Help with Virtumonde
Hello,
Help is needed as I have some problems, most probably with Virtumonde.
I have read many posts from other users and I have understood what is required regarding "before you post".
Please find the HJT logfile below.
Thanks in advance.
George
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:39 πμ, on 30/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1AF2BA96-0945-41F5-B972-C195BCEECF68} - C:\WINDOWS\system32\iifExvSj.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: banners4u browser enhancer - {2CFDC918-3E2E-5D11-A5C5-0B1E109C34B4} - C:\WINDOWS\system32\ugommqauuacvcar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {73259091-9574-4ED8-A40F-7F65AFC28634} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Mirar - {A29D4819-55B6-43E3-B812-AD5BC6204ACA} - C:\WINDOWS\system32\winka77.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Mirar - {A29D4818-55B6-43E3-B812-AD5BC6204ACA} - C:\WINDOWS\system32\winka77.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [egui] "egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [U1_USB] C:\Program Files\ASUS\AiGuru U1\AiGuru_U1usb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [hvsdtmbiwqbkgf] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ugommqauuacvcar.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [U1_utility] C:\Program Files\Asus\AiGuru U1\AiGuru_U1.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Giorgos\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4093577836-3323494507-3181222788-500\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-4093577836-3323494507-3181222788-500\..\RunOnce: [SpybotDeletingB6503] command /c del "C:\WINDOWS\system32\iifExvSj.dll_old" (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ID_Γρήγορη_εκκίνηση_πινακοθήκης_HP_ell.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SuperHybridEngine.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Αποστολή σε Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Αποστολή στη συσκευή &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Προσθήκη στο ιστολόγιο - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Προσθήκη στο ιστολόγιο στο Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Δημιουργία Αγαπημένου κινητής συσκευής... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223072069541
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: ssqPgHbb - ssqPgHbb.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Διαχείριση του Google Desktop 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 10559 bytes
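A log like the one above is usually read by eye, but the first-pass indicators a helper looks for can be checked mechanically. The following Python script is an added example and is not part of the original thread, of HijackThis or of the forum's tools; it applies a few triage heuristics (entries whose registered file is missing, Run keys that register a DLL through regsvr32 /s, the Mirar and banners4u names that appear in this log, eight-letter mixed-case DLL names of the kind seen here, and Run entries launched from a user's Application Data folder) to a constructed SAMPLE_LOG made of lines copied from the log above plus two benign control lines. The heuristics, their thresholds and the SAMPLE_LOG constant are assumptions for illustration: a hit is a reason to look closer, not proof of infection, and a legitimate mixed-case component such as Spybot's SDHelper.dll is deliberately not matched.

```python
import re
from typing import List, Tuple

# Constructed sample: entries copied from the HijackThis log posted in this thread,
# plus one benign Adobe BHO and one benign Intel Run entry as controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1AF2BA96-0945-41F5-B972-C195BCEECF68} - C:\WINDOWS\system32\iifExvSj.dll (file missing)
O2 - BHO: banners4u browser enhancer - {2CFDC918-3E2E-5D11-A5C5-0B1E109C34B4} - C:\WINDOWS\system32\ugommqauuacvcar.dll
O2 - BHO: (no name) - {73259091-9574-4ED8-A40F-7F65AFC28634} - (no file)
O2 - BHO: Mirar - {A29D4819-55B6-43E3-B812-AD5BC6204ACA} - C:\WINDOWS\system32\winka77.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hvsdtmbiwqbkgf] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ugommqauuacvcar.dll"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Giorgos\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O20 - Winlogon Notify: ssqPgHbb - ssqPgHbb.dll (file missing)
"""

# Adware/BHO names that appear in this thread's log (assumption: a helper would extend
# this tuple with whatever families they recognise).
KNOWN_ADWARE_NAMES = ("mirar", "banners4u")

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")      # "O2 - ..." / "R1 - ..." lines
DLL_STEM_RE = re.compile(r"([A-Za-z]+)\.dll\b")         # letters directly before ".dll"
REGSVR_RE = re.compile(r"regsvr32\.exe\s+/s\b", re.I)   # silent DLL registration
APPDATA_RE = re.compile(r"\\Application Data\\", re.I)  # launched from a user profile


def looks_random_dll(stem: str) -> bool:
    """Heuristic for the DLL naming seen in this log (iifExvSj, ssqPgHbb): exactly
    eight letters, lowercase first letter, at least one capital later on.  Real
    components such as SDHelper.dll start with a capital and are not matched."""
    return len(stem) == 8 and stem[0].islower() and any(c.isupper() for c in stem[1:])


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why one HJT entry deserves a closer look."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    reasons: List[str] = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: registered component has no file on disk")
    if kind == "O4" and REGSVR_RE.search(body):
        reasons.append("Run key registers a DLL at logon via regsvr32 /s")
    if kind == "O4" and APPDATA_RE.search(body):
        reasons.append("Run key launches a program from a user profile's Application Data")
    lowered = body.lower()
    for name in KNOWN_ADWARE_NAMES:
        if name in lowered:
            reasons.append(f"name matches known adware component '{name}'")
    for stem in DLL_STEM_RE.findall(body):
        if looks_random_dll(stem):
            reasons.append(f"random-looking DLL name '{stem}.dll'")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log; returns (entry, reasons) for each flagged entry."""
    hits = []
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry)
        for r in reasons:
            print("    ->", r)
```

On the sample, seven of the nine entries are flagged and the two controls (the Adobe BHO and the Intel IgfxTray Run key) pass clean; the two Virtumonde-style DLLs each trip two heuristics (missing file plus random-looking name), which is the combination a helper would treat as the strongest signal.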
pskelley
2008-12-02, 13:44
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions; anything else will slow the process and waste both our time. I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
George, please post all logs in Normal Startup Mode unless I request otherwise.
1) Post an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
2) Make sure TeaTimer is disabled:
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks...Phil
Hi Phil,
Thanks, your support is highly appreciated.
ComboFix 08-12-01.03 - Giorgos 2008-12-02 22:36:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1253.1.1032.18.466 [GMT 2:00]
Running from: c:\documents and settings\Giorgos\Επιφάνεια εργασίας\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Giorgos\Application Data\IUpd721
c:\documents and settings\Giorgos\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\Giorgos\Application Data\NI.GSCNS
c:\documents and settings\Giorgos\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Giorgos\Application Data\NI.GSCNS\settings.ini
c:\windows\system32\dPI19
c:\windows\system32\prunnet.exe
c:\windows\system32\yomfdwoy.dll
.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.
2008-11-28 11:34 . 2008-11-28 11:34 <DIR> d-------- c:\program files\Trend Micro
2008-11-28 10:33 . 2008-11-28 10:33 95 --a------ c:\windows\wininit.ini
2008-11-28 10:00 . 2008-11-28 10:04 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-28 10:00 . 2008-11-28 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 09:07 . 2008-07-21 16:50 <DIR> d-------- c:\documents and settings\Administrator\Bluetooth Software
2008-11-28 09:07 . 2008-07-22 09:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Skype
2008-11-28 09:07 . 2008-07-21 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-11-28 09:07 . 2008-11-28 11:34 <DIR> d-------- c:\documents and settings\Administrator\Επιφάνεια εργασίας
2008-11-28 09:07 . 2008-07-22 14:47 <DIR> dr------- c:\documents and settings\Administrator\Τα έγγραφά μου
2008-11-28 09:06 . 2008-11-28 10:37 <DIR> d-------- c:\documents and settings\Administrator
2008-11-27 17:14 . 2008-11-27 17:14 38,400 --a------ c:\windows\system32\pmnnNhfg.dll
2008-11-27 17:14 . 2008-11-27 17:14 32,768 --a------ c:\windows\system32\fccaXQhh.dll
2008-11-27 16:59 . 2008-11-21 20:15 401,408 --a------ c:\windows\system32\winka77.dll
2008-11-27 16:59 . 2008-11-27 16:59 38,400 --a------ c:\windows\system32\opnOGyVN.dll
2008-11-27 16:58 . 2008-11-27 16:58 32,768 --a------ c:\windows\system32\nnnooLFx.dll
2008-11-27 16:44 . 2008-11-27 16:44 47,598 --a------ c:\windows\system32\xlgnneomgdgbb.exe
2008-11-27 16:43 . 2008-11-27 16:43 <DIR> d-------- c:\windows\system32\ve
2008-11-27 16:43 . 2008-11-27 16:43 <DIR> d-------- c:\windows\system32\SN3
2008-11-27 16:43 . 2008-11-27 16:43 <DIR> d-------- c:\windows\system32\log2
2008-11-27 16:43 . 2008-11-27 16:44 <DIR> d-------- c:\windows\system32\I2V
2008-11-27 16:43 . 2008-11-27 16:43 <DIR> d-------- c:\temp\FT62
2008-11-27 16:42 . 2008-11-27 16:42 369,972 --a------ c:\temp\dAW8U7.exe
2008-11-27 16:42 . 2008-11-27 16:42 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-27 16:25 . 2008-11-27 16:25 <DIR> d-------- c:\windows\Sun
2008-11-24 18:44 . 2008-11-24 18:44 367,616 --a------ c:\windows\system32\ugommqauuacvcar.dll
2008-11-16 07:13 . 2008-11-16 07:13 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-11-16 07:13 . 2008-11-16 07:13 <DIR> d-------- c:\program files\Common Files\Nokia
2008-11-12 19:48 . 2008-10-24 13:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-08 18:14 . 2008-11-12 08:06 <DIR> d-------- c:\documents and settings\Elina\Application Data\skypePM
2008-11-04 19:15 . 2008-11-04 19:15 <DIR> d-------- c:\program files\winpwn-2.5
2008-11-03 03:40 . 2008-11-03 03:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-11-02 22:46 . 2008-11-08 17:38 <DIR> d-------- c:\documents and settings\Elina\Application Data\Nokia
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-02 20:44 --------- d-----w c:\documents and settings\Giorgos\Application Data\skypePM
2008-12-02 20:44 --------- d-----w c:\documents and settings\Giorgos\Application Data\Skype
2008-12-02 20:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 20:30 --------- d-----w c:\program files\Spyware Doctor
2008-12-02 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-16 05:13 --------- d-----w c:\program files\Nokia
2008-11-16 04:52 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2008-11-12 20:25 --------- d-----w c:\program files\Java
2008-11-12 11:49 --------- d-----w c:\documents and settings\Elina\Application Data\Skype
2008-11-03 19:41 --------- d-----w c:\documents and settings\Elina\Application Data\PC Suite
2008-11-03 19:40 --------- d-----w c:\documents and settings\All Users\Application Data\PC Suite
2008-11-01 13:21 --------- d-----w c:\documents and settings\Elina\Application Data\HP
2008-10-26 18:07 --------- d-----w c:\program files\Common Files\PC Tools
2008-10-26 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2008-10-26 18:06 160,792 ----a-w c:\windows\system32\drivers\pctfw2.sys
2008-10-26 17:49 --------- d-----w c:\documents and settings\Giorgos\Application Data\PC Tools
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 07:48 --------- d-----w c:\program files\MSXML 4.0
2008-10-22 22:11 --------- d-----w c:\documents and settings\Giorgos\Application Data\HP
2008-10-22 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-10-22 21:55 --------- d-----w c:\program files\HP
2008-10-22 21:52 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-10-22 21:52 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2008-10-22 21:51 --------- d-----w c:\program files\Common Files\HP
2008-10-22 21:48 --------- d-----w c:\program files\Hewlett-Packard
2008-10-22 21:47 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-10-22 20:55 --------- d-----w c:\program files\Google
2008-10-22 09:42 --------- d-----w c:\program files\belenus
2008-10-22 09:42 --------- d-----w c:\program files\Alfred Kaercher
2008-10-17 17:44 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-09 22:54 --------- d-----w c:\documents and settings\Giorgos\Application Data\Apple Computer
2008-10-09 17:21 --------- d-----w c:\documents and settings\Giorgos\Application Data\Nokia
2008-10-09 17:20 --------- d-----w c:\documents and settings\Giorgos\Application Data\PC Suite
2008-10-09 17:19 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-09 17:19 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-10-09 17:13 --------- d-----w c:\program files\PC Connectivity Solution
2008-10-09 17:13 --------- d-----w c:\program files\DIFX
2008-10-09 11:40 894 ----a-w c:\documents and settings\Giorgos\Application Data\wklnhst.dat
2008-10-09 09:43 --------- d-----w c:\documents and settings\Giorgos\Application Data\Template
2008-10-08 20:34 --------- d-----w c:\program files\Microsoft Works
2008-10-08 20:34 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-06 20:22 --------- d-----w c:\program files\Proofing Tools
2008-10-06 20:11 --------- d-----w c:\program files\Common Files\L&H
2008-10-06 19:45 --------- d-----w c:\program files\Microsoft.NET
2008-10-06 00:32 --------- d-----w c:\program files\iTunes
2008-10-06 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 00:31 --------- d-----w c:\program files\QuickTime
2008-10-06 00:31 --------- d-----w c:\program files\iPod
2008-10-06 00:31 --------- d-----w c:\program files\Common Files\Apple
2008-10-06 00:31 --------- d-----w c:\program files\Bonjour
2008-10-06 00:31 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-06 00:30 --------- d-----w c:\program files\Apple Software Update
2008-10-06 00:30 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-06 00:12 --------- d-----w c:\documents and settings\Giorgos\Application Data\vlc
2008-10-05 23:20 --------- d-----w c:\program files\VideoLAN
2008-10-05 01:07 --------- d-----w c:\program files\Windows Live
2008-10-04 20:11 --------- d-----w c:\documents and settings\Giorgos\Application Data\InterVideo
2008-10-04 19:25 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-10-03 19:37 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-03 19:37 --------- d-----w c:\program files\Asus
2008-10-03 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\ECAP
2008-09-30 14:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 15:25 1,846,656 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:16 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-05-07 13:34 15,523,560 ----a-w c:\program files\U1 Setup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CFDC918-3E2E-5D11-A5C5-0B1E109C34B4}]
2008-11-24 18:44 367616 --a------ c:\windows\system32\ugommqauuacvcar.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A29D4818-55B6-43E3-B812-AD5BC6204ACA}"= "c:\windows\system32\winka77.dll" [2008-11-21 401408]
[HKEY_CLASSES_ROOT\clsid\{a29d4818-55b6-43e3-b812-ad5bc6204aca}]
[HKEY_CLASSES_ROOT\TypeLib\{88FFCE85-80B5-402C-A493-8458913E8D2C}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"U1_utility"="c:\program files\Asus\AiGuru U1\AiGuru_U1.exe" [2008-04-25 557056]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-06-03 98304]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-06-03 479232]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"U1_USB"="c:\program files\ASUS\AiGuru U1\AiGuru_U1usb.exe" [2008-04-25 200704]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-16 30192]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"hvsdtmbiwqbkgf"="c:\windows\system32\ugommqauuacvcar.dll" [2008-11-24 367616]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 c:\windows\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
c:\documents and settings\All Users\Start Menu\¨¦¨α££«\΅΅ε€©\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-04-14 596584]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
ID_Γρήγορη_εκκίνηση_πινακοθήκης_HP_ell.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-07-21 303104]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 pctfw2;pctfw2;\??\c:\windows\system32\drivers\pctfw2.sys [2008-10-26 160792]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\DRIVERS\ASUSACPI.sys [2008-07-21 11264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1e51x86.sys [2008-05-17 36864]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\DRIVERS\RT2860.sys [2008-07-21 625024]
S3 GoogleDesktopManager-092308-165331;Διαχείριση του Google Desktop 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-16 30192]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-10-26 356920]
.
Contents of the 'Scheduled Tasks' folder
2008-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{1AF2BA96-0945-41F5-B972-C195BCEECF68} - c:\windows\system32\iifExvSj.dll
HKLM-Run-egui - egui.exe
Notify-ssqPgHbb - ssqPgHbb.dll
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 22:43:08
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(784)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\regsvr32.exe
c:\program files\Internet Explorer\iexplore.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
c:\program files\Common Files\Nokia\MPAPI\MPAPI3s.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2008-12-02 22:46:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 20:46:35
Pre-Run: 12 directories, 63,487,275,008 bytes free
Post-Run: 12 directories, 64,182,829,056 bytes free
258 --- E O F --- 2008-11-12 19:41:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:10 PM, on 2/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: banners4u browser enhancer - {2CFDC918-3E2E-5D11-A5C5-0B1E109C34B4} - C:\WINDOWS\system32\ugommqauuacvcar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [U1_USB] C:\Program Files\ASUS\AiGuru U1\AiGuru_U1usb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [hvsdtmbiwqbkgf] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ugommqauuacvcar.dll"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [U1_utility] C:\Program Files\Asus\AiGuru U1\AiGuru_U1.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ID_Γρήγορη_εκκίνηση_πινακοθήκης_HP_ell.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SuperHybridEngine.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Send to &Bluetooth device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223072069541
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 11182 bytes
thanks George
pskelley
2008-12-03, 00:06
Thanks for returning your information.
George, please read and follow these directions carefully. The first instruction I posted was a request for an uninstall list, and I do not see it.
I am wondering why you did not install the Recovery Console when prompted? I will provide another chance to do so later.
Read and follow all directions carefully and in the numbered order.
1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
2) Open notepad and copy/paste the text in the codebox below into it:
File::
C:\WINDOWS\system32\ugommqauuacvcar.dll
C:\windows\system32\pmnnNhfg.dll
c:\windows\system32\fccaXQhh.dll
c:\windows\system32\winka77.dll
c:\windows\system32\opnOGyVN.dll
c:\windows\system32\nnnooLFx.dll
c:\windows\system32\xlgnneomgdgbb.exe
c:\temp\dAW8U7.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CFDC918-3E2E-5D11-A5C5-0B1E109C34B4}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A29D4818-55B6-43E3-B812-AD5BC6204ACA}"=-
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (Wait until you finish all the steps to post the logs.)
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(some items may be gone, removed by CFScript)
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: banners4u browser enhancer - {2CFDC918-3E2E-5D11-A5C5-0B1E109C34B4} - C:\WINDOWS\system32\ugommqauuacvcar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [hvsdtmbiwqbkgf] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ugommqauuacvcar.dll"
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html
How is the computer running now?
Thanks
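As an added example that is not part of this thread, nor of HijackThis or ComboFix: a small Python script that applies the triage pskelley did by hand to the HJT log above and writes the findings in the CFScript layout he posted (a File:: section, a Registry:: section, [-KEY] to delete a whole key, "name"=- to delete a single value). The sample lines are copied from the log above plus one constructed O20 line for the ssqPgHbb Notify DLL that ComboFix listed as an orphan. The three heuristics (a Run entry that loads a system32 DLL through regsvr32 /s, a BHO whose file is missing, and 8-letter mixed-case DLL names under system32 like the Vundo names in this log) are this example's own assumptions, not rules from either tool, and the name heuristic needs a known-good list in front of it before use on another machine.

```python
"""Triage HijackThis log lines for Virtumonde/Vundo-style indicators and
render a ComboFix CFScript from the findings.

Added example, not part of the thread or of HijackThis/ComboFix. The
detection heuristics are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HJT log above, plus one O20 line
# built from the "Notify-ssqPgHbb" orphan in the ComboFix log (assumption).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: banners4u browser enhancer - {2CFDC918-3E2E-5D11-A5C5-0B1E109C34B4} - C:\WINDOWS\system32\ugommqauuacvcar.dll
O2 - BHO: (no name) - {1AF2BA96-0945-41F5-B972-C195BCEECF68} - C:\WINDOWS\system32\iifExvSj.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hvsdtmbiwqbkgf] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\ugommqauuacvcar.dll"
O20 - Winlogon Notify: ssqPgHbb - C:\WINDOWS\SYSTEM32\ssqPgHbb.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# "~" is the shorthand the posted CFScript uses for
# Software\Microsoft\Windows\CurrentVersion\Explorer.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"


def looks_random(path):
    """Heuristic (assumption): an 8-letter mixed-case DLL stem under system32,
    the shape of iifExvSj.dll / ssqPgHbb.dll above. Legitimate names of that
    shape exist, so a real deployment needs a known-good list in front of it."""
    if "\\system32\\" not in path.lower():
        return False
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(re.fullmatch(r"[A-Za-z]{8}", stem)) and not stem.islower() and not stem.isupper()


def parse_bho_path(raw):
    """Split HJT's O2 path field into (path or None, file_missing)."""
    raw = raw.strip()
    if raw == "(no file)":
        return None, True
    if raw.endswith("(file missing)"):
        return raw[: -len("(file missing)")].strip(), True
    return raw, False


@dataclass
class Findings:
    files: list = field(default_factory=list)        # paths for the File:: section
    reg_deletes: list = field(default_factory=list)  # whole keys, emitted as [-KEY]
    run_values: dict = field(default_factory=dict)   # Run key -> value names, emitted as "name"=-

    def has_file(self, path):
        return path.lower() in (p.lower() for p in self.files)

    def add_file(self, path):
        if not self.has_file(path):
            self.files.append(path)


def triage(log_text):
    f = Findings()
    bhos = []
    for line in log_text.splitlines():
        if m := O2_RE.match(line):
            bhos.append((m["clsid"], *parse_bho_path(m["path"])))
        elif m := O4_RE.match(line):
            cmd = m["cmd"]
            # Silent re-registration of a DLL at logon is how the BHO gets re-armed.
            if "regsvr32" in cmd.lower() and " /s " in cmd.lower():
                if dll := re.search(r'"([^"]+\.dll)"', cmd, re.I):
                    f.add_file(dll.group(1))
                f.run_values.setdefault(RUN_KEYS[m["hive"]], []).append(m["value"])
        elif m := O20_RE.match(line):
            # Winlogon Notify DLLs load into winlogon.exe and survive ordinary process kills.
            if looks_random(m["path"]):
                f.add_file(m["path"])
                f.reg_deletes.append(f"[-{NOTIFY_KEY}\\{m['name']}]")
    # Second pass: a BHO is removed if its file is missing or already condemned.
    for clsid, path, missing in bhos:
        if path and not missing and looks_random(path):
            f.add_file(path)
        if missing or (path and f.has_file(path)):
            f.reg_deletes.append(f"[-{BHO_KEY}\\{{{clsid}}}]")
    return f


def render_cfscript(f):
    """Emit the findings in the File:: / Registry:: layout used in the thread."""
    lines = ["File::", *f.files, "Registry::", *f.reg_deletes]
    for key, names in f.run_values.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_HJT_LOG)))
```

Save the output as CFScript.txt and drag it onto ComboFix.exe exactly as in step 2, but read every line first: the name heuristic is deliberately loose, and a File:: entry for a legitimate DLL is not something ComboFix will second-guess for you.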
Hi Phil,
Thanks for your help.
* I was confused and that's why I didn't post an uninstall list. I don't know if you need it, but I'll post it now.
* Referring to the Recovery Console, I was never asked (prompted) to do so.
Adabas D 13.01.00
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8 - Greek
Advertisement Service
AiGuru U1
Apple Mobile Device Support
Apple Software Update
Asus ACPI Driver
ASUSUpdate for Eee PC
Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
Azurewave Wireless LAN
Bonjour
ECAP
Eee Instant Key
Eee Storage
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
Intel(R) Graphics Media Accelerator Driver
InterVideo WinDVD
iTunes
Java(TM) 6 Update 3
Java(TM) 6 Update 7
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Greek Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint Viewer 2007 (Greek)
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Works
Mirar
MSVC80_x86
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
OCR Software by I.R.I.S 7.0
PC Connectivity Solution
QuickTime
Realtek High Definition Audio Driver
RON Tool Banners4u
Skype 3.6
Spybot - Search & Destroy
Spyware Doctor 6.0
StarOffice 8 ASUS Edition
Super Hybrid Engine
VLC media player 0.9.2
WIDCOMM Bluetooth Software
Windows Internet Explorer 7
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
winpwn-2.5 2.5.0.2
WinRAR archiver
Windows Live Sign-in Assistant
Security Update for Windows XP (KB941569)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Hotfix for Windows XP (KB952287)
Hotfix for Windows Media Player 11 (KB939683)
Windows Driver Package - Nokia Modem (05/22/2008 3.8)
Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Compatibility Pack for the 2007 Microsoft Office system
Windows Live Photo Gallery
ComboFix 08-12-01.03 - Giorgos 2008-12-03 11:09:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1253.1.1032.18.470 [GMT 2:00]
Running from: c:\documents and settings\Giorgos\Επιφάνεια εργασίας\ComboFix.exe
Command switches used :: c:\documents and settings\Giorgos\Επιφάνεια εργασίας\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\temp\dAW8U7.exe
c:\windows\system32\fccaXQhh.dll
c:\windows\system32\nnnooLFx.dll
c:\windows\system32\opnOGyVN.dll
c:\windows\system32\pmnnNhfg.dll
c:\windows\system32\ugommqauuacvcar.dll
c:\windows\system32\winka77.dll
c:\windows\system32\xlgnneomgdgbb.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\temp\dAW8U7.exe
c:\windows\system32\fccaXQhh.dll
c:\windows\system32\nnnooLFx.dll
c:\windows\system32\opnOGyVN.dll
c:\windows\system32\pmnnNhfg.dll
c:\windows\system32\ugommqauuacvcar.dll
c:\windows\system32\winka77.dll
c:\windows\system32\xlgnneomgdgbb.exe
.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.
2008-11-28 11:34 . 2008-11-28 11:34 <DIR> d-------- c:\program files\Trend Micro
2008-11-28 10:33 . 2008-11-28 10:33 95 --a------ c:\windows\wininit.ini
2008-11-28 10:00 . 2008-11-28 10:04 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-28 10:00 . 2008-11-28 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 09:07 . 2008-07-21 16:50 <DIR> d-------- c:\documents and settings\Administrator\Bluetooth Software
2008-11-28 09:07 . 2008-07-22 09:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Skype
2008-11-28 09:07 . 2008-07-21 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-11-28 09:07 . 2008-11-28 11:34 <DIR> d-------- c:\documents and settings\Administrator\Επιφάνεια εργασίας
2008-11-28 09:07 . 2008-07-22 14:47 <DIR> dr------- c:\documents and settings\Administrator\Τα έγγραφά μου
2008-11-28 09:06 . 2008-11-28 10:37 <DIR> d-------- c:\documents and settings\Administrator
2008-11-27 16:43 . 2008-11-27 16:43 <DIR> d-------- c:\windows\system32\ve
2008-11-27 16:43 . 2008-11-27 16:43 <DIR> d-------- c:\windows\system32\SN3
2008-11-27 16:43 . 2008-11-27 16:43 <DIR> d-------- c:\windows\system32\log2
2008-11-27 16:43 . 2008-11-27 16:44 <DIR> d-------- c:\windows\system32\I2V
2008-11-27 16:43 . 2008-11-27 16:43 <DIR> d-------- c:\temp\FT62
2008-11-27 16:42 . 2008-11-27 16:42 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-27 16:25 . 2008-11-27 16:25 <DIR> d-------- c:\windows\Sun
2008-11-16 07:13 . 2008-11-16 07:13 <DIR> d-------- c:\program files\Common Files\PCSuite
2008-11-16 07:13 . 2008-11-16 07:13 <DIR> d-------- c:\program files\Common Files\Nokia
2008-11-12 19:48 . 2008-10-24 13:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-08 18:14 . 2008-11-12 08:06 <DIR> d-------- c:\documents and settings\Elina\Application Data\skypePM
2008-11-04 19:15 . 2008-11-04 19:15 <DIR> d-------- c:\program files\winpwn-2.5
2008-11-03 03:40 . 2008-11-03 03:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 09:11 --------- d-----w c:\documents and settings\Giorgos\Application Data\Skype
2008-12-03 08:52 --------- d-----w c:\documents and settings\Giorgos\Application Data\skypePM
2008-12-02 20:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 20:30 --------- d-----w c:\program files\Spyware Doctor
2008-12-02 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-11-16 05:13 --------- d-----w c:\program files\Nokia
2008-11-16 04:52 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2008-11-12 20:25 --------- d-----w c:\program files\Java
2008-11-12 11:49 --------- d-----w c:\documents and settings\Elina\Application Data\Skype
2008-11-08 15:38 --------- d-----w c:\documents and settings\Elina\Application Data\Nokia
2008-11-03 19:41 --------- d-----w c:\documents and settings\Elina\Application Data\PC Suite
2008-11-03 19:40 --------- d-----w c:\documents and settings\All Users\Application Data\PC Suite
2008-11-01 13:21 --------- d-----w c:\documents and settings\Elina\Application Data\HP
2008-10-26 18:07 --------- d-----w c:\program files\Common Files\PC Tools
2008-10-26 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2008-10-26 18:06 160,792 ----a-w c:\windows\system32\drivers\pctfw2.sys
2008-10-26 17:49 --------- d-----w c:\documents and settings\Giorgos\Application Data\PC Tools
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 07:48 --------- d-----w c:\program files\MSXML 4.0
2008-10-22 22:11 --------- d-----w c:\documents and settings\Giorgos\Application Data\HP
2008-10-22 22:05 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-10-22 21:55 --------- d-----w c:\program files\HP
2008-10-22 21:52 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-10-22 21:52 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2008-10-22 21:51 --------- d-----w c:\program files\Common Files\HP
2008-10-22 21:48 --------- d-----w c:\program files\Hewlett-Packard
2008-10-22 21:47 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-10-22 20:55 --------- d-----w c:\program files\Google
2008-10-22 09:42 --------- d-----w c:\program files\belenus
2008-10-22 09:42 --------- d-----w c:\program files\Alfred Kaercher
2008-10-17 17:44 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-09 22:54 --------- d-----w c:\documents and settings\Giorgos\Application Data\Apple Computer
2008-10-09 17:21 --------- d-----w c:\documents and settings\Giorgos\Application Data\Nokia
2008-10-09 17:20 --------- d-----w c:\documents and settings\Giorgos\Application Data\PC Suite
2008-10-09 17:19 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-10-09 17:19 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-10-09 17:13 --------- d-----w c:\program files\PC Connectivity Solution
2008-10-09 17:13 --------- d-----w c:\program files\DIFX
2008-10-09 11:40 894 ----a-w c:\documents and settings\Giorgos\Application Data\wklnhst.dat
2008-10-09 09:43 --------- d-----w c:\documents and settings\Giorgos\Application Data\Template
2008-10-08 20:34 --------- d-----w c:\program files\Microsoft Works
2008-10-08 20:34 --------- d-----w c:\program files\Microsoft ActiveSync
2008-10-06 20:22 --------- d-----w c:\program files\Proofing Tools
2008-10-06 20:11 --------- d-----w c:\program files\Common Files\L&H
2008-10-06 19:45 --------- d-----w c:\program files\Microsoft.NET
2008-10-06 00:32 --------- d-----w c:\program files\iTunes
2008-10-06 00:32 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-06 00:31 --------- d-----w c:\program files\QuickTime
2008-10-06 00:31 --------- d-----w c:\program files\iPod
2008-10-06 00:31 --------- d-----w c:\program files\Common Files\Apple
2008-10-06 00:31 --------- d-----w c:\program files\Bonjour
2008-10-06 00:31 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-06 00:30 --------- d-----w c:\program files\Apple Software Update
2008-10-06 00:30 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-10-06 00:12 --------- d-----w c:\documents and settings\Giorgos\Application Data\vlc
2008-10-05 23:20 --------- d-----w c:\program files\VideoLAN
2008-10-05 01:07 --------- d-----w c:\program files\Windows Live
2008-10-04 20:11 --------- d-----w c:\documents and settings\Giorgos\Application Data\InterVideo
2008-10-04 19:25 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-10-03 19:37 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-03 19:37 --------- d-----w c:\program files\Asus
2008-10-03 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\ECAP
2008-09-30 14:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 15:25 1,846,656 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:16 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-05-07 13:34 15,523,560 ----a-w c:\program files\U1 Setup.exe
.
((((((((((((((((((((((((((((( snapshot@2008-12-02_22.45.41.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-02 13:04:50 86,960 ----a-w c:\windows\system32\perfc008.dat
+ 2008-12-02 20:46:50 86,960 ----a-w c:\windows\system32\perfc008.dat
- 2008-12-02 13:04:50 63,522 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-02 20:46:50 63,522 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-02 13:04:50 509,138 ----a-w c:\windows\system32\perfh008.dat
+ 2008-12-02 20:46:50 509,138 ----a-w c:\windows\system32\perfh008.dat
- 2008-12-02 13:04:50 404,302 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-02 20:46:50 404,302 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]
"U1_utility"="c:\program files\Asus\AiGuru U1\AiGuru_U1.exe" [2008-04-25 557056]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-10-02 1124352]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 7\PCSync2.exe" [2008-06-17 1249280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-06-03 98304]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-06-03 479232]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"U1_USB"="c:\program files\ASUS\AiGuru U1\AiGuru_U1usb.exe" [2008-04-25 200704]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-16 30192]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 c:\windows\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
c:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-04-14 596584]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
ID_Γρήγορη_εκκίνηση_πινακοθήκης_HP_ell.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-07-21 303104]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R1 pctfw2;pctfw2;\??\c:\windows\system32\drivers\pctfw2.sys [2008-10-26 160792]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\DRIVERS\ASUSACPI.sys [2008-07-21 11264]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\l1e51x86.sys [2008-05-17 36864]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\DRIVERS\RT2860.sys [2008-07-21 625024]
S3 GoogleDesktopManager-092308-165331;Διαχείριση του Google Desktop 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-10-16 30192]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-10-26 356920]
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-hvsdtmbiwqbkgf - c:\windows\system32\ugommqauuacvcar.dll
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 11:11:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\igfxdev.dll
- - - - - - - > 'lsass.exe'(784)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2008-12-03 11:12:41
ComboFix-quarantined-files.txt 2008-12-03 09:12:37
ComboFix2.txt 2008-12-02 20:46:42
Pre-Run: 12 Κατάλογοι 64.132.063.232 διαθέσιμα byte
Post-Run: 12 Κατάλογοι 64,149,852,160 διαθέσιμα byte
235 --- E O F --- 2008-11-12 19:41:04
Malwarebytes' Anti-Malware 1.30
Έκδοση βάσης δεδομένων: 1454
Windows 5.1.2600 Service Pack 3
3/12/2008 11:59:35 πμ
mbam-log-2008-12-03 (11-59-35).txt
Τύπος σάρωσης: Πλήρης σάρωση (C:\|D:\|)
Αντικείμενα που σαρώθηκαν: 117321
Χρόνος που έχει διανυθεί: 25 minute(s), 10 second(s)
Μολυσμένες διεργασίες στη μνήμη: 0
Μολυσμένα στοιχεία στη μνήμη: 0
Μολυσμένα κλειδιά στο μητρώο: 0
Μολυσμένες τιμές στο μητρώο: 0
Μολυσμένα αντικείμενα δεδομένων στο μητρώο: 0
Μολυσμένοι φάκελοι: 0
Μολυσμένα αρχεία: 10
Μολυσμένες διεργασίες στη μνήμη:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)
Μολυσμένα στοιχεία στη μνήμη:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)
Μολυσμένα κλειδιά στο μητρώο:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)
Μολυσμένες τιμές στο μητρώο:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)
Μολυσμένα αντικείμενα δεδομένων στο μητρώο:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)
Μολυσμένοι φάκελοι:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)
Μολυσμένα αρχεία:
C:\Qoobox\Quarantine\C\WINDOWS\system32\fccaXQhh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nnnooLFx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C2228D1D-B6C9-40D8-A597-DB7059649597}\RP57\A0020350.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C2228D1D-B6C9-40D8-A597-DB7059649597}\RP58\A0023373.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C2228D1D-B6C9-40D8-A597-DB7059649597}\RP58\A0023376.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C2228D1D-B6C9-40D8-A597-DB7059649597}\RP58\A0023377.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C2228D1D-B6C9-40D8-A597-DB7059649597}\RP65\A0024521.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C2228D1D-B6C9-40D8-A597-DB7059649597}\RP66\A0024636.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C2228D1D-B6C9-40D8-A597-DB7059649597}\RP66\A0024637.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:52 μμ, on 3/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclBCBTSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\HPZinw12.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [U1_USB] C:\Program Files\ASUS\AiGuru U1\AiGuru_U1usb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [U1_utility] C:\Program Files\Asus\AiGuru U1\AiGuru_U1.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSync2.exe" /NoDialog
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ID_Γρήγορη_εκκίνηση_πινακοθήκης_HP_ell.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SuperHybridEngine.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Αποστολή σε Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Αποστολή στη συσκευή &Bluetooth... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Προσθήκη στο ιστολόγιο - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Προσθήκη στο ιστολόγιο στο Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Δημιουργία Αγαπημένου κινητής συσκευής... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223072069541
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Διαχείριση του Google Desktop 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 10865 bytes
It seems that it is running smoothly now.
Thanks for your time, Phil.
George
pskelley
2008-12-03, 13:48
Hi George, thanks for the uninstall list and the feedback. I read no Greek, so you should look closely at anything in Greek to make sure I miss no malware I do not recognize.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out-of-date programs to infect folks more and more. Here is a small free tool that lets you know when something needs an update, if you are interested:
http://secunia.com/vulnerability_scanning/personal/
While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 8 - Greek
I also have no way of knowing if the new version is available in Greek, so I will post the information:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php
Java(TM) 6 Update 3
Java(TM) 6 Update 7
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
Mirar <<< assuming this is adware, see the link:
http://www.symantec.com/security_response/writeup.jsp?docid=2004-091714-4329-99
http://www.google.com/search?hl=en&q=Mirar&btnG=Google+Search&aq=f&oq=
RON Tool Banners4u <<< uninstall
http://www.google.com/search?hl=en&q=RON+Tool+Banners4u&btnG=Search
It seems that it is running smoothly now.
As far as I can see, it looks like we killed the junk; let's proceed like this. You can work through the uninstall issues as time permits.
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
I cannot see what I know to be an antivirus program running on the computer. If I am missing something, let me know. If you need links to a free antivirus program, also let me know. Going online without antivirus protection anymore is cyber-suicide: you will reinfect quickly, and we will both have wasted the time cleaning the computer.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
Hello Phil,
Sorry for the late reply.
I'd like to thank you once again for your help and also ask you a few more things:
* MBAM rescan, all clear
* Secunia; already installed
* java: removed old /installed new
* Mirar: tried to remove it from the Add/Remove panel, not possible
* RON Tool Banners4u: removed from the Add/Remove panel
* uninstall the disinfection programs in due time
* Clean System Restore: not yet
Protection: I use spyware doctor with antivirus from PCTools.
Curiosity drove me to scan my other laptop with MBAM, and some registry infections were found.
Should I post a new thread, or can we continue with this one?
Thanks/George
pskelley
2008-12-05, 00:22
Protection: I use spyware doctor with antivirus from PCTools.
Hi George, since I do not use SpywareDoctor, I forget that it offers antivirus protection.
Mirar: tried to remove it from the Add/Remove panel, not possible
Without reinstalling ComboFix and using a script, have a look here to see if something helps:
http://www.google.com/search?hl=en&q=remove+mirar&btnG=Google+Search&aq=f&oq=
Should I post a new thread or we can continue with this one?
I apologize, I just checked and 87 members are waiting for a helper to respond for the first time. Members with infected computers far outnumber the few helpers, so I will have to ask that you review the directions, then start a new topic for that computer.
Thanks for understanding, and Happy Holidays!
Hi Phil...
Thanks for everything, happy holidays.
George