View Full Version : Pop up problem.. (is it Vundo?)
Hi.
I've been having, for about a week now, a problem with a pop up window whenever I use firefox 2.0.0.3 or windows internet explorer. This window is trying to load various pages, but mostly it wants to go to "go.winantivirus.com".
From what I have gathered by looking into the posts in forums I believe that it is a case of the "Vunod trojan" that is at work in my system. But, although I am certainly no expert -that's why I turn to you-, I can't find anything really suspicious in my "HJT log", or the "startuplist" log...
Logfile of HijackThis v1.99.1
Scan saved at 11:00:40 πμ, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User2\Επιφάνεια εργασίας\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD1273B5-CE83-482E-8DAC-2C73D2285D4C}: NameServer = 195.170.0.1,195.170.2.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
------------------------------------------------
StartupList report, 11/4/2007, 10:25:07 πμ
StartupList version: 1.52.2
Started from : C:\Documents and Settings\User2\Επιφάνεια εργασίας\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Documents and Settings\User2\Επιφάνεια εργασίας\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\User2\Start Menu\Προγράμματα\Εκκίνηση]
Folding@Home 5.03.lnk = ?
OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση]
108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
Reg.lnk = ?
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RTHDCPL = RTHDCPL.EXE
SkyTel = SkyTel.EXE
Alcmtr = ALCMTR.EXE
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
SpybotSnD = "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
NCLaunch = C:\WINDOWS\NCLAUNCH.EXe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
eMuleAutoStart = C:\Program Files\eMule\emule.exe -AutoStart
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssbezier.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
--------------------------------------------------
Enumerating Download Program Files:
[{31435657-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Config.Msi\f204b.rbf||C:\Config.Msi\f2085.rbf||C:\Config.Msi\f212d.rbf||C:\Config.Msi\f2168.rbf||C:\Config.Msi\f2210.rbf|||s
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
End of report, 6.092 bytes
Report generated in 0,047 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
I was about to run the Vundo removal tool, but most posts recommend NOT running it unless one is SURE that he has been infected. That's why I am looking for your opinion.
Any help would be greatly appreciated...
Thanks in advance.
Just one clarification, just in case anybody gets confused.. This is on a Greek language installation of Windows, so if some system folder names in the log files seem Greek to you, well.. that's because it is!!
Hello and welcome to the Forums :)
Sorry for the delay...
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.
here is the GMER log.
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-04-16 15:25:31
Windows 5.1.2600 Service Pack 2
---- Kernel code sections - GMER 1.0.12 ----
? C:\WINDOWS\system32\DRIVERS\update.sys
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[216] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[216] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[216] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[216] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[224] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[224] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[224] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[224] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\ctfmon.exe[232] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\ctfmon.exe[232] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\ctfmon.exe[232] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\ctfmon.exe[232] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\NCLAUNCH.EXe[304] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\NCLAUNCH.EXe[304] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\NCLAUNCH.EXe[304] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\NCLAUNCH.EXe[304] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[332] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[332] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[332] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[332] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\eMule\emule.exe[420] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\eMule\emule.exe[420] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\eMule\emule.exe[420] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\eMule\emule.exe[420] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\explorer.exe[488] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\explorer.exe[488] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\explorer.exe[488] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\explorer.exe[488] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\csrss.exe[536] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\csrss.exe[536] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\csrss.exe[536] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\csrss.exe[536] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\services.exe[608] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\services.exe[608] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\services.exe[608] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\services.exe[608] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[740] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[740] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[740] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[740] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\ati2evxx.exe[780] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 00CD200E
.text C:\WINDOWS\system32\ati2evxx.exe[780] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 00CD1DAF
.text C:\WINDOWS\system32\ati2evxx.exe[780] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00CD1CF2
.text C:\WINDOWS\system32\ati2evxx.exe[780] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 00CD191B
.text C:\WINDOWS\system32\svchost.exe[800] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\svchost.exe[800] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\svchost.exe[800] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\svchost.exe[800] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[896] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\svchost.exe[896] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\svchost.exe[896] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\svchost.exe[896] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\acs.exe[944] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 010F200E
.text C:\WINDOWS\system32\acs.exe[944] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 010F1DAF
.text C:\WINDOWS\system32\acs.exe[944] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 010F1CF2
.text C:\WINDOWS\system32\acs.exe[944] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 010F191B
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1148] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1148] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1148] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1148] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\ati2evxx.exe[1184] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 008D200E
.text C:\WINDOWS\system32\ati2evxx.exe[1184] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 008D1DAF
.text C:\WINDOWS\system32\ati2evxx.exe[1184] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 008D1CF2
.text C:\WINDOWS\system32\ati2evxx.exe[1184] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 008D191B
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1300] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1300] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1300] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1300] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Mozilla Firefox\firefox.exe[1604] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Mozilla Firefox\firefox.exe[1604] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Mozilla Firefox\firefox.exe[1604] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Mozilla Firefox\firefox.exe[1604] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Mozilla Firefox\firefox.exe[1604] WS2_32.dll!send 719D428A 5 Bytes JMP 100030E6
.text C:\Program Files\Mozilla Firefox\firefox.exe[1604] WS2_32.dll!WSARecv 719D4318 5 Bytes JMP 100032CC
.text C:\Program Files\Mozilla Firefox\firefox.exe[1604] WS2_32.dll!closesocket 719D9639 5 Bytes JMP 100035BC
.text C:\WINDOWS\system32\spoolsv.exe[1660] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\spoolsv.exe[1660] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\spoolsv.exe[1660] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\spoolsv.exe[1660] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1800] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1800] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1800] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1800] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\NetLimiter 2 Pro\nlsvc.exe[1824] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\NetLimiter 2 Pro\nlsvc.exe[1824] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\NetLimiter 2 Pro\nlsvc.exe[1824] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\NetLimiter 2 Pro\nlsvc.exe[1824] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\NetLimiter 2 Pro\NLClient.exe[1924] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 015E200E
.text C:\Program Files\NetLimiter 2 Pro\NLClient.exe[1924] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 015E1DAF
.text C:\Program Files\NetLimiter 2 Pro\NLClient.exe[1924] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 015E1CF2
.text C:\Program Files\NetLimiter 2 Pro\NLClient.exe[1924] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 015E191B
.text C:\WINDOWS\RTHDCPL.exe[1956] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\RTHDCPL.exe[1956] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\RTHDCPL.exe[1956] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\RTHDCPL.exe[1956] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[1996] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[1996] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[1996] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[1996] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\QuickTime\qttask.exe[2004] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\QuickTime\qttask.exe[2004] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\QuickTime\qttask.exe[2004] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\QuickTime\qttask.exe[2004] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\wktgdelv.exe[2016] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 0210200E
.text C:\WINDOWS\system32\wktgdelv.exe[2016] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 02101DAF
.text C:\WINDOWS\system32\wktgdelv.exe[2016] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 02101CF2
.text C:\WINDOWS\system32\wktgdelv.exe[2016] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 0210191B
.text C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe[2388] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 00F1200E
.text C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe[2388] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 00F11DAF
.text C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe[2388] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00F11CF2
.text C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe[2388] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 00F1191B
.text C:\Program Files\Folding@Home\winFAH.exe[2512] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Folding@Home\winFAH.exe[2512] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Folding@Home\winFAH.exe[2512] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Folding@Home\winFAH.exe[2512] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[2716] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[2716] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[2716] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[2716] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[3096] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\svchost.exe[3096] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\svchost.exe[3096] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\svchost.exe[3096] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\WinRAR\WinRAR.exe[3116] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\WinRAR\WinRAR.exe[3116] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\WinRAR\WinRAR.exe[3116] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\WinRAR\WinRAR.exe[3116] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Folding@Home\FahCore_78.exe[3260] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Folding@Home\FahCore_78.exe[3260] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Folding@Home\FahCore_78.exe[3260] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Folding@Home\FahCore_78.exe[3260] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\HJT\gmer.exe[4060] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\HJT\gmer.exe[4060] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\HJT\gmer.exe[4060] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\HJT\gmer.exe[4060] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
---- Processes - GMER 1.0.12 ----
Process C:\WINDOWS\system32\wktgdelv.exe (*** hidden *** ) 2016
---- Registry - GMER 1.0.12 ----
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@wktgdelv c:\windows\system32\wktgdelv.exe wktgdelv
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@wktgdelv c:\windows\system32\wktgdelv.exe wktgdelv
---- Files - GMER 1.0.12 ----
File C:\WINDOWS\system32\wktgdelv.dat
File C:\WINDOWS\system32\wktgdelv.exe
File C:\WINDOWS\system32\wktgdelv_nav.dat
File C:\WINDOWS\system32\wktgdelv_navps.dat
---- EOF - GMER 1.0.12 ----
is it that wktgelv the problem? i can't find anything about a file named like that on the net...
Hello :)
Yes that wktgdelv is the problem...
Run a new rootkit scan with GMER.
When you see the following process(es) on the list:
Process C:\WINDOWS\system32\wktgdelv.exe (*** hidden *** ) 2016
Rigthclick it with your mouse and a menu will open. Choose "Kill Process" from the list.
When you see the following files on the list:
File C:\WINDOWS\system32\wktgdelv.dat
File C:\WINDOWS\system32\wktgdelv.exe
File C:\WINDOWS\system32\wktgdelv_nav.dat
File C:\WINDOWS\system32\wktgdelv_navps.dat
Rigthclick those with your mouse and a menu will open. Choose "Delete file" from the list. You need to do this one by one.
If GMER asks for a reboot allow it to do it.
Then close GMER.
Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C: ) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE (http://metallica.geekstogo.com/EGDACCESS.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
Save it in the same folder you made earlier (c:\BFU).
Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select EGDACCESS.bfu
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Restart your computer.
Run a new scan with GMER but don't use your computer during the scan.
When the scan has finished please copy/upload the results to me along with a fresh HijackThis log.
:bigthumb:
Run everything as requested.
and here are the HJT and GMER logs. (is GMER supposed to be empty?)
HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:01:26 πμ, on 17/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Folding@Home\FahCore_78.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wktgdelv] c:\windows\system32\wktgdelv.exe wktgdelv
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD1273B5-CE83-482E-8DAC-2C73D2285D4C}: NameServer = 195.170.0.1,195.170.2.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
---------------------------------------------------------------
GMER Log
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-04-17 10:00:46
Windows 5.1.2600 Service Pack 2
---- Kernel code sections - GMER 1.0.12 ----
? C:\WINDOWS\system32\DRIVERS\update.sys
---- EOF - GMER 1.0.12 ----
So far I haven't seen any pop ups, so most probably the pc is clean!!!!
Thank you verry much!! most upricated!!!
Looks beter but you're not clean yet.
Generate a HijackThis Startup list:
Open HijackThis: Click on "Open the Misc Tools Section"
Check the following boxes to the right of "Generate StartupList Log": List also minor sections (Full)
List empty sections (Complete)
Click "Generate StartupListLog"
Click "Yes" at the prompt.
A Notepad window will open with the contents of the HijackThis Startup list displayed
Copy & Paste that log to here
:bigthumb:
StartupList report, 18/4/2007, 9:27:45 πμ
StartupList version: 1.52.2
Started from : C:\Documents and Settings\User2\Επιφάνεια εργασίας\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User2\Επιφάνεια εργασίας\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\User2\Start Menu\Προγράμματα\Εκκίνηση]
Folding@Home 5.03.lnk = ?
OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση]
108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
Reg.lnk = ?
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RTHDCPL = RTHDCPL.EXE
SkyTel = SkyTel.EXE
Alcmtr = ALCMTR.EXE
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
wktgdelv = c:\windows\system32\wktgdelv.exe wktgdelv
SpybotSnD = "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
NetLimiter = C:\Program Files\NetLimiter\NetLimiter.exe /s
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
NCLaunch = C:\WINDOWS\NCLAUNCH.EXe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
eMuleAutoStart = C:\Program Files\eMule\emule.exe -AutoStart
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssbezier.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Επεξεργαστής Μητρώου'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
--------------------------------------------------
Enumerating Task Scheduler jobs:
*No jobs found*
--------------------------------------------------
Enumerating Download Program Files:
[{31435657-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
[Java Plug-in 1.6.0]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
[Java Plug-in 1.6.0_01]
InProcServer32 = C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #2: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #3: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #4: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #5: C:\Program Files\NetLimiter\nl_lsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\rsvpsp.dll
Protocol #10: C:\WINDOWS\system32\rsvpsp.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\Program Files\NetLimiter\nl_lsp.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Πρόγραμμα οδήγησης ACPI της Microsoft: system32\DRIVERS\ACPI.sys (system)
Atheros Configuration Service: C:\WINDOWS\system32\acs.exe (autostart)
Ακυρωτής ακουστικής ηχούς πυρήνα της Microsoft: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Υπηρεσία ειδοποίησης: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Υπηρεσία πύλης επιπέδου εφαρμογής: %SystemRoot%\System32\alg.exe (manual start)
Διαχείριση εφαρμογών: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Wireless LAN Adapter: system32\DRIVERS\ar5211.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
Πρόγραμμα οδήγησης ασύγχρονων μέσων αποθήκευσης RAS: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
Πρωτόκολλο προγράμματος-πελάτη ATM ARP: system32\DRIVERS\atmarpc.sys (manual start)
Ήχος των Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Πρόγραμμα οδήγησης αποκόμματος ήχου: system32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
Υπηρεσία έξυπνης μεταφοράς στο παρασκήνιο: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Αναζήτηση υπολογιστή: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Πρόγραμμα οδήγησης CD-ROM: system32\DRIVERS\cdrom.sys (system)
Υπηρεσία ευρετηρίου: %SystemRoot%\system32\cisvc.exe (manual start)
Πρόχειρες σελίδες: %SystemRoot%\system32\clipsrv.exe (disabled)
.NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
Eφαρμογή συστήματος COM+: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Υπηρεσίες κρυπτογράφησης: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Εκκινητής διεργασίας εξυπηρετητή DCOM: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Πρόγραμμα-πελάτης DHCP: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Πρόγραμμα οδήγησης δίσκου: system32\DRIVERS\disk.sys (system)
Υπηρεσία διαχείρισης λογικών δίσκων: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Διαχείριση λογικού δίσκου: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Synthesizer: system32\drivers\DMusic.sys (manual start)
Πρόγραμμα-πελάτης DNS: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Αποπεριπλέκτης ήχου DRM πυρήνα της Microsoft: system32\drivers\drmkaud.sys (manual start)
Υπηρεσία αναφοράς σφαλμάτων: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Καταγραφή συμβάντων: %SystemRoot%\system32\services.exe (autostart)
Σύστημα συμβάντων COM+: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Συμβατότητα Fast User Switching: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Πρόγραμμα οδήγησης ελεγκτή δισκέτας: system32\DRIVERS\fdc.sys (manual start)
Πρόγραμμα οδήγησης δισκέτας: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Πρόγραμμα οδήγησης διαχείρισης έντασης: system32\DRIVERS\ftdisk.sys (system)
gmer: System32\DRIVERS\gmer.sys (manual start)
Ταξινόμηση πακέτων γενικού τύπου: system32\DRIVERS\msgpc.sys (manual start)
Microsoft UAA Bus Driver for High Definition Audio: system32\DRIVERS\HDAudBus.sys (manual start)
Βοήθεια και υποστήριξη: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Πρόσβαση συσκευής διασύνδεσης χρήστη: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Πρόγραμμα οδήγησης HID της Microsoft: system32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
Πρόγραμμα οδήγησης φίλτρου εγγραφής CD: system32\DRIVERS\imapi.sys (system)
Υπηρεσία IMAPI CD-Burning COM: C:\WINDOWS\system32\imapi.exe (manual start)
Service for Realtek HD Audio (WDM): system32\drivers\RtkHDAud.sys (manual start)
Οδηγός επεξεργαστή Intel: system32\DRIVERS\intelppm.sys (system)
Πρόγραμμα οδήγησης τείχους προστασίας IPv6 των Windows: system32\DRIVERS\Ip6Fw.sys (manual start)
Πρόγραμμα οδήγησης φίλτρου κυκλοφορίας IP: system32\DRIVERS\ipfltdrv.sys (manual start)
Πρόγραμμα οδήγησης διοχέτευσης IP σε IP: system32\DRIVERS\ipinip.sys (manual start)
Μεταφραστής διεύθυνσης δικτύου IP: system32\DRIVERS\ipnat.sys (manual start)
Πρόγραμμα οδήγησης IPSEC: system32\DRIVERS\ipsec.sys (system)
Υπηρεσία απαρίθμησης IR: system32\DRIVERS\irenum.sys (manual start)
Πρόγραμμα οδήγησης διαύλου PnP ISA/EISA: system32\DRIVERS\isapnp.sys (system)
Πρόγραμμα οδήγησης κλάσης πληκτρολογίου: system32\DRIVERS\kbdclass.sys (system)
Μίξη κυματομορφής ήχου πυρήνα της Microsoft: system32\drivers\kmixer.sys (manual start)
Διακομιστής: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Σταθμός εργασίας: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Πρόγραμμα βοήθειας TCP/IP NetBIOS: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
AEGIS Protocol (IEEE 802.1x) v2.3.1.9: system32\DRIVERS\mdc8021x.sys (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
Υπηρεσία Μηνυμάτων: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Πρόγραμμα οδήγησης κλάσης ποντικιού: system32\DRIVERS\mouclass.sys (system)
Ανακατεύθυνση πελάτη WebDav: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Συντονισμός κατανεμημένων συναλλαγών: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Μεσολάβηση υπηρεσίας ροής της Microsoft: system32\drivers\MSKSSRV.sys (manual start)
Μεσολάβηση ρολογιού ροής της Microsoft: system32\drivers\MSPCLOCK.sys (manual start)
Μεσολάβηση διαχείρισης ποιότητας ροής της Microsoft: system32\drivers\MSPQM.sys (manual start)
Οδηγός BIOS διαχείρισης συστήματος Microsoft: system32\DRIVERS\mssmbios.sys (manual start)
Πρόγραμμα οδήγησης απομακρυσμένης πρόσβασης NDIS TAPI: system32\DRIVERS\ndistapi.sys (manual start)
Πρωτόκολλο εισόδου/εξόδου κατάστασης λειτουργίας χρήστη NDIS: system32\DRIVERS\ndisuio.sys (manual start)
Πρόγραμμα οδήγησης απομακρυσμένης πρόσβασης NDIS WAN: system32\DRIVERS\ndiswan.sys (manual start)
Διασύνδεση NetBIOS: system32\DRIVERS\netbios.sys (system)
NetBios σε Tcpip: system32\DRIVERS\netbt.sys (system)
Δίκτυο DDE: %SystemRoot%\system32\netdde.exe (disabled)
Δίκτυο DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Σύνδεση δικτύου: %SystemRoot%\system32\lsass.exe (manual start)
Συνδέσεις δικτύου: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Υπηρεσία παροχής υποστήριξης ασφάλειας LM NT: %SystemRoot%\system32\lsass.exe (manual start)
Αφαιρούμενα μέσα αποθήκευσης: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Πρόγραμμα οδήγησης φίλτρου κυκλοφορίας IPX: system32\DRIVERS\nwlnkflt.sys (manual start)
Πρόγραμμα οδήγησης προώθησης κυκλοφορίας IPX: system32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Πρόγραμμα οδήγησης παράλληλης θύρας: system32\DRIVERS\parport.sys (manual start)
Πρόγραμμα οδήγησης διαύλου PCI: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Τοποθέτηση και Άμεση Λειτουργία: %SystemRoot%\system32\services.exe (autostart)
Υπηρεσίες IPSEC: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Προστατευμένος χώρος αποθήκευσης: %SystemRoot%\system32\lsass.exe (autostart)
Πακέτο χρονοδιαγράμματος QoS: system32\DRIVERS\psched.sys (manual start)
Πρόγραμμα οδήγησης Απευθείας σύνδεσης παράλληλων θυρών: system32\DRIVERS\ptilink.sys (manual start)
Πρόγραμμα οδήγησης αυτόματης σύνδεσης απομακρυσμένης πρόσβασης: system32\DRIVERS\rasacd.sys (system)
Διαχείριση αυτόματης σύνδεσης απομακρυσμένης πρόσβασης: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Διαχείριση σύνδεσης απομακρυσμένης πρόσβασης: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Πρόγραμμα οδήγησης PPPOE απομακρυσμένης πρόσβασης: system32\DRIVERS\raspppoe.sys (manual start)
Απευθείας παράλληλη: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Διαχείριση περιόδου λειτουργίας της Βοήθειας απομακρυσμένης επιφάνειας εργασίας: C:\WINDOWS\system32\sessmgr.exe (manual start)
Πρόγραμμα οδήγησης φίλτρου αναπαραγωγής ψηφιακού CD: system32\DRIVERS\redbook.sys (system)
Δρομολόγηση και απομακρυσμένη πρόσβαση: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Πρόγραμμα εντοπισμού Κλήσης απομακρ. διαδικασίας (RPC): %SystemRoot%\system32\locator.exe (manual start)
Κλήση απομακρυσμένης διαδικασίας (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Πρόγραμμα οδήγησης προσαρμογέα Realtek RTL8139(A/B/C)-based PCI Fast Ethernet των NT: system32\DRIVERS\RTL8139.SYS (manual start)
Διαχείριση λογαριασμών ασφαλείας: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Χρονοδιάγραμμα εργασιών: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Δευτερεύουσα Σύνδεση: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Ειδοποίηση συμβάντος συστήματος: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Πρόγραμμα οδήγησης φίλτρου Serenum: system32\DRIVERS\serenum.sys (manual start)
Πρόγραμμα οδήγησης σειριακής θύρας: system32\DRIVERS\serial.sys (system)
Τείχος προστασίας των Windows / Κοινόχρηστη σύνδεση στο Internet (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Ανίχνευση υλικού από το κέλυφος: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Διαχωριστικό ήχου πυρήνα της Microsoft: system32\drivers\splitter.sys (manual start)
Ουρά εκτύπωσης: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
Υπηρεσία επαναφοράς συστήματος: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
Υπηρεσία εντοπισμού SSDP: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Λήψη εικόνας των Windows (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (manual start)
Πρόγραμμα οδήγησης διαύλου προγραμμάτων: system32\DRIVERS\swenum.sys (manual start)
Kernel GS Wavetable Synthesizer της Microsoft: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{A6E0CF1D-1638-4C35-9EDC-B5FB52AD420A} (manual start)
Συσκευή ήχου συστήματος πυρήνα της Microsoft: system32\drivers\sysaudio.sys (manual start)
Αρχεία καταγραφής επιδόσεων και ειδοποιήσεις: %SystemRoot%\system32\smlogsvc.exe (manual start)
Τηλεφωνία: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Πρόγραμμα οδήγησης πρωτοκόλλου TCP/IP: system32\DRIVERS\tcpip.sys (system)
Πρόγραμμα οδήγησης συσκευής τερματικού: system32\DRIVERS\termdd.sys (system)
Υπηρεσίες τερματικού: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Θέματα: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Πρόγραμμα-πελάτης παρακολούθησης κατανεμημένης σύνδεσης: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Πρόγραμμα οδήγησης ενημέρωσης Microcode: system32\DRIVERS\update.sys (manual start)
Κεντρικός υπολογιστής συσκευών Τοποθέτησης και Άμεσης Λειτουργίας γενικής χρήσης: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Αδιάλειπτη Παροχή Ενέργειας: %SystemRoot%\System32\ups.exe (manual start)
Γενικό γονικό πρόγραμμα οδήγησης USB της Microsoft: system32\DRIVERS\usbccgp.sys (manual start)
Πρόγραμμα οδήγησης USB 2.0-προηγμένου κεντρικού ελεγκτή Miniport της Microsoft: system32\DRIVERS\usbehci.sys (manual start)
Διανομέας με δυνατότητα USB2: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
Κλάση εκτυπωτών Microsoft USB: system32\DRIVERS\usbprint.sys (manual start)
Πρόγραμμα οδήγησης μαζικής αποθήκευσης USB: system32\DRIVERS\USBSTOR.SYS (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Σκιώδες αντίγραφο τόμου: %SystemRoot%\System32\vssvc.exe (manual start)
Υπηρεσία ώρας των Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Πρόγραμμα οδήγησης απομακρυσμένης πρόσβασης IP ARP: system32\DRIVERS\wanarp.sys (manual start)
Συμβατό πρόγραμμα οδήγησης ήχων WINMM WDM της Microsoft: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Όργανα Διαχείρισης των Windows: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Υπηρεσία αριθμού σειράς φορητού στοιχείου πολυμέσων: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Προσαρμογέας επιδόσεων WMI: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Περιβάλλον υποστήριξης της υπηρεσίας παροχής Non-IFS για το Windows Socket 2.0: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Κέντρο ασφάλειας: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Αυτόματες ενημερώσεις: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Αρχική ρύθμιση παραμέτρων ασύρματης επικοινωνίας: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Υπηρεσία παροχής δικτύου: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
End of report, 34.497 bytes
Report generated in 0,375 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Hi again, we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
==================
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
[wktgdelv] c:\windows\system32\wktgdelv.exe
Restart the computer.
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
================
When you're ready, please post the following logs to here:
- Kaspersky's report
- a fresh HijackThis log
sorry for the delay...
i can't seem to be able to delete this entry:
O4 - HKLM\..\Run: [wktgdelv] c:\windows\system32\wktgdelv.exe wktgdelv
SpyBot S&D comes up and tells me that i can't change it. i even tried manually with "regedit.exe" but still no luck... TeaTimer comes up and stops me. Even turning it off doesn't work. When i start it up again it restores it.
I think the problem is that i must have told TeaTimer to allow the initial change to the registry (made by the malware that put it there), and now it's protecting it from change... I tried finding the list of registry entries in SpyBot S&D but i can't find it anywhere...
Anyway here are the log files from HJT and Kaspersky logs. There seem to be a few viruses still there...
------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:45:18 μμ, on 19/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\User2\Επιφάνεια εργασίας\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [wktgdelv] c:\windows\system32\wktgdelv.exe wktgdelv
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD1273B5-CE83-482E-8DAC-2C73D2285D4C}: NameServer = 195.170.0.1,195.170.2.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 19, 2007 5:07:19 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 19/04/2007
Kaspersky Anti-Virus database records: 299245
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 47327
Number of viruses found: 7
Number of infected objects: 35 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:55:55
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User2\Application Data\Mozilla\Firefox\Profiles\sx2ufav7.default\cert8.db Object is locked skipped
C:\Documents and Settings\User2\Application Data\Mozilla\Firefox\Profiles\sx2ufav7.default\history.dat Object is locked skipped
C:\Documents and Settings\User2\Application Data\Mozilla\Firefox\Profiles\sx2ufav7.default\key3.db Object is locked skipped
C:\Documents and Settings\User2\Application Data\Mozilla\Firefox\Profiles\sx2ufav7.default\parent.lock Object is locked skipped
C:\Documents and Settings\User2\Application Data\Mozilla\Firefox\Profiles\sx2ufav7.default\search.sqlite Object is locked skipped
C:\Documents and Settings\User2\Application Data\Mozilla\Firefox\Profiles\sx2ufav7.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\User2\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User2\Local Settings\Application Data\Mozilla\Firefox\Profiles\sx2ufav7.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\User2\Local Settings\Application Data\Mozilla\Firefox\Profiles\sx2ufav7.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\User2\Local Settings\Application Data\Mozilla\Firefox\Profiles\sx2ufav7.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\User2\Local Settings\Application Data\Mozilla\Firefox\Profiles\sx2ufav7.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\User2\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User2\Local Settings\Temporary Internet files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User2\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User2\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\eMule\Temp\003.part Object is locked skipped
C:\Program Files\eMule\Temp\007.part Object is locked skipped
C:\Program Files\eMule\Temp\012.part Object is locked skipped
C:\Program Files\eMule\Temp\015.part Object is locked skipped
C:\Program Files\Folding@Home\FAHlog.txt Object is locked skipped
C:\Program Files\Folding@Home\work\logfile_01.txt Object is locked skipped
C:\Program Files\Folding@Home\work\wudata_01.arc Object is locked skipped
C:\Program Files\Folding@Home\work\wudata_01.bed Object is locked skipped
C:\Program Files\Folding@Home\work\wudata_01.goe Object is locked skipped
C:\Program Files\Folding@Home\work\wudata_01.log Object is locked skipped
C:\Program Files\Folding@Home\work\wudata_01.sas Object is locked skipped
C:\Program Files\Folding@Home\work\wudata_01.xtc Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP100\A0012312.exe Infected: Trojan-Downloader.Win32.Zlob.awu skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP101\A0012382.exe Infected: Trojan-Downloader.Win32.Zlob.awu skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP104\A0012701.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.gen skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP111\A0015031.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.gen skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP136\A0018680.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.gen skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP136\A0018887.exe Infected: Trojan-Downloader.Win32.VB.ft skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP136\A0018891.dll Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP136\A0018892.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP137\change.log Object is locked skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011012.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011013.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011014.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011015.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011016.exe/WISE0044.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011016.exe/WISE0046.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011016.exe/WISE0047.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011016.exe/WISE0049.BIN Infected: Trojan-Downloader.Win32.Agent.avz skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011016.exe/WISE0050.BIN Infected: Trojan-Downloader.Win32.Agent.avz skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011016.exe/WISE0051.BIN Infected: Trojan-Downloader.Win32.Agent.avz skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011016.exe WiseSFX: infected - 6 skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011016.exe WiseSFX Dropper: infected - 6 skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011018.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011019.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011020.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011021.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011022.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011023.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011024.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011025.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011026.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011030.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011033.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011040.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011041.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011042.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\System Volume Information\_restore{39BC9712-192B-4EFE-8D87-6C03B94AFE3F}\RP83\A0011043.exe Infected: not-a-virus:Porn-Downloader.Win32.HotTV.a skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9E5AB74B-E016-4BCC-9E55-B6C52A9E86F7}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\NetLimit.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_48c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\unp252932191.tmp Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Looks pretty good :)
Ok we'll disable Spybot temporarily...
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer
Now fix these with HijackThis:
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [wktgdelv] c:\windows\system32\wktgdelv.exe wktgdelv
Restart the computer and post a fresh HijackThis log.
Let me know how the computer runs :bigthumb:
Sorry for the delay.. long weekend...
I still can't seem to delete that entry..
O4 - HKLM\..\Run: [wktgdelv] c:\windows\system32\wktgdelv.exe wktgdelv
It keeps reapearing.
Logfile of HijackThis v1.99.1
Scan saved at 9:14:42 πμ, on 24/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\eMule\emule.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User2\Επιφάνεια εργασίας\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [wktgdelv] c:\windows\system32\wktgdelv.exe wktgdelv
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD1273B5-CE83-482E-8DAC-2C73D2285D4C}: NameServer = 195.170.0.1,195.170.2.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
ok.. managed to find the black list in TeaTimer and finally deleted the entry...
Here is a fresh HJT log..
Logfile of HijackThis v1.99.1
Scan saved at 9:34:34 πμ, on 24/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\eMule\emule.exe
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\User2\Επιφάνεια εργασίας\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD1273B5-CE83-482E-8DAC-2C73D2285D4C}: NameServer = 195.170.0.1,195.170.2.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
Apart from that everything else seems to be working ok... The pop ups have disappeard even before deleting that entry.
Thank you very much for your help!!!:present:
Hi again, it is looking clean now :)
You don't seem to have a third-party firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't eg protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:
These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
Comodo (http://www.personalfirewall.comodo.com)
Now you can enable Spybot S&D Teatimer again.
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)