PDA

View Full Version : Virtumonde and more...


sonja
2008-04-28, 16:39
Hi, thanks in advance for your help! I have a problem with Virtumonde i suppose as it keeps bothering me even after i delete it with spybot. NOTE that as i followed your steps i couldn't get my PC to start in safe mode (with F8). Here are the logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:37 μμ, on 28/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Επιφάνεια εργασίας\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [98c92e37] rundll32.exe "C:\WINDOWS\system32\uktseijh.dll",b
O4 - HKLM\..\Run: [BM9bfa1dab] Rundll32.exe "C:\WINDOWS\system32\yvabxiic.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Γρήγορη εκκίνηση Adobe Reader .lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Γρήγορη εκκίνηση HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8787 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 28, 2008 2:44:27 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/04/2008
Kaspersky Anti-Virus database records: 728705
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 117024
Number of viruses found: 16
Number of infected objects: 26
Number of suspicious objects: 0
Duration of the scan process: 01:21:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\vyn2ln1o.default\cert8.db Object is locked skipped
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\vyn2ln1o.default\history.dat Object is locked skipped
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\vyn2ln1o.default\key3.db Object is locked skipped
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\vyn2ln1o.default\parent.lock Object is locked skipped
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\vyn2ln1o.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\vyn2ln1o.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Messenger\disordergr@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Messenger\disordergr@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Messenger\disordergr@hotmail.com\SharingMetadata\Working\database_9C98_C955_98C9_2E98\dfsr.db Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Messenger\disordergr@hotmail.com\SharingMetadata\Working\database_9C98_C955_98C9_2E98\fsr.log Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Messenger\disordergr@hotmail.com\SharingMetadata\Working\database_9C98_C955_98C9_2E98\tmp.edb Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows Live Contacts\Disordergr@HOTMAIL.COM\real\members.stg Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Windows Live Contacts\Disordergr@HOTMAIL.COM\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\vyn2ln1o.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\vyn2ln1o.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\vyn2ln1o.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\vyn2ln1o.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012008042120080428\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\_hphtra07.log Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF3943.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF3AF0.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF3EA9.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF4E04.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF8E7B.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temp\~DF8E9E.tmp Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet files\Content.IE5\HP5CMDUJ\kriv[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.qrh skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Admin\Local Settings\Temporary Internet files\Content.IE5\VLQHCY2N\idkfa[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.qrg skipped
C:\Documents and Settings\Admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP392\A0116434.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.plw skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP392\A0116435.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.plw skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP392\A0116437.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qof skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP392\A0116438.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmt skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP393\A0116660.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP394\A0118694.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0118752.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qgr skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0118767.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0118770.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pij skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0118771.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pij skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0118772.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pij skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0118773.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pij skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0118778.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpx skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0118799.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qoy skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0119869.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpb skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0119891.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qov skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0120948.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0120968.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qfq skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0120970.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpx skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0120971.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrg skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0120972.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0120973.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrh skipped
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mmf.sys Object is locked skipped
C:\WINDOWS\system32\pmnljihF.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pij skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\net.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.pko skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000001-00000000-00000006-00001102-00000008-10211102}.CDF Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
random/random
2008-04-28, 21:36
We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post the combofix log and a new HijackThis log as a reply to this topic.
sonja
2008-04-29, 10:30
Thanks for your help random/random! Here are the logs you asked for.

ComboFix 08-04-28.2 - Admin 2008-04-29 11:01:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1032.18.1451 [GMT 3:00]
Running from: C:\Documents and Settings\Admin\Επιφάνεια εργασίας\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gfxflmfc.ini
C:\WINDOWS\system32\gwfqxlfj.ini
C:\WINDOWS\system32\hjiestku.ini
C:\WINDOWS\system32\IjkUwyay.ini
C:\WINDOWS\system32\IjkUwyay.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\ntoaacor.ini
C:\WINDOWS\system32\rtggbdom.ini
C:\WINDOWS\system32\Tstuwyay.ini
C:\WINDOWS\system32\Tstuwyay.ini2
C:\WINDOWS\system32\ulyhibmu.ini
C:\WINDOWS\system32\whwapnie.ini
C:\WINDOWS\system32\xornkqfv.ini
C:\WINDOWS\system32\yvabxiic.dll
C:\WINDOWS\system32\YxwFffii.ini
C:\WINDOWS\system32\YxwFffii.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-28 11:51 . 2008-04-28 11:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-28 11:51 . 2008-04-28 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-20 17:25 . 2008-04-21 18:58 534 --ahs---- C:\WINDOWS\system32\ptjqukyr.ini
2008-04-20 12:57 . 2008-04-26 12:32 557 --a------ C:\WINDOWS\wininit.ini
2008-04-20 11:13 . 2008-04-20 11:12 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-20 11:13 . 2008-04-20 11:13 2,540 --a------ C:\WINDOWS\unins000.dat
2008-04-19 15:08 . 2008-04-19 15:08 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-04-19 15:08 . 2008-04-19 15:08 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\teamspeak2
2008-04-19 15:08 . 2008-04-19 15:08 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-04-19 10:35 . 2006-02-04 03:50 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-04-19 10:35 . 2006-02-04 03:50 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-04-19 10:18 . 2008-04-19 10:18 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\InstallShield
2008-04-19 10:00 . 2008-04-28 17:34 109,785 --a------ C:\WINDOWS\BM9bfa1dab.xml
2008-04-18 19:05 . 2008-04-18 19:05 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-18 13:43 . 2008-04-24 16:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-18 13:43 . 2008-04-18 13:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-18 10:07 . 2008-04-18 10:07 37,888 --a------ C:\WINDOWS\system32\pmnljihF.dll
2008-04-15 17:27 . 2008-04-15 17:28 <DIR> d-------- C:\Program Files\QuickTime
2008-04-09 11:30 . 2008-04-09 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-08 20:34 . 2002-08-12 16:20 27,264 --a------ C:\WINDOWS\system32\drivers\rndismpk.sys
2008-04-08 20:34 . 2002-08-12 16:20 11,136 --a------ C:\WINDOWS\system32\drivers\usb8023k.sys
2008-04-08 20:30 . 2008-04-09 10:42 0 --a------ C:\uk_o.bmp
2008-04-08 20:30 . 2008-04-09 10:42 0 --a------ C:\uk_c.bmp
2008-04-08 20:20 . 2005-08-16 15:33 108,336 -ra------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-04-08 20:20 . 2008-04-09 10:42 0 --a------ C:\save_o-g.jpg
2008-04-08 20:20 . 2008-04-09 10:42 0 --a------ C:\save_c-g.jpg
2008-04-08 20:20 . 2008-04-09 10:42 0 --a------ C:\home_o-g.jpg
2008-04-08 20:20 . 2008-04-09 10:42 0 --a------ C:\home_c-g.jpg
2008-04-08 20:20 . 2008-04-09 10:42 0 --a------ C:\exit_o-g.jpg
2008-04-08 20:20 . 2008-04-09 10:42 0 --a------ C:\exit_c-g.jpg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 10:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-26 09:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-26 09:38 --------- d-----w C:\Documents and Settings\Admin\Application Data\Lavasoft
2008-04-25 20:37 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-25 15:27 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-24 09:23 --------- d-----w C:\Program Files\Lineage II
2008-04-19 07:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 22:06 --------- d-----w C:\Program Files\2K Games
2008-04-15 14:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-09 08:33 --------- d-----w C:\Program Files\ESET
2008-04-08 14:22 --------- d-----w C:\Documents and Settings\Admin\Application Data\Bioshock
2008-03-20 08:06 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 12:58 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:50 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33 46,080 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EB16ED2-119A-447C-8906-2AB9ABFF3D26}]
C:\WINDOWS\system32\iiffFwxY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE5A1465-1E73-4784-8F63-45983FDF0DB8}]
2008-04-18 10:07 37888 --a------ C:\WINDOWS\system32\pmnljihF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE834282-513C-431D-84FA-1FE4F6D58E2D}]
C:\WINDOWS\system32\yaywutsT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6D4F52-724B-455F-AAE5-AD0B1D2962E0}]
C:\WINDOWS\system32\yaywUkjI.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-04 06:45 15360]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-04-20 11:07 385024]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"CTSysVol"="C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10 57344]
"RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25 49152]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25 49152]
"CTHelper"="CTHELPER.EXE" [2005-06-18 09:01 16384 C:\WINDOWS\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-09-08 15:28 7630848]
"nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2006-08-03 20:38 462848]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 15:51 94208]
"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 20:35 49152]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-09-08 15:28 86016]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-03-02 11:22 1115728]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"98c92e37"="C:\WINDOWS\system32\uktseijh.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-04 06:45 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EE5A1465-1E73-4784-8F63-45983FDF0DB8}"= C:\WINDOWS\system32\pmnljihF.dll [2008-04-18 10:07 37888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnljihF]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.fraunhoferacm"= l3codecp.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 6\\PES6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\AeriaGames\\ProjectTorque\\ProjectTorque.bin"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-12-17 15:41]
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2006-11-24 19:00]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys []
S3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys []
S3 RTCore32;RTCore32;C:\Program Files\RMClock\RTCore32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deaae7df-2312-11db-a1fb-001731bf46b1}]
\Shell\AutoRun\command - G:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 14:25:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-28 17:00:01 C:\WINDOWS\Tasks\HPpromotions journeysoftware.job"
- C:\Program Files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 11:16:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\pmnljihF.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-04-29 11:24:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 08:23:51

8 Κατάλογοι 11,933,011,968 διαθέσιμα byte
11 ‰˜«αΆ¦š¦ 24,295,706,624 › ˜Ÿβ© £˜ byte

194 --- E O F --- 2008-04-12 18:20:19


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:39 πμ, on 29/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Admin\Επιφάνεια εργασίας\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7EB16ED2-119A-447C-8906-2AB9ABFF3D26} - C:\WINDOWS\system32\iiffFwxY.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - C:\WINDOWS\system32\pmnljihF.dll
O2 - BHO: (no name) - {FE834282-513C-431D-84FA-1FE4F6D58E2D} - C:\WINDOWS\system32\yaywutsT.dll (file missing)
O2 - BHO: (no name) - {FF6D4F52-724B-455F-AAE5-AD0B1D2962E0} - C:\WINDOWS\system32\yaywUkjI.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [98c92e37] rundll32.exe "C:\WINDOWS\system32\uktseijh.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Γρήγορη εκκίνηση Adobe Reader .lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Γρήγορη εκκίνηση HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: pmnljihF - C:\WINDOWS\SYSTEM32\pmnljihF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9673 bytes
random/random
2008-04-29, 18:37
Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard

File::
C:\Documents and Settings\Admin\Local Settings\Temporary Internet files\Content.IE5\HP5CMDUJ\kriv[1]
C:\Documents and Settings\Admin\Local Settings\Temporary Internet files\Content.IE5\VLQHCY2N\idkfa[1]
C:\WINDOWS\system32\pmnljihF.dll
C:\WINDOWS\Temp\net.exe
C:\WINDOWS\system32\ptjqukyr.ini
C:\WINDOWS\BM9bfa1dab.xml
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EB16ED2-119A-447C-8906-2AB9ABFF3D26}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE5A1465-1E73-4784-8F63-45983FDF0DB8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE834282-513C-431D-84FA-1FE4F6D58E2D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6D4F52-724B-455F-AAE5-AD0B1D2962E0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"98c92e37"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EE5A1465-1E73-4784-8F63-45983FDF0DB8}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnljihF]

Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://images.malwareremoval.com/cfscript/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
sonja
2008-04-29, 19:06
ComboFix 08-04-28.2 - Admin 2008-04-29 19:47:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1032.18.1495 [GMT 3:00]
Running from: C:\Documents and Settings\Admin\Επιφάνεια εργασίας\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Επιφάνεια εργασίας\CFscript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Admin\Local Settings\Temporary Internet files\Content.IE5\HP5CMDUJ\kriv[1]
C:\Documents and Settings\Admin\Local Settings\Temporary Internet files\Content.IE5\VLQHCY2N\idkfa[1]
C:\WINDOWS\BM9bfa1dab.xml
C:\WINDOWS\system32\pmnljihF.dll
C:\WINDOWS\system32\ptjqukyr.ini
C:\WINDOWS\Temp\net.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM9bfa1dab.xml
C:\WINDOWS\system32\AyyGNXbc.ini
C:\WINDOWS\system32\AyyGNXbc.ini2
C:\WINDOWS\system32\cbXNGyyA.dll
C:\WINDOWS\system32\pmnljihF.dll
C:\WINDOWS\system32\ptjqukyr.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-28 11:51 . 2008-04-28 11:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-28 11:51 . 2008-04-28 11:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-20 12:57 . 2008-04-26 12:32 557 --a------ C:\WINDOWS\wininit.ini
2008-04-20 11:13 . 2008-04-20 11:12 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-20 11:13 . 2008-04-20 11:13 2,540 --a------ C:\WINDOWS\unins000.dat
2008-04-19 15:08 . 2008-04-19 15:08 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-04-19 15:08 . 2008-04-19 15:08 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\teamspeak2
2008-04-19 15:08 . 2008-04-19 15:08 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-04-19 10:35 . 2006-02-04 03:50 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-04-19 10:35 . 2006-02-04 03:50 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-04-19 10:18 . 2008-04-19 10:18 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\InstallShield
2008-04-18 19:05 . 2008-04-18 19:05 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-04-18 13:43 . 2008-04-24 16:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-18 13:43 . 2008-04-18 13:43 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-15 17:27 . 2008-04-15 17:28 <DIR> d-------- C:\Program Files\QuickTime
2008-04-09 11:30 . 2008-04-09 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-04-08 20:34 . 2002-08-12 16:20 27,264 --a------ C:\WINDOWS\system32\drivers\rndismpk.sys
2008-04-08 20:34 . 2002-08-12 16:20 11,136 --a------ C:\WINDOWS\system32\drivers\usb8023k.sys
2008-04-08 20:30 . 2008-04-09 10:42 0 --a------ C:\uk_o.bmp
2008-04-08 20:30 . 2008-04-09 10:42 0 --a------ C:\uk_c.bmp
2008-04-08 20:20 . 2005-08-16 15:33 108,336 -ra------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-04-08 20:20 . 2008-04-09 10:42 0 --a------ C:\save_o-g.jpg
2008-04-08 20:20 . 2008-04-09 10:42 0 --a------ C:\save_c-g.jpg
2008-04-08 20:20 . 2008-04-09 10:42 0 --a------ C:\home_o-g.jpg
2008-04-08 20:20 . 2008-04-09 10:42 0 --a------ C:\home_c-g.jpg
2008-04-08 20:20 . 2008-04-09 10:42 0 --a------ C:\exit_o-g.jpg
2008-04-08 20:20 . 2008-04-09 10:42 0 --a------ C:\exit_c-g.jpg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 10:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-26 09:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-26 09:38 --------- d-----w C:\Documents and Settings\Admin\Application Data\Lavasoft
2008-04-25 20:37 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-25 15:27 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-04-24 09:23 --------- d-----w C:\Program Files\Lineage II
2008-04-19 07:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 22:06 --------- d-----w C:\Program Files\2K Games
2008-04-15 14:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-09 08:33 --------- d-----w C:\Program Files\ESET
2008-04-08 14:22 --------- d-----w C:\Documents and Settings\Admin\Application Data\Bioshock
.

((((((((((((((((((((((((((((( snapshot@2008-04-29_11.23.13.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-29 08:15:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-29 16:55:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-04 06:45 15360]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-04-20 11:07 385024]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"CTSysVol"="C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10 57344]
"RCSystem"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25 49152]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 18:25 49152]
"CTHelper"="CTHELPER.EXE" [2005-06-18 09:01 16384 C:\WINDOWS\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-09-08 15:28 7630848]
"nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2006-08-03 20:38 462848]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GhostStartTrayApp"="C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe" [2003-12-17 15:51 94208]
"HPHUPD08"="C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 20:35 49152]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-09-08 15:28 86016]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-03-02 11:22 1115728]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-04 06:45 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.fraunhoferacm"= l3codecp.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 6\\PES6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\AeriaGames\\ProjectTorque\\ProjectTorque.bin"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R1 GhPciScan;GhostPciScanner;C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys [2003-12-17 15:41]
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2006-11-24 19:00]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys []
S3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys []
S3 RTCore32;RTCore32;C:\Program Files\RMClock\RTCore32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deaae7df-2312-11db-a1fb-001731bf46b1}]
\Shell\AutoRun\command - G:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 14:25:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-29 17:00:01 C:\WINDOWS\Tasks\HPpromotions journeysoftware.job"
- C:\Program Files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 19:56:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 2

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-04-29 20:02:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 17:02:24
ComboFix2.txt 2008-04-29 08:24:06

8 Κατάλογοι 24,434,368,512 διαθέσιμα byte
10 ‰˜«αΆ¦š¦ 24,420,802,560 › ˜Ÿβ© £˜ byte

173 --- E O F --- 2008-04-12 18:20:19


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:05 μμ, on 29/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Admin\Επιφάνεια εργασίας\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Γρήγορη εκκίνηση Adobe Reader .lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Γρήγορη εκκίνηση HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9125 bytes
random/random
2008-04-29, 19:37
Download GMER by GMER from here (http://gmer.net/gmer.zip)
Unzip it to a folder on your desktop
Double click on gmer.exe to launch GMER
If asked, allow the gmer.sys driver load
If it warns you about rootkit activity and asks if you want to run scan, click OK
If you don't get a warning then

Click the rootkit tab
Click Scan

Once the scan has finished, click copy
Paste the log into notepad using Ctrl+V
Save it to your desktop as gmerrk.txt
Click on the >>> tab
This will open up the rest of the tabs for you
Click on the Autostart tab
Click on Scan
Once the scan has finished, click copy
Paste the log into notepad using Ctrl+V
Save it to your desktop as gmerautos.txt
Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic
sonja
2008-04-30, 10:05
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-30 10:58:27
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwConnectPort [0xB5D580D2]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreateFile [0xB5D5A302]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreatePort [0xB5D5802C]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreateSection [0xB5D58AAE]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreateThread [0xB5D57D12]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwDeleteFile [0xB5D59CB0]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwDeleteKey [0xB5D58EC0]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwDeleteValueKey [0xB5D58DDA]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwOpenProcess [0xB5D58B94]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwOpenSection [0xB5D589E0]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwOpenThread [0xB5D58CB0]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwSetContextThread [0xB5D57BB4]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwSetInformationFile [0xB5D59DE0]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwSetValueKey [0xB5D5826A]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwShutdownSystem [0xB5D58FA0]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwTerminateProcess [0xB5D57F66]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwWriteFile [0xB5D5A14A]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwWriteFileGather [0xB5D59FB4]

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1764] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 4 Bytes [ C2, 04, 00, 00 ]
.text C:\Program Files\Comodo\Firewall\CPF.exe[2272] ntdll.dll!LdrLoadDll 7C9261CA 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Comodo\Firewall\CPF.exe[2272] ntdll.dll!LdrLoadDll + 4 7C9261CE 2 Bytes [ 05, 5F ]
.text C:\Program Files\Comodo\Firewall\CPF.exe[2272] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2340] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BA93B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BA93B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [BA93B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BA93B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BA93B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BA93B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BA93B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BA93B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BA93B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BA93B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BA93B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BA93B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BA93B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BA93B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BA93B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BA93B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA93B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA93B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BA93B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BA93B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BA93B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BA93B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BA93B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [BA93B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [BA93B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [BA93B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [BA93B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BA93B910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BA93B950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BA93B6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BA93B730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)

Device \Driver\USBSTOR \Device\0000009d 89DD1248

AttachedDevice \Driver\Tcpip \Device\Tcp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort1 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort2 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort3 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort4 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort5 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort6 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdePort7 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-17 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\USBSTOR \Device\000000a5 89DD1248

AttachedDevice \Driver\Tcpip \Device\Udp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Creative Tech\MixerName\PCI\VEN_1102&DEV_0008&SUBSYS_10211102@\x88\3\xbd\3Ä\3\xb1\3Ã\3\xb7\3 Volume
Reg HKLM\SYSTEM\CurrentControlSet\Control\Creative Tech\MixerName\PCI\VEN_1102&DEV_0008&SUBSYS_10211102@\xa3\3\x2015\3\xb3\3\xb1\3Ã\3\xb7\3 Mute
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xa0\3Á\3¿\3Ã\3\xb1\3Á\3¼\3¿\3\xb3\3\xad\3\xb1\3Â\3 \0\x384\3¹\3º\3Ä\3Í\3¿\3Å\3 \0001\0003\09\0004 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\x2018\3Ã\3Í\3\xb3\3Ç\3Á\3¿\3\xbd\3¿\3Â\3 \0À\3Á\3¿\3Ã\3\xb1\3Á\3¼\3¿\3\xb3\3\xad\3\xb1\3Â\3 \0R\0A\0S 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\x2018\3À\3µ\3Å\3¸\3µ\3\x2015\3\xb1\3Â\3 \0À\3\xb1\3Á\3\xac\3\xbb\3\xbb\3\xb7\3\xbb\3\xb7\3 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xa0\3\xb1\3º\3\xad\3Ä\3¿\3 \0Ç\3Á\3¿\3\xbd\3¿\3\x384\3¹\3\xb1\3\xb3\3Á\3\xac\3¼\3¼\3\xb1\3Ä\3¿\3Â\3 \0M\0i\0n\0i\0p\0o\0r\0t 1?2?3?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\¥À·ÁµÃ¯±
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\¥À·ÁµÃ¯± @EventMessageFile %SystemRoot%\System32\NTMSEVT.DLL
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\¥À·ÁµÃ¯± @TypesSupported 7
Reg HKLM\SYSTEM\ControlSet002\Control\Creative Tech\MixerName\PCI\VEN_1102&DEV_0008&SUBSYS_10211102@\x88\3\xbd\3Ä\3\xb1\3Ã\3\xb7\3 Volume
Reg HKLM\SYSTEM\ControlSet002\Control\Creative Tech\MixerName\PCI\VEN_1102&DEV_0008&SUBSYS_10211102@\xa3\3\x2015\3\xb3\3\xb1\3Ã\3\xb7\3 Mute
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xa0\3Á\3¿\3Ã\3\xb1\3Á\3¼\3¿\3\xb3\3\xad\3\xb1\3Â\3 \0\x384\3¹\3º\3Ä\3Í\3¿\3Å\3 \0001\0003\09\0004 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\x2018\3Ã\3Í\3\xb3\3Ç\3Á\3¿\3\xbd\3¿\3Â\3 \0À\3Á\3¿\3Ã\3\xb1\3Á\3¼\3¿\3\xb3\3\xad\3\xb1\3Â\3 \0R\0A\0S 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\x2018\3À\3µ\3Å\3¸\3µ\3\x2015\3\xb1\3Â\3 \0À\3\xb1\3Á\3\xac\3\xbb\3\xbb\3\xb7\3\xbb\3\xb7\3 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xa0\3\xb1\3º\3\xad\3Ä\3¿\3 \0Ç\3Á\3¿\3\xbd\3¿\3\x384\3¹\3\xb1\3\xb3\3Á\3\xac\3¼\3¼\3\xb1\3Ä\3¿\3Â\3 \0M\0i\0n\0i\0p\0o\0r\0t 1?2?3?
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\¥À·ÁµÃ¯±
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\¥À·ÁµÃ¯± @EventMessageFile %SystemRoot%\System32\NTMSEVT.DLL
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\¥À·ÁµÃ¯± @TypesSupported 7
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\xa0\3Á\3¿\3µ\3À\3¹\3\xbb\3µ\3\xb3\3¼\3\xad\3\xbd\3\xb1\3 \0W\0i\0n\0d\0o\0w\0s ",,,,,,,,,,,,,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\x9a\3¹\3\xbd\3¿\3Í\3¼\3µ\3\xbd\3\xb1\3 \0W\0i\0n\0d\0o\0w\0s "C:\WINDOWS\Cursors\rainbow.ani,,C:\WINDOWS\Cursors\appstart.ani,C:\WINDOWS\Cursors\hourglas.ani,C:\WINDOWS\Cursors\cross.cur,,,,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\x2020\3Ã\3À\3Á\3¿\3 \0003\0\x201d\3 "C:\WINDOWS\Cursors\3dwarro.cur,,C:\WINDOWS\Cursors\appstar3.ani,C:\WINDOWS\Cursors\hourgla3.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dwno.cur,C:\WINDOWS\Cursors\3dwns.cur,C:\WINDOWS\Cursors\3dwwe.cur,C:\WINDOWS\Cursors\3dwnwse.cur,C:\WINDOWS\Cursors\3dwnesw.cur,C:\WINDOWS\Cursors\3dwmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\xa7\3\xad\3Á\3¹\3\xb1\3 \0001 "C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\xa7\3\xad\3Á\3¹\3\xb1\3 \0002 "C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\x201d\3µ\3¹\3\xbd\3Ì\3Ã\3\xb1\3Å\3Á\3¿\3Â\3 "C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\dinosaur.ani,C:\WINDOWS\Cursors\dinosau2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\banana.ani,C:\WINDOWS\Cursors\3dsns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dsnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dsmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\xa0\3Á\3¿\3\xb7\3\xb3\3¿\3Í\3¼\3µ\3\xbd\3¿\3 \0¼\3¿\3\xbd\3Ä\3\xad\3\xbb\3¿\3 "C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\horse.ani,C:\WINDOWS\Cursors\barber.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\coin.ani,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\xa3\3Í\3\xbd\3¸\3µ\3Ã\3\xb7\3 "C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\drum.ani,C:\WINDOWS\Cursors\metronom.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\piano.ani,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\x9c\3µ\3\xb3\3\xad\3¸\3Å\3\xbd\3Ã\3\xb7\3 "C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\xa0\3\xb1\3Á\3\xb1\3\xbb\3\xbb\3\xb1\3\xb3\3\xad\3Â\3 "C:\WINDOWS\Cursors\fillitup.ani,,C:\WINDOWS\Cursors\raindrop.ani,C:\WINDOWS\Cursors\counter.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\wagtail.ani,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\x9c\3À\3Á\3¿\3Í\3Ä\3\xb6\3¹\3\xbd\3¿\3 \0003\0\x201d\3 "C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\appstar2.ani,C:\WINDOWS\Cursors\hourgla2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\3dgno.cur,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,"
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\x9c\3\xb1\3Í\3Á\3\xb1\3 \0W\0i\0n\0d\0o\0w\0s\0 C:\WINDOWS\cursors\arrow_r.cur,C:\WINDOWS\cursors\help_r.cur,C:\WINDOWS\cursors\wait_r.cur,C:\WINDOWS\cursors\busy_r.cur,C:\WINDOWS\cursors\cross_r.cur,C:\WINDOWS\cursors\beam_r.cur,C:\WINDOWS\cursors\pen_r.cur,C:\WINDOWS\cursors\no_r.cur,C:\WINDOWS\cursors\size4_r.cur,C:\WINDOWS\cursors\size3_r.cur,C:\WINDOWS\cursors\size2_r.cur,C:\WINDOWS\cursors\size1_r.cur,C:\WINDOWS\cursors\move_r.cur,C:\WINDOWS\cursors\up_r.cur
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\x9c\3\xb1\3Í\3Á\3\xb1\3 \0W\0i\0n\0d\0o\0w\0s\0 \0(\0¼\3µ\3\xb3\3\xac\3\xbb\3\xb1\3) C:\WINDOWS\cursors\arrow_rm.cur,C:\WINDOWS\cursors\help_rm.cur,C:\WINDOWS\cursors\wait_rm.cur,C:\WINDOWS\cursors\busy_rm.cur,C:\WINDOWS\cursors\cross_rm.cur,C:\WINDOWS\cursors\beam_rm.cur,C:\WINDOWS\cursors\pen_rm.cur,C:\WINDOWS\cursors\no_rm.cur,C:\WINDOWS\cursors\size4_rm.cur,C:\WINDOWS\cursors\size3_rm.cur,C:\WINDOWS\cursors\size2_rm.cur,C:\WINDOWS\cursors\size1_rm.cur,C:\WINDOWS\cursors\move_rm.cur,C:\WINDOWS\cursors\up_rm.cur
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\x9c\3\xb1\3Í\3Á\3\xb1\3 \0W\0i\0n\0d\0o\0w\0s\0 \0(\0À\3¿\3\xbb\3Í\3 \0¼\3µ\3\xb3\3\xac\3\xbb\3\xb1\3) C:\WINDOWS\cursors\arrow_rl.cur,C:\WINDOWS\cursors\help_rl.cur,C:\WINDOWS\cursors\wait_rl.cur,C:\WINDOWS\cursors\busy_rl.cur,C:\WINDOWS\cursors\cross_rl.cur,C:\WINDOWS\cursors\beam_rl.cur,C:\WINDOWS\cursors\pen_rl.cur,C:\WINDOWS\cursors\no_rl.cur,C:\WINDOWS\cursors\size4_rl.cur,C:\WINDOWS\cursors\size3_rl.cur,C:\WINDOWS\cursors\size2_rl.cur,C:\WINDOWS\cursors\size1_rl.cur,C:\WINDOWS\cursors\move_rl.cur,C:\WINDOWS\cursors\up_rl.cur
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\x2018\3\xbd\3Ä\3µ\3Ã\3Ä\3Á\3\xb1\3¼\3¼\3\xad\3\xbd\3\xb1\3 \0W\0i\0n\0d\0o\0w\0s C:\WINDOWS\cursors\arrow_i.cur,C:\WINDOWS\cursors\help_i.cur,C:\WINDOWS\cursors\wait_i.cur,C:\WINDOWS\cursors\busy_i.cur,C:\WINDOWS\cursors\cross_i.cur,C:\WINDOWS\cursors\beam_i.cur,C:\WINDOWS\cursors\pen_i.cur,C:\WINDOWS\cursors\no_i.cur,C:\WINDOWS\cursors\size4_i.cur,C:\WINDOWS\cursors\size3_i.cur,C:\WINDOWS\cursors\size2_i.cur,C:\WINDOWS\cursors\size1_i.cur,C:\WINDOWS\cursors\move_i.cur,C:\WINDOWS\cursors\up_i.cur
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\x2018\3\xbd\3Ä\3µ\3Ã\3Ä\3Á\3\xb1\3¼\3¼\3\xad\3\xbd\3\xb1\3 \0W\0i\0n\0d\0o\0w\0s\0 \0(\0¼\3µ\3\xb3\3\xac\3\xbb\3\xb1\3) C:\WINDOWS\cursors\arrow_im.cur,C:\WINDOWS\cursors\help_im.cur,C:\WINDOWS\cursors\wait_im.cur,C:\WINDOWS\cursors\busy_im.cur,C:\WINDOWS\cursors\cross_im.cur,C:\WINDOWS\cursors\beam_im.cur,C:\WINDOWS\cursors\pen_im.cur,C:\WINDOWS\cursors\no_im.cur,C:\WINDOWS\cursors\size4_im.cur,C:\WINDOWS\cursors\size3_im.cur,C:\WINDOWS\cursors\size2_im.cur,C:\WINDOWS\cursors\size1_im.cur,C:\WINDOWS\cursors\move_im.cur,C:\WINDOWS\cursors\up_im.cur
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\x2018\3\xbd\3Ä\3µ\3Ã\3Ä\3Á\3\xb1\3¼\3¼\3\xad\3\xbd\3\xb1\3 \0W\0i\0n\0d\0o\0w\0s\0 \0(\0À\3¿\3\xbb\3Í\3 \0¼\3µ\3\xb3\3\xac\3\xbb\3\xb1\3) C:\WINDOWS\cursors\arrow_il.cur,C:\WINDOWS\cursors\help_il.cur,C:\WINDOWS\cursors\wait_il.cur,C:\WINDOWS\cursors\busy_il.cur,C:\WINDOWS\cursors\cross_il.cur,C:\WINDOWS\cursors\beam_il.cur,C:\WINDOWS\cursors\pen_il.cur,C:\WINDOWS\cursors\no_il.cur,C:\WINDOWS\cursors\size4_il.cur,C:\WINDOWS\cursors\size3_il.cur,C:\WINDOWS\cursors\size2_il.cur,C:\WINDOWS\cursors\size1_il.cur,C:\WINDOWS\cursors\move_il.cur,C:\WINDOWS\cursors\up_il.cur
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\xa4\3Å\3À\3¹\3º\3\xac\3 \0W\0i\0n\0d\0o\0w\0s\0 \0(\0¼\3µ\3\xb3\3\xac\3\xbb\3\xb1\3) C:\WINDOWS\cursors\arrow_m.cur,C:\WINDOWS\cursors\help_m.cur,C:\WINDOWS\cursors\wait_m.cur,C:\WINDOWS\cursors\busy_m.cur,C:\WINDOWS\cursors\cross_m.cur,C:\WINDOWS\cursors\beam_m.cur,C:\WINDOWS\cursors\pen_m.cur,C:\WINDOWS\cursors\no_m.cur,C:\WINDOWS\cursors\size4_m.cur,C:\WINDOWS\cursors\size3_m.cur,C:\WINDOWS\cursors\size2_m.cur,C:\WINDOWS\cursors\size1_m.cur,C:\WINDOWS\cursors\move_m.cur,C:\WINDOWS\cursors\up_m.cur
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes@\xa4\3Å\3À\3¹\3º\3\xac\3 \0W\0i\0n\0d\0o\0w\0s\0 \0(\0À\3¿\3\xbb\3Í\3 \0¼\3µ\3\xb3\3\xac\3\xbb\3\xb1\3) C:\WINDOWS\cursors\arrow_l.cur,C:\WINDOWS\cursors\help_l.cur,C:\WINDOWS\cursors\wait_l.cur,C:\WINDOWS\cursors\busy_l.cur,C:\WINDOWS\cursors\cross_l.cur,C:\WINDOWS\cursors\beam_l.cur,C:\WINDOWS\cursors\pen_l.cur,C:\WINDOWS\cursors\no_l.cur,C:\WINDOWS\cursors\size4_l.cur,C:\WINDOWS\cursors\size3_l.cur,C:\WINDOWS\cursors\size2_l.cur,C:\WINDOWS\cursors\size1_l.cur,C:\WINDOWS\cursors\move_l.cur,C:\WINDOWS\cursors\up_l.cur
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\š±Ä¬Á³·Ã·
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\š±Ä¬Á³·Ã· @ {67cf8cbd-e5c0-44f7-9de5-e1d599d626d8}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\š±Ä¬Á³·Ã· @Description ???? ?? ?????? ????? ??????????, ??? ?????? ?? ??????????? ??? ??????????? ????? ??? ??????? ??? Windows ??? ?? ??????????? ??? ??????????? ??????????? ??? ???????.
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\š±Ä¬Á³·Ã· @Display ????????? ????????? ??? ??????????? ??????????? ???????
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\š±Ä¬Á³·Ã· @IconPath %SystemRoot%\system32\osuninst.EXE,0
Reg HKLM\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\†½¿¹³¼±
Reg HKLM\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\†½¿¹³¼± \command
Reg HKLM\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\†½¿¹³¼± \command@ C:\Program Files\CCleaner\ccleaner.exe
Reg HKLM\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\ˆ½±Á¾·
Reg HKLM\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\ˆ½±Á¾· \command
Reg HKLM\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\ˆ½±Á¾· \command@ C:\Program Files\CCleaner\ccleaner.exe /AUTO
Reg HKLM\SOFTWARE\Classes\£Å½¿´µÅĹº®
Reg HKLM\SOFTWARE\Classes\£Å½¿´µÅĹº® @ ?????? ???????????? ??????? ???
Reg HKLM\SOFTWARE\Classes\£Å½¿´µÅĹº® @FriendlyTypeName @%systemroot%\system32\fxscover.exe,-2523
Reg HKLM\SOFTWARE\Classes\£Å½¿´µÅĹº® \DefaultIcon
Reg HKLM\SOFTWARE\Classes\£Å½¿´µÅĹº® \DefaultIcon@ %systemroot%\system32\fxscover.exe,-3
Reg HKLM\SOFTWARE\Classes\£Å½¿´µÅĹº® \Shell
Reg HKLM\SOFTWARE\Classes\£Å½¿´µÅĹº® \Shell\Open
Reg HKLM\SOFTWARE\Classes\£Å½¿´µÅĹº® \Shell\Open\Command
Reg HKLM\SOFTWARE\Classes\£Å½¿´µÅĹº® \Shell\Open\Command@ %systemroot%\system32\fxscover.exe "%1"
Reg HKLM\SOFTWARE\Classes\£Å½¿´µÅĹº® \Shell\Print
Reg HKLM\SOFTWARE\Classes\£Å½¿´µÅĹº® \Shell\Print\Command
Reg HKLM\SOFTWARE\Classes\£Å½¿´µÅĹº® \Shell\Print\Command@ %systemroot%\system32\fxscover.exe /p "%1"
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\£Å½´*õ¹Â
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\£Å½´*õ¹Â@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Electronic Arts\£Å½Ä̼µÅ÷
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Microsoft Office\•Á³±»µ¯±
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Microsoft Office\•Á³±»µ¯± @Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’¿·¸®¼±Ä±
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’¿·¸®¼±Ä±@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’¿·¸®¼±Ä±\“¹±
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’¿·¸®¼±Ä±\“¹± @Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’¿·¸®¼±Ä±\”¹±Ãº*´±Ã·
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’¿·¸®¼±Ä±\”¹±Ãº*´±Ã·@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’¿·¸®¼±Ä±\•À¹º¿¹½É½¯µÂ
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’¿·¸®¼±Ä±\•À¹º¿¹½É½¯µÂ@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’¿·¸®¼±Ä±\•Á³±»µ¯±
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\’¿·¸®¼±Ä±\•Á³±»µ¯± @Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\•ºº¯½·Ã·
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\•ºº¯½·Ã·@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\•Æ±Á¼¿³*Â
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\•Æ±Á¼¿³* @Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ ±¹Ç½¯´¹±
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\ ±¹Ç½¯´¹±@Order 0x08 0x00 0x00 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\£Å½Ä̼µÅ÷
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups@\xa0\3\xb1\3¹\3Ç\3\xbd\3\x2015\3\x384\3¹\3\xb1\3 ?????????\?????????

---- EOF - GMER 1.0.14 ----
sonja
2008-04-30, 10:06
GMER 1.0.14.14205 - http://www.gmer.net
Autostart scan 2008-04-30 11:01:16
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
CmdAgent@ = C:\Program Files\Comodo\Firewall\cmdagent.exe
Creative Service for CDROM Access@ = C:\WINDOWS\system32\CTsvcCDA.EXE
ekrn@ = "C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"
Fax@ = %systemroot%\system32\fxssvc.exe
GhostStartService@ = C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
LicCtrlService@ = C:\WINDOWS\runservice.exe
MDM@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
NVSvc@ = %SystemRoot%\system32\nvsvc32.exe
Pml Driver HPZ12@ = C:\WINDOWS\system32\HPZipm12.exe
sfrem01@ = %SystemRoot%\system32\sfrem01.exe svc
SLService@ = slserv.exe
UMWdf@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@JMB36X ConfigureC:\WINDOWS\system32\JMRaidTool.exe boot = C:\WINDOWS\system32\JMRaidTool.exe boot
@CTDVDDET"C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" = "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
@CTSysVolC:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r /*file not found*/ = C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r /*file not found*/
@RCSystem"C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup = "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
@AudioDrvEmulator"C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" = "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
@CTHelperCTHELPER.EXE = CTHELPER.EXE
@UpdRegC:\WINDOWS\UpdReg.EXE = C:\WINDOWS\UpdReg.EXE
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@nwiznwiz.exe /install = nwiz.exe /install
@AnyDVDC:\Program Files\SlySoft\AnyDVD\AnyDVD.exe = C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@GhostStartTrayAppC:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe = C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
@HPHUPD08C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe = C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
@HP Software UpdateC:\Program Files\HP\HP Software Update\HPWuSchd2.exe = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
@COMODO Firewall Pro"C:\Program Files\Comodo\Firewall\CPF.exe" /background = "C:\Program Files\Comodo\Firewall\CPF.exe" /background
@SunJavaUpdateSched"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" = "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
@egui"C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice = "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
@QuickTime Task"C:\Program Files\QuickTime\QTTask.exe" -atboottime = "C:\Program Files\QuickTime\QTTask.exe" -atboottime

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@Creative DetectorC:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R /*file not found*/ = C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R /*file not found*/
@MsnMsgr"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*ÐñïâïëÞ åðÝêôáóçò êßíçóçò CPL*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Óåëßäá éäéïôÞôùí ðñïçãïýìåíùí åêäüóåùí*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Ðñïçãïýìåíåò åêäüóåéò*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*ÖÜêåëïé Web*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{57C51AF9-DEF7-11D3-A801-00C04F163490} /*Ghost Shell Extension*/C:\Program Files\Symantec\Norton Ghost 2003\GhoShExt.dll = C:\Program Files\Symantec\Norton Ghost 2003\GhoShExt.dll
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/(null) =
@{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE} /*eLicense Control*/C:\WINDOWS\lcmmfu.cpl = C:\WINDOWS\lcmmfu.cpl
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll = C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B089FE88-FB52-11D3-BDF1-0050DA34150D} /*Eset Smart Security - Context Menu Shell Extension*/C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll = C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Eset Smart Security - Context Menu Shell Extension@{B089FE88-FB52-11D3-BDF1-0050DA34150D} = C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Eset Smart Security - Context Menu Shell Extension@{B089FE88-FB52-11D3-BDF1-0050DA34150D} = C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{02478D38-C3F9-4EFB-9B51-7695ECA05670}C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll = C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.gr/ = http://www.google.gr/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

C:\Documents and Settings\Admin\Start Menu\ÐñïãñÜììáôá\Åêêßíçóç = Adobe Gamma.lnk

C:\Documents and Settings\All Users\Start Menu\ÐñïãñÜììáôá\Åêêßíçóç >>>
HP Digital Imaging Monitor.lnk = HP Digital Imaging Monitor.lnk
ÃñÞãïñç åêêßíçóç Adobe Reader .lnk = ÃñÞãïñç åêêßíçóç Adobe Reader .lnk
ÃñÞãïñç åêêßíçóç HP Image Zone.lnk = ÃñÞãïñç åêêßíçóç HP Image Zone.lnk

---- EOF - GMER 1.0.14 ----
random/random
2008-04-30, 20:07
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post back with the Malwarebytes' Anti-Malware log, a new HijackThis log & a description of any remaining problems.
sonja
2008-05-01, 14:53
Malwarebytes' Anti-Malware 1.11
Database version: 704

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 132821
Time elapsed: 1 hour(s), 8 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\cbXNGyyA.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0120948.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP395\A0120968.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{89C441E5-AEF6-4DDB-8E9F-EEFB5065C81B}\RP398\A0121402.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:35 μμ, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Επιφάνεια εργασίας\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Γρήγορη εκκίνηση Adobe Reader .lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Γρήγορη εκκίνηση HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9135 bytes



I think the PC performs great at the moment, i have absolutely no problem! Thank you very much random/random!!! What should be done with the programs i downloaded? Shall i delete them somehow?
random/random
2008-05-01, 18:47
I suggest you keep Malwarebytes' anti-malware and delete GMER

This will uninstall combofix;


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints (http://www.malwarecomplaints.info/index.php), you need to be registered to post as unfortunately we were hit with too many spam posting to allow guest posting to continue just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.Restart
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.
Note: only do this once, and not on a regular basis
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall (http://www.personalfirewall.comodo.com/)or Online armor (http://www.tallemu.com/online_armor_free.html)
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch for it to that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC
Go here (http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx) to check for & install updates to Microsoft applications
Note: The update process uses activex, so you will need to use internet explorer for it, and allow the activex control that it wants to install
Keep your non-Microsoft applications updated as well
Microsoft isn't the only company whose products can contain security vulnerabilities, to check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) - I suggest that you run it at least once a month
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
Install SpywareBlaster & make sure to update it regularly
SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster from here (http://www.javacoolsoftware.com/sbdownload.html)
Install and use Spybot Search & Destroy
Instructions are located here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Make sure you update, reimmunize & scan regularly
Make use of the HOSTS file included with Spybot Search & Destroy
Every version of windows includes a hosts file as part of them. A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
Spybot Search & Destroy has a good HOSTS file built in, to enable the HOSTS file in Spybot Search & Destroy
Run Spybot Search & Destroy
Click on Mode, and then place a tick next to Advanced mode
Click Yes
In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
Click on Add Spybot-S&D hosts listNote: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue
Click Start > Run Type services.msc & click OK
In the list, find the service called DNS Client & double click on it. On the dropdown box, change the setting from automatic to manual. Click OK & then close the Services windowFor a more detailed explanation of the HOSTS file, click here (http://forum.malwareremoval.com/viewtopic.php?t=22187)
Install a-squared Free & update and scan with it regularly
a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here (http://www.emsisoft.com/en/software/free/)
Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer (http://www.emsisoft.com/en/software/antidialer/) which provides some real time protection against premium rate dialers
Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date