
How To Remove Trojan-Downloader.Agent!sd5 (Win32.Almanahe.B)

Discussion in 'Malware and Virus Removal Archive' started by staspinar, 2007/08/05.

  1. 2007/08/05
    staspinar (Thread Starter)
    I've found a virus in my system, but I'm not able to detect and remove it. It is called Trojan-Downloader.Agent!sd5 (Spyware Doctor) or Win32.Almanahe.B according to other antivirus/antispyware programs.

    I have run BitDefender, SUPERAntiSpyware, Spyware Doctor and Ad-Aware, but I could not detect anything.

    I have used pv, and the logs are as below:


    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1044480 C:\WINDOWS\Explorer.EXE 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Gezgini
    ntdll.dll 7c8f0000 716800 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Katmanı DLL’si
    kernel32.dll 7c800000 978944 C:\WINDOWS\system32\kernel32.dll 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) Win32 Kernel çekirdek bileşeni
    msvcrt.dll 77c00000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
    ADVAPI32.dll 77dc0000 700416 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Gelişmiş Windows 32 Tabanlı API
    RPCRT4.dll 77e70000 593920 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
    GDI32.dll 77f10000 290816 C:\WINDOWS\system32\GDI32.dll 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) GDI Client DLL
    USER32.dll 7e360000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) Windows XP USER API İstemci DLL
    SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.3121 (xpsp_sp2_gdr.070418-1302) Kabuk Hafif Hizmet Programı Kitaplığı
    SHELL32.dll 7c9b0000 8478720 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) Windows Shell Ortak Dll'li
    ole32.dll 774d0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Windows için Microsoft OLE
    OLEAUT32.dll 77110000 573440 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180
    BROWSEUI.dll 75f60000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.3121 (xpsp_sp2_gdr.070418-1302) Kabuk Tarayıcısı KA Kitaplığı
    SHDOCVW.dll 7e1e0000 1503232 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.3121 (xpsp_sp2_gdr.070418-1302) Kabuk Belgesi Nesne ve Denetim Kitaplığı
    CRYPT32.dll 77a70000 606208 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Şifreleme API32
    MSASN1.dll 77b10000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
    CRYPTUI.dll 754a0000 520192 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Trust Kullanıcı Arayüzü Sağlayıcısı
    WINTRUST.dll 76c20000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Güven Doğrulama API'leri
    IMAGEHLP.dll 76c80000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
    NETAPI32.dll 6ff90000 344064 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2976 (xpsp_sp2_gdr.060817-0106) Net Win32 API DLL
    WININET.dll 435f0000 847872 C:\WINDOWS\system32\WININET.dll 7.00.6000.16473 (vista_gdr.070420-1500) Internet Extensions for Win32
    Normaliz.dll 71660000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5243.0 (vbl_ux_partners_ie.051011-1845) Unicode Normalization DLL
    iertutil.dll 43370000 282624 C:\WINDOWS\system32\iertutil.dll 7.00.6000.16473 (vista_gdr.070420-1500) Run time utility for Internet Explorer
    WLDAP32.dll 76f50000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
    VERSION.dll 77bf0000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
    UxTheme.dll 5b2a0000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Microsoft UxTheme Kitaplığı
    ShimEng.dll 5d0a0000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Shim Engine DLL
    AcGenral.DLL 5a780000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Compatibility DLL
    WINMM.dll 76b30000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
    MSACM32.dll 77bd0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft ACM Ses Süzgeci
    USERENV.dll 769b0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
    IMM32.DLL 76370000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
    comctl32.dll 773c0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0 (xpsp.060825-0040) User Experience Controls Library
    comctl32.dll 5d5e0000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.060825-0040) Common Controls Library
    msctfime.ime 75470000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Text Frame Work Service IME
    appHelp.dll 77b30000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Application Compatibility Client Library
    CLBCATQ.DLL 76fc0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.308
    COMRes.dll 77040000 798720 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258
    cscui.dll 77a10000 344064 C:\WINDOWS\System32\cscui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) İstemci Tarafındaki Önbellek Ara Birimi
    CSCDLL.dll 765e0000 118784 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Çevrimdışı Ağ Aracısı
    themeui.dll 69cb0000 462848 C:\WINDOWS\system32\themeui.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Windows Tema API
    Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
    MSIMG32.dll 76360000 20480 C:\WINDOWS\system32\MSIMG32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) GDIEXT Client DLL
    xpsp2res.dll 20000000 2924544 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 İletileri
    actxprxy.dll 71d30000 114688 C:\WINDOWS\system32\actxprxy.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ActiveX Interface Marshaling Library
    msutb.dll 60160000 208896 C:\WINDOWS\system32\msutb.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSUTB Server DLL
    MSCTF.dll 746f0000 307200 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MSCTF Server DLL
    wmpband.dll 13420000 106496 C:\Program Files\Windows Media Player\wmpband.dll 11.0.5721.5145 (WMP_11.061018-2006) Windows Media Player Deskband
    MPR.dll 71b10000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Çoklu Sağlayıcı Yönlendirici DLL
    WS2_32.dll 71aa0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71a90000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT için Windows Socket 2.0 Yardımcısı
    sfc.dll 76ba0000 20480 C:\WINDOWS\system32\sfc.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows File Protection
    sfc_os.dll 76c50000 172032 C:\WINDOWS\system32\sfc_os.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Dosya Koruması
    linkinfo.dll 76970000 32768 C:\WINDOWS\system32\linkinfo.dll 5.1.2600.2751 (xpsp_sp2_gdr.050831-1520) Windows Volume Tracking
    ntshrui.dll 76980000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Paylaşım için kabuk uzantıları
    ATL.DLL 76b10000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
    psapi.dll 76be0000 45056 C:\WINDOWS\system32\psapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Process Status Helper
    nwprovau.dll 5f630000 159744 C:\WINDOWS\System32\nwprovau.dll 5.1.2600.3015 (xpsp_sp2_gdr.061013-0145) Client Service for NetWare Sağlayıcısı ve Kimlik Denetimi Paketi DLL'si
    drprov.dll 75f40000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c00000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Lan Manager
    NETUI0.dll 71cc0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Ortak Kod - GUI Sınıfları
    NETUI1.dll 71c80000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c70000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Net Remote Admin Protocol DLL
    SAMLIB.dll 71be0000 77824 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SAM Library DLL
    davclnt.dll 75f50000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Web DAV İstemci DLL
    urlmon.dll 436d0000 1196032 C:\WINDOWS\system32\urlmon.dll 7.00.6000.16473 (vista_gdr.070420-1500) OLE32 Extensions for Win32
    ieframe.dll 438d0000 6074368 C:\WINDOWS\system32\ieframe.dll 7.00.6000.16473 (vista_gdr.070420-1500) Internet Explorer
    bdoe.dll 15d0000 151552 C:\Program Files\Softwin\BitDefender8\bdoe.dll 8, 1, 0, 0 bdoe.dll Link Library
    XCOMM.dll 1600000 86016 C:\WINDOWS\system32\XCOMM.dll 1, 8, 11, 0 BitDefender Communicator
    MSVCR71.dll 7c340000 352256 C:\WINDOWS\system32\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
    msi.dll 7d1d0000 2875392 C:\WINDOWS\system32\msi.dll 3.1.4000.4039 Windows Installer
    rsaenh.dll ffd0000 163840 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.2161 (xpsp.040706-1629) Microsoft Enhanced Cryptographic Provider
    WINSTA.dll 76340000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Winstation Library
    webcheck.dll 43820000 245760 C:\WINDOWS\system32\webcheck.dll 7.00.6000.16473 (vista_gdr.070420-1500) Web Site Monitor
    stobject.dll 76210000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Systray shell service object
    BatMeter.dll 74ac0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Battery Meter Helper DLL
    POWRPROF.dll 74aa0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Power Profile Helper DLL
    SETUPAPI.dll 77910000 999424 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Kur API
    WTSAPI32.dll 76f40000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Terminal Server SDK APIs
    WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
    WINHTTP.dll 4d4c0000 360448 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows HTTP Services
    mydocs.dll 72400000 106496 C:\WINDOWS\system32\mydocs.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Belgelerim Klasörü UI
    PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
    PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
    wdmaud.drv 72cf0000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) WDM Audio driver mapper
    msacm32.drv 72ce0000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Ses Eşleştiricisi
    midimap.dll 77bc0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Ses Eşleştiricisi
    NETSHELL.dll 763e0000 1728512 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Ağ Bağlantılar Kabuğu
    rtutils.dll 76e70000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
    credui.dll 76bf0000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Kimlik Bilgisi Yöneticisi Kullanıcı Arabirimi
    iphlpapi.dll 76d50000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2912 (xpsp_sp2_gdr.060519-0003) IP Yardımcısı API
    SXS.DLL 75e70000 720896 C:\WINDOWS\system32\SXS.DLL 5.1.2600.3019 (xpsp_sp2_gdr.061019-0414) Fusion 2.5
    browselc.dll 15a0000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Kabuk Tarayıcısı KA Kitaplığı
    AcroIEHelper.dll ac0000 57344 C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll 7.0.5.2005092300 Adobe Acrobat IE Helper Version 7.0 for ActiveX
    SDHelper.dll 2290000 872448 C:\Program Files\Spybot - Search & Destroy\SDHelper.dll 1, 4, 0, 0 Bad download blocker
    olepro32.dll 5f320000 94208 C:\WINDOWS\system32\olepro32.dll 5.1.2600.2180
    DUSER.dll 6c750000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows DirectUser Engine
    msohev.dll 325c0000 73728 C:\Program Files\Microsoft Office\OFFICE11\msohev.dll 11.0.5510 Microsoft Office 2003 component
    PDFShell.dll 27b0000 114688 C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll 7.0.0.0 PDF Shell Extension
    SASSEH.DLL 25d0000 81920 C:\Program Files\SUPERAntiSpyware\SASSEH.DLL 1, 0, 0, 1008 ShellExecuteHook
    MSISIP.DLL 60980000 28672 C:\WINDOWS\system32\MSISIP.DLL 3.1.4000.1823 MSI Signature SIP Provider
    wshext.dll 74e70000 65536 C:\WINDOWS\system32\wshext.dll 5.6.0.8820 Microsoft (r) Shell Extension for Windows Script Host
    MFC42.DLL 73da0000 1040384 C:\WINDOWS\system32\MFC42.DLL 6.02.4131.0 MFCDLL Shared Library - Retail Version
    comdlg32.dll 76390000 299008 C:\WINDOWS\system32\comdlg32.dll 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) Ortak iletişim DLL
    MFC42LOC.DLL 61ef0000 53248 C:\WINDOWS\system32\MFC42LOC.DLL 6.00.8665.0 MFC Dile Özel Kaynaklar
    wshTR.DLL 58f20000 57344 C:\WINDOWS\system32\wshTR.DLL 5.6.0.6626 Microsoft (r) Windows Kod Merkezi Uluslararası Kaynaklar
    MCPS.DLL 36d30000 102400 C:\PROGRA~1\MICROS~3\OFFICE11\MCPS.DLL 11.0.5510 Media Catalog Proxy/Stub
     
    Last edited: 2007/08/06
  2. 2007/08/05
    staspinar (Thread Starter)
    Internet Dll's

    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    IEXPLORE.EXE 400000 634880 C:\Program Files\Internet Explorer\IEXPLORE.EXE 7.00.6000.16473 (vista_gdr.070420-1500) Internet Explorer
    ntdll.dll 7c8f0000 716800 C:\WINDOWS\system32\ntdll.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) NT Katmanı DLL’si
    kernel32.dll 7c800000 978944 C:\WINDOWS\system32\kernel32.dll 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) Win32 Kernel çekirdek bileşeni
    ADVAPI32.dll 77dc0000 700416 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Gelişmiş Windows 32 Tabanlı API
    RPCRT4.dll 77e70000 593920 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Procedure Call Runtime
    GDI32.dll 77f10000 290816 C:\WINDOWS\system32\GDI32.dll 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) GDI Client DLL
    USER32.dll 7e360000 589824 C:\WINDOWS\system32\USER32.dll 5.1.2600.3099 (xpsp_sp2_gdr.070308-0222) Windows XP USER API İstemci DLL
    msvcrt.dll 77c00000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT CRT DLL
    SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.3121 (xpsp_sp2_gdr.070418-1302) Kabuk Hafif Hizmet Programı Kitaplığı
    SHELL32.dll 7c9b0000 8478720 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.3051 (xpsp_sp2_gdr.061219-0316) Windows Shell Ortak Dll'li
    ole32.dll 774d0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.2726 (xpsp_sp2_gdr.050725-1528) Windows için Microsoft OLE
    urlmon.dll 436d0000 1196032 C:\WINDOWS\system32\urlmon.dll 7.00.6000.16473 (vista_gdr.070420-1500) OLE32 Extensions for Win32
    OLEAUT32.dll 77110000 573440 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.2180
    iertutil.dll 43370000 282624 C:\WINDOWS\system32\iertutil.dll 7.00.6000.16473 (vista_gdr.070420-1500) Run time utility for Internet Explorer
    VERSION.dll 77bf0000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Version Checking and File Installation Libraries
    IMM32.DLL 76370000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows XP IMM32 API Client DLL
    sockspy.dll 10000000 221184 C:\WINDOWS\system32\sockspy.dll
    comctl32.dll 773c0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 6.0 (xpsp.060825-0040) User Experience Controls Library
    comctl32.dll 5d5e0000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.060825-0040) Common Controls Library
    LINKINFO.dll a00000 61440 C:\WINDOWS\LINKINFO.dll 5.1.2600.2751 (xpsp_sp2_gdr.050831-1520) Windows Volume Tracking
    WS2_32.dll 71aa0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71a90000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT için Windows Socket 2.0 Yardımcısı
    MPR.dll 71b10000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Çoklu Sağlayıcı Yönlendirici DLL
    sfc.dll 76ba0000 20480 C:\WINDOWS\system32\sfc.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows File Protection
    sfc_os.dll 76c50000 172032 C:\WINDOWS\system32\sfc_os.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Dosya Koruması
    WINTRUST.dll 76c20000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Güven Doğrulama API'leri
    CRYPT32.dll 77a70000 606208 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.2180 (xpsp_sp2_rtm.040803-2158) Şifreleme API32
    MSASN1.dll 77b10000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ASN.1 Runtime APIs
    IMAGEHLP.dll 76c80000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows NT Image Helper
    linkinfo.dll 76970000 32768 C:\WINDOWS\system32\linkinfo.dll 5.1.2600.2751 (xpsp_sp2_gdr.050831-1520) Windows Volume Tracking
    ntshrui.dll 76980000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Paylaşım için kabuk uzantıları
    ATL.DLL 76b10000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
    NETAPI32.dll 6ff90000 344064 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.2976 (xpsp_sp2_gdr.060817-0106) Net Win32 API DLL
    USERENV.dll 769b0000 733184 C:\WINDOWS\system32\USERENV.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Userenv
    WININET.dll 435f0000 847872 C:\WINDOWS\system32\WININET.dll 7.00.6000.16473 (vista_gdr.070420-1500) Internet Extensions for Win32
    Normaliz.dll 71660000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5243.0 (vbl_ux_partners_ie.051011-1845) Unicode Normalization DLL
    Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Security Support Provider Interface
    RASAPI32.dll 76ed0000 245760 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Uzaktan Erişim API
    rasman.dll 76e80000 73728 C:\WINDOWS\system32\rasman.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Remote Access Connection Manager
    TAPI32.dll 76ea0000 192512 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft® Windows(TM) Telefon API İstemci DLL
    rtutils.dll 76e70000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Routing Utilities
    WINMM.dll 76b30000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) MCI API DLL
    msv1_0.dll 77c60000 143360 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Authentication Package v1.0
    iphlpapi.dll 76d50000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2912 (xpsp_sp2_gdr.060519-0003) IP Yardımcısı API
    sensapi.dll 722a0000 20480 C:\WINDOWS\system32\sensapi.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) SENS Connectivity API DLL
    mswsock.dll 71a40000 258048 C:\WINDOWS\System32\mswsock.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Microsoft Windows Sockets 2.0 Servis Sağlayıcı
    DNSAPI.dll 76f10000 159744 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.2938 (xpsp_sp2_gdr.060626-0020) DNS Client API DLL
    winrnr.dll 76fa0000 32768 C:\WINDOWS\System32\winrnr.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) LDAP RnR Provider DLL
    WLDAP32.dll 76f50000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Win32 LDAP API DLL
    rasadhlp.dll 76fb0000 24576 C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.2938 (xpsp_sp2_gdr.060626-0020) Remote Access AutoDial Helper
    hnetcfg.dll 698d0000 360448 C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Ev Ağı Yapılandırma Yöneticisi
    wshtcpip.dll 71a80000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) Windows Sockets Helper DLL
    jsproxy.dll 43560000 40960 C:\WINDOWS\system32\jsproxy.dll 7.00.6000.16473 (vista_gdr.070420-1500) JScript Proxy Auto-Configuration
    CLBCATQ.DLL 76fc0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.308
    COMRes.dll 77040000 798720 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.258
    xpsp2res.dll 20000000 2924544 C:\WINDOWS\system32\xpsp2res.dll 5.1.26002180 (xpsp_sp2_rtm.040803-2158) Service Pack 2 İletileri
     


  4. 2007/08/05
    noahdfear
    Welcome to WindowsBBS staspinar :)

    Wow, haven't seen a pv log in a long time. Sorry to say it didn't reveal anything. Let's see if another tool will give us a better look at things.

    Note: You must be logged onto an account with administrator privileges to complete the following.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    Close all applications and windows.
    Double-click on dss.exe to run it and follow the prompts.
    When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.

    Post the contents of main.txt only for now.

    If you have HijackThis, it will use it to create a HijackThis log. If you do not, it will automatically download and install HijackThis. Please keep your internet connection active and allow access through your firewall if applicable.


    BTW, what language is your operating system?
     
  5. 2007/08/05
    staspinar (Thread Starter)
    Content of main.txt

    Deckard's System Scanner v20070804.61
    Run by kemal on 2007-08-05 at 21:38:29
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    -- Last 1 Restore Point(s) --
    1: 2007-08-05 18:38:34 UTC - RP1 - Sistem Denetleme Noktası


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 511 MiB (512 MiB recommended).


    -- HijackThis Clone ------------------------------------------------------------

    Emulating logfile of HijackThis v1.99.1
    Scan saved at 2007-08-05 21:39:40
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe
    C:\Program Files\Softwin\BitDefender8\vsserv.exe
    C:\WINDOWS\system32\alg.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Softwin\BitDefender8\bdnagent.exe
    C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
    C:\Program Files\Softwin\BitDefender8\bdmcon.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\kemal\Desktop\dss\dss.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Webroot\Spy Sweeper\ssu.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKEY_LOCAL_MACHINE\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender8\bdoesrv.exe "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    O4 - HKEY_LOCAL_MACHINE\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Hızlı Çalıştırma.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Araştır - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\mswsock.dll
    O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\winrnr.dll
    O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\mswsock.dll
    O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\Software\..\Telephony: DomainName = BIMTASSRV
    O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = BIMTASSRV
    O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = BIMTASSRV
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = BIMTASSRV
    O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.0.0812.00.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.0.0812.00.dll
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
    O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    O20 - AppInit_DLLs: sockspy.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
    O20 - Winlogon Notify: cryptnet - C:\WINDOWS\system32\cryptnet.dll
    O20 - Winlogon Notify: cscdll - C:\WINDOWS\system32\cscdll.dll
    O20 - Winlogon Notify: ScCertProp - C:\WINDOWS\system32\wlnotify.dll
    O20 - Winlogon Notify: Schedule - C:\WINDOWS\system32\wlnotify.dll
    O20 - Winlogon Notify: sclgntfy - C:\WINDOWS\system32\sclgntfy.dll
    O20 - Winlogon Notify: SensLogn - C:\WINDOWS\system32\WlNotify.dll
    O20 - Winlogon Notify: termsrv - C:\WINDOWS\system32\wlnotify.dll
    O20 - Winlogon Notify: wlballoon - C:\WINDOWS\system32\wlnotify.dll
    O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe "
    O23 - Service: BitDefender Local Manager (BDLM) - SOFTWIN - "C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service
    O23 - Service: Mantıksal Disk Yöneticisi Yönetim Hizmetleri (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
    O23 - Service: BitDefender Enterprise Update Service (LIVESRV_EM) - SOFTWIN S.R.L. - "C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe" /service
    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - "C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service
    O23 - Service: BitDefender Communicator (XCOMM) - Softwin - "C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service


    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
    R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
    R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
    R2 irda (IrDA İletişim Kuralları) - c:\windows\system32\drivers\irda.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 NwlnkIpx (NWLink IPX/SPX/NetBIOS Uyumlu Aktarma İletişim Kuralları) - c:\windows\system32\drivers\nwlnkipx.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 NwlnkNb (NWLink NetBIOS) - c:\windows\system32\drivers\nwlnknb.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 NwlnkSpx (NWLink SPX/SPXII İletişim Kuralları) - c:\windows\system32\drivers\nwlnkspx.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 irsir (Microsoft Seri Kızılötesi Sürücü) - c:\windows\system32\drivers\irsir.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R3 Rasirda (WAN Miniport (IrDA)) - c:\windows\system32\drivers\rasirda.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

    S3 bdfdll - c:\program files\softwin\bitdefender9\bdfdll.sys (file missing)
    S3 NWRDR (NetWare Rdr) - c:\windows\system32\drivers\nwrdr.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
    R2 BDLM (BitDefender Local Manager) - "c:\program files\common files\softwin\bitdefender local manager\bdlm.exe" /service <Not Verified; SOFTWIN; BitDefender Enterprise Manager>
    R2 Irmon (Kızılötesi Monitör) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    R2 LIVESRV_EM (BitDefender Enterprise Update Service) - "c:\program files\common files\softwin\bitdefender enterprise update service\livesrv_em.exe" /service <Not Verified; SOFTWIN S.R.L.; BitDefender 9>

    S2 NWCWorkstation (Netware için İstemci Hizmeti) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    S3 usnsvc (Messenger Paylaşım USN Günlük Okuyucu hizmeti) - c:\windows\system32\svchost.exe -k usnsvc <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: RAID Denetleyicisi
    Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_31491849&REV_80\3&267A616A&0&78
    Manufacturer:
    Name: RAID Denetleyicisi
    PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_31491849&REV_80\3&267A616A&0&78
    Service:


    -- Scheduled Tasks -------------------------------------------------------------

    2007-08-05 19:39:42 1510 --a------ C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job


    -- Files created between 2007-07-05 and 2007-08-05 -----------------------------

    2007-08-05 20:46:21 0 d-------- C:\Documents and Settings\Administrator.SÜRÜCÜLER\Application Data\Webroot
    2007-08-05 20:44:06 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
    2007-08-05 19:39:45 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2007-08-05 19:39:32 0 d-------- C:\Program Files\Webroot
    2007-08-05 19:39:32 0 d-------- C:\Documents and Settings\kemal\Application Data\Webroot
    2007-08-05 19:39:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2007-08-05 17:42:00 0 d-------- C:\Documents and Settings\Administrator.SÜRÜCÜLER\Application Data\SUPERAntiSpyware.com
    2007-08-05 17:31:41 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-08-05 17:31:36 0 d-------- C:\Program Files\SUPERAntiSpyware
    2007-08-05 17:31:35 0 d-------- C:\Documents and Settings\kerim\Application Data\SUPERAntiSpyware.com
    2007-08-05 15:13:21 0 d-------- C:\Program Files\Winamp
    2007-08-05 15:12:40 0 d-------- C:\Documents and Settings\kemal\Application Data\Macromedia
    2007-08-05 15:08:18 0 d-------- C:\Program Files\Lavasoft
    2007-08-05 15:08:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-08-05 15:01:46 0 d-------- C:\Program Files\MSBuild
    2007-08-05 14:56:37 0 d-------- C:\WINDOWS\system32\XPSViewer
    2007-08-05 14:55:54 0 d-------- C:\Program Files\Reference Assemblies
    2007-08-05 14:54:49 0 d-------- C:\56cb65ab832e8027d529c9f455566c
    2007-08-05 14:53:49 0 d-------- C:\Program Files\Windows Media Connect 2
    2007-08-05 14:52:27 0 d-------- C:\WINDOWS\system32\LogFiles
    2007-08-05 14:52:27 0 d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-08-05 14:51:57 0 d-------- C:\WINDOWS\system32\tr-tr
    2007-08-05 14:51:36 0 d-------- C:\WINDOWS\network diagnostic
    2007-08-05 14:47:44 0 d-------- C:\Software
    2007-08-05 14:46:33 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-05 14:29:17 0 d-------- C:\WINDOWS\system32\ReinstallBackups
    2007-08-05 14:28:22 0 d-------- C:\WINDOWS\RegisteredPackages
    2007-08-05 14:27:59 0 d-------- C:\Program Files\LiraConv
    2007-08-05 14:10:02 0 d-------- C:\Documents and Settings\kemal\Application Data\Identities
    2007-08-05 14:09:47 0 d--h----- C:\Documents and Settings\kemal\Templates
    2007-08-05 14:09:47 0 dr------- C:\Documents and Settings\kemal\Start Menu
    2007-08-05 14:09:47 0 dr------- C:\Documents and Settings\kemal\Sık Kullanılanlar
    2007-08-05 14:09:47 0 dr-h----- C:\Documents and Settings\kemal\SendTo
    2007-08-05 14:09:47 0 dr-h----- C:\Documents and Settings\kemal\Recent
    2007-08-05 14:09:47 0 d--h----- C:\Documents and Settings\kemal\PrintHood
    2007-08-05 14:09:47 1048576 --ah----- C:\Documents and Settings\kemal\NTUSER.DAT
    2007-08-05 14:09:47 0 d--h----- C:\Documents and Settings\kemal\NetHood
    2007-08-05 14:09:47 0 d--h----- C:\Documents and Settings\kemal\Local Settings
    2007-08-05 14:09:47 0 d-------- C:\Documents and Settings\kemal\Desktop
    2007-08-05 14:09:47 0 d--hs---- C:\Documents and Settings\kemal\Cookies
    2007-08-05 14:09:47 0 dr------- C:\Documents and Settings\kemal\Belgelerim
    2007-08-05 14:09:47 0 dr-h----- C:\Documents and Settings\kemal\Application Data
    2007-08-05 13:45:45 0 d-------- C:\Documents and Settings\kerim\Application Data\Identities
    2007-08-05 13:45:36 0 d--h----- C:\Documents and Settings\kerim\Templates
    2007-08-05 13:45:36 0 dr------- C:\Documents and Settings\kerim\Start Menu
    2007-08-05 13:45:36 0 dr------- C:\Documents and Settings\kerim\Sık Kullanılanlar
    2007-08-05 13:45:36 0 dr-h----- C:\Documents and Settings\kerim\SendTo
    2007-08-05 13:45:36 0 dr-h----- C:\Documents and Settings\kerim\Recent
    2007-08-05 13:45:36 0 d--h----- C:\Documents and Settings\kerim\PrintHood
    2007-08-05 13:45:36 786432 --ah----- C:\Documents and Settings\kerim\NTUSER.DAT
    2007-08-05 13:45:36 0 d--h----- C:\Documents and Settings\kerim\NetHood
    2007-08-05 13:45:36 0 d--h----- C:\Documents and Settings\kerim\Local Settings
    2007-08-05 13:45:36 0 d-------- C:\Documents and Settings\kerim\Desktop
    2007-08-05 13:45:36 0 d--hs---- C:\Documents and Settings\kerim\Cookies
    2007-08-05 13:45:36 0 dr------- C:\Documents and Settings\kerim\Belgelerim
    2007-08-05 13:45:36 0 dr-h----- C:\Documents and Settings\kerim\Application Data
    2007-08-05 13:45:36 0 d---s---- C:\Documents and Settings\kerim\Application Data\Microsoft
    2007-08-04 19:55:46 20480 --a------ C:\WINDOWS\system32\normaliz.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2007-08-04 19:41:29 0 d-------- C:\Documents and Settings\soforler.BIMTASSRV\Application Data\Identities
    2007-08-04 19:41:21 0 d--h----- C:\Documents and Settings\soforler.BIMTASSRV\Templates
    2007-08-04 19:41:21 0 dr------- C:\Documents and Settings\soforler.BIMTASSRV\Start Menu
    2007-08-04 19:41:21 0 dr------- C:\Documents and Settings\soforler.BIMTASSRV\Sık Kullanılanlar
    2007-08-04 19:41:21 0 dr-h----- C:\Documents and Settings\soforler.BIMTASSRV\SendTo
    2007-08-04 19:41:21 0 dr-h----- C:\Documents and Settings\soforler.BIMTASSRV\Recent
    2007-08-04 19:41:21 0 d--h----- C:\Documents and Settings\soforler.BIMTASSRV\PrintHood
    2007-08-04 19:41:21 524288 --ah----- C:\Documents and Settings\soforler.BIMTASSRV\NTUSER.DAT
    2007-08-04 19:41:21 0 d--h----- C:\Documents and Settings\soforler.BIMTASSRV\NetHood
    2007-08-04 19:41:21 0 d--h----- C:\Documents and Settings\soforler.BIMTASSRV\Local Settings
    2007-08-04 19:41:21 0 d-------- C:\Documents and Settings\soforler.BIMTASSRV\Desktop
    2007-08-04 19:41:21 0 d---s---- C:\Documents and Settings\soforler.BIMTASSRV\Cookies
    2007-08-04 19:41:21 0 dr------- C:\Documents and Settings\soforler.BIMTASSRV\Belgelerim
    2007-08-04 19:41:21 0 dr-h----- C:\Documents and Settings\soforler.BIMTASSRV\Application Data
    2007-08-04 19:41:21 0 d---s---- C:\Documents and Settings\soforler.BIMTASSRV\Application Data\Microsoft
    2007-08-04 19:39:10 0 d-------- C:\Documents and Settings\mensari\Application Data\Identities
    2007-08-04 19:38:59 0 dr-h----- C:\Documents and Settings\mensari\Recent
    2007-08-04 19:38:59 0 d--h----- C:\Documents and Settings\mensari\PrintHood
    2007-08-04 19:38:59 0 d--h----- C:\Documents and Settings\mensari\NetHood
    2007-08-04 19:38:59 0 d--h----- C:\Documents and Settings\mensari\Local Settings
    2007-08-04 19:38:59 0 d-------- C:\Documents and Settings\mensari\Desktop
    2007-08-04 19:38:59 0 d--hs---- C:\Documents and Settings\mensari\Cookies
    2007-08-04 19:38:59 0 dr------- C:\Documents and Settings\mensari\Belgelerim
    2007-08-04 19:38:59 0 dr-h----- C:\Documents and Settings\mensari\Application Data
    2007-08-04 19:38:59 0 d---s---- C:\Documents and Settings\mensari\Application Data\Microsoft
    2007-08-04 19:38:58 0 d--h----- C:\Documents and Settings\mensari\Templates
    2007-08-04 19:38:58 0 dr------- C:\Documents and Settings\mensari\Start Menu
    2007-08-04 19:38:58 0 dr------- C:\Documents and Settings\mensari\Sık Kullanılanlar
    2007-08-04 19:38:58 0 dr-h----- C:\Documents and Settings\mensari\SendTo
    2007-08-04 19:38:58 786432 --ah----- C:\Documents and Settings\mensari\NTUSER.DAT
    2007-08-04 19:29:01 0 d-------- C:\WINDOWS\system32\URTTemp
    2007-08-03 18:40:28 0 d-------- C:\Documents and Settings\Administrator.SÜRÜCÜLER\Application Data\Lavasoft
    2007-08-03 15:37:35 0 d-------- C:\WINDOWS\Sun
    2007-08-03 15:37:35 0 d-------- C:\Documents and Settings\Administrator.SÜRÜCÜLER\Application Data\Sun
    2007-08-02 08:11:05 0 d---s---- C:\Documents and Settings\Administrator.SÜRÜCÜLER\UserData
    2007-07-31 09:29:15 0 d-------- C:\Documents and Settings\soforler\Application Data\Talkback
    2007-07-31 09:28:43 0 d-------- C:\Documents and Settings\soforler\Application Data\Mozilla
    2007-07-30 16:41:23 0 d-------- C:\Documents and Settings\Administrator.SÜRÜCÜLER\Application Data\Talkback
    2007-07-30 16:41:19 0 --a------ C:\WINDOWS\nsreg.dat
    2007-07-30 16:41:15 0 d-------- C:\Documents and Settings\Administrator.SÜRÜCÜLER\Application Data\Mozilla


    -- Find3M Report ---------------------------------------------------------------

    2007-08-05 15:02:21 423344 --a------ C:\WINDOWS\system32\perfh01F.dat
    2007-08-05 15:02:21 79898 --a------ C:\WINDOWS\system32\perfc01F.dat
    2007-08-05 14:46:33 0 d-------- C:\Program Files\Common Files
    2007-07-30 16:36:04 81984 --a------ C:\WINDOWS\system32\bdod.bin
    2007-07-30 11:30:34 14 --a------ C:\WINDOWS\system32\getfile.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [07.09.2006 16:51]
    "Cmaudio "= "cmicnfg.cpl" []
    "BDNewsAgent "= "C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [09.05.2005 12:19]
    "BDOESRV "= "C:\Program Files\Softwin\BitDefender8\bdoesrv.exe" [11.03.2005 18:53]
    "BDMCon "= "C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [06.04.2006 12:36]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [15.05.2007 01:22]
    "SpySweeper "= "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [19.07.2007 22:54]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 00:45]

    C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\
    Adobe Reader Hızlı Çalıştırma.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [24.09.2005 08:05:26]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoAutoUpdate "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20.12.2006 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19.04.2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=sockspy.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Usnsvc usnsvc




    -- End of Deckard's System Scanner: finished at 2007-08-05 at 21:40:13 ---------
     
  6. 2007/08/05
    staspinar

    Operating System Language

    My Operating System Language is TURKISH.
     
  7. 2007/08/05
    noahdfear

    Thanks!

    The only things of concern to me in that report are the following 2 folders.

    C:\WINDOWS\system32\LogFiles
    C:\WINDOWS\system32\tr-tr

    Please list the contents of each.
     
  8. 2007/08/05
    staspinar

    C:\WINDOWS\system32\LogFiles
    --- an empty directory named WUDF


    C:\WINDOWS\system32\tr-tr
    --- mstsc.exe.mui
    --- mstscax.dll.mui
    --- PresentationHost.exe.mui
    --- UIAutomationCore.dll.mui
     
  9. 2007/08/05
    noahdfear

    I believe those directories were placed there by the IT department of the domain. They are no threat.

    What exactly gave you the infection notice? Was it BitDefender or Spyware Doctor?
     
  10. 2007/08/05
    staspinar

    The Win32.Almanahe.B virus uses shared directories on the network and USB. On the USB it creates an autorun file and infects some of the Win32 executable applications. It also copies itself to Win32 apps in shared directories.

    I can't get any warning from the infected machine. But when I use the USB on another machine which has BitDefender installed, BitDefender moves all infected Win32 files to quarantine. But the autorun file still exists on the USB.

    On another machine which has a shared directory with Win32 executable files, the virus copies itself to the Win32 executable files and we get the same action from BitDefender as on the USB.

    The Spy Doctor program, with its active scan process, can prevent the virus from accessing C:\Windows\linkinfo.dll and gives a message that Trojan-Downloader tried to access the above-mentioned file.

    The question is: how can I remove the service that uses link.info dll from the machine which is infected by Win32.Almanahe.B?

    Thanks for your attention...
     
    Last edited: 2007/08/06
  11. 2007/08/05
    noahdfear

    That's helpful info. Thank you.

    Let's see if we can find linkinfo.

    Download GMER

    Unzip it to the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.

    And, let's get rid of that autorun.

    Please download Flash_Disinfector by sUBs and save it to your desktop:

    Plug in your USB flash drive.
    Double-click Flash_Disinfector.exe to run it.
    Follow any prompts that may appear.
    Your desktop will vanish for a while, and then reappear. This is normal.
    Wait until the program has finished scanning, then please exit the program.
     
  12. 2007/08/06
    staspinar

    GMER log - I

    GMER 1.0.13.12551 - http://www.gmer.net
    Rootkit scan 2007-08-06 08:26:58
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.13 ----

    SSDT 8236C1C8 ZwAllocateVirtualMemory
    SSDT 81FC7D9C ZwClose
    SSDT 81FC7DAE ZwDeleteKey
    SSDT 81FC7DB4 ZwDeleteValueKey
    SSDT 81FC7D96 ZwEnumerateKey
    SSDT 81FC7D90 ZwLoadDriver
    SSDT 81FC7DA2 ZwQueryDirectoryFile
    SSDT 8236C240 ZwQueueApcThread
    SSDT 8236B020 ZwReadVirtualMemory
    SSDT 823B0600 ZwRenameKey
    SSDT 81FC7DA8 ZwSaveKey
    SSDT 82399020 ZwSetInformationKey
    SSDT 8236C588 ZwSetInformationProcess
    SSDT 8236C3A8 ZwSetInformationThread
    SSDT 8236C510 ZwSuspendProcess
    SSDT 8235E168 ZwTerminateProcess
    SSDT 8236C420 ZwTerminateThread

    ---- User code sections - GMER 1.0.13 ----

    .text C:\WINDOWS\Explorer.EXE[588] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[588] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[588] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[588] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[588] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[588] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[588] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[588] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[588] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[588] WS2_32.dll!accept 71AB1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe[964] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\RunDll32.exe[1068] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Softwin\BitDefender8\bdoesrv.exe[1120] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Winamp\winampa.exe[1196] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1212] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1212] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 8F, FF, C3, 83 ]
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1212] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1212] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1212] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1212] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1212] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1212] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1212] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1212] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1212] WS2_32.dll!accept 71AB1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\ctfmon.exe[1236] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[1564] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[1564] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 10002D10 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[1564] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[1564] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 10003020 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[1564] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[1564] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[1564] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[1564] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 10002A60 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[1564] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 10003060 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[1564] WS2_32.dll!accept 71AB1028 5 Bytes JMP 10002F30 C:\WINDOWS\System32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2080] ntdll.dll!KiUserExceptionDispatcher + 9 7C8FEAF5 5 Bytes JMP 00016B10 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2080] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 000129B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2080] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00012AB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2080] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 000129B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2080] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 50763090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2080] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00012A60 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2080] kernel32.dll!VirtualFree 7C809AE4 5 Bytes JMP 00012A90 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Documents and Settings\kemal\Desktop\gmer\gmer.exe[4060] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
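    To make sense of a GMER "User code sections" listing like the one above, here is an added triage script (my own example, not GMER's or the forum's code) that parses those lines, groups the hooks by the module that receives control, and flags foreign DLLs that hook winsock or LoadLibraryA across several processes. The sample lines are a constructed subset of the log above; the flag thresholds are my assumptions, not anything GMER reports.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of the GMER 1.0.13 "User code sections" output posted above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\Explorer.EXE[588] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[588] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\Explorer.EXE[588] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\system32\ctfmon.exe[1236] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
.text C:\WINDOWS\System32\alg.exe[1564] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\System32\sockspy.dll
.text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[2080] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 000129B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1212] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 8F, FF, C3, 83 ]
"""

# One hook line as GMER prints it:
#   .text <process>[<pid>] <dll>!<export>[ + <off>] <addr> <n> Bytes (JMP <dest> <module> | [ bytes ])
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<api>\S+!\S+)(?:\s+\+\s+[0-9A-Fa-f]+)?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<dest>[0-9A-Fa-f]+)\s+(?P<module>.+)$")

# Winsock exports whose hooking lets a module see or alter every socket operation.
NETWORK_APIS = {"send", "sendto", "recv", "recvfrom", "connect", "bind",
                "listen", "accept", "closesocket", "gethostbyname"}

# Assumed threshold: a DLL hooking this many unrelated processes is worth a look.
MIN_PROCESSES_TO_FLAG = 3


@dataclass
class Hook:
    process: str
    pid: int
    api: str                 # e.g. "WS2_32.dll!send"
    target: Optional[str]    # module the JMP lands in; None for a raw byte patch


def parse_hooks(text: str) -> List[Hook]:
    """Parse GMER user-mode hook lines; lines that do not match are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        j = JMP_RE.match(m.group("rest"))
        hooks.append(Hook(process=m.group("proc"), pid=int(m.group("pid")),
                          api=m.group("api"),
                          target=j.group("module").strip() if j else None))
    return hooks


def summarize_by_target(hooks: List[Hook]) -> Dict[str, dict]:
    """Group hooks by the module that receives control (case-folded path)."""
    summary = defaultdict(lambda: {"processes": set(), "apis": set()})
    for h in hooks:
        key = (h.target or "<inline byte patch>").lower()
        summary[key]["processes"].add(f"{h.process}[{h.pid}]")
        summary[key]["apis"].add(h.api)
    return summary


def triage(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Heuristic flags for the analyst: module -> list of reasons."""
    findings = defaultdict(list)
    for module, info in summarize_by_target(hooks).items():
        if module.startswith("<"):
            continue  # raw byte patches carry no module to attribute
        # A process hooking its own imports (packers, AV self-protection) is
        # far less interesting than a DLL hooking other processes.
        foreign = {p for p in info["processes"] if not p.lower().startswith(module)}
        if not foreign:
            continue
        names = {api.split("!", 1)[1].lower() for api in info["apis"]}
        if names & NETWORK_APIS:
            findings[module].append(f"hooks winsock APIs {sorted(names & NETWORK_APIS)}")
        if len(foreign) >= MIN_PROCESSES_TO_FLAG:
            findings[module].append(f"injected into {len(foreign)} processes")
        if "loadlibrarya" in names:
            findings[module].append("hooks LoadLibraryA (observes every DLL load)")
    return dict(findings)


if __name__ == "__main__":
    for module, reasons in triage(parse_hooks(SAMPLE_LOG)).items():
        print(module)
        for r in reasons:
            print("  -", r)
```

    Cross-check any flagged module against the AppInit_DLLs value in the DSS/HijackThis output (here sockspy.dll appears there too), since that is the loader that puts one DLL into every user-mode process.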
     
  13. 2007/08/06
    staspinar

    GMER log - II

    ---- Kernel IAT/EAT - GMER 1.0.13 ----

    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 8236BEB0
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 8236BFA8
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 8236BFA8
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 8236BEB0
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 8236BEB0
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 8236BFA8
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 8236BFA8
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 8236BEB0
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 8236BFA8
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 8236BEB0
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 8236BFA8
    IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisRegisterProtocol] 8236BFA8
    IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisDeregisterProtocol] 8236BEB0
    IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] 8236BEB0
    IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] 8236BFA8
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 8236BFA8
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 8236BEB0

    ---- Devices - GMER 1.0.13 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F8558E40] SSFS0BB8.SYS

    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 822E5828
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 8221D780
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 821AF2B8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 82243790
    Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 822464D8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 821B84D8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 8225C3C0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 821B99F0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 82219440
    Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 821C0970
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 82202FA8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 8220DFA8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 8220D138
    Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 821C4610
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 820581C0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL 82031120
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 820111C0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 81FDF120
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 81FDC1C0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 820151C0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 820481C0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 8203F120
    Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 8203C1C0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 820351C0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 8202E1C0
    Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 8202B120
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 8205E120
    Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 82055120
     
  14. 2007/08/06
    staspinar

    GMER log - III

    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 822E5828
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 8221D780
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 821AF2B8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 82243790
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 822464D8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 821B84D8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 8225C3C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 821B99F0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 82219440
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 821C0970
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 82202FA8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 8220DFA8
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 8220D138
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 821C4610
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 820581C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL 82031120
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 820111C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 81FDF120
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 81FDC1C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 820151C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 820481C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 8203F120
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 8203C1C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 820351C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 8202E1C0
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 8202B120
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 8205E120
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 82055120
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 822E5828
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 8221D780
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE 821AF2B8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 82243790
    Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 822464D8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 821B84D8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 8225C3C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 821B99F0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 82219440
    Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 821C0970
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 82202FA8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 8220DFA8
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 8220D138
    Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 821C4610
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL 820581C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL 82031120
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 820111C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 81FDF120
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP 81FDC1C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 820151C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 820481C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 8203F120
    Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 8203C1C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 820351C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 8202E1C0
    Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 8202B120
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 8205E120
    Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 82055120
     
  15. 2007/08/06
    staspinar (Thread Starter)
    GMER log - IV

    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 822E5828
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 8221D780
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE 821AF2B8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 82243790
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 822464D8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 821B84D8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 8225C3C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 821B99F0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 82219440
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 821C0970
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 82202FA8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 8220DFA8
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 8220D138
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 821C4610
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL 820581C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL 82031120
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 820111C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 81FDF120
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP 81FDC1C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 820151C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 820481C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 8203F120
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 8203C1C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 820351C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 8202E1C0
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 8202B120
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 8205E120
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 82055120
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 822E5828
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 8221D780
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE 821AF2B8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 82243790
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 822464D8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 821B84D8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 8225C3C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 821B99F0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 82219440
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 821C0970
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 82202FA8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 8220DFA8
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 8220D138
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 821C4610
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL 820581C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL 82031120
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 820111C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 81FDF120
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP 81FDC1C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 820151C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 820481C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 8203F120
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 8203C1C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 820351C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 8202E1C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 8202B120
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 8205E120
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 82055120

    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F8558E40] SSFS0BB8.SYS
     
  16. 2007/08/06
    staspinar (Thread Starter)
    GMER log - V

    ---- Processes - GMER 1.0.13 ----

    Library C:\WINDOWS\system32\linkinfo.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [588] 0x76970000

    ---- Services - GMER 1.0.13 ----

    Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] NWCWorkstation <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.13 ----

    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation@Type 32
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation@Start 2
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation@ErrorControl 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation@DisplayName Netware i?in ?stemci Hizmeti
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation@Group NetworkProvider
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation@ObjectName LocalSystem
    Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation@Description NetWare a?lar?nda dosya veya yaz?c? kaynaklar?na eri?im sa?lar.
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation@Type 32
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation@Start 2
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation@ErrorControl 1
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation@DisplayName Netware i?in ?stemci Hizmeti
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation@Group NetworkProvider
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation@ObjectName LocalSystem
    Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\NWCWorkstation@Description NetWare a?lar?nda dosya veya yaz?c? kaynaklar?na eri?im sa?lar.
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation@Type 32
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation@Start 2
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation@ErrorControl 1
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation@DisplayName Netware i?in ?stemci Hizmeti
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation@Group NetworkProvider
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation@ObjectName LocalSystem
    Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation@Description NetWare a?lar?nda dosya veya yaz?c? kaynaklar?na eri?im sa?lar.

    ---- Files - GMER 1.0.13 ----

    ADS C:\Documents and Settings\soforler\Local Settings\Application Data\Microsoft\Messenger\serdar.avci@hotmail.com\SharingMetadata\kardelenler078@hotmail.com\DFSR\Staging\CS{230D6C70-E9A8-5B08-BF3B-EDC9B7A47A44}\01\10-{230D6C70-E9A8-5B08-BF3B-EDC9B7A47A44}-v1-{153E13D6-C32C-40B7-8E98-EC2950CDBB3F}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
    ADS C:\Documents and Settings\soforler\Local Settings\Application Data\Microsoft\Messenger\serdar.avci@hotmail.com\SharingMetadata\kardelenler078@hotmail.com\DFSR\Staging\CS{230D6C70-E9A8-5B08-BF3B-EDC9B7A47A44}\11\11-{153E13D6-C32C-40B7-8E98-EC2950CDBB3F}-v11-{153E13D6-C32C-40B7-8E98-EC2950CDBB3F}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
    ADS C:\Documents and Settings\soforler\Local Settings\Application Data\Microsoft\Messenger\serdar.avci@hotmail.com\SharingMetadata\kardelenler078@hotmail.com\DFSR\Staging\CS{230D6C70-E9A8-5B08-BF3B-EDC9B7A47A44}\11\11-{153E13D6-C32C-40B7-8E98-EC2950CDBB3F}-v11-{153E13D6-C32C-40B7-8E98-EC2950CDBB3F}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
    ADS C:\Documents and Settings\soforler\Local Settings\Application Data\Microsoft\Messenger\serdar.avci@hotmail.com\SharingMetadata\kardelenler078@hotmail.com\DFSR\Staging\CS{230D6C70-E9A8-5B08-BF3B-EDC9B7A47A44}\11\11-{153E13D6-C32C-40B7-8E98-EC2950CDBB3F}-v11-{153E13D6-C32C-40B7-8E98-EC2950CDBB3F}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
    ADS C:\Documents and Settings\suruculer\Local Settings\Application Data\Microsoft\Messenger\serdar.avci@hotmail.com\SharingMetadata\kardelenler078@hotmail.com\DFSR\Staging\CS{230D6C70-E9A8-5B08-BF3B-EDC9B7A47A44}\01\10-{230D6C70-E9A8-5B08-BF3B-EDC9B7A47A44}-v1-{77BD7B1C-0BB7-40F0-8E94-7D9DB830382A}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
    ADS C:\Documents and Settings\suruculer\Local Settings\Application Data\Microsoft\Messenger\serdar.avci@hotmail.com\SharingMetadata\kardelenler078@hotmail.com\DFSR\Staging\CS{230D6C70-E9A8-5B08-BF3B-EDC9B7A47A44}\11\11-{77BD7B1C-0BB7-40F0-8E94-7D9DB830382A}-v11-{77BD7B1C-0BB7-40F0-8E94-7D9DB830382A}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
    ADS C:\Documents and Settings\suruculer\Local Settings\Application Data\Microsoft\Messenger\serdar.avci@hotmail.com\SharingMetadata\kardelenler078@hotmail.com\DFSR\Staging\CS{230D6C70-E9A8-5B08-BF3B-EDC9B7A47A44}\11\11-{77BD7B1C-0BB7-40F0-8E94-7D9DB830382A}-v11-{77BD7B1C-0BB7-40F0-8E94-7D9DB830382A}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
    ADS C:\Documents and Settings\suruculer\Local Settings\Application Data\Microsoft\Messenger\serdar.avci@hotmail.com\SharingMetadata\kardelenler078@hotmail.com\DFSR\Staging\CS{230D6C70-E9A8-5B08-BF3B-EDC9B7A47A44}\11\11-{77BD7B1C-0BB7-40F0-8E94-7D9DB830382A}-v11-{77BD7B1C-0BB7-40F0-8E94-7D9DB830382A}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
    File C:\WINDOWS\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
    File C:\WINDOWS\$NtUninstallKB900725$\linkinfo.dll
    File C:\WINDOWS\linkinfo.dll
    File C:\WINDOWS\system32\dllcache\linkinfo.dll
    File C:\WINDOWS\system32\drivers\nvmini.sys <-- ROOTKIT !!!
    File C:\WINDOWS\system32\linkinfo.dll

    ---- Services - GMER 1.0.13 ----

    Service C:\WINDOWS\system32\DRIVERS\nvmini.sys [AUTO] nvmini <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.13 ----
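GMER lists a device's IRP dispatch entries when they do not point into the driver image it expects, so the Tcpip rows above (GMER logs II to IV) are not a dump of normal state: every \Device\Ip, \Device\Tcp, \Device\Udp, \Device\RawIp and \Device\IPMULTICAST major function resolves to the same set of 0x81F...0x823 addresses, which on a 32-bit XP kernel sit in the pool range above the kernel image rather than where tcpip.sys is mapped, and GMER names no module for them. The Fastfat rows, by contrast, carry `[F8558E40] SSFS0BB8.SYS`, the Spy Sweeper file-system filter that the ComboFix log further down dates to 2007-08-05 (installed during this clean-up, so expected). The script below is an added example, not code from the thread or from GMER: it parses both row formats and decides, per dispatch entry, whether the handler lives in the owning driver, in another loaded and named module, or in no loaded image at all. The module ranges and the driver-to-image pairing are constructed placeholders; on a real case take them from GMER's module list or from WinDbg's `lm`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in the line format GMER 1.0.13 uses for IRP dispatch
# entries; the rows mirror the shape of the thread's logs but are trimmed.
SAMPLE_LOG = """\
Device \\Driver\\Tcpip \\Device\\Ip IRP_MJ_CREATE 822E5828
Device \\Driver\\Tcpip \\Device\\Ip IRP_MJ_DEVICE_CONTROL 820581C0
Device \\Driver\\Tcpip \\Device\\Tcp IRP_MJ_CREATE 822E5828
Device \\Driver\\Tcpip \\Device\\Tcp IRP_MJ_WRITE 822464D8
AttachedDevice \\FileSystem\\Fastfat \\Fat IRP_MJ_CREATE [F8558E40] SSFS0BB8.SYS
AttachedDevice \\FileSystem\\Fastfat \\Fat IRP_MJ_WRITE [F8558E40] SSFS0BB8.SYS
"""

# Constructed module map (assumption): image base and size of each loaded
# kernel module. In practice take these from GMER's "Modules" section or from
# WinDbg's `lm`; the values here are placeholders in the range where 32-bit XP
# loads drivers, chosen so the example runs offline.
MODULE_MAP: Dict[str, tuple] = {
    "ntoskrnl.exe": (0x804D7000, 0x1F8000),
    "tcpip.sys": (0xF7A00000, 0x05C000),
    "fastfat.sys": (0xF8400000, 0x024000),
    "SSFS0BB8.SYS": (0xF8550000, 0x00B000),
}

# Driver object -> image that should own its dispatch table (assumption; GMER's
# driver/module listing gives the real pairing on a live system).
DRIVER_IMAGE: Dict[str, str] = {
    "\\Driver\\Tcpip": "tcpip.sys",
    "\\FileSystem\\Fastfat": "fastfat.sys",
}

LINE_RE = re.compile(
    r"^(?P<kind>Device|AttachedDevice)\s+"
    r"(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+"
    r"(?P<irp>IRP_MJ_\w+)\s+"
    r"(?:\[(?P<addr_br>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<addr>[0-9A-Fa-f]+))\s*$"
)


@dataclass
class IrpEntry:
    kind: str              # "Device" or "AttachedDevice"
    driver: str            # driver object, e.g. \Driver\Tcpip
    device: str            # device object, e.g. \Device\Tcp
    irp: str               # IRP_MJ_* major function
    handler: int           # dispatch routine address
    module: Optional[str]  # module GMER named, if any (AttachedDevice rows)
    verdict: str = ""      # filled in by classify()


def parse_gmer_irp_lines(text: str) -> List[IrpEntry]:
    """Parse Device/AttachedDevice rows; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = m.group("addr") or m.group("addr_br")
        entries.append(IrpEntry(m.group("kind"), m.group("driver"), m.group("device"),
                                m.group("irp"), int(addr, 16), m.group("module")))
    return entries


def owner_of(addr: int, module_map: Dict[str, tuple]) -> Optional[str]:
    """Return the module whose [base, base+size) range contains addr, else None."""
    for name, (base, size) in module_map.items():
        if base <= addr < base + size:
            return name
    return None


def classify(entries: List[IrpEntry], module_map: Dict[str, tuple]) -> List[IrpEntry]:
    """Label each dispatch entry by where its handler lives.

    in-image           handler inside the driver's own image (nothing to see)
    third-party-filter handler inside another loaded, named module (e.g. an AV filter)
    unknown-memory     handler in no loaded image at all, i.e. pool or an unlisted
                       driver: the pattern a kernel-mode hook leaves behind
    """
    for e in entries:
        owner = owner_of(e.handler, module_map)
        if owner is None:
            e.verdict = "unknown-memory"
        elif owner == DRIVER_IMAGE.get(e.driver):
            e.verdict = "in-image"
        else:
            e.verdict = "third-party-filter"
    return entries


def suspicious_handlers(entries: List[IrpEntry],
                        module_map: Dict[str, tuple]) -> Dict[str, Set[int]]:
    """Map each driver to the distinct handler addresses that fall in unknown memory."""
    out: Dict[str, Set[int]] = {}
    for e in classify(entries, module_map):
        if e.verdict == "unknown-memory":
            out.setdefault(e.driver, set()).add(e.handler)
    return out


if __name__ == "__main__":
    found = suspicious_handlers(parse_gmer_irp_lines(SAMPLE_LOG), MODULE_MAP)
    for drv, addrs in found.items():
        print(f"{drv}: {len(addrs)} dispatch handler(s) outside any loaded image:",
              ", ".join(f"{a:08X}" for a in sorted(addrs)))
```

Feed a whole GMER log to `parse_gmer_irp_lines`; whatever `suspicious_handlers` returns is an address to pull out of memory (WinDbg `u <addr>`, or a memory image) and attribute by hand, because GMER could not name its owner.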
     
  17. 2007/08/06
    staspinar (Thread Starter)
    Flash_Disinfector

    I've run Flash_Disinfector.exe. It ended normally without any warning. But GMER.EXE was infected by Win32.Almanahe.B again...
     
  18. 2007/08/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download ComboFix by sUBs from Here or Here, saving the file to your Desktop.

    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    Rootkit::
    C:\WINDOWS\linkinfo.dll
    C:\WINDOWS\system32\drivers\nvmini.sys 
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvmini]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.
     
  19. 2007/08/06
    staspinar (Thread Starter)
    log

    I have finished this process; the logs are below.

    ComboFix 07-08-04.3 - "kemal" 2007-08-06 17:49:44.1 [GMT 3:00] - NTFS
    Microsoft Windows XP Professional 5.1.2600.2.1254.1.1055.18.Doğru
    Command switches used :: C:\Documents and Settings\kemal\Desktop\combofix\CFScript.txt
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\linkinfo.dll
    C:\WINDOWS\system32\drivers\nvmini.sys


    ((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))


    2007-08-06 17:49 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-06 08:31 26,112 --a------ C:\WINDOWS\system32\nircmd.exe
    2007-08-06 08:28 <DIR> d-------- C:\autorun.inf
    2007-08-05 21:38 <DIR> d-------- C:\Deckard
    2007-08-05 20:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1.SRC\APPLIC~1\Webroot
    2007-08-05 20:44 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
    2007-08-05 19:39 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-08-05 19:39 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-08-05 19:39 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
    2007-08-05 19:39 163,128 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-08-05 19:39 1,521,464 --a------ C:\WINDOWS\WRSetup.dll
    2007-08-05 19:39 <DIR> d-------- C:\Program Files\Webroot
    2007-08-05 19:39 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
    2007-08-05 19:39 <DIR> d-------- C:\DOCUME~1\kemal\APPLIC~1\Webroot
    2007-08-05 19:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
    2007-08-05 17:42 <DIR> d-------- C:\DOCUME~1\ADMINI~1.SRC\APPLIC~1\SUPERAntiSpyware.com
    2007-08-05 17:31 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-08-05 17:31 <DIR> d-------- C:\DOCUME~1\kerim\APPLIC~1\SUPERAntiSpyware.com
    2007-08-05 17:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-08-05 15:13 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
    2007-08-05 15:13 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
    2007-08-05 15:13 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
    2007-08-05 15:13 129,784 --------- C:\WINDOWS\system32\pxafs.dll
    2007-08-05 15:13 <DIR> d-------- C:\Program Files\Winamp
    2007-08-05 15:08 <DIR> d-------- C:\Program Files\Lavasoft
    2007-08-05 15:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-08-05 15:01 <DIR> d-------- C:\Program Files\MSBuild
    2007-08-05 14:56 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2007-08-05 14:55 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2007-08-05 14:55 <DIR> d-------- C:\Program Files\Reference Assemblies
    2007-08-05 14:54 <DIR> d-------- C:\56cb65ab832e8027d529c9f455566c
    2007-08-05 14:53 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-08-05 14:52 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-08-05 14:52 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-08-05 14:51 <DIR> d-------- C:\WINDOWS\system32\tr-tr
    2007-08-05 14:51 <DIR> d-------- C:\WINDOWS\network diagnostic
    2007-08-05 14:47 <DIR> d-------- C:\Software
    2007-08-05 14:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-08-05 14:29 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
    2007-08-05 14:28 <DIR> d-------- C:\WINDOWS\RegisteredPackages
    2007-08-05 14:27 <DIR> d-------- C:\Program Files\LiraConv
    2007-08-05 14:09 1,048,576 --ah----- C:\DOCUME~1\kemal\NTUSER.DAT
    2007-08-05 14:09 <DIR> dr------- C:\DOCUME~1\kemal\Sık Kullanılanlar
    2007-08-05 14:09 <DIR> dr------- C:\DOCUME~1\kemal\Belgelerim
    2007-08-05 14:01 45,568 -----c--- C:\WINDOWS\system32\dllcache\mshta.exe
    2007-08-05 14:01 45,568 --------- C:\WINDOWS\system32\mshta.exe
    2007-08-05 14:00 69,120 -----c--- C:\WINDOWS\system32\dllcache\iedw.exe
    2007-08-05 14:00 625,152 -----c--- C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-08-05 14:00 56,832 -----c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-08-05 13:45 786,432 --ah----- C:\DOCUME~1\kerim\NTUSER.DAT
    2007-08-05 13:45 <DIR> dr------- C:\DOCUME~1\kerim\Sık Kullanılanlar
    2007-08-05 13:45 <DIR> dr------- C:\DOCUME~1\kerim\Belgelerim
    2007-08-04 19:55 20,480 --a------ C:\WINDOWS\system32\normaliz.dll
    2007-08-04 19:41 524,288 --ah----- C:\DOCUME~1\SOFORL~1.BIM\NTUSER.DAT
    2007-08-04 19:41 <DIR> dr------- C:\DOCUME~1\SOFORL~1.BIM\Sık Kullanılanlar
    2007-08-04 19:41 <DIR> dr------- C:\DOCUME~1\SOFORL~1.BIM\Belgelerim
    2007-08-04 19:38 786,432 --ah----- C:\DOCUME~1\mensari\NTUSER.DAT
    2007-08-04 19:38 <DIR> dr------- C:\DOCUME~1\mensari\Sık Kullanılanlar
    2007-08-04 19:38 <DIR> dr------- C:\DOCUME~1\mensari\Belgelerim
    2007-08-04 19:29 <DIR> d-------- C:\WINDOWS\system32\URTTemp
    2007-08-03 18:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1.SRC\APPLIC~1\Lavasoft
    2007-08-02 08:11 <DIR> d---s---- C:\DOCUME~1\ADMINI~1.SRC\UserData
    2007-07-31 09:29 <DIR> d-------- C:\DOCUME~1\soforler\APPLIC~1\Talkback
    2007-07-30 16:41 0 --a------ C:\WINDOWS\nsreg.dat
    2007-07-30 16:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1.SRC\APPLIC~1\Talkback


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-05 15:02 79898 --a------ C:\WINDOWS\system32\perfc01F.dat
    2007-08-05 15:02 423344 --a------ C:\WINDOWS\system32\perfh01F.dat
    2007-07-30 16:36 81984 --a------ C:\WINDOWS\system32\bdod.bin
    2007-07-30 11:30 14 --a------ C:\WINDOWS\system32\getfile.dat
    2007-05-16 18:14 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 18:14 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 18:13 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 18:13 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 18:13 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 18:13 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
    2007-05-08 11:56 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-03-16 16:13 461 --a------ C:\Program Files\INSTALL.LOG


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-09-07 16:51]
    "Cmaudio "= "cmicnfg.cpl" []
    "BDNewsAgent "= "C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [2005-05-09 12:19]
    "BDOESRV "= "C:\Program Files\Softwin\BitDefender8\bdoesrv.exe" [2005-03-11 18:53]
    "BDMCon "= "C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [2006-04-06 12:36]
    "WinampAgent "= "C:\Program Files\Winamp\winampa.exe" [2007-05-15 01:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45]

    C:\Documents and Settings\All Users\Start Menu\Programlar\Başlangıç\
    Adobe Reader Hızlı Çalıştırma.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoAutoUpdate "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=sockspy.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 nwprovau

    R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
    R0 SSHRMD;Spy Sweeper Hookrack MiniDriver;C:\WINDOWS\system32\Drivers\SSHRMD.SYS
    R0 SSIDRV;Spy Sweeper Interdiction Driver;C:\WINDOWS\system32\Drivers\SSIDRV.SYS
    R0 uagp35;Microsoft AGPv3.5 Süzgeci;C:\WINDOWS\system32\DRIVERS\uagp35.sys
    R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    R2 BDLM;BitDefender Local Manager; "C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service
    R2 LIVESRV_EM;BitDefender Enterprise Update Service; "C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe" /service
    R3 BDRsDrv;BDRsDrv;\??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys
    R3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\system32\drivers\cmuda.sys
    R3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Sürücüsü;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
    R3 irsir;Microsoft Seri Kızılötesi Sürücü;C:\WINDOWS\system32\DRIVERS\irsir.sys
    R3 ms_mpu401;Microsoft MPU-401 MIDI UART Sürücüsü;C:\WINDOWS\system32\drivers\msmpu401.sys
    R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\system32\Drivers\sskbfd.sys
    S2 nvmini;NVIDIA Compatible Windows Miniport Driver;C:\WINDOWS\system32\DRIVERS\nvmini.sys
    S2 NWCWorkstation;Netware için İstemci Hizmeti;C:\WINDOWS\system32\svchost.exe -k netsvcs
    S3 idsvc;Windows CardSpace; "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe "
    S3 NWRDR;NetWare Rdr;C:\WINDOWS\system32\DRIVERS\nwrdr.sys
    S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Usnsvc usnsvc


    Contents of the 'Scheduled Tasks' folder
    2007-08-05 23:00:02 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-06 17:52:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-06 17:55:31 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-06 17:55

    --- E O F ---
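The CFScript in post 18 removes two files and one service key, and the ComboFix log above confirms only half of that: `C:\WINDOWS\system32\drivers\nvmini.sys` appears under Other Deletions, yet the service list a few screens later still carries `S2 nvmini;...;C:\WINDOWS\system32\DRIVERS\nvmini.sys`. The file is gone but its service entry survived, so the Service Control Manager will keep trying to load it at every boot (Start=2, automatic) and the key is ready for reuse by anything that drops the driver back. The script below is an added example, not part of the thread or of ComboFix: it cross-checks the deletions block against the service rows of a ComboFix log and reports every service whose ImagePath points at a file the tool says it removed. The sample log is a constructed excerpt in ComboFix's format, and the `%SystemRoot%` expansion assumes the default `C:\WINDOWS`.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed excerpt in the shape of a ComboFix log: the "Other Deletions"
# block plus a handful of service rows, trimmed so the check runs offline.
SAMPLE_COMBOFIX = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\\WINDOWS\\linkinfo.dll
C:\\WINDOWS\\system32\\drivers\\nvmini.sys

((((((((((((((((((((((((( Files Created from 2007-07-06 to 2007-08-06 )))))))))))))))))))))))))))))))

2007-08-05 19:39 20,280 --a------ C:\\WINDOWS\\system32\\drivers\\SSFS0BB8.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\\WINDOWS\\system32\\Drivers\\SSFS0BB8.SYS
R1 SASDIFSV;SASDIFSV;\\??\\C:\\Program Files\\SUPERAntiSpyware\\SASDIFSV.SYS
S2 nvmini;NVIDIA Compatible Windows Miniport Driver;C:\\WINDOWS\\system32\\DRIVERS\\nvmini.sys
S2 NWCWorkstation;Client Service for NetWare;C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
"""

# Section banners look like "(((( Title ))))"; service rows are "<R|S><start> name;display;image".
HEADER_RE = re.compile(r"^\(+\s*(?P<title>[^)]+?)\s*\)+$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$")
# First token ending in .sys/.exe/.dll, with optional quotes; anything after it is arguments.
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.(?:sys|exe|dll))"?(?:\s.*)?$', re.IGNORECASE)

START_TYPE = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


@dataclass
class Service:
    name: str
    state: str    # R = running, S = stopped (ComboFix's first column)
    start: int    # SERVICE_*_START value, 0..4 (ComboFix's second column)
    display: str
    image: str    # normalised binary path, arguments stripped


def normalize_path(raw: str) -> str:
    """Lower-case a Windows path, drop the \\??\\ prefix and quotes, expand %SystemRoot%."""
    p = raw.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    # Assumption: default install directory; on a real box read it from the log header.
    p = re.sub(r"%systemroot%", lambda _m: "C:\\WINDOWS", p, flags=re.IGNORECASE)
    return p.lower()


def section(text: str, title: str) -> List[str]:
    """Non-empty lines between the banner whose title contains `title` and the next banner."""
    out, inside = [], False
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            inside = title.lower() in m.group("title").lower()
            continue
        if inside and line.strip():
            out.append(line.strip())
    return out


def deleted_files(text: str) -> Set[str]:
    """Paths ComboFix reports under Other Deletions, normalised for comparison."""
    return {normalize_path(line) for line in section(text, "Other Deletions")}


def parse_services(text: str) -> List[Service]:
    """Every R*/S* service row in the log, wherever it appears."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        im = IMAGE_RE.match(m.group("image").strip())
        image = normalize_path(im.group("path") if im else m.group("image"))
        services.append(Service(m.group("name"), m.group("state"), int(m.group("start")),
                                m.group("display"), image))
    return services


def orphaned_services(text: str) -> List[Service]:
    """Services whose ImagePath points at a file ComboFix reports as deleted."""
    gone = deleted_files(text)
    return [s for s in parse_services(text) if s.image in gone]


def loads_at_boot(svc: Service) -> bool:
    """True when the SCM will try to start this entry without any user action."""
    return svc.start in (0, 1, 2)


if __name__ == "__main__":
    for s in orphaned_services(SAMPLE_COMBOFIX):
        status = "will retry at boot" if loads_at_boot(s) else "inert until started"
        print(f"{s.name}: start={START_TYPE[s.start]} image={s.image} ({status})")
```

An orphan reported here means the `Registry::` part of the script did not take effect and needs to be rerun, or the key removed by hand, before the machine is declared clean.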
     
  20. 2007/08/06
    noahdfear
    Please post the ComboFix-quarantined-files.txt log located in C:

    I believe the NWCWorkstation service gmer identified as a rootkit is the legitimate Client Service for NetWare service, though I can't interpret some of the values listed for it, such as;

    DisplayName Netware i?in ?stemci Hizmeti
    and
    Description NetWare a?lar?nda dosya veya yaz?c? kaynaklar?na eri?im sa?lar

    Or is that just gibberish? Can you confirm?

    Please run gmer again and post the new log.

    Plug the USB device in again and let me know if you get another infected warning.
     
  21. 2007/08/07
    staspinar (Thread Starter)
    Content of ComboFix-quarantined-files.txt

    Code:
    2007-08-04 20:00      46592    --a------    C:\Qoobox\Quarantine\C\WINDOWS\linkinfo.dll.vir
    2007-08-06 17:51      17152    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\nvmini.sys.vir
    2007-08-06 17:51      311    --a------    C:\Qoobox\Quarantine\catchme.log
    2007-08-06 17:51      41237    --a------    C:\Qoobox\Quarantine\catchme2007-08-06_175251.18.zip
    
    
    Folder PATH listing
    Volume serial number 30C1-86B9
    C:\QOOBOX
    \---Quarantine
        |   catchme.log
        |   catchme2007-08-06_175251.18.zip
        |   
        +---C
        |   \---WINDOWS
        |       |   linkinfo.dll.vir
        |       |   
        |       \---system32
        |           \---drivers
        |                   nvmini.sys.vir
        |                   
        \---Registry_backups
    
     
