
How To Remove Trojan-Downloader.Agent!sd5 (Win32.Almanahe.B)

Discussion in 'Malware and Virus Removal Archive' started by staspinar, 2007/08/05.

  1. 2007/08/07
    staspinar

    staspinar Inactive Thread Starter

    Joined:
    2007/08/05
    Messages:
    26
    Likes Received:
    0
    As you said, this is the Client Service for NetWare service, and it's in the Turkish language.
     
  2. 2007/08/07
    staspinar

    staspinar Inactive Thread Starter

    Joined:
    2007/08/05
    Messages:
    26
    Likes Received:
    0
    GMER log - I

    GMER 1.0.13.12551 - http://www.gmer.net
    Rootkit scan 2007-08-07 08:06:21
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.13 ----

    SSDT 8238DB48 ZwAllocateVirtualMemory
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwClose
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwCreateKey
    SSDT 823D0AF8 ZwCreateProcess
    SSDT 823A81E8 ZwCreateProcessEx
    SSDT 8238DE18 ZwCreateThread
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwDeleteKey
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwDeleteValueKey
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwEnumerateKey
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwEnumerateValueKey
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwFlushKey
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwLoadKey
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdfsdrv.sys ZwOpenFile
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwOpenKey
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwQueryKey
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwQueryValueKey
    SSDT 8238DBC0 ZwQueueApcThread
    SSDT 8238DA58 ZwReadVirtualMemory
    SSDT 823AC1C8 ZwRenameKey
    SSDT 8238DCB0 ZwSetContextThread
    SSDT 823E5708 ZwSetInformationKey
    SSDT 823AB1E8 ZwSetInformationProcess
    SSDT 8238DD28 ZwSetInformationThread
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwSetValueKey
    SSDT 823D15A8 ZwSuspendProcess
    SSDT 8238DC38 ZwSuspendThread
    SSDT 823D2020 ZwTerminateProcess
    SSDT 8238DDA0 ZwTerminateThread
    SSDT \??\C:\Program Files\Softwin\BitDefender8\bdrsdrv.sys ZwUnloadKey
    SSDT 8238DAD0 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.13 ----

    .text ntoskrnl.exe!_abnormal_termination + 108 804E2764 1 Byte [ F8 ]
    .text ntoskrnl.exe!_abnormal_termination + 10A 804E2766 6 Bytes [ 3D, 82, E8, 81, 3A, 82 ]
    .text ntoskrnl.exe!_abnormal_termination + 168 804E27C4 1 Byte [ 6A ]
    .text ntoskrnl.exe!_abnormal_termination + 16A 804E27C6 2 Bytes [ 54, F5 ]
    ? ComboFix.sys Sistem belirtilen dosyayı bulamıyor.
    ? C:\DOCUME~1\kemal\LOCALS~1\Temp\catchme.sys Sistem belirtilen dosyayı bulamıyor.

    ---- User code sections - GMER 1.0.13 ----

    .text C:\WINDOWS\System32\alg.exe[356] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[356] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 10002D10 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[356] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[356] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 10003020 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[356] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[356] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[356] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[356] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 10002A60 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[356] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 10003060 C:\WINDOWS\System32\sockspy.dll
    .text C:\WINDOWS\System32\alg.exe[356] WS2_32.dll!accept 71AB1028 5 Bytes JMP 10002F30 C:\WINDOWS\System32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe[448] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00983090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe[448] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 00982D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe[448] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 00982CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe[448] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 00983020 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe[448] WS2_32.dll!connect 71AA406A 5 Bytes JMP 00982DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe[448] WS2_32.dll!send 71AA428A 5 Bytes JMP 00982AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe[448] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 00982D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe[448] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 00982A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe[448] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 00983060 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe[448] WS2_32.dll!accept 71AB1028 5 Bytes JMP 00982F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe[488] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00693090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe[516] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009A3090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe[516] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 009A2D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe[516] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 009A2CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe[516] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 009A3020 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe[516] WS2_32.dll!connect 71AA406A 5 Bytes JMP 009A2DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe[516] WS2_32.dll!send 71AA428A 5 Bytes JMP 009A2AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe[516] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 009A2D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe[516] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 009A2A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe[516] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 009A3060 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe[516] WS2_32.dll!accept 71AB1028 5 Bytes JMP 009A2F30 C:\WINDOWS\system32\sockspy.dll
     

  4. 2007/08/07
    staspinar

    staspinar Inactive Thread Starter

    Joined:
    2007/08/05
    Messages:
    26
    Likes Received:
    0
    GMER log - II

    .text C:\WINDOWS\system32\winlogon.exe[700] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!accept 71AB1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\ctfmon.exe[868] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Softwin\BitDefender8\bdoesrv.exe[1112] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe[1164] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\RunDll32.exe[1208] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] ntdll.dll!KiUserExceptionDispatcher + 9 7C8FEAF5 5 Bytes JMP 00016B10 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 000129B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00012AB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 000129B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 50763090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00012A60 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] kernel32.dll!VirtualFree 7C809AE4 5 Bytes JMP 00012A90 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 8F, FF, C3, 83 ]
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!accept 71AB1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Winamp\winampa.exe[1368] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!accept 71AB1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 003C3090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 003C2D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 003C2CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 003C3020 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!connect 71AA406A 5 Bytes JMP 003C2DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!send 71AA428A 5 Bytes JMP 003C2AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 003C2D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 003C2A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 003C3060 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!accept 71AB1028 5 Bytes JMP 003C2F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ F7, FB, C3, 83 ]
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!accept 71AB1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\Documents and Settings\kemal\Desktop\gmer.exe[3684] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll

    ---- Kernel IAT/EAT - GMER 1.0.13 ----
     
  5. 2007/08/07
    staspinar

    staspinar Inactive Thread Starter

    Joined:
    2007/08/05
    Messages:
    26
    Likes Received:
    0
    GMER log - III

    .text C:\WINDOWS\system32\winlogon.exe[700] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\winlogon.exe[700] WS2_32.dll!accept 71AB1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\services.exe[744] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\ctfmon.exe[868] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Softwin\BitDefender8\bdoesrv.exe[1112] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe[1164] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\system32\RunDll32.exe[1208] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] ntdll.dll!KiUserExceptionDispatcher + 9 7C8FEAF5 5 Bytes JMP 00016B10 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 000129B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00012AB0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 000129B0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 50763090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00012A60 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[1284] kernel32.dll!VirtualFree 7C809AE4 5 Bytes JMP 00012A90 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ 8F, FF, C3, 83 ]
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[1352] WS2_32.dll!accept 71AB1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Winamp\winampa.exe[1368] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
    .text C:\WINDOWS\Explorer.EXE[1404] WS2_32.dll!accept 71AB1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 003C3090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 003C2D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 003C2CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 003C3020 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!connect 71AA406A 5 Bytes JMP 003C2DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!send 71AA428A 5 Bytes JMP 003C2AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 003C2D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 003C2A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 003C3060 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe[1700] WS2_32.dll!accept 71AB1028 5 Bytes JMP 003C2F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ F7, FB, C3, 83 ]
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!sendto 71AA2C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!recvfrom 71AA2D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!bind 71AA3E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!connect 71AA406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!send 71AA428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!gethostbyname 71AA4FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!listen 71AA88D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!closesocket 71AA9639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll
    .text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1868] WS2_32.dll!accept 71AB1028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll
    .text C:\Documents and Settings\kemal\Desktop\gmer.exe[3684] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll

    ---- Kernel IAT/EAT - GMER 1.0.13 ----
     
  6. 2007/08/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Thanks for verification.

    Please click Start>Run and type (or copy and paste) the following commands, one at a time, hitting enter after each.

    sc stop nvmini
    sc delete nvmini


    Let me know if you receive any message.

    Now, open regedit and navigate to
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and see if the nvmini subkey exists.

    Reboot and check for the key again.
     
  7. 2007/08/07
    staspinar

    staspinar Inactive Thread Starter

    Joined:
    2007/08/05
    Messages:
    26
    Likes Received:
    0
    GMER log - IV

    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 82396848
    IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 8238D978
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 8238D978
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 82396848
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 82396848
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 8238D978
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 8238D978
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 82396848
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 8238D978
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 82396848
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 8238D978
    IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisRegisterProtocol] 8238D978
    IAT \SystemRoot\system32\DRIVERS\irda.sys[NDIS.SYS!NdisDeregisterProtocol] 82396848
    IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] 82396848
    IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] 8238D978
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 8238D978
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 82396848

    ---- Devices - GMER 1.0.13 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F8558E40] SSFS0BB8.SYS
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F8558E40] SSFS0BB8.SYS
     
  8. 2007/08/07
    staspinar

    staspinar Inactive Thread Starter

    Joined:
    2007/08/05
    Messages:
    26
    Likes Received:
    0
    GMER log - V

     
  9. 2007/08/07
    staspinar

    staspinar Inactive Thread Starter

    Joined:
    2007/08/05
    Messages:
    26
    Likes Received:
    0
    GMER log - VI


    ---- Files - GMER 1.0.13 ----


    ---- EOF - GMER 1.0.13 ----
     
  10. 2007/08/07
    staspinar

    staspinar Inactive Thread Starter

    Joined:
    2007/08/05
    Messages:
    26
    Likes Received:
    0
    USB Status

    I've plugged the USB device in again and now there is no infection issue with USB.
     
  11. 2007/08/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's great! :)

    Just want to make sure you saw my reply in post #25 above. ;)
     
  12. 2007/08/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    It's very late. I'll check back in tomorrow.
     
  13. 2007/08/07
    staspinar

    staspinar Inactive Thread Starter

    Joined:
    2007/08/05
    Messages:
    26
    Likes Received:
    0
    I've run the commands and no message has been received.

    There is no nvmini subkey under the Windows Services registry entries, before or after the reboot process.
     
  14. 2007/08/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's good news. :)

    I feel it would be a good idea to check the other network computers. The virus spreads via network shares as well as USB. Run the Flash_Disinfector tool on all USB storage devices as well. Post back if you have questions or need further assistance.
     
  15. 2007/08/09
    staspinar

    staspinar Inactive Thread Starter

    Joined:
    2007/08/05
    Messages:
    26
    Likes Received:
    0
    Win32.Almanahe.B still alive

    We found two more computers like this one and did the same process to clean the rootkit.

    One of them is still connected to the network but cannot run any Win32 executable from the shared directory.

    After we connected another one to the network, the virus appeared again and tried to infect

    C:\Windows\System32\mshta.exe
    C:\Windows\System32\ie4uinit.exe

    Bitdefender prevented the virus from infecting the files above, but the virus can still copy itself to shared directories on the network...

    Sorry for the long delay...
     
    Last edited: 2007/08/09
  16. 2007/08/09
    staspinar

    staspinar Inactive Thread Starter

    Joined:
    2007/08/05
    Messages:
    26
    Likes Received:
    0
    Upgrade To Bitdefender Plus V10

    We installed Bitdefender Plus V10 on the infected machine and found a new virus named BehavesLike:Win32.ExplorerHijack.
     
  17. 2007/08/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Was there a file identified? Email attachment?
     
  18. 2007/08/10
    staspinar

    staspinar Inactive Thread Starter

    Joined:
    2007/08/05
    Messages:
    26
    Likes Received:
    0
    Files Infected By BehavesLike:Win32.ExplorerHijack

    Files quarantined by Bitdefender:

    C:\Program Files\Internet Explorer\iedw.exe
    C:\WINDOWS\system32\dllcache\iedw.exe
    C:\WINDOWS\system32\ieudinit.exe
    C:\WINDOWS\system32\msfeedssync.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\WinFxDocObj.exe
     
  19. 2007/08/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I would definitely send those to Bitdefender for analysis. It just doesn't fit the profile for that particular infection and may well be false positives.
     
