winupgro.exe removal

Turbo-x / N/A
December 23, 2008 at 14:56:56
Specs: WinXP Pro, P4 2.6GHz/1Gb Ram
Greetings.
It seems I got infected with winupgro.exe. NOD32 is disabled as well as my audio and TV tuner drivers... I have read a couple of previous relevant posts and it seems the solution lies in Combofix... I have downloaded it but when I try to install it I get an error message that it is not a valid Win32 application. Could you please assist? Your input would be greatly appreciated!




#1
December 23, 2008 at 17:53:50
I don't think Combofix installed, but run this uninstaller just in case.

Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Rename the setup file, ComboFix, before you download it. To do that once the "enter name of file to save to" box appears as the download begins, in the filename box rename ComboFix to tool.exe> click save.

Please download tool.exe to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your antivirus and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.



#2
December 24, 2008 at 09:32:01
Thanks for your support!
Below is the log that combofix produced:

ComboFix 08-12-23.01 - John 2008-12-24 18:28:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1033.18.1023.777 [GMT 2:00]
Running from: c:\documents and settings\John\Desktop\tool.exe
* Created a new restore point
* Resident AV is active


[COLOR=RED][B]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/B][/COLOR]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\John\Application Data\drivers\downld
c:\documents and settings\John\Application Data\drivers\downld\104031.exe
c:\documents and settings\John\Application Data\drivers\downld\104062.exe
c:\documents and settings\John\Application Data\drivers\downld\104718.exe
c:\documents and settings\John\Application Data\drivers\downld\107906.exe
c:\documents and settings\John\Application Data\drivers\downld\109578.exe
c:\documents and settings\John\Application Data\drivers\downld\110765.exe
c:\documents and settings\John\Application Data\drivers\downld\111484.exe
c:\documents and settings\John\Application Data\drivers\downld\111828.exe
c:\documents and settings\John\Application Data\drivers\downld\113156.exe
c:\documents and settings\John\Application Data\drivers\downld\113640.exe
c:\documents and settings\John\Application Data\drivers\downld\117734.exe
c:\documents and settings\John\Application Data\drivers\downld\118781.exe
c:\documents and settings\John\Application Data\drivers\downld\118812.exe
c:\documents and settings\John\Application Data\drivers\downld\122734.exe
c:\documents and settings\John\Application Data\drivers\downld\126187.exe
c:\documents and settings\John\Application Data\drivers\downld\126859.exe
c:\documents and settings\John\Application Data\drivers\downld\128000.exe
c:\documents and settings\John\Application Data\drivers\downld\128468.exe
c:\documents and settings\John\Application Data\drivers\downld\128562.exe
c:\documents and settings\John\Application Data\drivers\downld\130750.exe
c:\documents and settings\John\Application Data\drivers\downld\131328.exe
c:\documents and settings\John\Application Data\drivers\downld\131796.exe
c:\documents and settings\John\Application Data\drivers\downld\133203.exe
c:\documents and settings\John\Application Data\drivers\downld\134640.exe
c:\documents and settings\John\Application Data\drivers\downld\136203.exe
c:\documents and settings\John\Application Data\drivers\downld\136875.exe
c:\documents and settings\John\Application Data\drivers\downld\147296.exe
c:\documents and settings\John\Application Data\drivers\downld\148875.exe
c:\documents and settings\John\Application Data\drivers\downld\149531.exe
c:\documents and settings\John\Application Data\drivers\downld\150578.exe
c:\documents and settings\John\Application Data\drivers\downld\151093.exe
c:\documents and settings\John\Application Data\drivers\downld\153968.exe
c:\documents and settings\John\Application Data\drivers\downld\158343.exe
c:\documents and settings\John\Application Data\drivers\downld\159750.exe
c:\documents and settings\John\Application Data\drivers\downld\171296.exe
c:\documents and settings\John\Application Data\drivers\downld\175859.exe
c:\documents and settings\John\Application Data\drivers\downld\178687.exe
c:\documents and settings\John\Application Data\drivers\downld\179453.exe
c:\documents and settings\John\Application Data\drivers\downld\179609.exe
c:\documents and settings\John\Application Data\drivers\downld\189968.exe
c:\documents and settings\John\Application Data\drivers\downld\190859.exe
c:\documents and settings\John\Application Data\drivers\downld\190968.exe
c:\documents and settings\John\Application Data\drivers\downld\193046.exe
c:\documents and settings\John\Application Data\drivers\downld\194343.exe
c:\documents and settings\John\Application Data\drivers\downld\194750.exe
c:\documents and settings\John\Application Data\drivers\downld\195671.exe
c:\documents and settings\John\Application Data\drivers\downld\196593.exe
c:\documents and settings\John\Application Data\drivers\downld\196953.exe
c:\documents and settings\John\Application Data\drivers\downld\197500.exe
c:\documents and settings\John\Application Data\drivers\downld\198718.exe
c:\documents and settings\John\Application Data\drivers\downld\204359.exe
c:\documents and settings\John\Application Data\drivers\downld\205750.exe
c:\documents and settings\John\Application Data\drivers\downld\206234.exe
c:\documents and settings\John\Application Data\drivers\downld\207000.exe
c:\documents and settings\John\Application Data\drivers\downld\207734.exe
c:\documents and settings\John\Application Data\drivers\downld\207750.exe
c:\documents and settings\John\Application Data\drivers\downld\208203.exe
c:\documents and settings\John\Application Data\drivers\downld\208812.exe
c:\documents and settings\John\Application Data\drivers\downld\208921.exe
c:\documents and settings\John\Application Data\drivers\downld\216171.exe
c:\documents and settings\John\Application Data\drivers\downld\217031.exe
c:\documents and settings\John\Application Data\drivers\downld\217140.exe
c:\documents and settings\John\Application Data\drivers\downld\219453.exe
c:\documents and settings\John\Application Data\drivers\downld\223562.exe
c:\documents and settings\John\Application Data\drivers\downld\224875.exe
c:\documents and settings\John\Application Data\drivers\downld\225453.exe
c:\documents and settings\John\Application Data\drivers\downld\228453.exe
c:\documents and settings\John\Application Data\drivers\downld\229359.exe
c:\documents and settings\John\Application Data\drivers\downld\229875.exe
c:\documents and settings\John\Application Data\drivers\downld\231859.exe
c:\documents and settings\John\Application Data\drivers\downld\233171.exe
c:\documents and settings\John\Application Data\drivers\downld\233687.exe
c:\documents and settings\John\Application Data\drivers\downld\234453.exe
c:\documents and settings\John\Application Data\drivers\downld\234953.exe
c:\documents and settings\John\Application Data\drivers\downld\235187.exe
c:\documents and settings\John\Application Data\drivers\downld\235687.exe
c:\documents and settings\John\Application Data\drivers\downld\235718.exe
c:\documents and settings\John\Application Data\drivers\downld\235812.exe
c:\documents and settings\John\Application Data\drivers\downld\237765.exe
c:\documents and settings\John\Application Data\drivers\downld\238281.exe
c:\documents and settings\John\Application Data\drivers\downld\240296.exe
c:\documents and settings\John\Application Data\drivers\downld\240812.exe
c:\documents and settings\John\Application Data\drivers\downld\248921.exe
c:\documents and settings\John\Application Data\drivers\downld\250203.exe
c:\documents and settings\John\Application Data\drivers\downld\250703.exe
c:\documents and settings\John\Application Data\drivers\downld\251531.exe
c:\documents and settings\John\Application Data\drivers\downld\252296.exe
c:\documents and settings\John\Application Data\drivers\downld\252781.exe
c:\documents and settings\John\Application Data\drivers\downld\256062.exe
c:\documents and settings\John\Application Data\drivers\downld\256906.exe
c:\documents and settings\John\Application Data\drivers\downld\257359.exe
c:\documents and settings\John\Application Data\drivers\downld\259921.exe
c:\documents and settings\John\Application Data\drivers\downld\260812.exe
c:\documents and settings\John\Application Data\drivers\downld\261000.exe
c:\documents and settings\John\Application Data\drivers\downld\262234.exe
c:\documents and settings\John\Application Data\drivers\downld\267187.exe
c:\documents and settings\John\Application Data\drivers\downld\269250.exe
c:\documents and settings\John\Application Data\drivers\downld\274671.exe
c:\documents and settings\John\Application Data\drivers\downld\276062.exe
c:\documents and settings\John\Application Data\drivers\downld\276234.exe
c:\documents and settings\John\Application Data\drivers\downld\276546.exe
c:\documents and settings\John\Application Data\drivers\downld\277546.exe
c:\documents and settings\John\Application Data\drivers\downld\278015.exe
c:\documents and settings\John\Application Data\drivers\downld\278750.exe
c:\documents and settings\John\Application Data\drivers\downld\278781.exe
c:\documents and settings\John\Application Data\drivers\downld\279515.exe
c:\documents and settings\John\Application Data\drivers\downld\279578.exe
c:\documents and settings\John\Application Data\drivers\downld\279703.exe
c:\documents and settings\John\Application Data\drivers\downld\280015.exe
c:\documents and settings\John\Application Data\drivers\downld\285656.exe
c:\documents and settings\John\Application Data\drivers\downld\286609.exe
c:\documents and settings\John\Application Data\drivers\downld\287562.exe
c:\documents and settings\John\Application Data\drivers\downld\288031.exe
c:\documents and settings\John\Application Data\drivers\downld\299921.exe
c:\documents and settings\John\Application Data\drivers\downld\300937.exe
c:\documents and settings\John\Application Data\drivers\downld\301468.exe
c:\documents and settings\John\Application Data\drivers\downld\310671.exe
c:\documents and settings\John\Application Data\drivers\downld\312171.exe
c:\documents and settings\John\Application Data\drivers\downld\312671.exe
c:\documents and settings\John\Application Data\drivers\downld\312828.exe
c:\documents and settings\John\Application Data\drivers\downld\313796.exe
c:\documents and settings\John\Application Data\drivers\downld\316031.exe
c:\documents and settings\John\Application Data\drivers\downld\321875.exe
c:\documents and settings\John\Application Data\drivers\downld\323828.exe
c:\documents and settings\John\Application Data\drivers\downld\324046.exe
c:\documents and settings\John\Application Data\drivers\downld\324359.exe
c:\documents and settings\John\Application Data\drivers\downld\324953.exe
c:\documents and settings\John\Application Data\drivers\downld\325093.exe
c:\documents and settings\John\Application Data\drivers\downld\330953.exe
c:\documents and settings\John\Application Data\drivers\downld\333250.exe
c:\documents and settings\John\Application Data\drivers\downld\333500.exe
c:\documents and settings\John\Application Data\drivers\downld\364171.exe
c:\documents and settings\John\Application Data\drivers\downld\365093.exe
c:\documents and settings\John\Application Data\drivers\downld\365203.exe
c:\documents and settings\John\Application Data\drivers\downld\70656.exe
c:\documents and settings\John\Application Data\drivers\downld\71937.exe
c:\documents and settings\John\Application Data\drivers\downld\78656.exe
c:\documents and settings\John\Application Data\drivers\downld\78671.exe
c:\documents and settings\John\Application Data\drivers\downld\85328.exe
c:\documents and settings\John\Application Data\drivers\downld\85343.exe
c:\documents and settings\John\Application Data\drivers\downld\90609.exe
c:\documents and settings\John\Application Data\drivers\downld\92078.exe
c:\documents and settings\John\Application Data\drivers\downld\93765.exe
c:\documents and settings\John\Application Data\drivers\downld\94359.exe
c:\documents and settings\John\Application Data\drivers\downld\96406.exe
c:\documents and settings\John\Application Data\drivers\downld\96484.exe
c:\documents and settings\John\Application Data\drivers\srosa.sys
c:\documents and settings\John\Application Data\drivers\srosa2.sys
c:\documents and settings\John\Application Data\drivers\winupgro.exe
c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\Config.ini
c:\windows\system32\lsprst7.dll
c:\windows\system32\prsgrc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SROSA
-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-24 01:15 . 2008-12-24 01:15 <DIR> d-------- c:\program files\Realtek Sound Manager
2008-12-24 01:11 . 2000-03-29 08:17 5,824 --a------ c:\windows\system32\drivers\ASUSHWIO.SYS
2008-12-24 01:11 . 2008-12-24 01:11 2,533 --a------ c:\windows\Ascd_tmp.ini
2008-12-24 00:30 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-24 00:30 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-24 00:30 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-24 00:30 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-23 23:33 . 2008-12-23 23:33 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-23 23:33 . 2008-12-23 23:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP
2008-12-23 01:16 . 2008-12-23 01:42 8 --a------ C:\temp.dat
2008-12-23 01:04 . 2006-02-25 19:49 12,416 --a------ c:\windows\system32\drivers\avwebcam.sys
2008-12-23 01:01 . 2008-12-24 18:31 <DIR> d--h----- c:\documents and settings\John\Application Data\drivers
2008-12-01 20:26 . 2008-12-01 20:26 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-27 00:07 . 2008-11-27 00:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-27 00:04 . 2008-11-27 00:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2008-11-27 00:00 . 2008-11-27 00:00 <DIR> d-------- c:\program files\Adobe Media Player
2008-11-26 23:58 . 2008-11-26 23:58 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-26 23:52 . 2008-11-26 23:52 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-26 22:09 . 2008-11-26 23:03 <DIR> d-------- c:\documents and settings\John\Application Data\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 14:50 --------- d-----w c:\program files\eMule
2008-12-23 23:15 --------- d-----w c:\program files\AvRack
2008-12-23 23:13 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-21 17:56 --------- d-----w c:\documents and settings\John\Application Data\uTorrent
2008-12-01 18:26 --------- d-----w c:\program files\Java
2008-11-26 22:02 --------- d-----w c:\program files\Common Files\Adobe
2008-11-16 22:35 --------- d-----w c:\program files\Camfrog
2008-10-31 22:25 --------- d-----w c:\documents and settings\John\Application Data\Camfrog
2008-10-25 11:08 18,675 ----a-w C:\[u]0[/u]xf9.exe
2008-10-16 12:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 12:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 12:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 12:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 12:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 12:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 12:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 12:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-03-22 10:36 22,328 ----a-w c:\documents and settings\John\Application Data\PnkBstrK.sys
2007-05-01 09:38 2,753 ----a-w c:\documents and settings\John\Application Data\SAS7_000.DAT
2005-01-17 14:44 1,804,800 ----a-w c:\program files\PcSetup.exe
2000-11-07 15:36 1,044,480 ----a-w c:\program files\ROBOEX32.DLL
2000-08-04 13:25 49,152 ----a-w c:\program files\Inetwh32.dll
2008-12-16 12:28 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-16 12:28 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-16 12:28 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-16 12:28 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-16 12:28 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\progra~1\MSNMES~1\MsnMsgr.Exe" [2007-01-19 5674352]
"updateMgr"="c:\program files\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"pdfSaver3"="c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-09-05 380928]
"eMuleAutoStart"="c:\program files\eMule\emule.exe" [2008-08-01 5480448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2003-12-29 159744]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-10 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-08 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-08 600896]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-12-24 917504]
"MMReminderService"="c:\program files\Mindjet\MindManager 6\MMReminderService.exe" [2005-09-13 28672]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-12-19 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\John\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-12-26 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Palo Alto Software Update Manager 8.0.lnk - c:\program files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe [2006-03-08 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault(tm)\\mohpa.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional 2005.SR1\\sandra.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional 2005.SR1\\RpcSandraSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional 2005.SR1\\RpcDataSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"d:\\Stuff\\Archive\\Software\\utorrent.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
"c:\\Documents and Settings\\John\\Desktop\\SkypePortable\\App\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-06 35328]
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2005-07-20 76373]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2005-07-20 32631]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kxbar.sys [2005-07-20 10005]
R3 kbdcap;kbdcap;c:\windows\system32\drivers\kbdcap.sys [2007-03-10 109440]
S0 FsUdf;FsUdf; []
S0 fvdscsi;fvdscsi;c:\windows\system32\DRIVERS\fvdscsi.sys []
S2 AVWEBCAM;AVWebCam, WDM Video Capture;c:\windows\system32\DRIVERS\avwebcam.sys [2008-12-23 12416]
S2 BestSyncSvc;BestSync Service;"c:\program files\BestSync\BestSyncSvc.exe" []
S3 lgusbsmodem;LGE Mobile USB Modem;c:\windows\system32\DRIVERS\lgusbsmodem.sys [2008-01-11 23680]
S3 SaiNtSub;SaiNtSub;c:\windows\system32\DRIVERS\SaiNtSub.sys [2005-11-29 19200]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
S3 VICHW00;VICHW00;\??\c:\windows\SYSTEM32\DRIVERS\VICHW00.SYS []
S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFTVFM\WFIOCTL.SYS [2005-07-20 9510]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c286f221-5ecd-11da-b5d7-000a481c2a06}]
\Shell\AutoRun\command - E:\SETUP.EXE
\Shell\configure\command - E:\SETUP.EXE
\Shell\install\command - E:\SETUP.EXE

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\windows\Tasks\User_Feed_Synchronization-{C6DE1A12-78F6-4D71-B0A7-C09C1990FF41}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe
HKCU-Run-Photozig Albums Media Detector - c:\program files\Photozig Albums\pzAlbumsDetect.exe
HKLM-Run-pdfSaver3 - (no file)
HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: + Offline &Explorer: Download the link - file://c:\program files\Offline Explorer Enterprise\Add_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://c:\program files\Offline Explorer Enterprise\Add_AllO.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Save Flash - c:\program files\Flash Saving Plugin\FlashSButton.dll/210
LSP: imon.dll

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
c:\windows\Downloaded Program Files\DownloadManagerV2.inf
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\887qqk68.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\component.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 18:33:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\srosa]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(648)
c:\windows\system32\imon.dll
.
Completion time: 2008-12-24 18:34:58
ComboFix-quarantined-files.txt 2008-12-24 16:34:31

Pre-Run: 7,455,420,416 bytes free
Post-Run: 9,068,240,896 bytes free


#3
December 24, 2008 at 17:32:09
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\[u]0[/u]xf9.exe

Folder::
C:\[u]0[/u]xf9.exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if combofix does not auto start, click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#4
December 25, 2008 at 15:39:41
OK, I have done all that...
Below is the Kaspersky log:

----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 26, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 25, 2008 16:58:12
Records in database: 1514269
----------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\

Scan statistics:
Files scanned: 158235
Threat name: 15
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 03:34:44


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10930CA2.exe Infected: Trojan.Win32.Delf.ut 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17715EAD.tmp Infected: Trojan.Java.ClassLoader.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D8F375B.tmp Infected: Trojan.Java.ClassLoader.Dummy.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1EC54C06.tmp Infected: Email-Worm.Win32.Bagle.gen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\40DF73DD.tmp Infected: Trojan-Downloader.Java.OpenStream.v 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42B058F7.tmp Infected: Exploit.Java.ByteVerify 1
C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\31\6abdaa1f-2a06122c Infected: Trojan.Java.ClassLoader.i 1
C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\6.0\31\6abdaa1f-2a06122c Infected: Trojan.Java.ClassLoader.k 2
C:\Program Files\eMule\Incoming\AV Webcam Morpher 2.0.28.zip Infected: Trojan-Downloader.Win32.Bagle.aic 1
C:\Program Files\eMule\Incoming\AV Webcam Morpher Pro 2.0.09\key_generator.exe Infected: Trojan-Downloader.Win32.Bagle.aic 1
C:\Program Files\eMule\Incoming\AV Webcam Morpher Pro 2.0.09.zip Infected: Trojan-Downloader.Win32.Bagle.aic 1
C:\Program Files\ESET\infected\4H0BD5BA.NQF Infected: Trojan-Downloader.Win32.VB.gva 1
C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\drivers\winupgro.exe.vir Infected: Trojan-Downloader.Win32.Bagle.aic 1
C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\drivers\_srosa_.sys.zip Infected: Trojan-Downloader.Win32.Bagle.afl 1
C:\Qoobox\Quarantine\C\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe.vir Infected: Trojan-Downloader.Win32.Bagle.aic 1
C:\WINDOWS\system\smss.Vexe Infected: Trojan-Proxy.Win32.Horst.pg 1
C:\WINDOWS\system\smssb.exe Infected: Trojan-Proxy.Win32.Horst.pg 1
C:\WINDOWS\system32\KTKbdHk3.dll Infected: not-a-virus:Monitor.Win32.KeyLogger.o 1
D:\Stuff\Archive\Funny\snow.exe Infected: Trojan-Downloader.Win32.Small.abuk 1
D:\Stuff\Work\New24\Dragon Naturally Speaking 9 Preffered Multilanguage Eng-Ger-Dutch-FR\Dragon Naturally Speaking 9.0 CRACK + SERIAL KEYGEN.rar Infected: Trojan-Proxy.Win32.Horst.ic 1

The selected area was scanned.



#5
December 25, 2008 at 16:44:06
Set up the computer to view hidden files:
To show hidden files do the following:
Click Start > My Computer
On the Tools menu, click Folder Options.
Click the View tab.
Uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files.
Under the Hidden files folder, locate and check Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply > OK.

Navigate to and delete the contents of this folder and not the folder itself:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine

Go to start> control panel> java> Temporary internet files> settings> delete files> ok.

Navigate to and delete these files if found.

C:\Program Files\ESET\infected\4H0BD5BA.NQF

C:\WINDOWS\system\smss.Vexe

C:\WINDOWS\system\smssb.exe

C:\WINDOWS\system32\KTKbdHk3.dll

D:\Stuff\Archive\Funny\snow.exe

These cracks are infected and will need to be deleted:

C:\Program Files\eMule\Incoming\AV Webcam Morpher Pro 2.0.09\key_generator.exe

D:\Stuff\Work\New24\Dragon Naturally Speaking 9 Preffered Multilanguage Eng-Ger-Dutch-FR\Dragon Naturally Speaking 9.0 CRACK + SERIAL KEYGEN.rar

Run the Kaspersky scan again and post its log. You will most likely need to go to start> control panel> add/remove programs and uninstall "Kaspersky" before you can download the scanner again.



#6
December 26, 2008 at 08:35:51
This is the 2nd Kaspersky log:

----------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 26, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 26, 2008 09:04:16
Records in database: 1516718
----------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\

Scan statistics:
Files scanned: 157906
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 03:41:20


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\drivers\winupgro.exe.vir Infected: Trojan-Downloader.Win32.Bagle.aic 1
C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\drivers\_srosa_.sys.zip Infected: Trojan-Downloader.Win32.Bagle.afl 1
C:\Qoobox\Quarantine\C\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe.vir Infected: Trojan-Downloader.Win32.Bagle.aic 1

The selected area was scanned.



#7
December 26, 2008 at 08:42:31
Your computer appears to be clean.

Re-hide your hidden files by reversing the process in response #5.

Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep AFT Cleaner and run it weekly.


You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

How is the computer operating?


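The "clean" verdict in #7 rests on one observation: every hit left in the second report sits inside a quarantine folder (ComboFix's Qoobox), so nothing live remains. The following triage script is an added example, not part of the thread, that applies that same rule to the Kaspersky Online Scanner 7 "File name / Threat name / Threats count" format; the quarantine folder names are the ones the thread's helper treated as stored copies, and the sample lines are copied from the reports in #4 and #6.

```python
from collections import Counter

# Folders that only hold copies a scanner or cleanup tool has already isolated
# (ComboFix's Qoobox, Norton's Quarantine, ESET's infected folder); hits there
# are leftovers to purge, not live infections.
QUARANTINE_DIRS = ("\\qoobox\\quarantine\\", "\\norton antivirus\\quarantine\\",
                   "\\eset\\infected\\")

def parse_line(line):
    """Split one 'File name / Threat name / Threats count' line into
    (path, threat, count); return None for header and footer lines."""
    if " Infected: " not in line:
        return None
    path, rest = line.rsplit(" Infected: ", 1)   # paths may contain spaces
    threat, count = rest.rsplit(" ", 1)
    return path, threat, int(count)

def is_quarantined(path):
    low = path.lower()
    return any(q in low for q in QUARANTINE_DIRS)

def triage(report_text):
    """Classify every detection as live or quarantined and tally threat names.
    'clean' is True only when nothing was found outside a quarantine folder."""
    active, quarantined, threats = [], [], Counter()
    for line in report_text.splitlines():
        hit = parse_line(line.strip())
        if hit is None:
            continue
        path, threat, count = hit
        threats[threat] += count
        (quarantined if is_quarantined(path) else active).append(path)
    return {"active": active, "quarantined": quarantined,
            "threats": threats, "clean": not active}

# Sample input: lines copied from the two reports posted in #4 and #6.
FIRST_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10930CA2.exe Infected: Trojan.Win32.Delf.ut 1
C:\Program Files\ESET\infected\4H0BD5BA.NQF Infected: Trojan-Downloader.Win32.VB.gva 1
C:\WINDOWS\system\smss.Vexe Infected: Trojan-Proxy.Win32.Horst.pg 1
C:\WINDOWS\system32\KTKbdHk3.dll Infected: not-a-virus:Monitor.Win32.KeyLogger.o 1
The selected area was scanned.
"""
SECOND_REPORT = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\drivers\winupgro.exe.vir Infected: Trojan-Downloader.Win32.Bagle.aic 1
C:\Qoobox\Quarantine\C\Documents and Settings\John\Application Data\drivers\_srosa_.sys.zip Infected: Trojan-Downloader.Win32.Bagle.afl 1
C:\Qoobox\Quarantine\C\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe.vir Infected: Trojan-Downloader.Win32.Bagle.aic 1
The selected area was scanned.
"""
```

Paths reported under `active` are the ones still worth a manual look; the `quarantined` list is what to empty out, as #5 and #7 instruct.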

#8
December 27, 2008 at 06:26:21
It seems everything is back to normal!
Your help has been valuable!
I will definitely recommend your site to my friends.
Have a great new year and many thanks for your support!


#9
December 27, 2008 at 12:21:22
Glad we could help.


#10
February 12, 2009 at 16:10:25
Had the same problem. Following this guide helped me remove/disable the rootkit.
Running procmon.exe (www.sysinternals.com) I see that everything is back to a peaceful idle.

Many thanks!

