as it seems i have been infected by downloader mislead app. what can i do?
Downloader mislead app. problem..plz help
as it seems i have been infected by downloader mislead app. what can i do?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:47 μμ, on 31/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SAV\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SAGEM\CONN-X SAGEM Fast 800\dslmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [win32] C:\WINDOWS\system32\winpack32.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [win32] C:\WINDOWS\system32\winpack32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{71588D8A-6E6D-42CD-876B-18584BA2A830}: NameServer = 195.170.0.1 195.170.2.2
O21 - SSODL: zip - {7474b4ee-695c-4f54-9896-997c5e6d382c} - C:\WINDOWS\Installer\{7474b4ee-695c-4f54-9896-997c5e6d382c}\zip.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Reporting Agents (Reporting) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
--
End of file - 6816 bytes
Run Combofix and hijackthis (for second time)
I followed the instructions of Shaba in the thread :
http://forums.spybot.info/showthread.php?t=21023
i run combofix and afterwards i run hijackthis and these are the logs:
1.
ComboFix 08-01-31.4 - despina 2008-01-31 16:57:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1032.18.231 [GMT 2:00]
Running from: C:\Documents and Settings\despina\Επιφάνεια εργασίας\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.
2008-01-31 15:40 . 2008-01-31 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-31 13:32 . 2008-01-31 13:32 <DIR> d-------- C:\Documents and Settings\despina\Application Data\Grisoft
2008-01-31 13:32 . 2008-01-31 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-31 13:32 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-31 13:14 . 2008-01-31 13:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-31 12:36 . 2008-01-31 12:36 28,174 --a------ C:\Documents and Settings\despina\catchme.zip
2008-01-31 12:20 . 2008-01-31 12:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-26 13:15 . 2008-01-31 02:48 <DIR> d-------- C:\Program Files\Winamp Remote
2008-01-23 17:26 . 2008-01-23 17:26 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-23 05:45 . 2008-01-23 05:45 2,010,076 --a------ C:\WINDOWS\_detmp.1
2008-01-23 00:54 . 2008-01-23 00:54 <DIR> d-------- C:\Program Files\directx
2008-01-23 00:54 . 2008-01-23 00:54 0 --a------ C:\WINDOWS\DXT134.tmp
2008-01-23 00:54 . 2008-01-23 00:54 0 --a------ C:\WINDOWS\DXT133.tmp
2008-01-23 00:54 . 2008-01-23 00:54 0 --a------ C:\WINDOWS\DXT132.tmp
2008-01-23 00:54 . 2008-01-23 00:54 0 --a------ C:\WINDOWS\DXT131.tmp
2008-01-23 00:34 . 2008-01-23 00:34 <DIR> d-------- C:\WINDOWS\Cache
2008-01-22 15:56 . 2008-01-22 15:56 <DIR> d-------- C:\Documents and Settings\despina\Application Data\NeroDigital
2008-01-22 14:56 . 2008-01-31 11:50 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-22 14:38 . 2008-01-22 14:38 <DIR> d-------- C:\Documents and Settings\despina\Application Data\Nero
2008-01-22 14:34 . 2008-01-22 14:34 <DIR> d-------- C:\Program Files\Nero
2008-01-22 14:34 . 2008-01-31 12:26 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-01-22 14:34 . 2008-01-31 12:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-01-09 16:43 . 2008-01-09 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-01-09 15:29 . 2008-01-09 15:29 <DIR> d-------- C:\Program Files\3B
2008-01-09 15:29 . 2008-01-09 16:09 <DIR> d-------- C:\Documents and Settings\despina\Application Data\3B
2008-01-09 15:29 . 2007-06-11 16:15 2,115,816 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-01-09 15:29 . 2007-06-11 16:15 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-01-07 14:26 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-01-07 14:26 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-01-07 14:26 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-01-07 14:26 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-01-07 14:26 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-01-07 14:26 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-01-07 14:26 . 2003-11-04 15:11 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
2008-01-07 14:26 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-01-07 14:26 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-01-06 16:59 . 2007-10-11 01:49 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-06 16:59 . 2007-07-01 05:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-06 16:59 . 2007-07-01 05:36 1,118,208 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-06 16:59 . 2007-10-11 01:49 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-06 16:59 . 2007-10-11 01:49 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-06 16:59 . 2007-10-11 01:49 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-06 16:59 . 2007-10-11 01:49 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-06 16:59 . 2007-10-11 01:49 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-06 16:59 . 2007-10-10 12:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-06 16:58 . 2008-01-06 16:59 <DIR> d-------- C:\WINDOWS\system32\el-gr
2008-01-06 16:55 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-25 18:21 . 2007-12-25 21:51 2,872 --a------ C:\halloween_log.html
2007-12-22 22:51 . 2007-12-22 22:51 <DIR> d-------- C:\Program Files\Xvid
2007-12-22 22:51 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-12-22 22:51 . 2006-11-01 14:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-12-22 22:51 . 2006-11-01 15:26 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2007-12-22 22:50 . 2007-12-22 22:50 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-12-22 22:50 . 2008-01-23 15:39 <DIR> d-------- C:\Program Files\AVI ReComp
2007-12-22 22:40 . 2007-12-22 22:40 <DIR> d-------- C:\Program Files\Gabest
2007-12-13 16:17 . 2007-12-13 16:17 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-12-13 16:17 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2007-12-13 16:17 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2007-12-13 16:07 . 2007-12-13 16:07 <DIR> d-------- C:\Program Files\Lionhead Studios
2007-12-13 16:06 . 2007-12-13 16:06 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2007-12-13 14:37 . 2007-12-13 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Innovative Solutions
2007-12-13 12:57 . 2008-01-20 22:38 <DIR> d-------- C:\Documents and Settings\despina\Application Data\Ahead
2007-12-05 05:05 . 2007-12-05 05:05 368,640 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-12-05 04:48 . 2007-12-05 04:48 9,535,488 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-12-05 04:33 . 2007-12-05 04:33 3,107,788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-12-05 04:33 . 2007-12-05 04:33 3,107,788 --a------ C:\WINDOWS\system32\ativva5x.dat
2007-12-05 04:33 . 2007-12-05 04:33 887,724 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-12-05 04:14 . 2007-12-05 04:14 180,224 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-12-03 14:42 . 2007-12-03 14:42 <DIR> d-------- C:\WINDOWS\Subtitle Workshop GTvS Edition
2007-12-03 14:42 . 2007-12-03 14:42 <DIR> d-------- C:\Program Files\URUSoft
2007-12-03 14:42 . 2007-12-03 14:42 95 --a------ C:\GTvSScript.ini
2007-12-02 00:09 . 2007-12-02 00:23 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-12-02 00:09 . 2007-12-02 18:41 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-01 22:20 . 2007-12-02 18:41 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-12-01 22:18 . 2007-12-01 22:18 <DIR> dr-h----- C:\Documents and Settings\despina\Application Data\SecuROM
2007-12-01 22:18 . 2007-12-01 22:18 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-01 21:39 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-12-01 21:39 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-12-01 21:39 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-12-01 21:39 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-12-01 21:39 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-12-01 21:39 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-12-01 21:39 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-12-01 21:39 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-12-01 21:39 . 2007-06-20 20:45 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 14:49 --------- d-----w C:\Program Files\mIRC
2008-01-31 13:15 --------- d-----w C:\Program Files\SAV
2008-01-31 01:02 --------- d-----w C:\Documents and Settings\despina\Application Data\uTorrent
2008-01-28 15:38 --------- d-----w C:\Program Files\DC++
2008-01-26 11:42 --------- d-----w C:\Program Files\Winamp
2008-01-23 11:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-22 17:35 --------- d-----w C:\Documents and Settings\despina\Application Data\dvdcss
2008-01-22 11:21 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-20 21:03 --------- d-----w C:\Program Files\Ahead
2008-01-20 20:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 14:43 --------- d-----w C:\Documents and Settings\despina\Application Data\ATI
2008-01-09 14:35 --------- d-----w C:\Program Files\ATI Technologies
2007-12-05 12:17 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2007-12-05 05:26 2,782,208 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-12-05 03:04 269,312 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-12-05 02:56 147,456 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-12-05 02:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-12-05 02:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-12-05 02:55 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-12-05 02:54 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-12-05 02:53 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-12-05 02:53 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-12-05 02:44 3,175,584 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-12-05 02:33 1,640,192 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-12-05 02:19 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-12-05 02:19 385,024 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-12-05 02:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-12-05 02:16 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-12-05 02:11 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-11-07 09:27 730,112 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,295,872 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-25 07:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-23 23:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-23 23:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-23 23:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-23 23:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-10-10 23:49 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2001-11-23 04:08 712,704 -c--a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-04 05:45 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"win32"="C:\WINDOWS\system32\winpack32.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 12:15 106496]
"Cmaudio"="cmicnfg.cpl" []
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 10:51 172032]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 10:50 204800]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 03:19 69632]
"win32"="C:\WINDOWS\system32\winpack32.exe" [ ]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [ ]
"RCAutoLiveUpdate"="C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe" [ ]
"RCSystemTray"="C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-09-04 05:45 15360]
C:\Documents and Settings\All Users\Start Menu\α\΅΅ε\
DSLMON.lnk - C:\Program Files\SAGEM\CONN-X SAGEM Fast 800\dslmon.exe [2007-05-12 19:34:51 839680]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F}"= C:\WINDOWS\system32\gebbbxu.dll [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"zip"= {7474b4ee-695c-4f54-9896-997c5e6d382c} - C:\WINDOWS\Installer\{7474b4ee-695c-4f54-9896-997c5e6d382c}\zip.dll [2008-01-31 12:04 38950]
R2 Reporting;Reporting Agents;"C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe" [2007-03-14 14:09]
R3 e4usbaw;USB ADSL2 WAN Adapter;C:\WINDOWS\system32\DRIVERS\e4usbaw.sys [2006-05-04 17:50]
R3 usbstor;Πρόγραμμα οδήγησης μαζικής αποθήκευσης USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 23:08]
S2 IKANLOADER2;General Purpose USB Driver (e4ldr.sys);C:\WINDOWS\system32\Drivers\e4ldr.sys [2006-03-02 18:25]
S3 ewdmaudn;ewdmaudn;C:\DOCUME~1\despina\LOCALS~1\Temp\ewdmaudn.sys []
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-01-04 13:01]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-01-04 13:01]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-01-04 13:01]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-01-04 13:01]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-01-04 13:01]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-01-04 13:01]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-01-04 13:01]
S3 usbscan;Πρόγραμμα οδήγησης σαρωτή USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 21:58]
*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER
*Newly Created Service* - AVG_ANTI-SPYWARE_GUARD
*Newly Created Service* - IKFILESEC
*Newly Created Service* - IKSYSFLT
*Newly Created Service* - IKSYSSEC
*Newly Created Service* - MCHINJDRV
.
Contents of the 'Scheduled Tasks' folder
"2008-01-31 15:00:00 C:\WINDOWS\Tasks\AAE8F11191C36F55.job"
- c:\docume~1\despina\applic~1\filmid~1\grim four phone.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 17:00:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-31 17:01:11
ComboFix-quarantined-files.txt 2008-01-31 15:00:58
ComboFix2.txt 2008-01-31 10:44:11
.
2008-01-23 15:31:13 --- E O F ---
Run Combofix and hijackthis (for second time)
2.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:05 μμ, on 31/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SAV\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SAGEM\CONN-X SAGEM Fast 800\dslmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [win32] C:\WINDOWS\system32\winpack32.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [win32] C:\WINDOWS\system32\winpack32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{71588D8A-6E6D-42CD-876B-18584BA2A830}: NameServer = 195.170.0.1 195.170.2.2
O21 - SSODL: zip - {7474b4ee-695c-4f54-9896-997c5e6d382c} - C:\WINDOWS\Installer\{7474b4ee-695c-4f54-9896-997c5e6d382c}\zip.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Reporting Agents (Reporting) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Reporting Agents\Win32\ReporterSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
--
End of file - 6782 bytes
Plzzzz help with this..i've made the first steps by myself..
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
The Waiting Room <<< you must have missed this
http://forums.spybot.info/forumdisplay.php?f=37
What you should have done was followed the posted directions! If your issues are not resolved, and you have some nasty trojans in this HJT log, post a new log, do not scan and post the Kaspersky scan now until I request it.I followed the instructions of Shaba in the thread :
http://forums.spybot.info/showthread.php?t=21023
If you post back, tell me what this means > Επιφάνεια εργασίας
Thanks
MS-MVP Consumer Security 2007-08-09
Proud Member ASAP
UNITE Member 2006
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.
MS-MVP Consumer Security 2007-08-09
Proud Member ASAP
UNITE Member 2006
Posting Permissions
