
infected: winupgro.exe


Name: tales
Date: December 27, 2008 at 15:10:58 Pacific
OS: Windows XP
CPU/Ram: intel core 2 CPU 2.13Ghz
Product: Intel / ??
Comment:

Got infected; had a malicious process named winupgro.exe.
Norton AntiVirus doesn't load itself; it says it's not valid in Win32.
Only after using Malwarebytes did I manage to activate ComboFix. This is the log:

ComboFix 08-12-26.03 - Yosef 12/28/2008 0:27:34.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1037.18.2030.1711 [GMT 2:00]
Running from: c:\documents and settings\Yosef\שולחן העבודה\cohnig.exe
AV: Norton AntiVirus 2005 *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Yosef\Application Data\drivers\downld
c:\documents and settings\Yosef\Application Data\drivers\downld\1072750.exe
c:\documents and settings\Yosef\Application Data\drivers\downld\1073750.exe
c:\documents and settings\Yosef\Application Data\drivers\downld\1074171.exe
c:\documents and settings\Yosef\Application Data\drivers\downld\40796.exe
c:\documents and settings\Yosef\Application Data\drivers\downld\40828.exe
c:\documents and settings\Yosef\Application Data\drivers\downld\42828.exe
c:\documents and settings\Yosef\Application Data\drivers\downld\42843.exe
c:\documents and settings\Yosef\Application Data\drivers\downld\44390.exe
c:\documents and settings\Yosef\Application Data\drivers\downld\52187.exe
c:\documents and settings\Yosef\Application Data\drivers\downld\57546.exe
c:\documents and settings\Yosef\Application Data\drivers\downld\61281.exe
c:\documents and settings\Yosef\Application Data\drivers\downld\825234.exe
c:\documents and settings\Yosef\Application Data\drivers\downld\825765.exe
c:\documents and settings\Yosef\Application Data\drivers\srosa.sys
c:\documents and settings\Yosef\Application Data\drivers\winupgro.exe
c:\program files\Intel Audio Studio\IntelAudioStudio.exe
c:\windows\Downloaded Program Files\launcher.ocx
c:\windows\g32.txt
c:\windows\system32\ban_list.txt
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SROSA
-------\Legacy_SROSA
-------\Legacy_ASPIMGR
-------\Legacy_SK9OU0S


((((((((((((((((((((((((( Files Created from 2008-11-27 to 2008-12-27 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 22:29 --------- d-----w c:\program files\Intel Audio Studio
2008-12-27 22:28 --------- d--h--w c:\documents and settings\Yosef\Application Data\drivers
2008-12-27 22:06 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-27 20:42 --------- d-----w c:\documents and settings\Yosef\Application Data\Malwarebytes
2008-12-27 20:42 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 20:14 --------- d-----w c:\program files\Symantec
2008-12-27 19:21 --------- d-----w c:\program files\eMule
2008-12-25 07:45 --------- d-----w c:\documents and settings\Yosef\Application Data\Vso
2008-12-25 01:30 --------- d-----w c:\documents and settings\Yosef\Application Data\VSO_HWE
2008-12-19 14:56 --------- d-----w c:\program files\Java
2008-12-10 22:40 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-10 19:09 --------- d-----w c:\documents and settings\Yosef\Application Data\Image Zone Express
2008-12-03 17:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 17:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-01 09:53 --------- d-----w c:\program files\DOSBox-0.72
2008-11-22 12:59 64,496 ----a-w c:\documents and settings\Yosef\Application Data\GDIPFONTCACHEV1.DAT
2008-11-14 14:13 --------- d-----w c:\documents and settings\Yosef\Application Data\uTorrent
2008-11-10 13:29 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-31 16:50 --------- d-----w c:\documents and settings\All Users\Application Data\Minnetonka Audio Software
2007-12-21 18:01 22 ----a-w c:\documents and settings\Yosef\catchme.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [03/02/2006 02:00 PM 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="c:\windows\TBPanel.exe" [06/23/2006 03:29 PM 2146304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [06/01/2006 11:22 AM 7618560]
"NetLimiter"="c:\program files\NetLimiter\NetLimiter.exe" [03/31/2004 03:23 PM 823296]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [07/09/2001 10:50 AM 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [09/01/2006 03:57 PM 282624]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [12/15/2005 11:18 AM 49152]
"Babylon Client"="c:\program files\Babylon\Babylon.exe" [06/27/2005 04:36 PM 2433086]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [12/27/2008 11:44 PM 58984]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [01/09/2008 10:35 PM 100056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [12/19/2008 04:56 PM 136600]
"nwiz"="nwiz.exe" [06/01/2006 11:22 AM 1519616 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [06/01/2006 11:22 AM 86016 c:\windows\system32\nvmctray.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.exe" [03/02/2006 02:00 PM 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [03/02/2006 02:00 PM 44544]

c:\documents and settings\Yosef\תפריט התחלה\תוכניות\הפעלה\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-10 108544]

c:\documents and settings\All Users\תפריט התחלה\תוכניות\הפעלה\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-10 108544]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.exe [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.CDVC"= cdvccodc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17652:UDP"= 17652:UDP:emule


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1326597a-4f1f-11dd-b021-001676c90877}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e6cbd12-8e1b-11dd-b032-001676c90877}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [08/29/2006 02:21 PM]

2008-12-26 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Yosef.job
- c:\progra~1\NORTON~1\Navw32.exe [12/27/2008 11:45 PM]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
HKLM-Run-RegistryMechanic - (no file)
HKLM-Run-SigmatelSysTrayApp - sttray.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &יצא ל- Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\program files\NetLimiter\nl_lsp.dll

- c:\windows\Downloaded Program Files\ScriptX.inf

c:\windows\Downloaded Program Files\launcher.ocx - O16 -: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416}
hxxp://www.tapuz.co.il/irc/main/launcher.cab

c:\windows\Downloaded Program Files\CONFLICT.1\launcher.ocx - O16 -: {F59AB0C4-3443-4551-A78F-C101F9DE0215}
hxxp://irc.nana10.co.il/Cabs/launcher39.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 00:31:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(808)
c:\program files\NetLimiter\nl_lsp.dll
c:\windows\system32\nl_msgc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 12/28/2008 0:37:36 - machine was rebooted [Yosef]
ComboFix-quarantined-files.txt 2008-12-27 22:37:34

Pre-Run: 12,409,950,208 bytes free
Post-Run: 13,355,012,096 bytes free

177 --- E O F --- 2008-10-16 01:03:05

Please tell me what I should do. I'll be thankful for your help.

tales.
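The most telling part of the ComboFix log above is not the deleted files but the "Reg Loading Points" section: the Security Center has been told to suppress antivirus warnings (AntiVirusDisableNotify=1), monitoring of the Symantec products has been switched off (DisableMonitoring=1), and the Windows Firewall standard profile has EnableFirewall=0. That pattern of silencing the built-in protections is what a responder should look for before trusting a "no hidden files" verdict. The following Python is an added example, not ComboFix's own code and not something the poster ran: it parses a REGEDIT4-style excerpt (constructed here from the log's own keys and values) and flags the tampered settings. The key patterns and value decoding are assumptions chosen to fit the lines in this log.

```python
import re

# Constructed excerpt in the shape of ComboFix's "Reg Loading Points" section.
# Keys and values are copied from the log posted above.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [03/02/2006 02:00 PM 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [12/27/2008 11:44 PM 58984]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# (key-path regex, value name, value that indicates tampering, description).
# These rules are an assumption: they cover the settings seen in this log.
TAMPER_RULES = [
    (r"\\security center$", "AntiVirusDisableNotify", 1,
     "Security Center antivirus warnings suppressed"),
    (r"\\security center\\Monitoring\\", "DisableMonitoring", 1,
     "Security Center monitoring of a security product disabled"),
    (r"firewallpolicy\\standardprofile$", "EnableFirewall", 0,
     "Windows Firewall standard profile disabled"),
]


def parse_value(raw):
    """Decode the value forms ComboFix prints: dword:XXXXXXXX, '0 (0x0)', or a quoted string."""
    raw = raw.strip()
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    m = re.match(r'"(.*)"', raw)          # quoted path; trailing "[date size]" is ignored
    if m:
        return m.group(1)
    return raw


def parse_reg_points(text):
    """Return {registry key: {value name: decoded value}} for a REGEDIT4-style excerpt."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line[1:].partition('"=')
            sections[current][name] = parse_value(raw)
    return sections


def find_tampering(sections):
    """Return (key, value name, description) for every setting matching a TAMPER_RULE."""
    findings = []
    for key, values in sections.items():
        for pattern, name, bad_value, description in TAMPER_RULES:
            if re.search(pattern, key, re.IGNORECASE) and values.get(name) == bad_value:
                findings.append((key, name, description))
    return findings


if __name__ == "__main__":
    for key, name, description in find_tampering(parse_reg_points(SAMPLE_LOG)):
        print(f"{description}: {key} -> {name}")
```

Run against the excerpt it reports four tampered settings; the Run-key entries pass through untouched, so the same parser can be reused to list autostart paths for manual review.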




Response Number 1
Name: jabuck
Date: December 27, 2008 at 17:56:56 Pacific
Reply:

Just a reminder to other posters, do not run the tools recommended for other posters as they can render your computer useless in a single click, especially Combofix, SDFix, Hijack This and many others. Also we need the info from the scans to determine what version of the baddies you have so we will know what procedure to use to remove them. We just need to know what problems you are having.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Response Number 2
Name: tales
Date: December 28, 2008 at 00:44:58 Pacific
Reply:

thanks for your response.

I'm having trouble while trying to run Kaspersky Online Scanner. I'm getting a Microsoft JScript compilation error: ';' required.

I've uninstalled the former Kaspersky Online Scanner from Add/Remove Programs. I also uninstalled and reinstalled Java.

What should I do?
Was my ComboFix log clean...?

tales.



Response Number 3
Name: jabuck
Date: December 28, 2008 at 08:14:05 Pacific
Reply:

Yes, your combofix log looked ok.

Try this scanner.

Please run Esets online scanner from this link:

ESET

1. Note: You will need to use Internet Explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the ActiveX control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.



Response Number 4
Name: tales
Date: December 28, 2008 at 09:39:26 Pacific
Reply:

OK, here is the ESET Online Scanner log:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3719 (20081227)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=27fe8d00a3e41446bc0197f2c40b12ed
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-12-28 05:28:07
# local_time=2008-12-28 07:28:07 (+0200, # country="Israel"
# osver=5.1.2600 NT Service Pack 2
# scanned=691945
# found=2
# scan_time=3417
C:\Qoobox\Quarantine\C\Documents and Settings\Yosef\Application Data\drivers\_srosa_.sys.zip Win32/Bagle.QH worm 8EADD9E686431E234356AC1F964C506C
C:\Qoobox\Quarantine\C\Documents and Settings\Yosef\Application Data\drivers\_srosa_.sys.zip »ZIP »srosa.sys Win32/Bagle.QH worm 00000000000000000000000000000000


Waiting for further instructions.
Thank you,

tales.
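The ESET log above has two parts worth reading mechanically: a `# key=value` header (found=2, remove_checked=false) and one line per detection carrying the path, the threat name and an MD5, with nested archive members written as `»ZIP »srosa.sys`. Both detections sit under C:\Qoobox\Quarantine, which is ComboFix's quarantine, so they describe files already pulled off the live system. The following Python is an added example, not ESET's or the poster's code: it parses a constructed copy of that log (values taken from the lines above), separates the archive chain from the file path, and triages findings into "already quarantined" versus "still live". The quarantine prefix list and the threat-name regex are assumptions fitted to this log's layout.

```python
import re

# Constructed excerpt in the shape of the ESET Online Scanner log posted above;
# header keys, paths, threat names and hashes are copied from that log.
SAMPLE_ESET_LOG = r"""# version=4
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-12-28 05:28:07
# scanned=691945
# found=2
# scan_time=3417
C:\Qoobox\Quarantine\C\Documents and Settings\Yosef\Application Data\drivers\_srosa_.sys.zip Win32/Bagle.QH worm 8EADD9E686431E234356AC1F964C506C
C:\Qoobox\Quarantine\C\Documents and Settings\Yosef\Application Data\drivers\_srosa_.sys.zip »ZIP »srosa.sys Win32/Bagle.QH worm 00000000000000000000000000000000
"""

# Prefixes that belong to a cleanup tool's quarantine rather than the live system
# (assumption: extend with other tools' quarantine folders as needed).
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine",)

# path (non-greedy, so it stops at the first token that looks like a threat name),
# then "Family/Variant type" with ESET's optional "a variant of" prefix, then a 32-hex MD5.
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:(?:probably )?a variant of )?[A-Za-z0-9]+/\S+(?: [a-z]+)*)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_eset_log(text):
    """Return (header dict, list of finding dicts) for an ESET Online Scanner log."""
    header, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue  # unrecognised line: skip rather than abort the whole log
        chain = m.group("path").split(" »")   # "file.zip »ZIP »member" -> [file, ZIP, member]
        findings.append({
            "path": chain[0],
            "archive_chain": chain[1:],
            "threat": m.group("threat"),
            "md5": m.group("md5").upper(),
            "in_quarantine": chain[0].lower().startswith(QUARANTINE_PREFIXES),
        })
    return header, findings


def triage(findings):
    """Split findings into those already in a quarantine folder and those still live."""
    quarantined = [f for f in findings if f["in_quarantine"]]
    live = [f for f in findings if not f["in_quarantine"]]
    return quarantined, live


if __name__ == "__main__":
    header, findings = parse_eset_log(SAMPLE_ESET_LOG)
    quarantined, live = triage(findings)
    print(f"scanner reported found={header.get('found')}, "
          f"quarantined={len(quarantined)}, live={len(live)}")
    for f in live:
        print("LIVE:", f["path"], f["threat"], f["md5"])
```

With `remove_checked=false` in the header, nothing was cleaned by the scanner, so the live list is what would still need action; here it is empty, which is the same conclusion the next reply reaches by reading the paths by eye.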



Response Number 5
Name: jabuck
Date: December 28, 2008 at 12:06:12 Pacific
Reply:

Those items found by Kaspersky are in Combofix's quarantine folder and can be deleted.

Your computer appears to be clean.

Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Eset

You should keep ATF Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenal of antispyware tools, you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

How is the computer operating?



Response Number 6
Name: tales
Date: December 29, 2008 at 06:24:01 Pacific
Reply:

Sorry for the delay.

The computer seems to be operating fine, though I tried reinstalling the Norton AV and couldn't activate it.

I have some repairs going on in my apartment, so I'll try again later.

Thanks a lot for your help.

tales.



Response Number 7
Name: jabuck
Date: December 29, 2008 at 14:42:19 Pacific
Reply:

To protect your computer until you can get Norton repaired, install a free antivirus.

I use the free version of AVG antivirus, you can download it at this link:
AVG Free Antivirus

Update it once you get it installed.

Avira and Avast antivirus programs are also available for free.

