I think it's a Bagle worm


This topic is locked
13 replies to this topic

#1 udi

  • Members
  • 7 posts

Posted 30 March 2009 - 09:08 AM

Hi guys,
I was stupid enough to double-click on an exe file I downloaded via eMule.
At the start it disabled my antivirus and I couldn't run CCleaner and other programs; the error message was
something like "the application is not a valid Win32 program". Every time I tried to scan the computer online I got a blue screen.
I reinstalled an antivirus and ran some anti-malware programs in safe mode; the blue screen stopped, but the computer is still infected. One of the startup items is "drvsyskit", which is associated with Bagle!!!
I do not know how to clean the worm.
Thanks in advance.


DDS (Ver_09-03-16.01) - NTFSx86
Run by udi at 16:47:11.10 on Mon 03/30/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3326.1811 [GMT 3:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated)
FW: ESET Personal firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\conime.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\udi\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = proxy.netvision.net.il:8080
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {54B02808-B60E-44CD-A72D-9865117E4E62} - No File
BHO: AGFormHelperObj Class: {6620e618-1ab9-4eb2-aca4-cbbe9066dbe6} - c:\program files\agat\agform\AGFormsHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AGForms: {ed2e7de7-07db-4941-a06d-f780b93ba730} - c:\program files\agat\agform\AGForms.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AsioReg] REGSVR32 /S CTASIO.DLL
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - hxxp://www.mrw.interscience.wiley.com/wfplayer/tdserver.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.ims.tau.ac.il/Inc/ScriptX.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-6-10 468224]
S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2007-5-1 132232]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-03-29 15:33 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-03-20 13:15 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-20 13:15 268,288 a------- c:\windows\system32\schannel.dll
2009-03-20 13:14 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-20 13:14 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-20 13:14 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-20 13:14 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-20 13:12 428,544 a------- c:\windows\system32\EncDec.dll
2009-03-20 13:12 217,088 a------- c:\windows\system32\psisrndr.ax
2009-03-20 13:12 293,376 a------- c:\windows\system32\psisdecd.dll
2009-03-20 13:12 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-03-20 13:12 80,896 a------- c:\windows\system32\MSNP.ax
2009-03-15 22:01 158 a------- c:\windows\matlab.ini
2009-03-15 22:00 <DIR> --d----- c:\users\udi\appdata\roaming\MathWorks
2009-03-15 21:53 203,976 a------- c:\windows\system32\RICHTX32.OCX
2009-03-15 21:53 407,104 a------- c:\windows\system32\MSHFLXGD.OCX
2009-03-15 21:53 647,872 a------- c:\windows\system32\mscomct2.ocx
2009-03-15 21:53 2,362 a------- c:\windows\system32\mscomct2.dep
2009-03-15 21:53 645,120 a------- c:\windows\system32\config.gms
2009-03-15 21:40 <DIR> --d----- c:\program files\MATLAB
2009-03-13 19:20 <DIR> --d----- c:\program files\Perl Express
2009-03-13 19:17 <DIR> --d----- C:\Perl
2009-03-01 14:41 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-03-01 14:41 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-01 14:41 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-03-01 01:02 510 a------- c:\windows\WORDPAD.INI

==================== Find3M ====================

2009-03-25 20:50 361,798 a------- c:\windows\system32\perfh00D.dat
2009-03-25 20:50 69,332 a------- c:\windows\system32\perfc00D.dat
2009-03-13 19:20 724,992 a------- c:\windows\iun6002.exe
2009-02-27 19:12 143,360 a------- c:\windows\inf\infstrng.dat
2009-02-27 19:12 86,016 a------- c:\windows\inf\infstor.dat
2009-02-27 19:12 51,200 a------- c:\windows\inf\infpub.dat
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-02 16:37 176,598 a------- c:\windows\hpwins19.dat
2009-01-16 18:02 319,456 a------- c:\windows\DIFxAPI.dll
2009-01-15 16:55 16,608 a------- c:\windows\gdrv.sys
2009-01-15 09:11 827,392 a------- c:\windows\system32\wininet.dll
2009-01-15 03:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-06 20:29 965,664 a------- c:\windows\system32\RtkPgExt.dll
2009-01-06 20:29 44,064 a------- c:\windows\system32\RtkCoInst.dll
2009-01-06 20:29 322,080 a------- c:\windows\system32\RtkApoApi.dll
2009-01-06 20:29 2,510,368 a------- c:\windows\system32\RtkAPO.dll
2008-07-14 00:14 225,844 a------- c:\windows\inf\perflib\040d\perfi.dat
2008-07-14 00:14 225,844 a------- c:\windows\inf\perflib\040d\perfh.dat
2008-07-14 00:14 31,198 a------- c:\windows\inf\perflib\040d\perfd.dat
2008-07-14 00:14 31,198 a------- c:\windows\inf\perflib\040d\perfc.dat
2008-07-03 13:24 174 a------- c:\program files\desktop.ini
2008-07-03 13:16 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 15:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 15:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 16:48:29.37 ===============
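The helpers in this thread read the DDS "Pseudo HJT Report" by eye. As an added example (not DDS, GMER or any BleepingComputer tool), this Python script parses the `=== Section ===` headers of a DDS log and flags the entries a reviewer would pause on in a report like the one above: an unnamed Run value, a BHO whose DLL is gone, a startup name matching the "drvsyskit" item the poster mentioned, a Run command with no explicit path, a configured browser proxy, and `EnableLUA = 0`. The sample log, the `drvsyskit` path and the `WATCHLIST` are constructed for this example and are not from the posted logs.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread: not DDS, GMER or any BleepingComputer tool,
just a small reader for the log format posted above. SAMPLE_DDS is a
constructed excerpt in the same shape as the posted report; the 'drvsyskit'
entry and its path are hypothetical (the poster named that startup item),
and WATCHLIST is an assumption of this example.
"""
import re
from dataclasses import dataclass

# Constructed sample (not a real machine). Raw string so backslashes survive.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = proxy.example.invalid:8080
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {54B02808-B60E-44CD-A72D-9865117E4E62} - No File
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [<NO NAME>]
mRun: [AsioReg] REGSVR32 /S CTASIO.DLL
mRun: [drvsyskit] c:\windows\system32\drivers\drvsyskit.exe
mPolicies-system: EnableLUA = 0 (0x0)

============= SERVICES / DRIVERS ===============

R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-6-10 468224]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: .*?\{[0-9A-Fa-f-]{36}\}\s*-\s*(?P<path>.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")

# Startup names the thread ties to the suspected infection (assumption).
WATCHLIST = {"drvsyskit"}
# Commands starting this way name an explicit location; anything else is
# resolved through the search path, which deserves a second look.
EXPLICIT_PATH_PREFIXES = ('"', "%", "c:\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium", "low" or "info"
    entry: str     # the DDS line that triggered the finding
    reason: str


def parse_sections(text: str) -> dict[str, list[str]]:
    """Split a DDS log into its '=== Name ===' sections, dropping blank lines."""
    sections: dict[str, list[str]] = {}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage_hjt(lines: list[str]) -> list[Finding]:
    """Flag the Pseudo HJT Report entries a reviewer would stop on."""
    findings: list[Finding] = []
    for line in lines:
        run = RUN_RE.match(line)
        if run:
            name, cmd = run.group("name"), run.group("cmd").strip()
            if name == "<NO NAME>":
                findings.append(Finding("medium", line,
                    "Run value with no name; installers normally name their entries"))
            elif name.lower() in WATCHLIST:
                findings.append(Finding("high", line,
                    f"startup item '{name}' is on the watchlist for this case"))
            elif cmd and not cmd.lower().startswith(EXPLICIT_PATH_PREFIXES):
                findings.append(Finding("info", line,
                    "Run command has no explicit path and resolves via the search path"))
            continue
        bho = BHO_RE.match(line)
        if bho:
            if bho.group("path").strip().lower() == "no file":
                findings.append(Finding("low", line,
                    "BHO CLSID is registered but its DLL is gone (orphaned entry)"))
            continue
        policy = POLICY_RE.match(line)
        if policy and policy.group("key") == "EnableLUA" and policy.group("val") == "0":
            findings.append(Finding("high", line,
                "UAC is disabled (EnableLUA = 0): administrators run fully elevated with no prompt"))
            continue
        if line.startswith("uInternet Settings,ProxyServer"):
            findings.append(Finding("info", line,
                "browser proxy is set; confirm it belongs to the user or ISP and was not injected"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, in a fixed order so output is stable."""
    counts = {sev: 0 for sev in ("high", "medium", "low", "info")}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    report = parse_sections(SAMPLE_DDS).get("Pseudo HJT Report", [])
    results = triage_hjt(report)
    for f in results:
        print(f"[{f.severity:6}] {f.entry}\n         {f.reason}")
    print(summarize(results))
```

On a real DDS log, paste the whole file into `parse_sections` and run `triage_hjt` on the "Pseudo HJT Report" section; a clean entry such as the quoted `egui` Run line above produces no finding.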

#2 Orange Blossom

  • Bleepin Investigator
  • Moderator
  • 36,807 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 07 April 2009 - 10:05 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom

#3 udi

  • Topic Starter
  • Members
  • 7 posts

Posted 08 April 2009 - 03:05 AM

Thanks a lot.
The problem is the same as before.

"I was stupid enough to double-click on an exe file I downloaded via eMule.
At the start it disabled my antivirus and I couldn't run CCleaner and other programs; the error message was
something like "the application is not a valid Win32 program". Every time I tried to scan the computer online I got a blue screen.
I reinstalled an antivirus and ran some anti-malware programs in safe mode; the blue screen stopped, but the computer is still infected. One of the startup items is "drvsyskit", which is associated with Bagle!!!
I do not know how to clean the worm."


DDS (Ver_09-03-16.01) - NTFSx86
Run by udi at 10:59:58.33 on Wed 04/08/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3326.1852 [GMT 3:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Outdated)
FW: ESET Personal firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\conime.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Users\udi\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = proxy.netvision.net.il:8080
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {54B02808-B60E-44CD-A72D-9865117E4E62} - No File
BHO: AGFormHelperObj Class: {6620e618-1ab9-4eb2-aca4-cbbe9066dbe6} - c:\program files\agat\agform\AGFormsHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AGForms: {ed2e7de7-07db-4941-a06d-f780b93ba730} - c:\program files\agat\agform\AGForms.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AsioReg] REGSVR32 /S CTASIO.DLL
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - hxxp://www.mrw.interscience.wiley.com/wfplayer/tdserver.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.ims.tau.ac.il/Inc/ScriptX.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-6-10 468224]
S3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2007-5-1 132232]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-04-07 10:24 <DIR> --d----- c:\program files\Activision
2009-04-07 10:18 <DIR> --dsh--- c:\windows\ftpcache
2009-04-06 21:43 <DIR> --d----- c:\program files\Bethesda Softworks
2009-04-06 21:43 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2009-04-06 21:43 507,400 a------- c:\windows\system32\XAudio2_1.dll
2009-04-06 21:43 467,984 a------- c:\windows\system32\d3dx10_38.dll
2009-04-06 21:43 238,088 a------- c:\windows\system32\xactengine3_1.dll
2009-04-06 21:43 65,032 a------- c:\windows\system32\XAPOFX1_0.dll
2009-04-06 21:43 25,608 a------- c:\windows\system32\X3DAudio1_4.dll
2009-04-06 21:43 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-04-06 21:41 <DIR> --d----- c:\windows\system32\xlive
2009-03-29 15:33 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-03-20 13:15 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-20 13:15 268,288 a------- c:\windows\system32\schannel.dll
2009-03-20 13:14 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-20 13:14 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-20 13:14 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-20 13:14 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-20 13:12 428,544 a------- c:\windows\system32\EncDec.dll
2009-03-20 13:12 217,088 a------- c:\windows\system32\psisrndr.ax
2009-03-20 13:12 293,376 a------- c:\windows\system32\psisdecd.dll
2009-03-20 13:12 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-03-20 13:12 80,896 a------- c:\windows\system32\MSNP.ax
2009-03-15 22:01 158 a------- c:\windows\matlab.ini
2009-03-15 22:00 <DIR> --d----- c:\users\udi\appdata\roaming\MathWorks
2009-03-15 21:53 203,976 a------- c:\windows\system32\RICHTX32.OCX
2009-03-15 21:53 407,104 a------- c:\windows\system32\MSHFLXGD.OCX
2009-03-15 21:53 647,872 a------- c:\windows\system32\mscomct2.ocx
2009-03-15 21:53 2,362 a------- c:\windows\system32\mscomct2.dep
2009-03-15 21:53 645,120 a------- c:\windows\system32\config.gms
2009-03-15 21:40 <DIR> --d----- c:\program files\MATLAB
2009-03-13 19:20 <DIR> --d----- c:\program files\Perl Express
2009-03-13 19:17 <DIR> --d----- C:\Perl

==================== Find3M ====================

2009-04-06 21:43 361,798 a------- c:\windows\system32\perfh00D.dat
2009-04-06 21:43 69,332 a------- c:\windows\system32\perfc00D.dat
2009-03-13 19:20 724,992 a------- c:\windows\iun6002.exe
2009-02-27 19:12 143,360 a------- c:\windows\inf\infstrng.dat
2009-02-27 19:12 86,016 a------- c:\windows\inf\infstor.dat
2009-02-27 19:12 51,200 a------- c:\windows\inf\infpub.dat
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-02 16:37 176,598 a------- c:\windows\hpwins19.dat
2009-01-16 18:02 319,456 a------- c:\windows\DIFxAPI.dll
2009-01-15 16:55 16,608 a------- c:\windows\gdrv.sys
2009-01-15 09:11 827,392 a------- c:\windows\system32\wininet.dll
2009-01-15 03:30 410,984 a------- c:\windows\system32\deploytk.dll
2008-07-14 00:14 225,844 a------- c:\windows\inf\perflib\040d\perfi.dat
2008-07-14 00:14 225,844 a------- c:\windows\inf\perflib\040d\perfh.dat
2008-07-14 00:14 31,198 a------- c:\windows\inf\perflib\040d\perfd.dat
2008-07-14 00:14 31,198 a------- c:\windows\inf\perflib\040d\perfc.dat
2008-07-03 13:24 174 a------- c:\program files\desktop.ini
2008-07-03 13:16 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 15:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 15:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 12:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 12:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 11:01:15.86 ===============

#4 Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 09 April 2009 - 06:47 AM

Hello, udi

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Seems rootkit related. Let's try this:

Gmer

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 udi

Posted 10 April 2009 - 10:04 AM

Hi Jat,
Thanks for the help!!!

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-10 17:56:24
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

INT 0x52 ? 86D4BBF8
INT 0x52 ? 86D4BBF8
INT 0x52 ? 86D4BBF8
INT 0x52 ? 86D4BBF8
INT 0x62 ? 86D4BBF8
INT 0x72 ? 85BCBBF8
INT 0x82 ? 85BCBBF8
INT 0x92 ? 85BCBBF8
INT 0x92 ? 85BCBBF8
INT 0x92 ? 85BCABF8
INT 0x92 ? 86D4BBF8
INT 0x92 ? 85BCBBF8
INT 0xA2 ? 86D4BBF8
INT 0xA2 ? 86D4BBF8
INT 0xB3 ? 86D4BBF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spne.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8B17346F 5 Bytes JMP 86D4B1D8
.text a9z6ow3o.SYS 82F9B000 22 Bytes [26, 22, 5C, 82, 10, 21, 5C, ...]
.text a9z6ow3o.SYS 82F9B017 159 Bytes [00, 32, 47, 79, 80, 3D, 45, ...]
.text a9z6ow3o.SYS 82F9B0B7 22 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a9z6ow3o.SYS 82F9B0CE 80 Bytes [00, 00, 26, 00, 00, 00, E0, ...]
.text a9z6ow3o.SYS 82F9B11F 194 Bytes [7E, 38, 40, 39, 82, 3B, C4, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1308] kernel32.dll!SetUnhandledExceptionFilter 765F6E2D 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8068B6D2] \SystemRoot\System32\Drivers\spne.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8068B040] \SystemRoot\System32\Drivers\spne.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8068B7FC] \SystemRoot\System32\Drivers\spne.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8068B0BE] \SystemRoot\System32\Drivers\spne.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8068B13C] \SystemRoot\System32\Drivers\spne.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8069B048] \SystemRoot\System32\Drivers\spne.sys
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortNotification] F73BFF33
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortWritePortUchar] B85F0B75
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortWritePortUlong] FFFFFFFE
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 08C25D5E
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 5D8B5300
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortGetScatterGatherList] 74DF3B0C
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortReadPortUchar] 01FB8311
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortStallExecution] 5F5B0C74
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortGetParentBusType] FFFFFEB8
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortRequestCallback] C25D5EFF
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 7E390008
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortGetUnCachedExtension] C7077524
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortCompleteRequest] 91642446
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortMoveMemory] 7E3982FA
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] C7077528
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 91902846
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 468B82FA
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortReadPortUshort] 244E8B2C
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7468016A
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortInitialize] 500000FA
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortGetDeviceBase] C73BD1FF
IAT \SystemRoot\System32\Drivers\a9z6ow3o.SYS[ataport.SYS!AtaPortDeviceStateChange] 5F5B0C75

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [746C7BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [747098C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [746CD3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [746BF527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746C7599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [746BE43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [746FB33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [746CD68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [746C012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [746C0095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746B71F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7474D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [746E75E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [746BDAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [746B668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746B66BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[512] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [746C1E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85BD11F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\volmgr \Device\VolMgrControl 85BCD1F8
Device \Driver\usbuhci \Device\USBPDO-0 86B621F8
Device \Driver\usbuhci \Device\USBPDO-1 86B621F8
Device \Driver\sptd \Device\1306901333 spne.sys
Device \Driver\usbuhci \Device\USBPDO-2 86B621F8
Device \Driver\netbt \Device\NetBT_Tcpip_{36ADC187-276C-45CE-9E25-7D15191DDA0B} 87149500
Device \Driver\usbehci \Device\USBPDO-3 86AE41F8
Device \Driver\usbuhci \Device\USBPDO-4 86B621F8

AttachedDevice \Driver\tdx \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Driver\usbuhci \Device\USBPDO-5 86B621F8
Device \Driver\usbuhci \Device\USBPDO-6 86B621F8
Device \Driver\volmgr \Device\HarddiskVolume1 85BCD1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\usbehci \Device\USBPDO-7 86AE41F8
Device \Driver\PCI_PNP1323 \Device\00000058 spne.sys
Device \Driver\volmgr \Device\HarddiskVolume2 85BCD1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 86AD91F8
Device \Driver\atapi \Device\Ide\IdePort0 85BCF1F8
Device \Driver\atapi \Device\Ide\IdePort1 85BCF1F8
Device \Driver\atapi \Device\Ide\IdePort2 85BCF1F8
Device \Driver\atapi \Device\Ide\IdePort3 85BCF1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 85BCF1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-2 85BCF1F8
Device \Driver\cdrom \Device\CdRom1 86AD91F8
Device \Driver\netbt \Device\NetBt_Wins_Export 87149500
Device \Driver\Smb \Device\NetbiosSmb 873151F8
Device \Driver\iScsiPrt \Device\RaidPort0 86C801F8

AttachedDevice \Driver\tdx \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\tdx \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

Device \Driver\usbuhci \Device\USBFDO-0 86B621F8
Device \Driver\usbuhci \Device\USBFDO-1 86B621F8
Device \Driver\usbuhci \Device\USBFDO-2 86B621F8
Device \Driver\usbehci \Device\USBFDO-3 86AE41F8
Device \Driver\usbuhci \Device\USBFDO-4 86B621F8
Device \Driver\usbuhci \Device\USBFDO-5 86B621F8
Device \Driver\usbuhci \Device\USBFDO-6 86B621F8
Device \Driver\usbehci \Device\USBFDO-7 86AE41F8
Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 85BD01F8
Device \Driver\JRAID \Device\Scsi\JRAID1 85BD01F8
Device \Driver\a9z6ow3o \Device\Scsi\a9z6ow3o1Port6Path0Target0Lun0 86BD91F8
Device \Driver\a9z6ow3o \Device\Scsi\a9z6ow3o1 86BD91F8
Device \FileSystem\cdfs \Cdfs 855B71F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x38 0x2E 0xF6 0x99 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3B 0x16 0x9E 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEB 0xF1 0x5D 0xBB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA2 0xE8 0x44 0xFD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x38 0x2E 0xF6 0x99 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3B 0x16 0x9E 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEB 0xF1 0x5D 0xBB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA2 0xE8 0x44 0xFD ...

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\LogFiles\Scm\SCM.EVM (size mismatch) 262144/196608 bytes
File C:\Windows\System32\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}\{ceaac633-bc1c-4bca-a35b-fbd09401aa8e}\krundown.etl (size mismatch) 2228224/0 bytes

---- EOF - GMER 1.0.15 ----

#6 Jat90

Posted 10 April 2009 - 10:10 AM

Hello,

Let's proceed with a fix.

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#7 udi

Posted 10 April 2009 - 11:58 AM

Hi Jat,
I ran ComboFix, and when it rebooted I got a blue screen, and then the computer wouldn't start.
I had to do a startup recovery from the DVD.

ComboFix 09-04-04.01 - udi 2009-04-10 19:31:12.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3326.1753 [GMT 3:00]
Running from: c:\users\udi\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Administrator\AppData\Roaming\drivers\downld
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\print.htm
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_AgatUserImage.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_Animated.htm
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_attachEmpty.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_attachFull.bmp
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_ban_moin.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_blue_bot_lft.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_bot_lft.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_bot_lft_dis.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_bot_rt.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_bot_rt_dis.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_bullet.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_bullet_blue.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_bullet_blue_eng.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_but_asher.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_but_close.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_but_remove.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_but_sgor.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_corner_topLft.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_crnr_bot_left.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_crnr_bot_right.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_crnr_top_left.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_crnr_top_right.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_del_small.GIF
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_deleteSign.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_displayAttach.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_displaySignedForm.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_displaySignerDetails.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_displaySignerStatus.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_dot.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_dotted_line.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_drop2.GIF
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_englishBackgroundPopup.jpg
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_englishContent.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_exit.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_form_bg_bottom_stretch.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_form_bg_corner_left.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_form_bg_corner_right.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_form_bg_left_stretch.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_form_bg_right_stretch.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_form1_main_bw.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_hebrewBackgroundPopup.jpg
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_hebrewContent.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_id_card.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_ikon_files.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_ikon_help.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_ikon_tohen.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_layout_an_send_end.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_left_grey.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_left2.GIF
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_leftTop.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_line.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_line_dis.jpg
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_line_gray.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_line_stretch_across.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_line_stretch_down.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_logo_israel.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_logo_israel1.jpeg
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_lookUpWindow.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_lookUpWindowReadonly.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_main_left.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_main_left1.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_main_semel.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_main_seperator.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_mashov.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_pay_button1.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_print.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_print11.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_printnush.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_right_grey.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_right2.GIF
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_rightTop.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_sand_clock3.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_saveAllAttachments.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_saveAllAttachmentsENG.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_saveAttach.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_SaveToFile.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_saveToFileEach.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_shadow_bottom.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_shadow_bottom_dis.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_shadow_Rt.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_shadow_Rt_dis.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_sign.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_sign_unverified.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_signGrey.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_SignInQuestion.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_signYellow.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_square.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_star.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_status_Animated.htm
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_statusBar.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_subtitle_corner_left.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_subtitle_with_line.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_title_corner_left.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_title_corner_lft.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_title_with_line.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_titleBG.bmp
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_ToolbarP.png
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_top_lft.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_top_lft_dis.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_top_rt.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_top_rt_dis.gif
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_trash.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsImg_verifySignature.ico
c:\users\udi\AppData\Local\Microsoft\Windows\Temporary Internet Files\tfsStatusBar.gif
c:\users\udi\AppData\Roaming\drivers\downld

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SK9OU0S


((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-10 13:45 . 2009-04-10 19:46 756,087,121 --a------ c:\windows\MEMORY.DMP
2009-04-09 17:54 . 2009-04-09 17:54 <DIR> d-------- C:\gmer
2009-04-07 10:24 . 2009-04-07 10:24 <DIR> d-------- c:\program files\Activision
2009-04-07 10:18 . 2009-04-07 10:18 <DIR> d--hs---- c:\windows\ftpcache
2009-04-06 21:43 . 2009-04-06 21:43 <DIR> d-------- c:\program files\Bethesda Softworks
2009-04-06 21:43 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\System32\D3DX9_38.dll
2009-04-06 21:43 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\System32\D3DCompiler_38.dll
2009-04-06 21:43 . 2008-05-30 14:19 507,400 --a------ c:\windows\System32\XAudio2_1.dll
2009-04-06 21:43 . 2008-05-30 14:11 467,984 --a------ c:\windows\System32\d3dx10_38.dll
2009-04-06 21:43 . 2008-05-30 14:18 238,088 --a------ c:\windows\System32\xactengine3_1.dll
2009-04-06 21:43 . 2008-05-30 14:17 65,032 --a------ c:\windows\System32\XAPOFX1_0.dll
2009-04-06 21:43 . 2008-05-30 14:17 25,608 --a------ c:\windows\System32\X3DAudio1_4.dll
2009-04-06 21:41 . 2009-04-06 21:41 <DIR> d-------- c:\windows\System32\xlive
2009-03-29 15:33 . 2009-03-29 15:33 56 --ah----- c:\windows\System32\ezsidmv.dat
2009-03-20 13:15 . 2009-02-09 06:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-20 13:15 . 2008-11-27 07:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-20 13:14 . 2008-12-16 06:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-20 13:14 . 2008-12-16 08:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-20 13:14 . 2008-12-16 08:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-20 13:14 . 2008-12-16 08:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-20 13:12 . 2008-12-05 07:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-03-20 13:12 . 2008-12-05 07:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-03-20 13:12 . 2008-12-05 07:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-03-20 13:12 . 2008-12-05 07:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-03-20 13:12 . 2008-12-05 07:31 80,896 --a------ c:\windows\System32\MSNP.ax
2009-03-15 22:01 . 2009-04-02 14:38 158 --a------ c:\windows\matlab.ini
2009-03-15 22:00 . 2009-03-15 22:00 <DIR> d-------- c:\users\udi\AppData\Roaming\MathWorks
2009-03-15 21:53 . 2002-02-14 13:26 647,872 --a------ c:\windows\System32\mscomct2.ocx
2009-03-15 21:53 . 2009-03-15 21:53 645,120 --a------ c:\windows\System32\config.gms
2009-03-15 21:53 . 2004-03-02 01:05 407,104 --a------ c:\windows\System32\MSHFLXGD.OCX
2009-03-15 21:53 . 2004-02-11 17:37 203,976 --a------ c:\windows\System32\RICHTX32.OCX
2009-03-15 21:53 . 2002-02-13 13:20 2,362 --a------ c:\windows\System32\mscomct2.dep
2009-03-15 21:40 . 2009-03-15 21:40 <DIR> d-------- c:\program files\MATLAB
2009-03-13 19:20 . 2009-03-13 19:21 <DIR> d-------- c:\program files\Perl Express
2009-03-13 19:17 . 2009-03-13 19:20 <DIR> d-------- C:\Perl

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 16:31 --------- d--h--w c:\users\udi\AppData\Roaming\drivers
2009-04-10 16:31 --------- d--h--w c:\users\Administrator\AppData\Roaming\drivers
2009-04-07 07:44 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-07 07:18 --------- d-----w c:\users\udi\AppData\Roaming\uTorrent
2009-04-06 16:52 --------- d-----w c:\program files\eMule
2009-03-31 06:13 --------- d-----w c:\program files\Windows Mail
2009-03-29 12:35 --------- d-----w c:\users\udi\AppData\Roaming\Skype
2009-03-29 12:33 --------- d-----w c:\users\udi\AppData\Roaming\skypePM
2009-03-13 16:20 724,992 ----a-w c:\windows\iun6002.exe
2009-03-01 11:58 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-03-01 11:41 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-27 16:12 --------- d-----w c:\program files\ESET
2009-02-26 00:40 --------- d-----w c:\program files\Trend Micro
2009-02-25 15:10 --------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-02-25 15:09 --------- d-----w c:\users\udi\AppData\Roaming\SUPERAntiSpyware.com
2009-02-25 15:09 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-25 15:09 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-25 14:27 --------- d-----w c:\users\udi\AppData\Roaming\Malwarebytes
2009-02-25 14:27 --------- d-----w c:\programdata\Malwarebytes
2009-02-25 14:27 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-24 19:29 --------- d-----w c:\program files\Creative
2009-02-24 19:20 --------- d-----w c:\program files\Panda Security
2009-02-23 07:14 --------- d-----w c:\program files\Winamp
2009-02-11 08:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 08:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-16 15:02 319,456 ----a-w c:\windows\DIFxAPI.dll
2009-01-15 13:55 16,608 ----a-w c:\windows\gdrv.sys
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2009-01-15 00:30 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-07-03 10:24 174 ----a-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-15 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13580832]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"AsioReg"="CTASIO.DLL" [2007-04-09 c:\windows\System32\ctasio.dll]

c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microtek Scanner Finder.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk
backup=c:\windows\pss\Microtek Scanner Finder.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2008-04-23 03:08 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 13:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 15:35 202024 c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-09-18 00:55 92704 c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProfilerU]
--a------ 2007-10-02 10:10 233472 c:\program files\Saitek\SD6\Software\ProfilerU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2009-01-06 20:29 6707744 c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiMfd]
--a------ 2007-10-02 10:10 131072 c:\program files\Saitek\SD6\Software\SaiMfd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-02-17 12:43 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 17:45 313472 c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-04 02:02 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2007-04-09 12:32 19456 c:\windows\System32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2007-04-09 12:32 19968 c:\windows\System32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1403182228-2341876748-2366999171-1000]
"EnableNotificationsRef"=dword:00000003

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C8D49773-4C40-4F98-AAE9-98DFBF88ADED}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{F9B6EE7A-0FA0-4FBF-A5EC-4AE7847812CC}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{D8C099C9-7971-4D68-8E64-06D68AB1CF41}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{2FBA298B-FE77-4C31-9C80-C6A17EE29AF9}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{893A147D-030B-4054-A5E3-130FCC977789}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{834D2D2A-FD2B-4B56-81FD-0CEFC3C6F615}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{C6927721-C18D-4855-80D1-79A66FB8F01F}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{9039C8E7-6020-4C8D-B4C4-50F01A821AA3}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{22B53B5B-C317-46F6-8522-04F98CB2A6CF}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{22EDB5B6-2DE6-4453-8C74-10DAF4AD23B0}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{3A8EE9D9-C135-448D-85C7-893215269DED}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1038C064-A732-4DE4-8E90-A807BB673C22}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{45B165A8-34C8-4894-B104-4D9033982108}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{14FF6501-1CC2-4212-BCDF-8EFAEABCB12F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-06-10 468224]
S3 SaiH075C;SaiH075C;c:\windows\System32\drivers\SaiH075C.sys [2007-05-01 132232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - sptd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c37e68a-1538-11de-8a65-001a4d4b7c1d}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b3bf519-eba0-11dd-a44d-001a4d4b7c1d}]
\shell\AutoRun\command - f:\wd_windows_tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8636f47f-430b-11dd-919c-001a4d4b7c1d}]
\shell\AutoRun\command - f:\setup\rsrc\Autorun.exe
\shell\dinstall\command - f:\directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99f50703-b7ed-11dc-89e0-001a4d4b7c1d}]
\shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a25e3f1a-7209-11dd-b27b-001a4d4b7c1d}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3ca1e4b-3f39-11dd-afdd-806e6f6e6963}]
\shell\AutoRun\command - H:\Run.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da0e3efa-b7eb-11dc-8507-806e6f6e6963}]
\shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1403182228-2341876748-2366999171-1000.job
- c:\users\udi\AppData\Local\Google\Update\GoogleUpdate.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-drvsyskit - c:\users\udi\AppData\Roaming\drivers\winupgro.exe
MSConfigStartUp-Google Update - c:\users\udi\AppData\Local\Google\Update\GoogleUpdate.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = proxy.netvision.net.il:8080
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 19:50:58
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\System32\conime.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\System32\taskmgr.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-04-10 19:53:46 - machine was rebooted [udi]
ComboFix-quarantined-files.txt 2009-04-10 16:53:44

Pre-Run: 31,316,865,024 bytes free
Post-Run: 31,002,968,064 bytes free

364 --- E O F --- 2009-03-31 06:13:31
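
As an added example that is not part of this thread or of ComboFix, DDS or ESET, the Python script below shows how a helper could triage the "Find3M", "Reg Loading Points" and "ORPHANS REMOVED" sections of a ComboFix log like the one above instead of reading several hundred lines by eye. It flags UAC and Windows Firewall being turned off (both visible in this log), AutoRun handlers recorded for removable or optical media, startup entries whose executable lives under AppData\Roaming (where this log's drvsyskit/winupgro.exe entry sat), and hidden directories under AppData\Roaming. The sample lines are constructed from excerpts of the posted log; the rule names and severities are my own heuristics, not ComboFix output.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not a tool from
this thread). Walks the log line by line, remembers the current [registry section]
and flags a few defender-relevant conditions. Rules and severities are heuristics."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    rule: str      # short rule identifier
    detail: str    # the value, profile or path that triggered the rule


SECTION_RE = re.compile(r"^\[(?P<key>.+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+?)\s*$')
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)
STARTUP_RE = re.compile(r"^MSConfigStartUp-(?P<name>.+?)\s+-\s+(?P<path>.+)$")
# Find3M lines: "<date> <time> <size or --------->  <7-char attrs>  <path>"
FIND3M_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?P<size>[\d,]+|-+)\s+(?P<attrs>[\w-]{7})\s+(?P<path>.+)$"
)


def _is_zero(value: str) -> bool:
    """ComboFix prints DWORDs as '0 (0x0)'; treat a leading 0 as the value zero."""
    m = re.match(r"\d+", value)
    return m is not None and int(m.group(0)) == 0


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = ""  # current [registry key] header, original case
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        low_section = section.lower()
        m = VALUE_RE.match(line)
        if m and section:
            name, value = m.group("name"), m.group("value")
            if name == "EnableLUA" and _is_zero(value) and low_section.endswith("policies\\system"):
                findings.append(Finding("high", "uac-disabled", f"{name}={value}"))
            elif name == "EnableFirewall" and _is_zero(value) and "firewallpolicy" in low_section:
                # last path component of the key is the firewall profile name
                findings.append(Finding("high", "firewall-disabled", section.rsplit("\\", 1)[-1]))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in low_section:
            findings.append(Finding("info", "autorun-handler", m.group("cmd")))
            continue
        m = STARTUP_RE.match(line)
        if m:
            path = m.group("path")
            if "\\appdata\\roaming\\" in path.lower():
                findings.append(Finding("high", "startup-from-roaming", path))
            elif "\\appdata\\" in path.lower():
                findings.append(Finding("info", "startup-from-appdata", path))
            continue
        m = FIND3M_RE.match(line)
        if m and "h" in m.group("attrs") and "\\appdata\\roaming\\" in m.group("path").lower():
            findings.append(Finding("medium", "hidden-in-roaming", m.group("path")))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    order = {"info": 0, "medium": 1, "high": 2}
    return max((f.severity for f in findings), key=order.__getitem__, default="none")


# Constructed sample: lines excerpted from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2009-04-10 16:31 --------- d--h--w c:\users\udi\AppData\Roaming\drivers
2009-04-10 16:31 --------- d--h--w c:\users\Administrator\AppData\Roaming\drivers
2009-04-07 07:18 --------- d-----w c:\users\udi\AppData\Roaming\uTorrent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c37e68a-1538-11de-8a65-001a4d4b7c1d}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da0e3efa-b7eb-11dc-8507-806e6f6e6963}]
\shell\AutoRun\command - D:\setup.exe

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-drvsyskit - c:\users\udi\AppData\Roaming\drivers\winupgro.exe
MSConfigStartUp-Google Update - c:\users\udi\AppData\Local\Google\Update\GoogleUpdate.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

On the sample above the script reports UAC off, all three firewall profiles off, two AutoRun handlers, the hidden `drivers` directories and the `winupgro.exe` startup entry under AppData\Roaming, while Google Update under AppData\Local is reported only as informational; the rules are deliberately narrow, so a clean result from them is not a clean bill of health.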

#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:07:24 PM

Posted 10 April 2009 - 12:41 PM

Hello,

It's unusual for that to happen :thumbup2:. Although your logs look fine, how is your PC now?
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#9 udi

udi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 12 April 2009 - 05:48 PM

It looks ok.
I'll have to give it a few days to be sure.
Thanks for all the help, Jat!!!!!!

#10 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:07:24 PM

Posted 13 April 2009 - 05:49 AM

Hello,

Let's make sure:

ESET Online Scan

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#11 udi

udi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 13 April 2009 - 08:34 AM

I scanned the computer with the ESET online scanner, here is the log:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4004 (20090413)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=0dc040fe5a27f9419600ebcdbe5cd227
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-04-13 01:20:14
# local_time=2009-04-13 04:20:14 (+0200, Jerusalem Daylight Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=899554
# found=2
# scan_time=5068
# nod_component=V3 Build:0x30000000 ()
C:\Program Files\eMule\incoming\VBA Password Recovery Master 1.0.0.3 (Crack).zip Win32/Bagle.QX worm 46BA8CE03D15CEECFCC036B75CA456E3
C:\Program Files\eMule\incoming\VBA Password Recovery Master 1.0.0.3 (Crack).zip »ZIP »setup.exe Win32/Bagle.QX worm 00000000000000000000000000000000


The VBA Password Recovery Master 1.0.0.3 (Crack).zip is where my problems started a month ago.
I unzipped it and double clicked on the exe file. (stupid me!)
When I realized it's a worm I deleted the files; after a few days I downloaded the file again just to be able to identify the worm, and forgot to delete the file.
I've now deleted the file!!!
Do you think it's all ok now???
Thanks
udi

#12 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:07:24 PM

Posted 13 April 2009 - 08:48 AM

Hello,

Yes it should be ok now, we have cleared the damage it did.

Congratulations you are now clean! :thumbup2:

We should tidy up our mess though.

Uninstall ComboFix
  • Go to Start, then click Run
  • In the box, type: Combofix /u
  • Press Enter or click ok, and ComboFix will uninstall. Refer to the picture below if unsure.
Posted Image

Uninstall Gmer

Go to Start --> Run and copy/paste C:\WINDOWS\gmer_uninstall.cmd into the run window, click Okay. When that process completes, please reboot your computer.

Other Deletions

Locate where you saved DDS.exe, right click the file and select Delete.



Take a read of this excellent tutorial:

Simple and easy ways to keep your computer safe and secure on the Internet


Disable and Enable System Restore.

You should disable and re-enable system restore to make sure there are no infected files found in a restore point. You should now create a new restore point, since your system is clean.

You can find instructions on how to disable and re-enable system restore here:

Windows XP System Restore Guide

Visit Microsoft's Windows Update Site Frequently
  • It is important that you visit http://www.windowsupdate.com regularly.
  • This will ensure your computer always has the latest security updates installed.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
System still slow?

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

Next, I would recommend the download and installation of some (I would say two is enough) of the following programs:

Spybot© - Search and Destroy
  • This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
  • You should also scan your computer with the program on a regular basis just as you would with anti-virus software.
SUPERAntiSpyware
  • You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
  • Each antispyware product has different detection rates for different infections, using different products therefore increases your chances of finding and killing most malware.
MalwareBytes' Anti-Malware
  • Malwarebytes' Anti-Malware can detect and remove malware that even the most well known anti-virus and anti-malware applications fail to detect.
  • Ability to perform full scans for all drives.
  • The "Quick Scan" option lets the user scan the computer quickly checking for the most damaging threats and completing in usually under 10 minutes.
Javacools© SpywareBlaster
  • SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs.
Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Glad I could Help :)
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#13 udi

udi
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:24 PM

Posted 13 April 2009 - 10:10 AM

Cleaned up all the programs!!!!
Thanks again for all the help!!!
I'll be careful from now on!!!
Goodbye
udi

#14 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:07:24 PM

Posted 13 April 2009 - 10:17 AM

Good to know, no problem :thumbup2:

Since the problem appears to be resolved, this topic is now Closed. Glad I could help.
If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.




