Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


codec infection may be a rootkit

  • This topic is locked This topic is locked
30 replies to this topic

#1 alessandrocancian


  • Members
  • 67 posts
  • Local time:02:16 AM

Posted 11 January 2009 - 04:56 PM

Hi there, I was redirected here from the section "Am I infected", hafter trying to solve the following problem. I'm using Vista, and since a couple of days Explorer opens new pages. When I search by the address bar, instead of google a strange url-search.com opens up the page. What can I do to get rid ot that, as I tried with NOD, Adaware, SAS, etc? May the following HJT log be of any help?

Best regards


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22.55.22, on 11/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Quran_AR\Quran_AR.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://libero.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Quran_AR] C:\Program Files\Quran_AR\Quran_AR.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [VoipBuster] "C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
O4 - HKCU\..\Run: [VoipCheapCom] "C:\Program Files\VoipCheapCom\VoipCheapCom.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [qcuyy] "c:\users\oveis\appdata\local\qcuyy.exe" qcuyy
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIZIO DI RETE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: MultiFrame.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resou...NPUpldit-it.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{033E70EF-ABC8-4319-80E8-D13ADC7EDC82}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\..\{033E70EF-ABC8-4319-80E8-D13ADC7EDC82}: NameServer =,
O17 - HKLM\System\CS2\Services\Tcpip\..\{033E70EF-ABC8-4319-80E8-D13ADC7EDC82}: NameServer =,
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

End of file - 10398 bytes

BC AdBot (Login to Remove)


#2 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:16 AM

Posted 19 January 2009 - 02:48 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files before we run OTScanIt. You will likely be logged out of the forum where you are recieving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
  • If you use any other browsers, select them appropriately from the top and empty all items.
Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Click the Extras button under "Additional Scans".
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the OTScanIt log (attached)
-the GMER log (pasted directly into your reply)

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 alessandrocancian

  • Topic Starter

  • Members
  • 67 posts
  • Local time:02:16 AM

Posted 20 January 2009 - 05:25 AM

Many thanks indeed.

I try to perform the scan with OTS, but an error message pops up: Win 32 error, code: 23.

Ma you help?



#4 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:16 AM

Posted 20 January 2009 - 12:01 PM


Let's try OTViewIt then.

Download and Run OTViewIt
  • Please download OTViewIt by OldTimer to your desktop.
  • Double click on the OTViewIt.exe icon on your desktop. If you are using Windows Vista, right click the icon and select Run as Administrator.
  • Check both the Scan All Users and Use Whitelist checkboxes. Set the File Age to 30 days.
  • Click on the Run Scan button. Two reports that are located in the same location as OTViewIt will open.OTViewIt.txt <-- Will be opened
    Extra.txt <-- Will be minimized. A new Extra.txt will not be created if one exists already.
Copy and Paste the logs into your next reply.

With Regards,
The Panda

#5 alessandrocancian

  • Topic Starter

  • Members
  • 67 posts
  • Local time:02:16 AM

Posted 22 January 2009 - 03:49 AM

Many thanks again,
this also gives the same problem and cannot perform the scan!



#6 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:16 AM

Posted 22 January 2009 - 03:37 PM

Hello Alessandro.

Let's try DDS.

Download and Run DDS
Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Also run GMER.

With Regards,
The Panda

#7 alessandrocancian

  • Topic Starter

  • Members
  • 67 posts
  • Local time:02:16 AM

Posted 22 January 2009 - 03:53 PM

Thanks Panda,
here the relevant dds logs, but can't even open gmer...


DDS (Ver_09-01-19.01) - NTFSx86
Run by Oveis at 21.42.16,15 on 22/01/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.39.1040.18.1007.111 [GMT 1:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\PowerForPhone\PowerForPhone\PowerForPhone.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Quran_AR\Quran_AR.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ASUS\Asus MultiFrame\MultiFrame.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://libero.it/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [VoipBuster] "c:\program files\voipbuster.com\voipbuster\VoipBuster.exe" -nosplash -minimized
uRun: [VoipCheapCom] "c:\program files\voipcheapcom\VoipCheapCom.exe" -nosplash -minimized
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ATnotes.exe] c:\program files\atnotes\ATnotes.exe
uRun: [mwkseuu] "c:\users\oveis\appdata\local\mwkseuu.exe" mwkseuu
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [PowerForPhone] c:\program files\powerforphone\powerforphone\PowerForPhone.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Quran_AR] c:\program files\quran_ar\Quran_AR.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Athan] c:\program files\athan\Athan.exe
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Nitro PDF Printer Monitor] "c:\program files\nitro pdf\professional\NitroPDFPrinterMonitor.exe"
StartupFolder: c:\users\oveis\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenote 2007 screen clipper and launcher.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\google~1.lnk - c:\program files\google\google updater\GoogleUpdater.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\multif~1.lnk - c:\program files\asus\asus multiframe\MultiFrame.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: dialoguefoundation.org
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/pr02/resources/VistaMSNPUpldit-it.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {033E70EF-ABC8-4319-80E8-D13ADC7EDC82} =,
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-7-18 15424]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 WCPU;WCPU;c:\program files\p4g\WCPU.sys [2007-2-13 11120]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\common files\bcl technologies\nitropdf5\bepldr.exe [2008-2-11 151552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]

=============== Created Last 30 ================

2009-01-20 10:07 <DIR> --d----- c:\users\oveis\OTScanIt2
2009-01-14 07:43 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-11 22:50 <DIR> --d----- c:\program files\Trend Micro
2009-01-11 11:04 <DIR> --d----- c:\users\oveis\appdata\roaming\SUPERAntiSpyware.com
2009-01-09 07:08 <DIR> --d----- c:\users\oveis\appdata\roaming\Malwarebytes
2009-01-09 07:08 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-09 07:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-09 07:08 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-09 07:08 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-09 07:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-08 22:48 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-01-08 22:48 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-01-08 22:46 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-08 13:01 <DIR> --d----- c:\program files\Bonjour
2009-01-08 13:00 <DIR> --d----- c:\programdata\Apple

==================== Find3M ====================

2009-01-22 09:05 45,056 a------- c:\windows\system32\acovcnt.exe
2009-01-21 13:06 662,846 a------- c:\windows\system32\perfh010.dat
2009-01-21 13:06 120,326 a------- c:\windows\system32\perfc010.dat
2008-12-01 15:11 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-20 16:02 86,016 a------- c:\windows\inf\infstor.dat
2008-11-20 16:02 51,200 a------- c:\windows\inf\infpub.dat
2008-11-20 16:02 86,016 a------- c:\windows\inf\infstrng.dat
2008-11-09 09:51 56 a---h--- c:\programdata\ezsidmv.dat
2008-11-09 09:51 56 a---h--- c:\progra~2\ezsidmv.dat
2008-11-01 04:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 04:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 04:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 04:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 04:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-11-01 04:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-11-01 02:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 07:29 2,927,104 a------- c:\windows\explorer.exe
2008-07-06 18:47 174 a--sh--- c:\program files\desktop.ini
2008-07-06 18:33 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-04 23:06 32 a------- c:\programdata\ezsid.dat
2008-03-04 23:06 32 a------- c:\progra~2\ezsid.dat
2007-08-09 18:19 0 a------- c:\program files\Global.sw
2007-01-10 20:01 331,172 a------- c:\windows\inf\perflib\0410\perfi.dat
2007-01-10 20:01 331,172 a------- c:\windows\inf\perflib\0410\perfh.dat
2007-01-10 20:01 36,614 a------- c:\windows\inf\perflib\0410\perfd.dat
2007-01-10 20:01 36,614 a------- c:\windows\inf\perflib\0410\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
1999-04-24 07:22 68,871 a--shr-- c:\windows\configsetroot\DRVSPACE.BIN
1999-04-24 07:22 222,390 a--shr-- c:\windows\configsetroot\IO.SYS
1999-05-06 07:22 1,026 a--shr-- c:\windows\configsetroot\MSDOS.SYS
2000-06-21 21:22 0 a--sh--- c:\windows\configsetroot\dos\EBD.SYS

============= FINISH: 21.43.52,52 ===============

Attached Files

#8 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:16 AM

Posted 22 January 2009 - 04:05 PM

Hello alessandrocancian.

There is definately an infection. It seems to be stopping our tools from running properly.

Let's see if ComboFix will work.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable ESET (NOD32):
Look beside your clock for this icon Posted Image, click it and select [img=http://i94.photobucket.com/albums/l84/SillyGerman/BleepingComputer/nod32_quit.png[/img]. Say OK when prompted.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3

When asked, select Save as. Choose to save it as "ComboFixCF.exe"
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Also try running GMER again. If still no go, rename to GMER123.exe.

With Regards,
The Panda

#9 alessandrocancian

  • Topic Starter

  • Members
  • 67 posts
  • Local time:02:16 AM

Posted 22 January 2009 - 04:13 PM

Many thanks,
it's night here, I will be doing it all tomorrow and come back to you with the results.



#10 alessandrocancian

  • Topic Starter

  • Members
  • 67 posts
  • Local time:02:16 AM

Posted 23 January 2009 - 03:35 AM

Dear Panda,
I did it. Attached please find the .txt files I found in the ComboFix folder in C:


Edited by PropagandaPanda, 23 January 2009 - 05:21 PM.

#11 alessandrocancian

  • Topic Starter

  • Members
  • 67 posts
  • Local time:02:16 AM

Posted 23 January 2009 - 03:38 AM

....and gmer doesn't work even renamed


#12 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:16 AM

Posted 23 January 2009 - 11:59 AM

Hello Alessandro.

Looks like ComboFix didn't finish its run.

Please tell me how far it got. Did it install the Recovery Console?

Let's try something else.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Download The Avenger and Run Script
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Right click and extract avenger.exe to your desktop If it does not open, rename to Avenger123.exe
  • Start the Avenger by clicking on its icon on your desktop.
  • Copy all the text contained in the qoute box below to your Clipboard by highlighting it, right clicking and selecting Copy:
    Drivers to disable:
  • Click Posted Image to paste the script from the clipboard.
  • Check the "Disable Rootkit automatically when found box".
  • Click the Execute button
  • Answer Yes twice when prompted.
The process is completely automatic. Do not touch your computer until a log file opens.

The Avenger will do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", the Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt (considering your operating drive is C:). Post back with it in your next reply.

Try running ComboFix again after.

With Regards,
The Panda

#13 alessandrocancian

  • Topic Starter

  • Members
  • 67 posts
  • Local time:02:16 AM

Posted 23 January 2009 - 04:11 PM

Thank you again Panda,
here the avenger's log:

Avenger Pre-Processor log

Platform: Windows NT 6.0 (build 6001, Service Pack 1)
Fri Jan 23 22:02:28 2009

22:02:28: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


Logfile of The Avenger Version 2.0, © by Swandog46

Platform: Windows Vista


Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: could not open driver "tdssserv"
Disablement of driver "tdssserv" failed!
--> the object does not exist

Error: could not open driver "tdssserv.sys"
Disablement of driver "tdssserv.sys" failed!
--> the object does not exist

Completed script processing.


Finished! Terminate.

#14 alessandrocancian

  • Topic Starter

  • Members
  • 67 posts
  • Local time:02:16 AM

Posted 23 January 2009 - 04:31 PM

...and here the ComboFix Log...

ComboFix 09-01-21.04 - Oveis 2009-01-23 22:14:25.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1040.18.1007.288 [GMT 1:00]
Eseguito da: c:\users\Oveis\Desktop\ComboFixCF.exe
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated)

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Creati Da 2008-12-23 al 2009-01-23 )))))))))))))))))))))))))))))))))))

2009-01-23 21:31 . 2009-01-23 21:32 <DIR> d-------- c:\program files\ERUNT
2009-01-20 10:07 . 2009-01-20 10:07 <DIR> d-------- c:\users\Oveis\OTScanIt2
2009-01-14 07:43 . 2008-12-16 03:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-11 22:50 . 2009-01-11 22:50 <DIR> d-------- c:\program files\Trend Micro
2009-01-11 11:04 . 2009-01-11 11:04 <DIR> d-------- c:\users\Oveis\AppData\Roaming\SUPERAntiSpyware.com
2009-01-09 07:08 . 2009-01-09 07:08 <DIR> d-------- c:\users\Oveis\AppData\Roaming\Malwarebytes
2009-01-09 07:08 . 2009-01-09 07:08 <DIR> d-------- c:\programdata\Malwarebytes
2009-01-09 07:08 . 2009-01-09 07:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-09 07:08 . 2009-01-04 18:41 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-09 07:08 . 2009-01-04 18:41 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-08 22:48 . 2009-01-08 22:48 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-01-08 22:46 . 2009-01-11 11:04 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-08 13:03 . 2009-01-08 13:03 <DIR> d-------- c:\users\Oveis\AppData\Roaming\Apple Computer
2009-01-08 13:02 . 2009-01-08 13:03 <DIR> d-------- c:\program files\Safari
2009-01-08 13:01 . 2009-01-08 13:01 <DIR> d-------- c:\program files\Bonjour
2009-01-08 13:00 . 2009-01-08 13:00 <DIR> d-------- c:\programdata\Apple
2009-01-08 13:00 . 2009-01-08 13:00 <DIR> d-------- c:\program files\Apple Software Update

(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
2009-01-23 20:24 --------- d-----w c:\users\Oveis\AppData\Roaming\Skype
2009-01-23 15:07 --------- d-----w c:\users\Oveis\AppData\Roaming\skypePM
2009-01-23 13:08 --------- d-----w c:\programdata\Google Updater
2009-01-15 06:57 --------- d-----w c:\programdata\Microsoft Help
2009-01-15 06:57 --------- d-----w c:\program files\Windows Mail
2009-01-13 10:27 --------- d-----w c:\program files\Google
2009-01-11 10:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-07 16:16 --------- d-----w c:\program files\Eset
2009-01-04 20:29 --------- d-----w c:\program files\eMule
2008-12-03 19:52 --------- d-----w c:\users\Oveis\AppData\Roaming\dvdcss
2008-12-01 14:11 410,976 ----a-w c:\windows\System32\deploytk.dll
2008-12-01 14:10 --------- d-----w c:\program files\Java
2008-11-24 17:23 --------- d-----w c:\users\Oveis\AppData\Roaming\Nitro PDF
2008-11-24 17:21 --------- d-----w c:\programdata\Nitro PDF
2008-11-24 17:21 --------- d-----w c:\program files\Nitro PDF
2008-11-24 17:21 --------- d-----w c:\program files\Common Files\Nitro PDF
2008-11-24 17:21 --------- d-----w c:\program files\Common Files\BCL Technologies
2008-11-24 17:06 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-24 17:06 --------- d-----w c:\program files\Global Graphics
2008-11-24 16:59 --------- d-----w c:\program files\Foxit Software
2008-11-24 16:55 --------- d-----w c:\users\Oveis\AppData\Roaming\Investintech
2008-11-24 16:52 --------- d-----w c:\program files\Investintech.com Inc
2008-11-24 16:43 --------- d-----w c:\program files\MicroAdobe
2008-11-24 10:36 --------- d-----w c:\program files\Yahoo!
2008-11-24 09:38 --------- d-----w c:\programdata\Lavasoft
2008-11-24 09:31 --------- d-----w c:\program files\Lavasoft
2008-11-24 09:23 --------- d-----w c:\programdata\WindowsSearch
2008-11-24 09:18 --------- d-----w c:\users\Oveis\AppData\Roaming\Yahoo!
2008-11-24 09:18 --------- d-----w c:\program files\IObit
2008-11-24 08:56 --------- d-----w c:\program files\Calendarscope
2008-11-09 08:51 56 ---ha-w c:\programdata\ezsidmv.dat
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-07-06 17:47 174 --sha-w c:\program files\desktop.ini
2008-03-04 22:06 32 ----a-w c:\programdata\ezsid.dat
2007-08-09 17:19 0 ----a-w c:\program files\Global.sw

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-22 68856]
"ATnotes.exe"="c:\program files\ATnotes\ATnotes.exe" [2005-01-05 1015808]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 729088]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-22 815104]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"PowerForPhone"="c:\program files\PowerForPhone\PowerForPhone\PowerForPhone.exe" [2006-09-08 778240]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-07-18 950664]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]
"Quran_AR"="c:\program files\Quran_AR\Quran_AR.exe" [2007-10-05 327680]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-30 185896]
"Athan"="c:\program files\Athan\Athan.exe" [2005-09-12 937984]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-11-02 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-03-26 210208]

c:\users\Oveis\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-09 113664]
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2007-11-06 118784]
Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2008-03-22 125624]
MultiFrame.lnk - c:\program files\ASUS\Asus MultiFrame\MultiFrame.exe [2007-02-13 991600]

"EnableUIADesktopToggle"= 0 (0x0)

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"TCP Query User{40A7FA4C-DBC6-4F41-BAC5-361464559369}c:\\users\\oveis\\appdata\\local\\temp\\mmbplayer\\pdf_edit.exe"= UDP:c:\users\oveis\appdata\local\temp\mmbplayer\pdf_edit.exe:pdf_edit.exe
"UDP Query User{3143F818-0B01-4EA8-A4AB-B2A3CDAF0649}c:\\users\\oveis\\appdata\\local\\temp\\mmbplayer\\pdf_edit.exe"= TCP:c:\users\oveis\appdata\local\temp\mmbplayer\pdf_edit.exe:pdf_edit.exe
"TCP Query User{F2316E94-B997-470D-9882-336E77008B07}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule
"UDP Query User{8F66C3BC-05DA-4063-871D-C2D10BACB2FB}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule
"{A7072E93-9808-440E-BD02-2A5A516457EC}"= UDP:c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:VoipBuster
"{C5937B96-837B-4DCA-9F56-0F0E7D0D3A56}"= TCP:c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe:VoipBuster
"{F241E3CC-BB0B-43D4-B731-F4F57ADBC800}"= UDP:c:\program files\VoipCheapCom\VoipCheapCom.exe:VoipCheapCom
"{662895F1-B03D-4ED7-8C87-32F5112F1F9B}"= TCP:c:\program files\VoipCheapCom\VoipCheapCom.exe:VoipCheapCom
"TCP Query User{05DCCF39-384E-4EDF-A37E-521A254B2DCA}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{E0ECB319-BF1F-49FD-A251-764AB1EF84B9}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{F1E68A3D-5D38-47D9-9BAC-E27AAF179DEA}c:\\program files\\sjphone 1.65\\sjphone.exe"= UDP:c:\program files\sjphone 1.65\sjphone.exe:SJphone 1.65
"UDP Query User{AAE5B128-61AC-41E5-B456-B2D1EEFF1D0F}c:\\program files\\sjphone 1.65\\sjphone.exe"= TCP:c:\program files\sjphone 1.65\sjphone.exe:SJphone 1.65
"{88902603-262D-4DE4-A29A-F5E336563DA4}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{6098C44C-3450-4C14-9F10-93DBE8B82834}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B9F274EB-4157-422C-8940-413A04C3BE5C}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{82292B22-2CDC-42D9-A47F-E845CC28C45D}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{4945B453-F372-4567-87A0-77F034640595}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F6EC3579-D583-4D02-8FC4-AF4EBC836769}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3B0F530C-F2AF-4927-8621-79F814518C28}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{26AEFD1E-BDB3-4D2C-9779-7DA4A95D985D}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

R1 nod32drv;nod32drv;c:\windows\System32\drivers\nod32drv.sys [2007-07-18 15424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 WCPU;WCPU;c:\program files\P4G\WCPU.sys [2007-02-13 11120]
S3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe [2008-02-11 151552]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
Contenuto della cartella 'Scheduled Tasks'

2009-01-23 c:\windows\Tasks\User_Feed_Synchronization-{EF2A117E-7CAB-4CC2-9FBA-42E2F546FA55}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 08:33]

HKCU-Run-VoipBuster - c:\program files\VoipBuster.com\VoipBuster\VoipBuster.exe
HKCU-Run-VoipCheapCom - c:\program files\VoipCheapCom\VoipCheapCom.exe
HKCU-Run-mwkseuu - c:\users\oveis\appdata\local\mwkseuu.exe

------- Scansione supplementare -------
uStart Page = hxxp://libero.it/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
Trusted Zone: dialoguefoundation.org
TCP: {033E70EF-ABC8-4319-80E8-D13ADC7EDC82} =,


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 22:20:24
Windows 6.0.6001 Service Pack 1 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

Ora fine scansione: 2009-01-23 22:23:11
ComboFix-quarantined-files.txt 2009-01-23 21:23:08

Pre-Run: 15,315,296,256 byte disponibili
Post-Run: 16,017,633,280 byte disponibili

188 --- E O F --- 2009-01-23 06:23:48

#15 PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:16 AM

Posted 23 January 2009 - 05:22 PM


I think there still may be a rootkit hidding around.

Can you run GMER now?

If not, try Avira antirootkit.

Download and Run Avira AntiRootkit
Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Destop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop. Right click it and select Extract All. Delete the .zip file after extraction.
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe, then Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish You may now also delete the folder with the extracted files from the zip archive).
You successfully installed Avira AntiRootkit
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run. Be patient and the scan finishes.
  • Click View report and copy the entire contents into your next reply.
Do not choose to rename any items found yet. There may be false positives.

With Regards,
The Panda

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users