PDA

View Full Version : Pop up windows. Directs to "Spyware-Secure"


alobarn
2007-07-17, 15:26
I did all the preliminary steps (spybot in safe mode, avast virus scan on start up) they don't report any problem but as soon as i open a browser (both firefox and explorer) i keep getting those pop ups. That my system is not safe and that i have to download their stuff... And more annoying than the pop up (and probably more dangerous) is the fact that Tea Timer keeps blocking (at a rate of 2/sec) a System Startup Global Entry for *something* called "gmexbmg". I searched Google for that process and found nothing. I see a couple of worrying entries in the HJT log, but I certainly am no expert and I don't want to mess things more than they already are. So I came to you for help.

The online virus check (e-trust i think) reports five viruses.

Here is the report:

Scan Results: 34448 files scanned. 5 viruses were detected.

File Infection Status Path
EEA9BD0Dd01 Win32/Skintrim!generic infected C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\q04jwy6r.default\Cache\
Dc287.exe Win32/Skintrim!generic infected C:\RECYCLER\S-1-5-21-823518204-308236825-682003330-1004\
Dc288.exe Win32/Skintrim!generic infected C:\RECYCLER\S-1-5-21-823518204-308236825-682003330-1004\
Dc296.exe Win32/Skintrim!generic infected C:\RECYCLER\S-1-5-21-823518204-308236825-682003330-1004\
Dc297.exe Win32/Skintrim!generic infected C:\RECYCLER\S-1-5-21-823518204-308236825-682003330-1004\

And here is the HJT report:

Logfile of HijackThis v1.99.1
Scan saved at 4:10:36 μμ, on 17/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Please HELP!!!
Blade81
2007-07-19, 16:09
Hi


Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Don't run ATF yet. Will do it a bit later.


Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer


Uninstall Spyware-secure thru add/remove programs (if it exists).

Start hjt, click do a system scan only, check (if found):
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe

Close browsers and other windows. Click fix checked.

Delete following folder (if found):
C:\Program Files\Spyware-Secure


Running temp cleaner & AVG Anti-Spyware
---------------------------------------



Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Don't Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the
Save Scan Report
button before you did hit the
Apply all Actions
button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot.


Post AVG Anti-Spyware log & a fresh HJT log.
alobarn
2007-07-20, 15:53
AVG Log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:47:40 μμ 20/7/2007

+ Scan result:



Nothing found.



::Report end


HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:51:10 μμ, on 20/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

The virus scan didn't find anything... the entries from HJT where removed... but the pop up is still there... after the last reboot and just before posting this reply I got it again...
Blade81
2007-07-20, 16:14
1. Download this file -
combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply with a fresh hjt log

Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall
tashi
2007-07-28, 07:01
This topic has been archived due to lack of a response. :scratch:

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.
tashi
2007-08-20, 18:29
Re-opened upon request.
alobarn
2007-08-21, 08:57
Hi Blade81

I was away on vacation and the last days before I left were a bit hectic, so I totally forgot to tell you that I would be away...

Sorry.

About the pop-ups now...

I run ComboFix and will post the log just now, but when it finished running -and i didn't even touch the keyboard or the mouse- i got the "program stopped" windows warning -the one where you are given a chance to "send a report/don't send" to microsoft- for a program called catchme.cfexe which i gather is ComboFix... So it probably did stall even if I didn't even move the mouse... The pop-ups are still there... And I still have TeaTimer turned off, so that process which was blocked is probably still running loose...


ComboFix log:

ComboFix 07-07-30.2 - "User" 2007-08-20 10:06:49.2 [GMT 3:00] - NTFS
Microsoft Windows XP Home Edition 5.1.2600.2.1253.1.1032.18.€ΆžŸβ


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\sqtvzxxgf.dat
C:\WINDOWS\system32\sqtvzxxgf.exe
C:\WINDOWS\system32\sqtvzxxgf_nav.dat
C:\WINDOWS\system32\sqtvzxxgf_navps.dat


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-20 09:51 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-01 15:10 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 16:08 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 09:56 --------- d-------- C:\DOCUME~1\User\APPLIC~1\OpenOffice.org2
2007-08-02 13:26 --------- d-------- C:\Program Files\Folding@Home
2007-07-28 01:07 783224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-28 01:02 94416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 01:02 92848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 01:00 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-28 00:59 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-28 00:58 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-28 00:57 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-07-19 15:21 --------- d-------- C:\Program Files\Project64 1.6
2007-07-13 16:57 --------- d-------- C:\Program Files\Trend Micro
2007-07-13 09:32 86886 --a------ C:\WINDOWS\system32\perfc008.dat
2007-07-13 09:32 508990 --a------ C:\WINDOWS\system32\perfh008.dat
2007-07-02 14:56 --------- d-------- C:\Program Files\PartyGaming
2007-07-02 11:08 --------- d-------- C:\Program Files\Joost
2007-06-29 14:17 --------- d-------- C:\Program Files\InternetGameBox
2007-06-28 10:11 --------- d-------- C:\Program Files\Yahoo!
2007-06-28 10:10 --------- d-------- C:\DOCUME~1\User\APPLIC~1\Joost
2007-06-26 09:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 16:30 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-13 16:22 1037824 --a------ C:\WINDOWS\explorer.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-15 10:21 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-17 11:04 C:\WINDOWS\SkyTel.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 01:03]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 15:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-03-09 00:56]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]

C:\Documents and Settings\All Users\Start Menu\¨¦š¨α££˜«˜\„΅΅ε€ž©ž\
108Mbps Wireless LAN Adapter Configuration Utility.lnk - C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe [2007-03-05 00:28:39]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26]
Reg.lnk - C:\Program Files\108Mbps Wireless LAN Adapter\Reg.exe [2007-03-05 00:28:39]

R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys


Contents of the 'Scheduled Tasks' folder
2007-08-03 09:00:00 C:\WINDOWS\Tasks\HPpromotions journeysoftware.job - C:\Program Files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 10:08:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\xa0\3\x391\3\x38f\3\xb5\3\x390\3\x389\3\xbb\3\xb5\3\xb3\3\x38c\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s?"="",,,,,,,,,,,,,""
"\x9a\3\x389\3\xbd\3\x38f\3\x39d\3\x38c\3\xb5\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s?"=""C:\WINDOWS\Cursors\rainbow.ani,,C:\WINDOWS\Cursors\appstart.ani,C:\WINDOWS\Cursors\hourglas.ani,C:\WINDOWS\Cursors\cross.cur,,,,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,,""
"\x2020\3\x393\3\x390\3\x391\3\x38f\3 ?3?\x201d\3"=""C:\WINDOWS\Cursors\3dwarro.cur,,C:\WINDOWS\Cursors\appstar3.ani,C:\WINDOWS\Cursors\hourgla3.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dwno.cur,C:\WINDOWS\Cursors\3dwns.cur,C:\WINDOWS\Cursors\3dwwe.cur,C:\WINDOWS\Cursors\3dwnwse.cur,C:\WINDOWS\Cursors\3dwnesw.cur,C:\WINDOWS\Cursors\3dwmove.cur,""
"\xa7\3\xad\3\x391\3\x389\3\xb1\3 ?1?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"\xa7\3\xad\3\x391\3\x389\3\xb1\3 ?2?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,""
"\x201d\3\xb5\3\x389\3\xbd\3\x39c\3\x393\3\xb1\3\x395\3\x391\3\x38f\3\x392\3"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\dinosaur.ani,C:\WINDOWS\Cursors\dinosau2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\banana.ani,C:\WINDOWS\Cursors\3dsns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dsnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dsmove.cur,""
"\xa0\3\x391\3\x38f\3\xb7\3\xb3\3\x38f\3\x39d\3\x38c\3\xb5\3\xbd\3\x38f\3 ?\x38c\3\x38f\3\xbd\3\x394\3\xad\3\xbb\3\x38f\3"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\horse.ani,C:\WINDOWS\Cursors\barber.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\coin.ani,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\xa3\3\x39d\3\xbd\3\x388\3\xb5\3\x393\3\xb7\3"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\drum.ani,C:\WINDOWS\Cursors\metronom.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\piano.ani,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"\x9c\3\xb5\3\xb3\3\xad\3\x388\3\x395\3\xbd\3\x393\3\xb7\3"=""C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,""
"\xa0\3\xb1\3\x391\3\xb1\3\xbb\3\xbb\3\xb1\3\xb3\3\xad\3\x392\3"=""C:\WINDOWS\Cursors\fillitup.ani,,C:\WINDOWS\Cursors\raindrop.ani,C:\WINDOWS\Cursors\counter.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\wagtail.ani,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,""
"\x9c\3\x390\3\x391\3\x38f\3\x39d\3\x394\3\xb6\3\x389\3\xbd\3\x38f\3 ?3?\x201d\3"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\appstar2.ani,C:\WINDOWS\Cursors\hourgla2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dgno.cur,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\x9c\3\xb1\3\x39d\3\x391\3\xb1\3 ?W?i?n?d?o?w?s? ?"="C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur"
"\x9c\3\xb1\3\x39d\3\x391\3\xb1\3 ?W?i?n?d?o?w?s? ?(?\x38c\3\xb5\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur"
"\x9c\3\xb1\3\x39d\3\x391\3\xb1\3 ?W?i?n?d?o?w?s? ?(?\x390\3\x38f\3\xbb\3\x39d\3 ?\x38c\3\xb5\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur"
"\x2018\3\xbd\3\x394\3\xb5\3\x393\3\x394\3\x391\3\xb1\3\x38c\3\x38c\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s?"="C:\WINDOWS\cursors\arrow_i.cur,C:\WINDOWS\cursors\help_i.cur,C:\WINDOWS\cursors\wait_i.cur,C:\WINDOWS\cursors\busy_i.cur,C:\WINDOWS\cursors\cross_i.cur,C:\WINDOWS\cursors\beam_i.cur,C:\WINDOWS\cursors\pen_i.cur,C:\WINDOWS\cursors\no_i.cur,C:\WINDOWS\cursors\size4_i.cur,C:\WINDOWS\cursors\size3_i.cur,C:\WINDOWS\cursors\size2_i.cur,C:\WINDOWS\cursors\size1_i.cur,C:\WINDOWS\cursors\move_i.cur,C:\WINDOWS\cursors\up_i.cur"
"\x2018\3\xbd\3\x394\3\xb5\3\x393\3\x394\3\x391\3\xb1\3\x38c\3\x38c\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s? ?(?\x38c\3\xb5\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_im.cur,C:\WINDOWS\cursors\help_im.cur,C:\WINDOWS\cursors\wait_im.cur,C:\WINDOWS\cursors\busy_im.cur,C:\WINDOWS\cursors\cross_im.cur,C:\WINDOWS\cursors\beam_im.cur,C:\WINDOWS\cursors\pen_im.cur,C:\WINDOWS\cursors\no_im.cur,C:\WINDOWS\cursors\size4_im.cur,C:\WINDOWS\cursors\size3_im.cur,C:\WINDOWS\cursors\size2_im.cur,C:\WINDOWS\cursors\size1_im.cur,C:\WINDOWS\cursors\move_im.cur,C:\WINDOWS\cursors\up_im.cur"
"\x2018\3\xbd\3\x394\3\xb5\3\x393\3\x394\3\x391\3\xb1\3\x38c\3\x38c\3\xad\3\xbd\3\xb1\3 ?W?i?n?d?o?w?s? ?(?\x390\3\x38f\3\xbb\3\x39d\3 ?\x38c\3\xb5\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_il.cur,C:\WINDOWS\cursors\help_il.cur,C:\WINDOWS\cursors\wait_il.cur,C:\WINDOWS\cursors\busy_il.cur,C:\WINDOWS\cursors\cross_il.cur,C:\WINDOWS\cursors\beam_il.cur,C:\WINDOWS\cursors\pen_il.cur,C:\WINDOWS\cursors\no_il.cur,C:\WINDOWS\cursors\size4_il.cur,C:\WINDOWS\cursors\size3_il.cur,C:\WINDOWS\cursors\size2_il.cur,C:\WINDOWS\cursors\size1_il.cur,C:\WINDOWS\cursors\move_il.cur,C:\WINDOWS\cursors\up_il.cur"
"\xa4\3\x395\3\x390\3\x389\3\x38a\3\xac\3 ?W?i?n?d?o?w?s? ?(?\x38c\3\xb5\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_m.cur,C:\WINDOWS\cursors\help_m.cur,C:\WINDOWS\cursors\wait_m.cur,C:\WINDOWS\cursors\busy_m.cur,C:\WINDOWS\cursors\cross_m.cur,C:\WINDOWS\cursors\beam_m.cur,C:\WINDOWS\cursors\pen_m.cur,C:\WINDOWS\cursors\no_m.cur,C:\WINDOWS\cursors\size4_m.cur,C:\WINDOWS\cursors\size3_m.cur,C:\WINDOWS\cursors\size2_m.cur,C:\WINDOWS\cursors\size1_m.cur,C:\WINDOWS\cursors\move_m.cur,C:\WINDOWS\cursors\up_m.cur"
"\xa4\3\x395\3\x390\3\x389\3\x38a\3\xac\3 ?W?i?n?d?o?w?s? ?(?\x390\3\x38f\3\xbb\3\x39d\3 ?\x38c\3\xb5\3\xb3\3\xac\3\xbb\3\xb1\3)?"="C:\WINDOWS\cursors\arrow_l.cur,C:\WINDOWS\cursors\help_l.cur,C:\WINDOWS\cursors\wait_l.cur,C:\WINDOWS\cursors\busy_l.cur,C:\WINDOWS\cursors\cross_l.cur,C:\WINDOWS\cursors\beam_l.cur,C:\WINDOWS\cursors\pen_l.cur,C:\WINDOWS\cursors\no_l.cur,C:\WINDOWS\cursors\size4_l.cur,C:\WINDOWS\cursors\size3_l.cur,C:\WINDOWS\cursors\size2_l.cur,C:\WINDOWS\cursors\size1_l.cur,C:\WINDOWS\cursors\move_l.cur,C:\WINDOWS\cursors\up_l.cur"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\\x9a\3\xb1\3\x394\3\xac\3\x391\3\xb3\3\xb7\3\x393\3\xb7\3 ]
@="{67cf8cbd-e5c0-44f7-9de5-e1d599d626d8}"
"Description"="\x391\x3c5\x3c4\x3ac \x3c4\x3b1 \x3b1\x3c1\x3c7\x3b5\x3af\x3b1 \x3b5\x3af\x3bd\x3b1\x3b9 \x3b1\x3c0\x3b1\x3c1\x3b1\x3af\x3c4\x3b7\x3c4\x3b1, \x3b5\x3ac\x3bd \x3b8\x3ad\x3bb\x3b5\x3c4\x3b5 \x3bd\x3b1 \x3ba\x3b1\x3c4\x3b1\x3c1\x3b3\x3ae\x3c3\x3b5\x3c4\x3b5 \x3c4\x3b7\x3bd \x3b5\x3b3\x3ba\x3b1\x3c4\x3ac\x3c3\x3c4\x3b1\x3c3\x3b7 \x3b1\x3c5\x3c4\x3ae\x3c2 \x3c4\x3b7\x3c2 \x3ad\x3ba\x3b4\x3bf\x3c3\x3b7\x3c2 \x3c4\x3c9\x3bd Windows \x3ba\x3b1\x3b9 \x3bd\x3b1 \x3b5\x3c0\x3b9\x3c3\x3c4\x3c1\x3ad\x3c8\x3b5\x3c4\x3b5 \x3c3\x3c4\x3bf \x3c0\x3c1\x3bf\x3b7\x3b3\x3bf\x3cd\x3bc\x3b5\x3bd\x3bf \x3bb\x3b5\x3b9\x3c4\x3bf\x3c5\x3c1\x3b3\x3b9\x3ba\x3cc \x3c3\x3b1\x3c2 \x3c3\x3cd\x3c3\x3c4\x3b7\x3bc\x3b1."
"Display"="\x391\x3bd\x3c4\x3af\x3b3\x3c1\x3b1\x3c6\x3b1 \x3b1\x3c3\x3c6\x3b1\x3bb\x3b5\x3af\x3b1\x3c2 \x3b3\x3b9\x3b1 \x3c0\x3c1\x3bf\x3b7\x3b3\x3bf\x3cd\x3bc\x3b5\x3bd\x3bf \x3bb\x3b5\x3b9\x3c4\x3bf\x3c5\x3c1\x3b3\x3b9\x3ba\x3cc \x3c3\x3cd\x3c3\x3c4\x3b7\x3bc\x3b1"
"IconPath"=str(2):"scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 10:09:31
C:\ComboFix-quarantined-files.txt ... 2007-08-20 10:08
C:\ComboFix2.txt ... 2007-08-01 15:16

--- E O F ---
alobarn
2007-08-21, 08:58
HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:53:38 πμ, on 21/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Blade81
2007-08-21, 16:43
Hi

Launch AVG Anti-Spyware.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Don't run AVG yet. Will do it a bit later.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.


Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Don't select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the
Save Scan Report
button before you did hit the
Apply all Actions
button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot.


Post
-AVG Anti-Spyware log
-a fresh HJT log.
alobarn
2007-08-22, 09:48
still AVG finds nothing...

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:17:26 πμ 22/8/2007

+ Scan result:



Nothing found.



::Report end

and the new HJT log..

Logfile of HijackThis v1.99.1
Scan saved at 10:46:13 πμ, on 22/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Blade81
2007-08-22, 10:11
Hi

Well.. the logs look clear. Do you still get popups? If yes do they appear randomly or when surfing on some specific sites?
alobarn
2007-08-24, 09:47
It looks ok.

No pop ups for some time now...

just one question.. I turned on TeaTimer again, and it started asking me if I want to keep some changes to the registry.. I gather those are the changes that were made when we deleted the malware stuff, and it just compares the active registry with the last copy that it had while infected, right? I allowed the change that said "secure systems/value deleted". I hope i didn't turn the pop ups on again, did I?

Thank for all your help!!!
Blade81
2007-08-25, 02:18
Well, you can post fresh hjt log and then we'll check if popups are still gone :)
alobarn
2007-08-28, 14:23
i haven't seen any pop ups lately... it should be ok... thought i see in the HJT log the "spyware-secure" thing... here is the log

Logfile of HijackThis v1.99.1
Scan saved at 3:24:13 μμ, on 28/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
alobarn
2007-08-28, 14:33
i checked the path for that "spyware-secure" thing (C\Program Files\Spyware-Secure\Spyware-Secure-trial.exe) and it doesn' exist.

Maybe it's me with the TeaTimer thing I did.... And it's back in the registry but it points to nowhere...

I also made a search for the file and I only found some zip files in the Spybot recovery folder.
Blade81
2007-08-28, 21:09
Hi

Okay. Let's disable TeaTimer temporarily again


Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer


Then check & fix these with hjt:
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe


Reboot and post a fresh hjt log.
alobarn
2007-09-05, 08:50
pop ups are back... and a new symptom now. I keep receiving "mail delivery return" e-mails in my outlook inbox for addresses that i never tried sending any e-mail to... one of them said something about a virus being detected in an attachment.

here is the body of that mail:

Hi. This is the qmail-send program at mx135.newtthk.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<sales@gammaelectronics.com.hk>:
The users mailfolder is over the allowed quota (size).

--- Below this line is a copy of the message.

Return-Path: <info@kfghellas.com>
Received: (qmail 18181 invoked from network); 31 Aug 2007 09:41:02 -0000
Received: from avas.wharftthk.com (HELO mirapoint.wharftthk.com) ([202.130.97.138])
(envelope-sender <info@kfghellas.com>)
by mx135.newtthk.com (qmail-ldap-1.03) with SMTP
for <sales@gammaelectronics.com.hk>; 31 Aug 2007 09:41:02 -0000
Received: from gammaelectronics.com.hk (nakosae.static.otenet.gr [62.103.25.42])
by mirapoint.wharftthk.com (MOS 3.7.3a-GA)
with ESMTP id BDL55391;
Fri, 31 Aug 2007 17:40:56 +0800 (HKT)
Message-Id: <200708310940.BDL55391@mirapoint.wharftthk.com>
From: info@kfghellas.com
To: sales@gammaelectronics.com.hk
Subject: Mail Delivery (failure sales@gammaelectronics.com.hk)
Date: Fri, 31 Aug 2007 12:39:58 +0300
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
Content-Type: multipart/mixed; boundary="MIRAPOINT_PART1_46d7e22e"
X-Mirapoint-Virus: VIRUSDELETED;
host=mirapoint.wharftthk.com;
attachment=[2.1.2];
virus=Mal/Iframe-E
X-Mirapoint-Virus: VIRUSDELETED;
host=mirapoint.wharftthk.com;
attachment=[2.2];
virus=W32/Netsky-P
X-Junkmail-Status: score=35/50, host=mirapoint.wharftthk.com
X-Junkmail-SD-Raw: score=suspect(0),
refid=str=0001.0A090202.46D7E22E.0036,ss=2,fgs=0,
ip=62.103.25.42,
so=2005-12-15 23:46:19,
dmn=5.3.14/2007-05-31

This is a multi-part message in MIME format.

--MIRAPOINT_PART1_46d7e22e
Content-Type: text/plain; charset=UTF-8
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

--MIRAPOINT_PART1_46d7e22e
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_001C_01C0CA80.6B015D10"

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/plain

VIRUS WARNING Message (from mirapoint.wharftthk.com)

The virus Mal/Iframe-E was detected in email attachment [2.1.2] . The infected attachment has been deleted.

------=_NextPart_001_001C_01C0CA80.6B015D10--

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: text/plain

VIRUS WARNING Message (from mirapoint.wharftthk.com)

The virus W32/Netsky-P was detected in email attachment [2.2] message.scr. The infected attachment has been deleted.

------=_NextPart_000_001B_01C0CA80.6B015D10--

--MIRAPOINT_PART1_46d7e22e--


as for the HJT log, here it is.

Logfile of HijackThis v1.99.1
Scan saved at 09:44, on 2007-09-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Folding@Home\FahCore_80.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Blade81
2007-09-05, 20:50
Hi

Download GMER (http://www.gmer.net/gmer.zip) and save it your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.


Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
alobarn
2007-09-17, 08:54
Hi Blade81.

Sorry for the delay...

here is the GMER log part1:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-09-17 09:53:08
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\system32\csrss.exe[572] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\csrss.exe[572] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\csrss.exe[572] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\csrss.exe[572] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\services.exe[644] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\services.exe[644] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\services.exe[644] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\services.exe[644] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\Ati2evxx.exe[808] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 00CD200E
.text C:\WINDOWS\system32\Ati2evxx.exe[808] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 00CD1DAF
.text C:\WINDOWS\system32\Ati2evxx.exe[808] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00CD1CF2
.text C:\WINDOWS\system32\Ati2evxx.exe[808] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 00CD191B
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\System32\svchost.exe[932] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Documents and Settings\User\Επιφάνεια εργασίας\gmer.exe[1000] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Documents and Settings\User\Επιφάνεια εργασίας\gmer.exe[1000] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Documents and Settings\User\Επιφάνεια εργασίας\gmer.exe[1000] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Documents and Settings\User\Επιφάνεια εργασίας\gmer.exe[1000] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1008] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1008] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1008] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1008] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1172] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1172] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1172] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1172] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\Ati2evxx.exe[1220] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 00E1200E
.text C:\WINDOWS\system32\Ati2evxx.exe[1220] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 00E11DAF
.text C:\WINDOWS\system32\Ati2evxx.exe[1220] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00E11CF2
.text C:\WINDOWS\system32\Ati2evxx.exe[1220] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 00E1191B
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1324] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1324] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1324] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1324] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\spoolsv.exe[1508] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\spoolsv.exe[1508] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\spoolsv.exe[1508] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\spoolsv.exe[1508] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1684] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 0070200E
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1684] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 00701DAF
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1684] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00701CF2
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1684] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 0070191B
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1752] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1752] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1752] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1752] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[1896] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[1896] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[1896] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[1896] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\Explorer.EXE[1904] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 01D7200E
.text C:\WINDOWS\Explorer.EXE[1904] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 01D71DAF
.text C:\WINDOWS\Explorer.EXE[1904] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 01D71CF2
.text C:\WINDOWS\Explorer.EXE[1904] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 01D7191B
.text C:\WINDOWS\RTHDCPL.EXE[2256] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\RTHDCPL.EXE[2256] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\RTHDCPL.EXE[2256] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\RTHDCPL.EXE[2256] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\System32\svchost.exe[2264] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\System32\svchost.exe[2264] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\System32\svchost.exe[2264] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\System32\svchost.exe[2264] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2296] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 008F200E
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2296] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 008F1DAF
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2296] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 008F1CF2
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2296] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 008F191B
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2328] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2328] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2328] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[2328] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2344] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2344] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2344] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2344] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2364] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2364] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2364] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2364] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\windows\system32\huyvoxnqt.exe[2420] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\windows\system32\huyvoxnqt.exe[2420] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\windows\system32\huyvoxnqt.exe[2420] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\windows\system32\huyvoxnqt.exe[2420] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
alobarn
2007-09-17, 09:00
GMER log part 2:

.text C:\WINDOWS\system32\ctfmon.exe[2500] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\ctfmon.exe[2500] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\ctfmon.exe[2500] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\ctfmon.exe[2500] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\NCLAUNCH.EXe[2548] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\NCLAUNCH.EXe[2548] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\NCLAUNCH.EXe[2548] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\NCLAUNCH.EXe[2548] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[2608] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[2608] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[2608] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[2608] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2628] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2628] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2628] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[2628] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe[2740] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 00F1200E
.text C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe[2740] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 00F11DAF
.text C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe[2740] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 00F11CF2
.text C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe[2740] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 00F1191B
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2784] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2784] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2784] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe[2784] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Mozilla Firefox\firefox.exe[2796] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Mozilla Firefox\firefox.exe[2796] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Mozilla Firefox\firefox.exe[2796] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Mozilla Firefox\firefox.exe[2796] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Mozilla Firefox\firefox.exe[2796] WS2_32.dll!send 719D428A 5 Bytes JMP 100030E6
.text C:\Program Files\Mozilla Firefox\firefox.exe[2796] WS2_32.dll!WSARecv 719D4318 5 Bytes JMP 100032CC
.text C:\Program Files\Mozilla Firefox\firefox.exe[2796] WS2_32.dll!closesocket 719D9639 5 Bytes JMP 100035BC
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2808] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2808] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2808] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2808] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Folding@Home\winFAH.exe[2844] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Folding@Home\winFAH.exe[2844] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Folding@Home\winFAH.exe[2844] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Folding@Home\winFAH.exe[2844] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[2920] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[2920] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[2920] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.exe[2920] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN[3008] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN[3008] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN[3008] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN[3008] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Folding@Home\FahCore_80.exe[3160] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Folding@Home\FahCore_80.exe[3160] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Folding@Home\FahCore_80.exe[3160] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Folding@Home\FahCore_80.exe[3160] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3376] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3376] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3376] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3376] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3428] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3428] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3428] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3428] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\wuauclt.exe[3492] ntdll.dll!NtEnumerateKey 7C91D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\wuauclt.exe[3492] ntdll.dll!NtEnumerateValueKey 7C91D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\wuauclt.exe[3492] ntdll.dll!NtQueryDirectoryFile 7C91DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\wuauclt.exe[3492] ntdll.dll!NtQuerySystemInformation 7C91E1AA 5 Bytes JMP 1000191B
alobarn
2007-09-17, 09:03
GMER log part3:

---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F02E9F76] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F02E8812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F02E8812] aswMon2.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F78F02C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F78F02C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F78F02C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F78F02C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F78F08E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F78F08E6] aswTdi.SYS

---- Processes - GMER 1.0.13 ----

Process C:\windows\system32\huyvoxnqt.exe (*** hidden *** ) 2420
Library C:\windows\system32\huyvoxnqt.exe (*** hidden *** ) @ C:\windows\system32\huyvoxnqt.exe [2420] 0x00400000
alobarn
2007-09-17, 09:04
GMER log part 4:


---- Registry - GMER 1.0.13 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@huyvoxnqt c:\windows\system32\huyvoxnqt.exe huyvoxnqt
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@huyvoxnqt c:\windows\system32\huyvoxnqt.exe huyvoxnqt

---- Files - GMER 1.0.13 ----

File C:\WINDOWS\Prefetch\HUYVOXNQT.EXE-27ED6F8E.pf
File C:\WINDOWS\system32\huyvoxnqt.dat
File C:\WINDOWS\system32\huyvoxnqt.exe
File C:\WINDOWS\system32\huyvoxnqt_nav.dat
File C:\WINDOWS\system32\huyvoxnqt_navps.dat

---- EOF - GMER 1.0.13 ----
alobarn
2007-09-17, 09:05
I will come back with the DSS log in a few hours..
alobarn
2007-09-17, 14:40
back with the DSS logs.

main.txt:

Deckard's System Scanner v20070905.67
Run by User on 2007-09-17 15:35:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
37: 2007-09-17 12:31:58 UTC - RP96 - Deckard's System Scanner Restore Point
36: 2007-09-17 06:39:30 UTC - RP95 - Software Distribution Service 3.0
35: 2007-08-31 15:40:27 UTC - RP94 - Software Distribution Service 3.0
34: 2007-08-20 06:51:04 UTC - RP93 - Software Distribution Service 3.0
33: 2007-08-20 06:45:33 UTC - RP92 - Installed Java(TM) 6 Update 2


-- First Restore Point --
1: 2007-04-16 07:26:06 UTC - RP60 - Σημείο ελέγχου συστήματος


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 446 MiB (512 MiB recommended).


-- HijackThis (run as User.exe) ------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-17 15:36:42
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16512)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Documents and Settings\User\Επιφάνεια εργασίας\dss.exe
C:\HJT\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [SkyTel] SkyTel.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Folding@Home 5.03.lnk = C:\Program Files\Folding@Home\winFAH.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Reg.lnk = C:\Program Files\108Mbps Wireless LAN Adapter\Reg.exe
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


-- HijackThis Fixed Entries (C:\HJT\backups\) ----------------------------------

backup-20070720-162116-367 O4 - HKLM\..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
backup-20070720-162116-971 O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
backup-20070905-093925-439 O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
backup-20070905-093925-543 O4 - HKLM\..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R3 AR5211 (Wireless LAN Adapter) - c:\windows\system32\drivers\ar5211.sys <Not Verified; ; Wireless Network Adapter>

S3 catchme - c:\docume~1\user\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-09-17 12:00:00 364 --a------ C:\WINDOWS\Tasks\HPpromotions journeysoftware.job


-- Files created between 2007-08-17 and 2007-09-17 -----------------------------

Nothing created in this timespan.


-- Find3M Report ---------------------------------------------------------------

2007-09-17 15:34:20 0 d-------- C:\Documents and Settings\User\Application Data\OpenOffice.org2
2007-09-14 09:24:34 0 d-------- C:\Program Files\Folding@Home
2007-08-29 09:54:19 0 d-------- C:\Program Files\PartyGaming
2007-08-20 09:48:31 0 d-------- C:\Program Files\Java
2007-07-20 16:08:47 0 d-------- C:\Documents and Settings\User\Application Data\Grisoft
2007-07-19 15:21:09 0 d-------- C:\Program Files\Project64 1.6
2007-07-13 09:32:04 508990 --a------ C:\WINDOWS\system32\perfh008.dat
2007-07-13 09:32:04 86886 --a------ C:\WINDOWS\system32\perfc008.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-15 10:21 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-17 11:04 C:\WINDOWS\SkyTel.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 13:06]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"Alcmtr"="ALCMTR.EXE" [2005-05-04 11:43 C:\WINDOWS\Alcmtr.exe]
"Spyware-Secure"="C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe" []
"huyvoxnqt"="c:\windows\system32\huyvoxnqt.exe" [2007-09-05 10:12]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 15:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-03-09 00:56]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"@"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

C:\Documents and Settings\User\Start Menu\¨¦š¨α££˜«˜\„΅΅ε€ž©ž\
Folding@Home 5.03.lnk - C:\Program Files\Folding@Home\winFAH.exe [2007-05-23 10:39:40]
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

C:\Documents and Settings\All Users\Start Menu\¨¦š¨α££˜«˜\„΅΅ε€ž©ž\
108Mbps Wireless LAN Adapter Configuration Utility.lnk - C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe [2007-03-05 00:28:39]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26]
Reg.lnk - C:\Program Files\108Mbps Wireless LAN Adapter\Reg.exe [2007-03-05 00:28:39]

*Newly Created Service* - GMER



-- End of Deckard's System Scanner: finished at 2007-09-17 15:38:47 ------------
alobarn
2007-09-17, 14:41
extra.txt 1/2:

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: Other (0408) - see http://preview.tinyurl.com/mhhp6

CPU 0: Intel(R) Pentium(R) D CPU 2.66GHz
CPU 1: Intel(R) Pentium(R) D CPU 2.66GHz
Percentage of Memory in Use: 74%
Physical Memory (total/avail): 445.56 MiB / 113.22 MiB
Pagefile Memory (total/avail): 1052.96 MiB / 654.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1959.57 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 149.04 GiB total, 141.27 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1600JS-00NCB1 - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Σύστημα αρχείων προς εγκατάσταση - 149.04 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.

AV: avast! antivirus 4.7.1043 [VPS 000775-0] v4.7.1043 (ALWIL Software)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\User\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PC1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\User
LOGONSERVER=\\PC1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\User\LOCALS~1\Temp
TMP=C:\DOCUME~1\User\LOCALS~1\Temp
USERDOMAIN=PC1
USERNAME=User
USERPROFILE=C:\Documents and Settings\User
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

User (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{107254A0-0ADF-11D4-9397-00D0B7020B38}\setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Πακέτο βασικής υπηρεσίας παροχής κρυπτογράφησης έξυπνων καρτών της Microsoft --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB896424) --> "C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB912919) --> "C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB917422) --> "C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB928090) --> "C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Ενημέρωση ασφαλείας για Windows XP (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB911164) -->
Ενημέρωση για Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB920342) --> "C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB925876) --> "C:\WINDOWS\$NtUninstallKB925876$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB929338) --> "C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Ενημέρωση για Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Ενημερωμένη έκδοση ασφαλείας για Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Επείγουσα επιδιόρθωση για Windows XP (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Επείγουσα επιδιόρθωση για Windows XP (KB935448) --> "C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
108Mbps Wireless LAN Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94E4FBD6-540C-4DB6-A469-B1FA248DA33E}\setup.exe" -l0x9
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Animated Water Scenes --> C:\WINDOWS\unins000.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Folding@Home --> C:\WINDOWS\system32\GKSUI18.EXE C:\Program Files\Folding@Home\UninstallEFAB.DAT
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 1.99.1 --> C:\HJT\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Deskjet 5900 series --> C:\Program Files\HP\Digital Imaging\{79546A5F-AE7C-4693-8670-A3401B43ABD2}\setup\hpzscr01.exe -datfile hpfscr05.dat
HP Extended Capabilities 5.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 5.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential --> MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
InternetGameBox --> C:\Program Files\InternetGameBox\uninst.exe
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Joost (tm) 0.10.7 --> C:\Program Files\Joost\uninst.exe
LimeWire 4.12.11 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130408-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.2) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
OpenOffice.org 2.2 --> MsiExec.exe /I{A1C8D94A-4303-4489-B585-4B6E6CD408CB}
PartyPoker --> "C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Project64 1.6 --> MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
REALTEK GbE & FE Ethernet PCI NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\setup.exe" -l0x8 -removeonly
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x8 -removeonly
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
VideoLAN VLC media player 0.8.6a --> C:\Program Files\VideoLAN\VLC\uninstall.exe
ViewSonic Monitor Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Άμεση επιδιόρθωση για Windows XP - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Άμεση επιδιόρθωση για Windows XP - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Άμεση επιδιόρθωση για Windows XP - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Άμεση επιδιόρθωση για Windows XP - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Άμεση επιδιόρθωση για Windows XP - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Άμεση επιδιόρθωση για Windows XP - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Άμεση επιδιόρθωση για Windows XP - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Άμεση επιδιόρθωση για Windows XP - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1015 / Error
Event Submitted/Written: 09/17/2007 03:33:47 PM
Event ID/Source: 1000 / Application Error
Event Description:
Ελαττωματική εφαρμογή dss.exe, έκδοση 3.2.4.9, ελαττωματική λειτουργική μονάδα msvcrt.dll, έκδοση 7.0.2600.2180, ελαττωματική διεύθυνση 0x00037fd4.
Επεξεργασία συμβάντος μέσου για [dss.exe!ws!]

Event Record #/Type1014 / Error
Event Submitted/Written: 09/17/2007 03:33:26 PM
Event ID/Source: 1000 / Application Error
Event Description:
Ελαττωματική εφαρμογή user.exe, έκδοση 1.99.0.1, ελαττωματική λειτουργική μονάδα msvcrt.dll, έκδοση 7.0.2600.2180, ελαττωματική διεύθυνση 0x00037fd4.
Επεξεργασία συμβάντος μέσου για [user.exe!ws!]

Event Record #/Type1008 / Error
Event Submitted/Written: 09/14/2007 09:25:18 AM
Event ID/Source: 1000 / .NET Runtime 2.0 Error Reporting
Event Description:
Faulting application ccc.exe, version 2.0.0.0, stamp 451d264f, faulting module mscorwks.dll, version 2.0.50727.832, stamp 461f2e2a, debug? 0, fault address 0x0006adba.

Event Record #/Type1005 / Error
Event Submitted/Written: 09/13/2007 09:29:32 AM
Event ID/Source: 2001 / Microsoft Office 11
Event Description:
Rejected Safe Mode action : Microsoft Office Outlook.

Event Record #/Type1004 / Error
Event Submitted/Written: 09/13/2007 09:29:19 AM
Event ID/Source: 1000 / Microsoft Office 11
Event Description:
Faulting application outlook.exe, version 11.0.5510.0, stamp 3f1380f0, faulting module outllib.dll, version 11.0.5608.0, stamp 3f35d24e, debug? 0, fault address 0x0023e0c0.
alobarn
2007-09-17, 14:42
extra.txt 2/2:



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type12713 / Warning
Event Submitted/Written: 09/13/2007 02:53:20 PM
Event ID/Source: 1073 / USER32
Event Description:
Η προσπάθεια για Άγνωστο PC1 απέτυχε

Event Record #/Type12651 / Warning
Event Submitted/Written: 09/11/2007 02:37:47 PM
Event ID/Source: 8021 / BROWSER
Event Description:
Το πρόγραμμα περιήγησης δεν ήταν δυνατό να ανακτήσει μια λίστα διακομιστών από το κύριο πρόγραμμα περιήγησης \\PC2 στο δίκτυο \Device\NetBT_Tcpip_{F4B5D9B2-151A-40EA-A5D6-64482BDC7D58}.
Τα δεδομένα βρίσκονται στον κώδικα σφάλματος.

Event Record #/Type12009 / Warning
Event Submitted/Written: 08/29/2007 05:15:55 PM
Event ID/Source: 8021 / BROWSER
Event Description:
Το πρόγραμμα περιήγησης δεν ήταν δυνατό να ανακτήσει μια λίστα διακομιστών από το κύριο πρόγραμμα περιήγησης \\PC2 στο δίκτυο \Device\NetBT_Tcpip_{F4B5D9B2-151A-40EA-A5D6-64482BDC7D58}.
Τα δεδομένα βρίσκονται στον κώδικα σφάλματος.

Event Record #/Type12008 / Warning
Event Submitted/Written: 08/29/2007 05:15:20 PM
Event ID/Source: 8021 / BROWSER
Event Description:
Το πρόγραμμα περιήγησης δεν ήταν δυνατό να ανακτήσει μια λίστα διακομιστών από το κύριο πρόγραμμα περιήγησης \\PC2 στο δίκτυο \Device\NetBT_Tcpip_{F4B5D9B2-151A-40EA-A5D6-64482BDC7D58}.
Τα δεδομένα βρίσκονται στον κώδικα σφάλματος.

Event Record #/Type11969 / Warning
Event Submitted/Written: 08/28/2007 04:40:50 PM
Event ID/Source: 8021 / BROWSER
Event Description:
Το πρόγραμμα περιήγησης δεν ήταν δυνατό να ανακτήσει μια λίστα διακομιστών από το κύριο πρόγραμμα περιήγησης \\PC2 στο δίκτυο \Device\NetBT_Tcpip_{F4B5D9B2-151A-40EA-A5D6-64482BDC7D58}.
Τα δεδομένα βρίσκονται στον κώδικα σφάλματος.



-- End of Deckard's System Scanner: finished at 2007-09-17 15:38:47 ------------
Blade81
2007-09-17, 17:29
Hi

Please download Navilog1 by IL-MAFIOSO:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip


* Extract its contents to the desktop.
* Double click on navilog1.exe to install it on your computer.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the Scan to finish (It may take a reasonable amount of time)
* Press any key as requested .
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.


The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)
alobarn
2007-09-19, 09:58
the NAVILOG log:

Search Navipromo version 3.0.4 began on 2007-09-19 at 10:54:13.68

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Updated on 16.09.2007 at 13h00 by IL-MAFIOSO

Microsoft Windows XP [λ΅›¦©ž 5.1.2600]
Version Internet Explorer : 7.0.5730.11

Done in normal mode

*** Searching for installed Software ***


InternetGameBox


*** Search folders in C:\WINDOWS ***



*** Search folders in C:\Program Files ***

C:\Program Files\InternetGameBox found !


*** Search folders in C:\Documents and Settings\All Users\Application Data ***




*** Search folders in C:\Documents and Settings\User\Application Data ***


*** Search with BlackLight Engine/F-secure ***
BlackLight Engine is a product of F-secure, for more info:
http://www.f-secure.com/blacklight/blacklight_help.html

Hidden(s) file(s) in C:\WINDOWS\system32 :

c:\WINDOWS\system32\huyvoxnqt.dat
C:\windows\system32\huyvoxnqt.exe
c:\WINDOWS\system32\huyvoxnqt_nav.dat
c:\WINDOWS\system32\huyvoxnqt_navps.dat

Hidden(s) Process in C:\WINDOWS\system32 :

C:\windows\system32\huyvoxnqt.exe


*** Search with GenericNaviSearch ***
!!! Possibility of legitims files in the result !!!
!!! To be always checked before manually deleting !!!

* Scan C:\WINDOWS\system32 *

Files found :

huyvoxnqt.exe found !

Suspicious Files :

No Suspicious File found !



*** Search files ***


C:\DOCUME~1\User\6808~1\InternetGameBox.lnk found !
C:\WINDOWS\pack.epk found !
C:\WINDOWS\system32\nvs2.inf found !
C:\WINDOWS\prefetch\INTERNETGAMEBOX.EXE-1EE9EDEF.pf found !


*** Search registry keys ***

HKEY_CURRENT_USER\Software\Lanconfig found !
HKEY_USERS\S-1-5-21-823518204-308236825-682003330-1004\Software\Lanconfig found !


*** Complementary Search ***
(Search specifics files)

1)Search known files:

2)Heuristic Search :

C:\WINDOWS\system32\huyvoxnqt.dat found !
C:\WINDOWS\system32\huyvoxnqt_navps.dat found !





3)Certificates Search :

Certificate Egroup found !


*** Search completed on 2007-09-19 at 10:59:55.70 ***
Blade81
2007-09-19, 18:58
Hi

* Double click on Navilog1 shortcut icon on your desktop to run it.
* Press E for English from the language Menu.
* Type 2 in the next Menu and press Enter.
* The tool will then advise you that it will restart your computer.
* Close all open windows and save personnal documents, if open, too.
* If your computer doesn't restart automatically, restart it manually.
* Choose your usual session.
* Wait for the *** Clean finished the ... *** message (It may take a reasonable amount of time)
* A new document will be produced.
* Please copy/paste the contents of this report in your next reply with a fresh hjt log.
* Your desktop will now appear.


Note : In the event you lose your desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task.

The report is also saved in the root directory, %SystemDrive%\cleannavi.txt.. (usually C:\cleannavi.txt)
alobarn
2007-09-24, 08:31
hi.

Navilog log after clean up:

Navipromo Removal version 3.0.4 started on 2007-09-24 at 9:28:59.34

Fix running from C:\Program Files\navilog1
echo Updated on 16.09.2007 at 13h00 by IL-MAFIOSO


Microsoft Windows XP [λ΅›¦©ž 5.1.2600]
Internet Explorer : 7.0.5730.11

echo Automatic removal


*** Creating backups for files found by Blacklight

Copy to "C:\Program Files\navilog1\Backupnavi"


*** Deleting files found with Blacklight ***

c:\WINDOWS\system32\huyvoxnqt.dat deleted !
C:\windows\system32\huyvoxnqt.exe deleted !
c:\WINDOWS\system32\huyvoxnqt_nav.dat deleted !
c:\WINDOWS\system32\huyvoxnqt_navps.dat deleted !

** Second pass **

C:\WINDOWS\system32\huyvoxnqt.exe not found !
C:\WINDOWS\system32\huyvoxnqt.dat not found !
C:\WINDOWS\system32\huyvoxnqt_nav.dat not found !
C:\WINDOWS\system32\huyvoxnqt_navps.dat not found !
C:\WINDOWS\system32\huyvoxnqt_navup.dat not found !
C:\WINDOWS\system32\huyvoxnqt_navtmp.dat not found !
C:\WINDOWS\system32\huyvoxnqt_m2s.xml not found !


C:\WINDOWS\prefetch\huyvoxnqt*.pf found !
Copy C:\WINDOWS\prefetch\huyvoxnqt*.pf done !
C:\WINDOWS\prefetch\huyvoxnqt*.pf deleted !

*** Deleting with Backups results GenericNaviSearch ***

* Scan C:\WINDOWS\system32 *



*** Deleting folders in C:\WINDOWS ***


*** Deleting folders in C:\Program Files ***

C:\Program Files\InternetGameBox ...deleting...
C:\Program Files\InternetGameBox deleted !


*** Deleting folders in C:\Documents and Settings\All Users\Application Data ***


*** Deleting folders in C:\Documents and Settings\User\Application Data ***



*** Deleting files ***

C:\DOCUME~1\User\6808~1\InternetGameBox.lnk deleted !
C:\WINDOWS\pack.epk deleted !
C:\WINDOWS\system32\nvs2.inf deleted !
C:\WINDOWS\INTERNETGAMEBOX.EXE-1EE9EDEF.pf deleted !

*** Deleting temporary files ***

Cleanning C:\WINDOWS\Temp done !
Cleanning C:\Documents and Settings\User\Local Settings\Temp done !

*** Complementary Search ***
(Search specifics files)

1)Search known files:





2)Searching and deleting Heuristics :


*** Copy registry to Backupnavi folder ***

Backing up registry done !

*** Clean registry ***

Registry cleaned


*** Certificates ***

Egroup Certificate deleted !

*** Cleaning stage complete 2007-09-24 at 9:31:51.39 ***
Blade81
2007-09-24, 10:47
How about that fresh hjt log? :)
alobarn
2007-10-01, 16:44
you can tell that i am not really using my computer that much.. can't you?

sorry for the big delay again.. i had LOADS of work these last two weeks..

anyway... here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 17:34, on 2007-10-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Spyware-Secure] C:\Program Files\Spyware-Secure\Spyware-Secure_trial.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Folding@Home 5.03.lnk = ?
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapter Configuration Utility.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Reg.lnk = ?
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Blade81
2007-10-01, 19:22
Hi

Looks like those two hjt entries are still there. Did you try to check & fix them having TeaTimer disabled first?


Anyway, TeaTimer must be disabled until fixing process is successfully finished or we won't be able to fix those two entries.


Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer



Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=-
"Spyware-Secure"=-


It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

Post a fresh hjt log & GMER log.
tashi
2007-10-11, 20:57
Still with us alobarn?
tashi
2007-10-16, 01:04
:scratch:

This topic has been archived due to lack of a response.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.