
HiJack This log

Discussion in 'Malware and Virus Removal Archive' started by paodon, 2007/01/01.

Thread Status:
Not open for further replies.
  1. 2007/01/01
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    Happy new Year!

    I'm having some problems with different malware found by AVG in the directory c:/windows/temp
    I manually cancel every file in the directory, but they always come back.

    Could you check my log file?
    Thank you.


    Logfile of HijackThis v1.99.1
    Scan saved at 0.40.08, on 01/01/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Programmi\Comodo\Firewall\cmdagent.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\firebird\firebird_1_5\bin\fbguard.exe
    C:\WINDOWS\Nvds.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\firebird\firebird_1_5\bin\fbserver.exe
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\VNICMon.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    C:\Programmi\QuickTime\qttask.exe
    C:\Programmi\Pando Networks\Pando\Pando.exe
    C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Programmi\Comodo\Firewall\CPF.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\Messenger\msmsgs.exe
    C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Programmi\File comuni\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Programmi\WinZip\WZQKPICK.EXE
    C:\Programmi\stickies\stickies.exe
    C:\WINDOWS\system32\dslAgent.exe
    C:\Programmi\IPM\Adsl\DataWay\dslstat.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NIC Monitor] VNICMon.exe
    O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82 "
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Pando] "C:\Programmi\Pando Networks\Pando\Pando.exe" /Automation
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Programmi\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\PAOLAI~1\IMPOST~1\Temp\GsiInst.exe INSTALL E:\DATAWA~4\ 13
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
    O4 - Startup: Stickies.lnk = C:\Programmi\stickies\stickies.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Promemoria del Calendario di Microsoft Works.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {373FF7F0-EB8B-11CD-8820-08002B2F4F5A} - http://ww3.pcn.minambiente.it/ecwplugins/COMCTL.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - http://www.photocity.it/areaclienti/inviafoto/ImageUploader4.cab
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} - http://ww3.pcn.minambiente.it/ecwplugins/ncs.cab
    O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - http://ax.emsisoft.com/asquared.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{75930C67-DA77-4F0C-BC80-A176A289BE86}: NameServer = 85.37.17.58 85.38.28.94
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
    O20 - AppInit_DLLs: \\?\C:\WINDOWS\con.lhb
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winopn32 - C:\WINDOWS\SYSTEM32\winopn32.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmi\Comodo\Firewall\cmdagent.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Programmi\firebird\firebird_1_5\bin\fbguard.exe
    O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Programmi\firebird\firebird_1_5\bin\fbserver.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Service (NVIDIA Display Driver Service) - Unknown owner - C:\WINDOWS\Nvds.exe
    O23 - Service: RZVJEYYG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\PAOLAI~1\IMPOST~1\Temp\RZVJEYYG.exe
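    The entries a helper looks at first in a log like the one above are the ones that hook into every process or into winlogon.exe (O20), autostarts or services launched from a Temp directory (O4, O23), and orphaned registrations (O2 with "(no file)"). The following Python script is an added example for this thread, not part of HijackThis or of paodon's post: it parses HijackThis v1.99-style lines and applies those defender-side heuristics. The sample lines are copied from the log above; the allow-list of Winlogon Notify packages, the severity labels and the heuristics themselves are assumptions made for illustration, not an authoritative ruleset.

```python
"""Triage a HijackThis (v1.99) log with a few defender-side heuristics.

Added example for this thread, not part of HijackThis or of the original post.
SAMPLE_LOG is a subset of the log posted in the thread; the heuristics,
allow-list and severity labels are assumptions made for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Subset of the HijackThis log posted above (copied from the thread, not constructed).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [GSISETUP] C:\DOCUME~1\PAOLAI~1\IMPOST~1\Temp\GsiInst.exe INSTALL E:\DATAWA~4\ 13
O20 - AppInit_DLLs: \\?\C:\WINDOWS\con.lhb
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winopn32 - C:\WINDOWS\SYSTEM32\winopn32.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: RZVJEYYG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\PAOLAI~1\IMPOST~1\Temp\RZVJEYYG.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O20 - AppInit_DLLs: ...".
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# Winlogon Notify packages normally present on Windows XP (assumed allow-list; extend for your own baseline).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scecli", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wgalogon", "wlballoon"}


@dataclass
class Finding:
    section: str
    severity: str
    reason: str
    line: str


def parse_hjt(text):
    """Return (section, body, line) for every HijackThis entry; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body"), line))
    return entries


def triage(text):
    """Apply the heuristics and return the findings in log order."""
    findings = []
    for sec, body, line in parse_hjt(text):
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.partition(":")[2].strip()
            if value:  # HijackThis only lists the value when it is non-empty
                reason = "AppInit_DLLs is loaded into every process that links user32.dll"
                if value.startswith("\\\\?\\"):
                    # The \\?\ prefix skips Win32 path normalisation (reserved names such as CON
                    # are not interpreted), so the file may resist ordinary path handling.
                    reason += "; the \\\\?\\ prefix bypasses Win32 path normalisation, so the file may resist ordinary tools"
                findings.append(Finding(sec, "high", reason, line))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            name = body.partition(":")[2].split(" - ")[0].strip().lower()
            if name not in KNOWN_NOTIFY:
                findings.append(Finding(sec, "high",
                                        f"Winlogon Notify package '{name}' is not in the allow-list; it runs inside winlogon.exe",
                                        line))
        elif sec in ("O4", "O23") and TEMP_DIR.search(body):
            findings.append(Finding(sec, "medium", "autostart or service runs from a Temp directory", line))
        elif sec == "O2" and "(no file)" in body:
            findings.append(Finding(sec, "low",
                                    "orphaned BHO registration (no file); harmless by itself, often a leftover of earlier malware",
                                    line))
    return findings


def severity_counts(findings):
    """Summarise findings by severity, e.g. {'high': 2, 'medium': 2, 'low': 1}."""
    return Counter(f.severity for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(dict(severity_counts(SAMPLE_LOG and triage(SAMPLE_LOG))))
```

    Run against the full log the script flags the same five entries a helper would ask about: the AppInit_DLLs value, the unlisted Winlogon Notify DLL, the two Temp-directory launches and the orphaned BHO, while leaving WgaLogon, WinPatrol and the AVG service alone. An allow-list is the weak point of any such heuristic, so treat a "high" finding as "verify this file" rather than as proof of infection.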
     
  2. 2007/01/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Welcome back.

    I see you have not updated your system since back in July when we removed a rootkit that you got. And now you're back with what appears to be another rootkit......not surprisingly I might add.

    Let's dig around some, see what else is going on and we'll run an rk tool as well.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    Download GMER from here
    • Right Click the Zip and Select "Extract All "
    • Double-click gmer.exe to launch the program.
    • Click on the Rootkit Tab and on the right side, untick the Registry box, then click Scan.
    Once the scan is done, hit the copy button, then open notepad and paste the results here for me to see.
     

  4. 2007/01/02
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    Paola Iacovazzo - 07-01-02 8.48.16,04 Service Pack 1
    ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Paola Iacovazzo\Desktop "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Programmi\File comuni\{38F2D1F0-0AF6-1040-0123-030401050027}
    C:\Programmi\File comuni\{78F2D1F0-0AF6-1040-0123-030401050027}


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-02 to 2007-01-02 ))))))))))))))))))))))))))))))))))


    2007-01-02 08:39 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-01-01 11:39 297,442 --a------ C:\WINDOWS\system32\drivers\gwausb.sys
    2007-01-01 11:39 24,576 --a------ C:\WINDOWS\system32\CoInst.dll
    2007-01-01 11:39 16,384 --a------ C:\WINDOWS\system32\dslagent.exe
    2007-01-01 00:13 98,816 --a------ C:\WINDOWS\system32\dmstyle.dll
    2007-01-01 00:13 937,984 --a------ C:\WINDOWS\system32\dxdiag.exe
    2007-01-01 00:13 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
    2007-01-01 00:13 80,896 --a------ C:\WINDOWS\system32\dpvsetup.exe
    2007-01-01 00:13 8,192 --a------ C:\WINDOWS\system32\d3d8thk.dll
    2007-01-01 00:13 797,184 --a------ C:\WINDOWS\system32\d3dim700.dll
    2007-01-01 00:13 77,824 --a------ C:\WINDOWS\system32\dpmodemx.dll
    2007-01-01 00:13 76,800 --a------ C:\WINDOWS\system32\dpwsockx.dll
    2007-01-01 00:13 76,800 --a------ C:\WINDOWS\system32\dmscript.dll
    2007-01-01 00:13 733,184 --a------ C:\WINDOWS\system32\qedwipes.dll
    2007-01-01 00:13 723,968 --a------ C:\WINDOWS\system32\dpnet.dll
    2007-01-01 00:13 7,424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
    2007-01-01 00:13 68,096 --a------ C:\WINDOWS\system32\dpnhupnp.dll
    2007-01-01 00:13 667,648 --a------ C:\WINDOWS\system32\dinput8.dll
    2007-01-01 00:13 648,704 --a------ C:\WINDOWS\system32\dinput.dll
    2007-01-01 00:13 64,512 --a------ C:\WINDOWS\system32\amstream.dll
    2007-01-01 00:13 602,624 --a------ C:\WINDOWS\system32\dx7vb.dll
    2007-01-01 00:13 590,336 --a------ C:\WINDOWS\system32\d3dramp.dll
    2007-01-01 00:13 58,368 --a------ C:\WINDOWS\system32\dmcompos.dll
    2007-01-01 00:13 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
    2007-01-01 00:13 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
    2007-01-01 00:13 5,248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
    2007-01-01 00:13 491,520 --a------ C:\WINDOWS\system32\dsdmoprp.dll
    2007-01-01 00:13 47,616 --a------ C:\WINDOWS\system32\d3dxof.dll
    2007-01-01 00:13 47,104 --a------ C:\WINDOWS\system32\wstdecod.dll
    2007-01-01 00:13 467,968 --a------ C:\WINDOWS\system32\diactfrm.dll
    2007-01-01 00:13 45,696 --a------ C:\WINDOWS\system32\drivers\stream.sys
    2007-01-01 00:13 449,024 --a------ C:\WINDOWS\system32\qdvd.dll
    2007-01-01 00:13 44,544 --a------ C:\WINDOWS\system32\dxdllreg.exe
    2007-01-01 00:13 44,032 --a------ C:\WINDOWS\system32\dimap.dll
    2007-01-01 00:13 436,224 --a------ C:\WINDOWS\system32\d3dim.dll
    2007-01-01 00:13 4,608 --a------ C:\WINDOWS\system32\drivers\mspqm.sys
    2007-01-01 00:13 4,096 --a------ C:\WINDOWS\system32\drivers\swenum.sys
    2007-01-01 00:13 381,952 --a------ C:\WINDOWS\system32\dpvoice.dll
    2007-01-01 00:13 355,328 --a------ C:\WINDOWS\system32\dsound.dll
    2007-01-01 00:13 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll
    2007-01-01 00:13 350,208 --a------ C:\WINDOWS\system32\d3drm.dll
    2007-01-01 00:13 34,816 --a------ C:\WINDOWS\system32\d3dpmesh.dll
    2007-01-01 00:13 34,304 --a------ C:\WINDOWS\system32\mciqtz32.dll
    2007-01-01 00:13 33,280 --a------ C:\WINDOWS\system32\dmloader.dll
    2007-01-01 00:13 324,096 --a------ C:\WINDOWS\system32\mswebdvd.dll
    2007-01-01 00:13 32,768 --a------ C:\WINDOWS\system32\dpnhpast.dll
    2007-01-01 00:13 311,808 --a------ C:\WINDOWS\system32\qdv.dll
    2007-01-01 00:13 31,744 --a------ C:\WINDOWS\system32\pid.dll
    2007-01-01 00:13 3,072 --a------ C:\WINDOWS\system32\dpnlobby.dll
    2007-01-01 00:13 3,072 --a------ C:\WINDOWS\system32\dpnaddr.dll
    2007-01-01 00:13 28,160 --a------ C:\WINDOWS\system32\dplaysvr.exe
    2007-01-01 00:13 27,136 --a------ C:\WINDOWS\system32\dmband.dll
    2007-01-01 00:13 257,024 --a------ C:\WINDOWS\system32\qcap.dll
    2007-01-01 00:13 24,064 --a------ C:\WINDOWS\system32\ddrawex.dll
    2007-01-01 00:13 223,232 --a------ C:\WINDOWS\system32\gcdef.dll
    2007-01-01 00:13 217,600 --a------ C:\WINDOWS\system32\dplayx.dll
    2007-01-01 00:13 19,968 --a------ C:\WINDOWS\system32\dpvacm.dll
    2007-01-01 00:13 186,880 --a------ C:\WINDOWS\system32\dsdmo.dll
    2007-01-01 00:13 18,944 --a------ C:\WINDOWS\system32\encapi.dll
    2007-01-01 00:13 18,688 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
    2007-01-01 00:13 18,432 --a------ C:\WINDOWS\system32\dswave.dll
    2007-01-01 00:13 171,520 --a------ C:\WINDOWS\system32\dmime.dll
    2007-01-01 00:13 16,896 --a------ C:\WINDOWS\system32\msyuv.dll
    2007-01-01 00:13 16,896 --a------ C:\WINDOWS\system32\dpnsvr.exe
    2007-01-01 00:13 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
    2007-01-01 00:13 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
    2007-01-01 00:13 14,976 --a------ C:\WINDOWS\system32\drivers\streamip.sys
    2007-01-01 00:13 130,304 --a------ C:\WINDOWS\system32\drivers\ks.sys
    2007-01-01 00:13 13,312 --a------ C:\WINDOWS\system32\msdmo.dll
    2007-01-01 00:13 116,736 --a------ C:\WINDOWS\system32\dmusic.dll
    2007-01-01 00:13 112,128 --a------ C:\WINDOWS\system32\dpvvox.dll
    2007-01-01 00:13 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
    2007-01-01 00:13 100,864 --a------ C:\WINDOWS\system32\dmsynth.dll
    2007-01-01 00:13 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
    2007-01-01 00:13 10,496 --a------ C:\WINDOWS\system32\drivers\dxapi.sys
    2007-01-01 00:13 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
    2007-01-01 00:13 1,962,496 --a------ C:\WINDOWS\system32\quartz.dll
    2007-01-01 00:13 1,798,144 --a------ C:\WINDOWS\system32\qedit.dll
    2007-01-01 00:13 1,675,264 --a------ C:\WINDOWS\system32\dxdiagn.dll
    2007-01-01 00:13 1,634,304 --a------ C:\WINDOWS\system32\d3d9.dll
    2007-01-01 00:13 1,294,336 --a------ C:\WINDOWS\system32\dsound3d.dll
    2007-01-01 00:13 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll
    2007-01-01 00:13 1,189,888 --a------ C:\WINDOWS\system32\dx8vb.dll
    2007-01-01 00:13 1,177,600 --a------ C:\WINDOWS\system32\d3d8.dll
    2006-12-31 21:45 <DIR> d-------- C:\WINDOWS\Prefetch
    2006-12-31 21:39 81,408 --a------ C:\WINDOWS\system32\msoert2.dll
    2006-12-31 21:39 587,776 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-12-31 21:39 50,688 --a------ C:\WINDOWS\system32\inetres.dll
    2006-12-31 21:39 229,376 --a------ C:\WINDOWS\system32\srrstr.dll
    2006-12-31 21:39 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll
    2006-12-31 21:39 222,720 --a------ C:\WINDOWS\system32\qmgr.dll
    2006-12-31 21:39 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2006-12-31 21:38 9,728 --a------ C:\WINDOWS\system32\xolehlp.dll
    2006-12-31 21:38 869,376 --a------ C:\WINDOWS\system32\msdtctm.dll
    2006-12-31 21:38 83,968 --a------ C:\WINDOWS\system32\mtxoci.dll
    2006-12-31 21:38 82,432 --a------ C:\WINDOWS\system32\comrepl.dll
    2006-12-31 21:38 582,656 --a------ C:\WINDOWS\system32\catsrvut.dll
    2006-12-31 21:38 56,832 --a------ C:\WINDOWS\system32\colbact.dll
    2006-12-31 21:38 495,616 --a------ C:\WINDOWS\system32\hypertrm.dll
    2006-12-31 21:38 495,616 --a------ C:\WINDOWS\system32\comuid.dll
    2006-12-31 21:38 468,480 --a------ C:\WINDOWS\system32\clbcatq.dll
    2006-12-31 21:38 359,936 --a------ C:\WINDOWS\system32\msdtcprx.dll
    2006-12-31 21:38 215,040 --a------ C:\WINDOWS\system32\catsrv.dll
    2006-12-31 21:38 190,464 --a------ C:\WINDOWS\system32\wuaueng.dll
    2006-12-31 21:38 151,040 --a------ C:\WINDOWS\system32\msdtcuiu.dll
    2006-12-31 21:38 142,336 --a------ C:\WINDOWS\system32\wuauclt.exe
    2006-12-31 21:38 115,976 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
    2006-12-31 21:38 100,864 --a------ C:\WINDOWS\system32\clbcatex.dll
    2006-12-31 21:38 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll
    2006-12-31 21:37 79,872 --a------ C:\WINDOWS\system32\irmon.dll
    2006-12-31 21:37 7,680 --a------ C:\WINDOWS\system32\wshirda.dll
    2006-12-31 21:37 55,296 --a------ C:\WINDOWS\system32\drivers\irda.sys
    2006-12-31 21:37 100,352 --a------ C:\WINDOWS\system32\irftp.exe
    2006-12-31 21:21 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
    2006-12-31 21:21 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
    2006-12-31 21:21 13,312 --a------ C:\WINDOWS\system32\irclass.dll
    2006-12-31 11:30 16,896 --a------ C:\WINDOWS\system32\winopn32.dll
    2006-12-28 22:39 69,120 --a------ C:\WINDOWS\system32\drivers\inspect.sys
    2006-12-28 22:39 61,056 --a------ C:\WINDOWS\system32\drivers\cmdmon.sys
    2006-12-28 18:45 89,600 -r-hs---- C:\WINDOWS\Nvds.exe
    2006-12-26 20:19 <DIR> d-------- C:\Programmi\BearShare
    2006-12-26 17:43 <DIR> d-------- C:\My Downloads
    2006-12-26 17:12 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2006-12-26 16:43 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
    2006-12-25 20:46 86,016 --------- C:\WINDOWS\system32\qtXLS.dll
    2006-12-25 20:46 421,888 --------- C:\WINDOWS\system32\DFORRT.DLL
    2006-12-25 20:46 <DIR> d-------- C:\Richard_Davies
    2006-12-22 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Avg7
    2006-12-22 21:36 <DIR> d-------- C:\Programmi\Downloaded Installations
    2006-12-22 19:16 <DIR> d-------- C:\Documents and Settings\Paola Iacovazzo\Dati applicazioni\DivX
    2006-12-22 11:44 118,784 --a------ C:\WINDOWS\system32\CoordTransXP.dll
    2006-12-21 14:49 7,296 -ra------ C:\WINDOWS\system32\drivers\grmnusb.sys
    2006-12-21 14:49 17,024 -ra------ C:\WINDOWS\system32\drivers\grmngen.sys
    2006-12-21 14:17 49,152 -ra------ C:\WINDOWS\system32\INETWH32.dll
    2006-12-21 14:17 1,089,536 --------- C:\WINDOWS\system32\ROBOEX32.DLL
    2006-12-21 14:17 <DIR> d-------- C:\Garmin
    2006-12-12 17:30 520,192 --a------ C:\WINDOWS\system32\DivXsm.exe
    2006-12-12 17:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
    2006-12-12 17:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
    2006-12-12 17:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
    2006-12-12 17:25 806,912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
    2006-12-12 17:25 806,912 --a------ C:\WINDOWS\system32\divx_xx07.dll
    2006-12-12 17:25 790,528 --a------ C:\WINDOWS\system32\divx_xx11.dll
    2006-12-12 17:25 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
    2006-12-12 17:25 635,486 --a------ C:\WINDOWS\system32\DivX.dll
    2006-12-12 17:25 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
    2006-12-12 17:25 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
    2006-12-12 17:25 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
    2006-12-12 17:25 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
    2006-12-12 17:25 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
    2006-12-12 17:25 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
    2006-12-12 17:25 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
    2006-12-12 17:24 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
    2006-12-12 17:24 118,784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-02 08:48 -------- d-------- C:\Programmi\File comuni
    2007-01-01 11:57 -------- d-------- C:\Programmi\SpywareBlaster
    2007-01-01 11:39 -------- d-------- C:\Programmi\IPM
    2006-12-31 21:49 -------- d---s---- C:\Documents and Settings\Paola Iacovazzo\Dati applicazioni\Microsoft
    2006-12-31 21:41 -------- d-------- C:\Programmi\Windows Media Player
    2006-12-31 21:39 -------- d-------- C:\Programmi\Outlook Express
    2006-12-31 21:39 -------- d-------- C:\Programmi\NetMeeting
    2006-12-31 21:39 -------- d-------- C:\Programmi\File comuni\System
    2006-12-31 11:25 -------- d-------- C:\Programmi\eMule
    2006-12-31 11:14 -------- d-------- C:\Programmi\Grisoft
    2006-12-29 14:09 -------- d-------- C:\Programmi\Franson
    2006-12-28 22:39 -------- d-------- C:\Programmi\Comodo
    2006-12-28 11:24 -------- d-------- C:\Programmi\Spybot - Search & Destroy
    2006-12-26 17:12 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2006-12-22 18:59 -------- d-------- C:\Programmi\DivX
    2006-12-21 14:29 -------- d--h----- C:\Programmi\InstallShield Installation Information
    2006-11-24 20:09 -------- d-------- C:\Programmi\stickies
    2006-11-24 20:09 -------- d-------- C:\Documents and Settings\Paola Iacovazzo\Dati applicazioni\stickies
    2006-11-24 15:06 -------- d-------- C:\Programmi\File comuni\ESRI
    2006-11-23 20:06 -------- d-------- C:\Programmi\CDex_170b2
    2006-11-23 19:41 -------- d-------- C:\Programmi\PhotoFiltre
    2006-11-22 13:24 -------- d-------- C:\Programmi\PrintEngine
    2006-11-19 09:59 -------- d-------- C:\Programmi\MosUred
    2006-11-19 09:49 -------- d-------- C:\Programmi\Pando Networks


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\ctfmon.exe "
    "MSMSGS "= "\ "C:\\Programmi\\Messenger\\msmsgs.exe\" /background "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ATIPTA "= "C:\\Programmi\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe "
    "NIC Monitor "= "VNICMon.exe "
    "EPSON Stylus C82 Series "= "C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \ "EPSON Stylus C82 Series\" /O6 \ "USB001\" /M \ "Stylus C82\" "
    "WinPatrol "= "C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe "
    "QuickTime Task "= "\ "C:\\Programmi\\QuickTime\\qttask.exe\" -atboottime "
    "NeroFilterCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "Pando "= "\ "C:\\Programmi\\Pando Networks\\Pando\\Pando.exe\" /Automation "
    "Comodo Firewall "= "\ "C:\\Programmi\\Comodo\\Firewall\\CPF.exe\" /background "
    "IMJPMIG8.1 "= "\ "C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32 "
    "IMEKRMIG6.1 "= "C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE "
    "DSLSTATEXE "= "C:\\Programmi\\IPM\\Adsl\\DataWay\\dslstat.exe icon "
    "DSLAGENTEXE "= "dslagent.exe USB "
    "!AVG Anti-Spyware "= "\ "C:\\Programmi\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000005

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "Pagina iniziale corrente "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo "=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "
    "Win32 "= "winnnit.exe "

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\System32\\CTFMON.EXE "
    "Win32 "= "winnnit.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Precaricatore Browseui "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Daemon di cache delle categorie di componenti "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winopn32

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "



    ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    backup-20060925-204440-299
    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe, "c:\windows\asusmon.exe ",
    backup-20060915-210015-341
    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe, "c:\windows\asusmon.exe ",
    backup-20060915-204155-177
    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe, "c:\windows\asusmon.exe ",
    backup-20060701-212236-865
    O4 - HKLM\..\Run: [pjru1.exe] C:\WINDOWS\Temp\pjru1.exe
    backup-20060701-212236-243
    R3 - Default URLSearchHook is missing
    backup-20060701-212236-776
    O2 - BHO: Class - {2B4C0EB6-D2AC-DBDE-3D8F-27D3742FE28A} - C:\WINDOWS\xhukg1.dll (file missing)
    backup-20060701-212236-733
    O4 - HKLM\..\Run: [pjru2.exe] C:\WINDOWS\Temp\pjru2.exe
    backup-20060701-212236-598
    O2 - BHO: Class - {3F89486C-EA9A-3610-8D86-4F3B23E62E67} - C:\WINDOWS\xhukg1.dll (file missing)
    backup-20060701-212236-848
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    backup-20060701-212236-214
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    backup-20060701-154717-646
    O4 - HKLM\..\Run: [pjru1.exe] C:\WINDOWS\Temp\pjru1.exe
    backup-20060630-130652-444
    O4 - HKLM\..\Run: [pjru1.exe] C:\WINDOWS\Temp\pjru1.exe
    backup-20051210-155040-953
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    backup-20051210-155040-463
    O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Programmi\RXToolBar\sfcont.dll (file missing)
    backup-20051210-155040-762
    O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programmi\RXToolBar\sfcont.dll
    backup-20051210-155040-858
    O4 - HKLM\..\Run: [Microsoft Update] wuamkp.exe
    backup-20051210-155040-746
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    backup-20051210-155040-495
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    backup-20051210-155040-673
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamkp.exe
    backup-20050602-101735-704
    O4 - HKLM\..\RunServices: [Microsoft AOL Instant Messenger] MSAOL32.exe
    backup-20050602-101735-545
    O4 - HKCU\..\RunServices: [Windows Dynamic Loading Header] winDLL32.exe
    backup-20050602-101735-443
    O4 - HKLM\..\RunServices: [file laoder configuration] rnd32.exe
    backup-20050602-101735-347
    O4 - HKCU\..\Run: [file laoder configuration] rnd32.exe
    backup-20050602-101735-257
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop.exe
    backup-20050602-101735-214
    O4 - HKCU\..\RunServices: [file laoder configuration] rnd32.exe
    backup-20050602-101735-787
    O4 - HKLM\..\Run: [file laoder configuration] rnd32.exe
    Completion time: 07-01-02 8:49:09.89
    C:\ComboFix.txt ... 07-01-02 08:49
     
  5. 2007/01/02
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2007-01-02 08:55:16
    Windows 5.1.2600 Service Pack 1


    ---- System - GMER 1.0.12 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
    SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
    SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateSection
    SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateThread
    SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteKey
    SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteValueKey
    SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
    SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenSection
    SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenThread
    SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetContextThread
    SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetValueKey
    SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
    .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 188 80502604 4 Bytes [ 3A, D3, 69, F8 ]
    .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C4 80502640 4 Bytes [ 42, D2, 69, F8 ]
    .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1D4 80502650 4 Bytes [ B8, DB, 69, F8 ]
    .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1E0 8050265C 4 Bytes [ AA, CE, 69, F8 ]
    .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 208 80502684 1 Byte [ C8 ]
    .text ...
    .text ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text ntdll.dll!NtClose 77F658AA 5 Bytes JMP 72033FAA
    .text ntdll.dll!NtCreateProcess 77F659F4 5 Bytes JMP 72034135
    .text ntdll.dll!NtCreateProcessEx 77F65A03 5 Bytes JMP 72034019
    .text ntdll.dll!NtCreateSection 77F65A21 5 Bytes JMP 72033FC8

    ---- User code sections - GMER 1.0.12 ----

    .text C:\Programmi\Messenger\msmsgs.exe[112] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\Programmi\Messenger\msmsgs.exe[112] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\Programmi\Messenger\msmsgs.exe[112] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Programmi\Messenger\msmsgs.exe[112] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\Programmi\Comodo\Firewall\cpf.exe[188] ntdll.dll!LdrLoadDll 77F45669 3 Bytes [ FF, 25, 1E ]
    .text C:\Programmi\Comodo\Firewall\cpf.exe[188] ntdll.dll!LdrLoadDll + 4 77F4566D 2 Bytes [ 0B, 5F ]
    .text C:\Programmi\Comodo\Firewall\cpf.exe[188] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\Programmi\Comodo\Firewall\cpf.exe[188] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\Programmi\Comodo\Firewall\cpf.exe[188] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Programmi\Comodo\Firewall\cpf.exe[188] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\Programmi\firebird\firebird_1_5\bin\fbserver.exe[252] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\Programmi\IPM\Adsl\DataWay\dslstat.exe[276] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\Programmi\IPM\Adsl\DataWay\dslstat.exe[276] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\Programmi\IPM\Adsl\DataWay\dslstat.exe[276] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Programmi\IPM\Adsl\DataWay\dslstat.exe[276] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\WINDOWS\system32\dslagent.exe[284] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\dslagent.exe[284] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\WINDOWS\system32\dslagent.exe[284] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\dslagent.exe[284] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[400] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[400] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[400] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[400] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\WINDOWS\system32\ctfmon.exe[432] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\ctfmon.exe[432] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\WINDOWS\system32\ctfmon.exe[432] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\ctfmon.exe[432] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\Programmi\Internet Explorer\IEXPLORE.EXE[860] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\Programmi\Internet Explorer\IEXPLORE.EXE[860] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\Programmi\Internet Explorer\IEXPLORE.EXE[860] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Programmi\Internet Explorer\IEXPLORE.EXE[860] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\WINDOWS\system32\ati2evxx.exe[1372] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\ati2evxx.exe[1372] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\WINDOWS\system32\ati2evxx.exe[1372] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\explorer.exe[1464] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\explorer.exe[1464] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\WINDOWS\explorer.exe[1464] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Programmi\firebird\firebird_1_5\bin\fbguard.exe[1496] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\WINDOWS\Nvds.exe[1524] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkCalRem.exe[1584] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkCalRem.exe[1584] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkCalRem.exe[1584] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Programmi\File comuni\Microsoft Shared\Works Shared\WkCalRem.exe[1584] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\WINDOWS\system32\snmp.exe[1732] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe[1916] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe[1916] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe[1916] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe[1916] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\WINDOWS\system32\VNICMon.exe[1924] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\VNICMon.exe[1924] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\WINDOWS\system32\VNICMon.exe[1924] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\VNICMon.exe[1924] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE[1932] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE[1932] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE[1932] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE[1932] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe[1940] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe[1940] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe[1940] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe[1940] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\Programmi\QuickTime\qttask.exe[1956] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\Programmi\QuickTime\qttask.exe[1956] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\Programmi\QuickTime\qttask.exe[1956] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Programmi\QuickTime\qttask.exe[1956] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\Programmi\Pando Networks\Pando\pando.exe[1980] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\Programmi\Pando Networks\Pando\pando.exe[1980] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\Programmi\Pando Networks\Pando\pando.exe[1980] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Programmi\Pando Networks\Pando\pando.exe[1980] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\Programmi\WinZip\WZQKPICK.EXE[2132] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\Programmi\WinZip\WZQKPICK.EXE[2132] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\Programmi\WinZip\WZQKPICK.EXE[2132] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Programmi\WinZip\WZQKPICK.EXE[2132] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\Programmi\stickies\stickies.exe[2160] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\Programmi\stickies\stickies.exe[2160] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\Programmi\stickies\stickies.exe[2160] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Programmi\stickies\stickies.exe[2160] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\WINDOWS\Temp\win77.tmp.exe[3128] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\Temp\win77.tmp.exe[3128] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\WINDOWS\Temp\win77.tmp.exe[3128] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\Temp\win77.tmp.exe[3128] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]
    .text C:\gmer.exe[3464] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
    .text C:\gmer.exe[3464] ntdll.dll!LdrUnloadDll + 4 77F457FC 2 Bytes [ 05, 5F ]
    .text C:\gmer.exe[3464] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\gmer.exe[3464] kernel32.dll!FreeLibrary + 11 77E5E69D 4 Bytes [ 9B, 19, 1A, E7 ]

    ---- Files - GMER 1.0.12 ----

    ADS C:\WINDOWS\system32: pvuku.exe

    ---- EOF - GMER 1.0.12 ----
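As an added example (not from the thread, and not GMER's own code), a small Python triage script for the report format above: it parses the SSDT, inline-hook and ADS lines and flags the three things the diagnosis in this thread rests on, namely the ntdll exports redirected by a JMP outside the module, the process running from C:\WINDOWS\Temp, and the executable hidden in an alternate data stream of system32. The trusted-driver list is an assumption the analyst supplies; the sample report lines are copied from the log above.

```python
import re
from collections import Counter

# Line shapes in a GMER 1.0.12 text report: inline code hooks, SSDT hooks, ADS entries.
HOOK_RE = re.compile(
    r"^\.text\s+(?:(?P<proc>.+?)\[(?P<pid>\d+)\]\s+)?(?P<mod>[\w.]+)!(?P<func>\w+)"
    r"(?:\s*\+\s*[0-9A-F]+)?\s+(?P<addr>[0-9A-F]{8})\s+\d+\s+Bytes?\s+(?P<patch>.+)$")
SSDT_RE = re.compile(r"^SSDT\s+(?P<driver>.+?)\s+(?P<svc>Zw\w+)$")
ADS_RE = re.compile(r"^ADS\s+(?P<path>.+?):\s+(?P<stream>\S+)$")
TEMP_DIRS = ("\\windows\\temp\\", "\\temp\\", "\\tmp\\")

def triage_gmer(report, trusted_drivers=frozenset()):
    """Return (severity, finding) pairs worth an analyst's attention in a GMER report."""
    findings, ssdt_by_driver, seen_procs = [], Counter(), set()
    for line in (l.strip() for l in report.splitlines()):
        if m := SSDT_RE.match(line):
            # SSDT hooks are normal for HIPS/AV drivers; only untrusted drivers get reported.
            ssdt_by_driver[m["driver"].rsplit("\\", 1)[-1].lower()] += 1
        elif m := ADS_RE.match(line):
            # An executable hidden in an alternate data stream of a system directory.
            findings.append(("high", f"ADS {m['stream']} on {m['path']}"))
        elif m := HOOK_RE.match(line):
            proc, patch = m["proc"], m["patch"]
            if proc is None and patch.startswith("JMP"):
                # Kernel-section ntdll export redirected to an address outside the module.
                findings.append(("high", f"inline {patch} in {m['mod']}!{m['func']} at {m['addr']}"))
            elif proc and proc not in seen_procs and any(d in proc.lower() for d in TEMP_DIRS):
                seen_procs.add(proc)
                findings.append(("high", f"process running from a temp directory: {proc}[{m['pid']}]"))
    for drv, n in ssdt_by_driver.items():
        if drv not in trusted_drivers:
            findings.append(("medium", f"{n} SSDT hook(s) by driver not on the trusted list: {drv}"))
    return findings
# Lines taken from the GMER report posted above (abridged).
SAMPLE = r"""
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \??\C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntdll.dll!NtClose 77F658AA 5 Bytes JMP 72033FAA
.text ntdll.dll!NtCreateProcess 77F659F4 5 Bytes JMP 72034135
.text C:\Programmi\Messenger\msmsgs.exe[112] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Temp\win77.tmp.exe[3128] ntdll.dll!LdrUnloadDll 77F457F8 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Temp\win77.tmp.exe[3128] kernel32.dll!LoadLibraryExW 77E5D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
ADS C:\WINDOWS\system32: pvuku.exe
"""

if __name__ == "__main__":
    # Assumption: cmdmon.sys (Comodo) and guard.sys (AVG) are the installed security tools' drivers.
    for severity, finding in triage_gmer(SAMPLE, frozenset({"cmdmon.sys", "guard.sys"})):
        print(f"[{severity}] {finding}")
```

Run against the full report, the untrusted-driver rule is the one to tune: anything hooking the SSDT that is not a known security product deserves a look before the other findings are even read.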
     
  6. 2007/01/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, after having an additional pair of eyes look at this, it was pointed out to me that you have a Gromozon infection.

    With a system that is updated, it's hard enough to try and clean without truly knowing if the system has any backdoors on it.

    Seeing as your system is totally unpatched, the best thing for you to do is to reformat the system. You are rootkitted and backdoored to oblivion.

    Then get it updated so this may not occur again.

    If you can't update the system, then we'll see you again in a few months, the next time you get rootkitted.

    You can use this link for instructions on how to reformat.

    Good luck.
     
  7. 2007/01/02
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
  8. 2007/01/03
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    As you said, I formatted everything and installed Service Pack 2.
    Everything seems ok now.

    Thanks.
     
  9. 2007/01/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    That's great news; we're glad you decided to update and get secure. You should also implement some other security apps for further protection, as described below.

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYAD below.

    To prevent known malware-infested sites from loading in IE, install IE-SPYAD.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safe you can stay with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
  10. 2007/01/03
    paodon

    paodon Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    45
    Likes Received:
    0
    Thank you! :)
     
  11. 2007/01/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Glad we could be of assistance.

    Due to resolution or the lack of feedback, this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     