H E L P ! I am infected...

Unread postby hourpou » November 9th, 2007, 2:07 pm

Several pop-ups on IE, tray balloon notifications telling me I have spyware, viruses etc. and messages like "Critical System Error..."

I've done a search on the net about this but I can't get anywhere...

Thank you for any help

My hijackthis log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:36 μμ, on 9.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\gigabyte\RCService\RCService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft LifeCam\LifeTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\yzhuufmd.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: SYSTRAN Lookup - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/lookup.js
O8 - Extra context menu item: SYSTRAN Translate - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/translate.js
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Δημιουργία Αγαπημένου κινητής συσκευής... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: RCService - Unknown owner - C:\Program Files\gigabyte\RCService\RCService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9564 bytes
hourpou
Active Member
 
Posts: 8
Joined: November 8th, 2007, 3:30 pm

Unread postby beynac » November 10th, 2007, 6:13 am

Good morning. :)

I'll be happy to help you sort out your problem. In order to help me with this, please note the following points:
  • If you have any questions or problems - stop and ask
  • It's important that you do not take any independent action to clean the computer (e.g. scans and clean-up programs)
  • Please continue until I give the "all clear". The symptoms may disappear quite quickly, but this doesn't mean that the computer is clean
----------------------------------------------

ComboFix by sUBs

Important: If you already have ComboFix on your computer, please delete it and download the latest version.
  • Download this file - ComboFix.exe. (Please save it on your desktop).
  • Close all open windows.
  • Double click ComboFix.exe and follow the prompts.
  • When finished, it will produce a log for you. Please post that log in your next reply
Important: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

If necessary, please split the log into separate posts to ensure that they don't get cut off. It is important that I see the full log.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

-----------------------------------------------

Please post the following, as a reply to this thread:
  • The ComboFix log
  • A new HijackThis log (please untick Word Wrap in Notepad)
Please let me know whether the Greek characters in the log are valid.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby hourpou » November 10th, 2007, 9:10 am

Hi beynac, and thank you for your reply! :)


1. Here is my ComboFix log:
---------------------------------


ComboFix 07-11-08.1 - user 2007-11-10 14:24:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1253.1.1032.18.426 [GMT 2:00]
Running from: C:\Documents and Settings\user\Επιφάνεια εργασίας\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\user\Επιφάνεια εργασίας\Live Safety Center.lnk
C:\Documents and Settings\user\Επιφάνεια εργασίας\Online Security Guide.lnk
C:\Documents and Settings\user\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cocpxepr.dll
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ghquujoa.dll
C:\WINDOWS\system32\malccnjd.dllbox
C:\WINDOWS\system32\mgxowoqe.dll
C:\WINDOWS\system32\prnncvqy.dll
C:\WINDOWS\system32\yzhuufmd.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.

2007-11-10 14:29 289,452 --a------ C:\Documents and Settings\user\catchme.zip
2007-11-10 13:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 10:57 84,032 --a------ C:\WINDOWS\system32\xlcqkweg.dll
2007-11-10 01:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-09 21:01 84,032 --a------ C:\WINDOWS\system32\dhwutiyx.dll
2007-11-09 01:06 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-09 01:06 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-09 01:06 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-09 01:06 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-09 01:06 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-08 21:40 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-08 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-08 21:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 21:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-07 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-07 22:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-07 17:00 145,472 --a------ C:\WINDOWS\system32\yzhuufmd.dll
2007-11-07 17:00 145,472 --a------ C:\WINDOWS\system32\iuncxugm.dll
2007-11-07 16:09 <DIR> d-------- C:\Program Files\FRP-Analysis
2007-11-07 15:45 84,032 --a------ C:\WINDOWS\system32\etdljrvr.dll
2007-11-07 02:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-07 02:05 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-07 01:23 4,844 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-06 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 14:21 145,472 --a------ C:\WINDOWS\system32\npournif.dll
2007-11-06 14:21 145,472 --a------ C:\WINDOWS\system32\malccnjd.dll
2007-11-05 23:11 <DIR> d-------- C:\Documents and Settings\user\Application Data\Microsoft Corporation
2007-11-05 23:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2007-11-05 22:56 <DIR> d-------- C:\Program Files\ABBYY FineReader 9.0
2007-11-05 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ABBYY
2007-11-05 22:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\SYSTRAN
2007-11-05 22:46 <DIR> d-------- C:\Program Files\SYSTRAN
2007-11-05 22:45 878,080 --a------ C:\WINDOWS\system32\iconv.dll
2007-11-05 22:45 721,920 --a------ C:\WINDOWS\system32\libxml2.dll
2007-11-05 22:45 150,016 --a------ C:\WINDOWS\system32\libxslt.dll
2007-11-05 22:45 51,200 --a------ C:\WINDOWS\system32\libexslt.dll
2007-11-05 22:44 144,896 -ra------ C:\WINDOWS\system32\libsyslic1.original.dll
2007-11-05 22:44 57,344 -ra------ C:\WINDOWS\system32\libsyslic1.dll
2007-11-05 22:11 34,304 --a------ C:\WINDOWS\system32\iifdday.dll
2007-10-22 22:52 1,719,296 --a------ C:\WINDOWS\system32\hinstd.dll
2007-10-22 22:52 264,704 --a------ C:\WINDOWS\system32\hlvdd.dll
2007-10-22 22:52 125,712 --a------ C:\WINDOWS\system32\vb6de.dll
2007-10-22 22:52 116,938 --a------ C:\WINDOWS\system32\vshelp.dll
2007-10-22 22:52 99,866 --a------ C:\WINDOWS\system32\vb5de.dll
2007-10-22 22:52 25,088 --a------ C:\WINDOWS\system32\Hlduinst.exe
2007-10-22 22:52 23,040 --a------ C:\WINDOWS\system32\drivers\aksusb.sys
2007-10-22 22:50 <DIR> d-------- C:\Program Files\SOFiSTiK
2007-10-22 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-22 22:39 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-22 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-10-20 14:40 <DIR> d-------- C:\Documents and Settings\user\Application Data\Corel
2007-10-20 14:37 <DIR> d-------- C:\Program Files\Corel
2007-10-20 14:37 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-10-20 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2007-10-20 14:05 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-20 14:05 88 -rahs---- C:\WINDOWS\system32\75906E75A1.sys
2007-10-20 12:53 <DIR> d-------- C:\Program Files\Common Files\Protexis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 12:38 --------- d-----w C:\Program Files\Kaspersky Lab
2007-11-10 12:37 26,353,184 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-10 12:33 353,900 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-10 12:33 138,476 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-10 12:33 1,465,888 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-10 12:12 --------- d-----w C:\Documents and Settings\user\Application Data\Skype
2007-11-09 23:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-08 22:48 --------- d-----w C:\Program Files\eMule
2007-11-08 22:47 --------- d-----w C:\Documents and Settings\user\Application Data\Azureus
2007-11-07 14:11 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-06 19:14 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-05 20:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-01 22:50 --------- d-----w C:\Program Files\Computers and Structures
2007-10-29 20:36 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-22 14:35 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-10-22 14:33 --------- d-----w C:\Program Files\SopCast
2007-10-22 14:31 --------- d-----w C:\Program Files\DScaler
2007-10-22 14:30 --------- d-----w C:\Program Files\COORD_GR
2007-10-22 14:29 --------- d-----w C:\Program Files\TechSmith
2007-10-16 18:31 --------- d-----w C:\Program Files\Microsoft LifeCam
2007-10-14 20:24 --------- d-----w C:\Program Files\Google
2007-10-13 21:11 --------- d-----w C:\Documents and Settings\user\Application Data\TVU Networks
2007-10-09 13:34 --------- d-----w C:\Program Files\Java
2007-09-21 15:09 --------- d-----w C:\Program Files\Ulead CD & DVD PictureShow 4
2007-09-21 14:04 256 ----a-w C:\IASTOEL.DLL
2007-09-21 10:33 --------- d-----w C:\Program Files\audiograbber
2007-09-17 22:11 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-09-17 22:06 --------- d-----w C:\Documents and Settings\user\Application Data\Ulead Systems
2007-09-17 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-09-17 21:07 --------- d-----w C:\Program Files\FastStone Image Viewer
2007-09-17 21:07 --------- d-----w C:\Documents and Settings\user\Application Data\FastStone
2007-09-17 20:35 --------- d-----w C:\Program Files\Azureus
2007-08-21 06:16 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-03-19 21:50 1,024 ----a-w C:\Program Files\USERDEF.SEC
2007-03-19 21:50 1,024 ----a-w C:\Program Files\IW.SEC
2007-03-19 21:50 1,024 ----a-w C:\Program Files\COMPOSITES.SEC
2007-03-19 21:50 1,024 ----a-w C:\Program Files\CASTELATED.SEC
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{072D24E7-7B28-4DB8-80F3-A82A55067964}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2718C205-5035-41A0-956D-B9AB284CD7B9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9d42dc18-f7eb-40f8-8b67-39843128a6fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-07 17:00 145472 --a------ C:\WINDOWS\system32\yzhuufmd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b29660cf-b8ab-4211-a4c9-03413cd4ea45}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}]
2007-11-05 22:11 34304 --a------ C:\WINDOWS\system32\iifdday.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\yzhuufmd.dll [2007-11-07 17:00 145472]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\yzhuufmd.dll [2007-11-07 17:00 145472]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 11:28 C:\WINDOWS\RTHDCPL.EXE]
"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 19:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"RegistryMechanic"="" []
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2006-04-18 09:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-07 23:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-07 14:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-23 12:52]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-27 20:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"= C:\WINDOWS\system32\iifdday.dll [2007-11-05 22:11 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdday]
iifdday.dll 2007-11-05 22:11 34304 C:\WINDOWS\system32\iifdday.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\malccnjd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yzhuufmd]
yzhuufmd.dll 2007-11-07 17:00 145472 C:\WINDOWS\system32\yzhuufmd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddabc.dll

R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 14:37:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-10 14:42:08 - machine was rebooted
.
--- E O F ---


2. New HijackThis log:
-----------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:41 μμ, on 10.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\gigabyte\RCService\RCService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Microsoft LifeCam\LifeTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\yzhuufmd.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: SYSTRAN Lookup - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/lookup.js
O8 - Extra context menu item: SYSTRAN Translate - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/translate.js
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Δημιουργία Αγαπημένου κινητής συσκευής... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: RCService - Unknown owner - C:\Program Files\gigabyte\RCService\RCService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9692 bytes


3. As far as the Greek characters, they are valid
(I am Greek, you see...)

Thank you in advance,
John
Greece
hourpou
Active Member
 
Posts: 8
Joined: November 8th, 2007, 3:30 pm

Unread postby beynac » November 10th, 2007, 10:05 am

Good afternoon John.

3. As far as the Greek characters, they are valid

I thought so, but I only had Babel Fish translator to give me a guide. I particularly enjoyed the translation of "Δημιουργία Αγαπημένου κινητής συσκευής." which BabelFish translated as "Creation of Beloved mobile appliance". :lol: I think that I get the general idea - but it's best to ask! I assume that it should translate as "Create Mobile Favorite". :)

I see that you have run an online Kaspersky scan. Please do not run any other scans unless I tell you to. The Kaspersky one is OK, but others could really cause us problems if you run them while we are fixing the computer.

----------------------------------------------------------

Disable AVG Anti-Spyware Resident Shield

We need to make sure that this is disabled as it could interfere with our fix. Please check the following settings:
  • Click the Shield icon at the top.
  • Under Resident shield is... make sure that this shows as inactive or not available in the free version.
  • Change it, if necessary.
Close AVG Anti-Spyware. Do not scan.

---------------------------------------------------------

Rename HijackThis

I think that you may have something that's hiding from HijackThis. To fool the 'nasty' into letting us see the complete picture, we need to rename HijackThis.
  • Click on Start then My Computer
  • Navigate to the folder C:\Program Files\Trend Micro\HijackThis\
  • Rename HijackThis.exe as NoHiding.exe
  • Right-click on NoHiding and select Send To then Desktop (create shortcut)
  • Close the window
Always use the new shortcut to run HijackThis (now "NoHiding").

------------------------------------------------------

VundoFix

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • It will create a report named vundofix.txt on your main drive (C:\vundofix.txt)
Note: It is possible that VundoFix may encounter a file it cannot remove.
In this case, VundoFix will run on reboot. Simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

-----------------------------------------------------

Please post the following, as a reply to this thread:
  • The VundoFix report (C:\vundofix.txt)
  • A new HijackThis log (run as NoHiding)
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby hourpou » November 10th, 2007, 2:49 pm

Well hello again!

"Creation of Beloved mobile appliance"

That was a good one! :) :) :)


So,

1. I made AVG anti-spyware inactive

2. I renamed HijackThis.exe to NoHiding.exe

3. I downloaded VundoFix.exe and ran it.
I performed a scan for Vundo... BUT even though I restarted the computer a few times, it didn't manage to remove a file, as you can see in the following log:
----------------------------------------------------------------------------------


VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.10

Scan started at 7:29:09 μμ 10.11.2007

Listing files found while scanning....

C:\windows\system32\iifdday.dll
C:\WINDOWS\system32\yzhuufmd.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifdday.dll
C:\windows\system32\iifdday.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yzhuufmd.dll
C:\WINDOWS\system32\yzhuufmd.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\iifdday.dll
C:\windows\system32\iifdday.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.10

Scan started at 7:41:04 μμ 10.11.2007

Listing files found while scanning....

C:\windows\system32\iifdday.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifdday.dll
C:\windows\system32\iifdday.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.10

Scan started at 7:47:50 μμ 10.11.2007

Listing files found while scanning....

C:\windows\system32\iifdday.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifdday.dll
C:\windows\system32\iifdday.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.10

Scan started at 7:55:07 μμ 10.11.2007

Listing files found while scanning....

C:\windows\system32\iifdday.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifdday.dll
C:\windows\system32\iifdday.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.10

Scan started at 8:04:18 μμ 10.11.2007

Listing files found while scanning....

C:\windows\system32\iifdday.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifdday.dll
C:\windows\system32\iifdday.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.10

Scan started at 8:11:23 μμ 10.11.2007

Listing files found while scanning....

C:\windows\system32\iifdday.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifdday.dll
C:\windows\system32\iifdday.dll Could not be deleted.

Performing Repairs to the registry.
Done!


4. Also, a new HijackThis log (run as NoHiding.exe)
-------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:40 μμ, on 10.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\gigabyte\RCService\RCService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\NoHiding.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {072D24E7-7B28-4DB8-80F3-A82A55067964} - (no file)
O2 - BHO: (no name) - {2718C205-5035-41A0-956D-B9AB284CD7B9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9d42dc18-f7eb-40f8-8b67-39843128a6fc} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {b29660cf-b8ab-4211-a4c9-03413cd4ea45} - (no file)
O2 - BHO: (no name) - {DF2D2737-63E9-450C-BC0E-719BE4C4BA8A} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {F6B1F430-52B5-4478-9FC6-A94F79D423C3} - C:\WINDOWS\system32\iifdday.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: SYSTRAN Lookup - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/lookup.js
O8 - Extra context menu item: SYSTRAN Translate - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/translate.js
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Δημιουργία Αγαπημένου κινητής συσκευής... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: malccnjd - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: RCService - Unknown owner - C:\Program Files\gigabyte\RCService\RCService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10522 bytes


Now it seems that I don't get any more annoying popups :) but I think that we are not done yet, are we?

Thank you again!
John

hourpou
Active Member
 
Posts: 8
Joined: November 8th, 2007, 3:30 pm

Unread postby beynac » November 10th, 2007, 5:48 pm

I think that we are not done yet, are we?

No, but we are getting there. :)

---------------------------------------------------------

Open Notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\iifdday.dll
C:\WINDOWS\system32\dhwutiyx.dll
C:\WINDOWS\system32\xlcqkweg.dll
C:\WINDOWS\system32\yzhuufmd.dll
C:\WINDOWS\system32\iuncxugm.dll
C:\WINDOWS\system32\etdljrvr.dll
C:\WINDOWS\system32\npournif.dll
C:\WINDOWS\system32\malccnjd.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{072D24E7-7B28-4DB8-80F3-A82A55067964}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2718C205-5035-41A0-956D-B9AB284CD7B9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9d42dc18-f7eb-40f8-8b67-39843128a6fc}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b29660cf-b8ab-4211-a4c9-03413cd4ea45}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F6B1F430-52B5-4478-9FC6-A94F79D423C3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F6B1F430-52B5-4478-9FC6-A94F79D423C3}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdday]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\malccnjd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yzhuufmd]


Save this on your Desktop as CFScript.txt

Image
ComboFix should also be on your Desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will then run. When finished, it will produce a log (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running as this may cause it to stall.

------------------------------------------------

Please post, as a reply to this thread:
  • The ComboFix log
  • A new HijackThis log (run as NoHiding)
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
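A small triage script for the logs exchanged in this thread, added here as an illustration (it is not HijackThis, VundoFix or ComboFix code): it parses HijackThis O2/O3/O20 lines, flags the three entry types the helper wrote into CFScript.txt (nameless BHOs loading from system32, orphaned "(no file)" registrations, Winlogon Notify hooks), and checks them against VundoFix's per-file results so a file like iifdday.dll that survived VundoFix stands out. The flagging heuristics and regexes are this example's own assumptions, and the sample log lines are constructed from the logs posted above.

```python
"""Triage helper for the HijackThis and VundoFix logs posted in this thread.

Added illustration, not HijackThis, VundoFix or ComboFix code.  It flags the
three kinds of entries the helper pulled into CFScript.txt: nameless BHOs
loading from system32, orphaned "(no file)" registrations, and O20 Winlogon
Notify hooks, then cross-checks them against VundoFix's per-file results.
Both sample logs are constructed from lines quoted in the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines from the second HijackThis log in the thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {072D24E7-7B28-4DB8-80F3-A82A55067964} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DF2D2737-63E9-450C-BC0E-719BE4C4BA8A} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {F6B1F430-52B5-4478-9FC6-A94F79D423C3} - C:\WINDOWS\system32\iifdday.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O20 - Winlogon Notify: malccnjd - C:\WINDOWS\
"""

# Constructed sample: the removal section of the first VundoFix run in the thread.
SAMPLE_VUNDOFIX_LOG = r"""
Attempting to delete C:\windows\system32\iifdday.dll
C:\windows\system32\iifdday.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yzhuufmd.dll
C:\WINDOWS\system32\yzhuufmd.dll Has been deleted!
"""

HJT_LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# "<kind>: <name> - {CLSID} - <path>" is how HijackThis prints O2 and O3 entries
COM_ENTRY = re.compile(
    r"^(?P<kind>[^:]+):\s+(?P<name>.*?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.*)$"
)
SYSTEM32_DLL = re.compile(r"^C:\\WINDOWS\\system32\\[^\\]+\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    section: str          # HijackThis section code, e.g. "O2"
    clsid: Optional[str]  # COM class id for O2/O3 entries, None for O20
    path: str             # file the entry loads, or "(no file)"
    reason: str


def triage_hjt(log_text: str) -> List[Finding]:
    """Flag the entry types the helper targeted.  The heuristics are this example's own."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section in ("O2", "O3"):
            e = COM_ENTRY.match(body)
            if not e:
                continue
            name, clsid, path = e.group("name"), e.group("clsid"), e.group("path")
            if path == "(no file)":
                # CLSID still registered but its DLL is gone: a leftover to clean out of the registry
                findings.append(Finding(section, clsid, path, "orphaned registration, file missing"))
            elif name == "(no name)" and SYSTEM32_DLL.match(path):
                # Legitimate add-ons almost always carry a name; the Vundo ones here did not and sat in system32
                findings.append(Finding(section, clsid, path, "nameless add-on loading from system32"))
        elif section == "O20":
            # "Winlogon Notify: <subkey> - <dll>": a logon hook the infection used to reload itself
            subkey, _, path = body.partition(": ")[2].partition(" - ")
            findings.append(Finding(section, None, path, f"Winlogon Notify hook '{subkey}'"))
    return findings


def vundofix_results(log_text: str) -> Dict[str, bool]:
    """Map each file VundoFix attempted (lower-cased path) to whether it was deleted."""
    results: Dict[str, bool] = {}
    for line in log_text.splitlines():
        for suffix, ok in ((" Could not be deleted.", False), (" Has been deleted!", True)):
            if line.endswith(suffix):
                results[line[: -len(suffix)].lower()] = ok
    return results


def still_loaded_after_vundofix(findings: List[Finding], results: Dict[str, bool]) -> List[str]:
    """Flagged files VundoFix tried and failed to delete: the ones that need a stronger tool."""
    return sorted({f.path.lower() for f in findings if results.get(f.path.lower()) is False})


if __name__ == "__main__":
    hits = triage_hjt(SAMPLE_HJT_LOG)
    for f in hits:
        print(f"{f.section} {f.clsid or '-':40} {f.path}: {f.reason}")
    print("survived VundoFix:", still_loaded_after_vundofix(hits, vundofix_results(SAMPLE_VUNDOFIX_LOG)))
```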

Unread postby hourpou » November 10th, 2007, 9:57 pm

OK, here we go:

1. ComboFix log:
----------------------


ComboFix 07-11-08.1 - user 2007-11-11 3:35:09.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1253.1.1032.18.489 [GMT 2:00]
Running from: C:\Documents and Settings\user\Επιφάνεια εργασίας\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Επιφάνεια εργασίας\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\dhwutiyx.dll
C:\WINDOWS\system32\etdljrvr.dll
C:\WINDOWS\system32\iifdday.dll
C:\WINDOWS\system32\iuncxugm.dll
C:\WINDOWS\system32\malccnjd.dll
C:\WINDOWS\system32\npournif.dll
C:\WINDOWS\system32\xlcqkweg.dll
C:\WINDOWS\system32\yzhuufmd.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\user\Επιφάνεια εργασίας\Live Safety Center.lnk
C:\Documents and Settings\user\Επιφάνεια εργασίας\Online Security Guide.lnk
C:\WINDOWS\system32\dhwutiyx.dll
C:\WINDOWS\system32\etdljrvr.dll
C:\WINDOWS\system32\iifdday.dll
C:\WINDOWS\system32\iuncxugm.dll
C:\WINDOWS\system32\malccnjd.dll
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\npournif.dll
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\system32\xlcqkweg.dll
C:\WINDOWS\system32\yzhuufmd.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 03:40 575,471 --a------ C:\Documents and Settings\user\catchme.zip
2007-11-10 19:29 <DIR> d-------- C:\VundoFix Backups
2007-11-10 13:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 01:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-09 01:06 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-09 01:06 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-09 01:06 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-09 01:06 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-09 01:06 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-08 21:40 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-08 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-08 21:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 21:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-07 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-07 22:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-07 16:09 <DIR> d-------- C:\Program Files\FRP-Analysis
2007-11-07 02:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-07 02:05 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-07 01:23 4,844 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-06 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 23:11 <DIR> d-------- C:\Documents and Settings\user\Application Data\Microsoft Corporation
2007-11-05 23:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2007-11-05 22:56 <DIR> d-------- C:\Program Files\ABBYY FineReader 9.0
2007-11-05 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ABBYY
2007-11-05 22:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\SYSTRAN
2007-11-05 22:46 <DIR> d-------- C:\Program Files\SYSTRAN
2007-11-05 22:45 878,080 --a------ C:\WINDOWS\system32\iconv.dll
2007-11-05 22:45 721,920 --a------ C:\WINDOWS\system32\libxml2.dll
2007-11-05 22:45 150,016 --a------ C:\WINDOWS\system32\libxslt.dll
2007-11-05 22:45 51,200 --a------ C:\WINDOWS\system32\libexslt.dll
2007-11-05 22:44 144,896 -ra------ C:\WINDOWS\system32\libsyslic1.original.dll
2007-11-05 22:44 57,344 -ra------ C:\WINDOWS\system32\libsyslic1.dll
2007-10-22 22:52 1,719,296 --a------ C:\WINDOWS\system32\hinstd.dll
2007-10-22 22:52 264,704 --a------ C:\WINDOWS\system32\hlvdd.dll
2007-10-22 22:52 125,712 --a------ C:\WINDOWS\system32\vb6de.dll
2007-10-22 22:52 116,938 --a------ C:\WINDOWS\system32\vshelp.dll
2007-10-22 22:52 99,866 --a------ C:\WINDOWS\system32\vb5de.dll
2007-10-22 22:52 25,088 --a------ C:\WINDOWS\system32\Hlduinst.exe
2007-10-22 22:52 23,040 --a------ C:\WINDOWS\system32\drivers\aksusb.sys
2007-10-22 22:50 <DIR> d-------- C:\Program Files\SOFiSTiK
2007-10-22 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-22 22:39 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-22 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-10-20 14:40 <DIR> d-------- C:\Documents and Settings\user\Application Data\Corel
2007-10-20 14:37 <DIR> d-------- C:\Program Files\Corel
2007-10-20 14:37 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-10-20 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2007-10-20 14:05 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-20 14:05 88 -r-hs---- C:\WINDOWS\system32\75906E75A1.sys
2007-10-20 12:53 <DIR> d-------- C:\Program Files\Common Files\Protexis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 01:44 1,480,480 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-11 01:43 26,749,216 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-11 01:42 359,276 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-11 01:42 139,820 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-11 01:37 --------- d-----w C:\Program Files\Kaspersky Lab
2007-11-10 18:02 --------- d-----w C:\Documents and Settings\user\Application Data\Skype
2007-11-09 23:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-08 22:48 --------- d-----w C:\Program Files\eMule
2007-11-08 22:47 --------- d-----w C:\Documents and Settings\user\Application Data\Azureus
2007-11-07 14:11 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-06 19:14 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-05 20:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-01 22:50 --------- d-----w C:\Program Files\Computers and Structures
2007-10-29 20:36 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-22 14:35 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-10-22 14:33 --------- d-----w C:\Program Files\SopCast
2007-10-22 14:31 --------- d-----w C:\Program Files\DScaler
2007-10-22 14:30 --------- d-----w C:\Program Files\COORD_GR
2007-10-22 14:29 --------- d-----w C:\Program Files\TechSmith
2007-10-16 18:31 --------- d-----w C:\Program Files\Microsoft LifeCam
2007-10-14 20:24 --------- d-----w C:\Program Files\Google
2007-10-13 21:11 --------- d-----w C:\Documents and Settings\user\Application Data\TVU Networks
2007-10-09 13:34 --------- d-----w C:\Program Files\Java
2007-09-21 15:09 --------- d-----w C:\Program Files\Ulead CD & DVD PictureShow 4
2007-09-21 14:04 256 ----a-w C:\IASTOEL.DLL
2007-09-21 10:33 --------- d-----w C:\Program Files\audiograbber
2007-09-17 22:11 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-09-17 22:06 --------- d-----w C:\Documents and Settings\user\Application Data\Ulead Systems
2007-09-17 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-09-17 21:07 --------- d-----w C:\Program Files\FastStone Image Viewer
2007-09-17 21:07 --------- d-----w C:\Documents and Settings\user\Application Data\FastStone
2007-09-17 20:35 --------- d-----w C:\Program Files\Azureus
2007-03-19 21:50 1,024 ----a-w C:\Program Files\USERDEF.SEC
2007-03-19 21:50 1,024 ----a-w C:\Program Files\IW.SEC
2007-03-19 21:50 1,024 ----a-w C:\Program Files\COMPOSITES.SEC
2007-03-19 21:50 1,024 ----a-w C:\Program Files\CASTELATED.SEC
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 11:28 C:\WINDOWS\RTHDCPL.EXE]
"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 19:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"RegistryMechanic"="" []
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2006-04-18 09:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-07 23:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-07 14:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-23 12:52]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-27 20:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnlm.dll

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe"
R2 RCService;RCService;"C:\Program Files\gigabyte\RCService\RCService.exe"
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
R3 SaiClass;SaiClass;C:\WINDOWS\system32\drivers\SaiNtBus.sys
R3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\DRIVERS\imhidusb.sys
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys
S3 SaiNtHid;%SAINTHID_NAME%;C:\WINDOWS\system32\DRIVERS\SaiNtHid.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 03:44:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 3:46:49 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-10 14:42
.
--- E O F ---


2. HijackThis log (run as NoHiding)
---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:20 πμ, on 11.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\gigabyte\RCService\RCService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\NoHiding.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: SYSTRAN Lookup - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/lookup.js
O8 - Extra context menu item: SYSTRAN Translate - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/translate.js
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Δημιουργία Αγαπημένου κινητής συσκευής... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: RCService - Unknown owner - C:\Program Files\gigabyte\RCService\RCService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9989 bytes
hourpou
Active Member
 
Posts: 8
Joined: November 8th, 2007, 3:30 pm

Unread postby beynac » November 11th, 2007, 6:25 am

Good morning John.

That's looking a lot better. There's just one more registry entry to change. We'll use ComboFix again as it will give us a double-check that nothing has returned.

Open Notepad and copy/paste the text in the quotebox below into it:
Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= "msv1_0"


Save this on your Desktop as CFScript.txt

Image
ComboFix should also be on your Desktop. Referring to the picture above, drag CFScript.txt into ComboFix.exe. ComboFix will then run. When finished, it will produce a log (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running as this may cause it to stall.

-----------------------------------------------------

Kaspersky Online Scanner

I would like you to run an online scan to make sure that there is nothing else lurking. I have included the full instructions but I am aware that you already have this installed. Some of the following will not therefore apply. Please make sure that the latest definitions are downloaded.

Using Internet Explorer, go to: http://www.kaspersky.com/virusscanner
  • Click on Kaspersky Online Scanner
  • Click the Accept button (see the note below if using IE7)
  • Follow the prompts to download and install the ActiveX component(s) and other software
    • If a yellow information bar appears at the top of the browser window, click on it and select Install ActiveX Control
    • If a message box appears, click on OK or Run as appropriate
  • Click Accept again (see the note below if using IE7)
  • When a message box appears, click on Install to allow the installation
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click 'Next'.
  • Now click on 'Scan Settings'
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
    • Scan Options: 'Scan Archives' and 'Scan Mail Bases'
  • Click 'OK'
  • Now under 'Select a target to scan' select 'My Computer'
  • The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
  • Now click on the Save as... button:
  • Save the report to your desktop (N.B. Save as type: Text document (txt))
Note: You may get a window without the Accept/Decline buttons. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

----------------------------------------------------

Please post the following as a reply to this thread:
  • The ComboFix log
  • The Kaspersky report (I suggest that you use a separate post (or more) to avoid this being cut off)
  • A new HijackThis log (run as NoHiding)
Please let me know how the computer is running now. Have all of the popups and messages stopped?
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
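An added check for the kind of entry beynac is fixing in this post. It is example code written for this page, not code from the thread, from ComboFix or from HijackThis. It parses the Reg Loading Points section of a ComboFix log, lists what the LSA key's "Authentication Packages" value contains, flags anything other than msv1_0 (the only default on Windows XP; the allow-list is an assumption to extend for other Windows versions) and builds the CFScript text that restores the default. The point of the check: every DLL named in that value is loaded into lsass.exe at boot, which is why a stray path there is a persistence point worth looking for and why it is removed with a boot-time fix rather than by deleting the file while Windows is running. The sample log text below is constructed from the entries shown earlier in the thread.

```python
"""Flag non-default LSA Authentication Packages in a ComboFix-style log.

Added example for this thread; not code from ComboFix or HijackThis.
"""
import re
from typing import Dict, List

# Windows XP ships with msv1_0 as the only authentication package.
# Treating it as the sole known-good name is an assumption; other
# Windows versions or third-party logon providers may add legitimate ones.
KNOWN_GOOD = {"msv1_0"}

LSA_KEY = r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]"
AUTH_PKG_RE = re.compile(r'^"Authentication Packages"\s*=\s*(?P<value>.+)$')

# Constructed sample: the Reg Loading Points section as it looked in the
# infected log (msv1_0 plus an extra DLL) and after the fix (ComboFix
# omits the key entirely once it holds only the legitimate default).
INFECTED_SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmnlm.dll

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
"""

CLEAN_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-07 14:00]

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
"""


def parse_auth_packages(log_text: str) -> List[str]:
    """Return the entries listed under "Authentication Packages" in the LSA
    key section of the log, or an empty list if the key is not shown.

    ComboFix prints the REG_MULTI_SZ entries space-separated, so a path
    containing spaces would be split here; the default entries never do.
    """
    in_lsa = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # A new registry key header; remember whether it is the LSA key.
            in_lsa = line.lower() == LSA_KEY.lower()
            continue
        if in_lsa:
            m = AUTH_PKG_RE.match(line)
            if m:
                # The CFScript form quotes each entry; the log form does not.
                return [t.strip('"') for t in m.group("value").split()]
    return []


def suspicious_packages(packages: List[str]) -> List[str]:
    """Everything that is not a known-good package name is reported.

    Legitimate packages are bare names resolved from system32, so an
    explicit path such as the pmnlm.dll entry is always flagged.
    """
    return [p for p in packages if p.lower() not in KNOWN_GOOD]


def build_cfscript(packages: List[str]) -> str:
    """Produce the CFScript text that keeps only the known-good entries,
    in the same form as the fix posted in this thread."""
    keep = [p for p in packages if p.lower() in KNOWN_GOOD] or sorted(KNOWN_GOOD)
    value = " ".join(f'"{p}"' for p in keep)
    return f'Registry::\n\n{LSA_KEY}\n"Authentication Packages"= {value}\n'


def analyse(log_text: str) -> Dict[str, object]:
    """Summarise one log: entries found, entries flagged, and whether the
    LSA value is clean (absent from the log counts as clean, since ComboFix
    does not print legitimate default entries)."""
    pkgs = parse_auth_packages(log_text)
    bad = suspicious_packages(pkgs)
    return {"packages": pkgs, "flagged": bad, "clean": not bad}


if __name__ == "__main__":
    for name, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = analyse(sample)
        print(name, result)
        if result["flagged"]:
            print(build_cfscript(result["packages"]))
```

Run against the constructed infected sample it flags `C:\WINDOWS\system32\pmnlm.dll` and emits the same `"Authentication Packages"= "msv1_0"` line as the CFScript above; against the clean sample it reports no entries at all, which is what a clean ComboFix log looks like because, as the log's own note says, legitimate default entries are not shown.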

Re: H E L P ! I am infected...

Unread postby hourpou » November 12th, 2007, 10:55 am

Hello beynac!

I have used ComboFix again as you suggested, but I didn't manage to perform a Kaspersky online scan :?
As soon as the scanner starts to download the "latest Kaspersky Anti-Virus Databases" I get the classic Windows error message that "the program has performed an illegal operation and had to close"... (In Greek of course :) )
Most of the time the message pops up just at the beginning of the download... :(
I am using IE7 by the way - I tried Firefox but couldn't get past the Accept/Decline screen...

Anyway, this is the ComboFix log:
-----------------------------------------


ComboFix 07-11-08.1 - user 2007-11-12 16:10:34.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1253.1.1032.18.545 [GMT 2:00]
Running from: C:\Documents and Settings\user\Επιφάνεια εργασίας\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Επιφάνεια εργασίας\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-11 03:40 575,471 --a------ C:\Documents and Settings\user\catchme.zip
2007-11-10 19:29 <DIR> d-------- C:\VundoFix Backups
2007-11-10 13:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 01:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-09 01:06 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-09 01:06 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-09 01:06 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-09 01:06 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-09 01:06 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-08 21:40 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-08 21:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-08 21:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-08 21:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-07 23:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-07 22:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-07 16:09 <DIR> d-------- C:\Program Files\FRP-Analysis
2007-11-07 02:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-07 02:05 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-07 01:23 4,844 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-06 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 23:11 <DIR> d-------- C:\Documents and Settings\user\Application Data\Microsoft Corporation
2007-11-05 23:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Corporation
2007-11-05 22:56 <DIR> d-------- C:\Program Files\ABBYY FineReader 9.0
2007-11-05 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ABBYY
2007-11-05 22:50 <DIR> d-------- C:\Documents and Settings\user\Application Data\SYSTRAN
2007-11-05 22:46 <DIR> d-------- C:\Program Files\SYSTRAN
2007-11-05 22:45 878,080 --a------ C:\WINDOWS\system32\iconv.dll
2007-11-05 22:45 721,920 --a------ C:\WINDOWS\system32\libxml2.dll
2007-11-05 22:45 150,016 --a------ C:\WINDOWS\system32\libxslt.dll
2007-11-05 22:45 51,200 --a------ C:\WINDOWS\system32\libexslt.dll
2007-11-05 22:44 144,896 -ra------ C:\WINDOWS\system32\libsyslic1.original.dll
2007-11-05 22:44 57,344 -ra------ C:\WINDOWS\system32\libsyslic1.dll
2007-10-22 22:52 1,719,296 --a------ C:\WINDOWS\system32\hinstd.dll
2007-10-22 22:52 264,704 --a------ C:\WINDOWS\system32\hlvdd.dll
2007-10-22 22:52 125,712 --a------ C:\WINDOWS\system32\vb6de.dll
2007-10-22 22:52 116,938 --a------ C:\WINDOWS\system32\vshelp.dll
2007-10-22 22:52 99,866 --a------ C:\WINDOWS\system32\vb5de.dll
2007-10-22 22:52 25,088 --a------ C:\WINDOWS\system32\Hlduinst.exe
2007-10-22 22:52 23,040 --a------ C:\WINDOWS\system32\drivers\aksusb.sys
2007-10-22 22:50 <DIR> d-------- C:\Program Files\SOFiSTiK
2007-10-22 22:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-22 22:39 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-22 16:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-10-20 14:40 <DIR> d-------- C:\Documents and Settings\user\Application Data\Corel
2007-10-20 14:37 <DIR> d-------- C:\Program Files\Corel
2007-10-20 14:37 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-10-20 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
2007-10-20 14:05 2,516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-20 14:05 88 -r-hs---- C:\WINDOWS\system32\75906E75A1.sys
2007-10-20 12:53 <DIR> d-------- C:\Program Files\Common Files\Protexis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 14:13 26,837,024 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-12 14:13 1,487,648 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-12 14:11 --------- d-----w C:\Program Files\Kaspersky Lab
2007-11-11 22:24 360,188 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-11 22:24 140,324 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-11 19:59 --------- d-----w C:\Documents and Settings\user\Application Data\Skype
2007-11-09 23:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-08 22:48 --------- d-----w C:\Program Files\eMule
2007-11-08 22:47 --------- d-----w C:\Documents and Settings\user\Application Data\Azureus
2007-11-07 14:11 286,720 ------w C:\WINDOWS\Setup1.exe
2007-11-06 19:14 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-05 20:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-01 22:50 --------- d-----w C:\Program Files\Computers and Structures
2007-10-29 20:36 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-22 14:35 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-10-22 14:33 --------- d-----w C:\Program Files\SopCast
2007-10-22 14:31 --------- d-----w C:\Program Files\DScaler
2007-10-22 14:30 --------- d-----w C:\Program Files\COORD_GR
2007-10-22 14:29 --------- d-----w C:\Program Files\TechSmith
2007-10-16 18:31 --------- d-----w C:\Program Files\Microsoft LifeCam
2007-10-14 20:24 --------- d-----w C:\Program Files\Google
2007-10-13 21:11 --------- d-----w C:\Documents and Settings\user\Application Data\TVU Networks
2007-10-09 13:34 --------- d-----w C:\Program Files\Java
2007-09-21 15:09 --------- d-----w C:\Program Files\Ulead CD & DVD PictureShow 4
2007-09-21 14:04 256 ----a-w C:\IASTOEL.DLL
2007-09-21 10:33 --------- d-----w C:\Program Files\audiograbber
2007-09-17 22:11 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-09-17 22:06 --------- d-----w C:\Documents and Settings\user\Application Data\Ulead Systems
2007-09-17 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-09-17 21:07 --------- d-----w C:\Program Files\FastStone Image Viewer
2007-09-17 21:07 --------- d-----w C:\Documents and Settings\user\Application Data\FastStone
2007-09-17 20:35 --------- d-----w C:\Program Files\Azureus
2007-08-21 06:16 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-03-19 21:50 1,024 ----a-w C:\Program Files\USERDEF.SEC
2007-03-19 21:50 1,024 ----a-w C:\Program Files\IW.SEC
2007-03-19 21:50 1,024 ----a-w C:\Program Files\COMPOSITES.SEC
2007-03-19 21:50 1,024 ----a-w C:\Program Files\CASTELATED.SEC
.

((((((((((((((((((((((((((((( snapshot@2007-11-10_14.38.57.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 19:12:03 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
+ 2007-11-11 17:04:00 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"RTHDCPL"="RTHDCPL.EXE" [2005-05-04 11:28 C:\WINDOWS\RTHDCPL.EXE]
"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 19:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"RegistryMechanic"="" []
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2006-04-18 09:20]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 21:46]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-11-07 23:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-07 14:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-23 12:52]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-27 20:13]

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe"
R2 RCService;RCService;"C:\Program Files\gigabyte\RCService\RCService.exe"
R3 3xHybrid;3xHybrid service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys
R3 SaiClass;SaiClass;C:\WINDOWS\system32\drivers\SaiNtBus.sys
R3 VX1000;VX-1000;C:\WINDOWS\system32\DRIVERS\VX1000.sys
S1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\DRIVERS\imhidusb.sys
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys
S3 SaiNtHid;%SAINTHID_NAME%;C:\WINDOWS\system32\DRIVERS\SaiNtHid.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 16:13:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-12 16:14:40
C:\ComboFix2.txt ... 2007-11-11 03:46
C:\ComboFix3.txt ... 2007-11-10 14:42
.
--- E O F ---


I also ran a (renamed) HijackThis; here is the log:
------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:54 μμ, on 12.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\gigabyte\RCService\RCService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft LifeCam\LifeTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\NoHiding.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: SYSTRAN Lookup - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/lookup.js
O8 - Extra context menu item: SYSTRAN Translate - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/translate.js
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Δημιουργία Αγαπημένου κινητής συσκευής... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: RCService - Unknown owner - C:\Program Files\gigabyte\RCService\RCService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9769 bytes


Do you think that the failure to launch the online scanner is suspicious, or maybe I have some wrong settings???

Thanx
John
hourpou
Active Member
 
Posts: 8
Joined: November 8th, 2007, 3:30 pm

Re: H E L P ! I am infected...

Unread postby beynac » November 12th, 2007, 11:50 am

There could be a number of reasons why the online Kaspersky scan didn't work. However, we have a more pressing problem. Your installed Kaspersky Anti-Virus program is not running.

Some questions:
  • Have you shut it down for any reason?
  • Is it a trial version? If so, has this expired?
  • Did you reboot the computer before running the HijackThis log?

Could you please reboot the computer and check whether the program is running. It's possible that trying to run the online scan shut it down. We need to make sure that it is running before we go any further.

Please run a new HijackThis log and post it, together with the answers to my questions.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: H E L P ! I am infected...

Unread postby hourpou » November 12th, 2007, 5:48 pm

oooops... my mistake :oops:
I had shut down the program to see if the online scanner works... sorry if I confused you...

A new HijackThis log:
----------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:51 μμ, on 12.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\gigabyte\RCService\RCService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft LifeCam\LifeTray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\NoHiding.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: SYSTRAN Lookup - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/lookup.js
O8 - Extra context menu item: SYSTRAN Translate - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/translate.js
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Δημιουργία Αγαπημένου κινητής συσκευής... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: RCService - Unknown owner - C:\Program Files\gigabyte\RCService\RCService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9950 bytes
hourpou
Active Member
 
Posts: 8
Joined: November 8th, 2007, 3:30 pm

Re: H E L P ! I am infected...

Unread postby beynac » November 12th, 2007, 6:32 pm

I had shut down the program to see if the online scanner works... sorry if I confused you...

No problem - that was a good idea. :)

Let's try a different online scan.

ESET Online Scanner

Please run the ESET Online Scanner. You must use Internet Explorer to run the scan.
  • Check the box to accept the Terms of Use
  • Click Start
  • When prompted, left-click on the Information Bar which pops up at the top of your browser window
  • Click on Install ActiveX Control
  • A message box will pop up. Click on Install to install the software
  • Click Start
  • Do not check the following boxes
    • remove found threats
    • scan for unwanted applications
  • Click Start
  • When the scan has ended it should show a report giving details of any threats found
  • The report will be saved as C:/Program Files/esetonlinescanner/log.txt
Please post that report as a reply to this thread.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Re: H E L P ! I am infected...

Unread postby hourpou » November 13th, 2007, 5:32 pm

Well, that worked fine!

Here is the log file:
----------------------------


# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2655 (20071113)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=a5104575c7339f44a71e7d909c52e354
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2007-11-13 08:33:23
# local_time=2007-11-13 10:33:23 (+0200, # country="Greece"
# osver=5.1.2600 NT Service Pack 2
# scanned=513309
# found=5
# scan_time=7387
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application C90FFF88346156DECD8BC005A5FAE429
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application CB2DBAE906440BB4228DC2F1C1A410AA
C:\qoobox\Quarantine\C\Documents and Settings\user\Favorites\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 5BEB54B938B63B5C2860509BE7EDEA47
C:\qoobox\Quarantine\C\Documents and Settings\user\Επιφάνεια εργασίας\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application 20F31C6EC1F6A95A2D4633BA3C1AE42F
C:\qoobox\Quarantine\C\Documents and Settings\user\Επιφάνεια εργασίας\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 87557DBEABBBDD2B17B2948BAB37C0CC
hourpou
Active Member
 
Posts: 8
Joined: November 8th, 2007, 3:30 pm
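The kind of reading a helper gives an ESET report like the one above (did the scan finish, does the detection count match the header, and are the hits live files or only entries in ComboFix's quarantine folder), as an added Python example that is not part of the original thread; the log text, MD5 values and the non-quarantine path in it are constructed, not the poster's real ones.

```python
import re

# Constructed sample in the ESET Online Scanner log layout seen in this thread
# (abridged; the MD5 values and the last path are made up, not the poster's real ones).
SAMPLE_ESET_LOG = r"""# version=4
# end=finished
# remove_checked=false
# unwanted_checked=false
# osver=5.1.2600 NT Service Pack 2
# scanned=513309
# found=3
# scan_time=7387
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application 00000000000000000000000000000001
C:\qoobox\Quarantine\C\Documents and Settings\user\Favorites\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 00000000000000000000000000000002
C:\Documents and Settings\user\Local Settings\Temp\constructed-example.exe Win32/Adware.SecToolbar application 00000000000000000000000000000003
"""

# ComboFix keeps what it removed under C:\qoobox\Quarantine (the folder named in this thread).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)

# Detection lines read "<path, which may contain spaces> <threat name> <object type> <md5>";
# the path is recovered by anchoring on the three space-free fields at the end of the line.
DETECTION_RE = re.compile(r"^(?P<path>.+) (?P<threat>\S+) (?P<kind>\S+) (?P<md5>[0-9a-fA-F]{32})$")


def parse_eset_log(text):
    """Return the '# key=value' header as a dict and the detection lines as dicts."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, sep, value = line[1:].partition("=")
            if sep:
                header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(m.groupdict())
    return header, detections


def triage(text):
    """Summarise the report: completion, header/detection count agreement, and which
    hits sit only in a quarantine folder versus files still live on disk."""
    header, detections = parse_eset_log(text)
    quarantined = [d["path"] for d in detections
                   if d["path"].lower().startswith(QUARANTINE_PREFIXES)]
    live = [d["path"] for d in detections if d["path"] not in quarantined]
    return {
        "complete": header.get("end") == "finished",
        "count_matches_header": header.get("found") == str(len(detections)),
        "quarantined": quarantined,
        "live": live,
    }
```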

Re: H E L P ! I am infected...

Unread postby beynac » November 13th, 2007, 6:10 pm

Well done! The only items found are in ComboFix's quarantine folder. We'll delete those in a moment. You have ZoneAlarm firewall showing in the services in your HijackThis log but it doesn't appear to be running. Could you please check this? It is important that you use a firewall, otherwise you will be wide open to re-infection. Please let me know if you have any problems getting this running.

We need to do a bit of tidying up now. You can delete VundoFix from your desktop and its log (C:\vundofix.txt). You can uninstall ComboFix.

  • Click Start then Run
  • Type Combofix /u into the textbox - Note the space between the x and the /u, it needs to be there.
  • If you are shown the disclaimer, Select "2"

The above procedure will also do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

----------------------------------------------------------

If you do not already use it, I suggest that you install SpywareBlaster. This program will:
  • Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
This program blocks these items but does not run in the background. It therefore does not use any resources.

I would also recommend that you have a look at Firetrust SiteHound. This gives warnings when you are about to enter a website that is on their 'block' list. An alternative is McAfee SiteAdvisor. I use SiteHound, but both have a good reputation (N.B. use only one of them, not both).

This article, How to prevent Malware by miekiemoes, gives some very good advice.

Please let me know whether you have any questions or if you have trouble with ZoneAlarm.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
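The check beynac made twice in this thread, first on Kaspersky (listed as an O23 service but absent from the running processes) and then on ZoneAlarm, as an added Python example that is not part of the original thread: it cross-references the O23 service image paths in a HijackThis log against the "Running processes" section and also lists the "(no file)" / "(file missing)" entries. The sample log is constructed in the HijackThis v2 layout and is not the poster's real log.

```python
import re

# Constructed sample in the HijackThis v2 layout used in this thread (abridged; not the
# poster's real log): the firewall service vsmon is listed under O23 but has no process.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Lettered entries look like "O23 - ..." or "R0 - ..." or "F2 - ..."
ENTRY_RE = re.compile(r"^([ORF]\d+) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into its running-process set and its lettered entries."""
    processes, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:                  # a blank line ends the process list
                in_procs = False
            else:
                processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def services_without_process(text):
    """Display names of O23 services whose image path is absent from the running processes.
    Demand-start services are normally idle, so not every hit matters, but a security
    product landing here (Kaspersky, then ZoneAlarm, in this thread) is what a helper
    wants to know before going any further."""
    processes, entries = parse_hjt(text)
    flagged = []
    for code, body in entries:
        if code != "O23":
            continue
        # O23 layout: "Service: <display name> - <company> - <image path>"
        head, _, path = body.rpartition(" - ")
        head = head[len("Service: "):] if head.startswith("Service: ") else head
        name = head.rpartition(" - ")[0] or head
        if path.lower() not in processes:
            flagged.append(name)
    return flagged


def entries_with_missing_file(text):
    """Entries pointing at a file HijackThis could not find: usually leftovers of an
    uninstalled or already-removed component, harmless but normally fixed for tidiness."""
    _, entries = parse_hjt(text)
    return [f"{code} - {body}" for code, body in entries
            if "(no file)" in body or "(file missing)" in body]
```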

Re: H E L P ! I am infected...

Unread postby hourpou » November 14th, 2007, 6:59 pm

Hi beynac!

I have performed those last actions you mentioned...
I also restored zone alarm and I downloaded SpywareBlaster...
Everything seems to work fine now!!! :)

Is there anything else I should do???

Thank you very much for your assistance,
John

hourpou
Active Member
 
Posts: 8
Joined: November 8th, 2007, 3:30 pm