
TDSS Rootkit and more?



On October 28, while surfing the web, I got a fake anti-virus. Immediately I killed Firefox, but it was too late.

The consequences were quite clear: I was no longer able to connect to the majority of web sites, including the Malwarebytes web pages; I was no longer able to send/check mail; a lot of different services were blocked from listening on their port (for example: 3537); and the Malwarebytes' Anti-Malware installed on my PC did not start any more.

At the time of the infection on my computer was running Avira AntiVir Personal.

From a different computer, I accessed the Malwarebytes forum and, following some advice, I tried to restore the system.

First, I have renamed "mbam.exe" as "winlogon.exe"

Malwarebytes' Anti-Malware 1.46

Versione database: 4915

I have started winlogon.exe (mbam.exe) and with a quick scan I have got the following results:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.139,93.188.160.19

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{30558659-1ba8-4ae0-b958-865f7cc9bb49}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.139,93.188.160.19

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{55eb5c9c-0f36-4b16-bd0e-c36653eabb06}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.139,93.188.160.19

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{55eb5c9c-0f36-4b16-bd0e-c36653eabb06}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.139,93.188.160.19

With winlogon.exe (mbam.exe) I have restored the file.

I have started winlogon.exe (mbam.exe) and I have done a complete scan and:

C:\System Volume Information\_restore{96CF19D8-81C3-4A35-8411-E2299A2E4BBA}\RP54\A0006210.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

I have manually updated the DNS and I was able again to access the web.

The infection was still there because I was not able to run Malwarebytes (so as to update mbam.exe), I was not able to send/check mail, and a lot of different services were blocked from listening on their port. Furthermore, the desktop color was not correctly updated.

I have downloaded and executed TDSSKiller and it detected 1 object:

nipxibaf (ce86c74a779068f845415362ef381228) C:\WINDOWS\system32\drivers\nipxibaf.sys

Suspicious file (Forged): C:\WINDOWS\system32\drivers\nipxibaf.sys. Real md5: ce86c74a779068f845415362ef381228, Fake md5: 3c649ba47600ca99363655d6c1835472

Backup copy not found, trying to cure infected file..

Cure success, using it..

C:\WINDOWS\system32\drivers\nipxibaf.sys - will be cured after reboot

Rootkit.Win32.TDSS.tdl3(nipxibaf) - User select action: Cure

Now the system "seems" restored and everything works correctly!

I have updated the database of Malwarebytes and I have done a quick scan with no object found.

I have executed TDSSKiller with no object found.

I have executed a complete Malwarebytes scan and it detected 1 object:

C:\System Volume Information\_restore{96CF19D8-81C3-4A35-8411-E2299A2E4BBA}\RP54\A0006211.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

I have executed a quick Malwarebytes scan with no object found.

I have executed RootRepeal:

==================================================

Scan Start Time: 2010/10/29 00:08

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Hidden/Locked Files

-------------------

Path: c:\windows\temp\hlktmp

Status: Allocation size mismatch (API: 17473536, Raw: 0)

Path: C:\Documents and Settings\Amministratore\Impostazioni locali\Temp\~DFFA1C.tmp

Status: Invisible to the Windows API!

Hidden Services

-------------------

Service Name: ztdwm

Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

What can I do now to verify if my system is really restored?

Thanks,

Arnolfi


Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Please download Rootkit Unhooker and save it on your desktop.

http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE

  • Temporarily disable your antivirus and antimalware real-time protection before performing a scan by following the directions that apply HERE
  • Double click RKUnhookerLE.exe to run it
  • Click the Report tab, then click Scan
  • Check Processes, Drivers, Stealth Code, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Re-enable your security programs
  • Copy the entire contents of the report and paste it in your next reply.

---------

Please also download MBRCheck to your desktop

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

  • Double click MBRCheck.exe to run (Vista and Win 7 users should right-click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread

Please Run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix . Please read it carefully before proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Before downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to rayman.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

    For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. To Launch Combofix

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\rayman.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

Please post C:\ComboFix.txt in your next reply.

-------------------

Please copy/paste the following Logs into your next reply (do NOT attach them):

1. The Rootkit Unhooker Log

2. The MBRCheck Log

3. C:\Combofix.txt


Hi negster22,

I have completed the last step, i.e. I have run ComboFix and I have copied the report to this thread.

Some notes:

I have disabled the anti-virus (AntiVir Desktop), but ComboFix told me that it was still running.

I don't have the Panda Antivirus Pro 2010 now.

Thanks,

Arnolfi

# #######################################

ComboFix 10-10-28.06 - Amministratore 29/10/2010 15.44.59.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2046.1549 [GMT 2:00]

Eseguito da: c:\documents and settings\Amministratore\desktop\rayman.exe

Opzioni usate :: /killall

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-6C25-9E7C08000A00}

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {0012F334-0000-0000-FEEC-DA7768D21500}

AV: Panda Antivirus Pro 2010 *On-access scanning enabled* (Updated) {EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A}

ATTENZIONE - QUESTO PC NON HA LA CONSOLE DI RIPRISTINO DI EMERGENZA INSTALLATA !!

.

Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Amministratore\GoToAssistDownloadHelper.exe

c:\recycled\Recycled

.

((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FAD

-------\Legacy_SSHNAS

((((((((((((((((((((((((( Files Creati Da 2010-09-28 al 2010-10-29 )))))))))))))))))))))))))))))))))))

.

2010-10-14 11:23 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll

2010-10-14 11:23 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-14 11:23 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll

2010-10-14 11:23 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

2010-10-13 13:13 . 2010-10-13 13:13 -------- d-----w- c:\documents and settings\Amministratore\Dati applicazioni\HDI

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-28 15:53 . 2010-06-21 13:31 58504 ----a-w- c:\windows\system32\drivers\nipxibaf.sys

2010-09-24 09:49 . 2010-09-24 09:45 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe

2010-09-18 10:23 . 2004-09-09 08:36 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-09-09 08:36 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-09-09 08:36 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-09-09 08:36 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:49 . 2004-09-09 08:37 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:49 . 2004-09-09 08:36 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:49 . 2004-09-09 08:36 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2004-09-09 08:36 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-09-01 07:54 . 2004-09-09 08:37 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2004-09-09 08:37 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:58 . 2004-09-09 08:37 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-27 01:43 . 2010-07-22 06:19 5632 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-26 13:39 . 2004-09-09 08:37 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-23 16:12 . 2004-09-09 08:36 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2004-09-09 08:37 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:44 . 2004-09-09 08:37 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-06-25 11:57 . 2010-06-25 11:57 158720 ----a-w- c:\programmi\internet explorer\plugins\LV2010ActiveXControl.dll

2004-03-15 15:51 . 2004-03-15 15:51 114688 ----a-w- c:\programmi\internet explorer\plugins\LV71ActiveXControl.dll

2003-05-01 07:36 . 2003-05-01 07:36 114688 ----a-w- c:\programmi\internet explorer\plugins\LV7ActiveXControl.dll

2005-10-12 13:04 . 2005-10-12 13:04 131072 ----a-w- c:\programmi\internet explorer\plugins\LV80ActiveXControl.dll

2007-02-08 08:48 . 2007-02-08 08:48 133920 ----a-w- c:\programmi\internet explorer\plugins\LV82ActiveXControl.dll

2007-07-24 17:03 . 2007-07-24 17:03 118784 ----a-w- c:\programmi\internet explorer\plugins\LV85ActiveXControl.dll

2008-12-10 12:50 . 2008-12-10 12:50 118784 ----a-w- c:\programmi\internet explorer\plugins\LV86ActiveXControl.dll

2010-05-25 10:43 . 2010-05-25 10:43 158720 ----a-w- c:\programmi\internet explorer\plugins\LV90ActiveXControl.dll

.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* i valori vuoti & legittimi/default non sono visualizzati.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2009-05-26 413696]

"nwiz"="nwiz.exe" [2006-01-19 1519616]

"NVHotkey"="nvHotkey.dll" [2006-01-19 73728]

"NI-VISA Server"="c:\programmi\IVI Foundation\VISA\WinNT\NIvisa\NIVisaServer.exe" [2010-06-23 94352]

"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ISUSPM Startup"="c:\progra~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"HP Component Manager"="c:\programmi\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"DVDLauncher"="c:\programmi\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]

"Document Manager"="c:\programmi\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 102400]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"Apoint"="c:\programmi\Apoint\Apoint.exe" [2005-10-07 176128]

"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]

"RemoteControl"="c:\programmi\Roxio\Roxio DVDMax Player\PDVDServ.exe" [2003-10-27 32768]

"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-19 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]

"DataFinder"="c:\programmi\National Instruments\Shared\DataFinderDesktop\bin\DataFinder.exe" [2010-06-08 2921568]

"niDevMon"="c:\programmi\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2010-04-20 109712]

"NI Background Service"="c:\programmi\National Instruments\Shared\Update Service\niupdate.exe" [2010-08-10 77824]

"IntelZeroConfig"="c:\programmi\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]

"IntelWireless"="c:\programmi\File comuni\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\programmi\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Programmi\\Hewlett-Packard\\HP Install Network Printer Wizard\\hpjsi.exe"=

"c:\\Programmi\\National Instruments\\MAX\\NIMax.exe"=

"c:\\Programmi\\National Instruments\\Shared\\Example Finder\\1.0\\BIN\\NIExampleFinder.exe"=

"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Programmi\\Real\\RealPlayer\\realplay.exe"=

"c:\\Programmi\\National Instruments\\Shared\\RT Error\\lvrterr.exe"=

"c:\\Programmi\\National Instruments\\NI-RIO\\RioDeviceSetup.exe"=

"c:\\Programmi\\IVI Foundation\\VISA\\WinNT\\NIvisa\\NIVisaServer.exe"=

"c:\\Programmi\\National Instruments\\Real-Time Execution Trace Toolkit 2.0\\rtett.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Programmi\\IVI Foundation\\IVI\\Drivers\\niScope\\NI-SCOPE Soft Front Panel.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Programmi\\National Instruments\\Shared\\mDNS Responder\\nimdnsResponder.exe"=

"c:\\Programmi\\National Instruments\\SignalExpress\\SignalExpress.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Programmi\\National Instruments\\Shared\\DataFinderDesktop\\bin\\DataFinder.exe"=

"c:\\WINDOWS\\system32\\nipalsm.exe"=

"c:\\Programmi\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Programmi\\FileZilla FTP Client\\filezilla.exe"=

"c:\\Programmi\\IVI Foundation\\IVI\\Drivers\\niScope\\NI-SCOPE Soft Front Panel_Classic.exe"=

"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\lkads.exe"=

"c:\\Programmi\\National Instruments\\Shared\\NI WebServer\\ApplicationWebServer.exe"=

"c:\\Programmi\\National Instruments\\Shared\\NI WebServer\\SystemWebServer.exe"=

"c:\\Programmi\\National Instruments\\LabVIEW 2010\\LabVIEW.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3363:TCP"= 3363:TCP:CRIO_VISERVER

"3580:TCP"= 3580:TCP:NI Max service port

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [24/03/2010 12.27.44 15448]

R0 nipxibaf;National Instruments PXI Bridge Access Driver;c:\windows\system32\drivers\nipxibaf.sys [21/06/2010 15.31.06 58504]

R0 nipxibrc;National Instruments PXI Bridge Configuration Driver;c:\windows\system32\drivers\nipxibrc.sys [21/06/2010 15.31.10 42136]

R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [25/03/2010 10.49.06 82360]

R2 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [24/03/2010 15.23.06 12696]

R2 NIApplicationWebServer;NI Application Web Server;c:\programmi\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe [22/06/2010 17.02.52 47776]

R2 niarbk;niarbk;c:\windows\system32\drivers\niarbk.dll [16/04/2007 15.40.36 37376]

R2 nibffrk;nibffrk;c:\windows\system32\drivers\nibffrk.dll [16/04/2007 15.40.38 21504]

R2 Nidaq32k;Nidaq32k;c:\windows\system32\drivers\nidaq32k.sys [16/04/2007 17.04.12 674304]

R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [24/03/2010 15.23.06 12696]

R2 nidmmk;NI DMM and Data Logger Kernel Driver;c:\windows\system32\drivers\nidmmk.dll [16/04/2007 17.06.28 50688]

R2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\programmi\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe [23/06/2010 13.14.54 131776]

R2 nimDNSResponder;National Instruments mDNS Responder Service;c:\programmi\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [23/06/2010 16.21.24 193712]

R2 nimdsk;nimdsk;c:\windows\system32\drivers\nimdsk.dll [16/04/2007 15.41.52 30208]

R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [14/06/2010 13.55.40 11416]

R2 nistck;nistck;c:\windows\system32\drivers\niSTCk.dll [16/04/2007 15.42.28 111616]

R2 nistreamk;nistreamk;c:\windows\system32\drivers\nistreamkl.sys [17/06/2010 14.43.34 19608]

R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [23/06/2010 10.04.52 11432]

R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [11/06/2010 14.30.04 11432]

R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [24/08/2009 15.08.34 11360]

R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [01/02/2010 23.11.22 11872]

R3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [14/06/2010 14.30.06 21144]

S0 lpdsofnh;lpdsofnh; [x]

S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]

S2 nitsuu;nitsuu;c:\windows\system32\nipalsm.exe [24/03/2010 15.23.06 12696]

S2 ztdwm;Security Microsoft;c:\windows\system32\svchost.exe -k netsvcs [09/09/2004 10.37.15 14336]

S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [05/12/2008 16.21.24 20104]

S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [21/06/2010 15.31.14 26192]

S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [21/06/2010 15.31.24 11344]

S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [21/06/2010 15.31.28 22608]

S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [15/12/2009 13.52.56 17480]

S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [17/07/2009 14.46.24 11352]

S3 nicmrk;nicmrk;c:\windows\system32\drivers\nicmrkl.sys [15/06/2010 15.53.12 11440]

S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [15/06/2010 15.47.22 11408]

S3 nicsrkw;nicsrkw;c:\windows\system32\DRIVERS\nicsrkw.sys --> c:\windows\system32\DRIVERS\nicsrkw.sys [?]

S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [25/02/2010 12.52.00 11336]

S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [06/02/2010 14.54.42 11344]

S3 nidwgk;nidwgk;c:\windows\system32\drivers\nidwgkl.sys [19/02/2010 11.48.20 11360]

S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [15/06/2010 15.52.56 11408]

S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [15/06/2010 17.00.56 11408]

S3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [02/02/2010 1.35.54 11352]

S3 nihsdrk;nihsdrk;c:\windows\system32\drivers\nihsdrkl.sys [03/12/2009 12.05.04 11864]

S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [02/02/2010 2.11.00 11904]

S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [23/07/2009 15.50.48 14464]

S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [23/07/2009 15.50.50 151683]

S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [01/02/2010 23.24.36 11880]

S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [05/02/2010 17.18.08 11360]

S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [02/06/2010 18.44.34 11968]

S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [02/06/2010 18.45.32 11968]

S3 nipsdk;nipsdk;c:\windows\system32\drivers\nipsdkl.sys [06/05/2010 15.33.28 11392]

S3 niraptrk;niraptrk;c:\windows\system32\drivers\niraptrkl.sys [15/06/2010 15.51.02 11400]

S3 niRFSA2k;niRFSA2k;c:\windows\system32\drivers\niRFSA2kl.sys [21/06/2010 16.28.04 11328]

S3 niRFSGk;niRFSGk;c:\windows\system32\drivers\niRFSGkl.sys [09/12/2009 10.30.18 11328]

S3 NiRioRpc;National Instruments RIO Server;c:\windows\system32\NiRioRpc.exe [31/07/2010 12.40.26 32392]

S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [14/07/2009 13.58.14 11376]

S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [10/02/2010 15.27.04 11352]

S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [05/02/2010 17.36.18 11344]

S3 nisldk;nisldk;c:\windows\system32\drivers\nisldkl.sys [18/06/2009 2.50.34 11344]

S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [14/07/2009 13.58.26 11376]

S3 nisrcdk;nisrcdk;c:\windows\system32\drivers\nisrcdkl.sys [04/06/2010 12.57.34 11424]

S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [15/06/2010 17.00.34 11408]

S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [05/01/2009 9.19.28 11312]

S3 nistc3rk;nistc3rk;c:\windows\system32\drivers\nistc3rkl.sys [03/05/2010 0.22.50 11400]

S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [31/08/2009 14.15.46 11360]

S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [01/09/2009 9.53.28 11336]

S3 niSynck;niSynck;c:\windows\system32\drivers\niSynckl.sys [22/06/2010 18.00.00 11408]

S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [06/02/2010 5.58.38 11360]

S3 nitnr2k;nitnr2k;c:\windows\system32\drivers\nitnr2kl.sys [09/12/2009 10.11.32 11328]

S3 nitsuk;nitsuk;c:\windows\system32\drivers\nitsukl.sys [05/05/2010 1.34.04 11424]

S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [15/06/2010 15.47.02 11432]

S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [23/06/2010 10.03.06 11432]

S3 niwdk;niwdk;c:\windows\system32\drivers\niwdk.sys [14/08/2009 7.29.46 28256]

S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [15/06/2010 17.01.40 11408]

S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [15/06/2010 15.51.00 11408]

S3 nixsrkw;nixsrkw;c:\windows\system32\drivers\nixsrkw.sys [15/06/2010 15.51.00 11408]

S3 usb2vcom;Nokia CA-42 USB;c:\windows\system32\drivers\usb2vcom.sys [07/10/2008 19.53.23 22760]

S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]

S4 PskSvcRetail;Panda PSK service;"c:\programmi\Panda Security\Panda Antivirus Pro 2010\PskSvc.exe" --> c:\programmi\Panda Security\Panda Antivirus Pro 2010\PskSvc.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ztdwm

.

.

------- Scansione supplementare -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: alinari.it\fototeca

TCP: {30558659-1BA8-4AE0-B958-865F7CC9BB49} = 208.67.222.222,208.67.220.220

TCP: {55EB5C9C-0F36-4B16-BD0E-C36653EABB06} = 208.67.222.222,208.67.220.220

DPF: {60E33102-59F1-44DA-BA3D-494BB9A80514} - hxxp://www.inps.it/Servizi/ParlaConNoi/VoipFiles/IPhona.cab

FF - ProfilePath - c:\documents and settings\Amministratore\Dati applicazioni\Mozilla\Firefox\Profiles\anwg0xfd.default\

FF - prefs.js: browser.startup.homepage -

FF - plugin: c:\programmi\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\programmi\Mozilla Firefox\plugins\nplv2010win32.dll

FF - plugin: c:\programmi\Mozilla Firefox\plugins\NPLV80Win32.dll

FF - plugin: c:\programmi\Mozilla Firefox\plugins\NPLV82Win32.dll

FF - plugin: c:\programmi\Mozilla Firefox\plugins\nplv85win32.dll

FF - plugin: c:\programmi\Mozilla Firefox\plugins\nplv86win32.dll

FF - plugin: c:\programmi\Mozilla Firefox\plugins\nplv90win32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

.

------- Associazioni dei file -------

.

.scr=DWGTrueViewScriptFile

.

- - - - CHIAVI ORFANE RIMOSSE - - - -

SafeBoot-klmdb.sys

AddRemove-Nokia PC Suite - c:\documents and settings\All Users\Dati applicazioni\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_7_1_ita_web.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-29 15:55

Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo

Files nascosti: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ztdwm]

"ServiceDll"="c:\windows\system32\vnkja.dll"

.

--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(932)

c:\windows\system32\netprovcredman.dll

- - - - - - - > 'lsass.exe'(988)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(3056)

c:\windows\system32\WININET.dll

c:\windows\system32\nview.dll

c:\windows\system32\NVWRSIT.DLL

c:\windows\system32\nvwddi.dll

c:\windows\system32\webcheck.dll

.

------------------------ Altri processi in esecuzione ------------------------

.

c:\programmi\Intel\WiFi\bin\S24EvMon.exe

c:\windows\System32\SCardSvr.exe

c:\programmi\Avira\AntiVir Desktop\sched.exe

c:\programmi\Avira\AntiVir Desktop\avguard.exe

c:\programmi\Wave Systems Corp\Common\DataServer.exe

c:\programmi\Intel\WiFi\bin\EvtEng.exe

c:\programmi\Java\jre6\bin\jqs.exe

c:\windows\system32\lkcitdl.exe

c:\windows\system32\lkads.exe

c:\windows\system32\lktsrv.exe

c:\programmi\National Instruments\MAX\nimxs.exe

c:\programmi\Dell\QuickSet\NICCONFIGSVC.exe

c:\programmi\National Instruments\Shared\Security\nidmsrv.exe

c:\programmi\National Instruments\Shared\NI WebServer\SystemWebServer.exe

c:\programmi\National Instruments\Shared\Tagger\tagsrv.exe

c:\programmi\NetLimiter 2 Monitor\nlsvc.exe

c:\windows\system32\nvsvc32.exe

c:\programmi\File comuni\Intel\WirelessCommon\RegSrvc.exe

c:\programmi\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

c:\programmi\Intel\WiFi\bin\WLKeeper.exe

c:\windows\system32\nipxism.exe

c:\programmi\NetLimiter 2 Monitor\NLClient.exe

c:\windows\system32\wbem\wmiapsrv.exe

c:\windows\stsystra.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\programmi\Apoint\HidFind.exe

c:\programmi\Apoint\Apntex.exe

c:\windows\system32\wbem\unsecapp.exe

.

**************************************************************************

.

Ora fine scansione: 2010-10-29 16:01:18 - Il pc


Good Job!

Now we have to run Combofix again to get rid of more infected items:

1. Open Notepad and under Format-> make sure wordwrap is disabled (unchecked)

2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt

3. Disable all antimalware and antivirus active protection by referring to these directions HERE

4. Close All Open Windows and Browsers,

http://forums.malwarebytes.org/index.php?showtopic=66208&pid=336063&st=0entry336063

KillAll::
Collect::
c:\windows\system32\vnkja.dll

Suspect::
c:\windows\system32\drivers\nipxibaf.sys

File::
c:\programmi\Panda Security\Panda Antivirus Pro 2010\PskSvc.exe
c:\windows\system32\drivers\usb6xxxkl.sys

Folder::
c:\programmi\Panda Security\

Driver::
ztdwm
lpdsofnh
PskSvcRetail
usb6xxxk

NetSvc::
ztdwm

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{30558659-1ba8-4ae0-b958-865f7cc9bb49}]
"NameServer"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{55eb5c9c-0f36-4b16-bd0e-c36653eabb06}]
"DhcpNameServer"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{55eb5c9c-0f36-4b16-bd0e-c36653eabb06}]
"NameServer"=""

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe (rayman.exe)

This action will cause ComboFix to launch and begin scanning.

Combofix should prompt you to approve upload of a suspicious file during its run.

Please post back the log that opens when it finishes, called C:\Combofix.txt.

Re-enable your real-time protection.

Now, launch MBAM (ie winlogon.exe), update it and perform a quick scan. Remove all threats found.

Please upload this file to VirusTotal using the "Upload a file" function and post back the link to the scan report:

c:\windows\system32\drivers\nipxibaf.sys <===

If VirusTotal says the file was already scanned, I want you to rescan it and do not just post back the previous scan results.

Please post back:

1. C:\Combofix.txt,

2. The new MBAM log

3. The url to the VirusTotal scan results.

Thanks!!!


Hi negster22,

I have done the homework exactly as you suggested.

Some notes:

1)

The DNS servers 208.67.222.222 and 208.67.220.220 were set by me and belong to OpenDNS (www.opendns.com).

2)

Under normal conditions, the file c:\windows\system32\drivers\nipxibaf.sys is part of the National Instruments LabView software (www.ni.com/labview) installed on my PC.

Thanks,

Arnolfi

# #################################################

# Combofix Log

# #################################################

ComboFix 10-10-29.04 - Amministratore 30/10/2010 19.21.50.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.2046.1385 [GMT 2:00]

Eseguito da: c:\documents and settings\Amministratore\Desktop\rayman.exe

Opzioni usate :: c:\documents and settings\Amministratore\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {00000002-0002-0000-6C25-9E7C08000A00}

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {00000002-0002-0000-7C25-9E7C08000A00}

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {0012F334-0000-0000-FEEC-DA7768D21500}

AV: Panda Antivirus Pro 2010 *On-access scanning enabled* (Updated) {EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A}

FILE ::

"c:\programmi\Panda Security\Panda Antivirus Pro 2010\PskSvc.exe"

"c:\windows\system32\drivers\usb6xxxkl.sys"

file zipped: c:\windows\system32\drivers\nipxibaf.sys

.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\Ijl11.dll

.

((((((((((((((((((((((((((((((((((((((( Driver/Servizi )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_LPDSOFNH

-------\Legacy_PSKSVCRETAIL

-------\Legacy_USB6XXXK

-------\Legacy_ZTDWM

-------\Service_lpdsofnh

-------\Service_PskSvcRetail

-------\Service_usb6xxxk

-------\Service_ztdwm

((((((((((((((((((((((((( Files Creati Da 2010-09-28 al 2010-10-30 )))))))))))))))))))))))))))))))))))

.

2010-10-14 11:23 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll

2010-10-14 11:23 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-14 11:23 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll

2010-10-14 11:23 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

2010-10-13 13:13 . 2010-10-13 13:13 -------- d-----w- c:\documents and settings\Amministratore\Dati applicazioni\HDI

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-28 15:53 . 2010-06-21 13:31 58504 ----a-w- c:\windows\system32\drivers\nipxibaf.sys

2010-09-24 09:49 . 2010-09-24 09:45 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe

2010-09-18 10:23 . 2004-09-09 08:36 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-09-09 08:36 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-09-09 08:36 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-09-09 08:36 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:49 . 2004-09-09 08:37 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:49 . 2004-09-09 08:36 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:49 . 2004-09-09 08:36 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2004-09-09 08:36 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-09-01 07:54 . 2004-09-09 08:37 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2004-09-09 08:37 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:58 . 2004-09-09 08:37 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-27 01:43 . 2010-07-22 06:19 5632 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-26 13:39 . 2004-09-09 08:37 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-23 16:12 . 2004-09-09 08:36 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2004-09-09 08:37 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:44 . 2004-09-09 08:37 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-06-25 11:57 . 2010-06-25 11:57 158720 ----a-w- c:\programmi\internet explorer\plugins\LV2010ActiveXControl.dll

2004-03-15 15:51 . 2004-03-15 15:51 114688 ----a-w- c:\programmi\internet explorer\plugins\LV71ActiveXControl.dll

2003-05-01 07:36 . 2003-05-01 07:36 114688 ----a-w- c:\programmi\internet explorer\plugins\LV7ActiveXControl.dll

2005-10-12 13:04 . 2005-10-12 13:04 131072 ----a-w- c:\programmi\internet explorer\plugins\LV80ActiveXControl.dll

2007-02-08 08:48 . 2007-02-08 08:48 133920 ----a-w- c:\programmi\internet explorer\plugins\LV82ActiveXControl.dll

2007-07-24 17:03 . 2007-07-24 17:03 118784 ----a-w- c:\programmi\internet explorer\plugins\LV85ActiveXControl.dll

2008-12-10 12:50 . 2008-12-10 12:50 118784 ----a-w- c:\programmi\internet explorer\plugins\LV86ActiveXControl.dll

2010-05-25 10:43 . 2010-05-25 10:43 158720 ----a-w- c:\programmi\internet explorer\plugins\LV90ActiveXControl.dll

.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* i valori vuoti & legittimi/default non sono visualizzati.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-19 7401472]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"QuickTime Task"="c:\programmi\QuickTime\qttask.exe" [2009-05-26 413696]

"nwiz"="nwiz.exe" [2006-01-19 1519616]

"NVHotkey"="nvHotkey.dll" [2006-01-19 73728]

"NI-VISA Server"="c:\programmi\IVI Foundation\VISA\WinNT\NIvisa\NIVisaServer.exe" [2010-06-23 94352]

"ISUSScheduler"="c:\programmi\File comuni\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ISUSPM Startup"="c:\progra~1\FILECO~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"HP Component Manager"="c:\programmi\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"DVDLauncher"="c:\programmi\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]

"Document Manager"="c:\programmi\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 102400]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"Apoint"="c:\programmi\Apoint\Apoint.exe" [2005-10-07 176128]

"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-02-18 248040]

"RemoteControl"="c:\programmi\Roxio\Roxio DVDMax Player\PDVDServ.exe" [2003-10-27 32768]

"avgnt"="c:\programmi\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-19 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]

"DataFinder"="c:\programmi\National Instruments\Shared\DataFinderDesktop\bin\DataFinder.exe" [2010-06-08 2921568]

"niDevMon"="c:\programmi\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2010-04-20 109712]

"NI Background Service"="c:\programmi\National Instruments\Shared\Update Service\niupdate.exe" [2010-08-10 77824]

"IntelZeroConfig"="c:\programmi\Intel\WiFi\bin\ZCfgSvc.exe" [2008-08-20 1368064]

"IntelWireless"="c:\programmi\File comuni\Intel\WirelessCommon\iFrmewrk.exe" [2008-08-20 1191936]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\programmi\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\wxvault.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Programmi\\Hewlett-Packard\\HP Install Network Printer Wizard\\hpjsi.exe"=

"c:\\Programmi\\National Instruments\\MAX\\NIMax.exe"=

"c:\\Programmi\\National Instruments\\Shared\\Example Finder\\1.0\\BIN\\NIExampleFinder.exe"=

"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Programmi\\Real\\RealPlayer\\realplay.exe"=

"c:\\Programmi\\National Instruments\\Shared\\RT Error\\lvrterr.exe"=

"c:\\Programmi\\National Instruments\\NI-RIO\\RioDeviceSetup.exe"=

"c:\\Programmi\\IVI Foundation\\VISA\\WinNT\\NIvisa\\NIVisaServer.exe"=

"c:\\Programmi\\National Instruments\\Real-Time Execution Trace Toolkit 2.0\\rtett.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Programmi\\IVI Foundation\\IVI\\Drivers\\niScope\\NI-SCOPE Soft Front Panel.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Programmi\\National Instruments\\Shared\\mDNS Responder\\nimdnsResponder.exe"=

"c:\\Programmi\\National Instruments\\SignalExpress\\SignalExpress.exe"=

"c:\\Programmi\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Programmi\\National Instruments\\Shared\\DataFinderDesktop\\bin\\DataFinder.exe"=

"c:\\WINDOWS\\system32\\nipalsm.exe"=

"c:\\Programmi\\QuickTime\\QuickTimePlayer.exe"=

"c:\\Programmi\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Programmi\\FileZilla FTP Client\\filezilla.exe"=

"c:\\Programmi\\IVI Foundation\\IVI\\Drivers\\niScope\\NI-SCOPE Soft Front Panel_Classic.exe"=

"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\lkads.exe"=

"c:\\Programmi\\National Instruments\\Shared\\NI WebServer\\ApplicationWebServer.exe"=

"c:\\Programmi\\National Instruments\\Shared\\NI WebServer\\SystemWebServer.exe"=

"c:\\Programmi\\National Instruments\\LabVIEW 2010\\LabVIEW.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3363:TCP"= 3363:TCP:CRIO_VISERVER

"3580:TCP"= 3580:TCP:NI Max service port

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [24/03/2010 12.27.44 15448]

R0 nipxibaf;National Instruments PXI Bridge Access Driver;c:\windows\system32\drivers\nipxibaf.sys [21/06/2010 15.31.06 58504]

R0 nipxibrc;National Instruments PXI Bridge Configuration Driver;c:\windows\system32\drivers\nipxibrc.sys [21/06/2010 15.31.10 42136]

R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [25/03/2010 10.49.06 82360]

R2 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [24/03/2010 15.23.06 12696]

R2 NIApplicationWebServer;NI Application Web Server;c:\programmi\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe [22/06/2010 17.02.52 47776]

R2 niarbk;niarbk;c:\windows\system32\drivers\niarbk.dll [16/04/2007 15.40.36 37376]

R2 nibffrk;nibffrk;c:\windows\system32\drivers\nibffrk.dll [16/04/2007 15.40.38 21504]

R2 Nidaq32k;Nidaq32k;c:\windows\system32\drivers\nidaq32k.sys [16/04/2007 17.04.12 674304]

R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [24/03/2010 15.23.06 12696]

R2 nidmmk;NI DMM and Data Logger Kernel Driver;c:\windows\system32\drivers\nidmmk.dll [16/04/2007 17.06.28 50688]

R2 niLXIDiscovery;National Instruments LXI Discovery Service;c:\programmi\IVI Foundation\VISA\WinNT\NIvisa\niLxiDiscovery.exe [23/06/2010 13.14.54 131776]

R2 nimDNSResponder;National Instruments mDNS Responder Service;c:\programmi\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe [23/06/2010 16.21.24 193712]

R2 nimdsk;nimdsk;c:\windows\system32\drivers\nimdsk.dll [16/04/2007 15.41.52 30208]

R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [14/06/2010 13.55.40 11416]

R2 nistck;nistck;c:\windows\system32\drivers\niSTCk.dll [16/04/2007 15.42.28 111616]

R2 nistreamk;nistreamk;c:\windows\system32\drivers\nistreamkl.sys [17/06/2010 14.43.34 19608]

R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [23/06/2010 10.04.52 11432]

R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [11/06/2010 14.30.04 11432]

R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [24/08/2009 15.08.34 11360]

R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [01/02/2010 23.11.22 11872]

R3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [14/06/2010 14.30.06 21144]

S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]

S2 nitsuu;nitsuu;c:\windows\system32\nipalsm.exe [24/03/2010 15.23.06 12696]

S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [05/12/2008 16.21.24 20104]

S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [21/06/2010 15.31.14 26192]

S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [21/06/2010 15.31.24 11344]

S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [21/06/2010 15.31.28 22608]

S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [15/12/2009 13.52.56 17480]

S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [17/07/2009 14.46.24 11352]

S3 nicmrk;nicmrk;c:\windows\system32\drivers\nicmrkl.sys [15/06/2010 15.53.12 11440]

S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [15/06/2010 15.47.22 11408]

S3 nicsrkw;nicsrkw;c:\windows\system32\DRIVERS\nicsrkw.sys --> c:\windows\system32\DRIVERS\nicsrkw.sys [?]

S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [25/02/2010 12.52.00 11336]

S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [06/02/2010 14.54.42 11344]

S3 nidwgk;nidwgk;c:\windows\system32\drivers\nidwgkl.sys [19/02/2010 11.48.20 11360]

S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [15/06/2010 15.52.56 11408]

S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [15/06/2010 17.00.56 11408]

S3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [02/02/2010 1.35.54 11352]

S3 nihsdrk;nihsdrk;c:\windows\system32\drivers\nihsdrkl.sys [03/12/2009 12.05.04 11864]

S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [02/02/2010 2.11.00 11904]

S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [23/07/2009 15.50.48 14464]

S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [23/07/2009 15.50.50 151683]

S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [01/02/2010 23.24.36 11880]

S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [05/02/2010 17.18.08 11360]

S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [02/06/2010 18.44.34 11968]

S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [02/06/2010 18.45.32 11968]

S3 nipsdk;nipsdk;c:\windows\system32\drivers\nipsdkl.sys [06/05/2010 15.33.28 11392]

S3 niraptrk;niraptrk;c:\windows\system32\drivers\niraptrkl.sys [15/06/2010 15.51.02 11400]

S3 niRFSA2k;niRFSA2k;c:\windows\system32\drivers\niRFSA2kl.sys [21/06/2010 16.28.04 11328]

S3 niRFSGk;niRFSGk;c:\windows\system32\drivers\niRFSGkl.sys [09/12/2009 10.30.18 11328]

S3 NiRioRpc;National Instruments RIO Server;c:\windows\system32\NiRioRpc.exe [31/07/2010 12.40.26 32392]

S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [14/07/2009 13.58.14 11376]

S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [10/02/2010 15.27.04 11352]

S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [05/02/2010 17.36.18 11344]

S3 nisldk;nisldk;c:\windows\system32\drivers\nisldkl.sys [18/06/2009 2.50.34 11344]

S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [14/07/2009 13.58.26 11376]

S3 nisrcdk;nisrcdk;c:\windows\system32\drivers\nisrcdkl.sys [04/06/2010 12.57.34 11424]

S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [15/06/2010 17.00.34 11408]

S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [05/01/2009 9.19.28 11312]

S3 nistc3rk;nistc3rk;c:\windows\system32\drivers\nistc3rkl.sys [03/05/2010 0.22.50 11400]

S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [31/08/2009 14.15.46 11360]

S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [01/09/2009 9.53.28 11336]

S3 niSynck;niSynck;c:\windows\system32\drivers\niSynckl.sys [22/06/2010 18.00.00 11408]

S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [06/02/2010 5.58.38 11360]

S3 nitnr2k;nitnr2k;c:\windows\system32\drivers\nitnr2kl.sys [09/12/2009 10.11.32 11328]

S3 nitsuk;nitsuk;c:\windows\system32\drivers\nitsukl.sys [05/05/2010 1.34.04 11424]

S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [15/06/2010 15.47.02 11432]

S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [23/06/2010 10.03.06 11432]

S3 niwdk;niwdk;c:\windows\system32\drivers\niwdk.sys [14/08/2009 7.29.46 28256]

S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [15/06/2010 17.01.40 11408]

S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [15/06/2010 15.51.00 11408]

S3 nixsrkw;nixsrkw;c:\windows\system32\drivers\nixsrkw.sys [15/06/2010 15.51.00 11408]

S3 usb2vcom;Nokia CA-42 USB;c:\windows\system32\drivers\usb2vcom.sys [07/10/2008 19.53.23 22760]

.

.

------- Scansione supplementare -------

.

uStart Page = about:blank

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IE: Google Sidewiki... - c:\programmi\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

Trusted Zone: alinari.it\fototeca

DPF: {60E33102-59F1-44DA-BA3D-494BB9A80514} - hxxp://www.inps.it/Servizi/ParlaConNoi/VoipFiles/IPhona.cab

FF - ProfilePath - c:\documents and settings\Amministratore\Dati applicazioni\Mozilla\Firefox\Profiles\anwg0xfd.default\

FF - prefs.js: browser.startup.homepage -

FF - plugin: c:\programmi\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\programmi\Mozilla Firefox\plugins\nplv2010win32.dll

FF - plugin: c:\programmi\Mozilla Firefox\plugins\NPLV80Win32.dll

FF - plugin: c:\programmi\Mozilla Firefox\plugins\NPLV82Win32.dll

FF - plugin: c:\programmi\Mozilla Firefox\plugins\nplv85win32.dll

FF - plugin: c:\programmi\Mozilla Firefox\plugins\nplv86win32.dll

FF - plugin: c:\programmi\Mozilla Firefox\plugins\nplv90win32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-30 19:39

Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo

Files nascosti: 0

**************************************************************************

.

--------------------- Dlls caricate dai processi in esecuzione ---------------------

- - - - - - - > 'winlogon.exe'(956)

c:\windows\system32\netprovcredman.dll

- - - - - - - > 'lsass.exe'(1012)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(3304)

c:\windows\system32\WININET.dll

c:\windows\system32\nview.dll

c:\windows\system32\NVWRSIT.DLL

c:\windows\system32\nvwddi.dll

c:\windows\system32\webcheck.dll

.

------------------------ Altri processi in esecuzione ------------------------

.

c:\programmi\Intel\WiFi\bin\S24EvMon.exe

c:\windows\System32\SCardSvr.exe

c:\programmi\Avira\AntiVir Desktop\sched.exe

c:\programmi\Avira\AntiVir Desktop\avguard.exe

c:\programmi\Wave Systems Corp\Common\DataServer.exe

c:\programmi\Intel\WiFi\bin\EvtEng.exe

c:\programmi\Java\jre6\bin\jqs.exe

c:\windows\system32\lkcitdl.exe

c:\windows\system32\lkads.exe

c:\windows\system32\lktsrv.exe

c:\programmi\National Instruments\MAX\nimxs.exe

c:\programmi\Dell\QuickSet\NICCONFIGSVC.exe

c:\programmi\National Instruments\Shared\Security\nidmsrv.exe

c:\programmi\National Instruments\Shared\NI WebServer\SystemWebServer.exe

c:\programmi\National Instruments\Shared\Tagger\tagsrv.exe

c:\programmi\NetLimiter 2 Monitor\nlsvc.exe

c:\windows\system32\nvsvc32.exe

c:\programmi\File comuni\Intel\WirelessCommon\RegSrvc.exe

c:\programmi\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe

c:\programmi\Intel\WiFi\bin\WLKeeper.exe

c:\programmi\NetLimiter 2 Monitor\NLClient.exe

c:\windows\system32\nipxism.exe

c:\windows\stsystra.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\programmi\Apoint\HidFind.exe

c:\programmi\Apoint\Apntex.exe

c:\programmi\HP\hpcoretech\comp\hptskmgr.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wbem\wmiapsrv.exe

.

**************************************************************************

.

Ora fine scansione: 2010-10-30 19:44:21 - Il pc


Thank You for following directions so well.

The DNS servers 208.67.222.222 and 208.67.220.220 were set by me and belong to OpenDNS (www.opendns.com).

I removed only the TCPIP redirects to known infected remote host servers as reported by Combofix here:

TCP: {30558659-1BA8-4AE0-B958-865F7CC9BB49} = 208.67.222.222,208.67.220.220

TCP: {55EB5C9C-0F36-4B16-BD0E-C36653EABB06} = 208.67.222.222,208.67.220.220

Under normal conditions, the file c:\windows\system32\drivers\nipxibaf.sys is part of the National Instruments LabView software (www.ni.com/labview) installed on my PC.

I saw the numerous National LabView program components in your log, and even though TDSSKiller flagged nipxibaf.sys, it appears in your TDSSKiller post-scan CF log as modified on 10-28, which corresponds with TDSSKiller's curing of that file:

2010-10-28 15:53 . 2010-06-21 13:31 58504 ----a-w- c:\windows\system32\drivers\nipxibaf.sys

I didn't delete nipxibaf.sys. I just had it uploaded to the Combofix author for analysis using the Suspect:: directive. It may have been erroneously flagged by TDSSKiller as a false positive which is probably the case.

The malicious service and driver that was present as flagged by RootRepeal is gone now.

Hidden Services

-------------------

Service Name: ztdwm

Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

I would like you to do a repeat scan with RootRepeal to verify that please.

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry, when you see those detections:

http://www.eset.com/onlinescan/index.php

  • ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs
  • Use Internet Explorer to navigate to the scanner website because you must approve installation of an ActiveX add-on to complete the scan.
  • Check the "Yes, I accept the terms of use" box.
  • Click "Start"
  • Approve the installation of the ActiveX control that's required to enable scanning
  • Make sure the box "Remove found threats" is CHECKED!!
  • Click "Start"
  • Allow the definition database to install
  • Click "Scan"

When the scan is done, please post the scan report in your next reply. It can be found in this location:

C:\Program Files\EsetOnlineScanner\log.txt

Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

Please post back the ESET scan report and the RootRepeal results in your next reply!

Please let me know how your system is behaving now - are all the problems you reported in your initial post cleared up?

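The two DNS checks in this thread (the Registry:: block in the CFScript that blanks NameServer values, and the ComboFix "TCP: {GUID} = ip,ip" lines quoted in the reply above) can be done mechanically. The following Python is an added example, not code from the thread, ComboFix or Malwarebytes: it parses ComboFix-style TCP: lines and MBAM-style "(Trojan.DNSChanger) -> Data:" lines, flags resolvers outside an allow-list (OpenDNS here, as the poster states), and emits the matching Registry:: section. The sample log and the 192.0.2.x resolver addresses are constructed, and treating a TCP: line as the interface's NameServer value is an assumption.

```python
"""Audit resolver settings from ComboFix/MBAM log lines and build a CFScript Registry:: fix.

Added example for this thread, not code from ComboFix, MBAM or the forum posts."""
import re
from typing import FrozenSet, List, Tuple

# Resolvers the poster set deliberately (OpenDNS, as stated in the thread).
ALLOWED_DNS: FrozenSet[str] = frozenset({"208.67.222.222", "208.67.220.220"})

# Registry key under which Windows keeps the global and per-interface DNS settings.
TCPIP_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# ComboFix summarises per-interface resolvers as "TCP: {GUID} = ip,ip".
TCP_LINE = re.compile(r"^TCP:\s*(\{[0-9A-Fa-f-]{36}\})\s*=\s*(\S+)$")

# MBAM reports a hijacked value as "<key>\<ValueName> (Trojan.DNSChanger) -> Data: ip,ip".
MBAM_LINE = re.compile(
    r"^(HKEY_LOCAL_MACHINE\\\S+)\\(NameServer|DhcpNameServer)\s+"
    r"\(Trojan\.DNSChanger\)\s*->\s*Data:\s*(\S+)$"
)

# (registry key, value name, resolver IPs listed in that value)
Entry = Tuple[str, str, List[str]]


def parse_dns_entries(log_text: str) -> List[Entry]:
    """Extract every resolver setting reported in the log, one Entry per registry value."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TCP_LINE.match(line)
        if m:
            # Assumption: a ComboFix "TCP:" line reflects the interface's NameServer value.
            key = TCPIP_PARAMS + "\\Interfaces\\" + m.group(1)
            entries.append((key, "NameServer", m.group(2).split(",")))
            continue
        m = MBAM_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).split(",")))
    return entries


def find_rogue(entries: List[Entry], allowed: FrozenSet[str] = ALLOWED_DNS) -> List[Entry]:
    """Keep only values that list at least one resolver outside the allow-list.

    The returned IP list holds just the unexpected resolvers, so the caller sees
    what was injected without subtracting the legitimate ones again."""
    rogue: List[Entry] = []
    for key, name, ips in entries:
        unexpected = [ip for ip in ips if ip not in allowed]
        if unexpected:
            rogue.append((key, name, unexpected))
    return rogue


def cfscript_registry_section(rogue: List[Entry]) -> str:
    """Render the Registry:: block in the REGEDIT4-style shape ComboFix scripts use.

    Blanking the value (as the thread's CFScript does) lets DHCP or the user's own
    configuration repopulate the resolvers instead of hard-coding a replacement."""
    lines = ["Registry::"]
    for key, name, _ in rogue:
        lines.append(f"[{key}]")
        lines.append(f'"{name}"=""')
    return "\n".join(lines)


# Constructed sample: the interface GUIDs and OpenDNS addresses come from the thread;
# the 192.0.2.x addresses are RFC 5737 documentation addresses standing in for a hijack.
SAMPLE_LOG = r"""
TCP: {30558659-1BA8-4AE0-B958-865F7CC9BB49} = 208.67.222.222,208.67.220.220
TCP: {55EB5C9C-0F36-4B16-BD0E-C36653EABB06} = 192.0.2.10,208.67.220.220
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 192.0.2.10,192.0.2.11
"""


if __name__ == "__main__":
    rogue = find_rogue(parse_dns_entries(SAMPLE_LOG))
    for key, name, ips in rogue:
        print(f"unexpected resolver(s) {', '.join(ips)} in {key}\\{name}")
    print(cfscript_registry_section(rogue))
```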

Hello negster22,

I appreciate very much your help.

Now the system "seems" to work correctly.

Actually, the system started to work normally after TDSSKiller detected nipxibaf.sys as infected with Rootkit.Win32.TDSS.tdl3 and cured it.

Fortunately you have helped me to discover the malicious service ztdwm!

I have run a complete RootRepeal scan of drive C:.

I have run RootRepeal from the Report tab with all flags on.

RootRepeal has reported an empty list for Hidden/Locked Files, Stealth Objects and Hidden Services.

The RootRepeal report follows.

I have noticed that the RootRepeal report contains only the suspicious results for Drivers, Processes, SSDT and shadow SSDT. If you need them, I can also post the non-suspicious results that I have saved from the respective tabs.

Thanks,

Arnolfi

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2010/10/31 00:44

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: catchme.sys

Image Path: C:\rayman\catchme.sys

Address: 0xB4062000 Size: 31744 File Visible: No Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB65B6000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA5E6000 Size: 8192 File Visible: No Signed: -

Status: -

Name: mbr.sys

Image Path: C:\DOCUME~1\AMMINI~1\IMPOST~1\Temp\mbr.sys

Address: 0xBA388000 Size: 23424 File Visible: No Signed: -

Status: -

Name: PROCEXP113.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS

Address: 0xBA5EE000 Size: 7872 File Visible: No Signed: -

Status: -

Name: PROCEXP141.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP141.SYS

Address: 0xB0409000 Size: 9600 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB2D0A000 Size: 49152 File Visible: No Signed: -

Status: -

SSDT

-------------------

#: 041 Function Name: NtCreateKey

Status: Hooked by "<unknown>" at address 0xba6c1db6

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xba6c1dac

#: 063 Function Name: NtDeleteKey

Status: Hooked by "<unknown>" at address 0xba6c1dbb

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "<unknown>" at address 0xba6c1dc5

#: 098 Function Name: NtLoadKey

Status: Hooked by "<unknown>" at address 0xba6c1dca

#: 119 Function Name: NtOpenKey

Status: Hooked by "" at address 0x804d7ff1

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xba6c1d98

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xba6c1d9d

#: 193 Function Name: NtReplaceKey

Status: Hooked by "<unknown>" at address 0xba6c1dd4

#: 204 Function Name: NtRestoreKey

Status: Hooked by "<unknown>" at address 0xba6c1dcf

#: 247 Function Name: NtSetValueKey

Status: Hooked by "<unknown>" at address 0xba6c1dc0

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xba6c1da7

==EOF==


Hello negster22,

here is the log of ESET Online Scanner.

Regards,

Arnolfi

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=618fa8f526f2d7408f02316e2657334e

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-10-31 11:06:48

# local_time=2010-10-31 12:06:48 (+0100, ora solare Europa occidentale)

# country="Italy"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1536 16777175 100 0 0 0 0 0

# compatibility_mode=1797 16775141 100 94 234262 64029062 28104 0

# compatibility_mode=2304 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 3895 3895 0 0

# scanned=255923

# found=2

# cleaned=2

# scan_time=9466

C:\Documents and Settings\Amministratore\Dati applicazioni\Sun\Java\Deployment\cache\6.0\43\556445eb-745da3c9 probably a variant of Win32/Agent.DYXWUMY trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Amministratore\Dati applicazioni\Sun\Java\Deployment\cache\6.0\44\5473416c-76f05da9 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C


Hi Arnolfi,

You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 22, if you have not done that already.

You can check your currently installed JRE version here.

If you find you need to update to the Java Runtime Environment (JRE) 6 Update 22, then follow these steps:

1. Download the latest JRE version by clicking the "Agree and Start Free Download" button.

2. Save the installer to your desktop.

3. Close any programs you may have running - especially your web browser.

4. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).

5. Reboot your system

6. Then from your desktop double-click on jxpiinstall.exe to install the newest version of the Sun Java Platform

7. "Install the Yahoo Toolbar" is prechecked by default, so be sure to UNCHECK it if you do not care to have it or you already have it installed - it is NOT part of the JRE install and it is NOT required for any Java applications.

8. You may verify that the current version installed properly by clicking here: http://java.com/en/download/installed.jsp

You should clear the Java cache because the threats ESET detected were downloaded there:

Open the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)

  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


One question about the file nipxibaf.sys (NI PXI Resource Manager Service): after it has been cured by TDSSKiller, can I expect that it will work correctly or do I have to reinstall it?

Arnolfi, "cured" is supposed to mean that the infected file was repaired to function normally again. However, if you are concerned and you do have the installer for this program, then I would advise you to reinstall it in the interest of "being safe rather than sorry". If it were my computer, and the functionality of this program was important to me, that is what I would do.

Be that as it may, you have done an Excellent Job!!

We have a few steps to finish up now!!

If I asked you to download and run an ARK (Antirootkit program) such as Gmer, Rootkit Unhooker, or Root Repeal, then please uninstall it by doing the following:

  • Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in)
  • Delete the C:\ARK folder (or whatever folder you chose to install the antirootkit in)

If I asked you to download TDSSKiller or MBRCheck, please delete these programs from your Desktop.

Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

"%userprofile%\desktop\rayman.exe" /uninstall

This will do the following:

  • Uninstall Combofix and all its associated files and folders.
  • Flush your system restore points and create a new restore point.
  • Rehide your system files and folders
  • Reset your system clock

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, Flash Player and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on-demand scanner because I highly recommend it, and the quick scan will find almost all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then check the options you would like based on the descriptions provided, and select Continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please review the additional suggestions offered by Tony Klein in "How did I get infected in the first place", so you can maintain a safe and secure computing environment.

Happy Surfing! :lol:


Hi negster22,

I have followed the uninstall procedures, I have updated my software by following the input of the OSI and, of course, I am using MBAM as an on-demand scanner!

Now I will try to read the articles you suggested and I hope to benefit from it.

>> Sincerely many thanks, your help was very useful! <<

One last question:

I saw that my register file is full of fragments of old information due to install and uninstall procedures, like, for example, the key information "c:\programmi\Panda Security\Panda Antivirus Pro 2010\PskSvc.exe", which doesn't exist any more.

1) Does it make sense to clean the register file?

2) Is there a friendly software tool to do this job?

Arnolfi


You're welcome! :welcome:

I use CCleaner.

Be sure to download the "CCleaner Slim" version at the very bottom of the page, or you'll get a Toolbar Add-on as a Bonus!!

When you use Registry -> "Scan for issues", it will prompt you to make a REG backup of all the issues it finds before deleting anything. This way you can restore your registry backups by double-clicking that REG file to add it back into the registry if any problems result, or by doing the following:

Right-click on the .REG file created and select 'Merge'.

By default these files will be saved into your 'My Documents' folder.

I have never experienced a problem with CCleaner deletions but if you do, you have the registry back-up as a safety net.

Microsoft also offers a "Clean Up Center". I've never used it but I know others that have successfully.

Good Luck to You, Arnolfi!

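As an added example, not from the thread and not CCleaner's code, this PowerShell does the narrow version of what Arnolfi asks about: it lists Run/RunOnce autostart values whose target executable no longer exists on disk (the Panda PskSvc.exe kind of leftover) and, like CCleaner's REG backup, exports each affected key to a .reg file in My Documents before anyone edits it by hand. It deletes nothing; the autostart key list, the use of reg.exe and the PowerShell 2.0 baseline are assumptions.

```powershell
# Added example (not from the thread, not CCleaner): report autostart registry values whose
# target executable is missing, then export a .reg backup of each affected key.
# Nothing is deleted here; review the report and remove entries by hand, keeping the backup.
# Assumptions: PowerShell 2.0 or later, reg.exe on the PATH, and that the keys below are
# the autostart locations of interest (services and other launch points are not covered).

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Extract the executable from a command line, quoted ("C:\Programmi\...\PskSvc.exe" -run) or not.
function Get-ExecutablePath([string]$CommandLine) {
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')   # unquoted path up to .exe
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Find-StaleAutostartEntries {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath ([string]$p.Value)))
            $onPath = ($exe -notmatch '\\') -and (Get-Command $exe -ErrorAction SilentlyContinue)
            if (-not $onPath -and -not (Test-Path -LiteralPath $exe)) {
                New-Object PSObject -Property @{ Key = $key; ValueName = $p.Name; MissingTarget = $exe }
            }
        }
    }
}

$stale = @(Find-StaleAutostartEntries)
$stale | Format-Table Key, ValueName, MissingTarget -AutoSize
# Same safety net as CCleaner's REG backup: export each affected key before editing it by hand.
foreach ($k in ($stale | Select-Object -ExpandProperty Key -Unique)) {
    $file = Join-Path ([Environment]::GetFolderPath('MyDocuments')) (($k -replace '[:\\]', '_') + '.reg')
    & reg.exe export ($k -replace '^(HK[A-Z]+):', '$1') $file /y | Out-Null
}
```

Restoring a backup is the same step the post describes: right-click the exported .reg file and choose Merge.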
