Need your suggestions!


Post by vakar » February 6th, 2008, 4:16 pm

Hello,
When I search in Google and click one of the results, it automatically redirects to this site: "http://89.149.227.101/click.php?c=136d644f037ea413b90629693c01"
I ran all the scans with antispyware and anti-malware tools but couldn't overcome the problem. I hope you'll understand my problem and help me. Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:38:28, on 06.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Privacy Guard\ThePrivacyGuard.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {58FEE910-23BF-4EA9-8303-F371C2BB5EA1} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\Program Files\The Privacy Guard\ThePrivacyGuard.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: GammaTray.lnk = ?
O8 - Extra context menu item: &FlashGet ile indir - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Tümünü FlashGet ile indir - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Microsoft Excel'e &Ver - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: SWF Capture tool - C:\Program Files\Eltima Software\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: OneNote'a Gönder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: OneNote'a G&önder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O16 - DPF: {3AEECF42-EFE4-4AC8-AE9E-83C031EC09AB} (GamyunNetToolbar) - http://server.gamyun.net/plugin/GamyunIeToolbar.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - http://reporteokul.meb.gov.tr/crystalre ... viewer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8720 bytes
vakar
Active Member
 
Posts: 12
Joined: February 6th, 2008, 3:48 pm
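A way to triage the two log formats in this thread mechanically, as an added example (not a MalwareRemoval.com tool and not the helper's procedure): it parses the HijackThis O2 lines above and the ComboFix "Browser Helper Objects" blocks posted later in the thread, flags BHOs with no name, no file, or a DLL sitting in system32, and reports any DLL registered under several BHO CLSIDs. The sample lines are copied from the posted logs; the flagging rules are this example's own assumptions.

```python
"""Triage helpers for HijackThis O2 (BHO) lines and ComboFix BHO blocks.

Added example for this thread; not a MalwareRemoval.com tool and not the
helper's procedure. Sample lines are copied from the posted logs; the
flagging rules below are this example's own assumptions.
"""
import re
from collections import defaultdict

# HijackThis:  O2 - BHO: <name> - {CLSID} - <path or (no file)>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# ComboFix:    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CLSID}]
#              <date> <time> <size> <attrs> <path>
CF_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(?P<clsid>\{[0-9A-Fa-f-]+\})\]$")
CF_FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>.+)$")
SYSTEM32_DLL_RE = re.compile(r"(?i)^c:\\windows\\system32\\[^\\]+\.dll$")

# Sample input copied from the HijackThis log in this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {58FEE910-23BF-4EA9-8303-F371C2BB5EA1} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
""".strip().splitlines()

# Sample input copied from the ComboFix "Reg Loading Points" section in this thread.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27D87037-E9C5-4E6C-B05A-C325AB0F3E11}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A324CDE-971B-4EEB-B7CF-914B51A0E44C}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58FEE910-23BF-4EA9-8303-F371C2BB5EA1}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6049A6DF-B161-4C3F-BF2D-2F2BDF69C9BA}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A40E78E9-4CB3-4EFC-8067-3C4E7FB41B0E}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A56A07BF-2723-454B-B421-0E46581CCA8B}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll
""".strip().splitlines()


def parse_hjt_o2(lines):
    """Return one dict (name, clsid, path) per HijackThis O2 line."""
    return [m.groupdict() for m in (O2_RE.match(l.strip()) for l in lines) if m]


def hjt_o2_findings(entries):
    """Flag BHOs that are unnamed, orphaned, or loaded straight from system32.

    Legitimate BHOs normally carry a product name and live under Program Files;
    an unnamed DLL dropped into system32 is the pattern seen in this thread.
    """
    findings = []
    for e in entries:
        reasons = []
        if e["name"] == "(no name)":
            reasons.append("no registered name")
        if e["path"] == "(no file)":
            reasons.append("orphaned CLSID (no file on disk)")
        elif SYSTEM32_DLL_RE.match(e["path"]):
            reasons.append("DLL loaded from system32 rather than Program Files")
        if reasons:
            findings.append((e["clsid"], e["path"], reasons))
    return findings


def parse_combofix_bho(lines):
    """Map each BHO CLSID in a ComboFix Reg Loading Points section to its DLL path."""
    result, current = {}, None
    for line in lines:
        line = line.strip()
        km = CF_KEY_RE.match(line)
        if km:
            current = km.group("clsid")
            continue
        fm = CF_FILE_RE.match(line)
        if fm and current:
            result[current] = fm.group("path")
            current = None
    return result


def dll_clsid_fanout(clsid_to_path, min_count=2):
    """Return DLLs registered under at least min_count BHO CLSIDs.

    One DLL behind several GUIDs is a persistence trick: deleting a single
    registration leaves the others still loading the same file.
    """
    fan = defaultdict(list)
    for clsid, path in clsid_to_path.items():
        fan[path.lower()].append(clsid)
    return {p: c for p, c in fan.items() if len(c) >= min_count}


if __name__ == "__main__":
    for clsid, path, reasons in hjt_o2_findings(parse_hjt_o2(HJT_SAMPLE)):
        print(f"O2 {clsid} -> {path}: {'; '.join(reasons)}")
    for dll, clsids in dll_clsid_fanout(parse_combofix_bho(COMBOFIX_SAMPLE)).items():
        print(f"{dll} is registered under {len(clsids)} BHO CLSIDs")
```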

Re: Need your suggestions!

Post by chryssi2001 » February 7th, 2008, 12:58 pm

Hello vakar,

I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log, and I will post back recommendations for repairs.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it as a reference.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need your suggestions!

Post by chryssi2001 » February 7th, 2008, 3:09 pm

Hello vakar,

OPTIONAL
The unregistered version of FlashGet serves up Ads in Internet Explorer that are downloaded from Cydoor servers. I would suggest removing it if it is this version. The registered version supposedly does not... so it should be ok. I usually recommend Leechget. Please uninstall FlashGet in the Start > Control Panel > Add/Remove programs.
----------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\davcln.dll

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
----------------------------------------
Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
----------------------------------------
Post back:
Jotti results.
Combofix report.
A new HijackThis log.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need your suggestions!

Post by vakar » February 7th, 2008, 10:35 pm

Thanks for your help Chryssi2001

Here is my Jotti report

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:BHO-KD
AVG Antivirus Found nothing
BitDefender Found Trojan.Spy.Bzub.NGP (probable variant)
ClamAV Found Trojan.Bzub-309
CPsecure Found nothing
Dr.Web Found Trojan.DownLoader.46255
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Delf.emb
Fortinet Found nothing
Ikarus Found Trojan-PWS.Win32.Lmir
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Delf.emb
NOD32 Found nothing
Norman Virus Control Found W32/Delf.BJUR
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Behav-187
VirusBuster Found nothing
VBA32 Found nothing

...........................
And this is Combofix log file

ComboFix 08-02.05.3 - KRBK 2008-02-08 4:21:00.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.1514 [GMT 2:00]
Running from: C:\Documents and Settings\KRBK\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-08 04:06 . 19,584 C:\WINDOWS\system32\drivers\swxvpsqf.dat
2008-02-08 03:54 . 2004-08-04 09:45 387,584 --a------ C:\kmd.exe
2008-02-07 04:25 . 2008-02-07 04:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-07 04:22 . 2008-02-07 04:24 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-07 03:09 . 2008-02-07 03:09 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\Locktime
2008-02-07 03:08 . 2008-02-07 03:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-02-06 13:26 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-06 11:32 . 2008-02-06 11:32 16,855,552 --a------ C:\WINDOWS\181.tmp
2008-02-06 11:22 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\gdeydjhjsxcb.sys
2008-02-06 11:11 . 2008-02-06 13:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 11:11 . 2008-02-06 13:25 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-06 11:11 . 2008-02-06 13:25 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 11:11 . 2008-02-06 13:25 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-06 11:04 . 2008-02-06 11:04 <DIR> d-------- C:\Program Files\CCleaner
2008-01-28 13:27 . 2008-02-08 03:43 <DIR> d-------- C:\Program Files\The Privacy Guard
2008-01-28 05:42 . 2008-01-30 01:32 32 --a------ C:\WINDOWS\go
2008-01-27 00:00 . 2008-01-27 00:00 <DIR> d-------- C:\WINDOWS\Sun
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Program Files\Webroot
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\Webroot
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-26 23:30 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-01-26 23:30 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-26 23:30 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-26 23:30 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-26 23:30 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-26 21:49 . 2008-01-26 21:49 <DIR> d-------- C:\Program Files\LimeWire
2008-01-25 03:12 . 2008-01-25 03:14 <DIR> d-------- C:\Documents and Settings\Administrator\Sık Kullanılanlar
2008-01-25 03:12 . 2007-12-25 21:57 <DIR> d-------- C:\Documents and Settings\Administrator\Belgelerim
2008-01-25 01:20 . 2008-01-25 01:20 <DIR> d-------- C:\NVIDIA
2008-01-25 01:20 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-25 01:09 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 00:56 . 2008-01-25 00:56 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-01-25 00:50 . 2008-01-25 00:58 127,254 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-25 00:50 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-25 00:50 . 2007-06-29 00:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.xml
2008-01-23 00:40 . 2008-02-06 13:37 <DIR> d-------- C:\Program Files\MagicTune Premium
2008-01-23 00:40 . 2007-11-23 19:19 13,056 --a------ C:\WINDOWS\system32\drivers\MTiCtwl.sys
2008-01-23 00:39 . 2008-01-23 00:39 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\InstallShield
2008-01-19 04:02 . 2008-02-06 13:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-19 04:02 . 2008-01-19 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-19 02:49 . 2008-01-19 02:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-19 02:20 . 2008-02-06 13:34 <DIR> d-------- C:\Program Files\Bonjour
2008-01-19 02:12 . 2008-01-19 02:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-18 00:19 . 2008-01-18 00:19 <DIR> d-------- C:\Program Files\Business Objects
2008-01-16 03:42 . 2008-02-06 13:32 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-13 02:55 . 2008-01-13 02:55 <DIR> d-------- C:\Program Files\Avira
2008-01-13 02:55 . 2008-01-13 02:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-13 02:25 . 2008-01-13 02:25 <DIR> d-------- C:\Program Files\Common Files\snp2std
2008-01-13 02:25 . 2007-01-26 16:48 12,028,032 --a------ C:\WINDOWS\system32\drivers\snp2sxp.sys
2008-01-13 02:25 . 2006-09-15 13:21 675,840 --a------ C:\WINDOWS\vsnp2std.exe
2008-01-13 02:25 . 2006-10-03 14:35 249,856 --a------ C:\WINDOWS\system32\vsnp2std.dll
2008-01-13 02:25 . 2007-02-05 15:25 151,552 --a------ C:\WINDOWS\system32\rsnp2std.dll
2008-01-13 02:25 . 2006-11-16 15:57 77,824 --a------ C:\WINDOWS\system32\csnp2std.dll
2008-01-13 02:25 . 2007-01-25 18:48 25,472 --a------ C:\WINDOWS\system32\drivers\sncamd.sys
2008-01-13 02:25 . 2007-02-12 14:50 20,480 --a------ C:\WINDOWS\FixCamera.exe
2008-01-13 02:25 . 2004-12-09 17:23 15,497 --a------ C:\WINDOWS\snp2std.ini
2008-01-13 02:25 . 2004-12-09 17:23 13,022 --a------ C:\WINDOWS\snp2std.src
2008-01-13 02:20 . 2008-01-13 02:20 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-01-13 02:20 . 2008-02-07 13:55 <DIR> d-------- C:\Documents and Settings\KRBK\Shared
2008-01-13 02:20 . 2008-01-13 02:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 02:20 . 2008-01-13 02:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-13 00:25 . 2008-02-06 13:53 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\SUPERAntiSpyware.com
2008-01-12 23:32 . 2008-01-12 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-12 03:01 . 2008-01-12 03:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-12 03:01 . 2008-01-12 03:01 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\Lavasoft
2008-01-12 03:00 . 2008-01-12 03:00 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\TrojanHunter
2008-01-12 02:37 . 2008-02-06 11:32 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-01-11 17:09 . 2008-01-11 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-11 16:59 . 2008-02-07 14:14 <DIR> d-------- C:\Documents and Settings\KRBK\Incomplete
2008-01-11 16:59 . 2008-02-07 13:55 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\LimeWire
2008-01-11 16:55 . 2008-01-25 01:09 <DIR> d-------- C:\Program Files\Java
2008-01-11 16:52 . 2008-01-11 16:52 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-11 00:50 . 2004-08-04 09:45 84,480 --a------ C:\WINDOWS\system32\davcln.dll
2008-01-09 08:41 . 2008-01-09 08:41 <DIR> d-------- C:\Documents and Settings\KRBK\System
2008-01-09 08:41 . 2008-01-09 08:52 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\SmartDraw
2008-01-09 08:21 . 2008-01-09 08:41 <DIR> d-------- C:\Program Files\SmartDraw 2008
2008-01-08 23:40 . 2008-01-08 23:40 54 --a------ C:\WINDOWS\GECKOS.INI
2008-01-08 22:55 . 2008-01-08 22:55 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\Eltima Software
2008-01-08 21:42 . 2003-10-02 16:09 180,224 --a------ C:\WINDOWS\system32\xwsindex.exe
2008-01-08 21:41 . 2008-01-08 21:41 <DIR> d-------- C:\WINDOWS\system32\Xara
2008-01-08 21:41 . 2008-01-08 21:41 <DIR> d-------- C:\Program Files\Xara
2008-01-08 21:41 . 2008-01-08 21:41 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\Xara
2008-01-08 21:41 . 2003-10-17 14:03 876,544 --a------ C:\WINDOWS\system32\XaraDocG.dll
2008-01-08 21:41 . 2003-10-14 15:49 253,952 --a------ C:\WINDOWS\system32\TemplOp.dll
2008-01-08 21:41 . 2003-10-01 14:49 131,072 --a------ C:\WINDOWS\system32\BmpImporter.dll
2008-01-08 21:41 . 2003-10-17 14:03 126,976 --a------ C:\WINDOWS\system32\TemplMan.dll
2008-01-08 21:41 . 2003-11-13 12:13 118,784 --a------ C:\WINDOWS\system32\XMUpload.dll
2008-01-08 21:41 . 2000-05-21 23:00 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-08 21:41 . 2002-01-10 03:01 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-01-08 21:41 . 2003-05-19 16:18 86,016 --a------ C:\WINDOWS\system32\BinCoder.dll
2008-01-08 21:41 . 2003-10-06 14:45 23,552 --a------ C:\WINDOWS\system32\XFontMan.dll
2008-01-08 18:03 . 2008-01-08 18:03 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\Thinstall
2008-01-08 18:01 . 2008-01-08 18:01 <DIR> d-------- C:\Program Files\Eltima Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 01:42 --------- d-----w C:\Program Files\FlashGet
2008-02-06 11:38 --------- d-----w C:\Program Files\MSN Messenger
2008-02-06 09:32 --------- d-----w C:\Program Files\BatchPhoto
2008-01-22 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 00:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-14 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-11 14:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-04 02:09 --------- d-----w C:\Program Files\GVZ
2008-01-04 01:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-03 00:14 --------- d-----w C:\Program Files\iFoxSoft
2008-01-02 21:59 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-02 21:58 --------- d-----w C:\Program Files\Macromedia
2007-12-30 00:38 --------- d-----w C:\Program Files\Winamp
2007-12-30 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\SRS Labs
2007-12-30 00:11 --------- d-----w C:\Program Files\SRS Labs
2007-12-29 23:56 --------- d-----w C:\Program Files\Acon Digital Media
2007-12-29 21:03 --------- d-----w C:\Documents and Settings\KRBK\Application Data\Nero
2007-12-29 21:02 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-29 21:01 --------- d-----w C:\Program Files\Nero
2007-12-29 21:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-29 15:21 --------- d-----w C:\Documents and Settings\KRBK\Application Data\AdobeUM
2007-12-29 15:08 --------- d-----w C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2007-12-29 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\ABBYY
2007-12-29 02:02 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-27 22:07 --------- d-----w C:\Program Files\Alcohol Soft
2007-12-27 22:06 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-27 21:50 --------- d-----w C:\Program Files\Microsoft Games
2007-12-26 22:40 --------- d-----w C:\Program Files\DIFX
2007-12-26 12:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-26 09:23 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-25 21:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-25 20:33 --------- d-----w C:\Program Files\MSBuild
2007-12-25 20:33 --------- d-----w C:\Program Files\Microsoft Works
2007-12-25 20:11 155,995 ----a-w C:\WINDOWS\java\Packages\MJ9FLB1B.ZIP
2007-12-25 20:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-25 20:10 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-25 19:46 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-25 19:46 --------- d-----w C:\Program Files\Realtek
2007-12-25 19:26 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-13 17:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-05 00:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-04 23:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-04 23:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-04 23:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-04 23:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-04 23:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-04 23:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-04 23:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-04 23:41 5,611,520 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-12-04 23:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-04 23:41 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-12-04 23:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-04 23:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-04 23:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-04 23:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-04 23:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-04 23:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-04 23:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-04 23:41 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-12-04 23:41 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-12-04 23:41 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-12-04 23:41 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-12-04 23:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-12-04 23:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-12-04 23:41 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-12-04 23:41 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-12-04 23:41 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-12-04 23:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-04 23:41 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-12-04 23:41 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-12-04 23:41 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-12-04 23:41 3,715,072 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-12-04 23:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-04 23:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-04 23:41 3,334,144 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-12-04 23:41 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-12-04 23:41 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-12-04 23:41 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-12-04 23:41 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-12-04 23:41 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-12-04 23:41 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll
2007-12-04 23:41 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-12-04 23:41 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-12-04 23:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-12-04 23:41 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-12-04 23:41 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-12-04 23:41 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-12-04 23:41 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-12-04 23:41 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-12-04 23:41 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-12-04 23:41 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-12-04 23:41 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27D87037-E9C5-4E6C-B05A-C325AB0F3E11}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A324CDE-971B-4EEB-B7CF-914B51A0E44C}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58FEE910-23BF-4EA9-8303-F371C2BB5EA1}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6049A6DF-B161-4C3F-BF2D-2F2BDF69C9BA}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A40E78E9-4CB3-4EFC-8067-3C4E7FB41B0E}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A56A07BF-2723-454B-B421-0E46581CCA8B}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:45 15360]
"ThePrivacyGuard"="C:\Program Files\The Privacy Guard\ThePrivacyGuard.exe" [2007-03-06 10:56 1512448]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"Camfrog"="C:\Program Files\Common Files\Microsoft Shared\EURO\muro\Camfrog Video Chat\CamfrogNet.exe" [2003-09-29 08:22 36352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-13 02:59 249896]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-01-07 17:56 1816208]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 09:45 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 09:45 33280 C:\WINDOWS\system32\rundll32.exe]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-15 13:21 675840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:45 15360]

C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe [2008-01-23 00:40:06 36864]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Adobe Reader Hızlı Çalıştırma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\Adobe Reader Hızlı Çalıştırma.lnk
backup=C:\WINDOWS\pss\Adobe Reader Hızlı Çalıştırma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^GammaTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\GammaTray.lnk
backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^KRBK^Start Menu^Programlar^Başlangıç^Adobe Gamma.lnk]
path=C:\Documents and Settings\KRBK\Start Menu\Programlar\Başlangıç\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^KRBK^Start Menu^Programlar^Başlangıç^OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnk]
path=C:\Documents and Settings\KRBK\Start Menu\Programlar\Başlangıç\OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2006-11-20 06:00 116096 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
--a------ 2004-12-17 00:38 290816 C:\Program Files\ABBYY FineReader 7.0 Professional Edition\ABBYYNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
--a------ 2007-02-12 14:50 20480 C:\WINDOWS\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:57 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2006-09-15 13:21 675840 C:\WINDOWS\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-01-04 20:56 5367664 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe

R3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-01-26 16:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cfec42e-b4c8-11dc-b53e-00508d9e577f}]
\Shell\AutoRun\command - F:\setup.exe /autorun

*Newly Created Service* - RZJGVNAF
.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 23:09:24 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job"
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exeW-PTE -V900 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X
"2008-01-28 00:00:01 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 04:21:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-08 4:22:06
ComboFix2.txt 2008-02-08 01:55:41
......................................................................................
Lastly, here is the new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:29:36, on 08.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Hijack\Analyze.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27D87037-E9C5-4E6C-B05A-C325AB0F3E11} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: (no name) - {2A324CDE-971B-4EEB-B7CF-914B51A0E44C} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {58FEE910-23BF-4EA9-8303-F371C2BB5EA1} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: (no name) - {6049A6DF-B161-4C3F-BF2D-2F2BDF69C9BA} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A40E78E9-4CB3-4EFC-8067-3C4E7FB41B0E} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: (no name) - {A56A07BF-2723-454B-B421-0E46581CCA8B} - C:\WINDOWS\system32\davcln.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\Program Files\The Privacy Guard\ThePrivacyGuard.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Camfrog] "C:\Program Files\Common Files\Microsoft Shared\EURO\muro\Camfrog Video Chat\CamfrogNet.exe" 1 C:\Program Files\Common Files\Microsoft Shared\EURO\muro\Camfrog Video Chat\Camfrog Video Chat.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: GammaTray.lnk = ?
O8 - Extra context menu item: Microsoft Excel'e &Ver - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: SWF Capture tool - C:\Program Files\Eltima Software\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: OneNote'a Gönder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: OneNote'a G&önder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O16 - DPF: {3AEECF42-EFE4-4AC8-AE9E-83C031EC09AB} (GamyunNetToolbar) - http://server.gamyun.net/plugin/GamyunIeToolbar.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - http://reporteokul.meb.gov.tr/crystalre ... viewer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8617 bytes
vakar

Re: Need your suggestions!

Post by vakar » February 7th, 2008, 10:35 pm

Thanks for your help, Chryssi2001

Here is my Jotti report

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:BHO-KD
AVG Antivirus Found nothing
BitDefender Found Trojan.Spy.Bzub.NGP (probable variant)
ClamAV Found Trojan.Bzub-309
CPsecure Found nothing
Dr.Web Found Trojan.DownLoader.46255
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Delf.emb
Fortinet Found nothing
Ikarus Found Trojan-PWS.Win32.Lmir
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Delf.emb
NOD32 Found nothing
Norman Virus Control Found W32/Delf.BJUR
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Behav-187
VirusBuster Found nothing
VBA32 Found nothing

...........................
And this is the ComboFix log file

ComboFix 08-02.05.3 - KRBK 2008-02-08 4:21:00.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.1514 [GMT 2:00]
Running from: C:\Documents and Settings\KRBK\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))
.

2008-02-08 04:06 . 19,584 C:\WINDOWS\system32\drivers\swxvpsqf.dat
2008-02-08 03:54 . 2004-08-04 09:45 387,584 --a------ C:\kmd.exe
2008-02-07 04:25 . 2008-02-07 04:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-02-07 04:22 . 2008-02-07 04:24 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-07 03:09 . 2008-02-07 03:09 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\Locktime
2008-02-07 03:08 . 2008-02-07 03:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-02-06 13:26 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-06 11:32 . 2008-02-06 11:32 16,855,552 --a------ C:\WINDOWS\181.tmp
2008-02-06 11:22 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\gdeydjhjsxcb.sys
2008-02-06 11:11 . 2008-02-06 13:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 11:11 . 2008-02-06 13:25 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-06 11:11 . 2008-02-06 13:25 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 11:11 . 2008-02-06 13:25 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-06 11:04 . 2008-02-06 11:04 <DIR> d-------- C:\Program Files\CCleaner
2008-01-28 13:27 . 2008-02-08 03:43 <DIR> d-------- C:\Program Files\The Privacy Guard
2008-01-28 05:42 . 2008-01-30 01:32 32 --a------ C:\WINDOWS\go
2008-01-27 00:00 . 2008-01-27 00:00 <DIR> d-------- C:\WINDOWS\Sun
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Program Files\Webroot
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\Webroot
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-26 23:30 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-01-26 23:30 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-26 23:30 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-26 23:30 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-26 23:30 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-26 21:49 . 2008-01-26 21:49 <DIR> d-------- C:\Program Files\LimeWire
2008-01-25 03:12 . 2008-01-25 03:14 <DIR> d-------- C:\Documents and Settings\Administrator\Sık Kullanılanlar
2008-01-25 03:12 . 2007-12-25 21:57 <DIR> d-------- C:\Documents and Settings\Administrator\Belgelerim
2008-01-25 01:20 . 2008-01-25 01:20 <DIR> d-------- C:\NVIDIA
2008-01-25 01:20 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-25 01:09 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 00:56 . 2008-01-25 00:56 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-01-25 00:50 . 2008-01-25 00:58 127,254 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-25 00:50 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-25 00:50 . 2007-06-29 00:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.xml
2008-01-23 00:40 . 2008-02-06 13:37 <DIR> d-------- C:\Program Files\MagicTune Premium
2008-01-23 00:40 . 2007-11-23 19:19 13,056 --a------ C:\WINDOWS\system32\drivers\MTiCtwl.sys
2008-01-23 00:39 . 2008-01-23 00:39 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\InstallShield
2008-01-19 04:02 . 2008-02-06 13:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-19 04:02 . 2008-01-19 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-19 02:49 . 2008-01-19 02:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-19 02:20 . 2008-02-06 13:34 <DIR> d-------- C:\Program Files\Bonjour
2008-01-19 02:12 . 2008-01-19 02:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-18 00:19 . 2008-01-18 00:19 <DIR> d-------- C:\Program Files\Business Objects
2008-01-16 03:42 . 2008-02-06 13:32 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-13 02:55 . 2008-01-13 02:55 <DIR> d-------- C:\Program Files\Avira
2008-01-13 02:55 . 2008-01-13 02:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-13 02:25 . 2008-01-13 02:25 <DIR> d-------- C:\Program Files\Common Files\snp2std
2008-01-13 02:25 . 2007-01-26 16:48 12,028,032 --a------ C:\WINDOWS\system32\drivers\snp2sxp.sys
2008-01-13 02:25 . 2006-09-15 13:21 675,840 --a------ C:\WINDOWS\vsnp2std.exe
2008-01-13 02:25 . 2006-10-03 14:35 249,856 --a------ C:\WINDOWS\system32\vsnp2std.dll
2008-01-13 02:25 . 2007-02-05 15:25 151,552 --a------ C:\WINDOWS\system32\rsnp2std.dll
2008-01-13 02:25 . 2006-11-16 15:57 77,824 --a------ C:\WINDOWS\system32\csnp2std.dll
2008-01-13 02:25 . 2007-01-25 18:48 25,472 --a------ C:\WINDOWS\system32\drivers\sncamd.sys
2008-01-13 02:25 . 2007-02-12 14:50 20,480 --a------ C:\WINDOWS\FixCamera.exe
2008-01-13 02:25 . 2004-12-09 17:23 15,497 --a------ C:\WINDOWS\snp2std.ini
2008-01-13 02:25 . 2004-12-09 17:23 13,022 --a------ C:\WINDOWS\snp2std.src
2008-01-13 02:20 . 2008-01-13 02:20 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-01-13 02:20 . 2008-02-07 13:55 <DIR> d-------- C:\Documents and Settings\KRBK\Shared
2008-01-13 02:20 . 2008-01-13 02:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 02:20 . 2008-01-13 02:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-13 00:25 . 2008-02-06 13:53 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\SUPERAntiSpyware.com
2008-01-12 23:32 . 2008-01-12 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-12 03:01 . 2008-01-12 03:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-12 03:01 . 2008-01-12 03:01 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\Lavasoft
2008-01-12 03:00 . 2008-01-12 03:00 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\TrojanHunter
2008-01-12 02:37 . 2008-02-06 11:32 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-01-11 17:09 . 2008-01-11 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-11 16:59 . 2008-02-07 14:14 <DIR> d-------- C:\Documents and Settings\KRBK\Incomplete
2008-01-11 16:59 . 2008-02-07 13:55 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\LimeWire
2008-01-11 16:55 . 2008-01-25 01:09 <DIR> d-------- C:\Program Files\Java
2008-01-11 16:52 . 2008-01-11 16:52 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-11 00:50 . 2004-08-04 09:45 84,480 --a------ C:\WINDOWS\system32\davcln.dll
2008-01-09 08:41 . 2008-01-09 08:41 <DIR> d-------- C:\Documents and Settings\KRBK\System
2008-01-09 08:41 . 2008-01-09 08:52 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\SmartDraw
2008-01-09 08:21 . 2008-01-09 08:41 <DIR> d-------- C:\Program Files\SmartDraw 2008
2008-01-08 23:40 . 2008-01-08 23:40 54 --a------ C:\WINDOWS\GECKOS.INI
2008-01-08 22:55 . 2008-01-08 22:55 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\Eltima Software
2008-01-08 21:42 . 2003-10-02 16:09 180,224 --a------ C:\WINDOWS\system32\xwsindex.exe
2008-01-08 21:41 . 2008-01-08 21:41 <DIR> d-------- C:\WINDOWS\system32\Xara
2008-01-08 21:41 . 2008-01-08 21:41 <DIR> d-------- C:\Program Files\Xara
2008-01-08 21:41 . 2008-01-08 21:41 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\Xara
2008-01-08 21:41 . 2003-10-17 14:03 876,544 --a------ C:\WINDOWS\system32\XaraDocG.dll
2008-01-08 21:41 . 2003-10-14 15:49 253,952 --a------ C:\WINDOWS\system32\TemplOp.dll
2008-01-08 21:41 . 2003-10-01 14:49 131,072 --a------ C:\WINDOWS\system32\BmpImporter.dll
2008-01-08 21:41 . 2003-10-17 14:03 126,976 --a------ C:\WINDOWS\system32\TemplMan.dll
2008-01-08 21:41 . 2003-11-13 12:13 118,784 --a------ C:\WINDOWS\system32\XMUpload.dll
2008-01-08 21:41 . 2000-05-21 23:00 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-08 21:41 . 2002-01-10 03:01 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-01-08 21:41 . 2003-05-19 16:18 86,016 --a------ C:\WINDOWS\system32\BinCoder.dll
2008-01-08 21:41 . 2003-10-06 14:45 23,552 --a------ C:\WINDOWS\system32\XFontMan.dll
2008-01-08 18:03 . 2008-01-08 18:03 <DIR> d-------- C:\Documents and Settings\KRBK\Application Data\Thinstall
2008-01-08 18:01 . 2008-01-08 18:01 <DIR> d-------- C:\Program Files\Eltima Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 01:42 --------- d-----w C:\Program Files\FlashGet
2008-02-06 11:38 --------- d-----w C:\Program Files\MSN Messenger
2008-02-06 09:32 --------- d-----w C:\Program Files\BatchPhoto
2008-01-22 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 00:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-14 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-11 14:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-04 02:09 --------- d-----w C:\Program Files\GVZ
2008-01-04 01:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-03 00:14 --------- d-----w C:\Program Files\iFoxSoft
2008-01-02 21:59 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-02 21:58 --------- d-----w C:\Program Files\Macromedia
2007-12-30 00:38 --------- d-----w C:\Program Files\Winamp
2007-12-30 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\SRS Labs
2007-12-30 00:11 --------- d-----w C:\Program Files\SRS Labs
2007-12-29 23:56 --------- d-----w C:\Program Files\Acon Digital Media
2007-12-29 21:03 --------- d-----w C:\Documents and Settings\KRBK\Application Data\Nero
2007-12-29 21:02 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-29 21:01 --------- d-----w C:\Program Files\Nero
2007-12-29 21:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-29 15:21 --------- d-----w C:\Documents and Settings\KRBK\Application Data\AdobeUM
2007-12-29 15:08 --------- d-----w C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2007-12-29 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\ABBYY
2007-12-29 02:02 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-27 22:07 --------- d-----w C:\Program Files\Alcohol Soft
2007-12-27 22:06 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-27 21:50 --------- d-----w C:\Program Files\Microsoft Games
2007-12-26 22:40 --------- d-----w C:\Program Files\DIFX
2007-12-26 12:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-26 09:23 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-25 21:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-25 20:33 --------- d-----w C:\Program Files\MSBuild
2007-12-25 20:33 --------- d-----w C:\Program Files\Microsoft Works
2007-12-25 20:11 155,995 ----a-w C:\WINDOWS\java\Packages\MJ9FLB1B.ZIP
2007-12-25 20:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-25 20:10 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-25 19:46 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-25 19:46 --------- d-----w C:\Program Files\Realtek
2007-12-25 19:26 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-13 17:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-05 00:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-04 23:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-04 23:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-04 23:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-04 23:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-04 23:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-04 23:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-04 23:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-04 23:41 5,611,520 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-12-04 23:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-04 23:41 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-12-04 23:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-04 23:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-04 23:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-04 23:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-04 23:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-04 23:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-04 23:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-04 23:41 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-12-04 23:41 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-12-04 23:41 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-12-04 23:41 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-12-04 23:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-12-04 23:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-12-04 23:41 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-12-04 23:41 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-12-04 23:41 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-12-04 23:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-04 23:41 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-12-04 23:41 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-12-04 23:41 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-12-04 23:41 3,715,072 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-12-04 23:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-04 23:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-04 23:41 3,334,144 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-12-04 23:41 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-12-04 23:41 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-12-04 23:41 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-12-04 23:41 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-12-04 23:41 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-12-04 23:41 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll
2007-12-04 23:41 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-12-04 23:41 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-12-04 23:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-12-04 23:41 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-12-04 23:41 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-12-04 23:41 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-12-04 23:41 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-12-04 23:41 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-12-04 23:41 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-12-04 23:41 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-12-04 23:41 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27D87037-E9C5-4E6C-B05A-C325AB0F3E11}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A324CDE-971B-4EEB-B7CF-914B51A0E44C}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58FEE910-23BF-4EA9-8303-F371C2BB5EA1}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6049A6DF-B161-4C3F-BF2D-2F2BDF69C9BA}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A40E78E9-4CB3-4EFC-8067-3C4E7FB41B0E}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A56A07BF-2723-454B-B421-0E46581CCA8B}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:45 15360]
"ThePrivacyGuard"="C:\Program Files\The Privacy Guard\ThePrivacyGuard.exe" [2007-03-06 10:56 1512448]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"Camfrog"="C:\Program Files\Common Files\Microsoft Shared\EURO\muro\Camfrog Video Chat\CamfrogNet.exe" [2003-09-29 08:22 36352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-13 02:59 249896]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-01-07 17:56 1816208]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 09:45 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 09:45 33280 C:\WINDOWS\system32\rundll32.exe]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-15 13:21 675840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:45 15360]

C:\Documents and Settings\All Users\Start Menu\Programlar\BaŸlang‡\
GammaTray.lnk - C:\Program Files\MagicTune Premium\GammaTray.exe [2008-01-23 00:40:06 36864]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Adobe Reader Hızlı Çalıştırma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\Adobe Reader Hızlı Çalıştırma.lnk
backup=C:\WINDOWS\pss\Adobe Reader Hızlı Çalıştırma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^GammaTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\GammaTray.lnk
backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^KRBK^Start Menu^Programlar^Başlangıç^Adobe Gamma.lnk]
path=C:\Documents and Settings\KRBK\Start Menu\Programlar\Başlangıç\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^KRBK^Start Menu^Programlar^Başlangıç^OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnk]
path=C:\Documents and Settings\KRBK\Start Menu\Programlar\Başlangıç\OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2006-11-20 06:00 116096 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
--a------ 2004-12-17 00:38 290816 C:\Program Files\ABBYY FineReader 7.0 Professional Edition\ABBYYNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
--a------ 2007-02-12 14:50 20480 C:\WINDOWS\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:57 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2006-09-15 13:21 675840 C:\WINDOWS\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-01-04 20:56 5367664 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe

R3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-01-26 16:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cfec42e-b4c8-11dc-b53e-00508d9e577f}]
\Shell\AutoRun\command - F:\setup.exe /autorun

*Newly Created Service* - RZJGVNAF
.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 23:09:24 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job"
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exeW-PTE -V900 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X
"2008-01-28 00:00:01 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 04:21:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-08 4:22:06
ComboFix2.txt 2008-02-08 01:55:41
......................................................................................
Lastly here is the new hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:29:36, on 08.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Hijack\Analyze.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27D87037-E9C5-4E6C-B05A-C325AB0F3E11} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: (no name) - {2A324CDE-971B-4EEB-B7CF-914B51A0E44C} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {58FEE910-23BF-4EA9-8303-F371C2BB5EA1} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: (no name) - {6049A6DF-B161-4C3F-BF2D-2F2BDF69C9BA} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A40E78E9-4CB3-4EFC-8067-3C4E7FB41B0E} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: (no name) - {A56A07BF-2723-454B-B421-0E46581CCA8B} - C:\WINDOWS\system32\davcln.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\Program Files\The Privacy Guard\ThePrivacyGuard.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Camfrog] "C:\Program Files\Common Files\Microsoft Shared\EURO\muro\Camfrog Video Chat\CamfrogNet.exe" 1 C:\Program Files\Common Files\Microsoft Shared\EURO\muro\Camfrog Video Chat\Camfrog Video Chat.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: GammaTray.lnk = ?
O8 - Extra context menu item: Microsoft Excel'e &Ver - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: SWF Capture tool - C:\Program Files\Eltima Software\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: OneNote'a Gönder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: OneNote'a G&önder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O16 - DPF: {3AEECF42-EFE4-4AC8-AE9E-83C031EC09AB} (GamyunNetToolbar) - http://server.gamyun.net/plugin/GamyunIeToolbar.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - http://reporteokul.meb.gov.tr/crystalre ... viewer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8617 bytes
vakar
Active Member
 
Posts: 12
Joined: February 6th, 2008, 3:48 pm

Re: Need your suggestions!

Unread postby chryssi2001 » February 8th, 2008, 8:54 am

Hi vakar, thanks for the reports. I need some time to check them and will be back. :)
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need your suggestions!

Unread postby chryssi2001 » February 8th, 2008, 3:11 pm

Hello vakar,

How come you renamed HijackThis.exe and moved HijackThis to its own folder?
I see some lines missing from your previous HijackThis log.
Do you get help elsewhere?
-------------------------------------------------
I need some information from you.

C:\Documents and Settings\Administrator\Sik Kullanilanlar
C:\Documents and Settings\Administrator\Belgelerim

Can you tell me in English what the above programs/folders are? I suppose they are named in your own language.

C:\WINDOWS\java\Packages\MJ9FLB1B.ZIP

I also can't find any information about this zip file, which is in the Java packages folder.
Did you download it yourself? Do you know what it is?
-------------------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\drivers\swxvpsqf.dat

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish, then copy and paste the results in your next response.

Do the same for this file too:
C:\WINDOWS\system32\drivers\gdeydjhjsxcb.sys

-------------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {3AEECF42-EFE4-4AC8-AE9E-83C031EC09AB} (GamyunNetToolbar) - http://server.gamyun.net/plugin/GamyunIeToolbar.cab


Then close all windows except HijackThis and click Fix Checked.
Close HijackThis.
-------------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=27663
    
    File::
    C:\WINDOWS\181.tmp
    
    Collect:: 
    C:\WINDOWS\system32\davcln.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27D87037-E9C5-4E6C-B05A-C325AB0F3E11}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A324CDE-971B-4EEB-B7CF-914B51A0E44C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58FEE910-23BF-4EA9-8303-F371C2BB5EA1}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6049A6DF-B161-4C3F-BF2D-2F2BDF69C9BA}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A40E78E9-4CB3-4EFC-8067-3C4E7FB41B0E}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A56A07BF-2723-454B-B421-0E46581CCA8B}]
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
-------------------------------------------------
Post back:
Answer if you are getting help elsewhere.
Jotti results for the 2 files.
Information about:
Programs in your language, and MJ9FLB1B.ZIP
Combofix report.
A new HijackThis log.
Is the pc running better?
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
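The triage chryssi2001 did by eye on the R1 and O2 lines above (orphaned CLSIDs with "(no file)", one unnamed DLL registered under six different CLSIDs, an empty ProxyServer value) can be written down as a check over the log text. This is an added example, not code from the thread, from HijackThis or from ComboFix; the severity labels, the function names and the cfscript_registry_block helper are this example's own, and the sample lines are copied from the HijackThis log posted earlier in the thread.

```python
"""Triage HijackThis R1/O2 lines for the patterns acted on in this thread."""
import re
from collections import defaultdict

# Sample input: the R1 and O2 lines copied from the HijackThis log in this
# thread, embedded here so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27D87037-E9C5-4E6C-B05A-C325AB0F3E11} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: (no name) - {2A324CDE-971B-4EEB-B7CF-914B51A0E44C} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {58FEE910-23BF-4EA9-8303-F371C2BB5EA1} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: (no name) - {6049A6DF-B161-4C3F-BF2D-2F2BDF69C9BA} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A40E78E9-4CB3-4EFC-8067-3C4E7FB41B0E} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: (no name) - {A56A07BF-2723-454B-B421-0E46581CCA8B} - C:\WINDOWS\system32\davcln.dll
"""

# Line shapes as HijackThis 2.0.2 prints them:
#   "O2 - BHO: <name> - {CLSID} - <path>"   and   "R1 - <key>,<value name> = <data>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")


def parse_bhos(text):
    """Return (name, clsid, path) for every O2 line in a HijackThis log."""
    rows = []
    for line in text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            rows.append((m["name"], m["clsid"], m["path"]))
    return rows


def parse_r1(text):
    """Return (key, value_name, data) for every R1 line."""
    rows = []
    for line in text.splitlines():
        m = R1_RE.match(line.strip())
        if m:
            rows.append((m["key"], m["value"], m["data"]))
    return rows


def triage(text):
    """Score each R1/O2 line. Severity labels are this example's own:

    suspicious : one DLL registered under several CLSIDs and carrying no display
                 name (the davcln.dll pattern; vendor BHOs register once, named)
    review     : only one of those two traits, or a non-empty proxy setting
    cleanup    : orphaned CLSID with no file, or an empty ProxyServer value
    """
    findings = []
    clsids_by_dll = defaultdict(list)
    for _name, clsid, path in parse_bhos(text):
        clsids_by_dll[path.lower()].append(clsid)
    for name, clsid, path in parse_bhos(text):
        reasons = []
        if path == "(no file)":
            severity = "cleanup"
            reasons.append("CLSID points at a file that no longer exists")
        else:
            n = len(clsids_by_dll[path.lower()])
            if n > 1:
                reasons.append(f"same DLL registered under {n} different CLSIDs")
            if name == "(no name)":
                reasons.append("BHO has no display name")
            severity = {2: "suspicious", 1: "review"}.get(len(reasons))
        if severity:
            findings.append({"kind": "O2", "clsid": clsid, "path": path,
                             "severity": severity, "reasons": reasons})
    for key, value, data in parse_r1(text):
        if value != "ProxyServer":
            continue
        empty = data.strip(" :") == ""
        findings.append({"kind": "R1", "clsid": None, "path": f"{key},{value}",
                         "severity": "cleanup" if empty else "review",
                         "reasons": ["empty ProxyServer value left behind" if empty
                                     else f"proxy set to {data!r}; confirm it is expected"]})
    return findings


def cfscript_registry_block(findings):
    """Render the 'suspicious' CLSIDs as a Registry:: section in the [-key] delete
    syntax of the CFScript above ('~' is ComboFix's shorthand copied from it)."""
    lines = ["Registry::"]
    for f in findings:
        if f["kind"] == "O2" and f["severity"] == "suspicious":
            lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{f['clsid']}]")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:<10} {f['clsid'] or f['path']}: {'; '.join(f['reasons'])}")
    print(cfscript_registry_block(triage(SAMPLE_LOG)))
```

Run against the sample, the Acrobat and Spybot BHOs produce no finding, the six davcln.dll registrations come out "suspicious", and the two "(no file)" entries plus the empty proxy value come out "cleanup", matching the fix list and CFScript above.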

Re: Need your suggestions!

Unread postby vakar » February 11th, 2008, 6:49 pm

Hi Chryssi2001,
thanks for your priceless suggestions and help. I think I solved it by doing everything you told me. You are marvellous.
And here are my replies to what you asked me to do.

1. I renamed HijackThis because, while I was searching on the internet, I came across some information saying that if I renamed HijackThis the malware wouldn't notice the program. Otherwise the malware can notice it and try to stop it. That's why I renamed it. (Is that true? It seemed logical to me.) :roll:

2. - For the file C:\WINDOWS\system32\drivers\swxvpsqf.dat Jotti result is this message:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
- For the file C:\WINDOWS\system32\drivers\gdeydjhjsxcb.sys the Jotti result found nothing. It was clean.

3. I am Turkish. Sik kullanılanlar = Favourites and
Belgelerim = My Documents. These are Turkish words.

4. Here is my new combofix log file:
ComboFix 08-02.05.3 - KRBLK 2008-02-12 0:00:36.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.1539 [GMT 2:00]
Running from: C:\Documents and Settings\KRBLK\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\KRBLK\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\181.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\181.tmp
C:\WINDOWS\system32\davcln.dll . . . . failed to delete
H:\RECYCLER\desktop.ini
C:\WINDOWS\system32\davcln.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
.

2008-02-11 14:01 . 2008-02-11 14:01 <DIR> d---s---- C:\Documents and Settings\KRBLK\UserData
2008-02-10 13:20 . 2008-02-11 03:14 <DIR> d-------- C:\Documents and Settings\KRBLK\Contacts
2008-02-10 12:40 . 2004-08-04 09:45 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-10 12:39 . 2008-02-11 02:49 <DIR> d-------- C:\Documents and Settings\KRBLK\Sk Kullanlanlar
2008-02-10 12:39 . 2008-02-11 02:49 <DIR> d-------- C:\Documents and Settings\KRBLK\Belgelerim
2008-02-10 04:50 . 2008-02-10 04:50 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-02-08 04:29 . 2008-02-11 23:54 <DIR> d-------- C:\Hijack
2008-02-08 04:20 . 2004-08-04 09:45 387,584 --a------ C:\kmd.exe
2008-02-08 04:06 . 19,584 C:\WINDOWS\system32\drivers\swxvpsqf.dat
2008-02-07 03:08 . 2008-02-07 03:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-02-06 13:26 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-06 11:22 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\gdeydjhjsxcb.sys
2008-02-06 11:11 . 2008-02-06 13:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 11:11 . 2008-02-06 13:25 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-06 11:11 . 2008-02-06 13:25 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 11:11 . 2008-02-06 13:25 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-06 11:04 . 2008-02-06 11:04 <DIR> d-------- C:\Program Files\CCleaner
2008-01-28 13:27 . 2008-02-08 03:43 <DIR> d-------- C:\Program Files\The Privacy Guard
2008-01-28 05:42 . 2008-01-30 01:32 32 --a------ C:\WINDOWS\go
2008-01-27 00:00 . 2008-01-27 00:00 <DIR> d-------- C:\WINDOWS\Sun
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Program Files\Webroot
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-26 23:30 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-01-26 23:30 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-26 23:30 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-26 23:30 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-26 23:30 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-26 21:49 . 2008-01-26 21:49 <DIR> d-------- C:\Program Files\LimeWire
2008-01-25 03:12 . 2008-01-25 03:14 <DIR> d-------- C:\Documents and Settings\Administrator\Sk Kullanlanlar
2008-01-25 03:12 . 2007-12-25 21:57 <DIR> d-------- C:\Documents and Settings\Administrator\Belgelerim
2008-01-25 01:20 . 2008-01-25 01:20 <DIR> d-------- C:\NVIDIA
2008-01-25 01:20 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-25 01:09 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 00:56 . 2008-01-25 00:56 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-01-25 00:50 . 2008-01-25 00:58 127,254 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-25 00:50 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-25 00:50 . 2007-06-29 00:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.xml
2008-01-23 00:40 . 2008-02-06 13:37 <DIR> d-------- C:\Program Files\MagicTune Premium
2008-01-23 00:40 . 2007-11-23 19:19 13,056 --a------ C:\WINDOWS\system32\drivers\MTiCtwl.sys
2008-01-19 04:02 . 2008-02-06 13:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-19 04:02 . 2008-02-11 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-19 02:49 . 2008-01-19 02:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-19 02:20 . 2008-02-06 13:34 <DIR> d-------- C:\Program Files\Bonjour
2008-01-19 02:12 . 2008-01-19 02:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-18 00:19 . 2008-01-18 00:19 <DIR> d-------- C:\Program Files\Business Objects
2008-01-16 03:42 . 2008-02-06 13:32 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-13 02:55 . 2008-01-13 02:55 <DIR> d-------- C:\Program Files\Avira
2008-01-13 02:55 . 2008-01-13 02:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-13 02:25 . 2008-01-13 02:25 <DIR> d-------- C:\Program Files\Common Files\snp2std
2008-01-13 02:25 . 2007-01-26 16:48 12,028,032 --a------ C:\WINDOWS\system32\drivers\snp2sxp.sys
2008-01-13 02:25 . 2006-09-15 13:21 675,840 --a------ C:\WINDOWS\vsnp2std.exe
2008-01-13 02:25 . 2006-10-03 14:35 249,856 --a------ C:\WINDOWS\system32\vsnp2std.dll
2008-01-13 02:25 . 2007-02-05 15:25 151,552 --a------ C:\WINDOWS\system32\rsnp2std.dll
2008-01-13 02:25 . 2006-11-16 15:57 77,824 --a------ C:\WINDOWS\system32\csnp2std.dll
2008-01-13 02:25 . 2007-01-25 18:48 25,472 --a------ C:\WINDOWS\system32\drivers\sncamd.sys
2008-01-13 02:25 . 2007-02-12 14:50 20,480 --a------ C:\WINDOWS\FixCamera.exe
2008-01-13 02:25 . 2004-12-09 17:23 15,497 --a------ C:\WINDOWS\snp2std.ini
2008-01-13 02:25 . 2004-12-09 17:23 13,022 --a------ C:\WINDOWS\snp2std.src
2008-01-13 02:20 . 2008-01-13 02:20 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-01-13 02:20 . 2008-01-13 02:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 02:20 . 2008-01-13 02:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-12 23:32 . 2008-01-12 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-12 03:01 . 2008-01-12 03:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-12 02:37 . 2008-02-06 11:32 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2008-01-11 17:09 . 2008-01-11 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-11 16:55 . 2008-01-25 01:09 <DIR> d-------- C:\Program Files\Java
2008-01-11 16:52 . 2008-01-11 16:52 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-11 00:50 . 2004-08-04 09:45 84,480 --a------ C:\WINDOWS\system32\davcln.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 01:42 --------- d-----w C:\Program Files\FlashGet
2008-02-06 11:38 --------- d-----w C:\Program Files\MSN Messenger
2008-02-06 09:32 --------- d-----w C:\Program Files\BatchPhoto
2008-01-22 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 00:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-14 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-11 14:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-09 06:41 --------- d-----w C:\Program Files\SmartDraw 2008
2008-01-08 19:41 --------- d-----w C:\Program Files\Xara
2008-01-08 16:01 --------- d-----w C:\Program Files\Eltima Software
2008-01-04 02:09 --------- d-----w C:\Program Files\GVZ
2008-01-04 01:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-03 00:14 --------- d-----w C:\Program Files\iFoxSoft
2008-01-02 21:59 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-02 21:58 --------- d-----w C:\Program Files\Macromedia
2007-12-30 00:38 --------- d-----w C:\Program Files\Winamp
2007-12-30 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\SRS Labs
2007-12-30 00:11 --------- d-----w C:\Program Files\SRS Labs
2007-12-29 23:56 --------- d-----w C:\Program Files\Acon Digital Media
2007-12-29 21:02 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-29 21:01 --------- d-----w C:\Program Files\Nero
2007-12-29 21:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-29 15:08 --------- d-----w C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2007-12-29 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\ABBYY
2007-12-29 02:02 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-27 22:07 --------- d-----w C:\Program Files\Alcohol Soft
2007-12-27 22:06 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-27 21:50 --------- d-----w C:\Program Files\Microsoft Games
2007-12-26 22:40 --------- d-----w C:\Program Files\DIFX
2007-12-26 12:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-26 09:23 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-25 21:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-25 20:33 --------- d-----w C:\Program Files\MSBuild
2007-12-25 20:33 --------- d-----w C:\Program Files\Microsoft Works
2007-12-25 20:11 155,995 ----a-w C:\WINDOWS\java\Packages\MJ9FLB1B.ZIP
2007-12-25 20:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-25 20:10 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-25 19:46 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-25 19:46 --------- d-----w C:\Program Files\Realtek
2007-12-25 19:26 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-13 17:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-05 00:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-04 23:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-04 23:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-04 23:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-04 23:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-04 23:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-04 23:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-04 23:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-04 23:41 5,611,520 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-12-04 23:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-04 23:41 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-12-04 23:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-04 23:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-04 23:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-04 23:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-04 23:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-04 23:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-04 23:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-04 23:41 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-12-04 23:41 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-12-04 23:41 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-12-04 23:41 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-12-04 23:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-12-04 23:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-12-04 23:41 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-12-04 23:41 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-12-04 23:41 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-12-04 23:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-04 23:41 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-12-04 23:41 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-12-04 23:41 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-12-04 23:41 3,715,072 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-12-04 23:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-04 23:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-04 23:41 3,334,144 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-12-04 23:41 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-12-04 23:41 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-12-04 23:41 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-12-04 23:41 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-12-04 23:41 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-12-04 23:41 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll
2007-12-04 23:41 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-12-04 23:41 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-12-04 23:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-12-04 23:41 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-12-04 23:41 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-12-04 23:41 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-12-04 23:41 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-12-04 23:41 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-12-04 23:41 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-12-04 23:41 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27D87037-E9C5-4E6C-B05A-C325AB0F3E11}]
2004-08-04 09:45 84480 --a------ C:\WINDOWS\system32\davcln.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:45 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-13 02:59 249896]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-01-07 17:56 1816208]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 09:45 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 09:45 33280 C:\WINDOWS\system32\rundll32.exe]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-15 13:21 675840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:45 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Adobe Reader Hızlı Çalıştırma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\Adobe Reader Hızlı Çalıştırma.lnk
backup=C:\WINDOWS\pss\Adobe Reader Hızlı Çalıştırma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^GammaTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\GammaTray.lnk
backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^KRBK^Start Menu^Programlar^Başlangıç^Adobe Gamma.lnk]
path=C:\Documents and Settings\KRBK\Start Menu\Programlar\Başlangıç\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^KRBK^Start Menu^Programlar^Başlangıç^OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnk]
path=C:\Documents and Settings\KRBK\Start Menu\Programlar\Başlangıç\OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2006-11-20 06:00 116096 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
--a------ 2004-12-17 00:38 290816 C:\Program Files\ABBYY FineReader 7.0 Professional Edition\ABBYYNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
--a------ 2007-02-12 14:50 20480 C:\WINDOWS\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:57 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2006-09-15 13:21 675840 C:\WINDOWS\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-01-04 20:56 5367664 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe

R0 rzjgvnaf;rzjgvnaf;C:\WINDOWS\system32\drivers\swxvpsqf.dat []
R3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-01-26 16:48]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-11 22:02:47 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job"
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exeW-PTE -V900 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X
"2008-01-28 00:00:01 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 00:02:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-02-12 0:04:45 - machine was rebooted [KRBLK]
ComboFix-quarantined-files.txt 2008-02-11 22:04:42
ComboFix2.txt 2008-02-08 02:22:07
ComboFix3.txt 2008-02-08 01:55:41
----------------------------------------------------------------------------------------------------------
5. Here is my new Hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:45:38, on 12.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijack\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27D87037-E9C5-4E6C-B05A-C325AB0F3E11} - C:\WINDOWS\system32\davcln.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: GammaTray.lnk = ?
O8 - Extra context menu item: Microsoft Excel'e &Ver - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: OneNote'a Gönder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: OneNote'a G&önder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - http://reporteokul.meb.gov.tr/crystalre ... viewer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7281 bytes


6. Lastly, I did everything you told me. I think the problem has gone. I made a few searches and the problem did not occur.
Thank you so much. If it repeats I will write you again. Best wishes.
vakar
Active Member
 
Posts: 12
Joined: February 6th, 2008, 3:48 pm

Re: Need your suggestions!

Unread postby vakar » February 11th, 2008, 7:04 pm

Hello again

Chryssi, when I open a page or start a program Avira AntiVir warns me. I attached the file. Is the computer still infected? What else can we do? Thanks.
vakar
Active Member
 
Posts: 12
Joined: February 6th, 2008, 3:48 pm

Re: Need your suggestions!

Unread postby chryssi2001 » February 12th, 2008, 2:14 am

Hello vakar,

Yes, the file is still there. It looks stubborn. Hang on and we'll remove it.

I need some time to review your reports. Meanwhile, tell me if you know what this zip file is:
C:\WINDOWS\java\Packages\MJ9FLB1B.ZIP

I also can't find any information about this zip file, which is in the Java packages folder.
Did you download it yourself? Do you know what it is?
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need your suggestions!

Unread postby chryssi2001 » February 12th, 2008, 8:44 am

Hello vakar,

I renamed Hijackthis, because while I was searching on the internet I came across some information telling that if I renamed the hijackthis the malwares won't notice the program. Otherwise malwares can notice and try to stop it. That's why I renamed it. (Is that true? It seemed to be logical to me.)

It is logical and sometimes needed, but it wasn't this time and I was surprised because I didn't ask you to do it.
-------------------------------------------------
Please don't forget to let me know what the zip file below is and whether you intentionally installed it on your PC:

C:\WINDOWS\java\Packages\MJ9FLB1B.ZIP
-------------------------------------------------
We need to repeat some steps to remove that stubborn infected file now.
Please stay with me after the infected file is gone until I give you the all clean.
-------------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {27D87037-E9C5-4E6C-B05A-C325AB0F3E11} - C:\WINDOWS\system32\davcln.dll


Then close all windows except Hijackthis and click Fix Checked.
Close HijackThis.
-------------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=27663
    
    Collect::
    C:\WINDOWS\system32\davcln.dll
    C:\WINDOWS\system32\drivers\swxvpsqf.dat
    
    Driver::
    rzjgvnaf
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27D87037-E9C5-4E6C-B05A-C325AB0F3E11}]
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
-------------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Tell me if the pc runs better now.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
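A small log-triage helper, added here as an example and not part of this thread or of HijackThis/ComboFix: it flags the two patterns chryssi2001 scripted for removal above (a BHO reported as "(no name)", and an R0 boot-start driver whose image is not a .sys file or carries no file date) and renders the CFScript sections (Collect::, Driver::, Registry::) in the layout of the post. The sample lines are copied from the logs in this thread; the two regexes are assumptions about the HijackThis and ComboFix line formats.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the HijackThis and ComboFix logs posted
# earlier in this thread. Two of them are the entries chryssi2001 scripted for removal;
# the others are benign neighbours that the triage must leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27D87037-E9C5-4E6C-B05A-C325AB0F3E11} - C:\WINDOWS\system32\davcln.dll
R0 rzjgvnaf;rzjgvnaf;C:\WINDOWS\system32\drivers\swxvpsqf.dat []
R3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-01-26 16:48]
"""

# HijackThis O2 line:  O2 - BHO: <name> - {CLSID} - <dll path>   (assumed layout)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# ComboFix driver line:  R<start> <service>;<display name>;<image path> [<file date, or empty>]
# (assumed layout, inferred from the lines in this thread)
DRV_RE = re.compile(
    r"^R(?P<start>[0-4]) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<ver>[^\]]*)\]$"
)
# ComboFix's abbreviated spelling of the BHO registry key, as used in the post's script.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"


@dataclass
class Findings:
    files: list = field(default_factory=list)      # -> Collect::
    drivers: list = field(default_factory=list)    # -> Driver::
    reg_keys: list = field(default_factory=list)   # -> Registry:: (deleted with a leading '-')
    reasons: list = field(default_factory=list)    # human-readable justification per hit


def triage(log_text):
    """Flag unnamed BHOs and boot-start drivers with an odd image file or no file date."""
    found = Findings()
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            if m["name"].strip() == "(no name)":
                found.files.append(m["path"].strip())
                found.reg_keys.append(f"{BHO_KEY}\\{m['clsid']}")
                found.reasons.append(f"BHO {m['clsid']} has no name: {m['path']}")
            continue
        m = DRV_RE.match(line)
        if m:
            path = m["path"].strip()
            boot_start = m["start"] == "0"          # R0 = loaded at boot, before most defences
            odd_image = not path.lower().endswith(".sys")
            undated = m["ver"].strip() == ""        # ComboFix printed "[]": no file date found
            if boot_start and (odd_image or undated):
                found.drivers.append(m["svc"])
                found.files.append(path)
                found.reasons.append(
                    f"R0 driver {m['svc']} loads {path} (odd image={odd_image}, undated={undated})"
                )
    return found


def render_cfscript(found, header=None):
    """Emit CFScript.txt text in the section layout used in the post above."""
    lines = [header, ""] if header else []
    if found.files:
        lines += ["Collect::", *found.files, ""]
    if found.drivers:
        lines += ["Driver::", *found.drivers, ""]
    if found.reg_keys:
        lines += ["Registry::", *[f"[-{k}]" for k in found.reg_keys], ""]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for reason in hits.reasons:
        print("flagged:", reason)
    print(render_cfscript(hits))
```

The heuristics are deliberately narrow: a benign driver with a date and a .sys image, or a BHO with a name, passes through untouched, so the output is a starting point for a human reviewer, not an automatic verdict.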

Re: Need your suggestions!

Unread postby vakar » February 12th, 2008, 8:10 pm

Hi Chryssi2001,
You work very fast. Thanks a lot. I made a few searches in Google, and when I open a new window AntiVir doesn't warn me. I think this time it's OK. :cheers:

1. Here is the new ComboFix report:

ComboFix 08-02.05.3 - KRBLK 2008-02-13 1:46:30.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.1580 [GMT 2:00]
Running from: C:\Documents and Settings\KRBLK\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\KRBLK\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\davcln.dll
C:\WINDOWS\system32\drivers\swxvpsqf.dat . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RZJGVNAF
-------\rzjgvnaf


((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-12 21:56 . 2008-02-12 21:56 <DIR> d-------- C:\Program Files\Ares
2008-02-12 21:30 . 2008-02-12 21:30 <DIR> d-------- C:\Documents and Settings\KRBLK\Application Data\Nero
2008-02-11 23:55 . 2004-08-04 09:45 387,584 --a------ C:\kmd.exe
2008-02-11 14:01 . 2008-02-11 14:01 <DIR> d---s---- C:\Documents and Settings\KRBLK\UserData
2008-02-10 13:20 . 2008-02-12 22:29 <DIR> d-------- C:\Documents and Settings\KRBLK\Contacts
2008-02-10 12:40 . 2004-08-04 09:45 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-10 12:39 . 2008-02-12 01:13 <DIR> d-------- C:\Documents and Settings\KRBLK\Sk Kullanlanlar
2008-02-10 12:39 . 2008-02-11 02:49 <DIR> d-------- C:\Documents and Settings\KRBLK\Belgelerim
2008-02-10 04:50 . 2008-02-10 04:50 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-02-08 04:29 . 2008-02-13 01:40 <DIR> d-------- C:\Hijack
2008-02-08 04:06 . 2008-02-08 04:06 19,584 --a------ C:\WINDOWS\system32\drivers\swxvpsqf.dat
2008-02-07 03:08 . 2008-02-07 03:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-02-06 13:26 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-06 11:22 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\gdeydjhjsxcb.sys
2008-02-06 11:11 . 2008-02-06 13:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 11:11 . 2008-02-06 13:25 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-06 11:11 . 2008-02-06 13:25 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 11:11 . 2008-02-06 13:25 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-06 11:04 . 2008-02-06 11:04 <DIR> d-------- C:\Program Files\CCleaner
2008-01-28 13:27 . 2008-02-08 03:43 <DIR> d-------- C:\Program Files\The Privacy Guard
2008-01-28 05:42 . 2008-01-30 01:32 32 --a------ C:\WINDOWS\go
2008-01-27 00:00 . 2008-01-27 00:00 <DIR> d-------- C:\WINDOWS\Sun
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Program Files\Webroot
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-26 23:30 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-01-26 23:30 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-26 23:30 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-26 23:30 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-26 23:30 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-26 21:49 . 2008-01-26 21:49 <DIR> d-------- C:\Program Files\LimeWire
2008-01-25 03:12 . 2008-01-25 03:14 <DIR> d-------- C:\Documents and Settings\Administrator\Sk Kullanlanlar
2008-01-25 03:12 . 2007-12-25 21:57 <DIR> d-------- C:\Documents and Settings\Administrator\Belgelerim
2008-01-25 01:20 . 2008-01-25 01:20 <DIR> d-------- C:\NVIDIA
2008-01-25 01:20 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-25 01:09 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 00:56 . 2008-01-25 00:56 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-01-25 00:50 . 2008-01-25 00:58 127,254 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-25 00:50 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-25 00:50 . 2007-06-29 00:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.xml
2008-01-23 00:40 . 2008-02-06 13:37 <DIR> d-------- C:\Program Files\MagicTune Premium
2008-01-23 00:40 . 2007-11-23 19:19 13,056 --a------ C:\WINDOWS\system32\drivers\MTiCtwl.sys
2008-01-19 04:02 . 2008-02-06 13:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-19 04:02 . 2008-02-11 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-19 02:49 . 2008-01-19 02:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-19 02:20 . 2008-02-06 13:34 <DIR> d-------- C:\Program Files\Bonjour
2008-01-19 02:12 . 2008-01-19 02:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-18 00:19 . 2008-01-18 00:19 <DIR> d-------- C:\Program Files\Business Objects
2008-01-16 03:42 . 2008-02-06 13:32 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-13 02:55 . 2008-01-13 02:55 <DIR> d-------- C:\Program Files\Avira
2008-01-13 02:55 . 2008-01-13 02:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-13 02:25 . 2008-01-13 02:25 <DIR> d-------- C:\Program Files\Common Files\snp2std
2008-01-13 02:25 . 2007-01-26 16:48 12,028,032 --a------ C:\WINDOWS\system32\drivers\snp2sxp.sys
2008-01-13 02:25 . 2006-09-15 13:21 675,840 --a------ C:\WINDOWS\vsnp2std.exe
2008-01-13 02:25 . 2006-10-03 14:35 249,856 --a------ C:\WINDOWS\system32\vsnp2std.dll
2008-01-13 02:25 . 2007-02-05 15:25 151,552 --a------ C:\WINDOWS\system32\rsnp2std.dll
2008-01-13 02:25 . 2006-11-16 15:57 77,824 --a------ C:\WINDOWS\system32\csnp2std.dll
2008-01-13 02:25 . 2007-01-25 18:48 25,472 --a------ C:\WINDOWS\system32\drivers\sncamd.sys
2008-01-13 02:25 . 2007-02-12 14:50 20,480 --a------ C:\WINDOWS\FixCamera.exe
2008-01-13 02:25 . 2004-12-09 17:23 15,497 --a------ C:\WINDOWS\snp2std.ini
2008-01-13 02:25 . 2004-12-09 17:23 13,022 --a------ C:\WINDOWS\snp2std.src
2008-01-13 02:20 . 2008-01-13 02:20 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-01-13 02:20 . 2008-01-13 02:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 02:20 . 2008-01-13 02:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-12 23:32 . 2008-01-12 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-12 03:01 . 2008-01-12 03:01 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-12 02:37 . 2008-02-06 11:32 <DIR> d-------- C:\Program Files\TrojanHunter 5.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 01:42 --------- d-----w C:\Program Files\FlashGet
2008-02-06 11:38 --------- d-----w C:\Program Files\MSN Messenger
2008-02-06 09:32 --------- d-----w C:\Program Files\BatchPhoto
2008-01-24 23:09 --------- d-----w C:\Program Files\Java
2008-01-22 22:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-19 00:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-14 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-11 15:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-11 14:52 --------- d-----w C:\Program Files\Common Files\Java
2008-01-11 14:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-09 06:41 --------- d-----w C:\Program Files\SmartDraw 2008
2008-01-08 19:41 --------- d-----w C:\Program Files\Xara
2008-01-08 16:01 --------- d-----w C:\Program Files\Eltima Software
2008-01-04 02:09 --------- d-----w C:\Program Files\GVZ
2008-01-04 01:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-03 00:14 --------- d-----w C:\Program Files\iFoxSoft
2008-01-02 21:59 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-02 21:58 --------- d-----w C:\Program Files\Macromedia
2007-12-30 00:38 --------- d-----w C:\Program Files\Winamp
2007-12-30 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\SRS Labs
2007-12-30 00:11 --------- d-----w C:\Program Files\SRS Labs
2007-12-29 23:56 --------- d-----w C:\Program Files\Acon Digital Media
2007-12-29 21:02 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-29 21:01 --------- d-----w C:\Program Files\Nero
2007-12-29 21:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-29 15:08 --------- d-----w C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2007-12-29 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\ABBYY
2007-12-29 02:02 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-27 22:07 --------- d-----w C:\Program Files\Alcohol Soft
2007-12-27 22:06 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-27 21:50 --------- d-----w C:\Program Files\Microsoft Games
2007-12-26 22:40 --------- d-----w C:\Program Files\DIFX
2007-12-26 12:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-26 09:23 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-25 21:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-25 20:33 --------- d-----w C:\Program Files\MSBuild
2007-12-25 20:33 --------- d-----w C:\Program Files\Microsoft Works
2007-12-25 20:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-25 20:10 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-25 19:46 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-25 19:46 --------- d-----w C:\Program Files\Realtek
2007-12-25 19:26 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-13 17:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-05 00:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-04 23:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-04 23:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-04 23:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-04 23:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-04 23:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-04 23:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-04 23:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-04 23:41 5,611,520 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-12-04 23:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-04 23:41 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-12-04 23:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-04 23:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-04 23:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-04 23:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-04 23:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-04 23:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-04 23:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-04 23:41 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-12-04 23:41 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-12-04 23:41 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-12-04 23:41 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-12-04 23:41 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-12-04 23:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-12-04 23:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-12-04 23:41 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-12-04 23:41 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-12-04 23:41 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-12-04 23:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-04 23:41 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-12-04 23:41 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-12-04 23:41 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-12-04 23:41 3,715,072 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-12-04 23:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-04 23:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-04 23:41 3,334,144 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-12-04 23:41 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-12-04 23:41 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-12-04 23:41 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-12-04 23:41 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-12-04 23:41 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-12-04 23:41 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll
2007-12-04 23:41 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-12-04 23:41 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-12-04 23:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-12-04 23:41 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-12-04 23:41 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-12-04 23:41 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-12-04 23:41 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-12-04 23:41 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-12-04 23:41 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:45 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 19:10 1688872]
"ares"="C:\Program Files\Ares\Ares.exe" [2007-12-31 16:29 962560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-13 02:59 249896]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-01-07 17:56 1816208]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 09:45 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 09:45 33280 C:\WINDOWS\system32\rundll32.exe]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-15 13:21 675840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:45 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Adobe Reader Hızlı Çalıştırma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\Adobe Reader Hızlı Çalıştırma.lnk
backup=C:\WINDOWS\pss\Adobe Reader Hızlı Çalıştırma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^GammaTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\GammaTray.lnk
backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^KRBK^Start Menu^Programlar^Başlangıç^Adobe Gamma.lnk]
path=C:\Documents and Settings\KRBK\Start Menu\Programlar\Başlangıç\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^KRBK^Start Menu^Programlar^Başlangıç^OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnk]
path=C:\Documents and Settings\KRBK\Start Menu\Programlar\Başlangıç\OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2006-11-20 06:00 116096 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
--a------ 2004-12-17 00:38 290816 C:\Program Files\ABBYY FineReader 7.0 Professional Edition\ABBYYNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
--a------ 2007-02-12 14:50 20480 C:\WINDOWS\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:57 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2006-09-15 13:21 675840 C:\WINDOWS\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-01-04 20:56 5367664 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe

R3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-01-26 16:48]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-12 23:49:08 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job"
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
"2008-01-28 00:00:01 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 01:49:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-02-13 1:51:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-12 23:51:02
ComboFix2.txt 2008-02-11 22:04:46
ComboFix3.txt 2008-02-08 02:22:07
ComboFix4.txt 2008-02-08 01:55:41

========================================================================================

2. Here is the new Hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:53:47, on 13.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijack\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: GammaTray.lnk = ?
O8 - Extra context menu item: Microsoft Excel'e &Ver - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: OneNote'a Gönder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: OneNote'a G&önder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - http://reporteokul.meb.gov.tr/crystalre ... viewer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7125 bytes


I can frankly say that, thanks to your help, my computer is working without the malware disturbing it. It is all up to you. Thank you. I hope after you study the report you will give me the good news.

Chryssi2001, after all you did I want to ask you a question. (But please answer my questions if you have time. I don't want to waste your priceless time.) Here is my question.
I wish I could understand the commands that you asked me to copy and paste into the CFScript notepad. Can you interpret them a little for me? Take care
vakar
Active Member
 
Posts: 12
Joined: February 6th, 2008, 3:48 pm
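
The HijackThis log above is read by eye in this thread. As an added example, not part of the original post and not a tool used by the MalwareRemoval.com helpers, the Python script below parses the O2, O4, O16 and O23 line shapes that HijackThis 2.0.2 prints, resolves the DLL behind a rundll32 entry (the NvCplDaemon and NvMediaCenter lines above), and attaches review hints. The sample lines are constructed to match the log format above; the P2P name list and every hint are assumptions chosen to mirror what the helper points at in this thread, and a hint marks a line for a human to look at, not a malware verdict.

```python
"""Triage helper for HijackThis 2.x log lines (O2, O4, O16, O23).

Added example for this thread, not a tool used by the helpers here. It
parses the line shapes shown in the posted log, resolves the DLL behind a
rundll32 host entry and attaches review hints. A hint means "look at this
line", never "this is malware".
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: GammaTray.lnk = ?
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# P2P clients named in this thread; assumption: matched on the O4 entry name.
P2P_NAMES = {"ares", "limewire"}

_QUOTED = re.compile(r'^"(?P<img>[^"]+)"\s*(?P<args>.*)$')
# Unquoted command: drive-rooted path up to the first executable extension.
_UNQUOTED = re.compile(
    r'^(?P<img>[A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr|com|bat|cmd))\b\s*(?P<args>.*)$',
    re.IGNORECASE)
_DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^,\s]+')
_O4_RUN = re.compile(r'^O4 - (?P<loc>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
_O4_STARTUP = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<target>.*)$')
_O16 = re.compile(r'^O16 - DPF: \{[^}]+\} \((?P<name>[^)]+)\) - (?P<url>\S+)$')


@dataclass
class Finding:
    section: str                 # O2, O4, O16 or O23
    name: str                    # entry name as HijackThis prints it
    image: str                   # file, DLL or URL that actually runs
    hints: list = field(default_factory=list)


def _split_command(cmd):
    """Split an O4 command into (image, arguments)."""
    m = _QUOTED.match(cmd) or _UNQUOTED.match(cmd)
    if m:
        return m.group("img"), m.group("args")
    parts = cmd.split(None, 1) or [""]   # bare file name such as RTHDCPL.EXE
    return parts[0], (parts[1] if len(parts) > 1 else "")


def _hints_for_image(image):
    low = image.lower()
    if "\\" not in low:
        return ["no directory: resolved through the PATH search order"]
    if low.startswith("c:\\windows\\") and not low.startswith(
            ("c:\\windows\\system32\\", "c:\\windows\\system\\")):
        return ["executable directly in the Windows directory"]
    return []


def parse_line(line):
    """Return a Finding for a supported line, or None for anything else."""
    line = line.strip()
    m = _O4_RUN.match(line)
    if m:
        image, args = _split_command(m.group("cmd"))
        if image.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
            # rundll32 is only the host; the DLL it loads is the real autostart.
            dll = _DRIVE_PATH.search(args)
            if dll:
                image = dll.group(0)
        hints = _hints_for_image(image)
        if m.group("name").lower() in P2P_NAMES:
            hints.append("P2P client (uninstall or leave unused until clean)")
        return Finding("O4", m.group("name"), image, hints)
    m = _O4_STARTUP.match(line)
    if m:
        target = m.group("target")
        hints = (["shortcut target not resolved by HijackThis"]
                 if target == "?" else _hints_for_image(target))
        return Finding("O4", m.group("name"), target, hints)
    m = _O16.match(line)
    if m:
        hints = []
        if m.group("url").lower().startswith("http://"):
            hints.append("ActiveX package fetched over plain http")
        return Finding("O16", m.group("name"), m.group("url"), hints)
    if line.startswith(("O2 - BHO: ", "O23 - Service: ")):
        parts = line.split(" - ", 3)          # tag, label, CLSID/owner, path
        if len(parts) == 4:
            section, label, middle, path = parts
            hints = _hints_for_image(path)
            if section == "O23" and middle == "Unknown owner":
                hints.append("service binary carries no vendor information")
            return Finding(section, label.split(": ", 1)[1], path, hints)
    return None


def triage(log_text):
    """All parsed findings from a log, in file order."""
    return [f for f in map(parse_line, log_text.splitlines()) if f]


def flagged(log_text):
    """Only the findings that carry at least one review hint."""
    return [f for f in triage(log_text) if f.hints]


if __name__ == "__main__":
    for f in flagged(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] -> {f.image}")
        for h in f.hints:
            print("    review:", h)
```

Run it as-is to see which of the sample entries get a hint; for a saved log, triage(open(path).read()) returns every parsed entry and flagged(...) only those with hints. Sections the script does not understand (R0, O8, O9, O18) are skipped rather than guessed at, and the owner field of an O23 line is only the company name HijackThis read from the binary, so "Unknown owner" (MagicTuneEngine above) means that information is missing, nothing more.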

Re: Need your suggestions!

Unread post by chryssi2001 » February 13th, 2008, 8:36 am

Hello vakar,

I wish I could understand the commands that you asked me to copy and paste into the CFScript notepad. Can you interpret them a little for me?

I can't go into much detail about this.

You must understand firstly that Combofix is a very powerful tool and shouldn't be used without guidance from an expert. A CFScript should be created by an expert too, who knows the commands and how to use them.
The CFScript I gave you was to remove the bad infected files and remove an infected registry item.
Please do not use Combofix without guidance.

If you are interested in fighting malware, learning how to use the tools to do it and becoming an authorised helper, you can sign up for Malware Removal University for training.
You can read about it and apply here:
http://www.malwareremoval.com/forum/viewtopic.php?t=233

Now let's try to finish cleaning your pc. ;)
----------------------------------------------------
Reminder
Please don't forget to let me know what the zip file below is and whether you intentionally installed it on your pc:

C:\WINDOWS\java\Packages\MJ9FLB1B.ZIP
----------------------------------------------------
P2P PROGRAMS

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Ares

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you choose not to remove them, please do not use them until this computer is clean.
----------------------------------------------------
Please double-click on Combofix.exe (on your desktop) and run the tool once more, without a script this time.
Post back the report.
----------------------------------------------------
Run the Kaspersky Online AV Scanner
Using Internet Explorer, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
----------------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Kaspersky report.
Information about: C:\WINDOWS\java\Packages\MJ9FLB1B.ZIP
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Need your suggestions!

Unread post by vakar » February 16th, 2008, 10:44 pm

Hi again Chryssi,
how are you doing? I hope everything is OK. Thanks for your sincere advice.
Well, I really don't know what the file MJ9FLB1B.ZIP is. I scanned it with some antivirus programs but they detected nothing, so I deleted the file.
And about P2P, my little sister uses it to find some videos or songs. I don't really use them.

Yes, I am interested in fighting malware. I see many people around having problems with malware. But they don't know English to ask for help. So they often come to me and ask me. I want to help them. That is why I asked about your directions. I also know that fighting malware requires being an expert.

Here is my recent combofix log:

ComboFix 08-02-17.2 - KRBLK 2008-02-17 4:24:23.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.1495 [GMT 2:00]
Running from: C:\Documents and Settings\KRBLK\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.

2008-02-17 01:12 . 2008-02-17 01:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-17 01:12 . 2008-02-17 01:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-16 23:07 . 2008-02-17 01:12 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-16 23:07 . 2008-02-16 23:42 <DIR> d-------- C:\Program Files\AirTies
2008-02-16 23:07 . 2008-02-16 23:07 <DIR> d-------- C:\Documents and Settings\KRBLK\Application Data\InstallShield
2008-02-16 23:07 . 2007-03-16 12:53 450,944 --a------ C:\WINDOWS\system32\drivers\TUSB1150.sys
2008-02-16 23:07 . 2006-12-04 15:42 97,388 --a------ C:\WINDOWS\system32\drivers\Fwusb1b.bin
2008-02-16 23:07 . 2007-03-16 14:42 69,632 --a------ C:\WINDOWS\system32\TnetWCoInst.dll
2008-02-12 21:56 . 2008-02-12 21:56 <DIR> d-------- C:\Program Files\Ares
2008-02-12 21:30 . 2008-02-12 21:30 <DIR> d-------- C:\Documents and Settings\KRBLK\Application Data\Nero
2008-02-11 14:01 . 2008-02-11 14:01 <DIR> d---s---- C:\Documents and Settings\KRBLK\UserData
2008-02-10 13:20 . 2008-02-13 02:18 <DIR> d-------- C:\Documents and Settings\KRBLK\Contacts
2008-02-10 12:40 . 2004-08-04 09:45 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-10 12:39 . 2008-02-14 01:00 <DIR> d-------- C:\Documents and Settings\KRBLK\Sık Kullanılanlar
2008-02-10 12:39 . 2008-02-14 23:00 <DIR> d-------- C:\Documents and Settings\KRBLK\Belgelerim
2008-02-10 04:50 . 2008-02-10 04:50 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-02-08 04:29 . 2008-02-13 01:53 <DIR> d-------- C:\Hijack
2008-02-08 04:06 . 2008-02-08 04:06 19,584 --a------ C:\WINDOWS\system32\drivers\swxvpsqf.dat
2008-02-07 03:08 . 2008-02-07 03:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Locktime
2008-02-06 13:26 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-06 11:22 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\gdeydjhjsxcb.sys
2008-02-06 11:11 . 2008-02-06 13:43 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-06 11:11 . 2008-02-06 13:25 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-06 11:11 . 2008-02-06 13:25 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-06 11:11 . 2008-02-06 13:25 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-06 11:04 . 2008-02-06 11:04 <DIR> d-------- C:\Program Files\CCleaner
2008-01-28 13:27 . 2008-02-08 03:43 <DIR> d-------- C:\Program Files\The Privacy Guard
2008-01-28 05:42 . 2008-01-30 01:32 32 --a------ C:\WINDOWS\go
2008-01-27 00:00 . 2008-01-27 00:00 <DIR> d-------- C:\WINDOWS\Sun
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Program Files\Webroot
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-26 23:30 . 2008-01-26 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-26 23:30 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-01-26 23:30 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-26 23:30 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-26 23:30 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-26 23:30 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-26 21:49 . 2008-01-26 21:49 <DIR> d-------- C:\Program Files\LimeWire
2008-01-25 03:12 . 2008-01-25 03:14 <DIR> d-------- C:\Documents and Settings\Administrator\Sık Kullanılanlar
2008-01-25 03:12 . 2007-12-25 21:57 <DIR> d-------- C:\Documents and Settings\Administrator\Belgelerim
2008-01-25 01:20 . 2008-01-25 01:20 <DIR> d-------- C:\NVIDIA
2008-01-25 01:20 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-25 01:09 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 00:56 . 2008-01-25 00:56 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-01-25 00:50 . 2008-01-25 00:58 127,254 --a------ C:\WINDOWS\system32\nvapps.xml
2008-01-25 00:50 . 2007-12-05 01:41 17,737 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-01-25 00:50 . 2007-06-29 00:43 17,254 --a------ C:\WINDOWS\system32\nvwsapps.xml
2008-01-23 00:40 . 2008-02-06 13:37 <DIR> d-------- C:\Program Files\MagicTune Premium
2008-01-23 00:40 . 2007-11-23 19:19 13,056 --a------ C:\WINDOWS\system32\drivers\MTiCtwl.sys
2008-01-19 04:02 . 2008-02-06 13:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-19 04:02 . 2008-02-11 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-19 02:49 . 2008-01-19 02:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-19 02:20 . 2008-02-06 13:34 <DIR> d-------- C:\Program Files\Bonjour
2008-01-19 02:12 . 2008-01-19 02:12 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-01-18 00:19 . 2008-01-18 00:19 <DIR> d-------- C:\Program Files\Business Objects

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 21:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 01:42 --------- d-----w C:\Program Files\FlashGet
2008-02-06 11:38 --------- d-----w C:\Program Files\MSN Messenger
2008-02-06 11:32 --------- d-----w C:\Program Files\a-squared Anti-Malware
2008-02-06 09:32 --------- d-----w C:\Program Files\TrojanHunter 5.0
2008-02-06 09:32 --------- d-----w C:\Program Files\BatchPhoto
2008-01-24 23:09 --------- d-----w C:\Program Files\Java
2008-01-19 00:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-14 23:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-13 00:55 --------- d-----w C:\Program Files\Avira
2008-01-13 00:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-01-13 00:25 --------- d-----w C:\Program Files\Common Files\snp2std
2008-01-13 00:20 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-01-13 00:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 00:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-12 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-01-12 01:01 --------- d-----w C:\Program Files\Lavasoft
2008-01-11 15:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-11 14:52 --------- d-----w C:\Program Files\Common Files\Java
2008-01-11 14:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-09 06:41 --------- d-----w C:\Program Files\SmartDraw 2008
2008-01-08 19:41 --------- d-----w C:\Program Files\Xara
2008-01-08 16:01 --------- d-----w C:\Program Files\Eltima Software
2008-01-04 02:09 --------- d-----w C:\Program Files\GVZ
2008-01-04 01:53 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-03 00:14 --------- d-----w C:\Program Files\iFoxSoft
2008-01-02 21:59 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-02 21:58 --------- d-----w C:\Program Files\Macromedia
2007-12-30 00:38 --------- d-----w C:\Program Files\Winamp
2007-12-30 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\SRS Labs
2007-12-30 00:11 --------- d-----w C:\Program Files\SRS Labs
2007-12-29 23:56 --------- d-----w C:\Program Files\Acon Digital Media
2007-12-29 21:02 --------- d-----w C:\Program Files\Common Files\Nero
2007-12-29 21:01 --------- d-----w C:\Program Files\Nero
2007-12-29 21:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-12-29 15:08 --------- d-----w C:\Program Files\ABBYY FineReader 7.0 Professional Edition
2007-12-29 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\ABBYY
2007-12-29 02:02 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-27 22:07 --------- d-----w C:\Program Files\Alcohol Soft
2007-12-27 22:06 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-27 21:50 --------- d-----w C:\Program Files\Microsoft Games
2007-12-26 22:40 --------- d-----w C:\Program Files\DIFX
2007-12-26 12:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2007-12-26 09:23 --------- d-----w C:\Program Files\Common Files\SWF Studio
2007-12-25 21:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-25 20:33 --------- d-----w C:\Program Files\MSBuild
2007-12-25 20:33 --------- d-----w C:\Program Files\Microsoft Works
2007-12-25 20:10 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-12-25 20:10 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-25 19:46 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-25 19:46 --------- d-----w C:\Program Files\Realtek
2007-12-25 19:26 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-13 17:09 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-12-05 00:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-04 07:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-12-03 16:04 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:45 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-06 10:50 16855552 C:\WINDOWS\RTHDCPL.exe]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-13 02:59 249896]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-01-07 17:56 1816208]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 09:45 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 09:45 33280 C:\WINDOWS\system32\rundll32.exe]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-15 13:21 675840]
"AirTiesWUS-300"="C:\Program Files\AirTies\AirTiesWUS-300\WUS300.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 09:45 159232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 09:45 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^Adobe Reader Hızlı Çalıştırma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\Adobe Reader Hızlı Çalıştırma.lnk
backup=C:\WINDOWS\pss\Adobe Reader Hızlı Çalıştırma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programlar^Başlangıç^GammaTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\GammaTray.lnk
backup=C:\WINDOWS\pss\GammaTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^KRBK^Start Menu^Programlar^Başlangıç^Adobe Gamma.lnk]
path=C:\Documents and Settings\KRBK\Start Menu\Programlar\Başlangıç\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^KRBK^Start Menu^Programlar^Başlangıç^OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnk]
path=C:\Documents and Settings\KRBK\Start Menu\Programlar\Başlangıç\OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Ekran Kırpıcı ve Başlatıcı.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2006-11-20 06:00 116096 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2007-12-31 16:29 962560 C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
--a------ 2004-12-17 00:38 290816 C:\Program Files\ABBYY FineReader 7.0 Professional Edition\ABBYYNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
--a------ 2007-02-12 14:50 20480 C:\WINDOWS\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 00:57 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-12-03 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2std]
--a------ 2006-09-15 13:21 675840 C:\WINDOWS\vsnp2std.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-01-04 20:56 5367664 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnp2std]
C:\WINDOWS\tsnp2std.exe

R3 TUSB1150;Airties WUS-300 USB Wireless Adapter (TNETW1450);C:\WINDOWS\system32\DRIVERS\tusb1150.sys [2007-03-16 12:53]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2007-01-26 16:48]

*Newly Created Service* - HTTPFILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-02-16 21:01:46 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job"
- C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exeW-PTE -V900 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X
"2008-01-28 00:00:01 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- C:\
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 04:25:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-17 4:26:13
ComboFix-quarantined-files.txt 2008-02-17 02:26:10
ComboFix2.txt 2008-02-12 23:51:05
ComboFix3.txt 2008-02-11 22:04:46
ComboFix4.txt 2008-02-08 02:22:07
ComboFix5.txt 2008-02-08 01:55:41

==========================================================================================


Here is my recent HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:40:15, on 17.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AirTies\ADSL Hizmet Programı\AirTies_util3.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Hijack\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [AirTiesWUS-300] C:\Program Files\AirTies\AirTiesWUS-300\WUS300.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AirTies ADSL Hizmet Programı.lnk = ?
O8 - Extra context menu item: Microsoft Excel'e &Ver - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: OneNote'a Gönder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: OneNote'a G&önder - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O16 - DPF: {6F0892F7-0D44-41C3-BF07-7599873FAA04} (Crystal ActiveX Report Viewer Control 11.5) - http://reporteokul.meb.gov.tr/crystalre ... viewer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7318 bytes
============================================================================================

And finally here is my Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 17, 2008 4:19:22 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/02/2008
Kaspersky Anti-Virus database records: 569531
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 119083
Number of viruses found: 9
Number of infected objects: 231
Number of suspicious objects: 0
Duration of the scan process: 02:02:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Desktop\KRBK1\Desktop\davcln.dll Infected: Trojan.Win32.Pakes.cdw skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\525e95cf1897386e7b855260b2418dd4_02bfd050-1b7e-459d-a3d7-5b9d8e893fd7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6da6eea72eb23442f488b08faaa028bd_02bfd050-1b7e-459d-a3d7-5b9d8e893fd7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b713a22cd213e29d456565d28e20a944_02bfd050-1b7e-459d-a3d7-5b9d8e893fd7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\OnlineServices\usagestats.bin Object is locked skipped
C:\Documents and Settings\KRBK\Local Settings\Temp\pbquvxlz.dat Object is locked skipped
C:\Documents and Settings\KRBLK\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\KRBLK\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\KRBLK\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\KRBLK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\KRBLK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\KRBLK\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\KRBLK\Local Settings\History\History.IE5\MSHist012008021720080218\index.dat Object is locked skipped
C:\Documents and Settings\KRBLK\Local Settings\Temp\hsperfdata_KRBLK\848 Object is locked skipped
C:\Documents and Settings\KRBLK\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\KRBLK\Local Settings\Temporary Internet Files\Content.IE5\WLID61KB\hope_jck_728x90_121907[1].swf Object is locked skipped
C:\Documents and Settings\KRBLK\ntuser.dat Object is locked skipped
C:\Documents and Settings\KRBLK\NtUser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-02-16.23-01-56.log Object is locked skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\QooBox\Quarantine\catchme2008-02-13_ 14910.42.zip/swxvpsqf.dat Infected: Rootkit.Win32.Agent.aap skipped
C:\QooBox\Quarantine\catchme2008-02-13_ 14910.42.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BD7DE5B0-3D3B-4CEC-B1F9-02ACD7017FF6}\RP14\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\NetLimit.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\swxvpsqf.dat Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\1 VAHAP\DOWNLOADS\şUBAT08\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\1 VAHAP\DOWNLOADS\şUBAT08\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\1 VAHAP\DOWNLOADS\şUBAT08\SmitfraudFix.exe RarSFX: infected - 2 skipped
D:\1 VAHAP\DOWNLOADS\şUBAT08\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\1 VAHAP\DOWNLOADS\şUBAT08\SmitfraudFix.zip ZIP: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP22\A0005879.exe/AutoPlay/Docs/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP22\A0005879.exe/AutoPlay/Docs/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP22\A0005879.exe/AutoPlay/Docs/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP22\A0005879.exe/AutoPlay/Docs/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP22\A0005879.exe ZIP: infected - 4 skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP47\A0007843.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP47\A0007843.exe 7-Zip: infected - 1 skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026423.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026424.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026425.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026426.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026427.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026428.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026429.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026430.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026431.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026432.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026433.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026434.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026435.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026436.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026437.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026438.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026439.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026440.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026441.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026442.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026443.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026444.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026445.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026446.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026447.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026448.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026449.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026450.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026451.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026452.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026453.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026454.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026455.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026456.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026457.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026458.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026459.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026460.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026461.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026462.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026463.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026464.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026465.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026466.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026467.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026468.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026469.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026470.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026471.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026472.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026473.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026474.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026475.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026476.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026477.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026478.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026479.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026480.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026481.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026482.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026483.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026484.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026485.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026486.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026487.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026488.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026489.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026490.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026491.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026492.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026493.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026494.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026495.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026496.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026497.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026498.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026499.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026500.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026501.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026502.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026503.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026504.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026505.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026506.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026507.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026508.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026509.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026510.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026511.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026512.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026513.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026514.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026515.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026516.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026517.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026518.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026519.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026520.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026521.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026522.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026523.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026524.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026525.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026526.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026527.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026528.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026529.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026530.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026531.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026532.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026533.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026534.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026535.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026536.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026537.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026538.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026539.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026540.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026541.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026542.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026543.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026544.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026545.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026546.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026547.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026548.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026549.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026550.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026551.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026552.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026553.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026554.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026555.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026556.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026557.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026558.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026559.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026560.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026561.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026562.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026563.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026564.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026565.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026566.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026567.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026568.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026569.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026570.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026571.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026572.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026573.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026574.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026575.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026576.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026577.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026578.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026579.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026580.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026581.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026582.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026583.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026584.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026585.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026586.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026587.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026588.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026589.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026590.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026591.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026592.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026593.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026594.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026595.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026596.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026597.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026598.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026599.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026600.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026601.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026602.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026603.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026604.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026605.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026606.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026607.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026608.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026609.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026610.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026611.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026612.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026613.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026614.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026615.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026616.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026617.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026618.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026619.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026620.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026742.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026743.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026744.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026745.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026746.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped
D:\System Volume Information\_restore{BD7DE5B0-3D3B-4CEC-B1F9-02ACD7017FF6}\RP14\change.log Object is locked skipped

Scan process completed.

Thanks for your help. With my best wishes,
vakar
Active Member
 
Posts: 12
Joined: February 6th, 2008, 3:48 pm
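Every hit in the Kaspersky log above sits under a System Restore point (`System Volume Information\_restore{...}\RP69`), which is why each line ends in "skipped": an on-demand scanner reports those archived copies but does not clean them. The following Python script is an added example for this thread, not Kaspersky's tooling and not the poster's code. It parses the two result line shapes in the log and splits the detections into restore-point hits versus live locations, which is the question a helper needs answered before deciding whether the remaining work is purging restore points or removing something still active. The sample input copies a few lines from the posted log; the final `C:\` line and its detection name are constructed so the live/archived split has something to show.

```python
"""Triage a Kaspersky on-demand scan log like the one posted above.

Added example for this thread; it is not Kaspersky's tooling and not the
poster's code.  It recognises the two result line shapes in the log:
    <path> Infected: <detection> skipped
    <path> Object is locked skipped
and splits the hits into System Restore points (which an on-demand scanner
reports but does not clean, hence "skipped") versus live locations.
"""
import re
from collections import Counter, defaultdict

# Paths contain spaces, so anchor on the trailing status words rather than splitting.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<detection>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
# <drive>:\System Volume Information\_restore{GUID}\RPnn\... is a restore point.
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)

# Constructed sample: three lines and the locked change.log are copied from the
# posted log; the final C:\ line is made up (including its detection name) so
# that the live-versus-restore-point split has something to show.
SAMPLE_LOG = [
    r"D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026499.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped",
    r"D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026500.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped",
    r"D:\System Volume Information\_restore{AB7B25E1-829A-473E-8BCE-10804EB26E19}\RP69\A0026501.exe Infected: Email-Worm.Win32.Zhelatin.pd skipped",
    r"D:\System Volume Information\_restore{BD7DE5B0-3D3B-4CEC-B1F9-02ACD7017FF6}\RP14\change.log Object is locked skipped",
    r"C:\Documents and Settings\KRBK\Local Settings\Temp\pbquvxlz.dat Infected: Trojan.Win32.Constructed.sample skipped",
    "",
    "Scan process completed.",
]


def parse_line(line):
    """Return (path, status, detection) for a result line, or None for anything else."""
    line = line.rstrip("\r\n")
    m = INFECTED_RE.match(line)
    if m:
        return m.group("path"), "infected", m.group("detection")
    m = LOCKED_RE.match(line)
    if m:
        return m.group("path"), "locked", None
    return None


def triage(lines):
    """Summarise a log.

    Returns a dict with:
      detections        -> {detection name: count}
      by_restore_point  -> {"D:/RP69": count} for hits inside System Restore
      live_hits         -> infected paths outside System Restore (need action)
      locked            -> number of objects the scanner could not open
    """
    detections = Counter()
    by_rp = defaultdict(int)
    live = []
    locked = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, status, detection = parsed
        if status == "locked":
            locked += 1
            continue
        detections[detection] += 1
        rp = RESTORE_RE.match(path)
        if rp:
            by_rp[f"{rp.group('drive').upper()}:/{rp.group('rp').upper()}"] += 1
        else:
            live.append(path)
    return {
        "detections": dict(detections),
        "by_restore_point": dict(by_rp),
        "live_hits": live,
        "locked": locked,
    }


def restore_points_only(summary):
    """True when every detection sits in a restore point, i.e. nothing live was found."""
    return not summary["live_hits"] and bool(summary["by_restore_point"])


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("detections:", s["detections"])
    print("per restore point:", s["by_restore_point"])
    print("live hits:", s["live_hits"])
    print("locked objects:", s["locked"])
    print("only restore points affected:", restore_points_only(s))
```

Run it against the full posted log (one line per list element) and `by_restore_point` collapses the hundreds of `A00265xx.exe` lines into a single `D:/RP69` count, while `live_hits` stays empty, which is the evidence that the scanner found nothing outside the archived restore point.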

Re: Need your suggestions!

Unread postby chryssi2001 » February 17th, 2008, 4:51 pm

Hello vakar,

And about P2Ps, my little sister uses it to find some videos or songs. I don't really use them.

They are very often the cause of infections. Most probably that's how you got infected.
------------------------------------------------
Yes, I am interested in fighting with malwares. I see many people around having problems with malwares. But they don't know English to ask for help. So they often come to me and ask me. I want to help them. That is why I asked about your directings. I also know that fighting with malwares needs to be an expert.

You can apply from the link i provided in my previous post.
------------------------------------------------
Now let's try to finish cleaning your pc. We will use HijackThis and Combofix-Script in Safe Mode.

Safe Mode

Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.
Go into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
------------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


Then close all windows except HijackThis and click Fix Checked.
Close HijackThis.
------------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\WINDOWS\system32\drivers\swxvpsqf.dat
    C:\WINDOWS\system32\drivers\gdeydjhjsxcb.sys
    C:\Documents and Settings\KRBK\Local Settings\Temp\pbquvxlz.dat
    C:\Documents and Settings\Administrator\Desktop\KRBK1\Desktop\davcln.dll
    D:\1 VAHAP\DOWNLOADS\sUBAT08\SmitfraudFix.exe
    D:\1 VAHAP\DOWNLOADS\sUBAT08\SmitfraudFix.zip
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
------------------------------------------------
In normal mode, run Kaspersky again.
------------------------------------------------
Post back:
Combofix report.
Kaspersky report.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
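The CFScript above is typed by hand into Notepad and then handed to ComboFix, so a mistyped section header, a stray space at the end of a path or a path that is not absolute is easy to introduce and hard to spot. The Python script below is an added example for this thread, not ComboFix's own code, and it understands only the `File::` section form used above. It parses the script, reports those slips, and can optionally check which listed files are still present; the existence check is injectable so it can be exercised away from the infected machine. The posted script is reused verbatim as the good sample; the second sample with four deliberate mistakes is constructed.

```python
"""Sanity-check a ComboFix CFScript.txt before dragging it onto ComboFix.exe.

Added example for this thread; it is not ComboFix's own code.  It handles only
the File:: section used in the script above and reports the slips that are easy
to make when pasting paths into Notepad: a mistyped section header, a path that
is not absolute, stray leading/trailing whitespace (which becomes part of the
file name) and duplicate entries.  An optional existence check tells the helper
which listed files are still present on the machine.
"""
import os
import re

WIN_ABS_PATH = re.compile(r"^[A-Za-z]:\\")
KNOWN_HEADERS = {"File::"}  # the only section type used in this thread

# The File:: section from the reply above, verbatim.
SAMPLE_SCRIPT = "\n".join([
    "File::",
    r"C:\WINDOWS\system32\drivers\swxvpsqf.dat",
    r"C:\WINDOWS\system32\drivers\gdeydjhjsxcb.sys",
    r"C:\Documents and Settings\KRBK\Local Settings\Temp\pbquvxlz.dat",
    r"C:\Documents and Settings\Administrator\Desktop\KRBK1\Desktop\davcln.dll",
    r"D:\1 VAHAP\DOWNLOADS\sUBAT08\SmitfraudFix.exe",
    r"D:\1 VAHAP\DOWNLOADS\sUBAT08\SmitfraudFix.zip",
])

# Constructed: the same idea with four deliberate mistakes.
BAD_SCRIPT = "\n".join([
    "Files::",                                      # header is not "File::"
    r"C:\WINDOWS\system32\drivers\swxvpsqf.dat ",   # trailing space
    r"Temp\pbquvxlz.dat",                           # relative path
    r"C:\WINDOWS\system32\drivers\swxvpsqf.dat",    # duplicate of the line above
])


def parse_cfscript(text):
    """Split a script into {header: [raw entries]}; lines before any header go under None.

    Entries are kept unstripped so whitespace problems can be reported."""
    sections = {}
    current = None
    for raw in text.splitlines():
        if raw.strip() == "":
            continue
        if raw.strip().endswith("::"):
            current = raw.strip()
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(raw)
    return sections


def validate_cfscript(text):
    """Return a list of human-readable problems; an empty list means the script looks sane."""
    issues = []
    seen = set()
    for header, entries in parse_cfscript(text).items():
        if header is None:
            issues.append(f"{len(entries)} entries appear before any section header")
        elif header not in KNOWN_HEADERS:
            issues.append(f"unrecognised section header {header!r}; expected one of {sorted(KNOWN_HEADERS)}")
        for entry in entries:
            path = entry.strip()
            if entry != path:
                issues.append(f"leading/trailing whitespace in entry {entry!r}")
            if not WIN_ABS_PATH.match(path):
                issues.append(f"not an absolute Windows path: {path!r}")
            key = path.lower()
            if key in seen:
                issues.append(f"duplicate entry: {path!r}")
            seen.add(key)
    return issues


def check_targets(text, exists=os.path.exists):
    """Map each File:: entry to whether it currently exists.

    `exists` is injectable so the check can be exercised off the infected machine."""
    entries = parse_cfscript(text).get("File::", [])
    return {e.strip(): bool(exists(e.strip())) for e in entries}


if __name__ == "__main__":
    for name, script in (("posted script", SAMPLE_SCRIPT), ("constructed bad script", BAD_SCRIPT)):
        problems = validate_cfscript(script)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
    for path, present in check_targets(SAMPLE_SCRIPT).items():
        print(f"{'present' if present else 'absent '}  {path}")
```

Running `validate_cfscript` on the posted script returns no problems, while the constructed bad script produces one issue per mistake; `check_targets` run on the affected machine shows which of the listed files are already gone (for example the SmitfraudFix download the user may have deleted), so the helper knows what to expect in the ComboFix log.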