spybot search & destroy doesn't run, various infections detected at an online scan
in_the_woods
2009-08-09, 17:17
Hi,
First of all, I can't run Spybot - Search & Destroy. Every time I try, the PC will either freeze or shut down and restart by itself. I tried to run it in safe mode but had the same results. The PC had a Symantec antivirus in the past but does not have an antivirus now, so I tried to do an online scan at Kaspersky's website but the scan failed twice. I do not remember if the PC froze or if it shut down. I managed to do a scan at Panda's website and it found various infections.
The PC is very, very slow and it will frequently shut down and restart. I was using Internet Explorer 7 and it too was very slow. I updated to IE8 but it performed like IE7. When I switched to Mozilla, right after installation I noticed that Mozilla would load instantly and so did the webpages, but after a while it was performing like IE, perhaps slightly better.
Some days ago I found a file named "jkos-admin" which I deleted, but I kept it in the recycle bin just in case it could give you some information. I could not find it after a system restore was performed. Perhaps I emptied the recycle bin by mistake. I think it was here: documents and settings/admin/local settings/temp, but it is not there now.
Some weeks ago, with the PC performing as badly as it does now, I cleaned the registry :oops: with CCleaner. It didn't seem to affect the PC in any way.
1) There is a "P2P Networking" icon in the Control Panel and a P2PNetworking.eng on my hard drive. Should I just delete this?
2) Do you want me to paste the log of the Panda scan?
3) I have an older version of Spybot. I installed the new version without updating through the old one, so now I have two installed. Should I uninstall the older version? It has some items quarantined. What must I do with these?
I would very much appreciate any help and advice you could give. Thank you very much. :thanks:
P.S. I don't speak English very well and I do not know much about computers, so I apologise if something I wrote does not make much sense.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:04 μμ, on 9/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\admin\Επιφάνεια εργασίας\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mech.ntua.gr/gr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Program Files\RXToolBar\RXToolBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: PartMetBackup.lnk.disabled
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A0CC33E0-9DF0-4361-A94D-E55C4008788F} (BiosAgentPlus ActiveX Control) - http://biosagentplus.com/files/biosagentplus.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63D0C496-2805-4133-96DE-A217E53D116A}: NameServer = 194.219.227.2,193.92.150.3
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 5600 bytes
Hi in_the_woods
Yes, please post the Panda scan log next :)
in_the_woods
2009-08-10, 15:21
Hi Shaba :greeting:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-05 10:25:05
PROTECTIONS: 0
MALWARE: 18
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\appid\altnet signing module.exe
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{5830698F-7FC0-40CD-A453-9A0CAFDF3A64}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438}
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@atdmt[1].txt
00141436 Application/P2PNetworking HackTools No 0 Yes No C:\WINDOWS\system32\P2P Networking v1263.cpl
00141437 Application/P2PNetworking HackTools No 0 Yes No C:\WINDOWS\Downloaded Program Files\WebP2PInstaller3.dll
00145869 Cookie/SpyLog TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@spylog[1].txt
00151738 W32/Lovgate.BU.worm Virus/Worm No 0 Yes No C:\fsc.tmp\driver\chipset\sis_chipset_ide_v2_04a_w2k_wxp\setupdir\0804\Mafia Trainer!!!.exe
00167014 adware/rxtoolbar Adware No 1 Yes No hkey_classes_root\rxtoolbar.tbinfo.1
00167014 adware/rxtoolbar Adware No 1 Yes No hkey_current_user\software\rx toolbar
00167014 adware/rxtoolbar Adware No 1 Yes No c:\program files\rxtoolbar
00167014 adware/rxtoolbar Adware No 1 Yes No hkey_local_machine\software\rxresults
00167014 adware/rxtoolbar Adware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}
00167014 adware/rxtoolbar Adware No 1 Yes No HKEY_LOCAL_MACHINE\software\classes\protocols\filter\text/html\CLSID\{2AB289AE-4B90-4281-B2AE-1F4BB034B647}
00167014 adware/rxtoolbar Adware No 1 Yes No HKEY_CLASSES_ROOT\TypeLib\{66B20295-DC57-42B6-ACDF-52D916E86464}
00167014 adware/rxtoolbar Adware No 1 Yes No HKEY_CLASSES_ROOT\Interface\{FB590D02-0A82-4F44-9FAD-517948DCF4F3}
00167014 adware/rxtoolbar Adware No 1 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0}
00167014 adware/rxtoolbar Adware No 1 Yes No hkey_classes_root\clsid\{25d8bacf-3de2-4b48-ae22-d659b8d835b0}
00167014 adware/rxtoolbar Adware No 1 Yes No hkey_local_machine\software\classes\rxtoolbar.tbinfo.1
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@yadro[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@ad.yieldmanager[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@advertising[1].txt
00169752 application/need2find HackTools No 0 Yes No hkey_current_user\software\need2find
00169752 application/need2find HackTools No 0 Yes No hkey_local_machine\software\need2find
00169752 application/need2find HackTools No 0 Yes No c:\program files\need2find
00169752 Application/Need2Find HackTools No 0 Yes No C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
00169752 Application/Need2Find HackTools No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP786\A0911225.DLL
00169753 Application/Need2Find HackTools No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP786\A0911224.DLL
00180282 Application/Need2Find HackTools No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP786\A0911231.DLL
00180282 Application/Need2Find HackTools No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP786\A0912229.dll
00211158 application/bestoffer HackTools No 0 Yes No c:\windows\smdat32m.sys
00349071 Adware/RXToolbar Adware No 1 Yes No C:\Program Files\RXToolBar\RXToolBar.dll
00527204 Application/PRScheduler HackTools Yes 0 Yes No C:\Documents and Settings\admin\Start Menu\Προγράμματα\Εκκίνηση\PowerReg Scheduler V3.exe
01907169 Trj/Zlob.LH Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP797\A0952637.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location ^
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description ^
;===================================================================================================================================================================================
;===================================================================================================================================================================================
Download DDS to your desktop from one of the links below:
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)
Double click the tool to run it.
A black screen will open; just read the contents and do nothing.
When the tool finishes, it will open 2 reports.
Copy/paste both reports back here and remove DDS from your desktop.
in_the_woods
2009-08-10, 18:30
DDS (Ver_09-07-30.01) - NTFSx86
Run by admin at 17:55:38,67 on 10/08/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1253.30.1032.18.511.278 [GMT 3:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\admin\Επιφάνεια εργασίας\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.mech.ntua.gr/gr
uInternet Connection Wizard,ShellNext = iexplore
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Βοηθός εισόδου του Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: RX Toolbar: {25d8bacf-3de2-4b48-ae22-d659b8d835b0} - c:\program files\rxtoolbar\RXToolBar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {92A40B0A-740A-4A11-9DDB-70460C6DA383} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [P2P Networking] c:\windows\system32\p2p networking\P2P Networking.exe /AUTOSTART
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\admin\start menu\προγράμματα\εκκίνηση\PartMetBackup.lnk.disabled
StartupFolder: c:\documents and settings\admin\start menu\προγράμματα\εκκίνηση\PowerReg Scheduler V3.exe
IE: &eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: Ε&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A0CC33E0-9DF0-4361-A94D-E55C4008788F} - hxxp://biosagentplus.com/files/biosagentplus.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {63D0C496-2805-4133-96DE-A217E53D116A} = 194.219.227.2,193.92.150.3
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\if238me7.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/showthread.php?t=50650
FF - plugin: c:\program files\mozilla firefox\plugins\NPNd2fn.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
S1 HWiNFO32;HWiNFO32 Kernel Driver;\??\c:\docume~1\admin\locals~1\temp\hwinfo32.sys --> c:\docume~1\admin\locals~1\temp\HWiNFO32.SYS [?]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-9 12672]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-9-23 13352]
S3 SE2Fbus;Sony Ericsson Device 047 Driver driver (WDM);c:\windows\system32\drivers\SE2Fbus.sys [2007-2-25 61600]
S3 SE2Fmdfl;Sony Ericsson Device 047 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Fmdfl.sys [2007-2-25 9360]
S3 SE2Fmdm;Sony Ericsson Device 047 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Fmdm.sys [2007-2-25 97184]
S3 SE2Fmgmt;Sony Ericsson Device 047 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Fmgmt.sys [2007-2-25 88688]
S3 se2Fnd5;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (NDIS);c:\windows\system32\drivers\se2Fnd5.sys [2007-2-25 18704]
S3 SE2Fobex;Sony Ericsson Device 047 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Fobex.sys [2007-2-25 86560]
S3 se2Funic;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (WDM);c:\windows\system32\drivers\se2Funic.sys [2007-2-25 90800]
=============== Created Last 30 ================
2009-08-09 21:27 12,672 a------- c:\windows\system32\drivers\cpuz132_x32.sys
2009-08-09 21:27 <DIR> --d----- c:\program files\CPUID
2009-08-09 14:10 <DIR> --d----- C:\katevasmata
2009-08-08 20:46 <DIR> --d----- c:\program files\DVD Identifier
2009-08-08 14:37 <DIR> --d----- c:\docume~1\admin\applic~1\Ashampoo
2009-08-08 14:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ashampoo
2009-08-08 14:37 <DIR> --d----- c:\program files\Ashampoo
2009-08-06 18:06 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-06 18:04 <DIR> --d----- c:\program files\Incoming
2009-08-06 18:01 <DIR> --d----- c:\windows\cdmxtras
2009-07-21 13:03 <DIR> --d----- c:\docume~1\admin\applic~1\uTorrent
2009-07-19 16:04 <DIR> --d----- c:\program files\Panda Security
2009-07-19 15:55 <DIR> --d----- c:\program files\Safer Networking
2009-07-19 15:31 <DIR> --d----- c:\windows\ie8updates
2009-07-18 12:13 <DIR> --d----- c:\program files\nandub
2009-07-17 20:02 <DIR> --d----- c:\docume~1\admin\applic~1\Sony Ericsson
2009-07-17 20:02 <DIR> --d----- c:\docume~1\admin\applic~1\QA International
2009-07-17 20:01 <DIR> --d----- c:\program files\CosmoSoftware
2009-07-17 19:44 <DIR> --d----- c:\documents and settings\admin\IECompatCache
2009-07-17 19:43 <DIR> --d----- c:\documents and settings\admin\PrivacIE
2009-07-17 19:38 <DIR> --d----- c:\documents and settings\admin\IETldCache
2009-07-17 19:30 <DIR> -cd----- c:\windows\ie8
2009-07-15 11:26 <DIR> --d----- c:\program files\nandub-binary-1.0rc1
2009-07-14 13:41 <DIR> --d----- c:\program files\common files\ODBC
2009-07-13 10:21 <DIR> --d----- c:\docume~1\admin\applic~1\Any Video Converter
2009-07-13 10:21 <DIR> --d----- c:\program files\Any Video Converter
==================== Find3M ====================
2009-07-21 10:24 513,760 a------- c:\windows\system32\perfh008.dat
2009-07-21 10:24 88,668 a------- c:\windows\system32\perfc008.dat
2009-07-11 17:23 23,600 a------- c:\windows\system32\drivers\TVICHW32.SYS
2009-06-29 18:58 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 18:58 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 18:58 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 17:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 17:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 22:10 1,299,456 a------- c:\windows\system32\quartz.dll
2009-05-16 14:34 34,376 a------- c:\docume~1\admin\applic~1\GDIPFONTCACHEV1.DAT
2009-05-13 08:04 915,456 a------- c:\windows\system32\wininet(4)(2).dll
2009-05-13 08:04 915,456 a------- c:\windows\system32\wininet(2).dll
2009-02-28 07:57 5,517,160 a------- c:\program files\bitcomet_setup.exe
2009-01-13 14:14 3,338,372 a------- c:\program files\cosmo_win95nt_eng.exe
2009-01-13 14:06 1,492,727 a------- c:\program files\SurfX3D.zip
2008-06-16 07:54 411,766 a------- c:\program files\tetris_gy.exe
2008-04-25 18:48 1,233,466 a------- c:\program files\wrar371el.exe
2007-11-03 13:50 348 a------- c:\program files\downloads.txt
2007-11-03 13:49 348 a------- c:\program files\downloads.bak
2007-09-07 16:57 136,704 a------- c:\program files\EModelZoomin.dll
2007-09-07 16:56 91,648 a------- c:\program files\EModelViewer.exe
2007-09-07 16:56 26,624 a------- c:\program files\edrwthumbnailprovider.dll
2007-09-07 16:55 594,944 a------- c:\program files\eDrawingOfficeAutomator.exe
2007-09-07 16:55 95,744 a------- c:\program files\EModelEx
2007-09-07 16:55 133,120 a------- c:\program files\EModelExport.dll
2007-09-07 16:55 6,802,944 a------- c:\program files\EModelXlator.dll
2007-09-07 16:54 733,184 a------- c:\program files\EModelSWDisplayLists.dll
2007-09-07 16:54 814,592 a------- c:\program files\EModelReviewer.dll
2007-09-07 16:52 135,168 a------- c:\program files\EModelMDReader.dll
2007-09-07 16:52 71,680 a------- c:\program files\EModelEventLog.dll
2007-09-07 16:51 2,186,240 a------- c:\program files\EModelView.dll
2007-09-07 16:48 57,344 a------- c:\program files\EModelUtilsVista.dll
2007-09-07 16:47 249,344 a------- c:\program files\EModelUtils.dll
2007-09-07 16:47 2,814,976 a------- c:\program files\HoopsManager.dll
2007-09-07 16:43 2,680,297 a------- c:\program files\EModelAddIn.dll
2007-09-07 15:53 7,168 a------- c:\program files\eulaedrawing.txt
2007-09-07 15:52 161,412 a------- c:\program files\GTOL.SYM
2007-09-07 15:51 509,472 a------- c:\program files\swlicservinst.exe
2007-09-07 15:51 299,552 a------- c:\program files\solidworkslicenseservice.dll
2007-09-07 15:50 17,920 a------- c:\program files\IMPLODE.DLL
2006-05-20 12:24 447,088 a------- c:\program files\AluriaLiteScannerInstall.exe
2006-03-10 22:55 300 a------- c:\program files\acadcd.mid
2006-02-01 11:00 1,400,248 a------- c:\program files\spybotsd_includes.exe
2006-02-01 10:46 789,515 a------- c:\program files\spybotsd14.exe
2006-01-24 23:26 429 a------- c:\program files\MediaBrowser.ini
2005-12-16 00:30 53,248 a------- c:\program files\Setup.exe
2005-08-09 12:57 1,211,083 a------- c:\program files\abcexcel.zip
2004-10-21 20:38 126,976 a------- c:\program files\MediaBrowser.exe
2002-02-22 12:35 43 a------- c:\program files\autorun.inf
2009-02-04 11:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020420090205\index.dat
============= FINISH: 17:56:20,65 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-07-30.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8/9/2004 9:51:02 πμ
System Uptime: 8/10/2009 5:12:29 μμ (-1416 hours ago)
Motherboard: FUJITSU SIEMENS | | D1675
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU | 3200/800mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 27,227 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP773: 16/6/2009 9:51:19 μμ - Σημείο ελέγχου συστήματος
RP774: 24/6/2009 9:56:09 πμ - Σημείο ελέγχου συστήματος
RP775: 25/6/2009 10:24:05 πμ - Software Distribution Service 3.0
RP776: 27/6/2009 2:38:10 μμ - Σημείο ελέγχου συστήματος
RP777: 30/6/2009 8:14:29 πμ - Installed Windows Media Format Runtime
RP778: 1/7/2009 9:42:12 πμ - Software Distribution Service 3.0
RP779: 1/7/2009 6:12:22 μμ - Removed Fine Woodworking Archive
RP780: 1/7/2009 10:58:29 μμ - Software Distribution Service 3.0
RP781: 8/7/2009 9:54:24 πμ - Σημείο ελέγχου συστήματος
RP782: 9/7/2009 10:30:17 πμ - Σημείο ελέγχου συστήματος
RP783: 10/7/2009 2:13:56 μμ - Removed Kazaa 3.2.7
RP784: 10/7/2009 2:15:10 μμ - Removed Sony Ericsson PC Suite
RP785: 10/7/2009 2:36:31 μμ - Configured QuickTime
RP786: 10/7/2009 2:41:05 μμ - Removed Adobe Photoshop Album Starter Edition 3.0
RP787: 11/7/2009 12:40:41 μμ - Installed Diskeeper Lite
RP788: 11/7/2009 1:18:13 μμ - Removed Diskeeper Lite
RP789: 11/7/2009 1:39:14 μμ - Installed Diskeeper Lite
RP790: 11/7/2009 1:41:32 μμ - Removed Diskeeper Lite
RP791: 13/7/2009 9:10:40 πμ - Σημείο ελέγχου συστήματος
RP792: 14/7/2009 9:39:40 μμ - Σημείο ελέγχου συστήματος
RP793: 15/7/2009 6:48:32 μμ - Software Distribution Service 3.0
RP794: 17/7/2009 1:11:55 μμ - Software Distribution Service 3.0
RP795: 17/7/2009 7:25:08 μμ - Software Distribution Service 3.0
RP796: 17/7/2009 7:59:42 μμ - Λειτουργία επαναφοράς
RP797: 17/7/2009 9:11:49 μμ - Software Distribution Service 3.0
RP798: 19/7/2009 12:37:10 πμ - Σημείο ελέγχου συστήματος
RP799: 19/7/2009 3:24:23 μμ - Installed Windows Internet Explorer 8.
RP800: 19/7/2009 3:28:00 μμ - Software Distribution Service 3.0
RP801: 20/7/2009 6:03:50 μμ - Σημείο ελέγχου συστήματος
RP802: 21/7/2009 1:47:15 μμ - Removed Kazaa 3.2.7
RP803: 29/7/2009 11:34:05 μμ - Software Distribution Service 3.0
RP804: 4/8/2009 7:36:13 μμ - Σημείο ελέγχου συστήματος
RP805: 6/8/2009 5:12:59 μμ - Λειτουργία επαναφοράς
RP806: 6/8/2009 5:37:52 μμ - Λειτουργία επαναφοράς
RP807: 6/8/2009 5:50:52 μμ - Λειτουργία επαναφοράς
RP808: 7/8/2009 12:00:56 πμ - Software Distribution Service 3.0
==== Installed Programs ======================
Βοηθός εισόδου του Windows Live
Εργαλείο αποστολής του Windows Live
Ε9 Δήλωση στοιχείων Ακινήτων 2008 v1
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB938127)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB950759)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB958215)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB960714)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB961260)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB963027)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB969897)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB972260)
Ενημέρωση ασφαλείας για Windows XP (KB923561)
Ενημέρωση ασφαλείας για Windows XP (KB938464-v2)
Ενημέρωση ασφαλείας για Windows XP (KB938464)
Ενημέρωση ασφαλείας για Windows XP (KB946648)
Ενημέρωση ασφαλείας για Windows XP (KB950760)
Ενημέρωση ασφαλείας για Windows XP (KB950762)
Ενημέρωση ασφαλείας για Windows XP (KB950974)
Ενημέρωση ασφαλείας για Windows XP (KB951066)
Ενημέρωση ασφαλείας για Windows XP (KB951376-v2)
Ενημέρωση ασφαλείας για Windows XP (KB951376)
Ενημέρωση ασφαλείας για Windows XP (KB951698)
Ενημέρωση ασφαλείας για Windows XP (KB951748)
Ενημέρωση ασφαλείας για Windows XP (KB952004)
Ενημέρωση ασφαλείας για Windows XP (KB952954)
Ενημέρωση ασφαλείας για Windows XP (KB953839)
Ενημέρωση ασφαλείας για Windows XP (KB954211)
Ενημέρωση ασφαλείας για Windows XP (KB954459)
Ενημέρωση ασφαλείας για Windows XP (KB954600)
Ενημέρωση ασφαλείας για Windows XP (KB955069)
Ενημέρωση ασφαλείας για Windows XP (KB956391)
Ενημέρωση ασφαλείας για Windows XP (KB956572)
Ενημέρωση ασφαλείας για Windows XP (KB956802)
Ενημέρωση ασφαλείας για Windows XP (KB956803)
Ενημέρωση ασφαλείας για Windows XP (KB956841)
Ενημέρωση ασφαλείας για Windows XP (KB957097)
Ενημέρωση ασφαλείας για Windows XP (KB958644)
Ενημέρωση ασφαλείας για Windows XP (KB958687)
Ενημέρωση ασφαλείας για Windows XP (KB958690)
Ενημέρωση ασφαλείας για Windows XP (KB959426)
Ενημέρωση ασφαλείας για Windows XP (KB960225)
Ενημέρωση ασφαλείας για Windows XP (KB960715)
Ενημέρωση ασφαλείας για Windows XP (KB960803)
Ενημέρωση ασφαλείας για Windows XP (KB961371)
Ενημέρωση ασφαλείας για Windows XP (KB961373)
Ενημέρωση ασφαλείας για Windows XP (KB961501)
Ενημέρωση ασφαλείας για Windows XP (KB968537)
Ενημέρωση ασφαλείας για Windows XP (KB969898)
Ενημέρωση ασφαλείας για Windows XP (KB970238)
Ενημέρωση ασφαλείας για Windows XP (KB971633)
Ενημέρωση ασφαλείας για Windows XP (KB973346)
Ενημέρωση για Windows XP (KB951072-v2)
Ενημέρωση για Windows XP (KB951978)
Ενημέρωση για Windows XP (KB955839)
Ενημέρωση για Windows XP (KB961503)
Ενημέρωση για Windows XP (KB967715)
Ενημερωμένη έκδοση ασφαλείας για Windows XP (KB923689)
Ενημερωμένη έκδοση ασφαλείας για Windows XP (KB941569)
Ενημερωμένη έκδοση ασφαλείας για το Windows Media Player (KB911564)
Ενημερωμένη έκδοση ασφαλείας για το Windows Media Player (KB952069)
Ενημερωμένη έκδοση ασφαλείας για το Windows Media Player 6.4 (KB925398)
Ενημερωμένη έκδοση ασφαλείας για το Windows Media Player 9 (KB911565)
Ενημερωμένη έκδοση ασφαλείας για το Windows Media Player 9 (KB917734)
Ενημερωμένη έκδοση ασφαλείας για το Windows Media Player 9 (KB936782)
Επείγουσα επιδιόρθωση για Windows XP (KB952287)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Any Video Converter 2.7.5
AoA Audio Extractor 1.0
AOpen Multimedia Utilities
Ashampoo Burning Studio 6 FREE
Audiovisual
Autodesk DWF Viewer
C-Major Audio
CCleaner (remove only)
Choice Guard
CometBird (3.0.10)
CPUID CPU-Z 1.52.1
Defraggler (remove only)
DVD Decrypter (Remove Only)
DVD Identifier
eDrawings 2008
ERUNT 1.1j
HijackThis 2.0.2
ImgBurn
InPorte Home
Java(TM) 6 Update 13
K-Lite Codec Pack 4.7.0 (Full)
Kazaa 3.2.7
Lexmark 510 Series
Macromedia Flash Player 8
MetFileRegenerator v3.0.16
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional με FrontPage
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.5.2)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MyDVD
NVIDIA Display Driver
PowerDVD
Radar Sync Bar
Runtime 8.0 Libraries
Security Update for CAPICOM (KB931906)
Segoe UI
Smart Defrag 1.20
Sonic DLA
Sonic RecordNow DX
Sonic Simple Backup
Sonic Update Manager
Space Invaders '96 : The Year We Make Contact
Spybot - Search & Destroy
Spybot - Search & Destroy 1.3
VideoLAN VLC media player 0.8.6
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR 3.70 Εφαρμογή Διαχείρισης Συμπιεσμένων Αρχείων
==== End Of File ===========================
I think that I have uninstalled Kazaa 3.2.7 and that it appeared again in the add/remove programs list after a system restore I performed. When I try now to remove it, I get a message saying that "InstallShield Setup Launcher encountered a problem".
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.
uTorrent
I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).
Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Please run a new DDS log scan when finished and post the logs back here.
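As an added example (not part of this thread, and not code from DDS or Spybot), the following Python script splits a DDS log into its sections and flags the kind of P2P residue Shaba is pointing at: autostart entries, application-data folders, leftover installers and Add/Remove Programs entries. The indicator list and the sample log excerpt are constructed from this thread's own logs and are assumptions, not a complete list of file-sharing software.

```python
import re
from dataclasses import dataclass

# Names of the P2P software seen in this thread's logs (Kazaa, uTorrent, the
# "P2P Networking" autostart, the BitComet installer). The list is an assumption
# for this example, not a complete catalogue of file-sharing programs.
P2P_INDICATORS = ("kazaa", "utorrent", "p2p networking", "bitcomet")

# DDS section header, e.g. "============== Pseudo HJT Report ===============".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Autostart entries in the Pseudo HJT Report: uRun/mRun/dRun and StartupFolder.
RUN_RE = re.compile(r"^(?:[ud]?m?Run|StartupFolder):\s*(?:\[(?P<name>[^\]]*)\]\s*)?(?P<path>.*)$")
# File entries in "Created Last 30" / "Find3M": date, size or <DIR>, attributes, path.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)


@dataclass(frozen=True)
class Hit:
    section: str  # DDS section the line came from
    kind: str     # "autostart", "file", "program", "browser" or "other"
    name: str     # run-key name, file path or program name
    line: str     # the original log line, to quote back to the poster


def split_sections(log_text):
    """Group a DDS log into {section title: [lines]} using its ==== headers."""
    sections = {}
    current = "preamble"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def classify(section, line):
    """Map one DDS line to (kind, name) according to the section it sits in."""
    if section == "Pseudo HJT Report":
        run = RUN_RE.match(line)
        if run:
            return "autostart", run.group("name") or run.group("path")
        return "browser", line          # BHO:, TB:, DPF: and similar entries
    entry = FILE_RE.match(line)
    if entry:
        return "file", entry.group("path")
    if section == "Installed Programs":
        return "program", line
    return "other", line


def find_p2p_indicators(log_text, indicators=P2P_INDICATORS):
    """Return a Hit for every DDS line that mentions one of the indicators."""
    hits = []
    for section, lines in split_sections(log_text).items():
        for line in lines:
            low = line.lower()
            if any(ind in low for ind in indicators):
                kind, name = classify(section, line)
                hits.append(Hit(section, kind, name, line))
    return hits


# Constructed excerpt modelled on the DDS logs posted in this thread.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\system32\spoolsv.exe
============== Pseudo HJT Report ===============
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [P2P Networking] c:\windows\system32\p2p networking\P2P Networking.exe /AUTOSTART
StartupFolder: c:\documents and settings\admin\start menu\programs\startup\PowerReg Scheduler V3.exe
=============== Created Last 30 ================
2009-07-21 13:03 <DIR> --d----- c:\docume~1\admin\applic~1\uTorrent
2009-07-19 16:04 <DIR> --d----- c:\program files\Panda Security
==================== Find3M ====================
2009-02-28 07:57 5,517,160 a------- c:\program files\bitcomet_setup.exe
==== Installed Programs ======================
CCleaner (remove only)
Kazaa 3.2.7
Spybot - Search & Destroy
==== End Of File ===========================
"""

if __name__ == "__main__":
    for hit in find_p2p_indicators(SAMPLE_DDS):
        print(f"[{hit.section}] {hit.kind:9} {hit.name}")
```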
in_the_woods
2009-08-10, 22:39
Hi Shaba :greeting: and :thanks: for helping me :cleaning: my p.c. :bighug:
Before seeking help here and having read the thread you gave me, I uninstalled the first of 2 P2P (Peer to Peer) File Sharing Programs that I had, but I could not find the second one (utorrent) in the Control Panel > Add/Remove Programs. If it matters, I searched for it in the Add/Remove Programs list after performing a system restore to a restore point that was created before the installation of this program. Anyway I found and deleted (before seeking help here) a utorrent.exe which I believe was what I downloaded in order to install the program. Even now it is not present in the Add/Remove Programs list.
DDS (Ver_09-07-30.01) - NTFSx86
Run by admin at 22:15:45,68 on 10/08/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1253.30.1032.18.511.247 [GMT 3:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\admin\Επιφάνεια εργασίας\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.mech.ntua.gr/gr
uInternet Connection Wizard,ShellNext = iexplore
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Βοηθός εισόδου του Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: RX Toolbar: {25d8bacf-3de2-4b48-ae22-d659b8d835b0} - c:\program files\rxtoolbar\RXToolBar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {92A40B0A-740A-4A11-9DDB-70460C6DA383} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [P2P Networking] c:\windows\system32\p2p networking\P2P Networking.exe /AUTOSTART
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\documents and settings\admin\start menu\προγράμματα\εκκίνηση\PartMetBackup.lnk.disabled
StartupFolder: c:\documents and settings\admin\start menu\προγράμματα\εκκίνηση\PowerReg Scheduler V3.exe
IE: &eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: Ε&ξαγωγή στο Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A0CC33E0-9DF0-4361-A94D-E55C4008788F} - hxxp://biosagentplus.com/files/biosagentplus.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {63D0C496-2805-4133-96DE-A217E53D116A} = 194.219.227.2,193.92.150.3
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\if238me7.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/showthread.php?t=50650
FF - plugin: c:\program files\mozilla firefox\plugins\NPNd2fn.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
============= SERVICES / DRIVERS ===============
S1 HWiNFO32;HWiNFO32 Kernel Driver;\??\c:\docume~1\admin\locals~1\temp\hwinfo32.sys --> c:\docume~1\admin\locals~1\temp\HWiNFO32.SYS [?]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-9 12672]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-9-23 13352]
S3 SE2Fbus;Sony Ericsson Device 047 Driver driver (WDM);c:\windows\system32\drivers\SE2Fbus.sys [2007-2-25 61600]
S3 SE2Fmdfl;Sony Ericsson Device 047 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Fmdfl.sys [2007-2-25 9360]
S3 SE2Fmdm;Sony Ericsson Device 047 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Fmdm.sys [2007-2-25 97184]
S3 SE2Fmgmt;Sony Ericsson Device 047 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Fmgmt.sys [2007-2-25 88688]
S3 se2Fnd5;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (NDIS);c:\windows\system32\drivers\se2Fnd5.sys [2007-2-25 18704]
S3 SE2Fobex;Sony Ericsson Device 047 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Fobex.sys [2007-2-25 86560]
S3 se2Funic;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (WDM);c:\windows\system32\drivers\se2Funic.sys [2007-2-25 90800]
=============== Created Last 30 ================
2009-08-09 21:27 12,672 a------- c:\windows\system32\drivers\cpuz132_x32.sys
2009-08-09 21:27 <DIR> --d----- c:\program files\CPUID
2009-08-09 14:10 <DIR> --d----- C:\katevasmata
2009-08-08 20:46 <DIR> --d----- c:\program files\DVD Identifier
2009-08-08 14:37 <DIR> --d----- c:\docume~1\admin\applic~1\Ashampoo
2009-08-08 14:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ashampoo
2009-08-08 14:37 <DIR> --d----- c:\program files\Ashampoo
2009-08-06 18:06 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-06 18:04 <DIR> --d----- c:\program files\Incoming
2009-08-06 18:01 <DIR> --d----- c:\windows\cdmxtras
2009-07-21 13:03 <DIR> --d----- c:\docume~1\admin\applic~1\uTorrent
2009-07-19 16:04 <DIR> --d----- c:\program files\Panda Security
2009-07-19 15:55 <DIR> --d----- c:\program files\Safer Networking
2009-07-19 15:31 <DIR> --d----- c:\windows\ie8updates
2009-07-18 12:13 <DIR> --d----- c:\program files\nandub
2009-07-17 20:02 <DIR> --d----- c:\docume~1\admin\applic~1\Sony Ericsson
2009-07-17 20:02 <DIR> --d----- c:\docume~1\admin\applic~1\QA International
2009-07-17 20:01 <DIR> --d----- c:\program files\CosmoSoftware
2009-07-17 19:44 <DIR> --d----- c:\documents and settings\admin\IECompatCache
2009-07-17 19:43 <DIR> --d----- c:\documents and settings\admin\PrivacIE
2009-07-17 19:38 <DIR> --d----- c:\documents and settings\admin\IETldCache
2009-07-17 19:30 <DIR> -cd----- c:\windows\ie8
2009-07-15 11:26 <DIR> --d----- c:\program files\nandub-binary-1.0rc1
2009-07-14 13:41 <DIR> --d----- c:\program files\common files\ODBC
2009-07-13 10:21 <DIR> --d----- c:\docume~1\admin\applic~1\Any Video Converter
2009-07-13 10:21 <DIR> --d----- c:\program files\Any Video Converter
==================== Find3M ====================
2009-07-21 10:24 513,760 a------- c:\windows\system32\perfh008.dat
2009-07-21 10:24 88,668 a------- c:\windows\system32\perfc008.dat
2009-07-11 17:23 23,600 a------- c:\windows\system32\drivers\TVICHW32.SYS
2009-06-29 18:58 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 18:58 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 18:58 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 17:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 17:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 22:10 1,299,456 a------- c:\windows\system32\quartz.dll
2009-05-16 14:34 34,376 a------- c:\docume~1\admin\applic~1\GDIPFONTCACHEV1.DAT
2009-05-13 08:04 915,456 a------- c:\windows\system32\wininet(4)(2).dll
2009-05-13 08:04 915,456 a------- c:\windows\system32\wininet(2).dll
2009-02-28 07:57 5,517,160 a------- c:\program files\bitcomet_setup.exe
2009-01-13 14:14 3,338,372 a------- c:\program files\cosmo_win95nt_eng.exe
2009-01-13 14:06 1,492,727 a------- c:\program files\SurfX3D.zip
2008-06-16 07:54 411,766 a------- c:\program files\tetris_gy.exe
2008-04-25 18:48 1,233,466 a------- c:\program files\wrar371el.exe
2007-11-03 13:50 348 a------- c:\program files\downloads.txt
2007-11-03 13:49 348 a------- c:\program files\downloads.bak
2007-09-07 16:57 136,704 a------- c:\program files\EModelZoomin.dll
2007-09-07 16:56 91,648 a------- c:\program files\EModelViewer.exe
2007-09-07 16:56 26,624 a------- c:\program files\edrwthumbnailprovider.dll
2007-09-07 16:55 594,944 a------- c:\program files\eDrawingOfficeAutomator.exe
2007-09-07 16:55 95,744 a------- c:\program files\EModelEx
2007-09-07 16:55 133,120 a------- c:\program files\EModelExport.dll
2007-09-07 16:55 6,802,944 a------- c:\program files\EModelXlator.dll
2007-09-07 16:54 733,184 a------- c:\program files\EModelSWDisplayLists.dll
2007-09-07 16:54 814,592 a------- c:\program files\EModelReviewer.dll
2007-09-07 16:52 135,168 a------- c:\program files\EModelMDReader.dll
2007-09-07 16:52 71,680 a------- c:\program files\EModelEventLog.dll
2007-09-07 16:51 2,186,240 a------- c:\program files\EModelView.dll
2007-09-07 16:48 57,344 a------- c:\program files\EModelUtilsVista.dll
2007-09-07 16:47 249,344 a------- c:\program files\EModelUtils.dll
2007-09-07 16:47 2,814,976 a------- c:\program files\HoopsManager.dll
2007-09-07 16:43 2,680,297 a------- c:\program files\EModelAddIn.dll
2007-09-07 15:53 7,168 a------- c:\program files\eulaedrawing.txt
2007-09-07 15:52 161,412 a------- c:\program files\GTOL.SYM
2007-09-07 15:51 509,472 a------- c:\program files\swlicservinst.exe
2007-09-07 15:51 299,552 a------- c:\program files\solidworkslicenseservice.dll
2007-09-07 15:50 17,920 a------- c:\program files\IMPLODE.DLL
2006-05-20 12:24 447,088 a------- c:\program files\AluriaLiteScannerInstall.exe
2006-03-10 22:55 300 a------- c:\program files\acadcd.mid
2006-02-01 11:00 1,400,248 a------- c:\program files\spybotsd_includes.exe
2006-02-01 10:46 789,515 a------- c:\program files\spybotsd14.exe
2006-01-24 23:26 429 a------- c:\program files\MediaBrowser.ini
2005-12-16 00:30 53,248 a------- c:\program files\Setup.exe
2005-08-09 12:57 1,211,083 a------- c:\program files\abcexcel.zip
2004-10-21 20:38 126,976 a------- c:\program files\MediaBrowser.exe
2002-02-22 12:35 43 a------- c:\program files\autorun.inf
2009-02-04 11:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020420090205\index.dat
============= FINISH: 22:15:57,54 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-07-30.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8/9/2004 9:51:02 πμ
System Uptime: 8/10/2009 7:53:44 μμ (-1413 hours ago)
Motherboard: FUJITSU SIEMENS | | D1675
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU | 3200/800mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 27,224 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP773: 16/6/2009 9:51:19 μμ - Σημείο ελέγχου συστήματος
RP774: 24/6/2009 9:56:09 πμ - Σημείο ελέγχου συστήματος
RP775: 25/6/2009 10:24:05 πμ - Software Distribution Service 3.0
RP776: 27/6/2009 2:38:10 μμ - Σημείο ελέγχου συστήματος
RP777: 30/6/2009 8:14:29 πμ - Installed Windows Media Format Runtime
RP778: 1/7/2009 9:42:12 πμ - Software Distribution Service 3.0
RP779: 1/7/2009 6:12:22 μμ - Removed Fine Woodworking Archive
RP780: 1/7/2009 10:58:29 μμ - Software Distribution Service 3.0
RP781: 8/7/2009 9:54:24 πμ - Σημείο ελέγχου συστήματος
RP782: 9/7/2009 10:30:17 πμ - Σημείο ελέγχου συστήματος
RP783: 10/7/2009 2:13:56 μμ - Removed Kazaa 3.2.7
RP784: 10/7/2009 2:15:10 μμ - Removed Sony Ericsson PC Suite
RP785: 10/7/2009 2:36:31 μμ - Configured QuickTime
RP786: 10/7/2009 2:41:05 μμ - Removed Adobe Photoshop Album Starter Edition 3.0
RP787: 11/7/2009 12:40:41 μμ - Installed Diskeeper Lite
RP788: 11/7/2009 1:18:13 μμ - Removed Diskeeper Lite
RP789: 11/7/2009 1:39:14 μμ - Installed Diskeeper Lite
RP790: 11/7/2009 1:41:32 μμ - Removed Diskeeper Lite
RP791: 13/7/2009 9:10:40 πμ - Σημείο ελέγχου συστήματος
RP792: 14/7/2009 9:39:40 μμ - Σημείο ελέγχου συστήματος
RP793: 15/7/2009 6:48:32 μμ - Software Distribution Service 3.0
RP794: 17/7/2009 1:11:55 μμ - Software Distribution Service 3.0
RP795: 17/7/2009 7:25:08 μμ - Software Distribution Service 3.0
RP796: 17/7/2009 7:59:42 μμ - Λειτουργία επαναφοράς
RP797: 17/7/2009 9:11:49 μμ - Software Distribution Service 3.0
RP798: 19/7/2009 12:37:10 πμ - Σημείο ελέγχου συστήματος
RP799: 19/7/2009 3:24:23 μμ - Installed Windows Internet Explorer 8.
RP800: 19/7/2009 3:28:00 μμ - Software Distribution Service 3.0
RP801: 20/7/2009 6:03:50 μμ - Σημείο ελέγχου συστήματος
RP802: 21/7/2009 1:47:15 μμ - Removed Kazaa 3.2.7
RP803: 29/7/2009 11:34:05 μμ - Software Distribution Service 3.0
RP804: 4/8/2009 7:36:13 μμ - Σημείο ελέγχου συστήματος
RP805: 6/8/2009 5:12:59 μμ - Λειτουργία επαναφοράς
RP806: 6/8/2009 5:37:52 μμ - Λειτουργία επαναφοράς
RP807: 6/8/2009 5:50:52 μμ - Λειτουργία επαναφοράς
RP808: 7/8/2009 12:00:56 πμ - Software Distribution Service 3.0
==== Installed Programs ======================
Βοηθός εισόδου του Windows Live
Εργαλείο αποστολής του Windows Live
Ε9 Δήλωση στοιχείων Ακινήτων 2008 v1
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB938127)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB950759)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB958215)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB960714)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB961260)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB963027)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB969897)
Ενημέρωση ασφαλείας για Windows Internet Explorer 7 (KB972260)
Ενημέρωση ασφαλείας για Windows XP (KB923561)
Ενημέρωση ασφαλείας για Windows XP (KB938464-v2)
Ενημέρωση ασφαλείας για Windows XP (KB938464)
Ενημέρωση ασφαλείας για Windows XP (KB946648)
Ενημέρωση ασφαλείας για Windows XP (KB950760)
Ενημέρωση ασφαλείας για Windows XP (KB950762)
Ενημέρωση ασφαλείας για Windows XP (KB950974)
Ενημέρωση ασφαλείας για Windows XP (KB951066)
Ενημέρωση ασφαλείας για Windows XP (KB951376-v2)
Ενημέρωση ασφαλείας για Windows XP (KB951376)
Ενημέρωση ασφαλείας για Windows XP (KB951698)
Ενημέρωση ασφαλείας για Windows XP (KB951748)
Ενημέρωση ασφαλείας για Windows XP (KB952004)
Ενημέρωση ασφαλείας για Windows XP (KB952954)
Ενημέρωση ασφαλείας για Windows XP (KB953839)
Ενημέρωση ασφαλείας για Windows XP (KB954211)
Ενημέρωση ασφαλείας για Windows XP (KB954459)
Ενημέρωση ασφαλείας για Windows XP (KB954600)
Ενημέρωση ασφαλείας για Windows XP (KB955069)
Ενημέρωση ασφαλείας για Windows XP (KB956391)
Ενημέρωση ασφαλείας για Windows XP (KB956572)
Ενημέρωση ασφαλείας για Windows XP (KB956802)
Ενημέρωση ασφαλείας για Windows XP (KB956803)
Ενημέρωση ασφαλείας για Windows XP (KB956841)
Ενημέρωση ασφαλείας για Windows XP (KB957097)
Ενημέρωση ασφαλείας για Windows XP (KB958644)
Ενημέρωση ασφαλείας για Windows XP (KB958687)
Ενημέρωση ασφαλείας για Windows XP (KB958690)
Ενημέρωση ασφαλείας για Windows XP (KB959426)
Ενημέρωση ασφαλείας για Windows XP (KB960225)
Ενημέρωση ασφαλείας για Windows XP (KB960715)
Ενημέρωση ασφαλείας για Windows XP (KB960803)
Ενημέρωση ασφαλείας για Windows XP (KB961371)
Ενημέρωση ασφαλείας για Windows XP (KB961373)
Ενημέρωση ασφαλείας για Windows XP (KB961501)
Ενημέρωση ασφαλείας για Windows XP (KB968537)
Ενημέρωση ασφαλείας για Windows XP (KB969898)
Ενημέρωση ασφαλείας για Windows XP (KB970238)
Ενημέρωση ασφαλείας για Windows XP (KB971633)
Ενημέρωση ασφαλείας για Windows XP (KB973346)
Ενημέρωση για Windows XP (KB951072-v2)
Ενημέρωση για Windows XP (KB951978)
Ενημέρωση για Windows XP (KB955839)
Ενημέρωση για Windows XP (KB961503)
Ενημέρωση για Windows XP (KB967715)
Ενημερωμένη έκδοση ασφαλείας για Windows XP (KB923689)
Ενημερωμένη έκδοση ασφαλείας για Windows XP (KB941569)
Ενημερωμένη έκδοση ασφαλείας για το Windows Media Player (KB911564)
Ενημερωμένη έκδοση ασφαλείας για το Windows Media Player (KB952069)
Ενημερωμένη έκδοση ασφαλείας για το Windows Media Player 6.4 (KB925398)
Ενημερωμένη έκδοση ασφαλείας για το Windows Media Player 9 (KB911565)
Ενημερωμένη έκδοση ασφαλείας για το Windows Media Player 9 (KB917734)
Ενημερωμένη έκδοση ασφαλείας για το Windows Media Player 9 (KB936782)
Επείγουσα επιδιόρθωση για Windows XP (KB952287)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Any Video Converter 2.7.5
AoA Audio Extractor 1.0
AOpen Multimedia Utilities
Ashampoo Burning Studio 6 FREE
Audiovisual
Autodesk DWF Viewer
C-Major Audio
CCleaner (remove only)
Choice Guard
CometBird (3.0.10)
CPUID CPU-Z 1.52.1
Defraggler (remove only)
DVD Decrypter (Remove Only)
DVD Identifier
eDrawings 2008
ERUNT 1.1j
HijackThis 2.0.2
ImgBurn
InPorte Home
Java(TM) 6 Update 13
K-Lite Codec Pack 4.7.0 (Full)
Kazaa 3.2.7
Lexmark 510 Series
Macromedia Flash Player 8
MetFileRegenerator v3.0.16
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional με FrontPage
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.5.2)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MyDVD
NVIDIA Display Driver
PowerDVD
Radar Sync Bar
Runtime 8.0 Libraries
Security Update for CAPICOM (KB931906)
Segoe UI
Smart Defrag 1.20
Sonic DLA
Sonic RecordNow DX
Sonic Simple Backup
Sonic Update Manager
Space Invaders '96 : The Year We Make Contact
Spybot - Search & Destroy
Spybot - Search & Destroy 1.3
VideoLAN VLC media player 0.8.6
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR 3.70 Εφαρμογή Διαχείρισης Συμπιεσμένων Αρχείων
==== End Of File ===========================
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)
Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)
Important! Please do not select the "Show all" checkbox during the scan.
in_the_woods
2009-08-11, 17:20
Hi Shaba,
I am disappointed as the computer crashes over and over again before the scan is completed. Sometimes in the first two minutes, sometimes after 15-16 minutes of scanning, in both modes, safe and normal.
Might be driver/heat/hardware problem, hard to say.
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
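The logs requested here are read by eye in this thread. As an added example that is not part of the thread, of HijackThis or of ComboFix, the Python script below parses the HijackThis entry format and applies the first checks a helper makes: orphaned "(no file)" entries, O4 autostarts outside a small allowlist, O16 downloaded ActiveX controls and O17 DNS server overrides. The sample log lines are constructed from the entry formats posted in this thread, and RUN_ALLOWLIST is an assumption for illustration only, not a vetted list of known-good autostarts.

```python
"""Triage helper for HijackThis 2.x logs.

Added example, not a tool from this thread or from HijackThis: it splits a
log into its numbered entries (R0, O2, O4, ...) and reports the ones a forum
helper reviews first. RUN_ALLOWLIST is a constructed illustration, not a
vetted database of known-good autostarts.
"""
import re
from typing import Dict, List, Tuple

# Every HijackThis finding starts with a section code such as R0, F2, N1 or O4.
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 registry autostarts look like: HKLM\..\Run: [Name] command line
RUN_ENTRY = re.compile(r"^HK[\w\\.-]*\\Run[^:]*: \[(?P<name>[^\]]+)\] ?(?P<cmd>.*)$")

# Constructed: Run-key names treated as known-good for this demo only.
RUN_ALLOWLIST = {"NvCplDaemon", "nwiz", "CTFMON.EXE"}

# Constructed sample, modelled on the entry formats posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mech.ntua.gr/gr
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {A0CC33E0-9DF0-4361-A94D-E55C4008788F} (BiosAgentPlus ActiveX Control) - http://biosagentplus.com/files/biosagentplus.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63D0C496-2805-4133-96DE-A217E53D116A}: NameServer = 194.219.227.2,193.92.150.3
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (code, body) pairs for every numbered entry; other lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage(entries: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Apply the review rules a helper applies by eye; return the hits in log order."""
    findings: List[Dict[str, str]] = []
    for code, body in entries:
        if "(no file)" in body:
            # BHO/toolbar/button whose DLL is gone: leftover from a removal, safe to clean.
            reason = "orphaned entry, target file is missing"
        elif code == "O4":
            run = RUN_ENTRY.match(body)
            if run and run.group("name") in RUN_ALLOWLIST:
                continue  # known-good autostart, nothing to report
            reason = "autostart not on the allowlist; verify the executable"
        elif code == "O16":
            reason = "ActiveX control downloaded from the web; confirm the site is expected"
        elif code == "O17":
            servers = body.partition("NameServer =")[2].strip() or body
            reason = f"DNS servers {servers}; confirm they belong to your ISP"
        else:
            continue  # R/F/N and the remaining O sections are not flagged by this demo
        findings.append({"code": code, "reason": reason, "entry": body})
    return findings


def main() -> None:
    for hit in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{hit['code']:>3}  {hit['reason']}\n     {hit['entry']}")


if __name__ == "__main__":
    main()
```

On the constructed sample the script reports five entries (the orphaned O3 toolbar, the two non-allowlisted O4 autostarts, the O16 download and the O17 DNS servers) and stays silent on the NVIDIA autostart, the Spybot BHO and the O23 service. Real triage replaces the allowlist with a maintained list and adds checks for the remaining sections; the point of the example is the parsing and the rule layout, not the rule set.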
in_the_woods
2009-08-11, 20:51
Earlier in the morning I assumed that perhaps insufficient heat dissipation is causing these crashes. I tried this "insane" approach: removed the sides of the case, placed the pc under an air conditioner, set the air conditioner to its lowest temperature and highest speed, placed a desktop fan close to the cpu in order to "push" the air flow from the air conditioner to the cpu (am I losing my mind Shaba? :scratch: ). It didn't change anything although the heat sink was constantly cold.
ComboFix did not attempt to install the Microsoft Windows Recovery Console so I manually installed it afterwards. The computer once again shut down and restarted after ComboFix had finished running. I remember the screen stating that it is preparing the log report, I moved away from the pc for a few seconds and saw the pc restarting again when I returned. I searched for the combofix.txt and found it in the combofix folder. I then performed a HijackThis scan and started preparing my reply but when I searched again for the combofix.txt it had mysteriously disappeared :scratch: I then decided to run combofix once again. While it was running I realised that what I was doing was a mistake and that I should report back here and wait for further instructions but it was too late, so I let combofix finish its job. This time it did finish and produced a combofix.txt.
Shaba, I am including in this reply: the first HJT log (the one produced after the first incomplete run of combofix), the combofix log (the only one I have, produced after the second successful run of combofix) and the second HJT log (produced after the second successful run of combofix). Before losing that first combofix log I opened it and remember seeing under ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) pretty much the same items that the second combofix log has under "Other Deletions". I don't think that it had anything else than ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).
first HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:51 μμ, on 11/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\admin\Επιφάνεια εργασίας\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mech.ntua.gr/gr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: PartMetBackup.lnk.disabled
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A0CC33E0-9DF0-4361-A94D-E55C4008788F} (BiosAgentPlus ActiveX Control) - http://biosagentplus.com/files/biosagentplus.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63D0C496-2805-4133-96DE-A217E53D116A}: NameServer = 194.219.227.2,193.92.150.3
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 5131 bytes
combofix log
ComboFix 09-08-10.06 - admin 11/08/2009 19:36:48.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1253.30.1032.18.511.143 [GMT 3:00]
Running from: C:\Documents and Settings\admin\Επιφάνεια εργασίας\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\\setup.exe
C:\Program Files\autorun.inf
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
C:\Program Files\Need2Find\bar\History\search
C:\Program Files\RXToolBar\Cache\CTwww_qklinkserver_com_activity_in_asp_bid=6900NC
C:\Program Files\RXToolBar\CacheCatalog.rx
C:\Program Files\RXToolBar\graphics\additional.gif
C:\Program Files\RXToolBar\graphics\additional_active.gif
C:\Program Files\RXToolBar\graphics\background.jpg
C:\Program Files\RXToolBar\graphics\blue_hr_horz.GIF
C:\Program Files\RXToolBar\graphics\gray_hr_horz.GIF
C:\Program Files\RXToolBar\graphics\Thumbs.db
C:\Program Files\RXToolBar\graphics\thumbtack.gif
C:\Program Files\RXToolBar\graphics\thumbtack_active.gif
C:\Program Files\RXToolBar\graphics\thumbtack_click.gif
C:\Program Files\RXToolBar\HTML\content.htm
C:\Program Files\RXToolBar\HTML\main.htm
C:\Program Files\RXToolBar\rx.xml
C:\Program Files\RXToolBar\rxtoolbar.cfg
C:\Program Files\RXToolBar\RXToolBar.dll
C:\Program Files\RXToolBar\rxwebsearches.xsl
C:\Program Files\RXToolBar\sfcont.bin
C:\Program Files\RXToolBar\yahoo.xsl
C:\WINDOWS\Ινδιάνος .bmp
C:\WINDOWS\a3kebook.ini
C:\WINDOWS\akebook.ini
C:\WINDOWS\ANS2000.INI
C:\WINDOWS\cdmxtras\uninst.exe
C:\WINDOWS\Fonts\acrsec.fon
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\Installer\3bfdd9.msp
C:\WINDOWS\Installer\6fdd59.msp
C:\WINDOWS\Installer\6fdd5a.msp
C:\WINDOWS\Installer\6fdd5b.msp
C:\WINDOWS\Installer\6fdd5c.msp
C:\WINDOWS\Installer\6fdd5d.msp
C:\WINDOWS\Installer\6fdd5e.msp
C:\WINDOWS\Installer\6fdd5f.msp
C:\WINDOWS\Installer\6fdd60.msp
C:\WINDOWS\Installer\6fdd61.msp
C:\WINDOWS\Installer\821701.msi
C:\WINDOWS\smdat32m.sys
.
((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
.
2009-08-09 18:27:58 . 2009-08-09 18:27:58 0 d-----w- C:\Program Files\CPUID
2009-08-09 18:27:58 . 2009-03-26 22:16:28 12672 ----a-w- C:\WINDOWS\system32\drivers\cpuz132_x32.sys
2009-08-09 12:25:48 . 2009-08-09 12:33:36 0 d-----w- C:\Program Files\ERUNT
2009-08-09 11:10:50 . 2009-08-09 11:11:53 0 d-----w- C:\katevasmata
2009-08-08 17:46:16 . 2009-08-08 17:46:17 0 d-----w- C:\Program Files\DVD Identifier
2009-08-08 11:37:50 . 2009-08-08 11:37:50 0 d-----w- C:\Documents and Settings\admin\Application Data\Ashampoo
2009-08-08 11:37:42 . 2009-08-08 11:37:42 0 d-----w- C:\Documents and Settings\All Users\Application Data\ashampoo
2009-08-08 11:37:42 . 2009-08-08 11:37:42 0 d-----w- C:\Documents and Settings\admin\Local Settings\Application Data\ashampoo
2009-08-08 11:37:33 . 2009-08-08 11:37:33 0 d-----w- C:\Program Files\Ashampoo
2009-08-06 15:06:32 . 2009-08-06 15:06:32 0 d-----w- C:\WINDOWS\system32\wbem\Repository
2009-08-06 15:04:18 . 2009-08-06 15:04:18 0 d-----w- C:\Program Files\Incoming
2009-07-21 10:03:40 . 2009-08-06 15:01:17 0 d-----w- C:\Documents and Settings\admin\Application Data\uTorrent
2009-07-19 15:00:45 . 2009-07-19 15:00:45 0 d-----w- C:\Documents and Settings\Administrator.JESUS-CHRIST.001\IETldCache
2009-07-19 13:07:09 . 2009-07-19 13:07:09 0 d-----w- C:\Documents and Settings\LocalService\IETldCache
2009-07-19 13:04:45 . 2009-07-19 13:04:45 0 d-----w- C:\Program Files\Panda Security
2009-07-19 12:55:36 . 2009-07-19 12:55:36 0 d-----w- C:\Program Files\Safer Networking
2009-07-19 12:31:10 . 2009-07-19 12:33:30 0 d-----w- C:\WINDOWS\ie8updates
2009-07-18 09:13:21 . 2009-08-06 15:04:22 0 d-----w- C:\Program Files\nandub
2009-07-17 18:42:26 . 2009-07-17 18:42:26 0 d-----w- C:\Documents and Settings\Administrator.JESUS-CHRIST.001\Local Settings\Application Data\Mozilla
2009-07-17 18:41:45 . 2009-08-06 15:05:02 0 d-----w- C:\Documents and Settings\Administrator.JESUS-CHRIST.001\Local Settings\Application Data\Microsoft
2009-07-17 18:41:42 . 2009-08-06 15:05:04 0 d-s---w- C:\Documents and Settings\Administrator.JESUS-CHRIST.001
2009-07-17 17:02:33 . 2009-07-17 17:02:33 0 d-----w- C:\Documents and Settings\admin\Application Data\Sony Ericsson
2009-07-17 17:02:33 . 2009-07-17 17:02:33 0 d-----w- C:\Documents and Settings\admin\Application Data\QA International
2009-07-17 17:01:19 . 2009-07-17 17:01:19 0 d-----w- C:\Program Files\CosmoSoftware
2009-07-17 16:58:32 . 2009-07-17 16:58:32 0 d-----w- C:\Documents and Settings\Administrator.JESUS-CHRIST.000\IETldCache
2009-07-17 16:58:11 . 2009-07-17 17:00:06 0 d-----w- C:\Documents and Settings\Administrator.JESUS-CHRIST.000\Local Settings\Application Data\Microsoft
2009-07-17 16:58:08 . 2009-07-17 17:00:11 0 d-s---w- C:\Documents and Settings\Administrator.JESUS-CHRIST.000
2009-07-17 16:44:25 . 2009-07-17 16:44:25 0 d-----w- C:\Documents and Settings\admin\IECompatCache
2009-07-17 16:43:37 . 2009-07-17 16:43:37 0 d-----w- C:\Documents and Settings\admin\PrivacIE
2009-07-17 16:38:06 . 2009-07-17 16:38:06 0 d-----w- C:\Documents and Settings\admin\IETldCache
2009-07-17 16:30:17 . 2009-08-06 15:03:56 0 dc----w- C:\WINDOWS\ie8
2009-07-17 12:50:01 . 2009-07-17 17:01:10 0 d-s---w- C:\Documents and Settings\γιώργος
2009-07-15 18:48:40 . 2009-07-17 17:02:36 0 d-----w- C:\Documents and Settings\Administrator.JESUS-CHRIST\Local Settings\Application Data\Microsoft
2009-07-15 18:48:37 . 2009-07-17 17:02:38 0 d-s---w- C:\Documents and Settings\Administrator.JESUS-CHRIST
2009-07-15 08:26:15 . 2009-07-15 08:30:17 0 d-----w- C:\Program Files\nandub-binary-1.0rc1
2009-07-14 08:47:53 . 2009-08-06 15:04:14 0 d-----w- C:\Documents and Settings\admin\Application Data\ImgBurn
2009-07-14 08:26:45 . 2009-07-14 08:27:10 0 d-----w- C:\Program Files\ImgBurn
2009-07-13 07:21:58 . 2009-07-18 08:54:16 0 d-----w- C:\Documents and Settings\admin\Application Data\Any Video Converter
2009-07-13 07:21:52 . 2009-07-13 07:22:26 0 d-----w- C:\Program Files\Any Video Converter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-11 14:47:49 . 2004-12-16 14:26:06 0 d-----w- C:\Program Files\Spybot - Search & Destroy
2009-08-09 11:17:19 . 2006-12-23 20:24:55 0 d-----w- C:\Program Files\BitComet
2009-08-09 11:14:12 . 2004-12-16 14:26:07 0 d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-08 11:37:03 . 2009-04-29 13:34:44 0 d-----w- C:\Documents and Settings\admin\Application Data\mIRC
2009-08-08 11:19:37 . 2009-04-29 13:34:44 0 d-----w- C:\Program Files\mIRC
2009-08-06 15:12:01 . 2008-10-08 12:55:16 0 d-----w- C:\Program Files\Winamp
2009-08-06 15:04:14 . 2008-12-28 19:33:49 0 d-----w- C:\Documents and Settings\admin\Application Data\dvdcss
2009-07-21 10:47:49 . 2004-09-08 08:15:54 0 d-----w- C:\Program Files\Common Files\InstallShield
2009-07-21 07:24:27 . 2003-04-17 12:00:00 88668 ----a-w- C:\WINDOWS\system32\perfc008.dat
2009-07-21 07:24:27 . 2003-04-17 12:00:00 513760 ----a-w- C:\WINDOWS\system32\perfh008.dat
2009-07-16 08:36:49 . 2009-04-18 09:16:11 0 d-----w- C:\Program Files\CometBird
2009-07-11 14:23:53 . 2009-07-11 14:23:56 23600 ----a-w- C:\WINDOWS\system32\drivers\TVICHW32.SYS
2009-07-11 14:04:50 . 2009-07-11 14:04:50 0 d-----w- C:\Program Files\hw32_301_326
2009-07-11 10:42:40 . 2009-07-11 10:37:55 0 d-----w- C:\Program Files\Absolute Uninstaller
2009-07-11 10:38:06 . 2009-07-11 10:38:06 0 d-----w- C:\Documents and Settings\admin\Application Data\GlarySoft
2009-07-11 10:07:43 . 2009-07-11 10:07:42 0 d-----w- C:\Program Files\Defraggler
2009-07-11 08:13:16 . 2009-07-07 11:34:35 0 d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-10 20:31:07 . 2009-07-10 20:31:07 0 d-----w- C:\Program Files\IObit
2009-07-10 20:29:56 . 2009-07-10 20:29:56 0 d-----w- C:\Documents and Settings\admin\Application Data\IObit
2009-07-10 20:04:48 . 2009-07-10 20:04:44 0 d-----w- C:\Program Files\CCleaner
2009-07-10 13:45:54 . 2009-03-01 20:02:20 0 d-----w- C:\Program Files\MetFileRegenerator
2009-07-10 12:02:47 . 2008-04-25 16:11:59 0 d-----w- C:\Program Files\MediaBrowser
2009-07-10 11:39:15 . 2004-09-08 08:15:57 0 d--h--w- C:\Program Files\InstallShield Installation Information
2009-07-10 11:28:36 . 2007-02-25 17:25:09 0 d-----w- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2009-07-07 11:36:59 . 2009-07-07 11:34:24 0 d-----w- C:\Program Files\AoA Audio Extractor
2009-06-29 15:58:52 . 2004-08-23 18:35:30 827392 ----a-w- C:\WINDOWS\system32\wininet.dll
2009-06-29 15:58:49 . 2004-09-04 13:45:03 78336 ----a-w- C:\WINDOWS\system32\ieencode.dll
2009-06-29 15:58:48 . 2003-04-17 12:00:00 17408 ----a-w- C:\WINDOWS\system32\corpol.dll
2009-06-18 13:08:22 . 2008-09-20 19:49:35 0 d-----w- C:\Program Files\E9App2008
2009-06-16 14:36:17 . 2003-04-17 12:00:00 119808 ----a-w- C:\WINDOWS\system32\t2embed.dll
2009-06-16 14:36:16 . 2003-04-17 12:00:00 81920 ----a-w- C:\WINDOWS\system32\fontsub.dll
2009-06-03 19:10:30 . 2004-09-08 08:26:19 1299456 ----a-w- C:\WINDOWS\system32\quartz.dll
2009-02-28 04:57:19 . 2009-02-28 04:57:19 5517160 ----a-w- C:\Program Files\bitcomet_setup.exe
2009-01-13 11:14:18 . 2009-01-13 11:14:15 3338372 ----a-w- C:\Program Files\cosmo_win95nt_eng.exe
2009-01-13 11:06:44 . 2009-01-13 11:06:43 1492727 ----a-w- C:\Program Files\SurfX3D.zip
2008-06-16 04:54:31 . 2008-06-16 04:52:37 411766 ----a-w- C:\Program Files\tetris_gy.exe
2008-04-25 15:48:03 . 2008-04-25 15:35:56 1233466 ----a-w- C:\Program Files\wrar371el.exe
2007-11-03 10:50:41 . 2007-11-03 09:04:01 348 ----a-w- C:\Program Files\downloads.txt
2007-11-03 10:49:45 . 2007-11-03 09:04:01 348 ----a-w- C:\Program Files\downloads.bak
2007-09-07 13:57:56 . 2007-09-07 13:57:56 136704 ----a-w- C:\Program Files\EModelZoomin.dll
2007-09-07 13:56:36 . 2007-09-07 13:56:36 91648 ----a-w- C:\Program Files\EModelViewer.exe
2007-09-07 13:56:16 . 2007-09-07 13:56:16 26624 ----a-w- C:\Program Files\edrwthumbnailprovider.dll
2007-09-07 13:55:44 . 2007-09-07 13:55:44 594944 ----a-w- C:\Program Files\eDrawingOfficeAutomator.exe
2007-09-07 13:55:38 . 2007-09-07 13:55:38 95744 ----a-w- C:\Program Files\EModelEx
2007-09-07 13:55:36 . 2007-09-07 13:55:36 133120 ----a-w- C:\Program Files\EModelExport.dll
2007-09-07 13:55:24 . 2007-09-07 13:55:24 6802944 ----a-w- C:\Program Files\EModelXlator.dll
2007-09-07 13:54:52 . 2007-09-07 13:54:52 733184 ----a-w- C:\Program Files\EModelSWDisplayLists.dll
2007-09-07 13:54:22 . 2007-09-07 13:54:22 814592 ----a-w- C:\Program Files\EModelReviewer.dll
2007-09-07 13:52:40 . 2007-09-07 13:52:40 135168 ----a-w- C:\Program Files\EModelMDReader.dll
2007-09-07 13:52:28 . 2007-09-07 13:52:28 71680 ----a-w- C:\Program Files\EModelEventLog.dll
2007-09-07 13:51:52 . 2007-09-07 13:51:52 2186240 ----a-w- C:\Program Files\EModelView.dll
2007-09-07 13:48:00 . 2007-09-07 13:48:00 57344 ----a-w- C:\Program Files\EModelUtilsVista.dll
2007-09-07 13:47:54 . 2007-09-07 13:47:54 249344 ----a-w- C:\Program Files\EModelUtils.dll
2007-09-07 13:47:32 . 2007-09-07 13:47:32 2814976 ----a-w- C:\Program Files\HoopsManager.dll
2007-09-07 13:43:46 . 2007-09-07 13:43:46 2680297 ----a-w- C:\Program Files\EModelAddIn.dll
2007-09-07 12:53:22 . 2007-09-07 12:53:22 7168 ----a-w- C:\Program Files\eulaedrawing.txt
2007-09-07 12:52:52 . 2007-09-07 12:52:52 161412 ----a-w- C:\Program Files\GTOL.SYM
2007-09-07 12:51:12 . 2007-09-07 12:51:12 509472 ----a-w- C:\Program Files\swlicservinst.exe
2007-09-07 12:51:12 . 2007-09-07 12:51:12 299552 ----a-w- C:\Program Files\solidworkslicenseservice.dll
2007-09-07 12:50:20 . 2007-09-07 12:50:20 17920 ----a-w- C:\Program Files\IMPLODE.DLL
2006-05-20 09:24:59 . 2006-05-20 09:24:59 447088 ----a-w- C:\Program Files\AluriaLiteScannerInstall.exe
2006-03-10 19:55:59 . 2008-04-25 16:11:59 300 ----a-w- C:\Program Files\acadcd.mid
2006-02-01 08:00:00 . 2006-02-01 07:57:27 1400248 ----a-w- C:\Program Files\spybotsd_includes.exe
2006-02-01 07:46:48 . 2006-02-01 07:46:27 789515 ----a-w- C:\Program Files\spybotsd14.exe
2006-01-24 20:26:20 . 2008-04-25 16:11:59 429 ----a-w- C:\Program Files\MediaBrowser.ini
2005-08-09 09:57:42 . 2005-08-09 09:57:38 1211083 ----a-w- C:\Program Files\abcexcel.zip
2004-10-21 17:38:02 . 2008-04-25 16:11:59 126976 ----a-w- C:\Program Files\MediaBrowser.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2003-11-17 02:33:00 3022848]
"nwiz"="nwiz.exe" - C:\WINDOWS\system32\nwiz.exe [2003-11-17 02:33:00 753664]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 16:30:27 15360]
C:\Documents and Settings\admin\Start Menu\Προγράμματα\Εκκίνηση\
PartMetBackup.lnk.disabled [2009-3-1 1922]
PowerReg Scheduler V3.exe [2004-10-4 225280]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Adobe Reader Speed Launch.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Adobe Reader Speed Launch.lnk.disabled
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Microsoft Office.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Microsoft Office.lnk.disabled
backup=C:\WINDOWS\pss\Microsoft Office.lnk.disabledCommon Startup
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Copernic Desktop Search"="C:\Program Files\Copernic Desktop Search\CopernicDesktopSearch.exe" /tray
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"P2P Networking"=C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe
"AGRSMMSG"=AGRSMMSG.exe
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\AOpen\\Multimedia Utilities\\LIVEUPD.EXE"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\BitComet\\plugin_emule\\plugin_eMule.exe"=
"C:\\Program Files\\M_I_R_C_\\mirc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"20720:TCP"= 20720:TCP:BitComet 20720 TCP
"20720:UDP"= 20720:UDP:BitComet 20720 UDP
"60006:TCP"= 60006:TCP:BitComet 60006 TCP(ED2K)
"60006:UDP"= 60006:UDP:BitComet 60006 UDP(ED2K)
S1 HWiNFO32;HWiNFO32 Kernel Driver;\??\C:\DOCUME~1\admin\LOCALS~1\Temp\HWiNFO32.SYS --> C:\DOCUME~1\admin\LOCALS~1\Temp\HWiNFO32.SYS [?]
S3 cpuz132;cpuz132;C:\WINDOWS\system32\drivers\cpuz132_x32.sys [9/8/2009 9:27:58 μμ 12672]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\drivers\ggflt.sys [23/9/2008 9:20:35 μμ 13352]
S3 SE2Fbus;Sony Ericsson Device 047 Driver driver (WDM);C:\WINDOWS\system32\drivers\SE2Fbus.sys [25/2/2007 8:44:51 μμ 61600]
S3 SE2Fmdfl;Sony Ericsson Device 047 USB WMC Modem Filter;C:\WINDOWS\system32\drivers\SE2Fmdfl.sys [25/2/2007 8:45:01 μμ 9360]
S3 SE2Fmdm;Sony Ericsson Device 047 USB WMC Modem Driver;C:\WINDOWS\system32\drivers\SE2Fmdm.sys [25/2/2007 8:45:00 μμ 97184]
S3 SE2Fmgmt;Sony Ericsson Device 047 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\drivers\SE2Fmgmt.sys [25/2/2007 8:45:59 μμ 88688]
S3 se2Fnd5;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (NDIS);C:\WINDOWS\system32\drivers\se2Fnd5.sys [25/2/2007 8:46:10 μμ 18704]
S3 SE2Fobex;Sony Ericsson Device 047 USB WMC OBEX Interface;C:\WINDOWS\system32\drivers\SE2Fobex.sys [25/2/2007 8:45:48 μμ 86560]
S3 se2Funic;Sony Ericsson Device 047 USB Ethernet Emulation SEMC47 (WDM);C:\WINDOWS\system32\drivers\se2Funic.sys [25/2/2007 8:46:06 μμ 90800]
.
Contents of the 'Scheduled Tasks' folder
2009-07-10 C:\WINDOWS\Tasks\SmartDefrag.job
- C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-07-10 20:31:08 . 2009-07-02 06:22:24]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-P2P Networking - C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mech.ntua.gr/gr
uInternet Connection Wizard,ShellNext = iexplore
IE: &eBay Search - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: Ε&ξαγωγή στο Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {63D0C496-2805-4133-96DE-A217E53D116A} = 194.219.227.2,193.92.150.3
DPF: {A0CC33E0-9DF0-4361-A94D-E55C4008788F} - hxxp://biosagentplus.com/files/biosagentplus.cab
FF - ProfilePath - C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\if238me7.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.spybot.info/showthread.php?t=50650
---- FIREFOX POLICIES ----
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
second HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:51 μμ, on 11/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\admin\Επιφάνεια εργασίας\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mech.ntua.gr/gr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: PartMetBackup.lnk.disabled
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A0CC33E0-9DF0-4361-A94D-E55C4008788F} (BiosAgentPlus ActiveX Control) - http://biosagentplus.com/files/biosagentplus.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63D0C496-2805-4133-96DE-A217E53D116A}: NameServer = 194.219.227.2,193.92.150.3
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 5131 bytes
in_the_woods
2009-08-11, 21:21
:oops: I just realised that when running HJT for the second time it replaced the first HJT log with the fresh one, so I have posted the second HJT log twice. I am sorry, Shaba.
Here is an even fresher HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:03 μμ, on 11/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\admin\Επιφάνεια εργασίας\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mech.ntua.gr/gr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: PartMetBackup.lnk.disabled
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A0CC33E0-9DF0-4361-A94D-E55C4008788F} (BiosAgentPlus ActiveX Control) - http://biosagentplus.com/files/biosagentplus.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63D0C496-2805-4133-96DE-A217E53D116A}: NameServer = 194.219.227.2,193.92.150.3
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 5131 bytes
Before we continue, I have to ask: is this Desktop?
Επιφάνεια εργασίας
in_the_woods
2009-08-11, 22:17
Yes, it is the desktop.
Microsoft Windows Recovery Console is installed, but the black screen that offers the option to boot into recovery console mode lasts so briefly that, in case we need it, I don't think I will be able to select it.
Then please move HijackThis into its own folder on the Desktop.
After that:
Looking over your log, it seems you don't have any evidence of an anti-virus software.
Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors NOW:
1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.
You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.
Post back a fresh HijackThis log afterwards, please.
in_the_woods
2009-08-12, 10:17
Good morning Shaba,
I created a folder on the desktop and moved HiJackThis.exe into this new folder.
I downloaded avast! 4.8 antivirus and scanned my pc with it. It found various infections and when it asked me, I decided to quarantine them because I wanted to consult you first. I am posting a fresh HJT log and the avast log.
P.S. In the avast log, "einai molysmeno apo" means "is infected by", "Metakinithike sto Kibotio" means "was moved to the box". These are Greek words written with English characters.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:23 πμ, on 12/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\admin\Επιφάνεια εργασίας\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mech.ntua.gr/gr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: PartMetBackup.lnk.disabled
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A0CC33E0-9DF0-4361-A94D-E55C4008788F} (BiosAgentPlus ActiveX Control) - http://biosagentplus.com/files/biosagentplus.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63D0C496-2805-4133-96DE-A217E53D116A}: NameServer = 194.219.227.2,193.92.150.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 5902 bytes
12/08/2009 08:52
Sarosi olon ton topikon odigon
Arxeio C:\katevasmata\streamviewer.45019.exe einai molysmeno apo Win32:FakeAV-KI [Trj], Metakinithike sto Kibotio
Arxeio C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll.vir einai molysmeno apo Win32:Adware-gen [Adw], Metakinithike sto Kibotio
Arxeio C:\Qoobox\Quarantine\C\Program Files\RXToolBar\RXToolBar.dll.vir einai molysmeno apo Win32:Adware-gen [Adw], Metakinithike sto Kibotio
Arxeio C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP786\A0911224.DLL einai molysmeno apo Win32:Spyware-gen [Trj], Metakinithike sto Kibotio
Arxeio C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP786\A0911225.DLL einai molysmeno apo Win32:Adware-gen [Adw], Metakinithike sto Kibotio
Arxeio C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP786\A0911231.DLL einai molysmeno apo Win32:Findbar [Adw], Metakinithike sto Kibotio
Arxeio C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP786\A0912229.dll einai molysmeno apo Win32:Findbar [Adw], Metakinithike sto Kibotio
Arxeio C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP797\A0952637.exe einai molysmeno apo Win32:FakeAV-KI [Trj], Metakinithike sto Kibotio
Arxeio C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP809\A1011313.dll einai molysmeno apo Win32:Adware-gen [Adw], Metakinithike sto Kibotio
Arxeio C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP809\A1011315.dll einai molysmeno apo Win32:Adware-gen [Adw], Metakinithike sto Kibotio
Arxeio C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP812\A1013534.exe einai molysmeno apo Win32:FakeAV-KI [Trj], Metakinithike sto Kibotio
Arxeio C:\WINDOWS\Downloaded Program Files\WebP2PInstaller3.dll einai molysmeno apo Win32:Adware-gen [Adw], Metakinithike sto Kibotio
Arxeio C:\WINDOWS\system32\P2P Networking v1263.cpl einai molysmeno apo Win32:Lineage-197 [Trj], Metakinithike sto Kibotio
Arithmos arithmimenon arxeion: 5122
Arithmos elegmenon arxeion: 70786
Arithmos molysmenon arxeion: 13
Open HijackThis, click do a system scan only and checkmark these:
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
Close all windows including browser and press fix checked.
Reboot.
Note: You can use Internet Explorer or Mozilla Firefox for this scan!
If using Mozilla Firefox you will need to download "esetsmartinstaller_enu.exe" when prompted ... double click it, to install.
Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
Please go to ESET Online Scanner (http://www.eset.eu/online-scanner) - ESET All Rights Reserved... to run an online scan.
** Make sure you are using an account that has Administrative privileges **
Press the "ESET Online Scanner" button.
Check the box next to "YES, I accept the Terms of Use."... then click "Start".
Click Yes... at the run ActiveX prompt. Click Install... at the install ActiveX prompt.
Once installed, the scanner will be initialized.
Click "Start". Make sure that the option Remove found threats is UNCHECKED.
Leave the "default" settings under Advanced as they are; if not set, place a check for:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Click "Start"... ESET scanner will begin to download the virus signatures database. (This takes a while)
When the signatures have been downloaded, the scan will start automatically.
Wait for the scan to finish... it will take a while... please be patient. When the scan is finished...
Use Notepad to open the log file located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste the contents of log.txt in your next reply.
Remember to enable your Anti-virus protection... before continuing!
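The two entries the helper asks to fix above show the pattern a responder looks for in every HijackThis log: an O3 toolbar registration with "(no file)" behind it (an orphaned entry), and an O4 autorun whose name matches something the antivirus already detected (avast flagged the P2P Networking control panel applet earlier in this thread). The script below is an added example, not part of this thread or of HijackThis itself; it parses the log format shown in the posts above and flags such entries automatically, and it also checks the O17 NameServer line against a list of resolvers you trust. The sample log, the list of unwanted names (taken from the avast detections in the thread) and the trusted resolvers passed to it are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Sequence

# A HijackThis entry starts with a section code (R0, R1, F0, N1, O2, O3, O4, O16, O17, O23, ...)
# followed by " - " and the entry body; header and running-process lines have no such prefix.
HJT_LINE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*)$")
NAMESERVER = re.compile(r"NameServer = (?P<servers>[\d.,]+)")

# Names seen in the avast detections earlier in this thread (constructed indicator list);
# matched case-insensitively as substrings of the entry body.
UNWANTED_NAMES = ("p2p networking", "rxtoolbar", "webp2pinstaller")

@dataclass
class Entry:
    section: str   # e.g. "O4"
    body: str      # everything after "O4 - "
    raw: str       # the original line, exactly as HijackThis printed it
    flags: List[str] = field(default_factory=list)

def parse_hjt(text: str) -> List[Entry]:
    """Return the structured entries of a HijackThis log, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append(Entry(m.group("sec"), m.group("body"), line))
    return entries

def triage(entries: Sequence[Entry], trusted_dns: Sequence[str] = ()) -> List[Entry]:
    """Flag entries worth a responder's attention. Flags are recomputed on every call."""
    hits = []
    for e in entries:
        flags = []
        low = e.body.lower()
        # Registration pointing at a file that no longer exists: leftover of a removed add-on.
        if "(no file)" in low:
            flags.append("orphan")
        # Autorun / BHO / service whose name matches a known unwanted program.
        if any(name in low for name in UNWANTED_NAMES):
            flags.append("known-unwanted")
        # O17 lines carry the DNS servers; a resolver you do not recognise is a hijack indicator.
        if e.section == "O17" and trusted_dns:
            m = NAMESERVER.search(e.body)
            if m and any(s not in trusted_dns for s in m.group("servers").split(",")):
                flags.append("unexpected-dns")
        e.flags = flags
        if flags:
            hits.append(e)
    return hits

def fix_list(hits: Sequence[Entry]) -> List[str]:
    """The raw lines to checkmark in HijackThis: orphans and known-unwanted entries.
    DNS findings are reported but not put on the fix list, because the correct resolver
    has to be confirmed with the ISP before the setting is changed."""
    return [e.raw for e in hits if {"orphan", "known-unwanted"} & set(e.flags)]

# Constructed sample: a few lines in the format of the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mech.ntua.gr/gr
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O16 - DPF: {A0CC33E0-9DF0-4361-A94D-E55C4008788F} (BiosAgentPlus ActiveX Control) - http://biosagentplus.com/files/biosagentplus.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63D0C496-2805-4133-96DE-A217E53D116A}: NameServer = 194.219.227.2,193.92.150.3
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    # Resolvers the user's ISP is known to hand out (here: the two from the thread's O17 line).
    hits = triage(parse_hjt(SAMPLE_LOG), trusted_dns=("194.219.227.2", "193.92.150.3"))
    for e in hits:
        print(f"{e.section:<4} {','.join(e.flags):<16} {e.body}")
    print("\nCheckmark in HijackThis and press 'Fix checked':")
    for line in fix_list(hits):
        print("  " + line)
```

Run against the sample, the script reports the O3 orphan and the P2P Networking autorun as the lines to checkmark, exactly the two the helper named, and stays silent on the O17 line because both resolvers are on the trusted list. Pass a different trusted list and the O17 line is reported as "unexpected-dns" without being added to the fix list.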
in_the_woods
2009-08-12, 16:37
ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6048
# api_version=3.0.2
# EOSSerial=41cf1039463a8d40955d46972f53363c
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-12 01:30:51
# local_time=2009-08-12 04:30:51 )
# country="Greece"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=769 37 100 100 23555781250
# scanned=50887
# found=0
# cleaned=0
# scan_time=1801
in_the_woods
2009-08-12, 16:39
The archive files box was unchecked so I left it that way.
That is fine. Please post also a fresh HijackThis log.
in_the_woods
2009-08-12, 19:04
Here it is, Shaba:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:42 μμ, on 12/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\admin\Επιφάνεια εργασίας\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mech.ntua.gr/gr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: PartMetBackup.lnk.disabled
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A0CC33E0-9DF0-4361-A94D-E55C4008788F} (BiosAgentPlus ActiveX Control) - http://biosagentplus.com/files/biosagentplus.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{63D0C496-2805-4133-96DE-A217E53D116A}: NameServer = 194.219.227.2,193.92.150.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
--
End of file - 5769 bytes
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Looking over your log, it seems you don't have any evidence of a third party firewall.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
Now let's uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Next we remove all used tools.
Please download OTCleanIt (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from the tutorial above.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. Tutorials on installing & using this product can be found below:
Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)
Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)
Happy surfing and stay clean! :bigthumb:
in_the_woods
2009-08-13, 13:47
Hi Shaba ,
Things are better as spybot search & destroy can finally run and scan the system :). Yesterday night it performed a scan and found some tracking cookies plus these:
Need2Find: [SBI $9EA9B2FF] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Need2Find
Need2Find: [SBI $C55EA721] Browser helper object (Registry key, fixed)
HKEY_USERS\S-1-5-21-746137067-1326574676-682003330-1004\SOFTWARE\Need2Find
MalwareCore: [SBI $006A9C3D] Program directory (Directory, fixed)
C:\Program Files\\Lang\
I scanned again this morning and one cookie was again present: DoubleClick: Tracking cookie (Firefox: admin (default)) (Cookie, fixed), although spybot search & destroy fixed it yesterday.
I tried the panda security online scanner once again and found some items. These were present at panda's first scan with the exception of Rootkit/Booto.C. I haven't been surfing much since we started here, don't know where that came from. Might they be false alarms? I include the log panda's scan produced. Some items are present at C:\System Volume Information\_restore so perhaps disabling and re-enabling the system restore as you advised me in your previous reply will fix these.
Sorry, I just want to be sure before proceeding with the instructions you gave me.
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-13 12:36:57
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.8.1335 [VPS 090812-0] 4.8.1335 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\appid\altnet signing module.exe
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{5830698F-7FC0-40CD-A453-9A0CAFDF3A64}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75}
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@atdmt[2].txt
00141436 Application/P2PNetworking HackTools No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP812\A1013535.cpl
00151738 W32/Lovgate.BU.worm Virus/Worm No 0 Yes No C:\fsc.tmp\driver\chipset\sis_chipset_ide_v2_04a_w2k_wxp\setupdir\0804\Mafia Trainer!!!.exe
00527204 Application/PRScheduler HackTools Yes 0 Yes No C:\Documents and Settings\admin\Start Menu\Προγράμματα\Εκκίνηση\PowerReg Scheduler V3.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP809\A1011333.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location @
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description @
;===================================================================================================================================================================================
;===================================================================================================================================================================================
"Some items are present at C:\System Volume Information\_restore so perhaps disabling and re-enabling the system restore as you advised me in your previous reply will fix these."
Yes it will. These look like false positives to me:
C:\fsc.tmp\driver\chipset\sis_chipset_ide_v2_04a_w2k_wxp\setupdir\0804\Mafia Trainer!!!.exe
C:\Documents and Settings\admin\Start Menu\Προγράμματα\Εκκίνηση\PowerReg Scheduler V3.exe
Please disable&re-enable system restore and tell me what Panda and Spybot find after that.
in_the_woods
2009-08-13, 16:50
The disable and re-enable of system restore seems to have fixed two items :thanks:
Spybot found the same cookie DoubleClick: Tracking cookie (Firefox: admin (default)) (Cookie, fixed) again, although it fixed it at the end of the previous scan.
Perhaps this information has some value:
a) PowerReg Scheduler V3.exe is 220KB, was created 4/10/2004, is located at C:\Documents and Settings\admin\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
b) Mafia Trainer!!!.exe is 104KB, created 8/9/2004, modified 26/3/2003
Is Programs\Startup a good place for PowerReg Scheduler V3.exe? Should I just delete it?
fresh panda scan log:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-13 15:23:35
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.8.1335 [VPS 090812-0] 4.8.1335 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\appid\altnet signing module.exe
00029258 application/altnet HackTools No 0 Yes No hkey_local_machine\software\classes\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}
00029258 application/altnet HackTools No 0 Yes No hkey_classes_root\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{5830698F-7FC0-40CD-A453-9A0CAFDF3A64}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75}
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438}
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@atdmt[2].txt
00151738 W32/Lovgate.BU.worm Virus/Worm No 0 Yes No C:\fsc.tmp\driver\chipset\sis_chipset_ide_v2_04a_w2k_wxp\setupdir\0804\Mafia Trainer!!!.exe
00527204 Application/PRScheduler HackTools Yes 0 Yes No C:\Documents and Settings\admin\Start Menu\Προγράμματα\Εκκίνηση\PowerReg Scheduler V3.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location 1
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 1
;===================================================================================================================================================================================
;===================================================================================================================================================================================
This (http://www.spybot.info/en/faq/37.html) will help for tracking cookies.
"Is Programs\Startup a good place for PowerReg Scheduler V3.exe? Should I just delete it?"
It is fine.
Please use the following link to download ERUNT (http://aumha.org/downloads/erunt-setup.exe)
Use the setup program to install ERUNT on your computer
Click Erunt.exe to backup your registry to the folder of your choice.
Note:to restore your registry, go to the folder and start ERDNT.exe
Open Notepad and copy the contents of the following box to a new file.
Windows Registry Editor Version 5.00
[-hkey_local_machine\software\classes\appid\altnet signing module.exe]
[-hkey_local_machine\software\classes\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}]
[-hkey_classes_root\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}]
[-HKEY_CLASSES_ROOT\TypeLib\{5830698F-7FC0-40CD-A453-9A0CAFDF3A64}
[-HKEY_CLASSES_ROOT\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75}]
[-HKEY_CLASSES_ROOT\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438}]
Save it as fix.reg (save type: "All files" (*.*)) to your desktop.
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Go to Desktop, double-click fix.reg and merge the information with the registry.
Reboot.
Rerun panda and post back findings, please.
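Registry Editor gives little feedback when it cannot parse a line of a .reg file, so a stray typo in a key-deletion file quietly leaves that key in place. The checker below is an added example, not part of the thread or any tool used in it: it validates the header and every `[...]` key line before a file like fix.reg is merged, and it is run here on the fix.reg text from the post above (embedded as the sample input), where it flags the TypeLib line that lacks its closing `]`.

```python
"""Sanity checks for small .reg files such as the fix.reg posted above.

Added example, not part of the original thread. The .reg text at the
bottom is copied from the post above and serves as the sample input.
"""
import re
from dataclasses import dataclass, field
from typing import List

REG_HEADER = "Windows Registry Editor Version 5.00"
ROOT_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER",
              "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
# A key line is "[path]" to create/open a key or "[-path]" to delete it.
KEY_LINE = re.compile(r"^\[(?P<delete>-?)(?P<path>[^\]]+)\]$")


@dataclass
class RegCheck:
    deletions: List[str] = field(default_factory=list)  # keys the file removes
    additions: List[str] = field(default_factory=list)  # keys the file creates
    errors: List[str] = field(default_factory=list)     # "line N: reason"

    def ok(self) -> bool:
        return not self.errors


def check_reg(text: str) -> RegCheck:
    """Parse a .reg file and report malformed lines instead of guessing."""
    result = RegCheck()
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        result.errors.append("line 1: missing or unexpected header")
    in_addition = False  # value lines are only legal under a "[path]" key
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            m = KEY_LINE.match(line)
            in_addition = False
            if not m:
                result.errors.append(f"line {lineno}: malformed key line (missing ']'?)")
                continue
            path = m.group("path")
            root, _, subkey = path.partition("\\")
            if root.upper() not in ROOT_HIVES:
                result.errors.append(f"line {lineno}: unknown root hive {root!r}")
                continue
            if m.group("delete"):
                if not subkey:
                    result.errors.append(f"line {lineno}: refusing to delete whole hive {root}")
                else:
                    result.deletions.append(path)
            else:
                result.additions.append(path)
                in_addition = True
        elif in_addition and "=" in line:
            continue  # "name"=data under an added key
        else:
            result.errors.append(f"line {lineno}: unexpected content outside a key: {line!r}")
    return result


# Constructed sample input: the fix.reg text from the post above, verbatim.
FIX_REG = r"""Windows Registry Editor Version 5.00
[-hkey_local_machine\software\classes\appid\altnet signing module.exe]
[-hkey_local_machine\software\classes\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}]
[-hkey_classes_root\appid\{99a8e2b2-3405-4c0d-9110-131c14caaf62}]
[-HKEY_CLASSES_ROOT\TypeLib\{5830698F-7FC0-40CD-A453-9A0CAFDF3A64}
[-HKEY_CLASSES_ROOT\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75}]
[-HKEY_CLASSES_ROOT\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438}]
"""

if __name__ == "__main__":
    report = check_reg(FIX_REG)
    for err in report.errors:
        print("ERROR", err)
    print(f"{len(report.deletions)} deletion(s) parsed, safe to merge: {report.ok()}")
```

Run as-is it reports one error on line 5 and five parsed deletions; adding the missing bracket makes the file pass with all six.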
in_the_woods
2009-08-14, 09:44
Goodmorning ,
I followed your instructions , here is a fresh panda scan log:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-14 09:38:11
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.8.1335 [VPS 090813-0] 4.8.1335 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\TypeLib\{5830698F-7FC0-40CD-A453-9A0CAFDF3A64}
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@atdmt[2].txt
00151738 W32/Lovgate.BU.worm Virus/Worm No 0 Yes No C:\fsc.tmp\driver\chipset\sis_chipset_ide_v2_04a_w2k_wxp\setupdir\0804\Mafia Trainer!!!.exe
00151738 W32/Lovgate.BU.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP814\A1020695.exe
00527204 Application/PRScheduler HackTools No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP814\A1020694.exe
00527204 Application/PRScheduler HackTools No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP814\A1021695.exe
00527204 Application/PRScheduler HackTools Yes 0 Yes No C:\Documents and Settings\admin\Start Menu\Προγράμματα\Εκκίνηση\PowerReg Scheduler V3.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location h
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description h
;===================================================================================================================================================================================
;===================================================================================================================================================================================
OK, one error from my side.
Please run this fix2.reg
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\TypeLib\{5830698F-7FC0-40CD-A453-9A0CAFDF3A64}]
Reboot, rerun panda and post back fresh panda log, please.
in_the_woods
2009-08-14, 13:27
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-14 13:22:45
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.8.1335 [VPS 090813-0] 4.8.1335 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\admin\Cookies\admin@atdmt[2].txt
00151738 W32/Lovgate.BU.worm Virus/Worm No 0 Yes No C:\fsc.tmp\driver\chipset\sis_chipset_ide_v2_04a_w2k_wxp\setupdir\0804\Mafia Trainer!!!.exe
00151738 W32/Lovgate.BU.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP814\A1020695.exe
00527204 Application/PRScheduler HackTools No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP814\A1020694.exe
00527204 Application/PRScheduler HackTools No 0 Yes No C:\System Volume Information\_restore{6A7D3704-4820-4689-BD42-CB6D54847B88}\RP814\A1021695.exe
00527204 Application/PRScheduler HackTools Yes 0 Yes No C:\Documents and Settings\admin\Start Menu\Προγράμματα\Εκκίνηση\PowerReg Scheduler V3.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location {
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description {
;===================================================================================================================================================================================
;===================================================================================================================================================================================
Good :)
Still some issues left?
in_the_woods
2009-08-14, 14:06
Hi Shaba ,
Well everything seems to be O.K. Spybot can scan the system every time I run it :) Before following your instructions, the system would freeze or crash every time.
Mozilla and webpages are loading instantly ... everything looks normal :)
Panda scan shows some items in C:\System Volume Information\ , should I disable&re-enable system restore in order to get rid of them?
This is not a malware issue but I would appreciate one last piece of advice. Since I will be using mozilla from now on and since Iexplorer isn't functioning (this happened after a system restore performed before the beginning of this thread) I would like to remove IE from my system, but when clicking on it in the Add/Remove Programs list, the delete option does not show up. I can't find an uninstall option in its folder. Do I simply delete its folder? What is the proper way to remove it from the system?
Removing IE isn't recommended. What I recommend is that you install IE8 to see if it helps.
in_the_woods
2009-08-14, 19:08
Hi Shaba,
I downloaded IE8. At the end of installation it asked me to reboot, which I did. I tried to run IE8 but the pc would crash. It would reboot and crash over and over again without me trying to run something :confused:. It could only boot in safe mode. I tried again this afternoon and it will boot in normal mode, but it is running like a turtle, perhaps a little slower. These were happening some days ago when I downloaded IE8 before. The system restore function, which I am talking about in this thread, was able to "cure" the system. I am of course using mozilla now. Don't know what to do next.
I think that it is best to redirect you to some windows forum if that is ok?
in_the_woods
2009-08-14, 19:24
Yes of course Shaba. What must I do with combofix and other tools we used? Does this mean that you will close this thread?
in_the_woods
2009-08-14, 19:25
Is it o.k. to inform them that I am redirected to them by you?
We can do it so that you post first here (http://forums.pcpitstop.com/index.php?) and after you have got a reply there, I will give you final instructions here :)
in_the_woods
2009-08-14, 21:54
I followed the link you gave me, running mozilla with a neptune plug-in, when a page opened with IE8. It looks like some add-on caused the first crash this morning. I was redirected to a microsoft link with this message:
This add-on can cause Internet Explorer to stop responding or crash
Internet Explorer 8 is not compatible with your version of the "Drive Letter Access" Internet Explorer add-on.
So I selected to always open without this add-on and IE8 is running O.K. since. Perhaps some hardware component malfunction caused the other crashes :scratch:
One thing is a little strange. Every time I run IE, I see 2 iexplorer.exe in the Task Manager. Is this normal?
in_the_woods
2009-08-14, 21:54
I haven't posted there anything yet.
in_the_woods
2009-08-14, 22:06
iexplorer.exe
sorry, I mean 2 iexplore.exe
No, it can just be that this isn't compatible:
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
Fix that entry with HijackThis with browsers closed and let me know if it helped.
in_the_woods
2009-08-14, 22:55
I fixed it but I still see 2 iexplore.exe in Task Manager
in_the_woods
2009-08-14, 22:58
One is using 29.104 K and the other 16.276 K right now.
Yes but that is normal with IE8. I have also two.
Still some issues left?
in_the_woods
2009-08-15, 13:24
Still some issues left?
No , everything is O.K. :)
Good :)
I hope that you stay clean also in the future.
in_the_woods
2009-08-16, 11:11
I really appreciate your help and the time you spent dealing with my issues. It is a good time for me to start using the pc in a more productive manner from now on :thanks:
Take care :)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.