
Infected with a few kinds of "Adware.win32"


14 replies to this topic

#1 Firubat

Posted 21 December 2008 - 10:24 AM

Hello!
I had some weird stuff going on on the computer, from pop-ups and error messages to porn soundtracks, but most of it was gone after I used SmitfraudFix and Malwarebytes' Anti-Malware. Now I'm only experiencing a slow computer (and other problems that are probably not related, but I'll tell about them too: the keyboard is giving trouble and there are problems with the graphics accelerator).
I ran a Kaspersky scan and it showed that I am still infected. Here is the report:

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, December 21, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, December 21, 2008 09:40:33
Records in database: 1495178
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 114225
Threat name 5
Infected objects 7
Suspicious objects 0
Duration of the scan 03:28:39

File name Threat name Threats count
C:\Program Files\STK018_V2.01\STK018M.exe/C:\Program Files\STK018_V2.01\STK018M.exe Infected: not-a-virus:AdWare.Win32.Cres 1
C:\Documents and Settings\Owner\Local Settings\Temp\Acr7F28.tmp Infected: Exploit.Win32.Pidief.gx 1
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QZTZI6KO\us[1].pdf Infected: Exploit.Win32.Pidief.gx 1
C:\Program Files\HbTools\Bin\4.6.2.0\HbtWeatherOnTray.exe Infected: not-a-virus:AdWare.Win32.Hotbar.an 1
C:\Program Files\HbTools\Bin\4.6.2.0\ShprRprtHbt.exe Infected: not-a-virus:AdWare.Win32.Shopper.e 1
C:\Program Files\STK018_V2.01\STK018D.exe Infected: not-a-virus:AdWare.Win32.Cres.a 1
C:\Program Files\STK018_V2.01\STK018M.exe Infected: not-a-virus:AdWare.Win32.Cres 1
The selected area was scanned.

And here is the RSIT log:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Owner at 2008-12-21 17:21:56
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 16 GB (29%) free of 57 GB
Total RAM: 510 MB (19% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:21:57, on 21/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\svchost.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\ZSSnp211.exe
C:\windows\Domino.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\STK018_V2.01\STK018M.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Owner\שולחן העבודה\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {54B02808-B60E-44CD-A72D-9865117E4E62} - (no file)
O2 - BHO: AGFormHelperObj Class - {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} - C:\Program Files\agat\AGForm\AGFormsHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: (no name) - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Radio_Israel Toolbar - {889eb3f6-f16b-4bc0-bc81-9c407c8a3240} - C:\Program Files\Radio_Israel\tbRadi.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AGForms - {ed2e7de7-07db-4941-a06d-f780b93ba730} - C:\Program Files\agat\AGForm\AGForms.dll
O4 - HKLM\..\Run: [Hebrew] C:\Program Files\???? ?? ????\Hebrew.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZSSnp211] C:\windows\ZSSnp211.exe
O4 - HKLM\..\Run: [Domino] C:\windows\Domino.exe
O4 - HKLM\..\Run: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.05\AMVConverter\grab.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.05\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: ??? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195980516390
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.tapuz.co.il/albums/album/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallTest - Unknown owner - C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Metric Conversion Calculator Installer - Unknown owner - C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE (file missing)
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9030 bytes

======Scheduled tasks folder======

C:\windows\tasks\AppleSoftwareUpdate.job
C:\windows\tasks\Norton Security Scan for Owner.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-06-03 1404928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54B02808-B60E-44CD-A72D-9865117E4E62}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6}]
AGFormHelperObj Class - C:\Program Files\agat\AGForm\AGFormsHelper.dll [2008-07-17 76144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 440056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2006-11-30 67136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 324416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar3.dll [2007-01-19 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll [2008-10-15 737776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{74CC49F7-EB32-4A08-B204-948962A6E3DB}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{889eb3f6-f16b-4bc0-bc81-9c407c8a3240} - Radio_Israel Toolbar - C:\Program Files\Radio_Israel\tbRadi.dll [2006-07-12 994384]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar3.dll [2007-01-19 2403392]
{ed2e7de7-07db-4941-a06d-f780b93ba730} - AGForms - C:\Program Files\agat\AGForm\AGForms.dll [2008-07-31 444784]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Hebrew"=C:\Program Files\הפוך על הפוך\Hebrew.exe []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-09-10 289576]
"ZSSnp211"=C:\windows\ZSSnp211.exe [2007-04-06 57344]
"Domino"=C:\windows\Domino.exe [2006-08-18 49152]
"ShStatEXE"=c:\program files\mcafee\virusscan enterprise\\SHSTAT.EXE [2006-11-30 112216]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"=C:\Program Files\MSN Messenger\msnmsgr.exe [2007-01-19 5674352]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-07-15 68856]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2008-12-16 342848]
"ctfmon.exe"=C:\windows\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
C:\windows\ALCMTR.EXE [2004-09-23 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
C:\windows\ALCWZRD.EXE [2004-09-24 2559488]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-01-19 339968]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HbTools]
C:\Program Files\HbTools\Bin\4.7.0.0\HbtOEAddOn.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-09-10 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oanlvtdx]
C:\WINDOWS\system32\kihwsubj.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe [2008-06-03 21718312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyAxe]
C:\Program Files\SpyAxe\spyaxe.exe /h []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe [2006-11-09 49263]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-07-15 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherOnTray]
C:\Program Files\HbTools\Bin\4.7.0.0\HbtWeatherOnTray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\קיצור דרך לעמוד המאפיינים של High Definition Audio]
C:\windows\system32\HDAudPropShortcut.exe [2004-03-17 61952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^Adobe Gamma Loader.exe.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [1999-11-04 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^RaConfig2500.lnk]
C:\WINDOWS\system32\RACONF~1.EXE [2004-02-24 425984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^תפריט התחלה^תוכניות^הפעלה^Xfire.lnk]
C:\PROGRA~1\Xfire\Xfire.exe [2006-06-07 4154504]

C:\Documents and Settings\All Users\תפריט התחלה\תוכניות\הפעלה
STK018 PNP Monitor.lnk - C:\Program Files\STK018_V2.01\STK018M.exe

C:\Documents and Settings\Owner\תפריט התחלה\תוכניות\הפעלה
PowerReg Scheduler V3.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\windows\system32\Ati2evxx.dll [2005-01-20 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\windows\system32\igfxsrvc.dll [2004-06-06 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\windows\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
IPC Configuration Utility - IPC Configuration Utility

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSetActiveDesktop"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoSetActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\MSMSGS.EXE"="C:\Program Files\Messenger\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows NetMeeting"
"C:\Soldat\Soldat.exe"="C:\Soldat\Soldat.exe:*:Enabled:Soldat"
"C:\Program Files\World of Warcraft\WoW-1.5.0-enGB-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.5.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-1.4.0-enGB-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.4.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-1.5.1.4449-to-1.6.0-enGB-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.5.1.4449-to-1.6.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-1.6.0.4500-to-1.6.1-enGB-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.6.0.4500-to-1.6.1-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Documents and Settings\Owner\My Documents\WoW-1.6.1.4544v2-to-0.7.0-enGB-downloader.exe"="C:\Documents and Settings\Owner\My Documents\WoW-1.6.1.4544v2-to-0.7.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Documents and Settings\Owner\My Documents\G4_Short-downloader.exe"="C:\Documents and Settings\Owner\My Documents\G4_Short-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U45I7TGL\WOW_Coke-downloader[1].exe"="C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U45I7TGL\WOW_Coke-downloader[1].exe:*:Enabled:Blizzard Downloader"
"C:\Documents and Settings\Owner\My Documents\WOW_Coke-downloader.exe"="C:\Documents and Settings\Owner\My Documents\WOW_Coke-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VST09NA1\WoW-Onyxia-downloader[1].exe"="C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\VST09NA1\WoW-Onyxia-downloader[1].exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-1.6.1.4544-to-1.7.0-enGB-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.6.1.4544-to-1.7.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoWTest\WoW-0.7.0.4671-to-0.8.0-enGB-downloader.exe"="C:\Program Files\World of Warcraft\WoWTest\WoW-0.7.0.4671-to-0.8.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\World of Warcraft\WoW-1.7.1.4695-to-1.8.0-enGB-downloader.exe"="C:\Program Files\World of Warcraft\WoW-1.7.1.4695-to-1.8.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\Microsoft Games\Age of Empires\EMPIRES.EXE"="C:\Program Files\Microsoft Games\Age of Empires\EMPIRES.EXE:*:Disabled:Age of Empires"
"C:\Program Files\Turbine\Dungeons & Dragons Online - Stormreach\dndclient.exe"="C:\Program Files\Turbine\Dungeons & Dragons Online - Stormreach\dndclient.exe:*:Enabled:dndclient"
"C:\Cavedog\Kingdoms\KINGDOMS.icd"="C:\Cavedog\Kingdoms\KINGDOMS.icd:*:Enabled:Total Annihilation: Kingdoms"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX19.719\RR_0919025.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX19.719\RR_0919025.exe:*:ENABLED:0"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX19.563\RR_0919025.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX19.563\RR_0919025.exe:*:ENABLED:0"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX27.641\RR_0919025.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX27.641\RR_0919025.exe:*:ENABLED:0"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.625\RR_0919025.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.625\RR_0919025.exe:*:ENABLED:0"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX03.766\RR_0919025.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX03.766\RR_0919025.exe:*:ENABLED:0"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe"="C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"
"C:\Program Files\Codemasters\The Lord of the Rings Online\lotroclient.exe"="C:\Program Files\Codemasters\The Lord of the Rings Online\lotroclient.exe:*:Enabled:lotroclient.exe"
"C:\Documents and Settings\Owner\My Documents\הד\eMule0.48a\emule.exe"="C:\Documents and Settings\Owner\My Documents\הד\eMule0.48a\emule.exe:*:Enabled:eMule"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Documents and Settings\Owner\My Documents\RR_0919025.exe"="C:\Documents and Settings\Owner\My Documents\RR_0919025.exe:*:Disabled:0"
"C:\Program Files\Softnyx\WolfTeam\Wolfteam.bin"="C:\Program Files\Softnyx\WolfTeam\Wolfteam.bin:*:Enabled:WolfTeam"
"C:\Program Files\Server-Extractor2\ServerEx.exe"="C:\Program Files\Server-Extractor2\ServerEx.exe:*:Enabled:ServerExtractor2"
"C:\Program Files\Valve\hl.exe"="C:\Program Files\Valve\hl.exe:*:Disabled:Half-Life Launcher"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\DOCUME~1\Owner\LOCALS~1\Temp\60325cahp25cas.exe"="C:\DOCUME~1\Owner\LOCALS~1\Temp\60325cahp25cas.exe:*:Enabled:Enabled"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Disabled:Azureus"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour"
"C:\Program Files\IncrediMail\bin\IncMail.exe"="C:\Program Files\IncrediMail\bin\IncMail.exe:*:Disabled:IncrediMail"
"C:\Program Files\IncrediMail\bin\ImpCnt.exe"="C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Disabled:IncrediMail"
"C:\Program Files\IncrediMail\bin\IMApp.exe"="C:\Program Files\IncrediMail\bin\IMApp.exe:*:Disabled:IncrediMail"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{466a85af-a58b-11dd-b7cc-000e2e3fd28b}]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebbf61ba-76ab-11dd-b756-001111956c7e}]
shell\AutoRun\command - G:\LaunchU3.exe -a


======File associations======

.bat - open -
.bat - edit -
.scr - open -
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2008-12-21 13:52:34 ----D---- C:\Program Files\winMd5Sum
2008-12-20 17:28:51 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-12-20 17:28:43 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-20 16:13:36 ----D---- C:\Documents and Settings\Owner\Application Data\McAfee
2008-12-20 16:02:01 ----D---- C:\Program Files\trend micro
2008-12-20 16:01:57 ----D---- C:\rsit
2008-12-19 17:34:17 ----A---- C:\windows\system32\tmp.txt
2008-12-19 17:34:00 ----A---- C:\rapport.txt
2008-12-16 09:58:03 ----D---- C:\Documents and Settings\Owner\Application Data\COWON
2008-12-16 09:29:37 ----D---- C:\Program Files\Common Files\COWON
2008-12-16 09:29:36 ----D---- C:\Program Files\JetAudio
2008-12-11 17:12:57 ----D---- C:\Program Files\MP3 Player Utilities 4.05
2008-12-10 09:06:49 ----HD---- C:\windows\$NtUninstallKB955839$
2008-12-10 09:04:40 ----HD---- C:\windows\$NtUninstallKB952069_WM9$
2008-12-10 09:04:11 ----HD---- C:\windows\$NtUninstallKB954600$
2008-12-10 09:03:58 ----HD---- C:\windows\$NtUninstallKB956802$
2008-12-05 10:58:27 ----D---- C:\Documents and Settings\Owner\Application Data\Download Manager
2008-12-04 06:18:19 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-12-03 10:15:52 ----D---- C:\Program Files\GOV.IL
2008-12-03 10:15:52 ----D---- C:\Program Files\agat

======List of files/folders modified in the last 1 months======

2008-12-21 16:57:16 ----A---- C:\windows\SchedLgU.Txt
2008-12-21 10:06:30 ----A---- C:\windows\NeroDigital.ini
2008-12-20 16:26:30 ----A---- C:\windows\ntbtlog.txt
2008-12-13 08:38:02 ----A---- C:\windows\system32\mshtml.dll
2008-12-10 09:06:54 ----A---- C:\windows\imsins.BAK
2008-12-10 09:06:30 ----A---- C:\windows\win.ini
2008-12-10 01:24:38 ----A---- C:\windows\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\windows\system32\drivers\AFS2K.sys [2005-04-05 43488]
R1 intelppm;Intel Processor Driver; C:\windows\system32\DRIVERS\intelppm.sys [2008-04-14 39936]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\windows\system32\drivers\mfetdik.sys [2006-11-30 52136]
R2 mdmxsdk;mdmxsdk; C:\windows\system32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
R2 npkcrypt;npkcrypt; \??\C:\Nexon\MapleStory Beginner Version\npkcrypt.sys []
R3 ati2mtag;ati2mtag; C:\windows\system32\DRIVERS\ati2mtag.sys [2005-01-20 965632]
R3 E100B;Intel® PRO Adapter Driver; C:\windows\system32\DRIVERS\e100b325.sys [2004-02-10 154112]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;אװ װךח ׀הח UAA י Microsoft גׁױט High Definition Audio; C:\windows\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\windows\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\windows\system32\DRIVERS\HPZid412.sys [2004-01-05 51056]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\windows\system32\DRIVERS\HPZipr12.sys [2004-01-05 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\windows\system32\DRIVERS\HPZius12.sys [2004-01-05 21488]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\windows\system32\drivers\RtkHDAud.sys [2004-09-24 2276672]
R3 mfeapfk;McAfee Inc.; C:\windows\system32\drivers\mfeapfk.sys [2006-11-30 64360]
R3 mfeavfk;McAfee Inc.; C:\windows\system32\drivers\mfeavfk.sys [2006-11-30 72264]
R3 mfebopk;McAfee Inc.; C:\windows\system32\drivers\mfebopk.sys [2006-11-30 34152]
R3 mfehidk;McAfee Inc.; C:\windows\system32\drivers\mfehidk.sys [2006-11-30 168776]
R3 mouhid;Mouse HID Driver; C:\windows\system32\DRIVERS\mouhid.sys [2001-09-18 12160]
R3 RT2500;RT2500 Wireless Driver; C:\windows\system32\DRIVERS\RT2500.sys [2004-02-17 104448]
R3 SMBios;Intel ® System Management BIOS Service; C:\windows\system32\DRIVERS\SMBios.sys [2004-06-07 36484]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\windows\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\windows\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\windows\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\windows\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\windows\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\windows\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 kbdhid;Keyboard HID Driver; C:\windows\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
S3 CCDECODE;Closed Caption Decoder; C:\windows\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 dump_wmimmc;dump_wmimmc; \??\C:\Nexon\MapleStory Beginner Version\GameGuard\dump_wmimmc.sys []
S3 HdAudAddService;מנהל התקן של פונקציות UAA של Microsoft עבור שירות High Definition Audio; C:\windows\system32\drivers\HdAudio.sys [2004-03-17 113664]
S3 HSF_DP;HSF_DP; C:\windows\system32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536]
S3 HSFHWBS2;HSFHWBS2; C:\windows\system32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032]
S3 ialm;ialm; C:\windows\system32\DRIVERS\ialmnt5.sys [2004-06-06 730653]
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\windows\system32\drivers\mbamswissarmy.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\windows\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\windows\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\windows\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NPPTNT2;NPPTNT2; \??\C:\windows\system32\npptNT2.sys []
S3 SLIP;BDA Slip De-Framer; C:\windows\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\windows\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\windows\System32\Drivers\usbaapl.sys [2008-09-10 32000]
S3 USBSTOR;USB Mass Storage Driver; C:\windows\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 vvftav211;vvftav211; C:\windows\system32\drivers\vvftav211.sys [2007-12-10 480128]
S3 winachsf;winachsf; C:\windows\system32\DRIVERS\HSFCXTS2.sys [2004-08-03 685056]
S3 WpdUsb;WpdUsb; C:\windows\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\windows\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\windows\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 XDva145;XDva145; \??\C:\windows\system32\XDva145.sys []
S3 XDva152;XDva152; \??\C:\windows\system32\XDva152.sys []
S3 XDva164;XDva164; \??\C:\windows\system32\XDva164.sys []
S3 XDva165;XDva165; \??\C:\windows\system32\XDva165.sys []
S3 XDva168;XDva168; \??\C:\windows\system32\XDva168.sys []
S3 XDva170;XDva170; \??\C:\windows\system32\XDva170.sys []
S3 XDva177;XDva177; \??\C:\windows\system32\XDva177.sys []
S3 XDva178;XDva178; \??\C:\windows\system32\XDva178.sys []
S3 XDva181;XDva181; \??\C:\windows\system32\XDva181.sys []
S3 XDva189;XDva189; \??\C:\windows\system32\XDva189.sys []
S3 ZSMC30x;USB PC Camera Service ZSMC30x; C:\windows\System32\Drivers\ZS211.sys [2007-12-05 1537024]
S4 sr;System Restore Filter Driver; C:\windows\system32\DRIVERS\sr.sys [2008-04-14 73344]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-10 116040]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\windows\system32\Ati2evxx.exe [2005-01-20 344064]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2006-11-17 104000]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\windows\system32\svchost.exe [2008-04-14 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-10 536872]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2005-01-19 516096]
S2 InstallTest;InstallTest; C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe /test []
S2 Metric Conversion Calculator Installer;Metric Conversion Calculator Installer; C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE /update []
S2 NNServ;NNServ; C:\Program Files\NewDotNet\nnrun.exe C:\Program Files\NewDotNet\nncore.dll ServiceStart []
S3 aspnet_state;ASP.NET State Service; C:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 138168]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-01-05 65795]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 usprserv;User Privilege Service; C:\windows\System32\svchost.exe [2008-04-14 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-12-01 908800]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

for some reason it didn't generate an info.txt file - tried a couple of times though...

i'd like to know what to do, how should i protect myself in the future (right now i'm using McAfee), and some general info about those malware would be nice too...

Thanks!



#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,946 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 28 December 2008 - 04:16 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Firubat
  • Topic Starter

  • Members
  • 17 posts

Posted 31 December 2008 - 10:06 AM

Thank you for the reply.
I haven't solved the problems yet. Everything i wrote in the initial post is still relevant, except for the problems with the graphic card, which have gotten worse. I don't know if they have anything to do with the malware except for the fact that they appeared at about the same time. If you think it's connected then tell me and i'll post more details.

This is the DDS.txt:

DDS (Version 1.1.0) - FAT32x86
Run by Owner at 16:55:20.04 on 31/12/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1255.44.1037.18.510.99 [GMT 2:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
SVCHOST.EXE
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\ZSSnp211.exe
C:\windows\Domino.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\STK018_V2.01\STK018M.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\System32\svchost.exe -k HTTPFilter
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\שולחן העבודה\dds.com

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {54B02808-B60E-44CD-A72D-9865117E4E62} - No File
BHO: AGFormHelperObj Class: {6620e618-1ab9-4eb2-aca4-cbbe9066dbe6} - c:\program files\agat\agform\AGFormsHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: {74CC49F7-EB32-4A08-B204-948962A6E3DB} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Radio_Israel Toolbar: {889eb3f6-f16b-4bc0-bc81-9c407c8a3240} - c:\program files\radio_israel\tbRadi.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: AGForms: {ed2e7de7-07db-4941-a06d-f780b93ba730} - c:\program files\agat\agform\AGForms.dll
EB: {66B90ADB-0BE3-40AE-8680-84A6F0577CA0} - No File
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Hebrew] c:\program files\הפוך על הפוך\Hebrew.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZSSnp211] c:\windows\ZSSnp211.exe
mRun: [Domino] c:\windows\Domino.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\\SHSTAT.EXE" /STANDALONE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\owner\תפריט התחלה\תוכניות\הפעלה\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\תפריטה~1\תוכניות\הפעלה\stk018~1.lnk - c:\program files\stk018_v2.01\STK018M.exe
IE: &יצא ל- Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.05\amvconverter\grab.html
IE: MediaManager tool grab multimedia file - c:\program files\mp3 player utilities 4.05\mediamanager\grab.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
STS: IPC Configuration Utility - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ua6b8ryv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?mkt=he-il&FORM=MICPHU&q=
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\FrameworkService.exe" /ServiceStart [2007-11-14 104000]
R2 McShield;McAfee McShield;"c:\program files\mcafee\virusscan enterprise\Mcshield.exe" [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;"c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe" [2006-11-30 54872]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-11-14 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-11-14 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-11-14 168776]
S2 InstallTest;InstallTest;"c:\program files\digital design ltd\metric conversion calculator\InstallTest.exe" /test []
S2 Metric Conversion Calculator Installer;Metric Conversion Calculator Installer;"c:\program files\digital design ltd\metric conversion calculator\MCCINST.EXE" /update []
S2 NNServ;NNServ;"c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" ServiceStart []
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\maplestory beginner version\gameguard\dump_wmimmc.sys []
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-20 38496]
S3 vvftav211;vvftav211;c:\windows\system32\drivers\vvftav211.sys [2008-11-3 480128]
S3 XDva145;XDva145;\??\c:\windows\system32\XDva145.sys []
S3 XDva152;XDva152;\??\c:\windows\system32\XDva152.sys []
S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys []
S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys []
S3 XDva168;XDva168;\??\c:\windows\system32\XDva168.sys []
S3 XDva170;XDva170;\??\c:\windows\system32\XDva170.sys []
S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys []
S3 XDva178;XDva178;\??\c:\windows\system32\XDva178.sys []
S3 XDva181;XDva181;\??\c:\windows\system32\XDva181.sys []
S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys []
S3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\drivers\ZS211.sys [2008-11-3 1537024]

=============== Created Last 30 ================

2008-12-31 08:37 <DIR> --d----- c:\program files\Hebrew Crossword
2008-12-28 10:25 <DIR> --dsh--- C:\FOUND.005
2008-12-25 18:06 0 a------- c:\windows\ativpsrm.bin
2008-12-25 18:04 <DIR> --d----- c:\program files\ATI
2008-12-21 17:43 <DIR> --d----- c:\docume~1\owner\applic~1\InfraRecorder
2008-12-21 17:43 <DIR> --d----- c:\program files\InfraRecorder
2008-12-21 15:01 664 a------- c:\windows\system32\d3d9caps.dat
2008-12-21 13:52 <DIR> --d----- c:\program files\winMd5Sum
2008-12-20 17:28 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2008-12-20 17:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-20 17:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-20 17:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-20 16:13 <DIR> --d----- c:\docume~1\owner\applic~1\McAfee
2008-12-20 16:02 <DIR> --d----- c:\program files\trend micro
2008-12-19 17:34 2,740 a------- c:\windows\system32\tmp.reg
2008-12-18 10:04 109 a--sh--- c:\windows\system32\274535665.dat
2008-12-16 09:58 <DIR> --d----- c:\docume~1\owner\applic~1\COWON
2008-12-16 09:29 <DIR> --d----- c:\program files\common files\COWON
2008-12-16 09:29 <DIR> --d----- c:\program files\JetAudio
2008-12-11 17:12 <DIR> --d----- c:\program files\MP3 Player Utilities 4.05
2008-12-04 06:18 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-03 10:15 <DIR> --d----- c:\program files\GOV.IL
2008-12-03 10:15 <DIR> --d----- c:\program files\agat
2008-12-01 22:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-01 22:11 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-12-01 22:11 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-12-01 22:11 887,724 a------- c:\windows\system32\ativva6x.dat
2008-12-01 22:11 69,112 a------- c:\windows\system32\ativvaxx.cap
2008-12-01 21:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-01 21:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-01 21:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-01 21:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-01 21:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-01 21:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-01 21:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll

==================== Find3M ====================

2008-12-13 08:38 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-02 00:13 3,452,928 a------- c:\windows\system32\drivers\ati2mtag.sys
2008-12-02 00:13 3,452,928 a------- c:\windows\system32\dllcache\ati2mtag.sys
2008-12-01 22:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-01 22:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-01 22:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-01 22:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-01 22:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-01 22:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-01 22:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-01 22:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-01 22:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-01 22:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-01 22:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-01 22:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-01 21:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-01 21:51 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2008-12-01 21:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-12-01 14:35 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-11-08 17:01 352,542 a------- c:\windows\system32\perfh00d.dat
2008-11-08 17:01 70,952 a------- c:\windows\system32\perfc00d.dat
2008-10-30 16:45 180,720 a------- c:\windows\system32\atiicdxx.dat
2008-10-24 13:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 14:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 14:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-21 20:51 118,784 a------- c:\windows\system32\atibrtmon.exe
2008-10-16 15:12 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 15:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 18:37 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 09:06 633,632 a------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 09:04 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-10-14 17:02 21,840 a------- c:\windows\system32\SIntfNT.dll
2008-10-14 17:02 17,212 a------- c:\windows\system32\SIntf32.dll
2008-10-14 17:02 12,067 a------- c:\windows\system32\SIntf16.dll
2008-10-14 16:46 94,208 a------- c:\windows\DIIUnin.exe
2008-10-14 16:46 2,829 a------- c:\windows\DIIUnin.pif
2008-10-03 12:04 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 12:04 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2006-11-19 12:07 0 a------- c:\documents and settings\owner\ignorelist.dat
2006-09-13 19:02 0 a------- c:\documents and settings\owner\WoW-1.11.2.5464-to-0.12.0.5496-enGB-patch.exe
2005-05-25 18:44 774,144 a------- c:\program files\RngInterstitial.dll
2008-06-23 22:46 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat
2008-06-23 22:46 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-06-23 22:46 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat

============= FINISH: 16:56:13.23 ===============

#4 Firubat
  • Topic Starter

  • Members
  • 17 posts

Posted 31 December 2008 - 10:20 AM

:thumbsup: I think that the attachment didn't attach itself, so i give it another shot.

Attached Files



#5 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 01 January 2009 - 01:10 PM

Hello, Firubat
Can you translate this for me?

31/12/2008 08:27:28, error: Disk [11] - - \Device\Harddisk0\D.
31/12/2008 08:27:28, error: Disk [11] - - \Device\Harddisk0\D.

Or is it gibberish?

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click ComboFix on your desktop.
  • Read the disclaimer and accept it (press Yes).
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :thumbsup:
In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 Firubat
  • Topic Starter

  • Members
  • 17 posts

Posted 03 January 2009 - 06:12 AM

Hello!
It is not gibberish, it's Hebrew. It means something like: "the device manager identified a controller error in-" (both of them).

for some reason it didn't prompt me to install this Recovery Console, although i am using XP, and in the log it says that it's not installed :) hope it didn't do any trouble.

The ComboFix log seemed awfully long so i zipped and attached it instead of posting it. can you tell from it if it cleaned it all? i think i will run the kaspersky test again just to make sure.
I have to ask what do you mean by:

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

?
if i have the same problem, shouldn't i use the combofix? it will surely save some time...

Thanks for the help! :thumbsup:

Attached Files

  • Attached File  log.zip   25.74KB   2 downloads


#7 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 03 January 2009 - 11:04 AM

Hello, Firubat

Hehe... our machines must be using different character sets. On my machine, it looks like a bunch of garbage.

if i have the same problem, shouldn't i use the combofix? it will surely save some time...

Not really. The most important part of CF is not the actions it takes; rather it is the log it produces.

If you don't have someone read the log then you could be masking the problem rather than dealing with it. And if it's masking a backdoor that CF missed or something along those lines, then you're just asking for identity theft or worse :thumbsup:

Case in point. CF removed a lot, but it didn't get everything. For that reason,

We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    file::
    c:\windows\system32\274535665.dat
    driver::
    dump_wmimmc
    XDva145
    XDva152
    XDva164
    XDva165
    XDva168
    XDva170
    XDva177
    XDva178
    XDva181
    XDva189
    folder::
    c:\nexon
    C:\rsit
    DDS::
    Trusted Zone: *.internet
    Trusted Zone: *.mcafee.com
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use Ctrl+A)
  • Right-click again and choose "Copy" (or Ctrl+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ComboFix.txt
  • ESET OnlineScan's Log

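As an added example (not code from this thread, nor from the DDS or RSIT tools), the Python script below applies the triage Billy did by hand on the SERVICES / DRIVERS section: it parses the service and driver lines both tools print, flags registrations that carry no file metadata (the trailing `[]`) and groups sequentially numbered driver names such as the XDva* family. The sample log is a constructed excerpt modeled on the DDS log above; flagged names are candidates to confirm on disk, not verdicts.

```python
r"""Triage helper for the SERVICES / DRIVERS section of a DDS or RSIT log.

Added example for this thread; it is not code from the thread, from DDS
or from RSIT.  It parses the driver/service lines both tools print, e.g.

    S3 XDva145;XDva145;\??\c:\windows\system32\XDva145.sys []

and flags what a helper looks at first: registrations whose file has no
metadata (the trailing '[]': file missing, unreadable, or hidden behind
command-line switches) and families of sequentially numbered driver
names (XDva145, XDva152, ...).  Flagged entries are candidates to
confirm on disk, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "R3 name;display; path [YYYY-MM-DD size]" -- RSIT puts a space after the
# second ';', DDS does not; both end with [] when no file metadata is known.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
# First image file in the command line, quoted or not, ignoring arguments.
IMAGE_RE = re.compile(r'^"?(?P<img>.+?\.(?:sys|exe|dll))"?', re.IGNORECASE)
# Service names made of a letter prefix plus a number, e.g. XDva189.
FAMILY_RE = re.compile(r"^(?P<prefix>[A-Za-z_]+)(?P<num>\d+)$")


@dataclass
class Entry:
    state: str            # R = running, S = stopped
    start: int            # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    image: str            # image path with the \??\ device prefix removed
    meta: Optional[Tuple[str, int]]  # (date, size) or None when '[]'


def parse_line(line: str) -> Optional[Entry]:
    """Parse one service/driver line; return None for headers or blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw_path = m.group("path").strip()
    im = IMAGE_RE.match(raw_path)
    image = im.group("img") if im else raw_path
    if image.startswith("\\??\\"):
        image = image[4:]
    meta_text = m.group("meta").split()
    meta = (meta_text[0], int(meta_text[1])) if len(meta_text) == 2 else None
    return Entry(m.group("state"), int(m.group("start")), m.group("name"),
                 m.group("display"), image, meta)


def parse_log(text: str) -> List[Entry]:
    """Parse every recognisable service/driver line in a log."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def find_numbered_families(entries: List[Entry],
                           min_members: int = 3) -> Dict[str, List[str]]:
    """Group names like XDva145/XDva152/... by prefix; keep the large groups."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        fm = FAMILY_RE.match(e.name)
        if fm:
            groups.setdefault(fm.group("prefix"), []).append(e.name)
    return {p: sorted(n) for p, n in groups.items() if len(n) >= min_members}


def triage(text: str, min_members: int = 3) -> Dict[str, object]:
    """Names with no file metadata, plus numbered driver families."""
    entries = parse_log(text)
    return {
        "no_file_metadata": [e.name for e in entries if e.meta is None],
        "numbered_families": find_numbered_families(entries, min_members),
    }


# Constructed excerpt modeled on the DDS log in this thread (not the real log).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys [2006-11-30 31944]
R2 McShield;McAfee McShield;"c:\program files\mcafee\virusscan enterprise\Mcshield.exe" [2006-11-30 144960]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-11-14 72264]
S2 NNServ;NNServ;"c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" ServiceStart []
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\maplestory beginner version\gameguard\dump_wmimmc.sys []
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-20 38496]
S3 XDva145;XDva145;\??\c:\windows\system32\XDva145.sys []
S3 XDva152;XDva152;\??\c:\windows\system32\XDva152.sys []
S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys []
S3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\drivers\ZS211.sys [2008-11-3 1537024]
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("no file metadata :", ", ".join(report["no_file_metadata"]))
    for prefix, names in report["numbered_families"].items():
        print(f"numbered family  : {prefix}* -> {', '.join(names)}")
```

Note that a service started with command-line switches (NNServ in the sample) also shows `[]`, so the list needs a look at the file on disk before anything is acted on.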

#8 Firubat
  • Topic Starter

  • Members
  • 17 posts

Posted 04 January 2009 - 07:33 AM

Hello Billy
here is the Combofix log:


ComboFix 09-01-02.01 - Owner 2009-01-04 12:20:09.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1255.1.1037.18.510.247 [GMT 2:00]
Running from: c:\documents and settings\Owner\שולחן העבודה\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\שולחן העבודה\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\274535665.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\nexon
c:\nexon\MapleStory Beginner Version\Base.wz
c:\nexon\MapleStory Beginner Version\Canvas.dll
c:\nexon\MapleStory Beginner Version\Character.wz
c:\nexon\MapleStory Beginner Version\Effect.wz
c:\nexon\MapleStory Beginner Version\Etc.wz
c:\nexon\MapleStory Beginner Version\GameGuard.des
c:\nexon\MapleStory Beginner Version\GameGuard\0npgg.erl
c:\nexon\MapleStory Beginner Version\GameGuard\0npgl.erl
c:\nexon\MapleStory Beginner Version\GameGuard\0npgm.erl
c:\nexon\MapleStory Beginner Version\GameGuard\0npgmup.erl
c:\nexon\MapleStory Beginner Version\GameGuard\0npsc.erl
c:\nexon\MapleStory Beginner Version\GameGuard\GameGuard.des
c:\nexon\MapleStory Beginner Version\GameGuard\GameGuard.ver
c:\nexon\MapleStory Beginner Version\GameGuard\GameMon.des
c:\nexon\MapleStory Beginner Version\GameGuard\ggscan.des
c:\nexon\MapleStory Beginner Version\GameGuard\MapleStoryUSSimple.ini
c:\nexon\MapleStory Beginner Version\GameGuard\npgg.erl
c:\nexon\MapleStory Beginner Version\GameGuard\npgg9x.des
c:\nexon\MapleStory Beginner Version\GameGuard\npggNT.des
c:\nexon\MapleStory Beginner Version\GameGuard\npgl.erl
c:\nexon\MapleStory Beginner Version\GameGuard\npgm.erl
c:\nexon\MapleStory Beginner Version\GameGuard\npgmup.des
c:\nexon\MapleStory Beginner Version\GameGuard\npgmup.erl
c:\nexon\MapleStory Beginner Version\GameGuard\npsc.des
c:\nexon\MapleStory Beginner Version\GameGuard\npsc.erl
c:\nexon\MapleStory Beginner Version\GameGuard\Splash.jpg
c:\nexon\MapleStory Beginner Version\Gr2D_DX8.dll
c:\nexon\MapleStory Beginner Version\ijl15.dll
c:\nexon\MapleStory Beginner Version\Item.wz
c:\nexon\MapleStory Beginner Version\l3codeca.acm
c:\nexon\MapleStory Beginner Version\List.wz
c:\nexon\MapleStory Beginner Version\Map.wz
c:\nexon\MapleStory Beginner Version\MapleStoryS.exe
c:\nexon\MapleStory Beginner Version\MapleStoryUSSimple.ini
c:\nexon\MapleStory Beginner Version\Mob.wz
c:\nexon\MapleStory Beginner Version\Morph.wz
c:\nexon\MapleStory Beginner Version\NameSpace.dll
c:\nexon\MapleStory Beginner Version\Npc.wz
c:\nexon\MapleStory Beginner Version\npkcrypt.dll
c:\nexon\MapleStory Beginner Version\npkcrypt.sys
c:\nexon\MapleStory Beginner Version\npkcrypt.vxd
c:\nexon\MapleStory Beginner Version\npkcusb.sys
c:\nexon\MapleStory Beginner Version\npkpdb.dll
c:\nexon\MapleStory Beginner Version\Patcher.exe
c:\nexon\MapleStory Beginner Version\PCOM.dll
c:\nexon\MapleStory Beginner Version\Quest.wz
c:\nexon\MapleStory Beginner Version\Reactor.wz
c:\nexon\MapleStory Beginner Version\ResMan.dll
c:\nexon\MapleStory Beginner Version\Setup.exe
c:\nexon\MapleStory Beginner Version\Shape2D.dll
c:\nexon\MapleStory Beginner Version\Skill.wz
c:\nexon\MapleStory Beginner Version\Sound.wz
c:\nexon\MapleStory Beginner Version\Sound_DX8.dll
c:\nexon\MapleStory Beginner Version\String.wz
c:\nexon\MapleStory Beginner Version\TamingMob.wz
c:\nexon\MapleStory Beginner Version\UI.wz
c:\nexon\MapleStory Beginner Version\WzFlashRenderer.dll
c:\nexon\MapleStory Beginner Version\WzMss.dll
c:\nexon\MapleStory Beginner Version\ZLZ.dll
C:\rsit
c:\rsit\info.txt
c:\rsit\log.txt
c:\windows\system32\274535665.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DUMP_WMIMMC
-------\Legacy_XDVA145
-------\Legacy_XDVA152
-------\Legacy_XDVA164
-------\Legacy_XDVA165
-------\Legacy_XDVA168
-------\Legacy_XDVA170
-------\Legacy_XDVA177
-------\Legacy_XDVA178
-------\Legacy_XDVA181
-------\Legacy_XDVA189
-------\Service_dump_wmimmc
-------\Service_XDva145
-------\Service_XDva152
-------\Service_XDva164
-------\Service_XDva165
-------\Service_XDva168
-------\Service_XDva170
-------\Service_XDva177
-------\Service_XDva178
-------\Service_XDva181
-------\Service_XDva189


((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2008-12-31 08:37 . 2008-12-31 08:37 <DIR> d-------- c:\program files\Hebrew Crossword
2008-12-28 10:25 . 2008-12-28 10:25 <DIR> d--hs---- C:\FOUND.005
2008-12-25 18:07 . 2008-12-25 18:07 <DIR> d-------- c:\documents and settings\Owner\Application Data\ATI
2008-12-25 18:07 . 2008-12-25 18:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
2008-12-25 18:06 . 2008-12-25 18:06 0 --a------ c:\windows\ativpsrm.bin
2008-12-25 18:04 . 2008-12-25 18:04 <DIR> d-------- c:\program files\ATI
2008-12-21 17:43 . 2008-12-21 17:43 <DIR> d-------- c:\program files\InfraRecorder
2008-12-21 17:43 . 2008-12-21 17:43 <DIR> d-------- c:\documents and settings\Owner\Application Data\InfraRecorder
2008-12-21 15:01 . 2008-12-31 17:53 664 --a------ c:\windows\system32\d3d9caps.dat
2008-12-21 13:52 . 2008-12-21 13:52 <DIR> d-------- c:\program files\winMd5Sum
2008-12-20 17:28 . 2008-12-20 17:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-20 17:28 . 2008-12-20 17:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-20 17:28 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-20 17:28 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-20 16:13 . 2008-12-20 16:13 <DIR> d-------- c:\documents and settings\Owner\Application Data\McAfee
2008-12-20 16:02 . 2008-12-20 16:02 <DIR> d-------- c:\program files\trend micro
2008-12-16 09:58 . 2008-12-16 09:58 <DIR> d-------- c:\documents and settings\Owner\Application Data\COWON
2008-12-16 09:29 . 2008-12-16 09:29 <DIR> d-------- c:\program files\JetAudio
2008-12-16 09:29 . 2008-12-16 09:29 <DIR> d-------- c:\program files\Common Files\COWON
2008-12-11 17:12 . 2008-12-11 17:12 <DIR> d-------- c:\program files\MP3 Player Utilities 4.05
2008-12-05 10:58 . 2008-12-05 10:58 <DIR> d-------- c:\documents and settings\Owner\Application Data\Download Manager
2008-12-04 06:18 . 2008-12-04 06:18 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 06:38 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-03 08:15 --------- d-----w c:\program files\GOV.IL
2008-12-03 08:15 --------- d-----w c:\program files\agat
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\dllcache\ati2mtag.sys
2008-12-01 20:52 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-12-01 20:51 318,464 ----a-w c:\windows\system32\ati2dvag.dll
2008-12-01 20:46 11,304,960 ----a-w c:\windows\system32\atioglxx.dll
2008-12-01 20:41 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-12-01 20:40 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-12-01 20:40 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-12-01 20:40 147,456 ----a-w c:\windows\system32\Oemdspif.dll
2008-12-01 20:40 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-12-01 20:38 598,016 ----a-w c:\windows\system32\ati2evxx.exe
2008-12-01 20:37 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-12-01 20:27 4,120,384 ----a-w c:\windows\system32\ati3duag.dll
2008-12-01 20:19 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-12-01 20:11 2,495,360 ----a-w c:\windows\system32\ativvaxx.dll
2008-12-01 19:57 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalrt.dll
2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalcl.dll
2008-12-01 19:53 401,408 ----a-w c:\windows\system32\atikvmag.dll
2008-12-01 19:52 86,016 ----a-w c:\windows\system32\atiadlxx.dll
2008-12-01 19:52 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-12-01 19:50 3,252,224 ----a-w c:\windows\system32\Amdcaldd.dll
2008-12-01 19:50 286,720 ----a-w c:\windows\system32\atiok3x2.dll
2008-12-01 19:45 577,536 ----a-w c:\windows\system32\ati2cqag.dll
2008-12-01 12:35 593,920 ------w c:\windows\system32\ati2sgag.exe
2008-11-18 17:05 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-21 18:51 118,784 ----a-w c:\windows\system32\atibrtmon.exe
2008-10-16 13:12 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-16 12:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 12:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 12:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 12:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 12:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 12:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:37 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2008-10-14 15:02 21,840 ----a-w c:\windows\system32\SIntfNT.dll
2008-10-14 15:02 17,212 ----a-w c:\windows\system32\SIntf32.dll
2008-10-14 15:02 12,067 ----a-w c:\windows\system32\SIntf16.dll
2008-10-14 14:46 94,208 ----a-w c:\windows\DIIUnin.exe
2008-10-14 14:46 2,829 ----a-w c:\windows\DIIUnin.pif
2006-11-19 10:07 0 ----a-w c:\documents and settings\Owner\ignorelist.dat
2006-09-13 17:02 0 ----a-w c:\documents and settings\Owner\WoW-1.11.2.5464-to-0.12.0.5496-enGB-patch.exe
2005-05-25 16:44 774,144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-03_12.54.40.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-08 15:01:46 70,968 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-04 05:43:56 70,968 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-08 15:01:46 70,952 ----a-w c:\windows\system32\perfc00d.dat
+ 2009-01-04 05:43:56 70,952 ----a-w c:\windows\system32\perfc00d.dat
- 2008-11-08 15:01:46 439,264 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-04 05:43:56 439,264 ----a-w c:\windows\system32\perfh009.dat
- 2008-11-08 15:01:46 352,542 ----a-w c:\windows\system32\perfh00d.dat
+ 2009-01-04 05:43:56 352,542 ----a-w c:\windows\system32\perfh00d.dat
+ 2008-12-01 19:53:08 45,056 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\amdcalcl.dll
+ 2008-12-01 19:50:38 3,252,224 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\Amdcaldd.dll
+ 2008-12-01 19:53:18 45,056 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\amdcalrt.dll
+ 2008-12-01 19:57:34 48,640 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\amdpcom32.dll
+ 2008-12-01 19:52:14 86,016 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\atiadlxx.dll
+ 2008-10-21 18:51:44 118,784 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\atibrtmon.exe
+ 2008-12-01 20:52:52 425,984 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\ATIDEMGX.dll
+ 2008-12-01 19:53:38 401,408 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\atikvmag.dll
+ 2008-12-01 19:50:54 286,720 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\atiok3x2.dll
+ 2008-12-01 20:11:22 3,107,788 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\ativva5x.dat
+ 2008-12-01 20:11:22 887,724 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\ativva6x.dat
+ 2008-12-01 20:11:22 3,107,788 ----a-w c:\windows\system32\ReinstallBackups\0002\DriverFiles\ativvaxx.dat
+ 2008-12-01 19:53:08 45,056 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\amdcalcl.dll
+ 2008-12-01 19:50:38 3,252,224 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\Amdcaldd.dll
+ 2008-12-01 19:53:18 45,056 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\amdcalrt.dll
+ 2008-12-01 19:57:34 48,640 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\amdpcom32.dll
+ 2008-12-01 19:52:14 86,016 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\atiadlxx.dll
+ 2008-10-21 18:51:44 118,784 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\atibrtmon.exe
+ 2008-12-01 20:52:52 425,984 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\ATIDEMGX.dll
+ 2008-12-01 19:53:38 401,408 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\atikvmag.dll
+ 2008-12-01 19:50:54 286,720 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\atiok3x2.dll
+ 2008-12-01 20:11:22 3,107,788 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\ativva5x.dat
+ 2008-12-01 20:11:22 887,724 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\ativva6x.dat
+ 2008-12-01 20:11:22 3,107,788 ----a-w c:\windows\system32\ReinstallBackups\0003\DriverFiles\ativvaxx.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2007-04-06 57344]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
"ShStatEXE"="c:\program files\mcafee\virusscan enterprise\\SHSTAT.EXE" [2006-11-30 112216]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Owner\ \\\
PowerReg Scheduler V3.exe [2005-06-16 225280]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\תפריט התחלה\תוכניות\הפעלה\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^תפריט התחלה^תוכניות^הפעלה^RaConfig2500.lnk]
path=c:\documents and settings\All Users\תפריט התחלה\תוכניות\הפעלה\RaConfig2500.lnk
backup=c:\windows\pss\RaConfig2500.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^תפריט התחלה^תוכניות^הפעלה^Xfire.lnk]
path=c:\documents and settings\Owner\תפריט התחלה\תוכניות\הפעלה\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-01-19 21:40 339968 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 17:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-06-03 15:08 21718312 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-15 18:16 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2004-09-23 15:44 57344 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-09-24 12:06 2559488 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\קיצור דרך לעמוד המאפיינים של High Definition Audio]
--------- 2004-03-17 15:10 61952 c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Soldat\\Soldat.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\הד\\eMule0.48a\\emule.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Softnyx\\WolfTeam\\Wolfteam.bin"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-20 38496]
S3 vvftav211;vvftav211;c:\windows\system32\drivers\vvftav211.sys [2008-11-03 480128]
S3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\drivers\ZS211.sys [2008-11-03 1537024]
S4 InstallTest;InstallTest;"c:\program files\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe" /test --> c:\program files\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe [?]
S4 Metric Conversion Calculator Installer;Metric Conversion Calculator Installer;"c:\program files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE" /update --> c:\program files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{466a85af-a58b-11dd-b7cc-000e2e3fd28b}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ebbf61ba-76ab-11dd-b756-001111956c7e}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-12-31 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 04:18]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-New - c:\progra~1\NEWDOT~1\NEWDOT~2.DLL


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.05\AMVConverter\grab.html
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.05\MediaManager\grab.html
Trusted Zone: *.internet
Trusted Zone: *.mcafee.com

c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
c:\windows\Downloaded Program Files\DownloadManagerV2.inf
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ua6b8ryv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?mkt=he-il&FORM=MICPHU&q=
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 12:24:12
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1256799619-2154702590-596957751-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*NULL*, J*NULL*P*NULL*G*NULL*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1256799619-2154702590-596957751-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*NULL*, J*NULL*P*NULL*G*NULL*\OpenWithList]
@Class="Shell"
"a"="mspaint.exe"
"MRUList"="abdc"
"b"="shimgvw.dll"
"c"="msmsgs.exe"
"d"="ImageReady.exe"

[HKEY_USERS\S-1-5-21-1256799619-2154702590-596957751-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*NULL*, J*NULL*P*NULL*G*NULL*\OpenWithProgids]
"?JPG_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-1256799619-2154702590-596957751-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.*NULL*, J*NULL*P*NULL*G*NULL*]
"0"=hex:2d,20,33,00,31,00,2c,20,41,00,5f,00,2d,20,30,00,30,00,33,00,34,00,2e,\
00,2c,20,4a,00,50,00,47,00,00,00,64,00,36,00,00,00,00,00,00,00,00,00,00,00,\
2d,20,33,00,31,00,2c,20,41,00,5f,00,2d,20,30,00,30,00,33,00,34,00,2e,00,6c,\
00,6e,00,6b,00,00,00,36,00,03,00,04,00,ef,be,00,00,00,00,00,00,00,00,14,00,\
00,00,2d,20,33,00,31,00,2c,20,41,00,5f,00,2d,20,30,00,30,00,33,00,34,00,2e,\
00,6c,00,6e,00,6b,00,00,00,2e,00,00,00
"MRUListEx"=hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff
"1"=hex:2d,20,33,00,32,00,2c,20,41,00,5f,00,2d,20,30,00,30,00,33,00,35,00,2e,\
00,2c,20,4a,00,50,00,47,00,00,00,64,00,36,00,00,00,00,00,00,00,00,00,00,00,\
2d,20,33,00,32,00,2c,20,41,00,5f,00,2d,20,30,00,30,00,33,00,35,00,2e,00,6c,\
00,6e,00,6b,00,00,00,36,00,03,00,04,00,ef,be,00,00,00,00,00,00,00,00,14,00,\
00,00,2d,20,33,00,32,00,2c,20,41,00,5f,00,2d,20,30,00,30,00,33,00,35,00,2e,\
00,6c,00,6e,00,6b,00,00,00,2e,00,00,00

[HKEY_USERS\S-1-5-21-1256799619-2154702590-596957751-1003\Software\Microsoft\  M*NULL*i*NULL*c*NULL*r*NULL*o*NULL*s*NULL*o*NULL*f*NULL*t*NULL* *NULL*M*NULL*a*NULL*n*NULL*a*NULL*g*NULL*e*NULL*m*NULL*e*NULL*n*NULL*t*NULL* *NULL*C*NULL*o*NULL*n*NULL*s*NULL*o*NULL*l*NULL*e*NULL*\Recent File List]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"File1"="c:\\windows\\system32\\devmgmt.msc"
"File2"="c:\\windows\\system32\\services.msc"
"File3"="c:\\WINDOWS\\system32\\compmgmt.msc"
"File4"="c:\\WINDOWS\\system32\\perfmon.msc"

[HKEY_USERS\S-1-5-21-1256799619-2154702590-596957751-1003\ּQ[*NULL*ּQ[*NULL*w*NULL*a*NULL*r*NULL*e*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"

[HKEY_LOCAL_MACHINE\software\Classes\.*NULL*, J*NULL*P*NULL*G*NULL*]
@="?JPG_auto_file"

[HKEY_LOCAL_MACHINE\software\Classes\ךׁאך *NULL*י *NULL*M*NULL*i*NULL*c*NULL*r*NULL*o*NULL*s*NULL*o*NULL*f*NULL*t*NULL* *NULL*O*NULL*f*NULL*f*NULL*i*NULL*c*NULL*e*NULL* *NULL*P*NULL*o*NULL*w*NULL*e*NULL*r*NULL*P*NULL*o*NULL*i*NULL*n*NULL*t*NULL* *NULL*2*NULL*0*NULL*0*NULL*7*NULL* ]
@Allowed: (Read) (Administrators)
@="{048EB43E-2059-422F-95E0-557DA96038AF}"

[HKEY_LOCAL_MACHINE\software\Classes\, J*NULL*P*NULL*G*NULL*_*NULL*a*NULL*u*NULL*t*NULL*o*NULL*_*NULL*f*NULL*i*NULL*l*NULL*e*NULL*]
@=""

[HKEY_LOCAL_MACHINE\software\Classes\, J*NULL*P*NULL*G*NULL*_*NULL*a*NULL*u*NULL*t*NULL*o*NULL*_*NULL*f*NULL*i*NULL*l*NULL*e*NULL*\shell\open]
"MuiVerb"="@shimgvw.dll,-550"

[HKEY_LOCAL_MACHINE\software\Classes\, J*NULL*P*NULL*G*NULL*_*NULL*a*NULL*u*NULL*t*NULL*o*NULL*_*NULL*f*NULL*i*NULL*l*NULL*e*NULL*\shell\open\command]
@=expand:"rundll32.exe %SystemRoot%\\system32\\shimgvw.dll,ImageView_Fullscreen %1"

[HKEY_LOCAL_MACHINE\software\Classes\, J*NULL*P*NULL*G*NULL*_*NULL*a*NULL*u*NULL*t*NULL*o*NULL*_*NULL*f*NULL*i*NULL*l*NULL*e*NULL*\shell\open\DropTarget]
"Clsid"="{e84fda7c-1d6a-45f6-b725-cb260c236066}"

[HKEY_LOCAL_MACHINE\software\Classes\, J*NULL*P*NULL*G*NULL*_*NULL*a*NULL*u*NULL*t*NULL*o*NULL*_*NULL*f*NULL*i*NULL*l*NULL*e*NULL*\shell\print\command]
@=expand:"rundll32.exe %SystemRoot%\\system32\\shimgvw.dll,ImageView_Fullscreen %1"

[HKEY_LOCAL_MACHINE\software\Classes\, J*NULL*P*NULL*G*NULL*_*NULL*a*NULL*u*NULL*t*NULL*o*NULL*_*NULL*f*NULL*i*NULL*l*NULL*e*NULL*\shell\print\DropTarget]
"Clsid"="{60fd46de-f830-4894-a628-6fa81bc0190d}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\MCAFEE\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE
c:\program files\MCAFEE\VIRUSSCAN ENTERPRISE\MCSHIELD.EXE
c:\program files\MCAFEE\VIRUSSCAN ENTERPRISE\VSTSKMGR.EXE
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\program files\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE
c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\STK018_V2.01\STK018M.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2009-01-04 12:29:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-04 10:29:10
ComboFix2.txt 2009-01-03 10:55:36

Pre-Run: 20,605,272,064 bytes free
Post-Run: 20,617,756,672 bytes free

449 --- E O F --- 2008-12-18 08:19:38

Why did it delete all these MapleStory files? I don't think anyone uses it, but is it a danger?
and the ESET Online scan log:


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3734 (20090103)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=95d12d7e28a22b449218926e2409dcfb
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-04 12:23:08
# local_time=2009-01-04 02:23:08 )
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=515267
# found=12
# scan_time=6240
C:\System Volume Information\_restore{A4A18B84-A45A-46C3-823B-B21D5BFA8181}\RP2\A0000033.dll Win32/Adware.HotBar application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{A4A18B84-A45A-46C3-823B-B21D5BFA8181}\RP2\A0000035.exe Win32/Adware.HotBar application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{A4A18B84-A45A-46C3-823B-B21D5BFA8181}\RP2\A0000036.exe Win32/Adware.HotBar application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{A4A18B84-A45A-46C3-823B-B21D5BFA8181}\RP2\A0000037.exe Win32/Adware.Toolbar.Shopper application (deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{A4A18B84-A45A-46C3-823B-B21D5BFA8181}\RP2\A0000037.exe NSIS ShprRprt.dll Win32/Adware.Toolbar.Shopper application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{A4A18B84-A45A-46C3-823B-B21D5BFA8181}\RP2\A0000038.dll Win32/Adware.HotBar application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\HbTools\Bin\4.6.2.0\dBenderC.dll.vir Win32/Adware.HotBar application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\HbTools\Bin\4.6.2.0\HbtSrv.exe.vir Win32/Adware.HotBar application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\HbTools\Bin\4.6.2.0\HbtWeatherOnTray.exe.vir Win32/Adware.HotBar application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\HbTools\Bin\4.6.2.0\ShprRprtHbt.exe.vir Win32/Adware.Toolbar.Shopper application (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\HbTools\Bin\4.6.2.0\ShprRprtHbt.exe.vir NSIS ShprRprt.dll Win32/Adware.Toolbar.Shopper application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\HbTools\Bin\4.7.0.0\dBenderC.dll.vir Win32/Adware.HotBar application (unable to clean - deleted) 00000000000000000000000000000000


These things are hard to get rid of, aren't they?
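
Editor's note on the ComboFix log above: besides the quarantined files, the "Reg Loading Points" section records several settings a responder would want to check before calling a machine clean: both Security Center overrides are set to 1 (which silences the "no antivirus / no firewall" warnings), the Windows Firewall standard profile has EnableFirewall = 0, two Run entries point at executables in the root of c:\windows rather than Program Files or system32, and three mountpoints2 keys carry an AutoRun command for a U3 USB stick. None of these is proof of infection on its own (some security products set the overrides themselves, and the U3 launcher is a legitimate SanDisk feature), but each is worth a second look. The script below is an added example, not part of the thread and not a ComboFix feature: it parses that section of a log and lists those findings. The SAMPLE_LOG is a constructed excerpt built from the lines posted above, and the EXPECTED_PREFIXES list is an assumption about where autostart entries normally live on a default XP install.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example: flags Security Center overrides, a disabled Windows Firewall,
autostart entries living outside the usual directories, and removable-media
AutoRun commands. Findings are hints for a human, not verdicts.
"""
import re
from typing import List, Tuple

# Constructed excerpt modelled on the log posted in this thread (not the full log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZSSnp211"="c:\windows\ZSSnp211.exe" [2007-04-06 57344]
"Domino"="c:\windows\Domino.exe" [2006-08-18 49152]
"ShStatEXE"="c:\program files\mcafee\virusscan enterprise\\SHSTAT.EXE" [2006-11-30 112216]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "name"=value
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(.+)$")
PATH_RE = re.compile(r'^"([^"]+)"')                       # quoted path before [date size]

# Assumption: on a default XP install, autostart binaries sit under one of these.
# Anything else (c:\windows root, the user profile, temp dirs) deserves a look.
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for every suspicious line in the section."""
    findings: List[Tuple[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = KEY_RE.match(line)
        if m:                                   # new registry key header
            current_key = m.group(1).lower()
            continue

        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key:  # per-volume AutoRun command
            findings.append(("removable-media autorun", f"{current_key}: {m.group(1)}"))
            continue

        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)

        if current_key.endswith("security center") and name in (
            "AntiVirusOverride", "FirewallOverride",
        ):
            if value.lower().endswith("1"):     # dword:00000001
                findings.append(("security center override", f"{name} = 1"))
        elif current_key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            if value.startswith("0"):           # "EnableFirewall"= 0 (0x0)
                findings.append(("windows firewall disabled", f"{name} = {value}"))
        elif current_key.endswith("\\run"):
            p = PATH_RE.match(value)
            if p:
                path = p.group(1).lower().replace("\\\\", "\\")
                if not path.startswith(EXPECTED_PREFIXES):
                    findings.append(("autostart outside expected dirs", f"{name} -> {p.group(1)}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run against the excerpt it reports the two c:\windows Run entries (ZSSnp211.exe and Domino.exe), both Security Center overrides, the disabled firewall profile and the U3 AutoRun command, and stays silent on the Program Files entries. Resetting the overrides and re-enabling the firewall is a separate step the helper would normally walk the user through; the script only tells you they are still set.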

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:05:16 PM

Posted 04 January 2009 - 11:05 AM

Hello, Firubat
I put the Nexon folder in the script because I have seen it associated with this before:
http://www.systemlookup.com/O23/4083-iWinG...taller_exe.html

However, it's not an exact match. Given how dangerous that one is though, I tried to be safe with it.

If you're comfortable that it's fine, maybe give the installer a whirl through http://virustotal.com , and reinstall it.

Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan hosts file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use; the paid versions add resident protection and do not nag.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
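The MVPs hosts file recommended in the post above works by mapping ad and tracking hostnames to a black-hole address, and the same mechanism is what adware abuses to cut a machine off from update and antivirus sites. The following Python script is an added example, not code from the thread or from the hosts-file project: it parses hosts-file text, answers whether a given name is blocked, and flags entries a hijacker would add. The sample hosts content, the list of protected vendor domains and the 203.0.113.7 address are constructed for the example.

```python
import ipaddress

# Addresses the MVPs list uses to sinkhole a name (0.0.0.0 is preferred
# because it fails fast instead of waiting on a local listener).
BLACKHOLE = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}

# Names that must never be sinkholed on a clean machine. Assumed list for
# this example; extend it with whatever vendors you actually rely on.
PROTECTED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "kaspersky.com",
    "eset.com",
    "malwarebytes.org",
)

# Constructed sample in the MVPs hosts-file style; the last two lines are
# the kind of entry adware adds, not part of the real MVPs list.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 atdmt.com
0.0.0.0 ehg-eset.hitbox.com
0.0.0.0 bs.serving-sys.com  # trailing comment
127.0.0.1 www.kaspersky.com
203.0.113.7 www.microsoft.com
"""


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and blanks."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip inline and full-line comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # malformed line, skip it
        for name in parts[1:]:                  # one address may carry several names
            table[name.lower()] = addr
    return table


def is_blocked(table, name):
    """True only for an exact-name entry mapped to a black-hole address."""
    addr = table.get(name.lower())
    return addr is not None and addr in BLACKHOLE


def audit(table):
    """Flag entries a hijacker would add: protected names sinkholed, or any
    name redirected to a remote address instead of a black hole."""
    findings = []
    for name, addr in table.items():
        if name == "localhost":
            continue
        protected = any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)
        if addr not in BLACKHOLE and not addr.is_loopback:
            findings.append((name, str(addr), "redirected to a remote address"))
        elif protected:
            findings.append((name, str(addr), "protected name sinkholed"))
    return findings


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for probe in ("ad.doubleclick.net", "doubleclick.net", "static.doubleclick.net"):
        print(f"{probe:28} blocked={is_blocked(table, probe)}")
    for name, addr, why in audit(table):
        print(f"SUSPICIOUS {name} -> {addr}: {why}")
```

A hosts entry matches only the exact name: blocking ad.doubleclick.net does nothing for doubleclick.net or static.doubleclick.net, which is why the MVPs list is long and needs regular updates, and why a hosts file is a supplement to, not a replacement for, an updated scanner.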

#10 Firubat (Topic Starter)

Posted 05 January 2009 - 07:25 AM

:) My dear helper, I'm sorry to disappoint you but the fight is not over yet :)
I ran a few tests to check if I'm truly clean, and discovered it is not the case:
Kaspersky shows I'm infected with:
C:\Program Files\STK018_V2.01\STK018M.exe/C:\Program Files\STK018_V2.01\STK018M.exe Infected: not-a-virus:AdWare.Win32.Cres 1
C:\Program Files\STK018_V2.01\STK018D.exe Infected: not-a-virus:AdWare.Win32.Cres.a 1
C:\Program Files\STK018_V2.01\STK018M.exe Infected: not-a-virus:AdWare.Win32.Cres

And Norton Security Scan says there's much more (it doesn't produce a pasteable log, so I just copied the names of the threats):
Adware.WebBar
Adware.Hotbar
Trojan.Malscript!html
W32.Spybot.Worm
Adware.NDotNet
Tracking Cookie

The problem is that these two do not provide cleaning (unless I pay).
The purchased anti-virus I have is McAfee VirusScan Enterprise and it does not recognize any threat. Neither does the free Malwarebytes' Anti-Malware. :thumbsup:

I can at least say that we ARE making progress, since the previous Kaspersky scan I did showed more malware; I guess they were removed.

What do I do now?

#11 Billy O'Neal (Malware Response Team)

Posted 05 January 2009 - 11:33 PM

Hello, Firubat
Does Norton list the files or registry keys involved?
Your logs should have shown signs of those infections, but they don't. And to be honest, I don't trust Norton as far as I can throw it.
Sorry... just too many horror stories.

If you can get a list of files/registry keys, though, we can remove what Norton is complaining about.

The Kaspersky file didn't appear in your earlier logs. I think it's dormant / unused. We'll nuke it anyway if you want.

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code under the "Paste Instructions for Items to be Moved" area. Do not include the word "Code".
    :files
    C:\Program Files\STK018_V2.01
  • Push the large MoveIt! button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
In your next reply, please include the following:
  • OTMoveIt3's Log

BillyIII

#12 Firubat (Topic Starter)

Posted 06 January 2009 - 07:17 AM

And to be honest, I don't trust Norton as far as I can throw it.
Sorry.. just too many horror stories.

I'd love to hear some of these stories :)

this is the OTMoveIt3 log:


========== FILES ==========
Folder move failed. C:\Program Files\STK018_V2.01 scheduled to be moved on reboot.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01062009_134914

Files moved on Reboot...
C:\Program Files\STK018_V2.01 moved successfully.


The file appeared in the Kaspersky log I posted in the first post, but what the hell... it's gone now, right?

Now, as I said, Norton doesn't let me copy/paste, and I can't copy 115 entries manually, so I put a few examples of each threat. Symantec offers solutions, but some of them can be done only with the purchased program. I put the links. Should I just follow the instructions for the ones that don't require the purchased program?


Threat Name: Tracking cookie
Target Name: Cookie:owner@pro-market.net
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@ehg-eset.hitbox.com
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@imrworldwide.com/cgi-bin
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@bs.serving-sys.com
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@ccbill.com
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@atdmt.com
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@msnportal.112.2o7.net
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@hitbox.com
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@doubleclick.net
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@ad.yieldmanager.com
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@serving-sys.com
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@pro-market.net
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@
Target Type: cookie

Threat Name: Tracking cookie
Target Name: Cookie:owner@
Target Type: cookie

symantec solution

Threat Name:Adware.NDot.net
Target Name:c:\program files\mozilla firefox\extensions\{af8637b0-18e3-44d3-86b7-55e09d9c4261}\install.rdf
Target Type: file

Threat Name: Adware.ndotNet
Target Name: HKEY_USERS\S-1-5-21-1256799619-2154702590-596957751-1003\Software\Mozilla\Firefox
Target Type: registry

symantec solution

Threat Name:Adware.WebBar
Target Name:HKEY_USERS\S-1-5-21-1256799619-2154702590-596957751-1003\Software\internet explorer\main->Default_Search_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=isearch
Target Type:registry

Threat Name:Adware.WebBar
Target Name:c:\Program files\stk018_v2.01\stk018d.exe
Target Type:file

symantec solution

Threat Name: Adware.Hotbar
Target Name: c:\qoobox\quarantine\c\documents and settings\owner\application data\hbtoos\v3.0\hbtools\static\1\country.exe.vir
Target Type:infection
Threat Name: Adware.Hotbar
Target Name: HKEY_USERS\S-1-5-21-1256799619-2154702590-596957751-1003\System
Target Type: registry

symantec solution

Threat Name:Trojan.Malscript!html
Target Name:c:\qoobox\quarantine\c\documents and settings\owner\application data\hbtoos\v3.0\hbtools\dynamic\tooltipxml\97741.vir
Target Type:infection
symantec solution

Threat Name:W32.Spybot.Worm
Target Name: c:\documents and settings\Owner\local settings\temp\1.reg
Target Type: file

Threat Name:W32.Spybot.Worm
Target Name:c:\ Mygames\rebound infinity\googlestubinst.exe
Target Type:infection

Threat Name:W32.Spybot.Worm
Target Name:HKEY_USERS\S-1-5-21-19\software\microsoft\windows\currentversion\RunServices\->Firewall controls
Target Type:

symantec solution


Hope I'm not driving you mad... :thumbsup:

#13 Billy O'Neal (Malware Response Team)

Posted 06 January 2009 - 08:30 PM

Hello, Firubat

I'd love to hear some of these stories :)

Most of them are similar to "Norton couldn't detect / remove malware XXXX which just shutdown Norton. Now my internet doesn't work. Remove malware. Norton still busted. Internet still busted. Norton uninstall fails because it's busted. Internet still busted. Format." :)

The other one is "Norton detected hundreds of things and deleted them and now everything's broken and the files are gone...."

But by far the most common is:
"My system ran half as fast after installing norton...."

Free and better scanners are available, such as the excellent Avira: http://free-av.com , It's faster, more effective, and free.

The "Tracking Cookies" aren't malware. They can track that browser as it travels from page to page, but many malware tools don't even bother to look for them because they don't personally identify you, and don't contain executable code. They're just text files.

Threat Name:Adware.WebBar
Target Name:HKEY_USERS\S-1-5-21-1256799619-2154702590-596957751-1003\Software\internet explorer\main->Default_Search_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=isearch
Target Type:registry

Note what I highlighted in bold (the microsoft.com URL)? Doesn't look bad to me :thumbsup: Another horror story of Norton....

Threat Name:W32.Spybot.Worm
Target Name:c:\ Mygames\rebound infinity\googlestubinst.exe
Target Type:infection

Threat Name:W32.Spybot.Worm
Target Name:HKEY_USERS\S-1-5-21-19\software\microsoft\windows\currentversion\RunServices\->Firewall controls

I seriously mistrust Norton's judgement here. The runservices key is empty anyway. We can remove the key if you like but I'd leave it alone.
Go ahead and feed the file c:\ Mygames\rebound infinity\googlestubinst.exe into virustotal http://virustotal.com/ if you don't believe me. And if it does come back with stuff, you can simply delete the file manually.


Everything else is already in the quarantines of other tools. Uninstall ComboFix and run the cleanup button inside of OTMI and those should disappear.

BillyIII

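Billy's reply above triages the Norton list by where each hit lives: cookies are inert text, items under C:\Qoobox\Quarantine are already held by ComboFix, a Default_Search_URL pointing at microsoft.com is the stock value, and only the live file on disk warrants a VirusTotal check. The following Python script is an added example, not a tool from the thread: it parses a report in the "Threat Name / Target Name / Target Type" layout Firubat posted and sorts each entry into one of those buckets. The sample report, the placeholder SID S-1-5-21-1, the search.example-hijack.test URL and the trusted-host list are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Folders where other tools (ComboFix, OTMoveIt3) park what they removed; a
# scanner hit here is a leftover in a quarantine, not a live infection.
QUARANTINE_PREFIXES = (
    r"c:\qoobox\quarantine",
    r"c:\_otmoveit\movedfiles",
)
# System Restore snapshots: only cleared by flushing restore points.
RESTORE_POINT_MARKER = r"\system volume information\_restore"

# Browser start/search values that adware hijacks. The stock values point at
# Microsoft, so a hit there is a false positive unless the URL is foreign.
# The trusted-host list is an assumption for this example.
BROWSER_HIJACK_VALUES = {"default_search_url", "start page", "search page"}
TRUSTED_SEARCH_HOSTS = {"www.microsoft.com", "go.microsoft.com", "search.msn.com"}

# Constructed sample report in the three-line shape the thread shows.
SAMPLE_REPORT = """\
Threat Name: Tracking cookie
Target Name: Cookie:owner@doubleclick.net
Target Type: cookie

Threat Name: Adware.WebBar
Target Name: HKEY_USERS\\S-1-5-21-1\\Software\\Internet Explorer\\Main->Default_Search_URL:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=isearch
Target Type: registry

Threat Name: Adware.WebBar
Target Name: HKEY_USERS\\S-1-5-21-1\\Software\\Internet Explorer\\Main->Start Page:http://search.example-hijack.test/?aff=42
Target Type: registry

Threat Name: Adware.Hotbar
Target Name: c:\\qoobox\\quarantine\\c\\program files\\hbtools\\bin\\4.7.0.0\\dbenderc.dll.vir
Target Type: infection

Threat Name: Win32/Adware.Toolbar.Shopper
Target Name: C:\\System Volume Information\\_restore{A4A18B84-A45A-46C3-823B-B21D5BFA8181}\\RP2\\A0000037.exe
Target Type: file

Threat Name: W32.Spybot.Worm
Target Name: c:\\mygames\\rebound infinity\\googlestubinst.exe
Target Type: file
"""

FIELD_RE = re.compile(r"^\s*(Threat Name|Target Name|Target Type)\s*:\s*(.*?)\s*$", re.I)


def parse_report(text):
    """Parse 'Threat Name / Target Name / Target Type' blocks into dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).lower().replace(" ", "_")] = m.group(2)
            continue
        if not line.strip() and current:      # a blank line closes a block
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def classify(entry):
    """Decide what kind of hit this is from the target's location alone."""
    target = entry.get("target_name", "")
    low = target.lower()
    if low.startswith("cookie:"):
        return "cookie"
    if low.startswith("hkey_"):
        value = re.search(r"->([^:]+):(.*)$", target)   # "Key->Value:data"
        if value and value.group(1).strip().lower() in BROWSER_HIJACK_VALUES:
            host = urlparse(value.group(2).strip()).hostname or ""
            return "registry_ok" if host in TRUSTED_SEARCH_HOSTS else "registry_hijack"
        return "registry_review"
    if any(low.startswith(p) for p in QUARANTINE_PREFIXES):
        return "quarantined"
    if RESTORE_POINT_MARKER in low:
        return "restore_point"
    return "live_file"


def triage(text):
    """Group report targets by the action a responder should take."""
    buckets = defaultdict(list)
    for entry in parse_report(text):
        buckets[classify(entry)].append(entry.get("target_name", ""))
    return dict(buckets)


NEXT_STEP = {
    "cookie": "plain text, no code: clear browser cookies, nothing to disinfect",
    "registry_ok": "stock Microsoft value, false positive: leave alone",
    "registry_hijack": "search/start page points off-site: reset the value",
    "registry_review": "inspect the key by hand before deleting",
    "quarantined": "already held by another tool: purge with that tool's cleanup",
    "restore_point": "inside System Restore: flush restore points after cleanup",
    "live_file": "live on disk: hash it and check VirusTotal before deleting",
}

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"[{bucket}] {NEXT_STEP[bucket]}")
        for item in items:
            print("   ", item)
```

The classification is by location only, which is exactly the shortcut Billy takes: it tells you what not to waste time on, not whether the one remaining live file is malicious. That still needs a hash lookup or a second-opinion scan, as the thread does with VirusTotal.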
#14 Firubat (Topic Starter)

Posted 08 January 2009 - 06:38 AM

Thank you so much!
I deleted the file because on VirusTotal 5/39 scanners identified it as malicious...
I hope all the protection will be enough and that I won't have to do all this again!

Firubat

#15 Billy O'Neal (Malware Response Team)

Posted 08 January 2009 - 04:34 PM

Hello, Firubat
You're welcome :thumbsup:

Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII
