Full Version: H E L P ! ! ALLERGY TO CCleaner OR INFECTION ?
Allx1
HELP!
My tablet PC (XP Tablet SP2) appears free from viruses and malware; all appears to run well... but...

If I try to find CCleaner with Google, the system closes Internet Explorer.
If I type www.CCleaner..., the system closes Internet Explorer.
If I use Firefox, the same.

If I create a folder called CCleaner, when I try to open the folder, Explorer is closed.

If I try to run the CCleaner installation program, after the language prompt the program is closed.

If I try to download HijackThis, always the same.

WHY? Does somebody have the solution? It all seems to be an allergy to CCleaner in any form.

Is there a virus inside?

Thanks for the help. Ciao from Italy
__RiP_ChAiN_
Hello Allx1,

I think I know what might be troubling you, and it's definitely a troublesome type of malware infection.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Allx1
THANKS! I'll try immediately...
Allx1
QUOTE (__RiP_ChAiN_ @ Aug 28 2008, 04:56 PM) *
Hello Allx1,

I think I know what might be troubling you, and it's definitely a troublesome type of malware infection.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

I just opened a new topic called "Hijack this log" with the file from the ComboFix analysis.
I hope it was right...
Thanks for the help

Al

ComboFix 08-08-27.06 - Administrator 2008-08-28 19.34.31.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.216 [GMT 2:00]
Running from: D:\Software\combo-fix\Combo-Fix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created From 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))))))
.

2008-08-28 19:30 . <DIR> C:\327882R2FWJFW
2008-08-28 18:33 . 2008-08-28 18:33 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-28 16:09 . 2008-08-28 16:09 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-08-22 09:23 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-08-22 09:23 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-08-22 09:23 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-08-22 09:23 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-08-22 09:22 . 2008-08-22 09:22 <DIR> d-------- C:\Programmi\Spyware Doctor
2008-08-22 09:22 . 2008-08-22 09:22 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\PC Tools
2008-08-22 09:21 . 2006-10-05 04:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-08-22 09:21 . 2006-10-05 04:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-08-22 09:20 . 2008-08-22 09:20 <DIR> d-------- C:\Programmi\Picasa2
2008-08-22 02:24 . 2008-08-22 02:24 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Google Updater
2008-08-22 02:14 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-22 02:13 . 2008-08-22 02:13 <DIR> d-------- C:\Programmi\Panda Security
2008-08-19 22:00 . 2008-08-19 22:00 <DIR> d-------- C:\Programmi\Enigma Software Group
2008-08-19 11:14 . 2008-08-19 11:14 <DIR> d-------- C:\Programmi\Alwil Software
2008-08-09 23:09 . 2008-08-09 23:09 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\Apple Computer
2008-08-09 23:08 . 2008-08-09 23:08 <DIR> d-------- C:\Programmi\iTunes
2008-08-09 23:08 . 2008-08-09 23:08 <DIR> d-------- C:\Programmi\iPod
2008-08-09 23:08 . 2008-08-09 23:08 <DIR> d-------- C:\Programmi\Bonjour
2008-08-09 23:06 . 2008-08-09 23:06 <DIR> d-------- C:\Programmi\QuickTime
2008-08-09 23:06 . 2008-08-09 23:06 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Apple Computer
2008-08-09 23:05 . 2008-08-09 23:05 <DIR> d-------- C:\Programmi\Apple Software Update
2008-08-09 23:05 . 2008-07-22 20:32 32,000 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-08-09 23:04 . 2008-08-09 23:04 <DIR> d-------- C:\Programmi\File comuni\Apple
2008-08-09 23:04 . 2008-08-09 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Apple
2008-08-09 22:31 . 2004-08-19 15:39 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-08-09 22:31 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-08-09 22:31 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-30 19:24 . 2008-07-30 19:24 <DIR> d-------- C:\Documents and Settings\Administrator\IGC
2008-07-30 18:34 . 2008-07-30 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\DassaultSystemes
2008-07-30 18:34 . 2008-07-30 18:34 <DIR> d-------- C:\Documents and Settings\Administrator\Dati applicazioni\DassaultSystemes
2008-07-30 18:33 . 2008-07-30 18:33 <DIR> d-------- C:\Programmi\File comuni\SolidWorks Shared
2008-07-30 18:33 . 2008-07-30 18:33 0 --a------ C:\WINDOWS\eDrawingOfficeAutomator.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-04-03 20:43 5,224 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-03 20:43 8 --sh--r C:\WINDOWS\system32\E62E1B2D2F.sys
2007-02-13 18:37 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012007021320070214\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 05:00 15360]
"PcSync"="D:\Software\nokia\Nokia PC Suite 6\PcSync2.exe" [2005-06-24 15:08 860160]
"MsnMsgr"="C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-22 02:25 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-19 11:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-19 11:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-19 11:10 114688]
"TabletWizard"="C:\WINDOWS\help\SplshWrp.exe" [2004-08-19 15:39 16384]
"TabletTip"="C:\Programmi\File comuni\microsoft shared\ink\tabtip.exe" [2005-04-26 05:10 271872]
"AzMixerSel"="C:\Programmi\Realtek\InstallShield\AzMixerSel.exe" [2005-05-13 14:40 45056]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-19 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-19 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-19 05:00 455168]
"RemoteControl"="C:\Programmi\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"Snippet"="C:\Programmi\Microsoft Enhancement Pack\Snipping Tool\SnippingTool.exe" [2005-10-31 09:46 68312]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-31 18:35 7118848]
"LManager"="C:\Programmi\Launch Manager\QtZgAcer.EXE" [2005-11-09 12:42 397312]
"AcerSoftButton"="C:\Acer\Soft Button\tabletpc.exe" [2005-10-05 16:11 262144]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 17:00 397312]
"epm-dm"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-09 14:19 212992]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"InCD"="C:\Programmi\Ahead\InCD\InCD.exe" [2005-07-25 11:01 1397760]
"DataLayer"="C:\Programmi\File comuni\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 11:31 819712]
"PCSuiteTrayApplication"="D:\Software\nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 16:29 176128]
"Adobe Photo Downloader"="C:\Programmi\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-07 18:41 57344]
"AppleSyncNotifier"="C:\Programmi\File comuni\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008]
"ISTray"="C:\Programmi\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-26 16:23 14837248 C:\WINDOWS\RTHDCPL.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-19 05:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"MsmqIntCert"="mqrt.dll" [2007-07-06 14:50 177152 C:\WINDOWS\system32\mqrt.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 05:00 15360]
"DWQueuedReporting"="C:\PROGRA~1\FILECO~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29 39264]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Alice ti aiuta.lnk - C:\Programmi\Alice ti aiuta\bin\matcli.exe [2007-03-03 01:51:01 212992]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2004-08-19 15:39 47104 C:\Programmi\File comuni\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2004-03-17 11:43 11776 C:\WINDOWS\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2004-08-19 15:39 30208 C:\WINDOWS\system32\TPGWLNOT.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer ePower Management]
--a------ 2005-11-09 11:04 3084288 C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADMTray.exe]
--a------ 2005-09-30 20:43 2462208 C:\Acer\Empowering Technology\admtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
--a------ 2005-07-26 11:36 69632 C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPM-DM]
--a------ 2005-11-09 14:19 212992 c:\Acer\Empowering Technology\ePower\epm-dm.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\System32\\mqsvc.exe"=
"C:\\Programmi\\C6 Messenger\\plugin\\fsmodule\\C6FileSharing.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\C6 Messenger\\c6Messenger.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programmi\\iTunes\\iTunes.exe"=
"C:\\Programmi\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-09-06 14:26]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 DHBtnKey;Acer Tablet PC Key Buttons HID Driver;C:\WINDOWS\system32\DRIVERS\DHBtnKey.sys [2005-10-07 17:04]
R3 WacomPen;Wacom Serial Pen HID Driver;C:\WINDOWS\system32\DRIVERS\wacompen.sys [2004-08-03 23:04]
S3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]
S3 ramdskNT;RamDiskNT;C:\WINDOWS\system32\drivers\ramdskNT.sys [2001-10-08 09:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e3f4866-966d-11db-8b54-00163624d2ca}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0c9d9da-ae40-11dc-8c91-00163624d2ca}]
\Shell\AutoRun\command - F:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f51f3f14-ae42-11dc-8c92-00163624d2ca}]
\Shell\AutoRun\command - F:\VMC_PBStarter.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - INT15.SYS
*Newly Created Service* - PROCEXP90
*Newly Created Service* - TMCOMM
.
Contents of the 'Scheduled Tasks' folder

2008-08-28 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Programmi\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2008-08-19 C:\WINDOWS\Tasks\Schedule Task Weekly.job
- C:\Programmi\Registry Easy\RE.exe []

2008-08-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Dati applicazioni\Mozilla\Firefox\Profiles\1e6sf9no.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 19:37:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Scan completion time: 2008-08-28 19:38:06
ComboFix-quarantined-files.txt 2008-08-28 17:38:02

Pre-Run: 9,341,386,752 bytes free
Post-Run: 10,520,215,552 bytes free

198 --- E O F --- 2008-07-18 18:11:29
__RiP_ChAiN_
Hello Allx1,

There honestly isn't a lot that stands out in that log.

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2

  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.


Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.

Important! Please do not select the "Show all" checkbox during the scan..
Allx1
With Malwarebytes Anti-Malware all was good... nothing was detected.
Now I'll try with GMER.
Allx1
Here are the results of the GMER analysis:
What do you think about it? Thanks for your help
Al

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-28 23:44:25
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF4FB1618]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF4FB14D4]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xF52B1794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xF52B1F1E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF4FB19B2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF4FB10AC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF4FB15AE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF4FB0FEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF4FB1050]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF4FB16CE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF4FB168E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF4FB180E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xF52B0D0A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xF52B0384]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\System32\svchost.exe[2360] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe[2844] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2852] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\System32\alg.exe[3652] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Programmi\Alwil Software\Avast4\ashWebSv.exe[3692] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text ...

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[944] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[944] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cef0d968
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016cef0d968@0015a054b32c 0x2A 0x4B 0x9B 0x26 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016cef0d968
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016cef0d968@0015a054b32c 0x2A 0x4B 0x9B 0x26 ...

---- EOF - GMER 1.0.14 ----
__RiP_ChAiN_
Hello Allx1,

Download LinkOptfix from Here and save it to your desktop.

Copy and paste these instructions to Notepad and save it to your C:\ drive in case you need to access it without using the start menu later.

To run the fix, double click LinkOptfix.exe and it will create a new folder on your desktop named LinkOptfix. Open the newly created LinkOptfix folder and double click fix.bat; it will only take a few seconds to run. First it finds the filename, creates a backups folder, moves the file into the backups folder, stops explorer.exe (you will lose the desktop icons and taskbar), resets the permissions on its reg entry, removes the reg entry, then resets the permissions on its file and then restarts explorer.exe. You should then be able to run HijackThis and post a log, and also run CCleaner. If you can, then ignore the rest of this post and reply so we can then check for the Gromozon part of the infection.

If you have problems and explorer.exe doesn't restart, then you will have to remove its reg entry, which will be possible as the file would have been moved so it cannot load again. If explorer doesn't restart you will not be able to access the start menu, so press Control, Alt & Delete to open Task Manager, then click Applications and New Task. You can then click Browse to find the text file you saved with these instructions and click OK to open it. Then type Regedit into Task Manager > Applications > New Task and click OK to open the registry editor.

Click the [+] next to HKEY_LOCAL_MACHINE
Click the [+] next to SOFTWARE
Click the [+] next to Microsoft
Click the [+] next to Windows NT
Click the [+] next to Current Version
Click the [+] next to Image File Execution Options

Scroll down the list and find explorer.exe, then right click it and choose Permissions. In the permissions for Everyone area place a check next to Full Control, then click Apply and OK. Right click the explorer.exe key and choose Delete, then go back to Task Manager > Applications > New Task, type explorer.exe and click OK, and then it will restart.

You should not need the manual instructions as the fix tool should remove it fine, but it's best to be safe and provide an alternative just in case it's needed.

Let me know if you have any problems or questions
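The manual steps in the post above work because of how the Image File Execution Options (IFEO) key behaves: if a subkey named after a program carries a "Debugger" value, Windows launches that "debugger" instead of the program, so a malicious entry under explorer.exe (or any other executable name) stops the real program from ever starting. The following script is an added example, not part of the thread or of the LinkOptfix tool: it parses the text of a `reg export` of the IFEO key and lists every subkey that sets a Debugger value, so the check can be done offline on an analysis machine. The embedded export is constructed for the example; explorer.exe is the program named in the thread, while the HijackThis.exe entry and the debugger path are hypothetical.

```python
import re

# Hive-qualified IFEO path as it appears in a Registry Editor 5.00 export.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Constructed sample of an IFEO export (what `reg export "HKLM\...\Image File
# Execution Options" ifeo.reg` produces). The debugger path is hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\hypothetical.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger"="C:\\WINDOWS\\system32\\hypothetical.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"GlobalFlag"=dword:00000002
'''

# "name"=data  or  @=data (default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def decode_value(data):
    """Decode a REG_SZ ("...") or REG_DWORD (dword:xxxxxxxx) value; other
    types (hex:..., possibly continued over several lines) are returned raw."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg export.
    Keys written as [-HKEY...] are deletion markers and are skipped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):
                current = None
                continue
            current = path
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = decode_value(m.group(2))
    return keys


def find_ifeo_debuggers(reg_text, prefix=IFEO_PREFIX):
    """Return sorted (program, debugger) pairs for every IFEO subkey that
    carries a Debugger value, i.e. every program Windows will silently
    replace with something else at launch."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(prefix.lower() + "\\"):
            continue
        program = key[len(prefix) + 1:]
        for name, value in values.items():
            if name.lower() == "debugger":
                hits.append((program, value))
    return sorted(hits)


def load_reg_file(path):
    """reg.exe writes UTF-16LE with a BOM; regedit can also save ANSI files."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252")


if __name__ == "__main__":
    for program, debugger in find_ifeo_debuggers(SAMPLE_REG):
        print(f"IFEO Debugger set for {program}: {debugger}")
```

Every hit still needs a human look: a Debugger value is not malicious by itself (Process Explorer's "Replace Task Manager" option legitimately sets one on taskmgr.exe), but an entry for explorer.exe, a security tool, or a browser that points at an unknown file in system32 is exactly the pattern the post's fix removes. Exporting the key with `reg export` and running this on another machine avoids the problem the post warns about, where the infected box kills the very tools used to inspect it.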
Allx1
Just done!
I've now analysed the PC with CCleaner; all seems to work well now.

Here is the HijackThis log file as an attachment.

Do you see something dangerous?

Thanks
Al
__RiP_ChAiN_
Hello Allx1,

QUOTE
Do you see something dangerous?

There looks to be a couple of really nasty infections infecting your computer, but it looks like we just took care of one of them.

Download the Gromozon remover from here: http://www.prevx.com/gromozon.asp

Run the program and follow the prompts. When it's finished it will create a logfile in C:\ named Gromozon_removal.log; please post the contents of that file back on here.
Allx1
... here are the results of the scan... all seems to be safe...


Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Scanning: C:\Programmi\File comuni


Trojan.Gromozon does not exist - your system is clean.
__RiP_ChAiN_
Hello Allx1,

Do you have a broadband connection available for your use? If you do, I'd like you to download, install, and run this file: http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/

If you run into any troubles with it, let me know. If you can get it, please let me know if it finds any infected items.
Allx1
I will do it...

But what do you think about the current state? Nothing at the moment shows signs of malware?

Thanks for your help, Rip

Ciao, Al
Allx1
I ran Kaspersky 2 times to check everything... results: "No threats found"!!

Now? Am I safe, or still infected by a deep infection?
__RiP_ChAiN_
Hello Allx1,

Your previous logs were clean of infection except for the rootkit type issues. Now that those are resolved, I think you're good to go. Do you notice any other current malware type troubles, or is your computer running OK now?
Allx1
All seems to be OK on the PC...

Only it is always too slow to start... but I think that's normal with Windows...

Thanks a lot for your help. I don't understand which infection was active, but the important thing is to be safe.

Can I leave the hospital, Doctor Rip?

__RiP_ChAiN_
Hello Allx1,

QUOTE
Can i leave the hospital doctor Rip?

I think you're good to go

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.
  • When shown the disclaimer, select "2"


Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
Invision Power Board © 2001-2010 Invision Power Services, Inc.