I reinstalled from the Windows OS disk. The install is not compromised.
I've used the same CD to reinstall 3 other machines (the whole network was compromised) and I get this behavior only on this machine. The other machines are fine.
I've scanned the D: partition and didn't find anything on there, but this could be irrelevant if the rootkit is running (because it could be hiding its files). Maybe D: had autorun enabled and when I reinstalled Windows and accessed the D: drive, the rootkit came back.
I have the idea to boot from a bootable CD and scan from there (like WinInternals ERD commander).
Since I posted this help message, I've been reading a lot of threads from here and testing some of the tools mentioned here (like mbam) and I think I'm getting close to removing this rootkit.
Will try a reinstall later today and post here if the rootkit still persists. Unfortunately, I didn't save a copy of the rootkit, so if I remove it, I will never know what it does. I scanned it on VirusTotal but it was only detected by 4 AVs and only using heuristics (so it's a new one).
P.S. Found a log from UnHackMe:
Partizan 1.4 started.
Day: 21. Month:6.2009 Time (GMT +0):19:6:33
Windows Version:5.1 Build:2600
Partizan driver is active.
Opening command file: SUCCESS.
Safe deleting file:
So, the rootkit was placed in SYSTEM32\DRIVERS.
Edited by zamolx3, 22 June 2009 - 11:16 AM.
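The post above describes two checks that are easy to get wrong when the rootkit is still running: looking for its files in SYSTEM32\DRIVERS, and looking for an autorun.inf on the D: drive. A running rootkit can hide both from the live system, so both checks should be done against the offline volume (booted from a CD, as the poster suggests), and the cleanest reference for "what should be in SYSTEM32\DRIVERS" is one of the other machines installed from the same CD. The script below is an added example, not code from the thread or from UnHackMe; it hashes a known-good drivers directory and a suspect one, reports files that exist only on the suspect machine or whose contents differ, and parses any autorun.inf on a drive to show what it would launch. The directory trees and the autorun.inf it runs against are constructed sample data (the driver names and contents are placeholders), and the paths are assumed to be mounted read-only from a boot environment.

```python
"""Offline comparison of a suspect SYSTEM32\\DRIVERS tree against a known-good one,
plus a look at what autorun.inf on a data drive would run.

Added example, not from the original thread. Assumes both driver directories and the
data drive are mounted from a boot CD (offline, read-only); the sample trees built by
build_sample() are constructed stand-ins, not real driver files.
"""
import configparser
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each regular file under root to its SHA-256.

    Names are relative to root and lower-cased, because NTFS is case-insensitive
    and a rootkit file named NtFs.sys should still collide with ntfs.sys."""
    return {
        str(p.relative_to(root)).lower(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_drivers(good: Path, suspect: Path) -> dict:
    """Compare a suspect drivers directory with a known-good one from the same install media.

    Files only present on the suspect machine, and files whose hash differs, are the
    first things to look at; files only in the good tree are reported for completeness."""
    g, s = hash_tree(good), hash_tree(suspect)
    return {
        "only_in_suspect": sorted(set(s) - set(g)),
        "modified": sorted(n for n in set(s) & set(g) if s[n] != g[n]),
        "only_in_good": sorted(set(g) - set(s)),
    }


def autorun_targets(drive_root: Path) -> dict:
    """Return the key/value pairs of the [autorun] section of autorun.inf on a drive
    (open=, shellexecute=, icon=, ...), or {} if there is no such file."""
    inf = drive_root / "autorun.inf"
    if not inf.is_file():
        return {}
    # autorun.inf is INI-style; strict=False tolerates duplicate keys, interpolation=None
    # keeps '%' characters in paths from being treated as variables.
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read(inf, encoding="latin-1")
    except configparser.Error as exc:
        return {"parse_error": str(exc)}
    for section in cp.sections():
        if section.lower() == "autorun":           # section name case varies in the wild
            return {k: (v or "") for k, v in cp[section].items()}
    return {}


def build_sample() -> tuple:
    """Construct two small driver trees and a data drive in a temp dir (constructed sample data)."""
    base = Path(tempfile.mkdtemp())
    good, suspect, data = base / "good" / "drivers", base / "suspect" / "drivers", base / "D"
    for d in (good, suspect, data):
        d.mkdir(parents=True)
    (good / "disk.sys").write_bytes(b"clean disk driver")
    (good / "ntfs.sys").write_bytes(b"clean ntfs driver")
    (suspect / "disk.sys").write_bytes(b"clean disk driver")      # identical to the good copy
    (suspect / "ntfs.sys").write_bytes(b"patched ntfs driver")    # same name, different content
    (suspect / "extra.sys").write_bytes(b"unknown driver")        # present only on the suspect box
    (data / "autorun.inf").write_text("[AutoRun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n")
    return good, suspect, data


if __name__ == "__main__":
    good_dir, suspect_dir, data_drive = build_sample()
    print("driver differences:", diff_drivers(good_dir, suspect_dir))
    print("autorun.inf on data drive:", autorun_targets(data_drive))
```

Run it from the boot environment with the real mount points in place of build_sample()'s temp directories; a hit in "only_in_suspect" or "modified" is a file to copy off (that is also how to keep the sample the poster regrets not saving) before anything deletes it, and a non-empty autorun_targets() result on D: is worth checking before the drive is opened from a freshly installed system.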