu Avvio\Programmi\Esecuzione automatica\
ERUNT AutoBackup.lnk - c:\programmi\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\winnt\system32\drivers\klbg.sys [2008-01-29 33808]
R2 eugss;EUTRON SmartKey GSS2 Driver;c:\winnt\system32\drivers\eugss2k.sys [2008-01-21 63336]
R2 eusk2par;EUTRON SmartKey Parallel Driver;c:\winnt\system32\drivers\eusk2par.sys [2008-01-21 30656]
R3 Duntlw;UNTLW device;c:\winnt\system32\drivers\DuntlwNT.sys [2007-09-18 46976]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\drivers\klim5.sys [2008-04-30 24592]
S2 XipConnect;Xway TCP/IP;c:\xwaydrv\XIPCONNECT.EXE --> c:\xwaydrv\XIPCONNECT.EXE [?]
S3 gpibclsb;GPIB Board Class Driver;c:\winnt\system32\Drivers\gpibclsb.sys --> c:\winnt\system32\Drivers\gpibclsb.sys [?]
S3 gpibclsd;GPIB Device Class Driver;c:\winnt\system32\Drivers\gpibclsd.sys --> c:\winnt\system32\Drivers\gpibclsd.sys [?]
S3 HPFLASH0;HPFLASH0;\??\c:\swsetup\SP30221\HPFlash.sys --> c:\swsetup\SP30221\HPFlash.sys [?]
S3 skeyusb;SmartKey USB;c:\winnt\system32\drivers\skeyusb.sys [2008-01-21 43968]
S3 tap0801;TAP-Win32 Adapter V8;c:\winnt\system32\drivers\tap0801.sys [2004-06-24 23552]
.
.
------- Scansione supplementare -------
.
uStart Page = hxxp://www.google.it/
uInternet Settings,ProxyOverride = <local>
IE: Converti destinazione link in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti destinazione link in file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti i link selezionati in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Converti i link selezionati in file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Converti in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti nel file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Converti selezione in Adobe PDF - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Converti selezione in file PDF esistente - f:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
TCP: {C34AF2CE-F228-47F9-8D01-5AEDBF139AFA} = 151.99.125.1
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 14:31:24
Windows 5.0.2195 Service Pack 4 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- CHIAVI DI REGISTRO BLOCCATE ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(264)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1304)
c:\winnt\AppPatch\AcLayers.DLL
.
Ora fine scansione: 2009-02-16 14:37:07 - Il pc è stato riavviato
ComboFix-quarantined-files.txt 2009-02-16 13:36:59
ComboFix2.txt 2009-02-16 11:17:29
ComboFix3.txt 2009-02-16 09:49:43

Pre-Run: 95.592.448 byte disponibili
Post-Run: 87,470,080 byte disponibili

124 --- E O F --- 2008-07-14 08:19:41



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14.40.49, on 16/02/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\atiptaxx.exe
C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\WINNT\explorer.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Programmi\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Programmi\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Converti destinazione link in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti destinazione link in file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti i link selezionati in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Converti i link selezionati in file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Converti in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti nel file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Converti selezione in Adobe PDF - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Converti selezione in file PDF esistente - res://F:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Statistiche sulla protezione del traffico Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{C34AF2CE-F228-47F9-8D01-5AEDBF139AFA}: NameServer = 151.99.125.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\hpzipm12.exe
O23 - Service: Xway TCP/IP (XipConnect) - Unknown owner - C:\XWAYDRV\XIPCONNECT.EXE (file missing)

--
End of file - 5165 bytes

#15
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please do this step before you sleep or when you don't use the computer, as it will take quite a while.

Please run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.


  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.


When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



How is the computer now? :)